Tuesday, 14 May 2013 00:00

Website Security - WordPress Security Improvements for the beginner


    WordPress is one of the most popular blogging platforms on the Internet and provides a very easy blogging experience, but with that ease come some lurking website security issues. Once WordPress is installed with its default settings you are at risk: maybe not straight away, but down the line your blog will be targeted.

    Unknown to you, keeping the default WordPress settings from the installation stage means you are inadvertently opening yourself up to attack. Why? Default settings are great for getting you up and running quickly when you don't know much about the technology behind the blog. Within minutes you'll have a blog, you'll install a theme and off you go. You're blogging, BUT... what about your website security?

    Since the default settings are commonly known, attackers already have half of the equation for gaining access (okay, sometimes a third :) ): they know the username and the login URL, and only have to guess the password.

    In truth, website security (or blog security) should be one of the first improvements you make after installing WordPress. These steps are in no way comprehensive, but they let someone with some experience of WordPress change settings, set up new accounts and delete old ones. We'll cover the more technically challenging changes to WordPress in another blog post.

    WordPress sites being hacked is commonplace, and you can make some simple changes to improve your website security (blog security) and reduce the risk of being successfully hacked.

    1. Never use simple or easy-to-guess passwords.

    Once you have set up WordPress (or even if you have had your blog for years), log in, create a new administrator with a username that isn't easy to guess, and give it a complex password using lowercase and uppercase letters, numbers and, if you can remember them, any of these special characters: !"£$%^&*()_-+. (and don't forget '@').

    To make the password easy for you to remember but difficult to guess, pick a word you can remember of around 6-8 characters or, better still, two or three shorter words that together come to around 8-10 characters.

    Change 'e' to 3, 'i' to 1 and 'o' to 0 (zero), and write the word 'at' as the special character '@'. Add another special character or two and an uppercase letter or two, and you have a complex password.

    Here is an example:

    Phrase / Words:  I like icecream at home

    Becomes: 1 l1k3 1c3cr3am at h0m3

    Add an uppercase letter or two:  1 L1k3 1c3cr3am at H0m3

    Replace spaces with special characters:  1-L1k3-1c3cr3am-at-H0m3

    Replace 'at' with @:  1-L1k3-1c3cr3am-@-H0m3

    This is a 22-character password that, once you have practised typing it, is fast to enter and easy to remember. Be clear about where its strength comes from, though: it is the length and the number of words. Password-cracking tools try the e→3, i→1, o→0 and at→@ substitutions automatically, so the substitutions on their own add very little; don't shorten the phrase to compensate for them. If it is too long, reduce the starting words to 10-12 characters rather than 19. If you use a password manager, a long random password that it generates and remembers for you is better still.

    2. Never use the default "admin" username on your blog.

    Okay, you have a blog, new or years old, and you want to delete the admin account. BEFORE you do that, create a second administrator account (let's use the username BlueWaterSkyHigh, and make sure you give it the Administrator role).

    If your blog already has lots of posts (i.e. it isn't new), transfer ownership of all the posts from the admin account to BlueWaterSkyHigh. WordPress offers to do this for you on the delete-user screen ("Attribute all content to" another user), or you can change the author on each post by hand. Once this is done, "admin" is no longer associated with (i.e. hasn't written) any of the articles on the blog; they all belong to BlueWaterSkyHigh.

    Once this is done, log out of WordPress, log in with the new administrator account (BlueWaterSkyHigh) and you can now delete the admin account. One caveat: WordPress reveals login names through author archive URLs (a request for /?author=1 redirects to /author/<username>/), so a hard-to-guess username slows an attacker down but does not hide the account. The complex password is what actually protects it.

    3. DO NOT use simple or easy-to-guess passwords.

    Once you have set up WordPress (or even if you have had your blog for years) and have replaced the admin account as above, remember to give the new account a complex password. It cannot be stressed enough how important this is.

    What is a complex password? It's a phrase that uses lowercase and uppercase letters, numbers and, if you can remember them, any of these special characters: !"£$%^&*()_-+.@.

    Trying to remember a complex password is challenging unless you have a method. Use the method and worked example from step 1: pick a word of around 8-10 characters or, better still, two or three smaller (or larger, if you like) words that come to around 10-12 characters, then apply the substitutions. The phrase "I like icecream at home" becomes 1-L1k3-1c3cr3am-@-H0m3, a 22-character password that is easy for you to remember but, because of its length, a lot of work for a hacker to crack.
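    The recipe from steps 1 and 3, written out as code, as an added example that is not part of the original post. It applies the article's substitutions to the article's phrase, checks the result against a simple policy, and then does what a cracking tool does: reverses the substitutions to get the phrase back, which is why the length of the phrase, not the substitutions, is what matters. The rule "capitalise words of four or more letters", the 12-character policy threshold and the 10,000-word dictionary size are this example's own assumptions.

```python
"""Added example (not code from the original post): the password recipe
from steps 1 and 3 as a function, plus what an attacker does with it.

The phrase and the letter/number swaps are the article's; the policy
threshold of 12 characters and the 10,000-word dictionary size are this
example's own assumptions, used for the comparison at the end."""
import math
import string

# Swaps the article recommends.  Both cases are mapped, because the
# worked example turns the capital "I" into "1".
LEET = str.maketrans({"e": "3", "E": "3", "i": "1", "I": "1", "o": "0", "O": "0"})
# The reverse map; password-cracking rule sets apply exactly this.
UNLEET = str.maketrans({"3": "e", "1": "i", "0": "o"})
SPECIALS = '!"£$%^&*()_-+.@'  # the article's special-character list


def build_password(phrase, capitalise_from=4):
    """Apply the article's steps to a phrase:
    1. capitalise the first letter of words of 4+ letters (an assumed
       rule; the article picks the words by hand),
    2. swap e/i/o for 3/1/0,
    3. write the word 'at' as '@',
    4. join the words with '-' instead of spaces."""
    words = []
    for word in phrase.split():
        if len(word) >= capitalise_from:
            word = word[0].upper() + word[1:]
        word = word.translate(LEET)
        words.append("@" if word.lower() == "at" else word)
    return "-".join(words)


def recover_phrase(password):
    """Undo the recipe the way a cracking tool's rules do: restore the
    letters, spell out '@' and put the spaces back.  Case is dropped
    because case variants are tried automatically as well."""
    words = ["at" if w == "@" else w.translate(UNLEET) for w in password.split("-")]
    return " ".join(words).lower()


def character_classes(password):
    """Which of the four classes the article asks for are present."""
    return {
        "lower": any(c in string.ascii_lowercase for c in password),
        "upper": any(c in string.ascii_uppercase for c in password),
        "digit": any(c in string.digits for c in password),
        "special": any(c in SPECIALS for c in password),
    }


def meets_policy(password, min_len=12):
    """Length first, then all four classes.  12 is this example's
    threshold; the article asks for 10-12+ characters of starting words,
    which after the recipe comes out longer than that."""
    return len(password) >= min_len and all(character_classes(password).values())


def bits_if_random(password, alphabet=95):
    """Search space if the string really were random printable ASCII."""
    return len(password) * math.log2(alphabet)


def bits_as_phrase(password, dictionary=10_000):
    """Upper bound on an attacker's work once the recipe is reversed and
    the phrase is guessed word by word from a common-word list."""
    return len(recover_phrase(password).split()) * math.log2(dictionary)


if __name__ == "__main__":
    phrase = "I like icecream at home"       # the article's phrase
    pw = build_password(phrase)
    print(pw)                                # 1-L1k3-1c3cr3am-@-H0m3
    print(len(pw), "characters;", "policy ok" if meets_policy(pw) else "too weak")
    print("attacker recovers:", recover_phrase(pw))
    print(f"looks like {bits_if_random(pw):.0f} bits of randomness, "
          f"but is guessable in roughly {bits_as_phrase(pw):.0f} bits of work")
```

    The gap between the last two numbers is the point of the caveat in step 1: the password looks like 22 random characters, but an attacker who knows the recipe only has to guess five common words. Adding more words, or an uncommon one, closes that gap far faster than adding more substitutions.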

    4. Make it difficult for a hacker to find or use your admin URL.

    The URL you use to log in to WordPress and create your posts (www.yourdomainname.com/wp-admin, which sends you on to wp-login.php) is always at risk. It is one of the first locations a hacker will try a brute-force attack on. If you have no security measures in place to hide or restrict access to this URL, a hacker (or, in a lot of cases, a bot) can use the default admin username, if you haven't deleted it, and start to "guess" the password from a list of common (and easy) passwords.

    To restrict access to the URL, it is far simpler to install a plugin like All-in-One Security, which can limit failed login attempts and lock out the addresses making them. With it come extra features that are well worth having.
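    The same restriction done one layer lower, as an added example that is not from the original post or from the plugin: an allow-list on the login page in the web server itself, so a brute-force attempt is rejected before it ever reaches WordPress and before any plugin code runs. It assumes Apache 2.4 with .htaccess overrides enabled for the site; 203.0.113.0/24 is a placeholder address range for your own home or office connection.

```apache
# Added example, not from the original post.  Apache 2.4 syntax.
# 203.0.113.0/24 is a placeholder: put the address range you log in
# from here.  Anyone else gets a 403 instead of a login form.

# --- .htaccess in the WordPress root directory ---
# wp-login.php is the page that actually handles logins (wp-admin just
# redirects to it), so this is the file to allow-list.
<Files "wp-login.php">
    Require ip 203.0.113.0/24
</Files>

# --- .htaccess in the wp-admin/ directory ---
# Same allow-list for the dashboard, but admin-ajax.php must stay open:
# some themes and plugins call it from the public pages for visitors who
# are not logged in, and blocking it breaks those features.
Require ip 203.0.113.0/24
<Files "admin-ajax.php">
    Require all granted
</Files>
```

    On Apache 2.2 the equivalent is Order deny,allow, Deny from all and Allow from 203.0.113.0/24 inside the same blocks. If your address changes often (mobile or a dynamic home connection), an IP allow-list will lock you out; in that case protect wp-login.php with HTTP basic authentication instead. Either way this only reduces who can attempt a login; it does not replace the complex password from steps 1 and 3.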

    5. A software firewall for your website.

    Don't worry, you don't have to create one. Simply install All-in-One Security, which includes this functionality to detect and block suspicious activity on your website. There are others: type "security" into the WordPress plugin search and you'll find a complete list. Pick something that is well supported and works for your budget; you can always remove it and upgrade to something else later if money is tight now. Bear in mind that a plugin firewall runs inside WordPress, so it only sees requests that reach WordPress and cannot patch vulnerable code: keeping WordPress, your theme and your plugins updated still matters.

    Further Resources

    Well... that is a good first step toward improving the website security of your blog. Making these changes and installing All-in-One Security adds some security to your website, but there is always more to do.

    To learn more about hardening your website's security, please go to http://codex.wordpress.org/Hardening_WordPress

     

    Jason Williams
    Principal Consultant
    Website Security for Wordpress - Security Hardening for beginners

    Last modified on Wednesday, 23 October 2013 17:12
    Jason Williams

    Jason Williams founded Joint Plan after a successful 17 year career in Corporate IT to return to his roots in small business, where change and improvement has a more significant and positive impact for the small business owner and their employees.