Internet Man Dedicated WordPress Hosting
Why Would I Need Dedicated WordPress Hosting?
If the WordPress login screen comes up you’re hosting at the wrong place. Everyone knows where this screen is including the bad guys. It will be attacked at this point. If it’s here and your username is Admin you’re in double trouble. Whoever is taking care of you is not taking care of you. If you have a corporate site worth thousands of dollars you need dedicated WordPress hosting. Right now you’re a sitting duck. Bad people are laughing at your naiveté.
It’s Time to Get Real About WordPress Security
There is a misconception about WordPress. The consensus is it’s safe – just install it and you’re fine. That is not the case. WordPress can be safe when installed and hosted by an experienced Linux professional. But responsible installation/hosting is the exception, not the rule. WordPress is free. Because it’s free WordPress is under no obligation to you. Furthermore the database server WordPress is running on is free. The web server serving WordPress pages is free. The operating system running the web server is free. Everything is free. Nobody paid for anything. There are no guarantees.
Web developers and hosting services love WordPress because it’s free. A web developer can WOW a client with extensive back-end capabilities. The client is thrilled with the capabilities they’re getting. Those extensive capabilities didn’t cost the developer a dime. It’s a win for the client. It’s a win for the developer. It’s a win for the hosting service.
My dad always told me, “You get what you pay for.” Laugh if you want. It’s true. With a WordPress site nobody paid anything. What’s the catch? The catch is that no one is accountable to you. No accountability is the new way of thinking. If you think a company is standing behind your web site think again. If your site gets compromised there is no one to blame. Nobody bought anything. Everything was free. You are own your own. It’s best to realize it from the outset. It’s perfectly fine to use WordPress but you’ve got to be realistic about what it is.
WordPress Has Potentially Dangerous Write Access
Wordpress has write access built in. Write access through Web pages makes network security experts cringe. Write access means that potentially anyone can upload content to your web server. Blog posting comes enabled by default. That’s a security nightmare. Backend editing capability is enabled by default too. That’s potentially dangerous as well. Everyone loves to edit their own site. However those same capabilities extended to you are just one tweak away from being extended to the public too. Unrestricted access to your server is exactly what you don’t want. Don’t think WordPress has some magical ability to keep bad guys out. WordPress, with its write access, is right up to the security line and the slightest misconfiguration puts it over the edge.
The Internet hosting business is built on inexpensive hosting services. There is competition among providers to see who can offer the cheapest service. Last I checked Go Daddy was at $4/month for its WordPress hosting. They can survive because they put thousands of web sites on a single server. Even with thousands of users they operate at a loss however. I respect Go Daddy. They’re a great company. They’ve been around a long time. Their customer service is decent. Their prices are low. However I wouldn’t put an important site there because they are open to the general public. Go Daddy welcomes anyone with open arms. No vetting. When you’ve been in continuous operation as long as I have you can’t help but be skeptical.
Every now and then a client will attempt to bring “their own developer” onto my network. The first thing they do is ask for “total access and control.” Sure, like that’ll happen! If you want “total access and control” go to Go Daddy. Let them grapple with security issues. Developers are willing to open security holes a mile wide without hesitation. I’m not saying they’re malicious. What I am saying is they are not careful. Why should they care? It’s not their equipment. They have no accountability. One bad setting in WordPress and you’re compromised. I don’t let anyone on my network without rigorous vetting.
WordPress Requires Being Protective Over Your Network
Wordpress is great. It has taken over for Dreamweaver and traditional hosting. The big problem is it’s dangerous. It’s dangerous because it’s blogging software. Blogging software? Are you kidding me? Blogging means anonymous write access. If you install WordPress as preconfigured you’ll have 100,000 postings into your server on the first day. When you take WordPress’ outdated vision of the web as a benign place where people can post and couple it with Google’s outdated vision that only web pages with external links have value, you’ve got a volatile situation. What you’ve got are intruders on your site like ants on honey. Nice work visionaries! This is coming from people who are supposed to be hip and with-it. Their entrenchment with outdated visions puts unwitting users in harm’s way constantly.
Wordpress developers abound. They’re all experts – just ask them. Here’s the issue. If you take 100 WordPress developers only one or two of them deploy their sites on their server. I’m talking about hosting your site on a fixed IP address pointed to a web server that they own personally. Ask your developer, point blank, where is my site hosted? Almost all of them will tell you they put your site on a third-party server. That means they have no responsibility. If they misconfigured WordPress by giving too much write access so what? Do they care? No. Do they feel responsible? No. You’ll be told to call the hosting company. Put yourself in their shoes. If something goes wrong with your site, it’s someone else’s problem. How convenient. Top level developers have their own IP addresses pointed to their own proprietary network. They have skin-in-the-game. They’re professionals. They care about the network. They are protective over their clients. Top level sites need to level hosting.
What Constitutes A Weak WordPress Installation
There is one correct way to deploy WordPress. Most developers deploy it wrong. They consistently give more access than is necessary. A proper WordPress installation gives as little access as possible while giving you the capability to update your site. Loose settings are the weak underbelly of WordPress. Bad guys test WordPress sites constantly for weakness. Actually I am amazed the inexpensive hosting services maintain as well as they do. The concept of being “open to the public” is too dangerous for me. I don’t operate that way. That comes from experience not paranoia.
Here are some common WordPress vulnerabilities. It isn’t malicious. It’s recklessness. Here is a list of the worst offenses:
1. Setting A Web Accessible Folder 777
Never. Never. Never set a web accessible folder to 777. This includes the WordPress Uploads folder. It also includes the Themes folder and the Plugins folder. 777 means read-write-execute-everyone privileges. This seemingly innocuous setup mistake opens a security hole in the network a mile wide. It bypasses the firewall and invites any hacker in the world to upload and run whatever they want. Can you imagine anything worse? Yet developers will argue that read-write-execute-everyone is the “correct” way to setup the WordPress Uploads folder.
No web accessible folder should be set to 777. Ever!!!
2. Giving Write Access to Htaccess
Htaccess should be set to 444 or read-owner-group-everyone. Period. Some plugins require writing (changing) htaccess. In these cases you need to open permissions, install your plugin, and close it back down to 444. Developers open access and leave it that way. Most often they don’t care about proper housekeeping. Why should they? It’s not their equipment.
3. Giving Write Access to wp-config.php.
Wp-config.php should be set to 444. You’d be amazed at how often this file has write access. I had a plugin the other day. It required wp-config.php be set to 777 so it could write to it. It would take the existing wp-config.php script and save it to another randomly generated filename for backup. What this means is not only did the plugin demand 777 for wp-config.php, it demanded 777 for the entire WordPress installation! There is no other way to install this plugin than 777 on the entire installation! This is a plugin! It actually demands 777 on the entire installation right within the software.
This is how people think in this crazy world. The author came up with this. A developer installing this plugin would make that setting. A security administrator would quit! Do not alter WordPress folder permissions. If you have to open permissions on a file to install a plugin, set it back when you’re done. But never alter a folder.
4. Setting the Username to Admin
The username should never be Admin. It should never be on record 1 in the database either.
5. Not Hiding The WordPress Login Screen
The WordPress login screen should be hidden. Always.
6. Not Disabling Comments
Does anyone actually use WordPress for blogging anymore? If you do you’ll get spammed to death. Spamming WordPress sites is a Google thing. Everyone wants that external link. I remove the comments capability completely. Why mess with it? Comments are a thing of the past especially in light of Google’s external link philosophy.
7. Setting WordPress Database Table Prefix To Wp_
The database table prefix should never be wp_. Set it to something else.
8. Giving Too Much Permission To The Database User
Wordrpess runs on a database. It connects to the database with a username and password. Inside the database that user account has privileges. There are approximately 20 privileges. WordPress only needs six. A responsible network administrator will assign to the WordPress account only the minimum access it needs to get work properly. They do not open the account up to unlimited access. Proper setting of access to the database is essential in WordPress.
How We Handle Your WordPress Installation
Setting up WordPress properly is not easy. You have to approach it as a security risk inherently. Anything that includes anonymous write access is a problem on a network. Don’t be naïve in thinking WordPress is traditional software. It’s not. It is a collection of scripts offered for free. There is no accountability what so ever. The themes and plugins are collections of free scripts too. This isn’t software built by employees offered for sale. It is a collection of unregulated scripts offered for free. It’s a great system but the responsibility lies with you. So how do you take the collection of unregulated scripts and make it a suitable platform for your corporate web site? Here are the things that I do on every WordPress site we host:
1. I download the source directly from WordPress.org and install it from the command line. This preserves the structure and permissions as intended by the authors.
2. I install WordPress by hand only on Linux servers at the command line. Linux is the WordPress native platform. I do not use installation tools. I do not install WordPress on Windows Servers either.
3. I make custom settings for file ownership and permissions at the command line. I have a very specific way of installing WordPress.
4. I provide the minimum permissions to the database account while maintaining full functionality for my clients.
5. I use only high quality published themes with a proven track record. I only use high quality plug ins as well.
6. I set strong 10 character passwords. This matters. No weak passwords allowed. I keep them on behalf of my clients in case they lose them. Users cannot create accounts. I don’t use the default Admin for the username either.
7. I remove anonymous posting entirely. I use WordPress as web site software not blogging software. There is no comments table in my installations. Forms yes, anonymous comments no.
8. Once the site is operational I lock down the installation. I recommend IThemes Security for WordPress. You better know what you’re doing because you can find yourself locked out easily.
9. I backup the WordPress database for three successive weeks so I can roll back. It’s a proprietary system. I do this because if your site is compromised your backup may be compromised too. This way I can go back up to a month if necessary.
Wordpress is great. It needs to be managed correctly. Just because it runs does not mean it’s right. There are hundreds of settings. Nothing within WordPress to warn you your installation is wrong. WordPress is free. Because it’s free management is more important than ever!