WordPress sites are marvels of Internet programming, but there are WordPress security issues you should be aware of
WordPress sites sit on a database. To create a WordPress site you need to enable access to the WordPress database. Writing data into a database from the Web is inherently a risky thing. WordPress security issues stem from what programmers call anonymous write access. If you use it, you had better be aware of how dangerous it can be.
There are as many people looking to hack a WordPress site as there are looking to view it. Bad guys can scan sites looking for WordPress login screens, and they can easily harvest potential sites to hack. If you need help protecting your WordPress site, call us!
Those of us in the Internet business know no site is truly secure. WordPress sites, with their database backend and anonymous write access, make easy targets for hackers. Here are a few measures that I take with WordPress sites:
1. File Permissions
WordPress requires write access to work properly. Webmasters struggling to get something working have a tendency to assign 777 access to files and folders. Yes, it solves your immediate access problem, but it is a horrible thing to do. I’ve actually read forums instructing people to set file and folder permissions to 777. This means that anyone can write to your server. Anyone.
I use a specific combination of owner, group, and file permissions when I install WordPress. This allows full functionality without having to resort to brute-force 777.
2. Database Access
How you connect to a database is critical. If the database account you connect with has full privileges, you are asking for trouble. Set up a database user with as few privileges as possible. Once you have the site established and built out, dial the permissions back even further. For example, you don’t need table create and drop on a mature site. You just need basic read/write access.
If you connect to your WordPress database with too much authority, you are vulnerable to SQL injection. Hackers can inject SQL through a web page that only reads from the database; the page doesn’t have to perform a write for the injected statement to do damage.
The other security measure all webmasters should take is to shut down the MySQL port to the outside world. You need a firewall that closes MySQL. The combination of excessive database privileges and an open MySQL port is bad.
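As an added example (not from the original post), here is how the privilege dial-back described above looks in MySQL. The database name wp_site, the account name wp_app and the password are placeholders; substitute your own, and keep wp-config.php’s DB_USER/DB_PASSWORD in step with them.

```sql
-- Added example: least-privilege MySQL account for a WordPress site.
-- wp_site, wp_app and the password are assumed placeholder values.

-- 1. Create the application account bound to localhost only, so the
--    credentials are useless over the network even if the MySQL port
--    is ever exposed.
CREATE USER 'wp_app'@'localhost' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD';

-- 2. During installation and build-out, WordPress core and plugins
--    create and alter tables, so schema rights are needed for now,
--    but only on the WordPress database, never globally (*.*).
GRANT SELECT, INSERT, UPDATE, DELETE,
      CREATE, DROP, ALTER, INDEX
   ON wp_site.* TO 'wp_app'@'localhost';

-- 3. Once the site is mature, dial the account back to basic
--    read/write. Serving pages and editing posts needs only these
--    four privileges, so an injected statement can no longer
--    DROP or ALTER tables.
REVOKE CREATE, DROP, ALTER, INDEX
    ON wp_site.* FROM 'wp_app'@'localhost';

-- 4. Check the result: expect only SELECT, INSERT, UPDATE, DELETE
--    on wp_site.* and no privileges on *.*.
SHOW GRANTS FOR 'wp_app'@'localhost';
```

A core or plugin update that changes the schema will fail under the reduced grants; re-run step 2 for the update window and step 3 afterwards.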
3. Security Plugins
There are several good plugins available. I use Better WP Security. It forces you to take basic measures like changing the WordPress database table prefix. It also locks out users attempting to access the back end.
Once you install the plugin it shows you a dashboard. There are about 20 items that need to be addressed. The red items are insecure and need to be addressed immediately. The yellow items should be tightened up. The green items are OK.
Don’t be lulled into thinking WordPress is secure software because it’s not. WordPress is intended to be cool software that can do a lot of things. It is not intended to be secure. It is not secure at all as it comes out of the box. When you start opening things up to get them to work it becomes even less secure.
Rest assured you will have as many people trying to hack your WordPress site as there are looking at it. It’s an unfortunate fact of life that everything on the Internet is open to attack. Since these sites are driven by a database, rather than by static files uploaded over FTP like a traditional site, they are particularly vulnerable.