WordPress Security — If It Ain’t Broke, Fix It Before It Is

WordPress is a hugely popular content management system that started out as a blogging platform and has evolved into much more. Millions of websites are built on WordPress today with more being built every day.

As a result, WordPress security has become a large and very important issue.

WordPress is a Hacker’s Delight

John Sawyer

Because of its popularity, WordPress now has a huge bullseye on its figurative back, and those with nothing more positive to do with their time are actively looking for ways to exploit security flaws.

Being in charge of WordPress security these days is like being the defensive coordinator for a football team. Not only do you have to correct the defects you know about, you have to try to anticipate what the opposing team (the so-called “Black Hats”) is going to attack next. In short, you must react to threats as quickly as possible while trying to prevent new ones.

Thomson Reuters Goofed

Apparently, the IT folks at Thomson Reuters lost sight of that fact, as reported in a recent story in the CIO Journal. The company was still running version 3.1.1 of WordPress which is woefully out of date. The current version is 3.4.1 released a few weeks ago.

In the many months between the release of 3.1.1 and the current version, the WordPress development team found and fixed many security flaws. More importantly, the Black Hats have known about these flaws longer than that.

In my opinion, there is no excuse for running that old a version of WordPress on a public-facing site, especially one with as high a profile as Thomson Reuters. It’s one thing to be a version behind, but three?? More if you count the minor patch releases. The only surprise here is that it took the Black Hats that long to hack the site.

Have You Updated?

Okay, before we bash the Thomson Reuters people further, let’s have a show of hands. How many of you WordPress users still see the yellow banner that says “WordPress 3.4.1 is available. Please update now” when you log in to your dashboard? I guarantee the number is higher than it should be.

Go do that update now while you’re thinking about it. I’ll wait…Done? Great!

I understand the reluctance to update the minute an update comes out. I have been burned enough times by flawed updates that I approach them with appropriate caution. I test WordPress updates on non-production sites before applying them to live sites, so that any obvious problems are spotted right away.

As a matter of policy, I do not update to major releases until the first patch appears. For example, when 3.4 came out, I held off updating until 3.4.1 appeared a couple of weeks later. Inevitably, the first patch contains bug fixes and security fixes that are shaken out in the field after the major release.

This is not in any way meant to disparage WordPress software or its developers. WordPress is a fairly complex software framework that not only has to perform its core functions, but must also provide a platform for countless themes and plugins coded to various degrees of quality.

Any software of that complexity is going to have bugs and security flaws. It’s a fact of life and just something we deal with because it’s not possible to get it perfect.

So, the aforementioned football game between the White Hats (us) and the Black Hats (them) goes on ad infinitum. It only makes sense to have the best protection possible in place as soon as practical. You wouldn’t play football with a leather helmet these days, would you?

What can you do to protect your site?

Obviously, step one is to keep WordPress and any plugins and themes updated to a very recent, if not the latest version. The next important step is to maintain current backups of your site.

Backing up WordPress requires not only backing up the database, but the plugins, themes and media files, as well. There are plenty of plugins available to automate the process so that you can set it up and have it run periodically.

For my clients’ sites, I run a daily database backup and a weekly site backup (including the database) and store those backups offline in Amazon S3 or another similar service.

For all the talk about backups, there is too little attention paid to the other side of the equation: restoring from the backups. Backing up is great, but unless you have tested the backups periodically to be sure they will restore properly, you’re leaving yourself open to the possibility that the restore will not work when it’s needed.

The last thing you want is to discover your backup is flawed right after your server has crashed!
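The backup-and-restore procedure described above, as an added example that is not part of the original post and not BackupBuddy’s code: it bundles the site files and a database dump into one archive with a checksum manifest, then proves the archive restores into a scratch directory rather than the live site. The miniature site tree, the SQL dump and the function names (`wp_backup`, `wp_restore_test`, the two `*_demo` helpers) are constructed for this example; on a real host the dump would come from `mysqldump` and the site directory would be the WordPress document root.

```shell
#!/bin/sh
# Constructed example: back up a WordPress-style tree plus a DB dump, then prove the backup restores.
set -eu

# wp_backup <site_dir> <db_dump_file> <archive_path>
# Bundles site files and the database dump, taken together so they cannot drift out of sync,
# into one tarball along with a sha256 manifest of every file.
wp_backup() {
  site="$1"; dump="$2"; out="$3"
  stage=$(mktemp -d)
  cp -R "$site" "$stage/files"
  cp "$dump" "$stage/database.sql"
  ( cd "$stage" && find files database.sql -type f -exec sha256sum {} + > MANIFEST.sha256 )
  tar -C "$stage" -cf "$out" files database.sql MANIFEST.sha256
  rm -rf "$stage"
}

# wp_restore_test <archive_path> <restore_dir>
# Restores into a scratch directory (never the live site) and checks the result:
# every file matches the manifest, the dump is non-empty, and wp-config.php came back.
# Returns 0 when the restore verifies, 1 otherwise.
wp_restore_test() {
  archive="$1"; dest="$2"
  mkdir -p "$dest"
  tar -C "$dest" -xf "$archive"
  ( cd "$dest" && sha256sum -c --quiet MANIFEST.sha256 ) || return 1
  [ -s "$dest/database.sql" ] || return 1
  [ -f "$dest/files/wp-config.php" ] || return 1
  return 0
}

# wp_backup_demo <workdir>: builds a constructed miniature WordPress tree and dump,
# backs them up and verifies the restore. Returns 0 on success.
wp_backup_demo() {
  work="$1"; site="$work/site"
  mkdir -p "$site/wp-content/plugins/demo-plugin" "$site/wp-content/uploads/2012/07"
  echo "<?php define('DB_NAME', 'wp_demo');" > "$site/wp-config.php"
  echo "<?php /* constructed plugin file */" > "$site/wp-content/plugins/demo-plugin/demo.php"
  echo "constructed image bytes" > "$site/wp-content/uploads/2012/07/photo.jpg"
  printf 'CREATE TABLE wp_posts (ID bigint);\nINSERT INTO wp_posts VALUES (1);\n' > "$work/dump.sql"
  wp_backup "$site" "$work/dump.sql" "$work/site-backup.tar"
  wp_restore_test "$work/site-backup.tar" "$work/restore-test"
}

# wp_empty_dump_demo <workdir>: the failure mode a restore test is meant to catch.
# A zero-byte dump (what a silently failed mysqldump leaves behind) packs into a
# perfectly good-looking archive; only the restore test reveals it. Returns 1.
wp_empty_dump_demo() {
  work="$1"; site="$work/site2"
  mkdir -p "$site"
  echo "<?php define('DB_NAME', 'wp_demo');" > "$site/wp-config.php"
  : > "$work/empty.sql"
  wp_backup "$site" "$work/empty.sql" "$work/bad-backup.tar"
  wp_restore_test "$work/bad-backup.tar" "$work/restore-bad"
}

# Stand-alone run: a good backup verifies, an empty-dump backup is rejected.
demo_dir=$(mktemp -d)
wp_backup_demo "$demo_dir" && echo "backup verified: $demo_dir/site-backup.tar"
if wp_empty_dump_demo "$demo_dir"; then echo "unexpected: empty dump passed"; else echo "empty dump rejected"; fi
```

The manifest check is what turns a backup job into a tested backup: an archive that was written without error can still be missing the database or carry a truncated file, and a weekly run of `wp_restore_test` against a scratch directory finds that before the live server does.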

Backing Up Your Site

For my clients, and my own sites, I use BackupBuddy from iThemes. There are a number of free WordPress plugins for backup. However, I have yet to find one that works as well as BackupBuddy for the two most important functions necessary: backup AND restore.

In addition, BackupBuddy has the ability to migrate sites from one domain to another which makes it ideal for restoring backups to test sites to verify the backups. This avoids having to restore to your live site to test the backup, which is a Catch-22 if you think about it.

To review, keep your WordPress site up to date and keep it backed up. These two steps will keep you as close to 100% security as it’s possible to get.

John Sawyer is The Small Business Website Guy, an IT professional with over 30 years’ experience in software and web development. John specializes in developing and maintaining websites built on the WordPress platform. His mission is to provide technical services to businesses and individuals who would rather run their business than mess with their website.

Comments

  1. Reassuring – my webmaster is doing this! She updates regularly and has a similar process as yours: she doesn’t do it immediately because there are inevitably conflicts with plugins we use. And fortunately, our provider has an automatic backup feature.

    I appreciate this John. And thanks Jeannette for having this most informative guest blog post.

  2. Hi, Patricia,

    Thanks for the kind words. You’re fortunate to have a webmaster who keeps your site up to date. You bring up a good point about potential conflicts with plugins and themes when WordPress releases a new major version. Ideally, the plugin and theme authors will have been ahead of the release by testing on beta releases, but that’s not always the case. It’s yet another reason to try it first on a test site before applying updates to the “real” site.

    Regarding host backups, unless your host is one of the WordPress specialist hosting companies, you will want to be sure that WordPress is being backed up correctly. As I mentioned, there are two parts to WordPress, the database and the server files. Ideally, they should be backed up simultaneously as it’s possible for them to get out of sync if not. This is why I use a plugin specifically for that purpose and I do not rely on my host’s backups at all.

    If you only have one WordPress instance on your hosting account, the host’s backup is a reasonable plan B, but if you have multiple WP instances, you want to be able to restore them individually if needed. Unless your host provides incremental restores (usually an extra cost option, if available at all), you’ll have to restore your entire account even if only one WP instance requires restoring. Again, a backup plugin such as Backup Buddy eliminates this problem.

    In short, check your host’s backup policy carefully to be sure it’s WordPress friendly.

  3. I’m a fan of BackupBuddy (and WP too). I have it on one of my blogs and need to get it on others. Do you know if there’s an easy way to apply the license to multiple blogs (how do you do this if you want to – all my log in information to BackupBuddy brings me to a sell page with no information on how to manage my account)? After you log in, do you know where can you find and amend account information related to your particular subscription?

    • Hi, Nanette,

      Backup Buddy licenses are controlled from the Plugins page in your WP dashboard. There should be a Manage Licenses link under the Backup Buddy listing.

      I assume you know that in order to use Backup Buddy on multiple sites you must have purchased a multi-site license. I haven’t checked recently, but I believe the minimum is two licenses which means you can use BB on two sites. They also have a 10-site license and a developer license which allows it to be used on unlimited sites.

      In any case, when you click the Manage Licenses link, you’ll be prompted to log in with your iThemes site password. If you have available licenses, you can create or assign one as needed. You can also remove a license from a site if you’re no longer going to be using it.

      I understand that iThemes is working on a new licensing system as the current one has had some issues.

  4. WOW!!! I have a web developer who is working on the next phase of my blog and we haven’t updated to the newest version yet. I have a meeting with him this week. I will be addressing this as a major concern. Thanks so much for drawing attention to this.

    His biggest concern regarding updating something before testing it is what it will do to the current structure. He is careful not to break or disturb the current look. Nevertheless, we need to get this done.

    • Hi, Susan,

      Your developer’s concern is valid, but that’s why having a test site that mirrors your production site is important. You can mess around all you want on the test site without danger of mucking up the live site. Once you’re satisfied that an update won’t break anything, you can apply it to your live site.

      This is another area where Backup Buddy shines. It’s very easy to restore a backup of your live site to a test site so that you know you’re working with an exact clone of the live site. If an update messes up the test site, you can wipe it out, restore, and re-test when there’s a fixed version of whatever broke it.

      Thanks,

      John

  5. Great tips, John, and I use Backup Buddy, which is so easy to schedule. I read recently that you should get rid of inactive plugins as they are a security risk. Is that true? Also, I have had quite a number of hackers trying to access my website lately and always wonder if they schedule an attack every few weeks.

    • Hi, Susan,

      There will always be people trying to log in to your site that don’t belong there. I’ve been using a security plugin called WordFence on my and my clients’ sites and I get alerts every day that someone’s been locked out for having too many login fails. The “visitors” come from various countries, but it’s interesting that the same ones show up over and over again.

      I don’t know that it’s a scheduled thing. It’s more likely that they’ve stumbled across your site and added it to a list of sites in an automatic script that keeps trying different user name and password combinations to see if they can get in. This is a good case for having a strong password and a way of limiting login attempts such as what WordFence does. WordFence lets you limit the number of failed login attempts before locking the visitor out completely for a specified period of time that you can set. The fewer tries you give them, the less likely the bad guys will guess your login credentials.

      As for inactive plugins, they should be removed for several reasons, not the least of which is the possibility that an inactive version is out of date. If a plugin isn’t being used, it’s just clutter and confusion waiting to happen, so unless it’s one that you periodically activate for a particular purpose then turn off again, it should be removed. The same applies to inactive themes.

      Thanks,

      John
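The failed-login lockout rule the reply above describes, as an added example that is not part of the original post and not WordFence’s code: it reads login events and reports a source address as locked out once it has reached a set number of failures inside a time window. The log format (epoch seconds, source IP, username, result), the sample lines and the function name `login_lockouts` are constructed for this example.

```shell
#!/bin/sh
# Constructed example: threshold-and-window lockout logic over sample login events.
set -eu

# login_lockouts <logfile> <max_failures> <window_seconds>
# Constructed log format, one event per line: "<epoch> <ip> <username> <FAIL|OK>"
# An address is reported as locked the first time it accumulates <max_failures>
# failed attempts within <window_seconds>; later failures from a locked address
# are not re-reported. Successful logins and addresses that fail slowly are ignored.
login_lockouts() {
  awk -v max="$2" -v win="$3" '
    $4 == "FAIL" {
      ip = $2; t = $1
      c[ip]++; ts[ip, c[ip]] = t
      # count this address'"'"'s failures that fall inside the window ending now
      k = 0
      for (i = c[ip]; i >= 1 && t - ts[ip, i] < win; i--) k++
      if (k >= max && !(ip in locked)) {
        locked[ip] = t
        print ip, "locked at", t, "after", k, "failures"
      }
    }' "$1"
}

# write_sample_log <path>: constructed events. 198.51.100.7 hammers the login form,
# 203.0.113.9 is a user who mistyped once, 192.0.2.44 fails slowly (1000 s apart).
write_sample_log() {
  cat > "$1" <<'EOF'
1341885600 198.51.100.7 admin FAIL
1341885605 198.51.100.7 admin FAIL
1341885610 198.51.100.7 administrator FAIL
1341885612 203.0.113.9 editor FAIL
1341885615 198.51.100.7 admin FAIL
1341885620 198.51.100.7 admin FAIL
1341885625 198.51.100.7 admin FAIL
1341885900 203.0.113.9 editor OK
1341886000 192.0.2.44 admin FAIL
1341887000 192.0.2.44 admin FAIL
1341888000 192.0.2.44 admin FAIL
1341889000 192.0.2.44 admin FAIL
1341890000 192.0.2.44 admin FAIL
EOF
}

# Stand-alone run: five failures within ten minutes triggers a lockout.
sample=$(mktemp)
write_sample_log "$sample"
login_lockouts "$sample" 5 600
```

The window is what keeps the rule honest in both directions: a tight threshold with no window would eventually lock out a legitimate user who fumbles a password a few times a month, while a threshold alone with no memory of timing is what lets a slow guessing script stay under the radar. In a plugin such as WordFence the lockout duration is the third setting; here the reported timestamp is where that clock would start.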

  6. Hi John,
    Thomson Reuters is a great example of what can go terribly wrong if we don’t keep our software updated. I always try to wait for the patched release unless I hear from one of my trusted WP “gurus” that there’s more risk to waiting than to upgrading.

    As for backups, in addition to backing up on a regular basis, I host my website with Rochen Host. They have their own proprietary software called Rochen Vault and they back up my database and entire site for me. In addition to their secure off-site backups, their tech support is superb. For me, paying a little bit more per month is worth the peace of mind knowing that they’re in my corner. Rochen is more than a hosting vendor to me. They’re the vendor that I outsource my hosting to.

    • Hi, Sherryl,

      Yes, a reliable backup system is well worth the extra investment. It’s difficult to calculate what the cost would be of having one’s site hacked. It’s the same principle as any insurance policy. You hope you’ll never need it, but if you do, it’s worth way more than what you paid for it.

      Thanks,

      John

  7. Great post and so true! I can say that I experienced first hand the frustrating ramifications of failing to update WordPress in a timely manner. Russians hacked my husband’s web site and took us down for days. Luckily, YOU came to our rescue. Thanks again and for informing people of this important issue.

    • Hi, Amy,

      Thanks for the kind words. Your experience is a good example. In your case, it was a specific piece of code that is widely used in plugins and themes for WordPress. While not part of WordPress itself, it was so widely used that many sites were hacked before the code was updated to prevent further attacks. All the bad guys had to do was look for the specific file on the server. Once they found it, it was easy for them to infect it by exploiting a known security flaw in it. Fortunately, it’s long since been patched, but there are still a lot of old copies of it floating around out there.

      Thanks,

      John

  8. Thanks for this informative post, Jeannette & John. This is one place where I know I will get the straight scoop on what works when blogging. I was depending on the backup to do its work but now I understand that it’s important to test the systems to make sure they’re working. Again, thanks.

    • Hi, Dolores,

      Thanks for the kind words. It’s important that people realize that backing up is only half the battle. The whole purpose of backing up is to be able to restore a site in the event of a disaster so it’s critical to make sure that the backup is in fact able to be restored. As with many things, there’s only one sure way to find out…restore it! This can be done to a test site so that there is no danger of wiping out the live site if something goes haywire. Of course, that’s the time you want to find out that the backup is flawed, not when your server has gone south and has to be restored from scratch.

      Thanks,

      John

  9. Even as a non-WordPress user this is still really useful information. You’re right, there’s no excuse to be behind 3 versions. That’s just crazy. This is the third blog post I’ve read concerning WordPress. I think someone is trying to tell me something. Great post!

    • Hi, Dennis,

      Thanks for the comment. You’re correct, the principles apply to computing in general. There’s a reason why Windows is updated on a regular basis, for example, and backups are crucial for any computing platform. Anybody who’s had a hard drive crash and lost a few years’ worth of photos, music, or whatever has learned that the hard way!

      Thanks,

      John

  10. Hi John,

    There’s a zillion things I myself can do to mess up my website. It’s a weight off my mind to know that you have my back and I don’t have to think about the backups on a daily basis. That gives me more time to accidentally create a problem for you to solve. Thanks for the informative article, and thanks for doing the heavy lifting for me.

    • Hi, Suzanne,

      You’re most welcome. The whole purpose of the exercise is to let you do your thing without having to worry about the technical end of things.

      Thanks,

      John

  11. Good article John. Like you, I don’t upgrade until the first patch arrives, because of problems in the past.

    Thank you for the information about WordFence. Installed it.

  12. Lorenzo — Yes, BackupBuddy increasing their offsite storage capacity will be a boon to very robust WP websites with a lot of content.