WordPress Security Does Not Have To Be Frightening
Approachable steps to securing your WordPress website
About Cornershop Creative
• We offer a wide range of affordable services for nonprofits and small businesses
– Website design
– Strategic planning
– Campaign implementation
– Salsa strategy and design
– WordPress maintenance
Intended audience
• Beginner to Intermediate WordPress users
– Have a WordPress site
– Familiar with the WordPress admin dashboard
– Have installed plugins and themes
Goals for today
• Understand why security matters for every website
• Learn basic steps to secure your WordPress
– Consistently update
– Install 1-2 security plugins
– Disable comments & trackbacks
or install an anti-spam plugin
or install a social commenting plugin
– Monitor
– Optionally bring in the experts
1. Security matters: Spam
1. Security matters: Hacks
1. Security matters: Who’s attacking?!
2. Consistently Update
• Core
• Plugins
• Themes
• Premium plugins & themes
3. Install 1-2 security plugins
• Bad Behavior
• WordFence
• iThemes Security
4. Disable comments & trackbacks
• Disable Comments
– By Samir Shah
4. Install anti-spam plugin
4. Social commenting plugins
5. Monitor
6. Optionally: Bring in the experts
Review
• Security matters for every website
• Basic steps to secure your WordPress
– Consistently update
– Install 1-2 security plugins
– Disable comments & trackbacks
or install an anti-spam plugin
or install a social commenting plugin
– Monitor
– Optionally bring in the experts
Resources: Plugins
• Plugins
– Bad Behavior
– WordFence
– iThemes Security
– Disable Comments
– Akismet
– Disqus Comment System
– Facebook Comments by Vivacity
Creative Commons attributions
• Flickr photo by Stròlic Furlàn - Davide Gabino
– https://www.flickr.com/photos/strolicfurlan/14481395826/
• Flickr photo by andreas_fischler
– https://www.flickr.com/photos/fischler/6181295838/
• Flickr photo by Rose Davies
– https://www.flickr.com/photos/rosedavies/110850792/

WordPress Security Does Not Have To Be Frightening - 16NTC WordPress Day

Editor's Notes

  1. Pushing spam over the internet is just as common as sending spam through email. Spam comments almost always contain links with lots of search engine keywords, directed to a dodgy website. If a WP user logs in to their admin dashboard and sees this many comments, it’s probably a bad thing. Especially if they don’t expect commenting on the site at all! If the comment list looks like this, with comments like these, they’re a victim of spam attacks. Nobody wants to be responsible for more spam in the world.
  2. While a spammer tries to get content onto a WP site, a hacker tries to take control of the WP site or even the web server. Once they take over the site, the hacker will commonly change the site for their own financial gain. They send different content to search engines, crammed with keyword-filled links to yet more dodgy websites. If you visit the site, you won’t even see a change! But Google will. They send spam emails. Again, no one wants to be responsible for more spam in the world! They serve phishing pages, trying to steal innocent people’s email, banking, and other personal credentials. Reputable hosts and organizations will eventually notice and flag the site as an attack site. Hosts send very terse emails like this one, received by a client last year who brought us in to help clean up the mess. All major browsers show dire warnings before allowing users to proceed to the site, driving away supporters! This is Chrome’s.
  3. For almost everyone, it’s not personal. There’s no conspiracy. There’s no vendetta. There’s no dedicated attacker. Instead, malicious programs are constantly trawling the internet in search of an easy victim. In the physical world, imagine a large group canvassing a neighborhood, quickly trying every door and window. If it’s easy, they’re in. If it’s not, they don’t care and move to the next house. Houses aren’t singled out in any way. But a completely insecure house is quickly attacked. There’s a constant smattering of automated attacks falling across the internet like a rainy day. Putting a website on the internet is like stepping outside into the weather. The rain doesn’t know or care who it soaks. And so long as you have an umbrella, you don’t need to care much about it either.
  4. Now that we understand why security matters for every website, let’s move on to the WordPress equivalents of locking your doors and opening your umbrella. First and most important, keep WordPress, plugins, and themes up to date. When a new security vulnerability is discovered and corrected, WordPress or the plugin/theme author releases a security update. The groups running those automated attack scripts learn about the technique as well. They start trying to exploit the old, now known-vulnerable version right away. The goal is to update the vulnerable software before a trawling attack tries to exploit it. WordPress and all plugins & themes from the WordPress.org site can be easily updated through the WordPress admin dashboard. If you log in and see a number next to the circled arrows, this will tell you how many updates are available. After you reach the update page, feel comfortable updating everything possible. The WordPress development community prioritizes backwards compatibility. If an update could ever mess up a living website, the author will make a huge deal of it. There’s one huge caveat here. Premium plugins and themes, such as those purchased directly from the author or through a premium service like ThemeForest, usually can’t update through WP Admin. Keep an eye open for emails from the author, who will often send a notice when a new version releases. If the words “security” or “vulnerability” appear anywhere in the notice, you’ll want to hop right on the update following whatever process they instruct.
  5. Now that you’re updating the site and clearing up known vulnerabilities, it’s time to get a bit proactive in protecting WordPress by installing a few security plugins. Our goal here is to lock the doors and windows. We’re not setting up an alarm system. We’re not hiring a security guard. We don’t want to be the low-hanging fruit. There are oodles to choose from, some of which complement one another and others that conflict terribly. The general guidelines for security plugins are the same as selecting functional plugins. Check when it last updated, preferring more actively maintained projects. Check the install count and review score, preferring more installs and better reviews. Finally, skim the support forum link and see if any of the situations people complain about apply to the site. In terms of specific recommendations, we always install Bad Behavior. It’s a specialist plugin that does a great job of insulating the site from a wide range of clearly automated attacks by detecting their “bad behaviors”. After Bad Behavior, we recommend an additional, more general security plugin. In this slot, we go with either WordFence or iThemes Security. WordFence is easy to configure and does an entirely acceptable job for most sites out of the box. iThemes Security is inarguably more powerful. But that power comes with a tradeoff of requiring extensive configuration to be the most effective for your particular situation.
  6. Next we’re going to focus again on the spam side of life. A spammer works by abusing WordPress’ standard commenting system to get their bogus links to show up on the website. For the many, many sites using WordPress to manage content easily, rather than as a blogging and discussion platform, a dead simple answer is just to shut off commenting. In the WordPress admin Discussion settings, there are two checkboxes to disable discussion on new content. The first is obvious and clearly says “comments”. The second is obtuse and easily missed, mentioning “trackbacks”. This is an automated feature where another blog can let WordPress know they reference its content. Sadly the feature is far more frequently used by spammers claiming they “referenced” WordPress’ content at a bogus link. Even if you allow comments on your site, I recommend disabling trackbacks. There’s a catch, sadly. This Discussion settings page only sets the default for new content. It doesn’t change the settings for existing content. To accomplish that, I recommend the very aptly named Disable Comments.
  7. OK, comments and discussion with supporters through the website are critical to accomplishing your mission. That’s fine. You can’t shut out all spam but you can automatically check incoming comments like an email spam filter. There’s no discussion of tradeoffs here. Use Akismet. It is, hands down, the standard for comment spam filtering. It’s also a free service for all but the largest and most active communities.
  8. Alternately, we have the option of making comment spam someone else’s problem by switching to a social commenting plugin. The two major players in this space are Facebook, where a site’s comment area is fully replaced with a Facebook comment thread, and Disqus, which allows people to log in and contribute using a wide variety of services including Twitter, Facebook, Google, Yahoo, and so on. By using one of these social discussion plugins, Facebook or Disqus will receive every attempted comment, legitimate or spam. Telling the difference is up to their own spam filters.
  9. As I mentioned previously, what we’re doing is the internet equivalent of locking our doors and windows. Consider the real-world implications of never visiting a vacation home. Who knows what happens? Log on occasionally and look for anything new or different. You’re doing this anyway for updating, right? Set the security plugin to send emails.
  10. If you can install WordPress and a plugin, everything I discussed today is within your reach. That said, I understand and respect that “maintain the website” all too often shows up as a job responsibility bullet point without the time or training to do it. Bringing in a group of experts to maintain a WordPress site can be easy and affordable. Cornershop Creative offers a WordPress Maintenance Package, including daily WP, plugin, and theme updates as well as support for small site tweaks and prioritized support in the event of a problem.
  11. This session hopefully helped you understand why security matters for every website, even and especially when no attacker targets you. You learned the basic steps to lock your doors and windows on the internet. Keep everything up to date. Install a security plugin or two. Disable comments & trackbacks to prevent spam. Or, if discussions are required for your case, either install Akismet or use a social commenting service. Keep an active eye on your site for anything wonky or concerning. Again, I know that if you can install WP and a plugin, everything here is within your reach. But if you’re swamped with other work more central to your organization’s mission, consider bringing in experts to handle the basics in the long term.
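
The update check (note 4), the comments and trackbacks catch for existing content (note 6) and the occasional look-in (note 9) can also be done from a terminal. This is an added example, not part of the original deck; it assumes WP-CLI (`wp`) is installed and run from the WordPress root, and the function names are made up for illustration.

```sh
#!/bin/sh
# Added example (not from the deck). Assumes WP-CLI is installed as `wp`
# and that this runs from the WordPress root directory.

# Count plugins or themes with an update waiting. $1 = plugin | theme
# Per the deck, premium plugins/themes usually cannot update through
# WP Admin, so they may not be reported here; watch the author's emails.
pending_updates() {
  wp "$1" list --update=available --format=count
}

# Defaults applied to NEW content: the two checkboxes on the
# Discussion settings page (comments, and trackbacks/pingbacks).
discussion_defaults() {
  printf 'comments=%s pings=%s\n' \
    "$(wp option get default_comment_status)" \
    "$(wp option get default_ping_status)"
}

# IDs of EXISTING content that is still open; changing the defaults
# above does not touch these. $1 = comment_status | ping_status
open_ids() {
  wp post list --post_type=any --post_status=any "--$1=open" --format=ids
}

# Count whitespace-separated words in $1 (0 for an empty string).
count_words() {
  set -- $1
  echo "$#"
}

# One-line report, suitable for a periodic look-in or a cron email.
audit() {
  printf 'plugins_outdated=%s themes_outdated=%s %s open_comments=%s open_pings=%s\n' \
    "$(pending_updates plugin)" "$(pending_updates theme)" \
    "$(discussion_defaults)" \
    "$(count_words "$(open_ids comment_status)")" \
    "$(count_words "$(open_ids ping_status)")"
}

# Close comments and trackbacks for new AND existing content.
close_discussion() {
  wp option update default_comment_status closed
  wp option update default_ping_status closed
  # Merge both ID lists and drop duplicates.
  ids=$(printf '%s\n' $(open_ids comment_status) $(open_ids ping_status) \
        | sort -un | tr '\n' ' ')
  set -- $ids
  if [ "$#" -eq 0 ]; then
    return 0   # nothing left open
  fi
  wp post update "$@" --comment_status=closed --ping_status=closed
}

# Usage: ./wp-hygiene.sh audit   (read-only)
#        ./wp-hygiene.sh close   (changes the site; take a backup first)
case "${1:-}" in
  audit) audit ;;
  close) close_discussion ;;
esac
```

Run `audit` first and read the counts; `close` only fits sites that, as note 6 describes, do not need on-site discussion at all.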