In recent months, the web world was hit with an exploit that affected many users across various web development platforms, from custom systems to Drupal and WordPress. This hack exploited a security vulnerability in the popular TimThumb image-resizing PHP script, which let an attacker upload and execute their own PHP code on any website running an older version of the script, effectively giving them full control of the site.
An exploit of this nature, of course, didn’t go unnoticed. Within hours of the exploit being publicised, developers and website owners alike were rushing to their computers to make sure that all was safe on their online real estate. Having assisted many WordPress users in upgrading and safeguarding their websites, I can assure you that this was not a hack to be taken lightly.
Website security is a topic in constant discussion online. The steady discovery of new web exploits keeps website security specialists on their toes, making sure that their clients’ websites are as secure as possible. It is also a topic that cannot be discussed enough, as it is important for website owners (technical and non-technical alike) to be aware of the latest developments and of the methods for safeguarding their content online. Today, I’d like to run through a few steps you can take towards safeguarding your WordPress-powered website.
As with security in any context, awareness of one’s surroundings is important. The difference here is that one’s surroundings are, essentially, the entire internet. As daunting as that may seem, there are ways of keeping informed about developments in the web world. Simply following several tech-related websites, such as Memeburn and, for WordPress users, WPCandy, is a great way of making sure that you know exactly what’s going on around you and your website.
In addition to this, keeping an open line of communication with your website development team (if you haven’t developed your website yourself) is important, so that the team behind your website is also aware of developments in website security. The same goes for your theme provider, if you make use of a premium WordPress theme on your website.
Keeping your software up to date is something that cannot be mentioned enough, and it also ties in with awareness. When using a third-party system, it is important to stay aware of developments in that system. WordPress, for example, publishes maintenance and security releases over time to keep your website as secure as possible. Keeping on top of these upgrades is important, as it ensures that you’re running the latest and most secure version of the software (along with any new features they’ve bundled in, which is, of course, a bonus).
The same goes for WordPress plugins and themes. If you’re looking to modify your theme, be sure to use a child theme so that the parent theme can still be upgraded without losing your changes. Regarding plugins, keep up with upgrades, and delete plugins and themes you no longer use rather than merely deactivating them: outdated code that is still present on your web server can be requested directly and exploited whether or not it is active (the TimThumb script, which shipped inside theme folders, is a case in point). Keeping your WordPress-powered website up to date isn’t too difficult, provided you keep up with regular upgrades. Upgrading is one of those things whose true benefit one only realizes if and when something goes wrong or an exploit is made public.
Up until now, we haven’t really looked into any code that can help to secure your website.
When maintaining or upgrading your WordPress-powered website, wp-config.php is the one file the upgrade process never touches. It contains your database settings and any other setup you’ve manually added to the file. Naturally, it’s possible to bolster this file a bit more by following the guidelines on the WordPress Codex’s page about wp-config.php. While that page explains each section of the file in detail, I’d like to focus on a few headings in particular that relate to security.
If you let WordPress create your wp-config.php file for you, you’ve no doubt seen the security keys section when opening the file in a text editor. These eight keys and salts are used to sign the cookies WordPress sets when a user logs in, so long, random, unique values make those cookies far harder to forge. Changing them invalidates every existing login session, which is worth doing after any suspected compromise. You can use the online security key generator at https://api.wordpress.org/secret-key/1.1/salt/ to create the code for you, which you’d then paste into your wp-config.php file in place of the placeholder lines.
WP_DEBUG, while incredibly useful in a development environment, should always be set to false on a live website. While this isn’t strictly a security measure, PHP warnings and notices printed on a page reveal absolute file-system paths and other details of your server configuration to anyone who happens to see them.
By default, WordPress looks for wp-config.php in the folder it is installed in (typically public_html) and, failing that, exactly one folder above it. Placing wp-config.php above public_html adds a layer of protection: the web server can no longer serve the file directly, so if PHP handling is ever misconfigured and .php files are sent as plain text, your database credentials aren’t exposed, and the file is also out of reach of an FTP account that is limited to public_html. Note that WordPress only checks one level up, and only if that parent folder doesn’t itself contain a WordPress installation.
There are several other advanced techniques listed on the WordPress Codex, such as changing the database table prefix from the default wp_. These are best handled when first installing WordPress. If you wish to implement them on an existing website, I’d advise erring on the side of caution, unless you are a more advanced user who is comfortable working directly with the MySQL database. That being said, it doesn’t hurt to read the full page on the WordPress Codex to familiarize oneself with the possibilities. This is part of keeping oneself aware, as mentioned above.
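As an added example (not code from the original post, and not WordPress’s own code), here is a small Python script that audits a wp-config.php for the points above: it flags security keys that are still the sample file’s placeholder or are too short, WP_DEBUG left on, and the default wp_ table prefix, and it reports whether the file sits inside the web root or one level above it using the same lookup order WordPress uses. The two sample configurations and the throwaway directory layouts are constructed inline for the demonstration; the key generator is an offline stand-in for the online generator, not the WordPress API, and the regexes assume the one-line define() style of the generated file.

```python
"""Audit a wp-config.php for unique keys/salts, WP_DEBUG off, a non-default table
prefix, and the file's location relative to the web root. Added example only."""
import os
import re
import secrets
import tempfile

# The eight constants WordPress uses to sign its authentication cookies and nonces.
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# Value shipped in wp-config-sample.php; a site still using it never set its keys.
PLACEHOLDER = "put your unique phrase here"

DEFINE_RE = re.compile(r"""define\(\s*['"]([A-Z_]+)['"]\s*,\s*(.+?)\s*\)\s*;""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""")


def parse_defines(src):
    """Map constant name -> raw PHP value for every one-line define() in the file."""
    return {name: raw for name, raw in DEFINE_RE.findall(src)}


def php_string(raw):
    """Unquote a simple PHP string literal; return None for non-string values."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
        return raw[1:-1]
    return None


def audit(src):
    """Return a list of findings for a wp-config.php source string (empty = all checks passed)."""
    findings = []
    defines = parse_defines(src)
    for name in KEY_NAMES:
        value = php_string(defines.get(name, ""))
        if value is None:
            findings.append(f"{name} is not defined")
        elif PLACEHOLDER in value or len(value) < 32:
            findings.append(f"{name} is the placeholder or too short")
    # WordPress treats an absent WP_DEBUG as false, so only an explicit true is a finding.
    if defines.get("WP_DEBUG", "false").strip().lower() != "false":
        findings.append("WP_DEBUG is enabled; set it to false on a live site")
    match = PREFIX_RE.search(src)
    if match is None or match.group(1) == "wp_":
        findings.append("table prefix is the default wp_")
    return findings


def generate_key_defines():
    """Offline stand-in for the online generator: eight 64-character random keys.
    token_urlsafe only emits [A-Za-z0-9_-], so the values are safe inside PHP single quotes."""
    return [f"define('{name}', '{secrets.token_urlsafe(48)}');" for name in KEY_NAMES]


def locate_config(abspath):
    """Mimic WordPress's lookup: ABSPATH/wp-config.php first, then one directory up,
    but only if that parent is not itself a WordPress install (no wp-settings.php there)."""
    abspath = os.path.abspath(abspath)
    inside = os.path.join(abspath, "wp-config.php")
    if os.path.isfile(inside):
        return inside, "inside web root"
    parent = os.path.dirname(abspath)
    above = os.path.join(parent, "wp-config.php")
    if os.path.isfile(above) and not os.path.isfile(os.path.join(parent, "wp-settings.php")):
        return above, "one level above web root"
    return None, "not found"


# Constructed sample configs (not real credentials): the sample file's defaults vs a hardened one.
WEAK_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
define('WP_DEBUG', true);
"""

HARDENED_CONFIG = ("<?php\ndefine('DB_NAME', 'wordpress');\n"
                   + "\n".join(generate_key_defines())
                   + "\n$table_prefix = 'site7_';\ndefine('WP_DEBUG', false);\n")


def demo_layouts():
    """Build two throwaway installs under a temp dir and report where each config is found."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        for label, config_dir in (("inside", "public_html"), ("above", "")):
            site = os.path.join(root, label)
            docroot = os.path.join(site, "public_html")
            os.makedirs(docroot)
            open(os.path.join(docroot, "wp-settings.php"), "w").close()
            with open(os.path.join(site, config_dir, "wp-config.php"), "w") as fh:
                fh.write(HARDENED_CONFIG)
            results[label] = locate_config(docroot)[1]
    return results


if __name__ == "__main__":
    print("weak config:", audit(WEAK_CONFIG))
    print("hardened config:", audit(HARDENED_CONFIG))
    print("layouts:", demo_layouts())
```

Run it against your own file with `audit(open('/path/to/wp-config.php').read())`; the sample-file defaults produce ten findings, the hardened configuration none. The length check (32 characters) is a conservative floor for a key that was actually generated rather than typed by hand.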
In addition to the above, when installing WordPress, make sure to set up your default administrator with a username other than “admin”. This is a common starting point for hackers trying to get access to your website, since a known username halves the guessing work in a brute-force login attempt. Pair it with a strong, unique password: a non-default username only removes the easiest guess, and WordPress still reveals usernames in places such as author archive URLs.
If your website receives a high amount of traffic, is updated regularly or is a primary source of income, your data has become even more valuable. If you are prepared to invest in a third-party security service, VaultPress by Automattic is a great way of making sure that your website is constantly monitored for vulnerabilities and that backups are available to you, should anything transpire. With the price tag attached, this service may not be for everyone. If you feel it important to further secure your data, I’d recommend looking into VaultPress further.
In addition, I’d recommend contacting the company hosting your website, asking what security and backup measures they have in place on your hosting account. Whether or not you ever need to use this information, it’s important to know the full scope of what is keeping your website secure.
On a final note, while website security can seem daunting and intimidating, it should be approached from a standpoint of staying aware and in the know. That way, if issues do arise on your website, you are able to calmly resolve them and get your website back to where it was, knowing the full scope of the security measures in place.