How to secure a WordPress Site – A Rebuttal
This is a rebuttal to a bad article by Smashing Magazine on how to secure your WordPress site.
Don’t follow anything on that page. It’s not going to help you secure anything; it’ll just give you a false sense of security, which in my opinion is worse.
By no means is this canon, nor should you really use this as a checklist. I just wanted to point out the bad advice in that article.
1. Prevent Unnecessary Info From Being Displayed
So, don’t show error messages…
My Issue With It
Hiding useful error messages is not going to make your site secure. It’ll just make things more confusing: now when you mistype a password, you won’t know what went wrong. This is called “security through obscurity”, and it’s the wrong way to secure anything.
2. Force SSL Usage
My Issue With It
Forcing SSL does not secure your site, it just secures your connection to it. SSL does not equal security; many hacked sites are using SSL to this day.
3. Use .htaccess To Protect The wp-config File
My Issue With It
A little-known thing about WordPress: you can keep your wp-config.php one directory above your document root. That’s a better way of ensuring people can’t get at that file, but hiding this file is not going to make your site secure.
4. Blacklist Undesired Users And Bots
My Issue With It
Maintaining a list of bad IPs and bots in your .htaccess is just asking for trouble. It can be done, but be aware of the performance impact and the importance of keeping that list up to date.
6. Fight Back Against Content Scrapers
My Response
This is not a “security” thing; it’s more of a “don’t let people share your content” thing. If you’re that concerned about it, put a watermark on the images, or put the images behind a members-only area of your website.
8. Remove Your WordPress Version Number… Seriously!
My Response
See #1; this is security through obscurity. It has absolutely no value in “securing” your site.
9. Change The Default “Admin” Username
My Response
This should actually be “don’t use 123456 as your password”. WordPress 3 lets you pick your own username, which is fairly easy to guess with a default install of WordPress, but a secure password is not.
10. Prevent Directory Browsing
My Response
This is good advice with mad medicine: adding a disallow to your .htaccess is not going to prevent a user from typing in the URL itself and seeing your directory.
To disable directory browsing, add the following line to your .htaccess:
Options -Indexes
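As an added example (not from the original post), a small POSIX shell audit covering both #3 and #10 above: it checks that a document root's .htaccess carries "Options -Indexes" and that wp-config.php sits one level above the WordPress directory without that parent still being web-served. Function names are hypothetical and the sample tree is constructed inside the script.

```shell
#!/bin/sh
# Audit helpers for two of the points above: directory listing disabled,
# wp-config.php kept outside the web-served tree. Names are hypothetical.

# 0 if the docroot's .htaccess has an "Options ... -Indexes" directive.
indexes_disabled() {
  [ -f "$1/.htaccess" ] &&
    grep -Eiq '^[[:space:]]*Options[[:space:]].*-Indexes' "$1/.htaccess"
}

# 0 if wp-config.php is absent from the WordPress dir ($2), present one level
# up, and that parent is not itself inside the docroot ($1). WordPress only
# falls back to ../wp-config.php when ../wp-settings.php does not exist.
wpconfig_outside_docroot() {
  docroot=$(cd "$1" && pwd -P) || return 1
  wpdir=$(cd "$2" && pwd -P) || return 1
  parent=$(dirname "$wpdir")
  [ ! -f "$wpdir/wp-config.php" ] || return 1
  [ -f "$parent/wp-config.php" ] || return 1
  [ ! -f "$parent/wp-settings.php" ] || return 1
  case "$parent" in
    "$docroot"|"$docroot"/*) return 1 ;;   # parent is still web-served
  esac
  return 0
}

# Constructed, deliberately weak sample site; prints its docroot path.
make_demo_site() {
  base=$(mktemp -d)
  mkdir -p "$base/www/wp-includes"
  printf '<?php // sample config\n'   > "$base/www/wp-config.php"
  printf '<?php // sample settings\n' > "$base/www/wp-settings.php"
  printf 'RewriteEngine On\n'         > "$base/www/.htaccess"
  echo "$base/www"
}

# Apply the two fixes to a site whose WordPress dir is the docroot itself.
harden_site() {
  printf 'Options -Indexes\n' >> "$1/.htaccess"
  mv "$1/wp-config.php" "$1/../wp-config.php"
}

site=$(make_demo_site)
indexes_disabled "$site" && echo "listing: off" || echo "listing: ON"
wpconfig_outside_docroot "$site" "$site" && echo "wp-config: outside" || echo "wp-config: in docroot"
harden_site "$site"
indexes_disabled "$site" && echo "listing: off" || echo "listing: ON"
wpconfig_outside_docroot "$site" "$site" && echo "wp-config: outside" || echo "wp-config: in docroot"
rm -rf "$(dirname "$site")"
```

Run it against a real docroot by calling the two check functions with your own paths; the script's own demo tree is only there to show the before/after result.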
Articles like these are one of the reasons I started ZippyKid. There is a lot of bad information out there that good people consume and apply without knowing any better, which ends up giving them more problems than they should have.
If you’re interested in a secure WordPress Host, sign up with us, use the coupon code SECURITAH, and get 25% off your monthly bill for life.
FYI...
With regards to #2. Securing, at a minimum, your admin area over SSL will ensure that man-in-the-middle attacks aimed at your site will fail, as the SSL encryption will fail.
From the official WordPress Codex on Hardening WordPress:
http://codex.wordpress.org/Hardening_WordPress
"The ultimate implementation of this "2nd layer" password protection is to require an HTTPS SSL encrypted connection for your /wp-admin/ directory, so that all communications and sensitive data is encrypted. See Administration Over SSL."
So, he was right, you should.
Rob,
SSL by itself is not secure today. If I put up an SSL site, it doesn't mean I'm authorized; people don't know how to verify the identity of an SSL provider. So, SSL alone is not a good indicator of a site where you should be putting your password. That's what I was trying to get at.
Security - by definition - is relative. Why? Because the definition of security (according to Merriam-Webster) is "freedom from danger", and we all know that there's no such thing as total freedom from danger. Therefore security is in fact relative.
That being the case, this article, "WordPress Security Through Obscurity?" offers some clarity on the matter. It's written by 17-year veteran of Internet security.
To rebut your rebuttal...
1) Security through obscurity has some value; you make it sound like it has no value. It can help prevent you from being a target. I personally remove the generator tag from all my WordPress installs for this reason, as well as the fact that it's pointless. I love how the comment by it says keep this for stats, when WP gets stats when it calls home checking for updates.
2) This is your most dangerous rebuttal. To say don't use SSL because it doesn't secure the site, just the connection, is like saying to a homeowner don't bother locking your door because someone can still climb in through your window. NO, just lock the door AND your window. Next you'll be telling us not to install security patches because there may still be other unpatched security holes.
3) The wp-config file SHOULD be protected; whether you put it in the next directory up or use .htaccess doesn't matter. In fact, WordPress is not always in the root web directory, so just moving it up one, it could still in some cases be web accessible.
4) How is blocking such things a bad idea? Yea, you mention performance issues, but only if you are blocking tons of IPs.
5) Well, your rebuttal here is more of a clarification that for once is accurate.
6) see #1
7) For those who installed WP before 3.0 the admin name exists and YES it should be changed. Even in 3.0 it still defaults to admin if you don't change it. But yes, use a good password too; hint: zippykid is NOT a good password.
8) Ok wow, 2 correct points. You could also just drop an empty index.php file in each directory. Ahhh, silence is golden.
It's a little confusing that you're getting so worked up over Smashing's blog post. Yes, there are parts that are wrong, but you can easily point those out and look like an expert. Instead, you got angry and looked 12 years old. Doesn't take long to edit your post, buddy.
Your 'rebuttal' to 8 in particular is a little desperate. What if I really didn't like you, and looked up your WP version number on packetstorm or such like, to find an obscure exploit with your site that I wouldn't have known to look for otherwise? Right, it doesn't magically strengthen your code, but it does deter the average wronged script kiddie from googling "[your version number] exploits".
Just sounds here that you're being a little uppity. Relax, take a step back, and post a bit nicer to people (especially on sites you're writing 'rebuttals' to).
With respect,
Kris
Sorry Zippy - but you are completely wrong here.
Doing these 10 items WILL lessen the chances of your WordPress site getting hacked - end of story.
WordPress, with added "security through obscurity", is better than just standard WordPress.
As for hiding version numbers - it's one of the best added security tips around. When/if an exploit gets known for WordPress, it can take several weeks for Core Code to release a fix. In that time, many hackers/spammers will do a search for websites containing that version number. Sites without the version number are LESS likely to get hacked.
Whilst I agree that these tips won't strengthen the application layer, they do successfully lessen the chances of your blog getting targeted.
And just to remind you, using a username and password for access to your website is also "security through obscurity", the obscurity of no one knowing your password.
This article seems like a personal attack on a good article, with the means being to drive traffic to your hosting service.
I'd be very interested to know what you do differently from my own webhost that makes you a "Secure WordPress Host" ... maybe you could write a good article on that?
Glad no one at Smashing could be bothered to read the official docs on hardening WP:
[...] He totally missed the official Hardening WordPress page and generated a lot of comment traffic. All of his tweaks were rebutted by commenter Vid Luther (Mobile Commerce and Technology Evangelist and ZippyKid owner) in a separate How to Secure a WordPress Site. [...]
[...] How To Secure A WordPress Site | The ZippyKid Blog This is a rebuttal to a bad article by Smashing Magazine on how to secure your WordPress site. (tags: wordpress security) [...]