How secure is your site?

In the last 24 hours, I’ve had two separate phishing emails, pointing to dummy banking sites, as they do. Both had set up shop, so to speak, by commandeering someone else’s site and setting up their replica pages in a deeply nested sub-directory – exactly like the parasites they are! Presumably, the site owners did not even realise there was anything afoot.

This prompted me to wonder how the perpetrators had gained access, and how secure my own sites are. So I did a bit of research, specifically in the area of securing WordPress (although many of the principles apply to other kinds of site too)…

What you can do to protect your site

There’s a lot you can do actually – some quite technical, some much easier. In reality it’s probably very difficult and beyond the ability of most of us to fully secure our sites, but unless you’re dealing with very sensitive (i.e. financial) information, you probably don’t need to.

When being chased by a lion, you don’t need to be able to outrun the lion, just the guy next to you! The same principle applies here: make it sufficiently difficult to get into your site, and the bad guys will be inclined to give up and move on to easier pickings.

  • Stay up to date. As various vulnerabilities are exposed, upgrades are released to fix them, both to core WordPress, and to various plugins and themes. By upgrading, you don’t stop hackers finding new ways in, but at least you shouldn’t fall victim to known exploits.
  • Make regular backups of your entire site – database and all the files that make up your site. This won’t stop you from getting hacked, but could make it a lot easier to recover from it. Also really handy if your web server goes up in flames one day :-) .
  • Use a decent password. This should be something that’s hard to guess, and should contain a mix of upper and lower case letters and digits. And no, “password” and “letmein” don’t qualify!
  • Keep your finger on the pulse of your blog. Check your stats (probably not a problem for most bloggers – we’re generally pretty obsessed with this anyway); look out for unusual activity.

Find out more

If you’re interested in finding out more, I recommend you check out Wordprezzie’s list of very practical security tips. BlogSecurity has a very good (but quite technical) free WordPress security white paper which you can download, and also has a scanner to check your site for vulnerabilities.

If that doesn’t satisfy you, do what I did: search Google for WordPress security.


4 Responses to “How secure is your site?”


  1. kahthan

    Actually I’m glad I just saw this post, until now, while I do take security seriously, I haven’t really taken a backup of it.. damn.. nice post.. cheers

  2. Rodney Smith

    Yup, it’s often not something you think of until it’s too late…

  3. Armen Shirvanian

    I wonder if it is best to upgrade at every single version change, or whether it is more reasonable to check for version changes that have more major alterations in them. The idea about getting a backup every once in a while seems like a good idea, and takes a bit of initiative.

  4. Rodney Smith

    Armen: Often the minor releases plug security holes, so by not upgrading you potentially expose your site to being hacked. I agree somewhat though that it’s not always wise to be on the “bleeding edge”.
