How Secure is Wordpress Installation?
01-24-2010, 10:54 PM
Post: #1
How Secure is Wordpress Installation?
If you are using the standard settings for your Wordpress installation there is a very high probability of your site getting hacked sooner rather than later. The reason for this is simple:
Wordpress is open source so everyone has access to the source code; this is one of the reasons there are so many updates to Wordpress - to plug security holes. But did you know that there are a few basic settings you can change to make it more difficult for a hacker to destroy your work?
When WP is installed via Fantastico, there are common defaults, such as:
- admin username is admin
- database is account_wrdp1
- table prefix is wp_
These settings should be changed to make it harder for hackers to guess what they are.
You can also nominate one or two IP addresses that are allowed to log into the Admin panel; all other IPs are blocked.
Always keep your WP install up-to-date; older versions are easier to crack.
Do these few simple things and hackers will bypass your site and go to other sites that are easier to attack.
Ken
Thank given by: asap916, Impulse
|
02-04-2010, 11:33 AM
Post: #2
RE: How Secure is Wordpress Installation?
Thanks for this insightful post.
I've installed my blogs using Fantastico. What I want to know is, can I rename admin username, database name and table prefix? Thanks in advance.
|
02-05-2010, 03:57 AM
Post: #3
RE: How Secure is Wordpress Installation?
Thanks for the useful insight. - Hackers either love them or hate them.
|
02-05-2010, 05:44 AM
Post: #4
RE: How Secure is Wordpress Installation?
(02-04-2010 11:33 AM)fab145 Wrote: Thanks for this insightful post.
Changing your admin user name is quite easy. Once you are logged into your Wordpress admin area, create a new user with full admin rights. Log out of the Wordpress admin area and then log in using the new administrator username and password (to ensure it works). You can then delete the old admin user.
I used to do all my Wordpress installs manually, setting up my database through cPanel and then specifying the table prefix (if any) in the wp_config file. But after about 20 installs I became lazy and now do it through SimpleScripts - at least I can specify my username and password.
It is possible to rename the databases and table prefixes (do a Google search), but it is a real pain in the you know what and fraught with dangers. I don't attempt it any more; I simply rely on keeping my Wordpress installs up-to-date with the latest releases and do weekly auto backups. After all, no system is 100% secure!
I recommend:
Knowledge is knowing that tomato is a fruit - Wisdom is knowing not to put it in fruit salad!
|
03-18-2010, 03:50 PM
Post: #5
RE: How Secure is Wordpress Installation?
Here are two ways to deal with this problem:
1. Keep up to date with the latest WP version: The WordPress developers do not maintain security patches for older WordPress versions. Once a new version has been released or the vulnerability has been fixed, the information required to exploit the vulnerability is almost certainly in the public domain, making any old versions more open to attack by a simple script kiddie. If you are an administrator in charge of more than one WordPress installation, consider checking out all copies of WordPress via Subversion (see Installing/Updating_WordPress_with_Subversion), and using an accompanying script to keep all checkouts up to date en masse.
2. Report bugs: If you find what you think is a bug, report it -- see Submitting_Bugs. You might have uncovered a vulnerability, or a bug that could lead to one. If you think you have found a serious security flaw, see the Security FAQ for information on how to report the flaw.
|
03-27-2010, 05:16 PM
Post: #6
RE: How Secure is Wordpress Installation?
My buddy has a full list of things to lock down WP; he covers them in great detail. Here is the resource:
http://www.bloglockdown.com (not an affiliate link)
Craig is well known in the IM niche for over-delivering, and I have been helping him on a number of projects from a technical/design/CSS point of view for about 5 years now.
My suggestions to help lock WP down are:
- NEVER use "admin" as the user name (so many people in the IM niche do this); use an email address (which is a lot harder to guess than "admin")
- Use passwords that have UPPERCASE / lowercase / 123456 (numbers) and / !@#$% special characters - as this is harder to crack if they try to use brute force and standard dictionary terms to guess your password
- Turn OFF directory browsing in your cPanel from the public_html directory
- Change your password often (use something like ROBOFORM to keep track of your passwords)
- Keep your plugins updated (as these are often weak points for hackers to get access)
- Keep WP up to date (for the same reason - plug the security holes)
- Change the name of the wp-admin folder
- Yes, you can rename the database tables (see Craig's book on how to do that; he gives a step by step on how to do all that)
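Added example, not posted by anyone in this thread: a small Python audit that reports which of the defaults named in the first post (user admin, a database named like account_wrdp1, table prefix wp_) are still in place, plus the directory-browsing item from the list above. It assumes DB_NAME and $table_prefix are set in wp-config.php and that listing is turned off by an Options -Indexes line in .htaccess; the audit function and the sample inputs are constructed for illustration.

```python
import re

# Installer defaults named in the first post of this thread.
DEFAULT_PREFIX = "wp_"
DEFAULT_ADMIN = "admin"
DEFAULT_DB_RE = re.compile(r"^[A-Za-z0-9]+_wrdp\d+$")  # e.g. account_wrdp1

# define('NAME', 'value') constants and the $table_prefix assignment.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")
PREFIX_RE = re.compile(r"""^\s*\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""", re.M)
# Assumption: listing is disabled by an uncommented "Options ... -Indexes" line.
NO_INDEX_RE = re.compile(r"^\s*Options\b.*(?<!\S)-Indexes\b", re.M | re.I)


def audit(wp_config, htaccess, usernames):
    """Return one finding per default from the thread that is still in place."""
    findings = []
    db_name = dict(DEFINE_RE.findall(wp_config)).get("DB_NAME", "")
    if DEFAULT_DB_RE.match(db_name):
        findings.append("database name %r matches the installer default pattern" % db_name)
    prefix = PREFIX_RE.search(wp_config)
    if prefix and prefix.group(1) == DEFAULT_PREFIX:
        findings.append("table prefix is still the default 'wp_'")
    if any(name.lower() == DEFAULT_ADMIN for name in usernames):
        findings.append("an account named 'admin' exists")
    if not NO_INDEX_RE.search(htaccess):
        findings.append("directory browsing is not disabled in .htaccess")
    return findings


# Constructed sample inputs, not taken from any real site.
DEFAULT_CONFIG = """<?php
define('DB_NAME', 'account_wrdp1');
$table_prefix  = 'wp_';
"""
HARDENED_CONFIG = """<?php
define( 'DB_NAME', 'acct_blogdata' );
$table_prefix = 'k7x_';
"""
HARDENED_HTACCESS = "Options -Indexes\n"

if __name__ == "__main__":
    for finding in audit(DEFAULT_CONFIG, "", ["admin", "editor1"]):
        print("WARN:", finding)
    print("hardened findings:", audit(HARDENED_CONFIG, HARDENED_HTACCESS, ["site.owner"]))
```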
|
09-12-2010, 12:03 AM
Post: #7
RE: How Secure is Wordpress Installation?
WARNING – WARNING — Custom Permalink Structure NOT Recommended for Large Blogs... What is a large blog? Over 100 pages? More than 200 pages? Long or short pages?
The Custom Structure will slow your page load times way down but you won't notice until it's too late to fix. The URL Permalink Structure should begin with a numeric field, not a text field. The 2nd or 3rd option under permalinks should be used, NOT the Custom option. The Custom Option puts the %category% or %postname% at the beginning of the permalink structure and that means all pages must include explicit rewrite rules, OR extra queries have to be done every time permalinks are resolved to see if a page is being requested.
Under the Custom Permalink Structure, the .htaccess file is like a huge piece of Endless Brand Luggage overflowing with your collection of ebooks and downloads for the past 5 years. It's full but you still have to stuff more in with every page load until the lines of code are into the 10's of 1000's and it gets bogged down reading all that code again and again for every page load... the server is going to get overloaded and start to rebel against the load and then crash.
EXCEPTION: Small blogs will not be noticeably affected.
The structure recommended by WordPress has always been correct. Matt Cutts and WordPress.Org use correctly structured Permalinks. So WHY does the rest of the WORLD think SEO Experts know better than both WordPress and Matt Cutts? Maybe because they were supposed to fix this issue over a year ago. Most Senior WP Programmers gave up after realizing another patch wasn't going to help the back-end. Years of haphazard code by many "volunteer" programmers doesn't include plans for scaling. I'm sure they figured someone else was handling the back end but I don't know of any back-end web developers that even use WordPress. Those guys barely acknowledge WP exists and I think they are secretly laughing at SEO Experts right about now.
CONCLUSION: the .htaccess file will be huge with rewrite rules causing server overload because every line of code must be read with each page load, making performance intolerable for large blogs.
SOLUTION: Follow WordPress instructions and use the option with Month and Year - the 2nd or 3rd option. The Custom Option is NOT there for SEO experts unless they are Programmers. The two or three SEO/Programmers are the only ones NOT misleading WP Users down this path of slow page loads and Server Overload problems.
Personally I don't think SEO Experts are doing this on purpose. They simply don't care about Programmers and their problems. It's in their nature to believe Programmers will fix whatever is wrong because they better or look what's going to happen if they don't! Your SEO Expert has a job to do and no Code in some weird file that has no name is going to get in their way.
Why don't the WP Programmers say something? They have said enough by giving everyone the same instructions to follow. What about every WP Video that instructs something different? The person watching the Video is watching it because they obviously don't like to read so how are they going to know? They won't unless they are lucky enough to run into my long, letter like posts or go to SeoBullshit.com - Look for The Gypsy and Sebastian . . . they are worse than me!!