Hello, I am pitching to build a WordPress site for a big client. I am capable in WordPress design and build; however, I have always overlooked security, thinking that the built-in functions would be enough.
One of the questions my client has raised is:
<blockquote>WordPress has a number of security issues. It is notoriously vulnerable to SQL injection attacks, for example, and the open source nature of WordPress makes it relatively easy to gain unauthorized access to files. We would therefore like the site protected with security plugins such as Better WP Security.</blockquote>
I would like to know how you would protect a site, how and why?
Please let me know any plugins or custom edits you would do.
<blockquote>WordPress has a number of security issues. It is notoriously vulnerable to SQL injection attacks, for example, and the open source nature of WordPress makes it relatively easy to gain unauthorized access to files.</blockquote>
I don't agree if they mean the WordPress core: it's well maintained, tested by millions, and security patches are shipped out fast.
Here are some ideas for both WordPress and other CMSs:
- rule 1: always assume your site (wordpress or not) will be hacked, then you must have a recovery plan ;-)
- use the latest CMS version
- use only quality hosting
- use htpasswd on the backend (wp-admin/* and wp-login.php)
- consider <a href="https://www.cloudflare.com/overview">cloudflare.com</a> to block threats and limit abusive bots
- don't use FTP
- use only "well tested" plugins/extensions
- consider the security plugins (like BWS for WordPress)
- don't forget the backups
Hope this helps
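One way to put the "htpasswd on the backend (wp-admin/* and wp-login.php)" item into practice, as an added example that is not part of the original answer: a POSIX shell script that writes the Apache 2.4 directives putting HTTP basic auth in front of wp-admin/ and wp-login.php. It assumes Apache 2.4 with AllowOverride enabled for the site and a password file created beforehand with the Apache `htpasswd -c` utility somewhere outside the document root (the `/etc/apache2/wp-backend.htpasswd` path is a placeholder). It deliberately leaves wp-admin/admin-ajax.php reachable, because front-end themes and plugins request that file for logged-out visitors and a blanket prompt on wp-admin/ would break them.

```shell
#!/bin/sh
# Added example (not from the original answer): Apache 2.4 basic-auth rules for
# the WordPress backend. Assumes AllowOverride is on for the site and that the
# password file already exists OUTSIDE the document root, e.g. (placeholder path):
#   htpasswd -c /etc/apache2/wp-backend.htpasswd editor

# write_wp_admin_htaccess <wordpress-root> <htpasswd-file>
# Creates wp-admin/.htaccess requiring a valid user for everything in wp-admin/
# except admin-ajax.php, which front-end code requests without a session.
write_wp_admin_htaccess() {
    wpa_root=$1
    wpa_passwd=$2
    mkdir -p "$wpa_root/wp-admin"
    cat > "$wpa_root/wp-admin/.htaccess" <<EOF
AuthType Basic
AuthName "WordPress backend"
AuthUserFile $wpa_passwd
Require valid-user

# admin-ajax.php is called by logged-out visitors (search, forms, lazy loading),
# so it stays open; everything else in wp-admin/ gets the basic-auth prompt.
<Files admin-ajax.php>
    Require all granted
</Files>
EOF
}

# append_wp_login_auth <wordpress-root> <htpasswd-file>
# Appends a marked block for wp-login.php to the site root .htaccess so the
# WordPress rewrite rules already in that file are left untouched.
# Idempotent: a second run does not duplicate the block.
append_wp_login_auth() {
    wla_root=$1
    wla_passwd=$2
    wla_file=$wla_root/.htaccess
    if [ -f "$wla_file" ] && grep -q '^# BEGIN wp-login basic auth' "$wla_file"; then
        return 0
    fi
    cat >> "$wla_file" <<EOF
# BEGIN wp-login basic auth
<Files wp-login.php>
    AuthType Basic
    AuthName "WordPress backend"
    AuthUserFile $wla_passwd
    Require valid-user
</Files>
# END wp-login basic auth
EOF
}

# count_login_auth_blocks <wordpress-root>: number of marked blocks in the
# root .htaccess (should stay at 1 however often the script is re-run).
count_login_auth_blocks() {
    grep -c '^# BEGIN wp-login basic auth' "$1/.htaccess"
}

# Demo on a throwaway directory; no real site is touched.
demo=$(mktemp -d)
write_wp_admin_htaccess "$demo" /etc/apache2/wp-backend.htpasswd
append_wp_login_auth "$demo" /etc/apache2/wp-backend.htpasswd
append_wp_login_auth "$demo" /etc/apache2/wp-backend.htpasswd
echo "== wp-admin/.htaccess"; cat "$demo/wp-admin/.htaccess"
echo "== wp-login blocks in root .htaccess: $(count_login_auth_blocks "$demo")"
rm -rf "$demo"
```

Basic auth in front of the login page also means that brute-force attempts against wp-login.php never reach PHP or the database; the extra credentials should be distinct from any WordPress account password.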
WordPress is a lot more secure than your client's remark suggests; if we compare the number of installs and the number of exploits, then the chance that you will get hacked is small. The list mentioned above covers 99% of the use cases. Main points:
- stay up-to-date
- move wp-config.php
- don't use wp_
- don't use admin
- good unique passwords
- use good plugins
- reduce the rights of your users as low as possible, do they <strong>have</strong> to be admin?
If you run into trouble it will be because your install is out of date, has funky plugins (timthumb), your users use admin:password, or tell somebody their password.
Some good links for further research:
- http://codex.wordpress.org/Hardening_WordPress (Must read, like the whole of the Codex)
- http://wp.smashingmagazine.com/2012/10/09/four-malware-infections-wordpress/ (What kind of malware are we most likely to meet)
- http://blog.softlayer.com/2012/tips-and-tricks-how-to-secure-wordpress/ simple security measures
- http://www.wpmayor.com/plugin-reviews/top-10-essential-wordpress-security-plug-ins/ excellent list of plugins to test
Bonus: be as up-to-date as is possible without pulling WordPress from SVN:
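A way to check the wp-config.php points from the list above (the "don't use wp_" prefix, moving wp-config.php, and keeping user rights low) before handing a site over, as an added example that is not part of the original answer: a POSIX shell audit that reports the default table prefix, placeholder keys and salts, WP_DEBUG left on, a missing DISALLOW_FILE_EDIT, a world-readable file, and a config still sitting in the document root. WordPress loads wp-config.php from the document root or, if none is there, from the directory above it, which is why `find_wp_config` checks both places. The two fixture files it writes are constructed for the demo and contain no real credentials.

```shell
#!/bin/sh
# Added example (not from the original answer): audit a wp-config.php for the
# weak defaults the answer lists. audit_wp_config exits with the number of
# findings, so `audit_wp_config path || exit 1` works as a deploy gate.

# find_wp_config <document-root>: WordPress loads wp-config.php from the
# document root, or from the directory above it when the root has none
# (that is what "move wp-config.php" relies on), so both places are checked.
find_wp_config() {
    if [ -f "$1/wp-config.php" ]; then
        printf '%s\n' "$1/wp-config.php"
    elif [ -f "$1/../wp-config.php" ]; then
        printf '%s\n' "$1/../wp-config.php"
    else
        return 1
    fi
}

# audit_wp_config <path-to-wp-config.php>: one line per finding on stdout,
# exit status = number of findings (0 means nothing flagged).
audit_wp_config() {
    awc_cfg=$1
    awc_n=0
    # "don't use wp_": automated injection payloads hard-code wp_users/wp_options.
    if grep -Eq "^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$awc_cfg"; then
        echo "FINDING: default table prefix wp_"; awc_n=$((awc_n + 1))
    fi
    # Stock placeholder keys/salts mean cookies are signed with a value everyone knows.
    if grep -q 'put your unique phrase here' "$awc_cfg"; then
        echo "FINDING: placeholder AUTH_KEY/SALT values"; awc_n=$((awc_n + 1))
    fi
    # WP_DEBUG on a live site shows file paths and queries to visitors.
    if grep -Eq "WP_DEBUG['\"][[:space:]]*,[[:space:]]*true" "$awc_cfg"; then
        echo "FINDING: WP_DEBUG enabled"; awc_n=$((awc_n + 1))
    fi
    # "reduce the rights of your users": without DISALLOW_FILE_EDIT any admin
    # session can write PHP through the theme/plugin editor.
    if ! grep -Eq "DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true" "$awc_cfg"; then
        echo "FINDING: DISALLOW_FILE_EDIT not set"; awc_n=$((awc_n + 1))
    fi
    # Column 8 of ls -l is the "other read" bit; the DB password lives in this file.
    if [ "$(ls -ld "$awc_cfg" | cut -c8)" = "r" ]; then
        echo "FINDING: wp-config.php is world-readable"; awc_n=$((awc_n + 1))
    fi
    # "move wp-config.php": flag it while it still sits beside wp-settings.php.
    if [ -f "$(dirname "$awc_cfg")/wp-settings.php" ]; then
        echo "FINDING: wp-config.php is inside the document root"; awc_n=$((awc_n + 1))
    fi
    return $awc_n
}

# Constructed fixtures for the demo (no real credentials).
write_weak_config() {
    cat > "$1" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'root' );
define( 'DB_PASSWORD', 'password' );
define( 'AUTH_KEY', 'put your unique phrase here' );
define( 'SECURE_AUTH_KEY', 'put your unique phrase here' );
$table_prefix = 'wp_';
define( 'WP_DEBUG', true );
EOF
    chmod 644 "$1"
}
write_hardened_config() {
    cat > "$1" <<'EOF'
<?php
define( 'DB_NAME', 'example_db' );
define( 'DB_USER', 'example_user' );
define( 'DB_PASSWORD', 'CONSTRUCTED-PLACEHOLDER' );
define( 'AUTH_KEY', 'constructed-example-salt-1' );
define( 'SECURE_AUTH_KEY', 'constructed-example-salt-2' );
$table_prefix = 'k8x_';
define( 'WP_DEBUG', false );
define( 'DISALLOW_FILE_EDIT', true );
EOF
    chmod 600 "$1"
}

# Demo: one site with the weak config in its root, one with the hardened
# config moved one level above the root.
demo=$(mktemp -d)
mkdir -p "$demo/weak/site" "$demo/hard/site"
: > "$demo/weak/site/wp-settings.php"
: > "$demo/hard/site/wp-settings.php"
write_weak_config "$demo/weak/site/wp-config.php"
write_hardened_config "$demo/hard/wp-config.php"
for root in "$demo/weak/site" "$demo/hard/site"; do
    c=$(find_wp_config "$root") || { echo "no wp-config.php for $root"; continue; }
    echo "== $c"
    audit_wp_config "$c" && echo "clean" || echo "findings: $?"
done
rm -rf "$demo"
```

The weak fixture produces six findings and the hardened one none; the checks are plain `grep` patterns against the `define(...)` lines WordPress ships, so the script runs anywhere a shell and the config file are reachable.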
I completely disagree with your client's remarks. He may have had a bad experience of open source scripts with SQL injections, but that does not make popular open source CMSs more vulnerable to SQL injection and other security-related issues. On the contrary, a CMS developed by an active community always finds quick ways against the latest vulnerability.
In my opinion, WordPress is the most secure among all the open source scripts I have experienced.