How secure is WordPress?

Does anyone know how secure WordPress is?
I have no clue how to define “how secure”. But compared to other CMS systems, how secure is it?

Update:


To elaborate a bit on my project.
I’m gonna have a lot of users registering. Once logged in, they will have access to plugins which I’m developing. In about 6 months I will also offer paid services – I’m thinking PayPal. All sensitive details will be handled on PayPal's HTTPS.

Update2:
(15.07.2013)
I found this article over at MOZ: The Definitive Guide to WordPress Security

9 comments

  1. I don’t really know how to define how secure it is, but I can tell you a few things about it that should help you make up your mind.

    By default WordPress does not secure logins, so usernames and passwords are passed in cleartext. And most people use WordPress like that.

    That said, since version 2.6, you can force logins to be under SSL by adding this to your wp-config.php:

    define('FORCE_SSL_LOGIN', true);
    

    You can also opt for forcing SSL for all administrative tasks by using:

    define('FORCE_SSL_ADMIN', true);
    

    That should make it pretty good. And regardless of the version you are using, you can always force SSL for admin with mod_rewrite:

    RewriteCond %{HTTPS} off
    RewriteRule ^/wp-admin/(.*) https://myblog.com/wp-admin/$1 [C]
    

    And, if you need a different folder for the SSL part:

    RewriteRule !^/wp-admin/(.*) - [C]
    # only send requests back to plain HTTP when they arrived over HTTPS,
    # otherwise this rule redirects to itself forever
    RewriteCond %{HTTPS} on
    RewriteRule ^/(.*) http://myblog.com/$1 [QSA,L]
    

    That would force everything under wp-admin to work under SSL and everything else would be forced to “regular” HTTP.

    Another thing to consider is MySQL. If your blog communicates with MySQL over the Internet, you have one more thing to worry about. Most setups have MySQL inside a secure network, though. Even better if MySQL runs on the same machine as the web server, so you can communicate without relying on TCP/IP at all.

  2. Check your site on sucuri.net to get more info on malware, spam etc…

    1. Use security plugin

    I recommend using Wordfence, which has lots of features and is able to do the following:

    • Scans over 44k+ malware definitions
    • Detects phishing attempts
    • Removes Sh3lls
    • Backdoors
    • Trojans
    • Monitors
    • DNS security and many more…

    Better WP Security (aka iThemes Security) is also a good plugin to secure your WP, which also has great features.

    (both plugins work together – no doubt)

    Comparison of Better WP Security and WordFence

    2. Secure your .htaccess

    secure wp-config.php

    <Files wp-config.php>
        # Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead
        order allow,deny
        deny from all
    </Files>
    

    Disable directory browsing

    # directory browsing
    Options All -Indexes
    

    Protect .htaccess itself

    <Files .htaccess>
        order allow,deny
        deny from all
    </Files>
    

    Disable hot linking

    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?YourDomain [NC]
    RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
    

    (lots of others can be found on the internet)

    3. Protect yourself

    4. Get yourself updated.

    • Use updated version of WordPress, Plugins, Themes.
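The settings recommended in comment 1 (the FORCE_SSL_* defines in wp-config.php) and in this comment (the <Files> deny blocks and -Indexes in .htaccess) are easy to forget on one of many sites, so it helps to check them mechanically. The script below is an added example, not code from any commenter or from WordPress itself; the wp-config.php and .htaccess fragments are constructed, and the checks recognise only the directive spellings shown in the comments plus the Apache 2.4 "Require all denied" form.

```python
"""Audit a wp-config.php and an .htaccess for the hardening settings
recommended in the comments above (added example; samples are constructed)."""
import re

# Constructed sample wp-config.php (only the relevant defines).
SAMPLE_WP_CONFIG = """\
<?php
define('DB_NAME', 'wp');
define('FORCE_SSL_ADMIN', true);
"""

# Constructed .htaccess that protects wp-config.php and disables listings,
# but forgets to protect .htaccess itself.
SAMPLE_HTACCESS = """\
Options All -Indexes
<Files wp-config.php>
    order allow,deny
    deny from all
</Files>
RewriteEngine on
"""

# The same policy, complete, in the Apache 2.4 authorization syntax.
SAMPLE_HTACCESS_24 = """\
Options -Indexes
<Files wp-config.php>
    Require all denied
</Files>
<Files ".htaccess">
    Require all denied
</Files>
"""

DEFINE_RE = re.compile(
    r"define\(\s*['\"](\w+)['\"]\s*,\s*(true|false|['\"][^'\"]*['\"])\s*\)", re.I)
FILES_RE = re.compile(r"<Files\s+\"?([^\s\">]+)\"?\s*>(.*?)</Files>", re.I | re.S)


def wp_config_defines(src):
    """Map define('NAME', value) calls to {NAME: bool or str}."""
    out = {}
    for name, raw in DEFINE_RE.findall(src):
        if raw.lower() in ("true", "false"):
            out[name] = raw.lower() == "true"
        else:
            out[name] = raw.strip("'\"")
    return out


def files_blocks(htaccess):
    """Map each <Files NAME> container to its directives, lower-cased."""
    blocks = {}
    for name, body in FILES_RE.findall(htaccess):
        blocks[name] = [ln.strip().lower() for ln in body.splitlines() if ln.strip()]
    return blocks


def denies_all(directives):
    """True for the 2.2 form (order allow,deny + deny from all) or the 2.4 form."""
    d = set(directives)
    return "require all denied" in d or {"order allow,deny", "deny from all"} <= d


def audit(wp_config, htaccess):
    """Return a list of findings; an empty list means every check passed."""
    defines = wp_config_defines(wp_config)
    blocks = files_blocks(htaccess)
    findings = []
    if not (defines.get("FORCE_SSL_ADMIN") or defines.get("FORCE_SSL_LOGIN")):
        findings.append("wp-config.php: neither FORCE_SSL_ADMIN nor FORCE_SSL_LOGIN is enabled")
    if not denies_all(blocks.get("wp-config.php", [])):
        findings.append(".htaccess: wp-config.php is not covered by a <Files> deny block")
    if not denies_all(blocks.get(".htaccess", [])):
        findings.append(".htaccess: .htaccess itself is not covered by a <Files> deny block")
    if not re.search(r"^\s*Options\b.*-Indexes", htaccess, re.M | re.I):
        findings.append(".htaccess: directory listing is not disabled (Options -Indexes)")
    return findings


if __name__ == "__main__":
    for label, ht in (("2.2-style", SAMPLE_HTACCESS), ("2.4-style", SAMPLE_HTACCESS_24)):
        print(label, audit(SAMPLE_WP_CONFIG, ht) or ["OK"])
```

Run it against real files by reading them into the two arguments of `audit()`; the 2.2-style sample reports the missing `.htaccess` block and the 2.4-style sample comes back clean, which is the point of accepting both directive forms.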
  3. Install these four security plugins:

    Limit-login-attempts: Limit rate of login attempts, including by way of cookies, for each IP.

    Lockdown-wp-admin: Securing the WordPress Administration interface by concealing the administration dashboard and changing the login page URL.

    Wp-math-captcha: Math Captcha is a 100% effective CAPTCHA for WordPress that integrates into login, registration, comments, Contact Form 7 and bbPress.

    Better-wp-security: Take the guesswork out of WordPress security. iThemes Security offers 30+ ways to lock down WordPress in an easy-to-use WordPress security plugin.

  4. It partially depends on your threat model. If you want to run your own blog – it’s fine, just stay on top of upgrades. If you’re securing patient data, no it’s not secure. A lot of people bash it, but there haven’t been any big security holes in WP proper for a bit, to my knowledge. It’s plugins and misconfigurations.

    You’re going to be a target for people doing drive-by hacking, using one exploit on thousands of sites trying to drop in spam. That’s why it’s important to stay on top of updates. But overall, it’s fine for personal, or even corporate use. I’d recommend it over trying to roll your own, for sure.

    There are ways to increase its security:

    • lock down parts you don’t need/use like xml-rpc
    • stay on top of updates
    • don’t use plugins
  5. WordPress as it sits is not that secure. I know personally, I manage 10+ sites and they’re constantly getting hit by rogue servers from all over the world. (like this lovely individual from Korea http://www.ip-adress.com/ip_tracer/1.234.83.77)

    I’d HIGHLY recommend http://wordpress.org/plugins/better-wp-security/ .
    You don’t need to roll your own security, use what they provide, and hey, if you like it go pro! I’m not at all related to the company, but I’ve had A LOT of success with their plugins.

    Follow all of the steps, lock everything down, fix your file permissions and cross your fingers. If someone wants to get in, they’ll find a way. You can only attempt to mitigate all risk.

    Additionally if you’re on your own linux virtual host (rackspace/amazon/etc), I’d recommend linux ufw.

    sudo aptitude install ufw
    # open the services you need before enabling the firewall, so the
    # SSH session you are doing this from is not cut off
    sudo ufw allow 80
    sudo ufw allow 22
    sudo ufw allow 443
    sudo ufw enable
    sudo ufw status

    One final suggestion: fail2ban is an excellent resource, not for WordPress directly, but for any logins to your server. It will lock out individuals similar to Better WP Security.

    Best of luck, let us know what you decide!
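Comments 3, 4 and 5 all point the same way: rate-limit wp-login.php, lock down xmlrpc.php, and use something fail2ban-like with ufw to lock out repeat offenders. The script below is an added example of the detection half of that, not code from any commenter, from fail2ban or from any plugin. It parses constructed Apache combined-format log lines, applies a per-IP sliding-window threshold, and renders the offenders as ufw deny rules. It assumes the WordPress behaviour that a failed login re-renders wp-login.php with HTTP 200 while a successful one answers 302; the thresholds and the ten-minute window are illustrative choices, not a plugin default.

```python
"""Sliding-window detection of wp-login.php brute force and xmlrpc.php abuse
over Apache combined-log lines (added example; thresholds are illustrative)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined log format: ip ident user [time] "METHOD path HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Illustrative policy (an assumption, not a plugin default): 5 failed logins or
# 3 xmlrpc.php POSTs from one IP within 10 minutes mark the IP as an offender.
THRESHOLDS = {"login_failure": 5, "xmlrpc_post": 3}
WINDOW = timedelta(minutes=10)

# Constructed sample: 203.0.113.7 brute-forces the login (one old attempt that
# falls outside the window, then six in quick succession), 198.51.100.9 hammers
# xmlrpc.php, 192.0.2.5 is a real user with one typo, plus one junk line.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jul/2013:09:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
192.0.2.5 - - [15/Jul/2013:09:59:50 +0000] "GET / HTTP/1.1" 200 8810
192.0.2.5 - - [15/Jul/2013:09:59:58 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
203.0.113.7 - - [15/Jul/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
203.0.113.7 - - [15/Jul/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
198.51.100.9 - - [15/Jul/2013:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 612
203.0.113.7 - - [15/Jul/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
192.0.2.5 - - [15/Jul/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [15/Jul/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
198.51.100.9 - - [15/Jul/2013:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 612
203.0.113.7 - - [15/Jul/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
this line is not in combined log format
198.51.100.9 - - [15/Jul/2013:10:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 612
203.0.113.7 - - [15/Jul/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
192.0.2.5 - - [15/Jul/2013:10:00:07 +0000] "GET /wp-admin/ HTTP/1.1" 200 14022
"""


def parse_line(line):
    """Parse one combined-log line; return None for lines that do not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Assumed WordPress behaviour: a failed login re-renders wp-login.php with
    200, a successful one redirects (302); every POST to xmlrpc.php is counted."""
    path = rec["path"].split("?", 1)[0]
    if rec["method"] == "POST" and path == "/wp-login.php" and rec["status"] == 200:
        return "login_failure"
    if rec["method"] == "POST" and path == "/xmlrpc.php":
        return "xmlrpc_post"
    return None


def find_offenders(lines, thresholds=THRESHOLDS, window=WINDOW):
    """Return {ip: {kind: time the threshold was first reached}} using a
    per-(ip, kind) sliding window, so old attempts age out of the count."""
    recent = defaultdict(deque)
    offenders = {}
    for line in lines:
        rec = parse_line(line)
        kind = classify(rec) if rec else None
        if kind is None:
            continue
        q = recent[(rec["ip"], kind)]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:   # drop attempts older than the window
            q.popleft()
        if len(q) >= thresholds[kind]:
            offenders.setdefault(rec["ip"], {}).setdefault(kind, rec["ts"])
    return offenders


def ufw_deny_rules(offenders):
    """Render offenders as ufw commands (comment 5's firewall); 'insert 1' puts
    the deny rule ahead of the allow rules so it takes effect."""
    return [f"ufw insert 1 deny from {ip} to any" for ip in sorted(offenders)]


if __name__ == "__main__":
    found = find_offenders(SAMPLE_LOG.splitlines())
    for ip, kinds in found.items():
        for kind, when in kinds.items():
            print(f"{ip}: {kind} threshold reached at {when:%H:%M:%S}")
    print("\n".join(ufw_deny_rules(found)))
```

The window matters: the 09:30 attempt from 203.0.113.7 is discarded before the 10:00 burst is counted, so the threshold is reached on the fifth attempt of the burst, not the fourth, and a user who mistypes a password once is never listed. A fail2ban jail does the same bookkeeping on the real log and applies the deny rule for you.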

  6. I have a list of recommendations and plugins over at secure-wordpress. A quick list of recommended plugins at a minimum post-install:

    • ithemes security – set the /wp-login.php to be a different made up path and block xml-rpc attack vectors
    • wordfence security – auto-ban fake crawlers, pingers, attackers – don’t forget to whitelist your ip address
    • math captcha – add to login page
    • wp slimstat – track visitors
    • media vault – lock down attachments of all types
    • download manager – track downloads
    • disable comments – completely disable comments
    • WP Plugins&Themes Auto Update – keep everything up to date auto-magically

    1. You must use security plugins to secure your WP site. There are many plugins available. I have mentioned the 5 best free plugins in my article here –

      http://www.technolizers.com/5-best-wordpress-security-plugins/

    2. Attackers first check for the wp-login.php URL. You must change the regular login URL to something different. You can use the WPS Hide Login plugin for that.

    3. Never use usernames like admin, demo, admin123, demo123, abc. These are the most commonly used usernames.

    4. Use a strong password. You can generate a strong password on this site absolutely free. https://passwordsgenerator.net/

    5. Never ever use free themes. Free themes contain vulnerable scripts to enter into WP admin without you knowing.

    6. Always keep all the plugins and themes up to date, as they continuously release security patches.

  7. There is no definitive answer to this. Due to its vast usage it is always catching the eye of hackers. If you ask me, WordPress is both secure and not, given that not all website owners are aware of how to deploy security measures to secure their WordPress.

    In all honesty, WordPress security is more in the hands of the webmasters than on its developers.

  8. Yes, Wordfence is a good tool for security reasons. Also, this is a good plugin to quickly check if something can be improved. The plugin checks if you have a widely-used username, a non-secure password, outdated PHP, etc.