Brooklyn Based Web Development

WordPress Security Hardening

Feb 24, 2015

Since WordPress is open source software, one of the most important steps in creating a publicly used website is security. In fact, my earliest experiences working on the WordPress platform were dealing with hacked and malware-infected websites. It was almost always just a bit too late, as the client had nothing in place to protect against these attacks: no backups, no one-click restoration of the site, no login lockdowns, nothing. In some ways, it’s caused by a perfect storm of events.

Let’s look at what happened in December 2014: within a day, Google had banned 10,000 websites, and the list quickly grew to over 100,000 WordPress-specific websites.

Then this notice went up on 100,000 websites across the Internet.

Caused by what? RevSlider. I know RevSlider is great, but I usually create custom sliders without the use of plugins, so fortunately it has not affected any of the sites I have had the pleasure to work on. On the other hand, RevSlider is probably the most popular dynamic slider and gallery plugin in use, and what’s the count on how many WordPress-based websites are out there?

http://blog.sucuri.net/2014/12/soaksoak-malware-compromises-100000-wordpress-websites.html
http://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html

Thanks to a variety of developers and providers, there is a whole range of solutions out there to help protect your website and your investment. Some of the commercial options may sound pricey when you pay GoDaddy $8/month for hosting, but don’t look a gift horse in the mouth. When GoDaddy and many other hosting companies don’t provide backups automatically with their basic hosting plans, these security options will save you the downtime and hours of frustration if the fat lady sings.

I won’t deploy sites without (at a bare minimum) a security and database backup solution in place. In fact, I would hope all developers building on the WordPress platform build this into the cost of developing professional open source websites and web apps. It’s irresponsible to set your clients up to fail. Years ago, it was a site here or there being hacked; now it’s any website under the sun that is being targeted. If your website is searchable on the web, you can guarantee that there are robots and even individuals out there trying to find a way in.

Here’s a useful article on security hardening for WordPress:
http://www.hongkiat.com/blog/hardening-wordpress-security/

And if you want a company to handle these types of things for you, I’m happy to recommend companies like VaultPress. VaultPress.com offers security, backups, and malware scanning for $99/year. Not bad for peace of mind!