WordPress security

So Twitter ate my homework blogging for the past six months. At least, that’s what I’m going to use as an excuse for not posting for ages. Sorry! I’m going to tentatively start writing again, and hopefully keep things going better this time. Anyway, here goes?

WordPress has received a lot of flak for its security of late. Matt Mullenweg, its creator, wrote about one alleged vulnerability recently and made several good basic security points: keep your software up to date (including plugins), use strong passwords, and keep your eyes open for anything suspicious. These practices should be common sense, but unfortunately many people don’t follow them, resulting in hacked blogs and WordPress taking unfair blame. WordPress have put a lot of work into making their software and installed plugins easily updateable, so hopefully hacked sites will become less frequent as people upgrade to v2.5.

For those that do care about their blog’s security and want to lock things down past the default configuration, the WordPress Security Whitepaper is worth a read. Note that it is quite technical, so if things like .htaccess and using SQL make your eyes glaze over then you’d be better just sticking to Matt’s straightforward advice. However, it does cover and mitigate a few particular points of interest: stop database injection into tables with default names (e.g. wp_users) by renaming the tables, changing the admin username to make brute-forcing passwords more difficult, restricting access by IP to the wp-admin directory and other *.php files, and using HTTPS to prevent sniffing of your passwords over the wire (e.g. while blogging from an open Wi-Fi access point). Most of it is above and beyond what is necessary for the average user, but if you’re running a high profile site and can forgo a little potential flexibility, you can really tighten things up.

Update: Also well worth a look: The WordPress Codex’s excellent section on hardening WordPress and Speck Boy’s list of his top ten security & protection plugins.


About this entry