Since my early days, I've always been the one to second-guess what the majority of people think. I've always been the “pain”, you know where. When I hear most people saying “this is bad” or “this is not right”, a feeling of denial always jumps out. Over the past few days I've stumbled across many articles about how WordPress is not that secure, and many have suggested that it's even easy to hack a WordPress site. I have had some serious thoughts about this, and today, through a blog post from Sire, I stumbled across an article titled “How to Stop Your WordPress Blog Getting Hacked“. It lays out the subject very seriously, but as always, I have serious objections. I will take the points one by one.
The first point he makes is “Removing Footprints – Stop Hackers Finding You“. Here is my first serious objection. I'll use a very basic principle of cryptography: don't rely on hiding the algorithm, rely on the randomness of the internal state. In fact, most cryptographic algorithms are published and freely available. My point is, don't hide the fact that you are using WordPress; make sure it's secure. By removing all references to WordPress from your blog, the only thing you are doing is removing attribution to the people who strive to provide you with top-notch website software and support.
The next point is one that I agree with, “Disabling Indexes“. As the author states:
Disabling indexes means that when someone navigates to a directory on your server, it will not give them an output of the folders and files in that directory.
If I might add, you can “disable” that another way, by adding an empty “index.html” file in each folder. But there is a chance you will forget to do so when you add a new folder or download a plugin that doesn't ship one. So the author's suggestion is more than fine with me.
Next on the list is “Blocking Server-side Directories“. I find this a bit unnecessary. The author's concerns are valid but highly unlikely to materialize, and if they do, I would say that worrying about your top-level security, that is, your WordPress installation, will not be a priority.
Another point he makes is “Hiding the Admin“. As mentioned, you don't want to hide the platform but to make sure it's secure. Since you will be proud to tell the world you are powered by WordPress, you might as well keep the default admin directory. One more problem would be future WordPress updates, which will be a pain to do (especially now that they are automatic).
The next one on the list is “Move the Config Data“. The purpose is to make sure that your database username and password are not exposed in case something goes wrong and someone gets to read the file. But here is my objection. Even if I get to know the database credentials, they will be completely useless to me! Here is why. All serious hosts, when creating a username that can access your database, define a constraint on the location from which a connection to the database can be made. To be exact, if the database is on the same machine the scripts are running on, then the username you use to connect to the database is only allowed to connect from the local machine. That means that if I use your username and password and try to connect to your database from my computer, or any other computer for that matter, access will be denied, since I am not connecting from the local machine! On clustered hosts, where the databases are on different machines, the username is granted access only from the IP that the scripts are running on, in other words the machine that hosts your website. So, still, the credentials are useless. One would say “what if the attacker finds a way into my machine and can execute scripts?”. Well, that situation can be called “FUBAR“, and believe me, at that point whatever you do is worthless.
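As an added example (not code from the original post or from WordPress), the following Python models, in simplified form, how MySQL, the database WordPress runs on, matches an account's host column against the connecting client. The account list is a constructed sample, and 203.0.113.7 is a documentation address standing in for any outside machine. It shows why a leaked password bound to 'localhost' or to the web node's IP is rejected from anywhere else, and it flags accounts with the blanket '%' host, which is the shape to avoid.

```python
"""Added example (not from the original post or WordPress itself): a simplified
model of how MySQL, the database behind WordPress, decides whether a login is
allowed. Accounts are 'user'@'host' pairs; the password is only half of it.
The account list below is constructed for illustration."""
import ipaddress
import re

# Constructed sample of what a host's mysql.user table might contain.
SAMPLE_ACCOUNTS = [
    ("wp_blog", "localhost"),     # typical shared host: same machine only
    ("wp_blog", "10.20.30.40"),   # clustered host: only the web node's IP
    ("legacy_app", "%"),          # any origin: the shape to avoid
]

def host_pattern_matches(pattern: str, client_host: str) -> bool:
    """True if a connection from client_host satisfies the account's host pattern.

    Simplified rules: 'localhost' matches only a connection made on the server
    itself (pass client_host='localhost' for that), 'a.b.c.d/netmask' is a
    subnet, and '%' / '_' are SQL-style wildcards as in MySQL."""
    if pattern == "localhost":
        return client_host == "localhost"
    if "/" in pattern:
        net_addr, mask = pattern.split("/", 1)
        try:
            network = ipaddress.ip_network(f"{net_addr}/{mask}", strict=False)
            return ipaddress.ip_address(client_host) in network
        except ValueError:
            return False
    regex = re.escape(pattern).replace("%", ".*").replace("_", ".")
    return re.fullmatch(regex, client_host, re.IGNORECASE) is not None

def usable_from(accounts, user: str, client_host: str) -> list:
    """Host patterns under which `user` could log in from client_host."""
    return [h for u, h in accounts if u == user and host_pattern_matches(h, client_host)]

def credential_is_remotely_usable(accounts, user: str,
                                  outside_host: str = "203.0.113.7") -> bool:
    """The post's question: if the password leaks, does it work from elsewhere?
    203.0.113.7 is a documentation address standing in for 'some other machine'."""
    return bool(usable_from(accounts, user, outside_host))

def overly_broad_accounts(accounts) -> list:
    """Accounts whose host is the blanket wildcard; worth reviewing on any host."""
    return [(u, h) for u, h in accounts if h == "%"]

if __name__ == "__main__":
    for user in ("wp_blog", "legacy_app"):
        verdict = "USABLE" if credential_is_remotely_usable(SAMPLE_ACCOUNTS, user) else "rejected"
        print(f"{user}: from an outside address -> {verdict}; "
              f"from the web server -> {usable_from(SAMPLE_ACCOUNTS, user, 'localhost')}")
    print("blanket-wildcard accounts:", overly_broad_accounts(SAMPLE_ACCOUNTS))
```

Real MySQL has more rules than this model (DNS names, skip_name_resolve, the distinction between the Unix socket and the loopback address), so for an actual check run `SELECT user, host FROM mysql.user;` on the server and review which patterns are in force for the WordPress account.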
For the next one, “Database Encoding“, I had to do a little research. As it turns out, WordPress is vulnerable to SQL injection when the database encoding is not set to UTF-8. I had no idea about it, and this alone is a serious problem. So, make sure it's UTF-8.
Next on the list is a precautionary measure, “File Permissions“. Well, this is something I would suggest doing even when you are not hosting a WordPress installation. This way you make a more secure directory environment for your installation. No guarantees, but it's a “better safe than sorry” tactic.
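One way to check three of the points above in a single pass over a WordPress tree: directories without an index file (the empty index.html trick from the “Disabling Indexes” point), the DB_CHARSET setting from the “Database Encoding” point, and file permissions. This is an added example, not the article's or WordPress's own code. The permission policy it applies (no group/world-writable files, wp-config.php not readable by others) is an assumption, and the sample site it builds in a temporary directory is constructed so the script runs offline; adjust the policy to your host's recommendations before pointing it at a real installation.

```python
"""Added example, not code from the original post or from WordPress: a small
audit of a WordPress directory tree for three points discussed above, namely
directories that would list their contents (no index file), the DB_CHARSET
setting in wp-config.php, and loose file permissions. The permission policy
(no group/world-writable files, wp-config.php not world-readable) is an
assumed one; the sample tree is constructed so the script runs offline."""
import os
import re
import stat
import tempfile
from pathlib import Path

INDEX_NAMES = ("index.html", "index.php")  # either one stops a directory listing
DB_CHARSET_RE = re.compile(r"define\(\s*['\"]DB_CHARSET['\"]\s*,\s*['\"]([^'\"]*)['\"]\s*\)")

def dirs_without_index(root: Path) -> list:
    """Directories under root (root included) that contain no index file."""
    return sorted(Path(d) for d, _, files in os.walk(root)
                  if not any(name in files for name in INDEX_NAMES))

def add_index_placeholders(root: Path) -> int:
    """Create an empty index.html in every directory lacking an index file."""
    added = 0
    for d in dirs_without_index(root):
        placeholder = d / "index.html"
        placeholder.write_text("")      # a blank page instead of a listing
        placeholder.chmod(0o644)
        added += 1
    return added

def db_charset(wp_config: Path):
    """DB_CHARSET value from wp-config.php, or None if it is not defined."""
    m = DB_CHARSET_RE.search(wp_config.read_text())
    return m.group(1) if m else None

def is_utf8_charset(value) -> bool:
    """True for the UTF-8 spellings WordPress accepts (utf8, utf8mb4, UTF-8)."""
    return value is not None and value.lower().replace("-", "") in ("utf8", "utf8mb4")

def permission_findings(root: Path) -> list:
    """Files writable by group/others, plus a world-readable wp-config.php."""
    findings = []
    for d, _, files in os.walk(root):
        for name in files:
            p = Path(d) / name
            mode = p.stat().st_mode
            rel = str(p.relative_to(root))
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((rel, "writable by group/others"))
            if name == "wp-config.php" and mode & stat.S_IROTH:
                findings.append((rel, "wp-config.php readable by others"))
    return sorted(findings)

def audit(root: Path) -> dict:
    """Run the three checks and report paths relative to the site root."""
    cfg = root / "wp-config.php"
    charset = db_charset(cfg) if cfg.exists() else None
    return {
        "dirs_without_index": [str(d.relative_to(root)) for d in dirs_without_index(root)],
        "db_charset": charset,
        "db_charset_ok": is_utf8_charset(charset),
        "permissions": permission_findings(root),
    }

def build_sample_site(base: Path) -> Path:
    """Constructed sample tree with one problem of each kind; modes set explicitly."""
    root = base / "wordpress"
    (root / "wp-content" / "plugins" / "demo-plugin").mkdir(parents=True)
    (root / "wp-content" / "uploads").mkdir()
    for rel, content, mode in [
        ("index.php", "<?php // front controller\n", 0o644),
        ("wp-content/index.php", "<?php // Silence is golden.\n", 0o644),
        ("wp-content/plugins/index.php", "<?php\n", 0o644),
        ("wp-content/plugins/demo-plugin/demo.php", "<?php\n", 0o666),  # world-writable
        ("wp-content/uploads/photo.jpg", "", 0o644),  # uploads dir has no index file
        ("wp-config.php", "<?php\ndefine('DB_CHARSET', 'latin1');\n", 0o644),  # wrong charset
    ]:
        p = root / rel
        p.write_text(content)
        p.chmod(mode)
    return root

def demo() -> dict:
    """Build the sample site, audit it, add the missing index files, audit again."""
    with tempfile.TemporaryDirectory() as tmp:
        site = build_sample_site(Path(tmp))
        before = audit(site)
        added = add_index_placeholders(site)
        after = audit(site)
    return {"before": before, "added": added, "after": after}

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it against a real site means calling `audit(Path("/path/to/wordpress"))` and, only once you have reviewed the list, `add_index_placeholders(...)`; the charset and permission findings are reported, not changed, because the right fix for those depends on the host.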
Finally, I couldn't agree more with the last one, “Themes and Plugins“. I've said before that you must take care which plugins and themes you install. You never know which one is malicious and, even worse, which one is vulnerable.
At this point, I would like to thank David for giving me food for thought. I would also like to tell him not to take me the wrong way here; I am like this with everything, especially with things that are worth mentioning and debating. For all of you out there, all I have to say is take care, but don't be paranoid. Check out both our arguments (and any more you might find) and decide which steps are better for your security.