WordPress Security

August 31, 2009 by debbie T | WordPress

Slowly, I am working through all my WordPress blogs and trying to make them more secure. I have found several web site articles and WordPress plugins that have been very helpful.

New blog article from Matt – UPGRADING is the only way to keep yourself safe!

  1. Obviously we don’t want our blogs hacked – or anything else. But I’m really not sure you’re getting value for time here at all. If someone hacks your blog they have full control, so a plugin listing file changes is pointless because the hacker has full control over the plugin once they have entry! Same goes for a vulnerability scanner. You can’t use WordPress to monitor WordPress: if WordPress has been taken over, so have your monitors!

    As for the 10 tips – honestly, it’s mostly security by obscurity, and pretty much pointless. It’s a lot of work for almost no gain. Also – the name is utterly misleading. Those steps no more make your WordPress hack-proof than touching wood prevents bad things happening! This is more about feeling safer than being safer as far as I can see.

    A much, much better approach is to use a very secure admin password, and to always keep your WordPress fully up-to-date. Subscribing to the WordPress security RSS feed is a much better idea than all this voodoo IMO.

    What REALLY frightens me about WordPress is that the new norm seems to be to make the WordPress program files writeable by the web server so you can click that auto-update button. Talk about a hacker’s dream! The one non-standard thing I do like to do is not give the server write access to anything but the wp-content/uploads folder – and even that makes me a little uncomfortable to be honest.


    Comment by Bart B on September 1st, 2009
  2. wow, thanks Bart!! I know I can always count on you to tell the straight truth on security.

    haha, well I can’t say that I did all that work for nothing, because even though I had a good password, I changed all of them to be even stronger.

    And there is an option from one of the plugins to check the permissions on the WP files and change them to 755 or 644. I had a few as 775, so that was a good change.

    I don’t think I have any files/folders as fully writable (777) and I can use the auto update option. It works by using SFTP now. I think the older way was to make the files writable. But I might be way off on that.

    I do have a question, is there a way (through terminal or sftp) to check through all your files/folders and see the permissions on all of them, or better yet, list only the ones that are set at 777?

    I tried googling, and I can’t seem to find the right search phrase.

    Thanks again, Bart!

    Comment by debbie T on September 1st, 2009
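One way to answer the question above (listing every file or folder under a WordPress install that is world-writable, not just the ones set to exactly 777) and to apply the 755/644 normalization mentioned in the same comment, as an added example that is not code from the original post or from any of the plugins discussed. It assumes a POSIX `find`/`chmod` (GNU or BSD); the directory names and the sample tree it builds in a temp directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): find world-writable entries
# under a WordPress install and optionally normalize them to 755 (dirs) /
# 644 (files). Paths below are hypothetical; the sample tree is constructed.

# list_world_writable DIR
#   Print every regular file or directory under DIR whose "other" write bit
#   is set (777, 666, 757, ...). This is the check that actually matters:
#   a 666 file is just as writable by the web server as a 777 one.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -o+w -print | sort
}

# list_777 DIR
#   Stricter variant that matches the exact mode 777 only, i.e. what the
#   comment above asked for literally.
list_777() {
    find "$1" -perm 777 -print | sort
}

# count_world_writable DIR
#   Number of o+w entries under DIR (handy for a cron check: non-zero means
#   something drifted since you last tightened things up).
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# normalize_perms DIR
#   Set directories to 755 and regular files to 644 under DIR. Only run this
#   once you are sure nothing under DIR needs to be group- or world-writable
#   (per the comment above, wp-content/uploads may be the one exception you
#   consciously keep writable by the web server's user).
normalize_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# make_sample_tree
#   Constructed sample install in a temp dir so the functions can be
#   exercised offline. Prints the path of the created tree.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads" "$d/wp-content/plugins/foo" "$d/wp-admin"
    touch "$d/wp-config.php" "$d/wp-content/plugins/foo/foo.php" \
          "$d/wp-content/uploads/a.jpg"
    chmod 777 "$d/wp-content/uploads"             # the usual offender
    chmod 666 "$d/wp-content/plugins/foo/foo.php" # o+w file, but not 777
    chmod 775 "$d/wp-admin"                       # group-writable only: not flagged
    chmod 644 "$d/wp-config.php"
    printf '%s\n' "$d"
}

# Usage against a real install (hypothetical path):
#   list_world_writable /var/www/html
#   normalize_perms     /var/www/html
```

Running `list_world_writable` on the constructed tree reports the 777 upload directory and the 666 plugin file, while `list_777` reports only the directory; after `normalize_perms` the count drops to zero. A `find` search like this is something you can run over SFTP-less shell access or from a host outside the web server's control, which sidesteps the objection raised earlier in the thread that a monitor living inside WordPress is itself at the attacker's mercy.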
  3. …and I know you say that the monitors are useless, but I think in some cases it can help, especially when you have a less seasoned hacker.

    I also have a good hosting service, they are on top of any and all security issues. I think that goes a long way too.

    Comment by debbie T on September 1st, 2009
  4. http://wordpress.org/development/2009/09/keep-wordpress-secure/

    blog article from Matt. Upgrade upgrade upgrade!!

    Comment by debbie T on September 6th, 2009