Reducing WordPress Blog Hacking Risks

There have been many articles written recommending that real estate professionals use WordPress for their blog, but little published about how to protect the site against hacking. There’s no such thing as “perfectly secure”, especially given the limited control most people have over their WordPress web and database server environments let alone the underlying operating systems, but this article provides at least a starting point to improve WordPress security.

The most important thing to do is to keep your software up to date. Though it may not be your responsibility to keep the servers patched, it’s usually your responsibility to log in regularly and keep the WordPress installation and plugins updated. Every year there have been major vulnerabilities that hackers have taken advantage of because patches were not deployed. A chart from the National Institute of Standards and Technology showing the number of High Severity WordPress vulnerabilities by year shows that there’s more than one major security hole per month in the core WordPress code that could result in a security breach! Each widget and plugin you add to your site may carry additional risk.

While it’s important to keep your website patched, upgrades and plugins sometimes conflict and cause site disruption, so it’s important for you and/or your web host to make a backup of your website files and database before making changes. Good web hosts do this at least every night. If you want an even better backup system, I recommend VaultPress (http://vaultpress.com/), which costs some money and takes some work to configure correctly, but can back up your site automatically whenever you make a major change and makes restoring an old version fast and easy.

The next most important thing to do is to protect the login. If using a standard username and password combination to log in, be sure to use a long and complex password, unique to the WordPress login, and never shared. Don’t log in from a ‘public’ computer since you won’t know if someone is ‘capturing’ your keystrokes. Even from your own computer, someone on the same network can still capture your login information, because WordPress doesn’t, by default, encrypt sensitive information using TLS (which replaces SSL) encryption (the kind in use when your browser shows “https://”). To add encryption capability to your website, you will either need to have access to an SSL certificate (so you can access https://yoursite.com) or to a shared TLS certificate (your web host will have to provide you those details).

Then you can install the “Admin SSL” plugin (http://www.kerrins.co.uk/blog/admin-ssl/). Follow the installation instructions from the plugin website carefully to make sure your installation is effective. Note that most plugins can be found and installed from your blog’s plugin administration page, rather than going to the individual websites listed in this article.

To add some extra security to the login, use the “Login Lockdown” plugin (http://www.bad-neighborhood.com/login-lockdown.html). This tool helps protect against someone trying to guess your password by disabling login attempts from a network for a period of time if more than a certain number of failed logins are detected within a short timeframe from that network.
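To make the lockout rule concrete, here is an added simulation of it in Python; it is not the plugin’s code, and the thresholds (4 failures within 5 minutes locks the offending /24 network for an hour) and the log lines are constructed assumptions:

```python
from collections import defaultdict, deque
from ipaddress import ip_network
# Constructed sample log lines, "<seconds> <client ip> <FAIL|OK>"; not real server data.
SAMPLE_LOG = """0 203.0.113.7 FAIL
10 203.0.113.7 FAIL
20 203.0.113.8 FAIL
30 203.0.113.9 FAIL
40 203.0.113.7 OK
50 198.51.100.4 OK
4000 203.0.113.7 OK"""

def network_of(ip):
    # Group by /24 so an attacker rotating through neighbouring addresses is still caught.
    return str(ip_network(f"{ip}/24", strict=False))

class LoginLockdown:
    def __init__(self, max_failures=4, window=300, lockout=3600):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(deque)  # network -> timestamps of recent failures
        self.locked_until = {}              # network -> time the lockout expires
    def is_locked(self, ip, now):
        until = self.locked_until.get(network_of(ip))
        return until is not None and now < until
    def record_failure(self, ip, now):
        """Return True if this failure pushes the network over the limit."""
        recent = self.failures[network_of(ip)]
        recent.append(now)
        while now - recent[0] > self.window:  # forget failures older than the window
            recent.popleft()
        if len(recent) < self.max_failures:
            return False
        self.locked_until[network_of(ip)] = now + self.lockout
        recent.clear()
        return True

def replay(log=SAMPLE_LOG):
    # Run the log lines through the lockout rule and return one verdict per line.
    guard, verdicts = LoginLockdown(), []
    for line in log.splitlines():
        t, ip, result = line.split()
        now = int(t)
        if guard.is_locked(ip, now):
            verdicts.append("blocked")  # rejected before the password is even checked
        elif result == "FAIL":
            verdicts.append("locked" if guard.record_failure(ip, now) else "failed")
        else:
            guard.failures.pop(network_of(ip), None)  # a real login resets the counter
            verdicts.append("allowed")
    return verdicts
```

Note that the fourth failure comes from a different address in the same /24 and still triggers the lockout, while the login from 198.51.100.4 is unaffected and the locked network is allowed again once the hour has passed.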

Then, use the “WP Security Scan” plugin (http://wordpress.org/extend/plugins/wp-security-scan/). This tool scans your WordPress installation for a wide variety of security issues and suggests fixes, many of which you can implement without the help of your web host. After you fix the identified issues you can either keep the plugin disabled and use it occasionally to test security – or keep it enabled for additional benefit. A similar plugin, which is more complex to use but adds additional protections, including those similar to “Login Lockdown”, is Bulletproof (http://wordpress.org/plugins/bulletproof-security/). [UPDATE: “WP Security Scan” has not been updated in some time – the current security plugin of choice is “Wordfence”, but there are many other fine ones out there.]

To address the vulnerabilities inherent in allowing people to post comments to your website, I generally suggest using the “Disqus” plugin (http://disqus.com) and Akismet (http://akismet.com/) rather than loading up your built-in WordPress comment system with additional security plugins.

There is so much more that can be done to secure WordPress if you are technical and have access to the underlying system (see: http://codex.wordpress.org/Hardening_WordPress) – and new Facebook and plugin vulnerabilities are found regularly – so there’s no way to ever 100% secure your blog. But, at the very least, try to take these reasonable steps.

About the author: Matt Cohen is Clareity Consulting’s Chief Technologist and leads its security assessment practice. Matt has spoken at many conferences, workshops, and leadership retreats around the country on security-related topics, and is a well-regarded real estate industry expert on real estate technology and information security. Clareity Consulting (www.callclareity.com) was founded in 1996 to provide management and information technology consulting to the real estate industry.