Last week it was discovered that TimThumb, a PHP image resizing utility used in many WordPress themes, had a security vulnerability. Some popular themes, including Thesis and some Woo Themes, use this utility. WP Candy has been doing a nice job covering this issue and has extensive links about how to fix it for various themes.
If you manage your own WordPress website, you should have this book. If you have someone else manage your WordPress website for you, they should have this book.
WordPress 3 Ultimate Security by Olly Connelly is a comprehensive guide, not just to WordPress security, but to Internet security in general. My initial thought when buying the book was that it would compile a bunch of WordPress-specific security best practices into one concise resource. It does indeed do that, but as it turns out, having a secure WordPress website goes way beyond just securing your WordPress installation. Olly Connelly does a superb job of laying out a comprehensive overview of Internet security to help you set up and maintain a clean WordPress website that is as hacker-resistant as possible, from securing your own personal computer, your access point to the Internet, to your web server and of course the WordPress package itself.
In dealing with recent WordPress hacks, I was left wondering, who are these hackers that have hacked my site and how did they do it? The book starts off with an introduction to the overall threatscape: who the hackers are, how they work, their basic methodology (reconnaissance, scanning, gain access, secure access, cover tracks) and the tools they use. This is important in being able to assess your risk, which is the result of vulnerability times threat.
After having introduced us to the hackers and their ways, Olly covers securing your own computer, with a detailed analysis of tools and techniques for securing your PC, especially Windows PCs. In a logical progression he then covers security related to accessing the Internet, including local networks, Wi-Fi and browsers, and security related to connecting to your web server. These are not WordPress-specific issues, but they all represent potential vulnerabilities that hackers can exploit to gain access to your WordPress site.
After five chapters and 150 pages covering these topics, Olly jumps into the WordPress-specific issues. In chapter 6, he outlines 10 must-do WordPress tasks. Then in chapter 7 he dives into more WordPress-specific tips for hardening your WordPress installation.
Chapter 8 is dedicated to a subject that many might not have considered a security risk – securing your content from scrapers and copyright theft.
The remaining chapters are dedicated to some advanced techniques for locking down your web server. A lot of the content in these chapters will probably overwhelm those who are not technically inclined, but it is important and relevant and the book would be incomplete if it were omitted.
Overall, I give the book very high marks for its comprehensive nature and easy-to-follow style. Being a fan of visual communication, my only quibble with the book is that I would have liked to have seen more illustrations. There’s a lot of technical material in the book and Olly does a very good job of explaining in a way that even the technically-challenged should be able to grok. But, I spend a fair bit of time consulting with technically-challenged clients on WordPress issues and my sense is that visual illustrations are very useful in helping to demystify and explain complex technical issues.
Nevertheless, I still highly recommend the book for anyone who has a WordPress website. It may not be a fun topic and yes, it is a bit scary, but if you have a WordPress website you are a definite target for hackers and I have no doubt that your site will come under attack at some point, if it hasn’t already. The more you know about security, the less attractive you can make your site for hackers to bother with. Buy the book and be informed.
I’ve had the misfortune over the last few weeks to deal with some WordPress sites getting hacked, which has moved the topic of WordPress security to the front burner. The threat to WordPress sites from hackers is very real, and unless you take precautions with certain security measures and back up your site, you run the risk of dealing with the unpleasant task of ridding your site of whatever malware the hackers have inserted and/or totally rebuilding your site.
I wrote a quick little summary with links to several resources to learn more. One of those resources was a blog post by The Guvnr, Olly Connelly. It turns out Olly has just written and published a book on the subject, WordPress 3 Ultimate Security, from Packt Publishing. I just downloaded the ebook version of this, and my initial impression from skimming through the table of contents and a sampling of pages is that it looks to be a very thorough treatment of hacking and security related to WordPress. Dealing with hacks these last few weeks has made me a bit paranoid about WordPress hackers and convinced me that I need to step up my game on WordPress security. This book looks like it’s just the ticket for that.
I’ll be doing a more comprehensive review of the book once I’ve gone through it in more detail, but on first impressions I’d recommend it to anyone interested in learning more about securing their WordPress site.
Having spent most of my morning cleaning up a WordPress hack, the value of WordPress security is on my mind. Make no mistake, there are people out there who, for whatever reason, want to hijack your WordPress site. Being the most popular content management system and blogging platform out there has its disadvantages. It makes WordPress a target for hackers. There are a lot of things you can do to harden the security of your WordPress site. Rather than write my own article on the subject though, I’ll reference a good article written by Hawaii Web Group. Check out their Keeping Your WordPress Blog From Being Hacked article for changes you can make to make your site less attractive to hackers. There are a lot of technical details, but there is also some simple advice that you can incorporate, like deleting the admin user, using strong passwords, and installing some security plugins to help monitor and secure your site.
WordPress Security Articles for Reference:
Most importantly, make sure you do regular backups of both your database content and your files. If your site gets hacked, you might be left with no other choice than to delete WordPress completely, re-install a fresh, clean version and use your backup to import your content. You’ll also need backups of your images and any other media you’ve uploaded, so make sure to back up your files regularly too.
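As an added illustration of the backup routine recommended above (example code written for this page, not from the post, the book, or the Hawaii Web Group article), here is a small POSIX shell script that reads the database name, user and host out of wp-config.php, dumps the database with mysqldump and archives the wp-content directory into a timestamped tarball. The sample site it builds, and every path and credential in it, are constructed for the example; the database password is assumed to live in the client section of ~/.my.cnf rather than being passed on the command line, where it would be visible in the process list.

```shell
#!/bin/sh
# WordPress database + file backup (added example, not from the original post).
# Assumes a standard wp-config.php with lines of the form define('DB_NAME', '...');

# Extract a define()'d constant from wp-config.php.
# $1 = path to wp-config.php, $2 = constant name. Accepts single or double quotes.
wp_config_value() {
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Archive wp-content (themes, plugins, uploads) into a timestamped tarball.
# $1 = WordPress root, $2 = destination directory. Prints the archive path.
wp_backup_files() {
  site="$1"; out="$2"
  [ -d "$site/wp-content" ] || { echo "no wp-content under $site" >&2; return 1; }
  mkdir -p "$out"
  archive="$out/wp-content-$(date +%Y%m%d-%H%M%S).tar.gz"
  tar -czf "$archive" -C "$site" wp-content
  echo "$archive"
}

# Dump the database named in wp-config.php with mysqldump and gzip it.
# The password is NOT passed on the command line; mysqldump reads it from
# the [client] section of ~/.my.cnf (assumption for this example). Prints the dump path.
wp_backup_db() {
  site="$1"; out="$2"
  cfg="$site/wp-config.php"
  [ -f "$cfg" ] || { echo "no wp-config.php in $site" >&2; return 1; }
  name=$(wp_config_value "$cfg" DB_NAME)
  user=$(wp_config_value "$cfg" DB_USER)
  host=$(wp_config_value "$cfg" DB_HOST)
  [ -n "$name" ] || { echo "DB_NAME not found in $cfg" >&2; return 1; }
  mkdir -p "$out"
  dump="$out/$name-$(date +%Y%m%d-%H%M%S).sql.gz"
  mysqldump --host="$host" --user="$user" --single-transaction "$name" | gzip > "$dump"
  echo "$dump"
}

# Build a throw-away sample WordPress tree (constructed data, not a real site)
# so the functions above can be exercised offline. Prints the root path.
make_sample_site() {
  sample=$(mktemp -d)
  mkdir -p "$sample/wp-content/uploads"
  echo "sample upload" > "$sample/wp-content/uploads/photo.jpg"
  cat > "$sample/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'wp_sample' );
define('DB_USER', "wp_user");
define('DB_PASSWORD', 'not-a-real-password');
define('DB_HOST', 'localhost');
EOF
  echo "$sample"
}

# Usage: sh wp-backup.sh /path/to/wordpress /path/to/backups
if [ "$#" -ge 2 ]; then
  wp_backup_files "$1" "$2"
  wp_backup_db "$1" "$2"
fi
```

Run it from cron so the backups happen whether or not you remember, and copy the resulting archives off the web server; a backup that sits next to the compromised site is only as safe as the site itself.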
There’s a new book out on WordPress security, WordPress 3 Ultimate Security by Olly Connelly, aka, the Guvnr who wrote the blog article, 10 Tips To Make WordPress Hack-Proof. The Ultimate Guide. I’m hoping to get ahold of a copy soon to review here.