Securing WordPress

You’re likely a WordPress user or admin, or know someone who is. With it powering roughly 23% of the web, it’s popular with users, developers & hackers alike. Yay, WordPress is great (and powers this blog).

Securing WordPress is difficult, but not impossible. We’re not experts on the topic by any stretch, but, given we host a few thousand websites powered by it — we’ve got a few ideas on how to keep it secure. Some of these are fairly generic, and others might give you a few ideas on how to keep your own install hack-free.

Much of this advice is tangible, and will help with other aspects of WordPress site management as well (like performance).
If you prefer to read text, scroll down below the image. There are a few additional notes below as well.

[Infographic: Securing WordPress]
Link your friends to: https://www.fused.com/blog/wp-content/uploads/2015/04/securing_wordpress.jpg

First, why should you secure your WordPress install? Who cares, right?

For starters, your site could be used to send spam to others. Worse, it could infect others & their systems with malware. Neither of those is going to make you any friends, and worse, it could impact your reputation.

Secondly, a hacked site will be quickly flagged by Google & blocked from being viewed in Chrome. You’ll lose visitors & revenue, particularly if you operate a business.

Lastly, to be a good netizen. Nobody likes spam, exploits, or DDoS attacks — and all of these can originate from your WordPress installation. There are many of us who end up staying awake through sleepless nights to mitigate things like this, and there’s not enough whiskey to go around.

Update, update, update.

It goes without saying, the first step to keeping any piece of software secure is updating it as quickly as feasible when an update is released. This applies heavily to WordPress, where a potential exploit might reside in a theme, a plugin or the core software itself. As of 3.7, WordPress can automatically update itself. Managing these updates is trivial, often using a plugin. To keep just the core WordPress software in check, add this to your wp-config.php file (on its own line): `define( 'WP_AUTO_UPDATE_CORE', true );` (setting it to `false` would disable core auto-updates instead).

Caveat: Some software within your installation might need to be updated manually, but we’ll talk about that more shortly.

WordPress Themes

Everyone loves themes, &, if you’re anything like me, you change your WordPress theme several times a year. Who doesn’t love a fresh pair of clothes? But let’s not make it a heyday for hackers, bots, & script kiddies alike.

Leaving a WordPress theme installed after you’re done with it is akin to building an addition onto your home & forgetting a wall. You’re leaving yourself open to attack. Less is more, & that applies more & more each day with WordPress.

Third-party theme websites

Acquiring the latest & greatest theme off of Themeforest & some of those great sites is wonderful, but it leaves a few things undone — and this is frequently the number one source of attack aside from out-of-date installations.

First, and foremost: anything you install manually will need to be updated manually. If you install something outside of the WordPress interface, WordPress won’t update it for you.

You’ll want to subscribe to any updates/newsletters the theme developer has. You’ll be relying on them for many security updates to software that might be bundled in the theme and that may not have an easy update method.

Secondly, despite my note that you’ll be relying on them for security updates: Don’t rely on them for security updates! Someone who has just a few themes out there might not be around to fix the latest-greatest-exploit in their theme. If Murphy’s law has anything to do with it, they’ll be on a remote island sipping piña coladas while some good friend from afar is sending a few emails on your behalf, to all of your good friends :)

If at all possible, catalog what ‘extra’ functionality (3rd-party code, besides the theme itself) might be in a theme (or ask the developer when you acquire the theme) and keep an eye on releases of those pieces of software.

That’s an awful lot of work, and, as much as I appreciate 3rd-party theme developers — it’s (in my opinion) a better choice to use themes available within WordPress itself via Appearance > Themes (or https://wordpress.org/themes/commercial/), rather than venture out on your own. The themes available there will still need to be updated, but the process is slightly more streamlined.

WordPress Plugins & Security

Avoiding plugins altogether would be great, but is impossible, of course. If at all feasible, avoid adding plugins that add minuscule functionality, like an image carousel, for example. Far too many exploits originate from plugins. Less is more.

Secondly, removing any unused plugins is quite possibly the best thing you can do. Disabling them isn’t sufficient; deleting them altogether — like themes — will keep you a bit more secure.

Backups

Backups are by no means a way to prevent exploits, but they make it easier to revert to a “good” copy of your website in the event of one. Frequently back up your website & WordPress installation (database & all) via your host’s control panel & the ‘Tools > Export’ section of WordPress.

The more backups you have, the merrier. Rebuilding a website from scratch is no fun, and in some cases (like my own blog, which I started in ’03) would be absolutely impossible without backups.

Your web hosting provider should be backing things up, but it never hurts to have a couple of extra copies of your data floating around — don’t count on their backups in a bind.

And, lastly, here’s an infographic to link your friends to:
Enjoy!

Advanced & misc. cruft

If that article bored you to death, my apologies. We’re finding the average Joe/Jane is getting their WordPress install hacked left & right. There are some advanced & more generic tips below, in addition to our lovely image you can share with your friends.

Read only: Disable writes to any folders that won’t need it.

We frequently come across someone using something like Gravity Forms to upload an executable PHP file and exploit the installation. This, among many other exploits, could easily be prevented by disabling writes to every folder by default and only allowing them for the ones that need it (cache folders, for example). We personally disable all writing by default, though someone keen could still get around it.

Re-enabling writes for updates & the like will be necessary, but it can be automated (a cron job that re-enables writes to folders and simultaneously updates WordPress, for example).

Lock down wp-admin

Restrict logins to wp-admin to a specific set of IP addresses, and no more. Brute forcing is less common against something like WordPress, but frequently we’ll see someone’s password leaked through some other hack, and that password then used on their WordPress installation.
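As an added example (not from the original post), here is a POSIX shell sketch of the read-only lock-down, the cron-driven unlock/update/relock cycle, and the wp-admin IP restriction described in the two sections above. It assumes the site files are owned by the account running the script, that the web server is Apache 2.4 (for the `Require ip` syntax), and that WP-CLI (`wp`) is installed for the update step.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the WordPress files
# are owned by the account running this script and that WP-CLI ("wp") exists.

# Make everything under $1 read-only; directories named after it stay writable
# (e.g. wp-content/uploads, wp-content/cache).
lock_wp_tree() {
  root=$1; shift
  find "$root" -type d -exec chmod 555 {} +
  find "$root" -type f -exec chmod 444 {} +
  for d in "$@"; do
    [ -d "$root/$d" ] || continue
    find "$root/$d" -type d -exec chmod 755 {} +
    find "$root/$d" -type f -exec chmod 644 {} +
  done
}

# Restore owner write access so WordPress can update itself.
unlock_wp_tree() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
}

# Audit helper: number of files and directories under $1 the owner can write.
count_writable() {
  find "$1" \( -type f -o -type d \) -perm -200 | wc -l | tr -d ' '
}

# Write wp-admin/.htaccess allowing only the given addresses (Apache 2.4
# syntax; several "Require ip" lines at one level are OR'ed together).
# Call it while the tree is writable. wp-login.php lives in the site root,
# so cover it there too with a <Files "wp-login.php"> block using the same rule.
restrict_wp_admin() {
  root=$1; shift
  out="$root/wp-admin/.htaccess"
  : > "$out"
  for ip in "$@"; do
    printf 'Require ip %s\n' "$ip" >> "$out"
  done
}

# Cron job body: unlock, update core/plugins/themes with WP-CLI, relock.
# Caveat from the post: code running as the file owner can chmod things
# back, so this raises the bar rather than removing the risk.
update_and_relock() {
  root=$1
  unlock_wp_tree "$root"
  wp --path="$root" core update \
    && wp --path="$root" plugin update --all \
    && wp --path="$root" theme update --all
  lock_wp_tree "$root" wp-content/uploads wp-content/cache
}
```

Run `update_and_relock /path/to/wordpress` from cron on the schedule you want updates applied; `count_writable` is handy for spot-checking that a tree is locked.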

Don’t recycle passwords

It’s 2015. Use 1Password or KeePassX. Avoid recycling passwords, however unimportant some of them may seem — it often takes only a single account being compromised to set off a domino effect of hacks against your other accounts.

The death of voicemail

Phone calls can solve problems in seconds: They are amazing. There are honestly few things I enjoy more than the refreshing sound of a human voice. To be able to respond with a simple “Mmhm.”, “Absolutely!” or something in between. I love them (and the clients, friends and family behind them), and, honestly, it’s one of the few reasons I continue to operate fused well over a decade on.

Voicemails, on the other hand? Voicemails are awful in every imaginable way. I can’t even begin to list all of the reasons why voicemails are tragic.

Perhaps it’s because if you’re anything like me — you often leave two voicemails instead of one, because you failed to include some snippet of extremely important information, often even your callback number. At best, you fumble over a few words and feel like a bumbling idiot. During a live call that somehow never happens, or, the human on the other end helps you up. Robots on the other hand are heartless, and respond with nothing but a painful empty silence.

At fused, we don’t miss many calls — yet, we still somehow end up with hundreds of voicemails, and every single one is absolutely painful to trawl through. More often than not, the only reasonable response to a voicemail is to call back, defeating the whole purpose of their meager existence.

Ugh. All of that could be settled with a single text, or, email even — it’s 2015. But, we love phone calls, regardless of how ugly voicemails are.

The future of voicemails: Their death, preferably

So, back in early 2014 we launched our phone call request system.

And it’s amazing. You request a call, we get an email with a link — simple. It cuts out the middleman, and saves us hundreds of dollars a month on phones & phone systems, to boot. Instead of any of us having to drone into empty space (or, listen to it), we’re live instantly. There’s some sincere benefits too, which I could rave on about endlessly — I’ll save that for another post.

Sure, once in a while there’s the odd game of phone tag, but not having to listen to another voicemail has improved our lives significantly.

And that’s why today, we’ve turned off our voicemail for good.
(And, better yet, we’ll be open sourcing this whole thing soon so you too can be free of voicemails — follow us on Twitter to keep in the loop.)

How to save time and money on web hosting

Web hosting is important in this day & age, and quality web hosting can be prohibitively expensive. I’m going to provide a few helpful hints on how to pick a cheaper web hosting solution & still get reasonable uptime and performance.

Saving time & money:

First, a short story. I’ve been involved in web hosting now for more than a decade: In internet years, that means I’m on a porch shouting at you from an antique rocking chair.

We all want similar things in life: But, most importantly, we want to choose how we spend our time. My goal is to spend as little time sitting in lines, and as much time as possible with my kids & family (particularly when they’re not screaming). Many companies interrupt our time like clockwork. My bank, for example, which will remain anonymous (it rhymes with ‘rank of blahmerica’), almost weekly does something that warrants yet another phone call, sitting in their phone queues, as though my time were infinite, and infinitely worthless. Yesterday, I spent a total of roughly one working hour resolving what shouldn’t have been an issue at all, and next week it’ll happen again. By contrast, my local internet provider instantly picks up the phone, resolves the issue (without hold times) and I’m on my merry way (EPB, in Chattanooga — gigabit internet for everyone!).

I’ll try not to get off topic, but it warrants a few paragraphs. You’re a business owner, or, someone who has better things to do than spend time contacting companies for something that is often their mistake, or something they could have readily resolved proactively. But, these are computers: Things happen — stuff breaks, errors are found, problems arise. The difference between a mediocre company, and a great company, is how much of your time they’ll waste. Think of great web hosting like insurance. Great web hosting tries to ensure that you’ll spend as little time dealing with web hosting as possible, and as much time on your business as possible. Mediocre web hosting makes no guarantees, and, ultimately, will cost you time in exchange for saving a few dollars a month.

The math is entirely up to you and your circumstances. I too have been an extremely poor student, living in whatever walk-in closet I could afford at the time: Sometimes, you need to save money. As a business owner, I’d recommend you don’t skimp on web hosting, but, if you have to, here are a few options:

Expect downtime

With a cheaper hosting provider, expect downtime. There are likely some great cheap hosting providers out there, but they’re likely cutting some corner that will ultimately result in website problems. To counter that, use something like Cloudflare to at least cache your site when it is offline. Your visitors will still get to your content, and you’ll save on web hosting.

Horrible web hosting support

With a cheaper web host, support might be unavailable. An inexpensive provider might cut corners on their team size or availability, leaving you to resolve things on your own most of the time. Learn to wield the web for common problems by googling error messages; more often than not you can resolve them on your own. Teams are easily the number one budget line item for a quality hosting provider: To put that in perspective, 75% of fused’s revenue goes towards covering our support & development team. A meager 10% of our monthly revenue covers hardware & infrastructure.

Unreliable email

Another common issue experienced with cheap web hosting is unreliable email. Consider using a 3rd party like Gmail to offset some of the damage that could be done to your communications. Gmail offers service with custom domains for a meager $5 a month per account.

Database issues

If your website relies heavily on databases, like, for example, one built on WordPress or Drupal: Cache as much as possible. Caching properly can keep your website available even when the related database goes offline. Often there are plugins available for some content management systems that will cache an entire site, giving it a higher chance of being online. Databases being unavailable, or overloaded, is a common symptom of overloaded web servers. Cheaper companies might be forced into hosting as many clients on a single server as possible due to their limited budgets.

Ultimately, it might be more costly, time-wise, to pick a cheaper web hosting provider.

It’s worth weighing the options, and, if you’ve found a great, inexpensive hosting provider, don’t hesitate to leave them in the comments.

Internet fast lane? Toll roads, you mean.

You may have heard some of the recent debate on net neutrality. If you haven’t, here’s a quick review.

Some have been referring to it as the internet fast lane, others, the slow lane: I’m of the opinion that internet toll roads is a hint more precise. The fact of the matter is, most of the arguments against net neutrality originate from extremely biased sources. The very companies that argue against it tend to have one of two things: a vested interest in television service, or in telephone service.

Those two items are extremely critical in the net neutrality debate. Most of our communications, telephone or otherwise, now travel via the internet. Public utility companies that offer these services, say AT&T for example, do not send your communications via the airwaves all the way to their destination. Instead, your communications reach the tower, and at that point are (more than likely) sent across the internet.

Television companies are similar, in that they too wield the internet heavily for their content.

Now, why are either of these two points critical? The internet gives new players (Say, Netflix, voice over IP services, or, whatever’s next) a direct method of competing with these older television and telephone companies. In addition, if those same public utilities companies are making heavy usage of the internet for their infrastructure, shouldn’t we have that same benefit as a society? I’d like to think so, considering much public money went into funding those same very networks.

Sadly, we’re now at a point where the old monopolies involved are being given a legal avenue through which they can stifle competition and retain control of their massive market shares for the foreseeable future: After all, why would they be lobbying for it so heavily — for the good of their customers? What’s next — a YouTube or Skype tax? Absolutely.

Here’s why I think giving anyone the ability to implement internet toll roads is bad:

Stifling competition: It’s 2014, and, just about everything is internet based. Digital advertising just surpassed advertising on broadcast TV.

Giving anyone the ability to directly tax their new fledgling competitors is unwise. It stifles competition, in addition to impeding innovation. That’s not what America (or, any nation, for that matter) should be about.

The internet has become such a prolific aspect of our lives that adding any impediment, economic or otherwise, would sadly contribute to reducing our ability to compete on a global scale. My job, amongst many others, could be done from anywhere.

Ultimately, we as adults, have an obligation to the next generation to lay the stepping stones for their innovation and future. Let’s make internet a public utility & resource, even if it’s so we can avoid this:

Footnote: If you’re looking for a great example of what we should be doing, look towards EPB & Chattanooga. The local power company took a small federal grant, in addition to their own funds and there’s now gigabit to almost every home in the county through the power lines. There’s no reason your city shouldn’t also be a gig city.

The Internet: The great equalizer

Things are changing. Many of our parents grew up in an era where last names, skin color & ZIP codes may have defined, to an extent, their future. Many overcame these limitations, many didn’t. I grew up in an era where some of those things, although less relevant, still impacted my future to some degree.

Today, someone from Charlottetown, Memphis, or even in distant lands like Manila, Rio De Janeiro, and Delhi, all have the same potential through the internet. The internet has changed everything.

I realized all of this fairly early on. My formative years were spent crafting online personas, whether in a virtual game world, Internet Relay Chat, or even going as far as building projects & businesses. The diversity of the people I interacted with daily, many of whom came from places whose names I could barely pronounce, scaled well beyond my greatest imagination. Compare that to the seasons during grade school when our teacher urged us to find penpals: I connected with a young girl from somewhere in Europe, & told her all about how little I knew about Canada (sadly, I likely know far less still).

Today, my company has clients in so many countries, that even if I tried, I’d likely be unable to visit them all in my lifetime. Our team operates out of multiple timezones, and I haven’t met any of them.

Kids these days, of any origin, of any location, can launch something online & reach the entire planet; that’s a far cry from dragging dusty tables across our lawns in hopes of selling a few glasses of lemonade. Gone are the days of insane phone bills to connect to someone in a faraway land for a few brief moments.

The internet is the great equalizer.