How to give your WordPress site a security checkup

Are you responsible for a self-hosted WordPress site?

If so, one of the most important things you can do to keep it healthy is to give it a security checkup and make sure you’re maintaining it in accordance with all of the recommended best practices. That way, its likelihood of being hacked by the Internet’s hive of scum and villainy is reduced.

Here’s a step-by-step guide to giving your site a security checkup. (Most of these steps are adapted from the Hardening WordPress presentation that I’ve been giving to members of the WordPress community for several years.)

Step One: Backup your site!

There are several ways to manually back up. From within WordPress, backing up can be done with one of many plugins available from the WordPress repository. If you have shell access, making a manual backup is as easy as running a couple of commands. For example, from the directory above your site root, you could run:

bash:~$ tar -zcvf MONTH-DAY-YEAR-Site-Backup.tar.gz public_html/

Then, to make a snapshot of the database (presuming you’re using MySQL):

bash:~$ mysqldump -h hostname -u username -p databasename > MONTH-DAY-YEAR-Site-Database-Backup.sql

If wp-cli is installed on your server, exporting a database becomes even easier:

bash:~$ /home/user/path/to/wordpress/ wp db export

A few words of caution: Do not keep backup files in your publicly accessible web space unless your host doesn’t give you access to the directory above your web root. Leaving backup files in your publicly accessible web space jeopardizes the integrity of your site and is a surefire way for your credentials to leak. If backups must be stored in your web space, make sure access to that folder is restricted. On a server running Apache, this can be done by setting directives in an .htaccess file.

For bonus points, verify the integrity of the backup by using the archive files you made to create a local copy of your WordPress installation.

It’s nice to be able to know how to make a backup on demand, but the key to ensuring backups get made is automating them. This saves time and ensures that a copy of the site is being made at regular intervals.

To automate backups with shell commands, simply create a cron job by editing crontab or using your host’s cron job manager. With a plugin, you’ll need to visit the configuration page to specify how often backups should be made, and where they should be stored. You should have a set of backups stored locally on the server, and another set stored offsite in a secure cloud repository. That way, in the event disaster strikes and your host’s datacenter is beset by a catastrophe, your data is safe.

For most WordPress users, a plugin is the easiest and best way to automate and manage backups. I recommend UpdraftPlus.

Step Two: Install pending updates (if any)

Once your backup is made, you should install any pending updates to WordPress, your installed plugins, and your installed themes. You can do this using wp-cli, or from within WordPress using the built-in Updater. If you have plugins or themes installed that you bought from an online marketplace, you should go back to that marketplace and see if there are updated versions available. If there are, download them and install them by deactivating the version on your site, deleting the old code, and uploading the new version.

Some premium plugins and themes can be automatically updated from within WordPress just like ones installed from the WordPress.org repository, but access to automatic updates usually requires a license key from the developer. Consider renewing any subscriptions to premium plugins that have expired — it’ll make installing updates much simpler in the future.

Step Three: Scan your site for problems

With backups made and updates installed, it’s now time to scan your site for problems. There are several security suites available for WordPress; my favorite is BulletProof Pro. (There is also a free version of BulletProof, and that’s better than nothing, but it doesn’t have all the features of BulletProof Pro.)

Install BulletProof Pro if you don’t already have it in your site, and put the scanner to work to see if there are any issues that need your attention.

If your site has been around for a few years and has a bunch of plugins installed, chances are good that you’re using one or more abandoned plugins. This is a common security issue with WordPress websites.

There’s no need to panic if you discover you’re using a deprecated plugin, but you should take steps to switch over to alternatives that are currently maintained. If you are notified of an abandoned plugin (which is one of the most common results I see in a scan of an otherwise healthy site), head over to the WordPress.org repository to look for a replacement.

Again, chances are, you’ll find one that does pretty much the same thing as the one that is no longer maintained.

Step Four: Make sure your site is protected by a firewall

One of the capabilities you get with BulletProof is the ability to deploy a firewall. Deploying a firewall is one of the most important ways you can protect your site.

Usually, deploying BulletProof’s firewall is as simple as clicking a few buttons and running the setup wizard. At other hosts, some intervention on your part may be required to enable extended protection mode and realize the full benefits of the firewall.

Step Five: Change your passwords

Since you’re giving your site a security checkup, take advantage of the opportunity to change all your hosting-related passwords now.

Consider installing a password manager like Dashlane or 1Password to securely generate and store your new passwords. A manager greatly reduces the complexity and anxiety involved in coming up with strong passwords and keeping them safe. You should have unique passwords for:

  • your hosting control panel
  • your database (MySQL, MariaDB, etc.) user
  • your WordPress account(s)
  • any additiontal shell accounts or FTP users you have

Step Six: Turn on multi-factor authentication (MFA, also called 2FA)

Many hosts will let you add another layer of protection to your site by turning on multi-factor authentication (MFA), also called two-factor authentication.

To find out if your host will let you set up MFA to restrict access to your control panel, check their support center or knowledge base for an article about “MFA” or “2FA”.

With MFA, access to your online accounts is secured by something you *have* in addition to your password. That something could be a mobile device (the most common second factor), or a hardware authentication module like a YubiKey.

If you’re using your mobile device, I recommend using an authenticator app instead of using SMS (short message service) if possible, as authenticator apps are more secure.

The three most popular authenticator apps currently available are Google Authenticator, Authy, and Duthio.

Do you use Jetpack? Turning on multi-factor authentication at WordPress.com will help protect your site from the nasty Jetpack remote management attack that’s afflicted a lot of WordPress websites recently.

To turn on multi-factor authentication (also misleadingly called cell-phone sign in by some) for your WordPress installation’s administrator accounts as well, there’s a nfity plugin simply called Two Factor, by George Stephanis. Unlike other plugins purporting to provide 2FA, George’s supports YubiKeys, so you can use a physical key as your second factor. Physical keys are the most secure 2FA method, followed by smartphone authenticator apps like Twilio’s Authy.

Step Seven: Configure and use HTTPS on your site

Help encrypt the Web by configuring and using HTTPS (HyperText Transfer Protocol Secure) on your WordPress site. When you make the switch to HTTPS, you’ll no longer be sending your username and password in the clear when you login to manage your site, and your users’ comments and form submissions will likewise be encrypted while in transmit between their computer and your site’s server.

Switching to HTTPS is one of the most important ways you can protect your WordPress site. Switching to HTTPS now will also ensure you’re prepared for the day when Google Chrome (and other browsers) begin marking non-HTTPS pages as “Insecure”, which is due to happen this September.

The process for configuring HTTPS varies by host, so as with the previous step, you’ll want to check your provider’s documentation.  You will need to obtain a secure certificate from a certificate authority to securely access your site in a browser without triggering a scary-looking warning.

Certificates can be obtained for free through Let’s Encrypt or for a fee from a number of traditional certificate authorities. Note that some hosts require you to buy a certificate through them in order to set up HTTPS on the server that serves your website.

After you’ve configured HTTPS, you’ll need to make changes to your site to enforce its use. First, modify your site’s wp-config.php file to require HTTPS for all administrative sessions by adding this constant:

// Require encryption for administrative sessions and logins
define('FORCE_SSL_ADMIN', true);

This is the recommended way to force HTTPS on your site’s backend because it doesn’t depend on a plugin being active.

Note that setting this constant does not require HTTPS on your site’s frontend… the public-facing part of your website.

To force HTTPS on the frontend, start by going to your site’s Settings (you’ll want the General screen) and changing the site and Home URLs to begin with https:// instead of http://. You will be immediately logged out once you save this change, and will have to login again.

You’ll then want to use a plugin like Velvet Blues Update URLs to replace all the hard-coded http:// URLs in your site with https:// URLs. If you don’t do this, some of your site’s resources, like images and scripts, may not load securely.

Always make a fresh backup of your site (repeating what you did in Step One) before you run a plugin like Update URLs.

The last step is to browse around your site and look for any mixed-content warnings. You may need to modify your theme files or theme settings to get rid of a final http:// reference or two.

Made it through all that? Good work!

Completing the steps above is the ticket to a safer, happier WordPress site. If you’d previously completed some of the steps, congratulations on completing the remaining ones. And if you’ve never done work to strengthen your site’s security posture before, but have been inspired to do so, I hope this post helped you take action.

Don’t let an injury to one become an injury to all: Strategies for safely managing multiple sites

If you’re adept at building websites, chances are excellent that you have more than one of them in your care, whether you own them yourself or whether you simply manage them on behalf of a friend or a business/nonprofit/community group that you have a relationship with.

Ensuring that all the sites you’re responsible for are well maintained is no easy task, especially when it’s a large number.

But it’s really important, because maintenance and administration go hand in hand with security. A neglected site can become a serious liability — and not just to the entity that it’s associated with. Since a hosting account is only as strong as its weakest link, it’s very important to ensure that no site gets left behind when it comes to regular maintenance and administration.

Here are three strategies you can use to minimize your risk of an injury to one site becoming an injury to all sites in your hosting account.

Strategy #1: Isolate your sites from each other

The first strategy you should consider to protect multiple sites that are sharing a hosting account is to isolate them from each other to the fullest extent possible. This way, if one site gets infected, the ability for the infection to spread is minimized. This strategy only works for sites that reside at different domains or subdomains (for example, mysite.tld and subsite.mysite.tld, or mybusiness.tld and hobbysite.tld).

You need to do several things to effectively wall off sites from one another:

  • Use unique, strong passwords for each site’s WordPress accounts
  • Associate each site with its own unique database and database user
  • Run each site under a separate shell or FTP/SFTP user (be aware that some hosts will not allow this) 
  • Make sure your shell/FTP/SFTP users do not have access to each others’ files (check with your host to ensure this is the case)

Again, to properly compartmentalize your sites, make sure you do all of the above. If you’ve got sites that “live together” in your hosting account and are not compartmentalized, they will all need to be cleaned in the event that one of them gets hacked.

Strategy #2: Use a manager to collectively administer your WordPress sites

If you are responsible for more than one WordPress site, you can greatly simplify your administrative workload by using a site manager to keep an eye on all of your sites at once.

Perhaps the biggest benefit of a site manager is that it will allow you to install updates in tandem without having to log in to each and every site you’re responsible for separately.

For example, suppose the WordPress development team releases a new version of Akismet, the spam catching plugin that ships with WordPress, as they did a few weeks ago. With a site manager, you can install that update across all the sites you have with just a couple of clicks, saving a lot of time and ensuring that no site gets left behind.

Connecting your sites to a site manager is as simple as installing a plugin and completing the pairing process by providing the site URL and a key to the manager.

When it comes to site managers, you’ve got choices. Two of the most popular managers currently available are InfiniteWP and MainWP. Both of these managers integrate with security plugins. And both can be installed in your existing hosting account at no cost to you. (Like your client sites, run your manager under a separate shell/FTP/SFTP user as described above.)

Do note, though, that many advanced capabilities you may want, like scheduled backups or security plugin integration, will require the purchase of an add-on.

Since your manager will be connected to all of your sites, you’ll want to log in often to ensure the manager itself is up to date, and protect it with a strong password. It’s also best to run all of your sites — your manager included — over HTTPS only.

Strategy #3: Convert dormant WordPress sites to static sites

If you’ve got a WordPress site in your hosting account that is no longer being updated with new content, but that you don’t want to take offline, consider giving it a proper retirement by converting it to a static site.

It’ll load faster, and there will be one fewer application in your web hosting account that you need to worry about updating and securing. This is a great alternative to deleting a site altogether and having the content disappear from the Web.

To convert your site, you can use the Simply Static plugin. It will generate a snapshot of everything you’ve got — posts, pages, images, scripts, and all — preserving your permalink structure in the process. Pretty cool!

Once your archive has been successfully created by Simply Static, move it out of your web root. Then, take the WordPress site offline by making a backup of the site and deleting the filesystem.

Keep in mind that depending on the size of your website, the archive could take a while to build, and be quite large.

Unpack the archive file you created in place of the filesystem you deleted, and verify that your posts and pages are still accessible at the URLs they had when the site was a WordPress site.

Note that when you retire a WordPress site by converting it using the process described above, comment threads, forms, and other interactive functionality will no longer work. You may wish to edit your now-static contact page and other pages where forms were present to remove them and make it clear to site visitors that they are viewing an archived site which isn’t accepting new form submissions. You can always put in a link to a currently-maintained site where they can reach out to you.

Part of staying secure involves recognizing and rejecting bad advice

A couple of days ago, I came across a blog post by former Mozilla developer Robert O’Callahan that harshly criticized makers of antivirus software. “[I]t’s safe for me to say: antivirus software vendors are terrible; don’t buy antivirus software, and uininstall [sic] it if you already have it (except, on Windows, for Microsoft’s),” O’Callahan declared in his opening paragraph, going on to contend that many Internet security and antivirus suites don’t add value, are not themselves kept updated, and prevent the browsers and operating systems they’re supposed to protect from running smoothly.

By the time I got to the end of O’Callahan’s first paragraph, I was appalled. Urging people to avoid using or installing Internet security and antivirus solution is terrible advice. Left undefended, a typical Windows or Mac installation is susceptible to all kinds of threats, including viruses and ransomware. I make a point of telling my clients that having a best-in-class Internet security suite installed is one of the most important ways they can mitigate their risk.

Notice I said “best-in-class”. Contrary to what O’Callahan says in his post, not all antivirus and security products are created equal. Much of what’s available for sale or download would not earn my recommendation.

I advise clients that it’s not enough to just have any old Internet security product installed; it should be an application that independent testing has shown can actually offer a user valuable protection.

The two firms whose software has generally performed best in the the independent tests I’ve seen are Kaspersky and Bitdefender. I prefer Kaspersky’s Internet Security suite, and am a paying subscriber.

Kaspersky nowadays sells multi-computer subscriptions as part of a package deal for a reasonable price, which means you can get all your family’s computers protected by buying just one plan. Their suite includes a robust firewall and antivirus engine, plus some other extremely useful tools, including Safe Money, which can stop you from falling victim to phishing attacks.

The latest version of Kaspersky Internet Security for Windows has a killer feature that I absolutely love: it scans my Windows operating systems for outdated plugins and third-party applications and offers to update any it finds without my having to do anything.

I keep a lot of what I have installed updated with Ninite, but Ninite won’t update *all* the non-Microsoft software on my computer. Kaspersky is now flagging updates I can’t install through Ninite and allowing me to install them with a couple mouse clicks. I love that.

Kaspersky Internet Security is well-behaved and generally does not get in the way of my other applications. I do not use the Kaspersky add-on for Firefox because I already have NoScript, CookieSafe, RequestPolicy, Privacy Badger, uBlock Origin, HTTPS Everywhere installed. These add-ons collectively serve as my browser armor and help protect me as I surf on a daily basis. But I consider Kaspersky Internet Security essential, too.

In my own testing, the scanner and antivirus engine have done very well. If I mount a volume with malware specimens on a virtual machine Kaspersky is installed on, it will quickly notice the specimens and warn me that it’s found malicious objects that should be quarantined or deleted.

Kaspersky’s Alexey Malanov saw O’Callahan’s post too, and took issue with it here. His criticisms of O’Callahan’s criticisms are spot on, and worth reading.

“In 2016, Kaspersky Lab solutions repelled 758,044,650 attacks launched from online resources located all over the world,” Malanov notes. “Web antivirus components recognized 261,774,932 unique URLs as malicious and detected 69,277,289 unique malicious objects (scripts, exploits, executables, etc.). Encryptors targeted 1,445,434 computers of unique users. Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on 2,871,965 devices.”

O’Callahan’s post includes a number of sweeping generalizations that are not backed up with any evidence, like this one:

AV products poison the software ecosystem because their invasive and poorly-implemented code makes it difficult for browser vendors and other developers to improve their own security.

Towards the end of his rant, O’Callahan does link to a 2012 post by Nicholas Nethercote criticizing McAfee (now owned by Intel) for getting in the way of Firefox. But he never calls out McAfee specifically in his own post.

I am not a McAfee fan either, and would not suggest anyone use their products. Fortunately, there are superior offerings available from firms like Kaspersky and Bitdefender that have earned “Outstanding” ratings in independent tests due to their effectiveness in thwarting threats.

If you’re not happy with your current Internet security suite, you should look into getting a better one as opposed to going unprotected, as O’Callahan unwisely recommends. Merely installing updates from Microsoft and Apple as soon as they’re available won’t protect you from ransomware, viruses, or phishing attacks. But a best-in-class Internet security suite can. Be sure that you have one installed on your computers and those of your loved ones.

Ad-blocking is good from both a security and privacy standpoint

Every now and I then, I come across a story which reaffirms my long-held belief that ad-blocking is good from both a security and privacy standpoint. That happened again recently when I saw this article in The Register:

Online advertising has become an increasingly potent threat to end-user security on the internet. More hackers than ever are targeting the internet’s money engine, using it as a powerful attack vector to hide exploits and compromise huge numbers of victims.

Malvertising, as poisoned ads are known, is as deadly as it is diverse. Hackers are able to poison advertisements with the world’s most capable exploit kits, then pay to have it served on a large number of prominent websites. Up to half of users exposed to the very worst forms of malvertising fall victim, yet tracking the attacks is often tricky. Advertisements are dynamic and served only to certain users, on certain websites, in certain conditions, making attacks difficult to study.

As the article goes on to explain, malvertising has simply exploded in recent years, and is now an extremely serious problem. But unfortunately, big players in the web advertising business aren’t doing enough to combat it:

The industry’s top malvertising experts are unanimous: For all intents and purposes, advertising companies have no idea who is buying their ads, and they make what amounts to no attempt to understand their customers. In an industry that moves fast and operates on tight margins, whitelisting and security checks seem costly and unwanted speed bumps.

The two biggest online advertising organisations, Google and Yahoo!, did not respond to a request by Vulture South for comment after initially flagging interest in interviews.

What can users do to protect themselves from malvertising? The answer is simple: Block ads and block JavaScript from executing by default.

There are ad-blockers available for all major browsers, notably AdBlock Plus, which has extensions for Internet Explorer, Firefox, Safari, and Chrome/Chromium. All the major browsers also contain controls that are capable of turning off JavaScript execution, but since most of us want sites to trust to be able to run scripts (for example, I want to allow JavaScript to execute my own domain and my credit union’s domain), it’s better to install a tool like NoScript, which allows JavaScript to be selectively turned on for trusted sites. (NoScript has 2 million users and maintains an average review of five stars. It’s well-deserved).

Using these and other tools (like HTTPS Everywhere, RequestPolicy, Better Privacy, and Cookie Controller) can greatly improve our security and privacy as users. The tools I’ve mentioned essentially act as browser armor, and can safeguard against all sorts of threats on the Web, not just malvertising. We all stumble into bad neighborhoods on the Internet from time to time, often by accident. Having browser armor in place greatly minimizes the risk of harm to our computers. Prevention, as they say, is the best cure of all.

I’ve heard some people make the argument that ad-blocking is unethical. I disagree. I believe that as users, we all have the right to decide what content we want to come into our homes and workplaces through our personal computers, tablets, and smartphones. That means having the freedom to block JavaScript, cookies, cross-site requests, ads, images, or anything else. We all ought to be able to control our own computing and decide how the Internet connectivity we pay for gets used.

This is especially important in the context of mobile Internet access, because most of us are on plans with fixed data allotments.

I understand the economics of publishing and content creation, and I agree we need to support artists and writers. The best way to do that, though, is to purchase a subscription to a favorite publication, or put money in a site’s tip jar.

Tips for crafting a strong password for your Wi-Fi network

Recently I had an opportunity to evaluate the latest incarnation of Actiontec’s MI424WR (GigE) router, a workhorse designed for use with FiOS service offered by Verizon and Frontier Communications. While navigating through the administration console of the router, I noticed that the security settings page now incorporates a long list of useful tips on crafting a strong Wi-Fi password. (WPA2 is also now the default security protocol, which is great, because WPA and WEP are flawed and easier to compromise). Here are the tips I found, which concur with the guidance I offer to clients:

User Guidance on Password Selection

Your wireless network security depends on having a good password. A good password contains Sixteen (16) or more letters or numbers, with each letter or digit chosen at random. This initial password shipped with your router is an example of a good password. The initial password is printed on the serial number sticker under the router. The Letters in the password are case sensitive and the initial password provided on your router is in Upper Case
If you wish to change your wireless password, try to pick a password similar to your router’s initial password. You must include at least one letter and at least one number in your password. It is recommended that the password should be at least sixteen letters and numbers, with no spaces or special symbols. However, you can shorten the password at your own risk. At a minimum there has to be 8 characters and a maximum of 63 can be used.

Here are some suggestions to help you choose the safe password:

  • The password should be 8 to 63 ASCII characters long, and it is highly recommended to use 16 or more.
  • Characters that are upper case. ASCII is categorized as Alpha and Numeric characters.
  • DO choose each letter or digit at random. Try one-finger typing with your eyes closed.
  • DO use a longer password, and write it down somewhere safe. A short password is easier to remember, but also much easier for attackers to guess. It is OK to let your PC save your wireless password so you don’t have to remember it.
  • DO NOT use anything directly related to you, such as your street address, phone number or car license plate.
  • DO NOT use the name of any person or place in your password. The attackers know all the common names.
  • DO NOT use any word from the dictionary. The attackers have dictionaries, too.
  • DO NOT use a phrase or sentence. Once an attacker learns any portion of the phrase or sentence, the rest is easily guessed.

This is great advice. I often find when asking for the Wi-Fi password at a particular location that it is just a couple of words, the telephone number of the establishment, or the address (spelled out).

A secure password should not include any personally identifiable information. Birthdates, license plates, phone numbers, addresses, Social Security numbers, and other sensitive data should never be used in any password, ever. Length is good. Random characters are good. Mixed-case letters are good. Punctuation, if allowed, is great. Here is an example of a weak, bad Wi-Fi password:

555-567-8095

The following, courtesy of the Strong Password Generator, would be a strong Wi-Fi password:

Ay#{$.}n7 s$Q~sM*;.}73*CS

It’s easier to remember as ALPHA yankee # { $ . } november 7 [space] sierra $ QUEBEC ~ sierra MIKE * ; . } 7 3 * CHARLIE SIERRA

Do yourself, your family, and your business (if you have one) a favor and set a strong Wi-Fi password, using the WPA2 protocol. You’ll be glad you did.