WordPress site security is a hot topic these days.
But what’s all the fuss about, why do you need to care, and what can you do about it?
Why is WordPress so vulnerable?
WordPress sites are particularly vulnerable to attacks and security breaches… not because it’s inherently insecure. Far from it!
When you’re running the latest version of WordPress, you have quite a secure platform on your hands.
The problem is ubiquity. WordPress is everywhere, and it makes the potential surface area of attack much larger… and therefore more appetizing to attackers.
As a hacker, if I want to do a mass, non-targeted attack against a lot of sites, I want to maximise my chances of success – so I try to find a weakness in a platform that is practically everywhere.
By using WordPress you don’t make your site less secure, you just make your sites more vulnerable to being the target of an attack.
How can you make WordPress more secure?
This particular article will cover methods for keeping your site secure… the scope of that topic exceeds what a single article can cover.
Fundamentally, security of your WordPress sites falls into 2 broad categories:
- Explicit / Enforced Security
- Passive / Obscurity Security
We recognise the need of many people, and ourselves, to add explicit security principles to our WordPress sites.
To this end, we created our own WordPress security plugin – The Shield Security plugin.
Shield Security Plugin – What does it do exactly?
The Shield Security plugin works primarily by analysing the request parameters that have been sent to your WordPress site, looking for certain patterns in the values.
For example, when you submit a form to a site, you normally submit things like your name, email address and things like that. We normally call this POSTing to a site, and the alternative method is GET, and this plugin handles both.
Some attack vectors attempt to submit values that contain dangerous content, that bypasses the “normal” processing of the forms to achieve the attack it wants to make.
Shield Security analyses all these values for some of these dangerous elements and when it finds one, it blocks the request.
It’s that simple.
There are around 6 different types of values that the plugin checks for, and you can turn on and off each one individually. You see there’s no way to be completely 100% compatible with every website configuration and many plugins themselves can use forms to submit values that might trigger the firewall.
The Shield plugin allows you to see clearly what has been blocked using its logging feature. In this way you can see what part of the firewall is being triggers, and you can turn on/off the plugin easily from the configuration page – you don’t need to disable the whole plugin.
Other features the plugin includes:
- Add a list of accepted, whitelisted IP addresses that are never subject to the firewall rules
- Add a list of restricted, blacklisted, IP address that are always blocked – a ban list.
- Restrict access to wp-login.php to whitelisted IP addresses.
- Full firewall activity logging so you can review visitor access and debug the firewall.
- Turn on and off the firewall with a single plugin option (no need to disable the plugin).
- Option to force turn-off and turn-on the firewall using FTP – very useful feature in case you can’t access your WordPress site directly.
- Option to change how the firewall block responds – it can die (kill the request), send a 404 page, or redirect to home.
- Option to send an email to the blog admin when a block occurs.
This is just version 1.0 of the plugin… there’s more coming!
Why did we build the Shield plugin?
Simple… because ultimately we will integrate it into our iControlWP service to provide a centralized security management dashboard.
Configuration security principles on individuals sites is fine, if you only have a few sites to manage, but how about when you have 10s and 100s of them?
Would it be ideal pool the data from all your sites together into 1 place? Setup whitelists and blacklists in 1, centralized control system? That’s exactly where we’re headed…
Grab the Shield Security plugin and let us know what you think, and what you’d like to see. We can only make the best WordPress security management system with your help.