Over on BlogSecurity, there’s a whitepaper on How to create a secure WordPress install. It covers several areas, including MySQL setup, WordPress user configuration, Apache protection of directories, and some useful plugins. I’ve glanced over it, and I have mixed feelings. Here’s a quick list of notes, off the top of my head:
- There is detailed information about granting the minimum privileges necessary for the MySQL login. This is a good idea that many people probably don’t think about.
- Creating a less privileged WordPress account for posting, separate from your blog admin login, is also a good suggestion.
- The notes on password enumeration are important. I didn’t even realize that we were giving different error messages depending on whether the username or password was incorrect. This is a definite no-no, and something that we should correct in the WordPress core.
- For folks using Apache, and who can create .htaccess files, there is a good section on limiting access to
- The WPIDS plugin sounds useful. This plugin will try to detect certain types of potentially harmful activity, log it, and possibly block further attempts.
- There is a lot of space spent talking about changing the table prefix. This security-by-obscurity is probably going to be useless. If an attacker reaches the point that they can access your tables by name, then they’re most likely going to be able to figure out the names of the tables.
- The section about restricting admin access by IP should probably be more detailed, and should make it clearer that it is for advanced users and probably not applicable to most users.
- There is a section about using the WordPress Plugin Tracker to make sure that your plugins are up-to-date. As of WordPress 2.3, there is built-in plugin version tracking, which isn’t mentioned in the paper. Granted, there are limitations (the plugin must be hosted in the wp-plugins.org repository), but I expect it to become more flexible in the future.
- There is no mention of using SSL (https://...) for logins and admin functions.
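On the least-privilege MySQL point in the list above, here is an added example (not code from the whitepaper or from WordPress) that audits the output of SHOW GRANTS for the account WordPress connects with and prints the statements for a tightened setup. It assumes, as its own working rule rather than anything the paper states, that everyday WordPress operation needs only SELECT, INSERT, UPDATE and DELETE on its own database, with CREATE, ALTER, DROP and INDEX granted only around installs and upgrades; the user, host and database names are placeholders.

```php
<?php
// Added example, not whitepaper or WordPress code. Parses SHOW GRANTS output
// for the blog's database account and flags anything it should not hold.
// Assumption: runtime needs only SELECT/INSERT/UPDATE/DELETE on the blog's own
// database; CREATE/ALTER/DROP/INDEX only while installing or upgrading.

const WP_RUNTIME_PRIVS = ['SELECT', 'INSERT', 'UPDATE', 'DELETE'];
const WP_UPGRADE_PRIVS = ['CREATE', 'ALTER', 'DROP', 'INDEX'];
// Server-wide privileges that never belong to a web application account.
const DANGEROUS_PRIVS  = ['ALL PRIVILEGES', 'SUPER', 'FILE', 'PROCESS',
                          'SHUTDOWN', 'RELOAD', 'CREATE USER'];

/** Parse one SHOW GRANTS line into its privilege list, scope and grant option. */
function parse_grant_line(string $line): ?array
{
    if (!preg_match('/^GRANT\s+(.+?)\s+ON\s+(\S+)\s+TO\s+/i', $line, $m)) {
        return null;
    }
    return [
        'privs'        => array_map('trim', explode(',', strtoupper($m[1]))),
        'scope'        => str_replace('`', '', $m[2]),
        'grant_option' => (bool) preg_match('/WITH GRANT OPTION/i', $line),
    ];
}

/**
 * Audit SHOW GRANTS output for the WordPress account. Returns a list of
 * findings; an empty list means the account is scoped to its own database
 * with runtime (and at most upgrade) privileges only.
 */
function audit_wp_grants(array $grantLines, string $wpDb): array
{
    $findings = [];
    foreach ($grantLines as $line) {
        $g = parse_grant_line($line);
        // "GRANT USAGE ON *.*" is MySQL's way of saying "no privileges": harmless.
        if ($g === null || $g['privs'] === ['USAGE']) {
            continue;
        }
        if ($g['scope'] === '*.*') {
            $findings[] = 'global grant on *.*: ' . implode(', ', $g['privs']);
        } elseif ($g['scope'] !== "$wpDb.*") {
            $findings[] = "grant outside the WordPress database: {$g['scope']}";
        }
        foreach (array_intersect($g['privs'], DANGEROUS_PRIVS) as $p) {
            $findings[] = "dangerous privilege {$p} on {$g['scope']}";
        }
        if ($g['grant_option']) {
            $findings[] = "WITH GRANT OPTION on {$g['scope']}";
        }
        $unneeded = array_diff($g['privs'], WP_RUNTIME_PRIVS, WP_UPGRADE_PRIVS,
                               DANGEROUS_PRIVS, ['USAGE']);
        foreach ($unneeded as $p) {
            $findings[] = "privilege WordPress does not need: {$p} on {$g['scope']}";
        }
    }
    return $findings;
}

/** The statements that produce a least-privilege account for $wpDb (placeholder names). */
function least_privilege_sql(string $wpDb, string $user, string $host): array
{
    return [
        "CREATE USER '{$user}'@'{$host}' IDENTIFIED BY '<strong password here>';",
        'GRANT ' . implode(', ', WP_RUNTIME_PRIVS) . " ON `{$wpDb}`.* TO '{$user}'@'{$host}';",
        '-- only while installing or upgrading, then REVOKE again:',
        'GRANT ' . implode(', ', WP_UPGRADE_PRIVS) . " ON `{$wpDb}`.* TO '{$user}'@'{$host}';",
    ];
}

// Constructed sample SHOW GRANTS output: a quick "GRANT ALL" install versus
// the tightened account.
$quickInstall = ["GRANT ALL PRIVILEGES ON *.* TO 'wp'@'localhost' WITH GRANT OPTION"];
$tightened    = [
    "GRANT USAGE ON *.* TO 'wp'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `wordpress`.* TO 'wp'@'localhost'",
];

foreach (['quick install' => $quickInstall, 'tightened' => $tightened] as $label => $lines) {
    $findings = audit_wp_grants($lines, 'wordpress');
    echo "$label: " . ($findings ? implode('; ', $findings) : 'OK') . "\n";
}
echo implode("\n", least_privilege_sql('wordpress', 'wp', 'localhost')) . "\n";
```

Run it against the real output of `SHOW GRANTS FOR 'youruser'@'yourhost'` to see whether an install guide's "GRANT ALL" is still in place; the audit reports the global grant, the ALL PRIVILEGES entry and the WITH GRANT OPTION separately so each can be revoked on its own.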
Since WordPress doesn’t support SSL out of the box, maybe that’s not surprising. But I think that I’ve seen some rumblings about supporting SSL in a future version.
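For the password-enumeration point in the list, the following added example (not WordPress core code) puts the objectionable login check beside a version that answers every failure the same way. It assumes an in-memory user table hashed with password_hash() in place of wp_users, and the usernames and passwords in it are constructed.

```php
<?php
// Added example, not WordPress core code. Assumption: an in-memory user table
// hashed with password_hash() stands in for wp_users. Both functions take the
// same inputs so the two behaviours can be compared side by side.

/** Constructed sample user table (one account, hashed at script start). */
function sample_users(): array
{
    return ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
}

/**
 * The behaviour objected to above: a different message for "no such user"
 * and "wrong password", which lets a caller confirm valid usernames one
 * request at a time before ever guessing a password.
 */
function login_leaky(array $users, string $username, string $password): array
{
    if (!isset($users[$username])) {
        return ['ok' => false, 'error' => 'Error: Wrong username.'];
    }
    if (!password_verify($password, $users[$username])) {
        return ['ok' => false, 'error' => 'Error: Incorrect password.'];
    }
    return ['ok' => true, 'error' => null];
}

/**
 * The fix: one message for every failure. The hash is verified even for an
 * unknown user (against a dummy hash of the same cost) so that response time
 * does not become the new oracle, and the real reason goes to the server log,
 * where an intrusion-detection plugin can act on it, rather than to the client.
 */
function login_uniform(array $users, string $username, string $password): array
{
    static $dummyHash = null;
    $dummyHash ??= password_hash('dummy-never-matches', PASSWORD_DEFAULT);

    $known    = isset($users[$username]);
    $verified = password_verify($password, $known ? $users[$username] : $dummyHash);

    if ($known && $verified) {
        return ['ok' => true, 'error' => null];
    }
    error_log(sprintf('login failure for %s: %s',
        $username, $known ? 'bad password' : 'unknown user'));
    return ['ok' => false, 'error' => 'Error: Invalid username or password.'];
}

// Constructed attempts: unknown user, known user with wrong password, success.
$users = sample_users();
foreach ([['bob', 'x'], ['alice', 'wrong'], ['alice', 'correct horse battery staple']] as [$u, $p]) {
    printf("%-6s leaky: %-27s uniform: %s\n", $u,
        login_leaky($users, $u, $p)['error'] ?? 'login ok',
        login_uniform($users, $u, $p)['error'] ?? 'login ok');
}
```

The same rule applies to any other form that looks up a username, such as a password-reset page: the client gets one generic response, and the distinction between "unknown user" and "bad password" lives only in the server log.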
Despite being a little light, I think work like this is important and useful. I’m hoping that the authors will take the constructive criticisms to heart and use them to update their paper, making it better and more thorough.