Over on BlogSecurity, there’s a whitepaper on How to create a secure WordPress install. It covers several areas, including MySQL setup, WordPress user configuration, Apache protection of directories, and some useful plugins. I’ve glanced over it, and I have mixed feelings. Here’s a quick list of notes, off the top of my head:
Pros:
- There is detailed information about granting the minimum privileges necessary for the MySQL login. This is a good idea that many people probably don’t think about.
- Creating a less privileged WordPress account for posting, separate from your blog admin login, is also a good suggestion.
- The notes on password enumeration are important. I didn’t even realize that we were giving different error messages depending on whether the username or password was incorrect. This is a definite no-no, and something that we should correct in the WordPress core.
- For folks using Apache, and who can create .htaccess files, there is a good section on limiting access to wp-includes, wp-content, and wp-admin.
- The WPIDS plugin sounds useful. This plugin will try to detect certain types of potentially harmful activity, log it, and possibly block further attempts.
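The least-privilege MySQL login from the first point above, as an added example that is not from the whitepaper or this post; the database name, account names, host and placeholder passwords are assumptions.

```sql
-- Added example: a least-privilege MySQL setup for a WordPress database.
-- wp_db, wp_app, wp_schema, 'localhost' and the passwords are assumed values.

-- The over-broad grant many tutorials hand out: the web application can read,
-- alter and drop every database on the server and hand out privileges itself.
-- GRANT ALL PRIVILEGES ON *.* TO 'wp_app'@'localhost' WITH GRANT OPTION;

CREATE DATABASE wp_db;

-- Day-to-day login referenced from wp-config.php: scoped to one database and
-- one source host, with data-manipulation rights only.
CREATE USER 'wp_app'@'localhost' IDENTIFIED BY 'CHANGE-ME-app-placeholder';
GRANT SELECT, INSERT, UPDATE, DELETE
    ON wp_db.* TO 'wp_app'@'localhost';

-- Schema changes (initial install, core or plugin upgrades that add tables or
-- columns) need DDL rights. Keep those on a separate account that is used only
-- while installing or upgrading, so a compromised web login cannot DROP tables.
CREATE USER 'wp_schema'@'localhost' IDENTIFIED BY 'CHANGE-ME-schema-placeholder';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, INDEX, DROP
    ON wp_db.* TO 'wp_schema'@'localhost';

-- Verify what the application login can actually do; the output should list
-- only the DML rights on wp_db and nothing at server scope.
SHOW GRANTS FOR 'wp_app'@'localhost';
```

With only the DML account in wp-config.php, an in-browser upgrade that needs schema changes will fail at the database step; point DB_USER at the schema account for the duration of the upgrade and switch it back afterwards.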
Cons:
- There is a lot of space spent talking about changing the table prefix. This security-by-obscurity is probably going to be useless. If an attacker reaches the point that they can access your tables by name, then they’re most likely going to be able to figure out the names of the tables.
- The section about restricting admin access by IP should probably be more detailed, and make it more clear that it is for advanced users, and probably not applicable for most users.
- There is a section about using the WordPress Plugin Tracker to make sure that your plugins are up-to-date. As of WordPress 2.3, there is built-in plugin version tracking, which isn’t mentioned in the paper. Granted, there are limitations (the plugin must be hosted in the wp-plugins.org repository), but I expect it to become more flexible in the future.
- There is no mention of using SSL (https://...) for logins and admin functions. Since WordPress doesn’t support SSL out of the box, maybe that’s not surprising. But I think that I’ve seen some rumblings about supporting SSL in a future version. As of version 2.6, there has been support for SSL for logins and administration in WordPress.
Despite being a little light, I think work like this is important and useful. I’m hoping that the authors will take the constructive criticisms to heart and use it to update their paper, making it better and more thorough.