If you’ve been paying attention to recent tech news, you’re well aware of the security attacks over the past few weeks. Most notably, there was the massive botnet with over 90,000 IP addresses running systemized attacks on WordPress sites across all hosts. Basically, the botnet is brute forcing its way into WordPress sites with common usernames (like “admin”).
The botnet is not set up to exploit a vulnerability inherent to WordPress Core (those are hard to find these days). It’s exploiting weak passwords and username combinations. WordPress Core is remarkably secure, particularly for an application with more than 70 million installations. With that volume of installations, it makes sense that some of the user-selected usernames and passwords might be a weak link.
With all these issues going on, we think now is a great time to do a series of blog posts on security. We’ll cover some of the foundations of good security, and illustrate how they apply to the end user and to developers. We’ll also hear from some noted WordPress security experts to learn how they approach securing WordPress.
The goal is to educate and have a dialogue about security best practices that are applicable, regardless of whether you are hosted with WP Engine or another provider.
Some of the best practices we’ll cover include the following topics:
- Staying on top of core updates (using this plugin can help)
- Being proactive about plugin and theme updates
- Knowing the code that’s running on your site
- Enforcing strong passwords – WP Engine does this for our customers
- Blocking and logging pending attacks – Also done by our systems
- Separating customer sites via filesystem roots – Shared hosting companies often do not do this
- Isolating database access – They also may not do this either
- In-house vulnerability scanning performed quarterly
- Contracting with 3rd Party providers for remediation as well as auditing
On the topic of recent security attacks, it’s worth noting that WP Engine has seen very little impact from the botnet due to our high additional security measures on all accounts.
Security Measures WP Engine Employs Include:
- Forcing of strong and secure passwords (this plugin works on the admin and password reset fields)
- Limit of login attempts (plugin)
- By default, we don’t create “admin” usernames on our installs
What else goes into maintaining high security for WordPress?
Well, a lot of things. There’s never any one step to setting up a secure system.
Managed WordPress hosts like WP Engine have been able to learn from hosting demanding, large-scale websites. We’ve been able to pass this experience down to our customers at all account sizes and types. In the coming posts, we’ll share many of these security best practices with you all.
I had just switched to WP Engine about a week before the botnet dropped, and since I was on WPE, my mind was at ease. 😛
Very much looking forward to the series on security.
I believe that security does not have to make life more difficult. It might be of interest that we have recently published a plugin for strong authentication. It prefers usability to security so you can either login with a password or with one-time code.
If you’re on a secure network, you may want to use just your password but open your smart phone when connected through an insecure WiFi (cafe, train, …).
We tested it with a few smart phone apps: Google Authenticator, Pledge, DS3 OATH, AWToken so you don’t have to rely on Google completely.
Try to search for S-CRIB OTP Authenticator in the list of WordPress plugins or directly http://wordpress.org/extend/plugins/s-crib-otp-authentication/ .
Does that also mean blocking xmlrpc.php as well? We have been blocked for a day and your firewall seems to be coming up w/ new ways to block our own wpengine xml feed to our own site.
thank you so much for these security tips
I use the better wp security plugin on all my sites, but now that I’m on wpengine do I really need it if I’m doing what you suggest above?