Interview with Deutsche Welle on WordPress Security

I recently did a short interview with Deutsche Welle about WordPress security. Listen to it here.

To expand on the topic, here are some of the details that didn’t make it into the final cut of the interview:

If your blog is compromised, you should install the latest version of WordPress, but first you should remove your old files. This is to prevent a hacker from leaving a back door (something like wp-give-hacker-access-forever.php in your WordPress directory). Just dropping the new version over the old version wouldn’t remove a new file that a hacker may have added, which is the reason for getting rid of the old files. Once you’ve done that (being careful to back up your wp-config.php and all your wp-content files), upload a clean install of WordPress. Restore your custom files. Next, look for any user accounts that weren’t there before, or that have higher access than they should. Sort that out. And lastly, scan through your theme/plugin files (the ones you restored from your backup) looking for backdoors or hidden links. This is mostly a manual process, but there are some common things to look for. Most backdoors use the eval() function, so be on the lookout for that!
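The last step above, scanning theme and plugin files for eval() calls and hidden links, is easy to get a first pass on with a script. The following is an added example, not code from this post or from WordPress: it walks a directory and lists every line matching eval() (the indicator named above) plus a few assumed extra patterns that are common in obfuscated PHP and injected spam links. It runs against a constructed throwaway tree, and every hit is a lead for manual review rather than proof of compromise, since some legitimate plugins use eval() and base64_decode() too.

```python
"""Triage scan of a WordPress tree for common backdoor indicators.

Added example (not code from the original post). Walks a directory and
reports lines matching eval(), the indicator the post names, plus a few
assumed extra patterns that often appear in obfuscated PHP and injected
hidden links. Hits are leads for manual review, not proof of compromise.
"""
import os
import re
import shutil
import tempfile

# Indicator name -> regex. eval() is from the post; the rest are assumptions.
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "gzinflate": re.compile(r"\bgzinflate\s*\("),
    "exec_call": re.compile(r"\b(?:shell_exec|passthru|system|proc_open)\s*\("),
    # A link inside an element hidden with display:none (either order on the line).
    "hidden_link": re.compile(
        r"display\s*:\s*none.*<a\s[^>]*href=|<a\s[^>]*href=.*display\s*:\s*none", re.I),
}

# Only text files WordPress would serve or execute; skip images and archives.
SCAN_EXTENSIONS = {".php", ".phtml", ".inc", ".html", ".htm", ".js"}


def scan_file(path):
    """Return [(line_number, indicator_name), ...] for one file."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, start=1):
            for name, pattern in INDICATORS.items():
                if pattern.search(line):
                    hits.append((lineno, name))
    return hits


def scan_tree(root):
    """Walk root and return {relative_path: hits} for files with at least one hit."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if os.path.splitext(fname)[1].lower() not in SCAN_EXTENSIONS:
                continue
            full = os.path.join(dirpath, fname)
            hits = scan_file(full)
            if hits:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                report[rel] = hits
    return report


def build_demo_tree():
    """Create a constructed, throwaway WordPress-like tree (not a real site)."""
    root = tempfile.mkdtemp(prefix="wp-scan-demo-")
    os.makedirs(os.path.join(root, "wp-content", "themes", "demo"))
    samples = {
        # Clean theme file: ordinary WordPress-style PHP, nothing to flag.
        "wp-content/themes/demo/functions.php":
            "<?php\nadd_action('init', 'demo_setup');\nfunction demo_setup() {}\n",
        # Constructed backdoor-style file; the file name is the post's own example.
        "wp-give-hacker-access-forever.php":
            "<?php\n$payload = 'CONSTRUCTED-SAMPLE';\neval(base64_decode($payload));\n",
        # Constructed theme footer with an injected hidden link.
        "wp-content/themes/demo/footer.php":
            "<footer>\n<div style=\"display:none\">"
            "<a href=\"http://example.invalid/\">constructed spam link</a></div>\n</footer>\n",
    }
    for rel, content in samples.items():
        with open(os.path.join(root, *rel.split("/")), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def demo():
    """Build the sample tree, scan it, clean up, and return the report."""
    root = build_demo_tree()
    try:
        return scan_tree(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        for lineno, name in hits:
            print(f"{path}:{lineno}: {name}")
```

Point `scan_tree()` at a real WordPress root to get a `path:line: indicator` list to work through by hand; the clean functions.php in the sample tree produces no entry, which is the behaviour you want on a healthy install.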

The best way to keep your blog safe is to stay updated with the latest WordPress version! We’ve tried to make it as easy as possible to update (one-click!), and we have big plans for making it even easier in the future.

I’ve never had one of my WordPress blogs compromised, and I don’t do anything “fancy.” I just stay updated.

Reminder: if you’re using WordPress.com or another “hosted” blog solution, they take care of security updates for you. The only thing you need to worry about is choosing an unguessable, complex password.

23 thoughts on “Interview with Deutsche Welle on WordPress Security”

  1. When you say:

    “We’ve tried to make it as easy as possible to update (one-click!), and we have big plans for making it even easier in the future.”

    Are you guys planning on making WordPress update itself? I can’t think of anything that should make updating even easier!

    • WordPress has been able to update itself since version 2.7! One of the improvements we’d like to make is unified core/plugin updating, including advisement about incompatible plugins.

    • Okay Mark, that’s not really what I meant to say. I was suggesting an automatic (no clicks required) updating function. Of course, I use (and love!) the automatic update functionality that is provided now.

      On the updating plans and advisement about incompatible plugins: can’t wait, it sounds good!

    • I think we’re going to leave automatic updating to plugins for now, at least until we have a system set up to gather user data on plugin compatibility. Upgrading someone automatically and breaking their blog is going to make them really angry at us.

  2. I can only add one great plugin, “WordPress File Monitor”, that has already saved my bacon once! It simply scans your WP files’ time stamps and notifies you via email and in the dashboard when any changes are made to files.

    You learn very quickly about a hack and exactly which files were compromised – beats manually checking your plugin files in my book 🙂

    It is very configurable and allows exclusions for commonly modified files such as error_log, etc. I recently wrote about it among a few others that work great for an overall WordPress security approach.

    Cheers!
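
The file-monitoring idea in the comment above, as an added example that is not the plugin’s code or any WordPress code: it takes a baseline of a directory and later reports files that were added, removed or modified, with an exclusion list for files that legitimately churn (error_log is the comment’s own example). One design choice differs from the plugin described: it records a SHA-256 per file rather than a time stamp, so a change is still caught if the modification time is reset. The tree it runs against is constructed in a temporary directory; the paths and hash size are assumptions.

```python
"""File-integrity baseline for a WordPress tree.

Added example, not the plugin the comment describes or any WordPress code.
Records a SHA-256 per non-excluded file, then diffs a later manifest
against the baseline to list added, removed and modified files.
"""
import hashlib
import os
import shutil
import tempfile
from fnmatch import fnmatch

# Glob patterns matched against the relative path and the bare file name.
DEFAULT_EXCLUDES = ("error_log", "*.log", "wp-content/cache/*")


def build_manifest(root, excludes=DEFAULT_EXCLUDES):
    """Return {relative_path: sha256_hex} for every non-excluded file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if any(fnmatch(rel, pat) or fnmatch(fname, pat) for pat in excludes):
                continue
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Compare two manifests; each list is sorted so reports are stable."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def _write(root, rel, content):
    """Helper for the demo: write a text file, creating parent directories."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(content)


def demo():
    """Take a baseline of a constructed tree, change it, and return the diff."""
    root = tempfile.mkdtemp(prefix="wp-fim-demo-")
    try:
        _write(root, "wp-config.php", "<?php define('DB_NAME', 'constructed');\n")
        _write(root, "wp-content/themes/demo/header.php", "<html>\n")
        _write(root, "wp-content/plugins/old-plugin.php", "<?php // constructed plugin\n")
        _write(root, "error_log", "PHP Notice: constructed entry 1\n")
        baseline = build_manifest(root)

        # Changes of the kind a monitor should report ...
        _write(root, "wp-content/themes/demo/header.php",
               "<html>\n<!-- constructed injected line -->\n")
        _write(root, "wp-content/uploads/wp-give-hacker-access-forever.php",
               "<?php // constructed sample file\n")
        os.remove(os.path.join(root, "wp-content", "plugins", "old-plugin.php"))
        # ... and routine churn that the exclusion list should hide.
        _write(root, "error_log", "PHP Notice: constructed entry 2\n")

        return diff_manifests(baseline, build_manifest(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In practice you would store the baseline manifest somewhere the web server cannot write to, and rebuild it deliberately after each update you perform yourself, so that the only unexplained diffs are the ones worth investigating.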

  3. Steve Bank says:

    My issue with this being the standard response is the number of knock-on effects updating WordPress has on systems working side by side.

    Generally speaking, themes/plugins/bbPress/forums etc. all get updated after WordPress, and generally there is some time delay between a WordPress update and updates of those systems that connect to it.

    If you take bbPress for example, one of Automattic’s products no less, we went through 4 versions of WordPress before a bbPress release came out that worked with WordPress (and that release went through 8 days of alpha testing and No beta testing of the bug fixes). This left us with the dilemma of upgrading versus taking down the website.

    For me, and I might be alone on this, the biggest issue I have with “you should install the latest version of WordPress” is that it doesn’t take into account older versions of WordPress that are working fine.

    I have 3 websites that run on WP2.5. The sheer amount of work required to upgrade these to WP2.8 and all the coding changes makes it not worth it, but the flip side of it is, I’ve no idea how ‘safe’ WP2.5 is because only the latest point release gets patched.

    WordPress is wonderful, but look how many major updates we’ve had in the last 2 years, or more importantly the number of HUGE changes we’ve had to layout / functionality / coding; it becomes more and more of a chore to keep every site updated to the very latest version.

    • Although I agree it is a pain to keep up with the latest WP revision, you can take the step of backing up your WordPress install in case the latest revision does not work with your plugins and themes.

  4. Awesome interview Mark, thanks for sharing. I have been using Login Lockdown the past several years to stop hackers from performing brute force attacks on the wp-login screen.

    I have not been hacked yet which is always a good thing! I don’t think there is such a thing as too much security.
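
The login-lockdown mechanism mentioned in the comment above, as an added example that is not the Login Lockdown plugin’s code or any WordPress code: a per-client throttle that counts failed logins inside a sliding window and locks that client out for a fixed period once a threshold is reached. Time is passed in explicitly so the behaviour can be replayed without sleeping; the thresholds, the client key (a source IP here) and the address used are assumptions, not values from the plugin.

```python
"""Per-client failed-login throttle, the mechanism a lockdown plugin provides.

Added example, not the Login Lockdown plugin's code or any WordPress code.
Counts failed attempts per client inside a sliding window and locks that
client out for a fixed period once the threshold is hit. Defaults are
assumptions, not plugin settings.
"""
import time
from collections import defaultdict, deque


class LoginThrottle:
    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=3600):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)  # client -> timestamps of recent failures
        self._locked_until = {}              # client -> time the lockout expires

    def _prune(self, client, now):
        """Drop failures older than the window so stale attempts never add up."""
        recent = self._failures[client]
        while recent and now - recent[0] > self.window:
            recent.popleft()

    def is_locked(self, client, now=None):
        """True while the client's lockout is in force; expired lockouts are cleared."""
        now = time.time() if now is None else now
        until = self._locked_until.get(client)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[client]
            self._failures.pop(client, None)
            return False
        return True

    def record_failure(self, client, now=None):
        """Register a failed login; return True if the client is now locked out."""
        now = time.time() if now is None else now
        if self.is_locked(client, now):
            return True
        self._prune(client, now)
        self._failures[client].append(now)
        if len(self._failures[client]) >= self.max_failures:
            self._locked_until[client] = now + self.lockout
            return True
        return False

    def record_success(self, client, now=None):
        """A successful login clears the client's failure history."""
        self._failures.pop(client, None)

    def seconds_remaining(self, client, now=None):
        """How long the client stays locked out from 'now' (0 if not locked)."""
        now = time.time() if now is None else now
        return max(0, self._locked_until.get(client, now) - now)


def demo():
    """Replay a constructed timeline for one client and return what happened."""
    throttle = LoginThrottle()
    client = "192.0.2.10"  # constructed address from the documentation range
    timeline = []
    for t in range(5):  # five failures inside the window: the fifth locks the client
        timeline.append((t, "failure", throttle.record_failure(client, now=t)))
    timeline.append((60, "locked", throttle.is_locked(client, now=60)))
    timeline.append((4 + 3600, "locked", throttle.is_locked(client, now=4 + 3600)))
    return timeline


if __name__ == "__main__":
    for t, event, outcome in demo():
        print(f"t={t:>5}s {event}: {outcome}")
```

A throttle keyed on source address has two limits worth knowing before relying on it: everyone behind a shared NAT is locked out together, and attempts spread across many addresses are not counted together. It is a useful brake on the wp-login screen, not a replacement for the unguessable password the post recommends, and lockout events should be logged so repeated ones are noticed.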
