After maintaining my own self-hosted wordpress install for a while, and a few business ones prior, I’ve run in to some things that aren’t often discussed in the usual literature. Hopefully they will be useful to you.
Don’t install a lot of plugins
Almost everyone falls into this trap at first. I want this feature, oh look a plugin! But they become a nightmare after a while. You have to keep them updated, they get abandoned, many are sticking ads or promoting their pro version in your admin panel, some introduce very nasty security holes (see “wpscan” below), and if the situation gets really bad they start making your blog’s markup look like html-vomit.
In direct contravention of this point I’ll be suggesting some basic plugins along the way. All of these will be highly rated, fairly basic, single-task and fully-free. With a bit of luck, these will be all you need.
Keep everything up to date
Wordpress’ greatest vulnerability is the ease with which it’s neglected. It checks for updates on its own, but unlike a desktop application, it has no way to notify unless you visit it.
WP Updates Notifier will email you when plugins, themes or WordPress itself needs updating.
Use WPScan on yourself
WPScan is a well maintained and comprehensive tool for finding vulnerabilities and configuration problems with WordPress installs.
You can see an anonymized scan here. Most of the output is due to WPScan not being able to determine plugin versions, but the vulnerability listings should give you a good idea of why it’s important to keep things up to date.
Double-check your settings
- Don’t notify linked blogs: This one’s more of a personal preference than anything, I just don’t like peppering other people’s blogs with links to mine just because I mentioned them – this ain’t Facebook.
- Disallow pingbacks: The flip side of the above.
- Disable signup: Unless you’re expecting people to sign up to the site for some reason, it’s definitely worth disabling open signup.
Spam spam spam
No silly, I’m not encouraging you to spam. WordPress out of the box is incredibly susceptible to spam, primarily via comments. Here are some things you can do to curb it:
- Enable comment moderation: If you’re like me, you might prefer to hold any comments for approval just in case something nasty gets through.
- Enable comment notification: You want to be notified when someone posts a comment, in case they get past whatever you put in their way.
- Disable comments: This one’s a bit of a last-resort type thing, but it’s preferable to leaving them open if you don’t want to moderate.
- Put a captcha up for comments: I use WP-reCAPTCHA for this. It uses the modern check-mark type captcha from reCaptcha.
- Enable Akismet: Automattic run a network which aims to detect WordPress spam. You need to grab an API key, but it’s definitely worth it if you’d rather not use reCaptcha or disable comments entirely.
Don’t use “admin” as your username
Wordpress used to create a default user called “admin”, with admin level access of course, and thus just about any brute-forcing technique uses admin at the outset. Newer ones will enumerate blog users from the slug in your posts, but as always we’re just trying not to a piece of low-hanging fruit.
You can put a captcha on login, but I prefer to block IPs after a number of failed logins. Limit Login Attempts will do this with notifications too.
Use a basic theme
Some of the biggest messes come from interdependency between plugins and themes, particularly when they don’t update in unison. Use as basic a theme as you’re happy with, preferably without any dependencies on unrelated plugins and such.
Start out with a child theme
At some point there will undoubtedly be some minor annoyance with your theme, and you’ll wish you could sneak in a single line of css or just add one quick filter. You can’t do that to the theme directly, because it will all be gone after the next update. This is why WordPress has child themes. They’re basically a theme that inherits everything from the parent, but you can override anything you like by modifying the child theme. Very quick and easy to make, and you’ll thank yourself later.
Start out with the URL and scheme you intend to use long-term (and make it TLS!)
You’d think WordPress would be pretty flexible when it comes to domains and TLS vs unsecured, but you’d be wrong. Changing either after you’ve been up and running for a while is a huge pain in the ass. You’ll either be running half a dozen pretty scary queries against your DB or be dependent on a plugin rewriting your output for the life of your blog. Make sure you pick the right domain, decide on www vs no www, and get yourself a TLS certificate all in advance.
Install WordPress with least privilege and as isolated as possible
On shared hosting providers it’s very tempting to have everything run as the same user out of the same home directory and the like. Since WordPress is so highly targeted, it’s best to isolate it from your other websites and databases as much as possible.
I mean…duh. If a particularly nasty asshole finds his way into your install, he’s just as likely to wipe it clean as he is to install some driveby malware bullshit, and nothing’s worse than losing that post you just spent an hour of your life on, let alone all the rest. Backup often and keep them as far away from your install as possible.
Yeah this one probably is mentioned just about everywhere, but it’s really worth it. Simply, WordPress is a dog. Every request, no matter how vanilla, runs through thousands of lines of PHP before it gets to the browser. What’s best here is if you have a host that provides varnish and memcache or something along those lines to take the load off your install. If you don’t have such a host, there are a couple of very popular plugins that can get you some of the way there: W3 Total Cache and WP Super Cache, but I really wouldn’t recomment either.
Sort out your email
By default, WordPress’ email functionality is (notoriously?) extremely limited. This is primarily because Automattic expects your host to configure the way outgoing email is sent through PHP, and not through WordPress itself, which seems a little self-defeating to me. You’ll find that shared hosting providers (often managed hosting providers also) typically don’t configure email settings for your account so they can more readily keep track of what you’re sending with authenticated means. Unfortunately, this all means that your email is likely to be of very poor deliverability out of the gate, and plugins will once again need to come to the rescue. WP Mail SMTP is by far the most widely deployed SMTP plugin for WordPress and should have you up and running with a host, username and password in no time. I recommend mail-tester.com for testing the deliverability of your emails once configured.
Beware the plugin repository
Plugins are surely one of WordPress’ biggest selling points, but much like Google Play and Microsoft’s App Store, can harbor some pretty nasty shit. What’s worse, the plugin repo doesn’t seem employ any kind of reasonable search result ordering, nor does it allow filtering or sorting beyond the basic search term. Be very careful that any plugin you install has a good rating (across many actual ratings) and a large install base. There’s also a quite a number of freemium type plugins in there that offer basic or crippled functionality and constantly prompt you to upgrade.
Use PressThis for linking
If you post links to your blog, a great tool somewhat inconspicuously located under the Tools menu (which otherwise has basically nothing of interest in it) is brilliant. It’s a bookmarklet that will pop up a compose window pre-populated with some content (at least a link, and maybe the content of the description meta tag and maybe some images) from whatever page you were on, making posting links real fast.
Use the WordPress Codex
When searching on WordPress issues, it’s tempting to click articles that specifically describe your issue, but the Codex will almost always give you a far fuller understanding if the topic you’re searching on, and you’re more than likely to learn something entirely new along the way. The Hardening WordPress guide is a great example.
Security is of paramount concern
I think it’s reflected fairly well in this post that security is an important consideration when running wordpress, if for no other reason than it’s such a popular target. Consider reading the Codex’s Hardening WordPress article, and OWASP’s WordPress Security Implementation Guide. Some of the more paranoid security precautions might include:
- Disabling file editing by adding
define('DISALLOW_FILE_EDIT',true);to wp-config.php. If an attacker gains access to your admin panel, they don’t be able to edit any files that are part of your plugins, themes or WordPress itself.
- Move your wp-config.php out of the web root. WordPress will look for wp-config.php in ../ if it can’t find it in the web root, and this will prevent your config (and secrets) from being exposed if your host ever accidentally disables PHP.
- Delete readme.html and wp-admin/install.php. readme.html exposes your WordPress version publicly, and wp-admin/install.php should never be needed again beyond the initial install, and could be found to be vulnerable in the future.
- Add index files to directories you wouldn’t want to display indexes for (primarily plugins, uploads, themes etc) so that no one can peek in there if indexes are ever accidentlly enabled on your server.
define('FORCE_SSL_ADMIN', true);to wp-config.php to ensure admin is always accessed securely (assuming you have TLS enabled).
- Choose a random SQL table prefix (
$table_prefixin wp-config.php) so that anyone who finds SQL injection vulnerabilities in your installation will also need to determine table names before they can exploit them.