Being one of the most widely-deployed blogging engines around, it’s no surprise that WordPress holds the interests of a wide audience. Unfortunately, not everyone is out to become the next rockstar blogger or tech pundit; the sad truth is that many WordPress installations exist simply to generate revenue through AdSense or other advertising platforms, and many of the “readers” are either just search engine spiders being duped into indexing duplicate content cleverly disguised as something new, or hackers and spammers trying to piggy-back off hard work for a quick buck. There are plenty of ways that this can happen, but today we’ll go over a bit about what you can do to keep your blogs safe.
The most important thing you can do for WordPress security is to keep your blog updated. If you keep up with WordPress at all, you’ve probably heard this advice plenty of times, but it’s worth repeating because it’s such a simple and effective step in protecting your blogs. WordPress.org even offers a release notification mailing list that will let you know when an update is available. We highly recommend signing up for this and updating all of your blogs within 24 hours of an update, preferably sooner. WordPress is so heavily-used that within minutes of a security vulnerability being disclosed, exploits that can compromise your entire site are generally available to anyone who cares to look enough. Over the next few hours, security researchers and other less-polite users will work to release updates to popular exploit software that can take control of now-out-of-date WordPress installations with very little work.
Updating WordPress is covered in enough places that I’ll spare you the details here, but it’s typically a “just click next and wait a minute” procedure. Our WordPress Optimized Blog Platform plans even support completely web-based updates for WordPress, so mucking about with FTPing files here and there isn’t typically required (but if you’re into that type of thing, we can hook you up with SSH access and get you on subversion-powered updates to really make updates a breeze… just ask!). If you follow all of the instructions in the official WordPress documentation, there is very little chance of something breaking (and we’re here to help if it does).
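If you run more than one blog, the hard part of “update everything within 24 hours” is knowing which installs are behind. The script below is an added example, not code from the original post or from WordPress: it reads the `$wp_version` value that WordPress core stores in `wp-includes/version.php` under each install root, compares it numerically against the release you consider current (the one named in the update-notification e-mail), and flags anything older or unreadable. The install roots, the required version, and the sample installs it builds in a temporary directory are all constructed inputs.

```python
"""
Inventory check for WordPress installations (added example, not from the
original post). For each install root it reads the version string WordPress
core keeps in wp-includes/version.php and reports installs older than the
version passed as `required`.
"""
import os
import re
import tempfile

# Matches the line WordPress core ships, e.g.  $wp_version = '6.4.2';
_VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")


def parse_version(text):
    """Return the $wp_version string from version.php content, or None if absent."""
    m = _VERSION_RE.search(text)
    return m.group(1) if m else None


def version_tuple(v):
    """Turn '6.4.2' into a tuple so comparisons are numeric, not lexical.
    A pre-release suffix such as '6.5-beta1' is split off; the numeric part is
    kept and the pre-release sorts before the matching final release."""
    core, _, suffix = v.partition("-")
    parts = tuple(int(p) for p in core.split("."))
    parts = parts + (0,) * (3 - len(parts))   # pad so '6.4' == '6.4.0'
    return parts + ((0,) if suffix else (1,))  # final release beats beta/RC


def audit_installs(roots, required):
    """Return a list of (root, installed_version, needs_update).
    needs_update is True when the install is older than `required` or when
    version.php is missing or unreadable (unknown is treated as needing attention)."""
    report = []
    req = version_tuple(required)
    for root in roots:
        path = os.path.join(root, "wp-includes", "version.php")
        try:
            with open(path, encoding="utf-8") as fh:
                installed = parse_version(fh.read())
        except OSError:
            installed = None
        needs_update = installed is None or version_tuple(installed) < req
        report.append((root, installed, needs_update))
    return report


def demo():
    """Build a few constructed install roots in a temp dir and audit them.
    Version numbers here are sample values, not a statement about any release."""
    base = tempfile.mkdtemp(prefix="wp-audit-")
    samples = {"blog-a": "6.4.2", "blog-b": "6.3", "blog-c": "6.5-beta1"}
    for name, ver in samples.items():
        inc = os.path.join(base, name, "wp-includes")
        os.makedirs(inc)
        with open(os.path.join(inc, "version.php"), "w", encoding="utf-8") as fh:
            # constructed stand-in for the real file; only $wp_version matters here
            fh.write(f"<?php\n$wp_version = '{ver}';\n")
    os.makedirs(os.path.join(base, "blog-d"))  # install with no version.php at all
    roots = [os.path.join(base, n) for n in ("blog-a", "blog-b", "blog-c", "blog-d")]
    return audit_installs(roots, required="6.4.2")


if __name__ == "__main__":
    for root, installed, stale in demo():
        status = "UPDATE NEEDED" if stale else "ok"
        print(f"{os.path.basename(root)}: {installed or 'unknown'} -> {status}")
```

Point `audit_installs` at your real document roots (for example the output of a `find` for `wp-includes/version.php`) and run it from cron; an install that reports `unknown` deserves a look just as much as an old one, since a missing or rewritten core file is itself a sign something is off.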
Another really good idea is to follow the CVE (Common Vulnerabilities and Exposures) updates for WordPress. In their words, “Common Vulnerabilities and Exposures (CVE) is a list or dictionary that provides common names for publicly known information security vulnerabilities and exposures.” The NVD (National Vulnerability Database) is also a great resource for keeping up with WordPress security. You can find information on the latest WordPress security issues in the NVD just by searching it, but to a casual user this information can be pretty overwhelming and hard to parse, so we’d recommend that you stick to the WordPress update notification mailing list unless you’re a developer (or really curious).
There are a few “WordPress security” plugins available that may help to some extent; we haven’t evaluated any of them, but in theory they could provide some solid reactive protection against unknown vulnerabilities. CloudFlare has security features built in that primarily protect against things like DDoS attacks, but also block common attack patterns (SQL injection, XSS, etc.). We also use web application firewalls for all of our services; these provide some degree of protection against exploits of all types, but they can’t and don’t catch everything.
All of these tools and services can be combined in many different ways to meet your individual security needs and protect your sites and visitors. If you have any additional questions about WordPress security or our platform/services in general, please don’t hesitate to contact us!