Copywriter Michel Fortin tells a harrowing tale of how his blog was compromised and subsequently blacklisted by Google. This comes on the heels of the highly publicized attack on Al Gore’s web site.
Unfortunately the details on what exactly happened with Fortin’s and Gore’s blogs are scant. But here are some general guidelines for keeping your WordPress blog safe.
Update to the latest secure version
No software is free from bugs and security holes. Make sure that you are running the latest secure version. For WordPress – as of this writing – that means versions 2.3.1, 2.2.3 or 2.0.11.
Since WordPress gives plug-ins and themes full access to your blog, you also need to keep your plug-ins up to date. With the latest 2.3 series of WordPress you are notified in the admin screen when new versions of the plug-ins you have installed are released.
Only download and install trusted code
Just like you shouldn’t click on email attachments coming from people you don’t trust, you shouldn’t install software on your blog from untrusted sources. Only download code from the authors’ web site.
Since WordPress and most themes and plug-ins are released as open source, anyone can modify the code with malicious intent and offer the tampered version for download to unsuspecting web surfers.
Don’t be the guinea pig for the latest plug-ins. Take a cautious approach and wait until you see a plug-in being used by many other trusted bloggers.
Ad networks pose another problem if you don’t have control over who is allowed to advertise on your site. Google applies the guilt-by-association principle: if you are advertising for a site that has badware on it, your site may be blacklisted too.
Write-protect your themes directory
There appears to be an exploit going around that modifies installed WordPress themes to add spam links or malicious iframes. One way to make this exploit more difficult is to change the file permissions of your WordPress themes directory to 755. The drawback is that you will now have to FTP modified files to your web server each time you want to make changes to your theme.
Unfortunately you cannot apply the same write protection to the plug-ins directory, since many plug-ins write data to the directory where they are installed.
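Here is an added example (not from the original post) of what "write-protecting the themes directory" looks like when scripted: it reports anything under the themes tree that group or world can write to, then sets 755 on directories and 644 on the files inside them so that only the owning account (the one you FTP as) keeps write access. It assumes the web server's PHP process runs as a different user than the file owner; if they are the same user, 755 does not stop code running inside WordPress from writing to the theme files. The `demo()` function builds a constructed theme tree in a temporary directory rather than touching a real install; point `find_writable()` and `harden()` at your own `wp-content/themes` path to use it for real.

```python
import os
import stat
import tempfile

# Target modes from the post: 755 for directories, 644 for the files inside them.
DIR_MODE = 0o755
FILE_MODE = 0o644
WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def _entries(themes_dir):
    """Yield (path, is_dir) for the themes directory and everything below it."""
    yield themes_dir, True
    for root, dirs, files in os.walk(themes_dir):
        for d in dirs:
            yield os.path.join(root, d), True
        for f in files:
            yield os.path.join(root, f), False


def find_writable(themes_dir):
    """Return paths under themes_dir that group or world can write to."""
    found = []
    for path, _ in _entries(themes_dir):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # a symlink's own mode bits are meaningless; skip it
        if stat.S_IMODE(st.st_mode) & WRITABLE_BY_OTHERS:
            found.append(path)
    return sorted(found)


def harden(themes_dir):
    """Set 755 on directories and 644 on files; return the paths that changed."""
    changed = []
    for path, is_dir in _entries(themes_dir):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # never chmod through a symlink that may point outside the tree
        want = DIR_MODE if is_dir else FILE_MODE
        if stat.S_IMODE(st.st_mode) != want:
            os.chmod(path, want)
            changed.append(path)
    return sorted(changed)


def demo():
    """Build a constructed theme tree with bad permissions, harden it, and
    return (writable_before, changed, writable_after) relative to the temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        themes = os.path.join(tmp, "themes")
        theme = os.path.join(themes, "mytheme")
        os.makedirs(theme)
        header = os.path.join(theme, "header.php")
        with open(header, "w") as fh:
            fh.write("<?php // constructed sample theme file ?>\n")
        os.chmod(theme, 0o755)   # already correct, should be left alone
        os.chmod(themes, 0o777)  # constructed bad state: world-writable directory
        os.chmod(header, 0o666)  # constructed bad state: world-writable file
        before = [os.path.relpath(p, tmp) for p in find_writable(themes)]
        changed = [os.path.relpath(p, tmp) for p in harden(themes)]
        after = [os.path.relpath(p, tmp) for p in find_writable(themes)]
    return before, changed, after


if __name__ == "__main__":
    before, changed, after = demo()
    print("writable by others before:", before)
    print("changed:", changed)
    print("writable by others after:", after)
```

Run `find_writable()` on its own from a cron job or before each theme edit: an empty result is what you want to see, and a theme file that has become writable again (or whose contents changed when you did not upload anything) is the signal to go and look at the HTML the theme is producing.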
Use strong passwords
This is an obvious good security practice, but too often forgotten. Make sure all your passwords are strong: your admin account, the FTP account and any other WordPress accounts that have any edit privileges.
There are numerous articles online about selecting good passwords so I won’t repeat that information here. Just make sure that you follow the advice in these articles and don’t copy the actual passwords they list.
View the HTML source of your site often
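Checking the source by eye does not scale once a theme has a few hundred lines of markup, so here is an added example (not part of the original post) that automates the check: it parses a page's HTML and reports every iframe and every link to a host other than your own, flagging the ones that sit inside hidden elements or are sized to zero, which is how injected spam links and iframes usually stay out of sight. The sample markup, the hostnames `example.com` (standing in for your own blog) and `example.net`, and the helper names are all constructed for this example; feed `audit()` the saved source of your own front page instead.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a tampered footer: one legitimate internal link, one
# spam link inside a hidden div, and a zero-size hidden iframe.
SAMPLE_HTML = """<html><body>
<p>Welcome to my blog</p>
<a href="http://example.com/about/">About</a>
<div style="display:none"><a href="http://example.net/pharmacy/">cheap pills</a></div>
<iframe src="http://example.net/x.html" width="0" height="0" style="visibility:hidden"></iframe>
</body></html>"""

HIDING_STYLES = ("display:none", "visibility:hidden")
VOID_TAGS = {"br", "img", "input", "meta", "link", "hr"}  # never get a closing tag


def _hidden(attrs):
    """True if this element hides itself via CSS or a zero width/height."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if any(h in style for h in HIDING_STYLES):
        return True
    return attrs.get("width") == "0" or attrs.get("height") == "0"


class SourceAuditor(HTMLParser):
    """Collect (kind, target, hidden) for every iframe and every link that
    points off-site, where hidden means the element or an ancestor is hidden."""

    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.stack = []          # (tag, hidden_here) for currently open elements
        self.hidden_depth = 0    # number of open ancestors that are hidden
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden_here = _hidden(a)
        hidden = hidden_here or self.hidden_depth > 0
        if tag == "iframe":
            self.findings.append(("iframe", a.get("src") or "", hidden))
        elif tag == "a" and a.get("href"):
            host = (urlparse(a["href"]).hostname or "").lower()
            if host and host != self.own_host:
                self.findings.append(("external-link", a["href"], hidden))
        if tag not in VOID_TAGS:
            self.stack.append((tag, hidden_here))
            if hidden_here:
                self.hidden_depth += 1

    def handle_endtag(self, tag):
        # Pop back to the matching open tag, undoing any hidden ancestors on the way.
        while self.stack:
            open_tag, hidden_here = self.stack.pop()
            if hidden_here:
                self.hidden_depth -= 1
            if open_tag == tag:
                break


def audit(html, own_host):
    parser = SourceAuditor(own_host)
    parser.feed(html)
    parser.close()
    return parser.findings


def suspicious(html, own_host):
    """Findings worth a closer look: any iframe at all, or any hidden off-site link."""
    return [f for f in audit(html, own_host) if f[0] == "iframe" or f[2]]


if __name__ == "__main__":
    for kind, target, hidden in suspicious(SAMPLE_HTML, "example.com"):
        print(f"{kind:14} hidden={hidden} {target}")
```

Visible off-site links are normal on a blog, which is why `suspicious()` only keeps the hidden ones, but every iframe is reported because a stock theme rarely needs one; if you do embed video or widgets, add those hosts to an allow list before you treat a hit as a compromise.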
Should you abandon WordPress?
I love the WordPress platform because it’s so powerful, flexible and extensible. The downside to all these extensions is that it only takes one weak link to compromise your blog. Even though the core WordPress developers mostly follow good security practices for the code they write, that cannot be extended to all the thousands of WordPress theme and plug-in developers.
Since WordPress is the most popular blog platform, it suffers the same problem as Microsoft does with its products: it is also the most popular target for security exploits. Therefore we are going to have to live with constant security vigilance. If you are not willing to at least follow the six steps in this article, then WordPress is probably not the best blogging platform for you.
Are you practicing safe blogging?