
WordPress Blog Security – Blog Security, WordPress Blog Website Security

Author: AITpro Admin
Published: April 12, 2011
Updated: March 28, 2012

WordPress Blog Security – First off, WordPress Blog software is very secure and has the highest website security standards.  WordPress Blog software continually improves on those high security standards with each new WordPress version release.  The latest security improvements in WordPress 3.1.1 focused on a very complex Cross-site Request Forgery (CSRF) hacking method.  See the Wikipedia article on cross-site request forgery, and specifically the “Limitations” section of that article on CSRF exploits.  You will see that in order for a hacker to successfully execute a CSRF attack, several complex conditions must be met.  What the latest security improvements to WordPress demonstrate to me is that the WordPress folks are not only very experienced and knowledgeable, but that they are looking at any and all possible security risks, no matter how obscure or unlikely they might be.

Kudos to WordPress Core Developer Jon Cave

AITpro was contacted by WordPress core developer, Jon Cave and informed that the BulletProof Security plugin could be exploited by CSRF hacking methods.  We quickly wrote new code for BPS to patch this exploit and released BulletProof Security version .46.  I can’t say enough good things about Jon Cave.  Jon is top notch and he genuinely cares about the WordPress community as a whole in a selfless way.  Kudos to you Jon Cave for being such a stellar person!  And of course Kudos to all the other awesome peeps at WordPress and WordPress contributors who have made and continue to make WordPress such an exceptional web software application.

WordPress Blog Security, Web Host Security and WordPress Blog Website Owner’s Security Responsibilities

If you are not familiar with WordPress Blog software and would like to know more about what it is and the history of WordPress, check out the Wikipedia page about WordPress.  WordPress Blog software has traditionally been used as a blogging platform, but WordPress can be used as a Content Management System (CMS) with very little modification.  WordPress continues to do its part in providing a secure Blog software application.  Your Web Host is responsible for providing a secure website environment that should generally protect your Blog website with a certain baseline level of security.  The final responsibility to secure an individual WordPress Blog website (or any type of website for that matter) falls on the individual Blog website owner.  An analogy: let’s say you buy a new car, leave the doors unlocked with the keys in the ignition, and the car gets stolen because of this.  You can’t really blame the car manufacturer or the dealer who sold you the car for the car being stolen.  This simple analogy helps to put things in perspective when it comes to Blog website security in general.  It is the individual Blog website owner’s security responsibility to make sure his or her individual WordPress Blog website is secured.

Another thing to consider, to keep things in perspective, is that if the Department of Defense and NASA can be hacked then it is safe to assume that there isn’t a system, application or website built that can’t be cracked.  DoD and NASA were hacked by individuals who focused all their attention and probably worked pretty hard to break into those systems.  Fortunately, the majority of website hacking attempts are done in an automated fashion on a massive scale.  A hacker discovers a vulnerability and writes a program (a Bot program – short for “robot”) that automatically searches out any websites that have this vulnerability, exploits that known vulnerability and executes a payload on those websites.  If a hacker discovers a security vulnerability in a server at a web host, he / she can target the web host server directly instead of targeting individual websites.  If a MySQL server was compromised at your web host and your WordPress Blog website database is housed on that particular server, then your WordPress Blog website could be compromised and become a victim of the bot’s payload.

WordPress Blog Security – The Web Host Security Responsibilities

So that brings me to the security responsibility of your web host.  Your Web Host is not responsible for providing website security for each individual WordPress Blog website, or any individual website for that matter.  Most people get a shared web hosting plan because it is much more affordable.  Shared web hosting comes with more security risk because you are sharing website space and servers with other people.  It is the web host’s security responsibility to provide a secure environment by implementing the security measures that are either built into or available for the hardware and software of the servers that they use.  The PHP server and MySQL server programmers designed their software with built-in security features, but that security must be implemented correctly (server configuration) in order to be effective.  See the Wikipedia page on shared web hosting for more general information.  If someone on your particular shared server has a security vulnerability that can be exploited on their WordPress Blog website, it could affect the server itself and in turn affect your WordPress Blog website if the web host server is not properly secured.  So basically it is the web host’s security responsibility to make sure their servers are properly secured, thereby creating a shared environment that is secure for everyone on the particular server or servers (MySQL, etc.) that are shared by multiple website owners.  I assume that most of the major web hosts have security scanning software that is constantly scanning domains for security vulnerabilities, but you can imagine that scanning millions of website domains that are constantly changing (being updated by website owners) on a regular basis is a monumental ongoing task.

WordPress Blog Website Owner’s Security Responsibilities

Assuming that your web hosting provider has done their part in providing a secure hosting environment and you are using WordPress Blog software, then the final responsibility of adding website blog security for an individual WordPress Blog website falls on the WordPress Blog website owner.  An Apache server running the Linux operating system is the most commonly chosen web hosting plan.  If you have Linux web hosting, then WordPress Blog website security is implemented by adding a secure .htaccess file for your WordPress Blog website and configuring your php.ini and / or php5.ini file with the website security options that you choose.  If you want a one-click WordPress Blog website .htaccess security solution, then you’re in luck if you came across this article because you have found the BulletProof Security WordPress Blog plugin.  There is nothing magical about the WordPress BulletProof Security Blog plugin.  It simply makes the job of securing your WordPress Blog website with .htaccess website security simple and fast.  The .htaccess filters in the BulletProof Security .htaccess files will protect your WordPress Blog website from external XSS and SQL Injection attacks on your website and even provide your WordPress Blog website some internal website security protection from lateral or internal security attacks in your shared web hosting environment.  If you choose not to use the BulletProof Security WordPress Blog plugin, at least take the secure .htaccess files out of the plugin files and use them to secure your WordPress Blog website manually.  The .htaccess files in BPS are not exclusive to WordPress Blog websites.  They can be used on HTML websites by simply changing the RewriteRule to HTML instead of PHP.  Example: change RewriteRule . /index.php [L] to RewriteRule . /index.html [L].
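A minimal hardened .htaccess of the kind the article describes, as an added example that is not the BulletProof Security plugin’s own rules: it assumes Apache with mod_rewrite enabled and WordPress installed in the web root, and the query-string filters are illustrative pattern matches (they catch only the most obvious probes and are not a substitute for patched software).

```apache
# Constructed example .htaccess for a WordPress site root (not BPS's own file).
# Assumes Apache with mod_rewrite; works on both Apache 2.2 and 2.4 syntax.

# Do not advertise server details and never list directory contents.
ServerSignature Off
Options -Indexes

# Deny direct web access to files that should never be served to a browser.
<FilesMatch "^(wp-config\.php|\.htaccess|\.htpasswd|readme\.html|license\.txt)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

# Illustrative request filters: refuse (403) requests whose query string
# carries the most obvious XSS / SQL injection probe patterns.
# [NC] = case-insensitive, [OR] = any one condition is enough.
RewriteCond %{QUERY_STRING} (<|%3C)script [NC,OR]
RewriteCond %{QUERY_STRING} union(\s|%20|\+)+select [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|\.\.%2F) [NC]
RewriteRule .* - [F,L]

# Standard WordPress front-controller block: anything that is not a real
# file or directory is handed to index.php (WordPress "pretty permalinks").
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# For a plain HTML site, as the article notes, change that last line to:
#   RewriteRule . /index.html [L]
</IfModule>
```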

The scope of this article does not cover Windows IIS web hosting security measures for WordPress Blog website owners.  For WordPress Blog website owners who are using Windows IIS web hosting check out the IIS.net website for more information on adding security for your WordPress Blog website hosted on a Windows IIS server.

WordPress Blog Security Summary

WordPress Blog software is very secure website blog software that is continually improving.

Pick a good neighborhood.  If you have never heard the term “bad neighborhood”, then what that term is referring to is a shared hosting environment that is either not well secured or allows “risky” domains to exist on those servers.  It is tough on the smaller web hosting outfits to get into the game because they may not have an established reputation yet like the big brand name web hosting companies have.  In my personal experience it takes time and sacrifice to build a solid rep.  If you don’t have a web host yet then look for unbiased reviews on the web hosts that you are considering.    Any decent web host should be checking to make sure that the domains they are allowing to be hosted on their servers are reputable.  Reputable in the sense that they are not causing problems for other people sharing the same resources either indirectly or directly.

BulletProof Security is a WordPress Blog security plugin that makes adding .htaccess website blog security for an individual WordPress Blog website hosted on a Linux server fast and simple.  WordPress Blog website owners should either use the BulletProof Security WordPress Blog plugin for website security, use the individual .htaccess files contained in the BPS plugin, or create their own custom secure .htaccess files for blog website security.  The php.ini and / or php5.ini files should also be configured with the best website security options.



Categories: Wordpress Tips - Tricks - Fixes
