{"id":2688,"date":"2011-04-12T17:07:09","date_gmt":"2011-04-13T00:07:09","guid":{"rendered":"http:\/\/www.ait-pro.com\/aitpro-blog\/?p=2688"},"modified":"2012-03-28T11:38:44","modified_gmt":"2012-03-28T18:38:44","slug":"wordpress-blog-security-blog-security-wordpress-blog-website-security","status":"publish","type":"post","link":"https:\/\/www.ait-pro.com\/aitpro-blog\/2688\/misc-projects\/wordpress-tips-tricks-fixes\/wordpress-blog-security-blog-security-wordpress-blog-website-security\/","title":{"rendered":"WordPress Blog Security &#8211; Blog Security, WordPress Blog Website Security"},"content":{"rendered":"<p><span style=\"color: #000066;\"><strong>WordPress Blog Security<\/strong><\/span> &#8211; First off WordPress Blog software is very secure and has the highest website security standards.\u00a0\u00a0WordPress\u00a0Blog software is continually\u00a0improving on those high security standards with each new WordPress version release.\u00a0\u00a0The latest security improvements to WordPress 3.1.1 focused on a very complex Cross-site Request Forgery (CSRF) hacking method.\u00a0 See this Wiki post <span class=\"bluelink\"><a title=\"Wiki Cross-site Request Forgery\" href=\"http:\/\/en.wikipedia.org\/wiki\/Cross-site_request_forgery\" rel=\"nofollow\" target=\"_blank\">Wiki cross-site request forgery<\/a><\/span> and specifically look at the &#8220;Limitations&#8221; section of that Wiki article on CSRF exploits.\u00a0 You will see that in order for a hacker to successfully execute a CSRF attack,\u00a0several complex conditions must be achieved.\u00a0 What the latest security improvements to WordPress demonstrate to me\u00a0is that the WordPress folks are not only very experienced and knowledgeable, but\u00a0that they are looking at any and all possible\u00a0security risks, no matter how obscure or unlikely they might be.\u00a0<\/p>\n<h2><span style=\"color: #000066;\">Kudos to\u00a0WordPress Core Developer Jon Cave<\/span><\/h2>\n<p>AITpro was contacted by 
WordPress core developer, Jon Cave\u00a0and informed that the BulletProof Security plugin could be exploited by\u00a0CSRF\u00a0hacking methods.\u00a0\u00a0We quickly\u00a0wrote new\u00a0code for BPS to patch this exploit and released BulletProof Security version .46.\u00a0 I can&#8217;t say enough good things about Jon Cave.\u00a0 Jon is top notch and he genuinely cares about the WordPress community as a whole in a selfless way.\u00a0\u00a0Kudos to you Jon Cave for being such a stellar person!\u00a0 And of course Kudos to all the other awesome peeps at WordPress and WordPress contributors who have made and continue to make\u00a0WordPress\u00a0such an exceptional web software application.<\/p>\n<h2><span style=\"color: #000066;\">WordPress Blog Security, Web Host Security and WordPress Blog Website Owner&#8217;s Security Responsibilities<\/span><\/h2>\n<p>If you are not familiar with WordPress Blog software and would like to know more about what WordPress Blog software is and the history of WordPress then check out this Wiki page &gt;&gt;&gt; <span class=\"bluelink\"><a title=\"Wiki Page about WordPress\" href=\"http:\/\/en.wikipedia.org\/wiki\/WordPress\" rel=\"nofollow\" target=\"_blank\">Wiki page about WordPress<\/a>.\u00a0\u00a0The traditional use for WordPress\u00a0Blog software has been used as a blogging platform, but WordPress can be used as a Content Management System (CMS) with very little modification.\u00a0\u00a0WordPress continues to do\u00a0their part\u00a0in providing a secure\u00a0Blog software application.\u00a0 Your Web Host is responsible for providing a secure website environment that\u00a0should generally protect your Blog website overall with a certain level of security.\u00a0\u00a0The final responsibility to secure\u00a0an individual\u00a0WordPress Blog website (or any type of website for that matter) falls on the individual Blog website owner.\u00a0\u00a0An analogy\u00a0would be, let&#8217;s say you buy a new car and leave the doors unlocked 
with the keys in the ignition and the car gets stolen because of this.\u00a0\u00a0You can&#8217;t really blame the car manufacturer or the dealer who sold you the car for the car being stolen.\u00a0 This simple analogy helps to put things in perspective when it comes to Blog website security in general.\u00a0\u00a0It is the individual Blog website owner&#8217;s security responsibility to make sure his or her individual WordPress Blog website\u00a0is secured.<\/span><\/p>\n<p><span class=\"bluelink\">Another thing to consider to keep things in perspective is that if the Department of Defense and NASA can be hacked then\u00a0it is safe to\u00a0assume that there isn&#8217;t a system, application\u00a0or website built\u00a0that can&#8217;t\u00a0be cracked.\u00a0 DoD and NASA were hacked by\u00a0individuals who focused all their attention\u00a0and probably worked pretty hard to break into those systems.\u00a0 Fortunately\u00a0the majority of\u00a0website hacking attempts\u00a0are done in an automated fashion on a massive scale.\u00a0 A hacker\u00a0discovers a vulnerability and writes a program (Bot program &#8211; short for &#8220;robot&#8221;) that will automatically search out any websites that have this vulnerability and the program will exploit that known vulnerability and\u00a0execute a\u00a0payload on those websites.\u00a0 If a hacker discovers a security vulnerability with a server on a web host he \/ she can target the web host server directly instead of targeting individual websites.\u00a0 If a MySQL server was compromised on your web host and your\u00a0WordPress Blog\u00a0website database is housed on that particular server then your WordPress Blog website could be\u00a0compromised and be a victim of\u00a0the bot&#8217;s payload.\u00a0 <\/span><\/p>\n<h2><span class=\"bluelink\" style=\"color: #000066;\">WordPress Blog Security &#8211; The Web Host Security Responsibilities<\/span><\/h2>\n<p><span class=\"bluelink\">So that brings me to the security 
responsibility of your web host.\u00a0 Your Web Host is not responsible\u00a0for providing\u00a0website security for each individual WordPress Blog website or any individual websites for that matter.\u00a0 Most people get a shared web hosting plan because it is much more affordable.\u00a0 Shared web hosting comes with more security risk because you are sharing website space\u00a0and servers with other people.\u00a0 It is the web host&#8217;s security responsibility to provide a secure environment by implementing\u00a0security measures that are either built into or available for the hardware and software of the servers that they use.\u00a0 The PHP server and MySQL server programmers designed their software with built in security features, but that security must be implemented correctly (server configuration) in order to be effective.\u00a0 See this\u00a0<a title=\"Wiki Shared Web Hosting\" href=\"http:\/\/en.wikipedia.org\/wiki\/Shared_web_hosting_service\" rel=\"nofollow\" target=\"_blank\">Wiki Shared Web Hosting<\/a> page for more general information on shared web hosting.\u00a0 If someone on your particular shared server has a security vulnerability that can be exploited on their WordPress Blog website\u00a0then it could affect the server itself and in turn affect your WordPress Blog website if\u00a0the\u00a0web host server is not properly secured.\u00a0 So basically it is the web host&#8217;s security responsibility to make sure their servers are properly secured, thereby\u00a0creating a shared environment\u00a0that is\u00a0secure for everyone on the particular server or\u00a0servers (MySQL, etc.) 
that are\u00a0shared by multiple website owners.\u00a0 I assume that most of the major web hosts have security scanning software that is constantly scanning\u00a0domains\u00a0for security vulnerabilities, but you can imagine that scanning millions of website domains that are constantly changing (being updated by website owners) on a regular basis\u00a0is a monumental ongoing task.<\/span><\/p>\n<h2><span class=\"bluelink\" style=\"color: #000066;\">WordPress Blog Website Owner&#8217;s Security Responsibilities<\/span><\/h2>\n<p><span class=\"bluelink\">Assuming that\u00a0your web hosting provider has done their part in providing a secure hosting environment\u00a0and you are using\u00a0WordPress Blog software\u00a0then\u00a0the final\u00a0responsibility of adding website blog security for\u00a0an individual WordPress Blog website falls on<\/span><span class=\"bluelink\">\u00a0the WordPress Blog website owner.\u00a0 An Apache Server running the Linux Operating System is the most commonly chosen\u00a0web hosting\u00a0plan.\u00a0 If you have Linux web hosting then WordPress Blog website security is\u00a0implemented by adding a secure .htaccess file\u00a0for your WordPress Blog website and configuring your php.ini and \/ or php5.ini file with the website security options that you choose.\u00a0 If you want a one click WordPress\u00a0Blog website .htaccess security solution then you&#8217;re in luck if you came across this article because you have found the BulletProof Security WordPress Blog Plugin.\u00a0 There is nothing magical\u00a0about the WordPress BulletProof Security Blog plugin.\u00a0 It is simply\u00a0just making the job of securing your WordPress Blog website with .htaccess website security simple and fast.\u00a0 The .htaccess filters in the BulletProof Security .htaccess files will protect your WordPress Blog website from\u00a0external XSS and SQL Injection attacks on your\u00a0website and even provide your WordPress\u00a0 Blog website some internal website 
security protection from lateral or internal security\u00a0attacks in your shared web hosting environment.\u00a0 If you do not choose to use the BulletProof Security WordPress Blog plugin, at least take the secure .htaccess files out of the plugin files and\u00a0use them to secure your WordPress Blog website manually.\u00a0 The .htaccess files in BPS are not exclusive to WordPress Blog websites.\u00a0 They can be used on HTML websites by simply changing the RewriteRule to HTML instead of PHP.\u00a0 Example:\u00a0 change RewriteRule . \/index.php [L]\u00a0 to RewriteRule . \/index.html [L].<\/span><\/p>\n<p><span class=\"bluelink\">The scope of this article does not cover Windows IIS web hosting security measures for WordPress Blog website owners.\u00a0 For\u00a0WordPress Blog website owners who are using Windows IIS web hosting check out the <a title=\"IIS Web Hosting Website\" href=\"http:\/\/www.iis.net\/overview\/EnhancedServerProtection\" rel=\"nofollow\" target=\"_blank\">IIS.net website<\/a> for more information on adding security for your WordPress Blog website hosted on a Windows IIS server.<\/span><\/p>\n<h2><span class=\"bluelink\" style=\"color: #000066;\">WordPress Blog Security\u00a0Summary<\/span><\/h2>\n<p><span class=\"bluelink\">WordPress Blog software is\u00a0very secure website blog software that is continually improving.<\/span><\/p>\n<p><span class=\"bluelink\">Pick a good neighborhood.\u00a0 If you have never heard the term &#8220;bad neighborhood&#8221;, then\u00a0what that term is referring to is a shared hosting environment that is either not well secured or allows &#8220;risky&#8221; domains to exist on those servers.\u00a0 It is tough on the smaller web hosting outfits to get into the game because they may not have an established reputation yet like the big brand name web hosting companies have.\u00a0 In my personal experience it takes time and sacrifice to\u00a0build a solid rep.\u00a0 If you don&#8217;t have a web host yet then look for 
unbiased reviews on the web hosts that you are considering.\u00a0\u00a0\u00a0 Any decent web host should be checking to make sure that the domains they are allowing to be hosted on their servers are reputable.\u00a0 Reputable in the sense that they are not causing problems for other people sharing the same resources either indirectly or directly.<\/span><\/p>\n<p><span class=\"bluelink\">BulletProof Security is a WordPress Blog security plugin that makes adding .htaccess website blog security for an individual WordPress Blog website hosted on a Linux server\u00a0fast and simple.\u00a0\u00a0WordPress Blog website owners should utilize either the BulletProof Security WordPress Blog plugin for website security or use the individual .htaccess files contained in the BPS plugin or create their own custom secure .htaccess\u00a0files for blog website security.\u00a0 Also the php.ini and \/ or php5.ini files should be configured with the best website security options.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>WordPress Blog Security &#8211; First off WordPress Blog software is very secure and has the highest website security standards.\u00a0\u00a0WordPress\u00a0Blog software is continually\u00a0improving on those high security standards with each new WordPress version release.\u00a0\u00a0The latest security improvements to WordPress 3.1.1 focused on a very complex Cross-site Request Forgery (CSRF) hacking method.\u00a0 See this Wiki post Wiki 
[&hellip;]<\/p>\n","protected":false},"author":167,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","_links_to":"","_links_to_target":""},"categories":[13],"tags":[386,388],"class_list":["post-2688","post","type-post","status-publish","format-standard","hentry","category-wordpress-tips-tricks-fixes","tag-wordpress-blog-security","tag-wordpress-blog-website-security"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/posts\/2688","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/users\/167"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/comments?post=2688"}],"version-history":[{"count":0,"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/posts\/2688\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/media?parent=2688"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/categories?post=2688"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/tags?post=2688"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}