A month in advance of the major 3.2 release scheduled for the end of June, WordPress released version 3.1.3 yesterday, which includes several new security features that harden the code against hacker threats. Two in particular caught my eye, and one matches the trend of unusual hits I’ve seen in my site statistics. See why these updates are important and what other measures you will want to take to protect your site.
Is Your Host Safe?
The new security feature that caught my eye first, and should send a chill down everyone’s spine, was “Improves file upload security on hosts with dangerous security settings.”
Since hackers can clog the pipeline on any server so that nothing can get out (read Why so Many Websites Have Been Down Lately), you would think that hosts would take every precaution necessary to secure WordPress installations. But they don’t. I never cease to be amazed at how many hosts defer to the 1-click installation process, knowing full well that it is not secure (read WordPress 1-click Installation is not Secure).
Securing your installation requires a real geek. Not a pseudo, pretend geek, or even a designer trying to sweeten the deal by giving you a discount on a hosting package. Purchase the hosting yourself and get a pro to install WordPress. (Shameless self-promotion – BlogAid offers fully secure, turn-key installations and you won’t get either of those things from the 1-click way of doing it.)
Login Page Security
A few weeks ago, while digging deeper into my site’s analytics, I noticed that my login page was getting an unusually high number of hits. I assumed it was from failed hacker attacks, and that notion was confirmed by this WordPress release.
One of the security features in 3.1.3 is the introduction of “clickjacking protection in modern browsers on admin and login pages,” according to the summary note from WordPress.
In March, I wrote a post titled Invite Hackers and Shun Viewers with Bad Meta Data where I provided screen shots of how some folks are literally advertising to hackers that they will only have to figure out half of the login security to break into the site. But at least you had to be a hacker to do that. Clickjacking in the browser makes it possible for the not-so-savvy hacker now too.
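Clickjacking works by loading the login or admin page inside an invisible frame on an attacker-controlled page so that a logged-in user's clicks land on controls they cannot see. The protection WordPress 3.1.3 adds is a response header, X-Frame-Options: SAMEORIGIN, which tells the browser to refuse to render the page inside a frame from another site. The script below is an added example, not WordPress code: it parses raw HTTP response heads and classifies their framing policy, covering the newer Content-Security-Policy frame-ancestors directive as well as X-Frame-Options. The sample responses are constructed, not captured from a real site, and the function and variable names are my own.

```python
"""Classify the framing (clickjacking) policy carried by HTTP response headers.

Added example, not WordPress code. It reports whether a response opts out
of being framed via X-Frame-Options or a Content-Security-Policy
frame-ancestors directive. The sample responses are constructed.
"""
from __future__ import annotations

from typing import Dict, Tuple


def parse_response_head(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP response head into (status line, lowercase header map)."""
    lines = raw.strip().splitlines()
    status_line = lines[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        name = name.strip().lower()
        value = value.strip()
        # Repeated headers are joined with commas, as HTTP allows.
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return status_line, headers


def frame_protection(headers: Dict[str, str]) -> str:
    """Classify the framing policy expressed by the headers.

    Returns one of:
      'csp'  - Content-Security-Policy frame-ancestors restricts framing
      'xfo'  - X-Frame-Options DENY or SAMEORIGIN (what WordPress 3.1.3 sends)
      'none' - no protection; the page can be embedded in a hostile frame
    """
    csp = headers.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = {p.lower() for p in parts[1:]}
            # 'none' or 'self' restricts framing; a bare * allows any site.
            if sources and "*" not in sources:
                return "csp"
    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "xfo"
    # ALLOW-FROM is obsolete and ignored by modern browsers, so it counts as none.
    return "none"


def audit_login_pages(responses: Dict[str, str]) -> Dict[str, str]:
    """Map each labelled raw response to its framing classification."""
    return {label: frame_protection(parse_response_head(raw)[1])
            for label, raw in responses.items()}


# Constructed sample responses for a login page (not captured from a real site).
SAMPLE_RESPONSES = {
    "before_3.1.3": "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n",
    "wordpress_3.1.3": (
        "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n"
        "X-Frame-Options: SAMEORIGIN\r\n\r\n"
    ),
    "csp_hardened": (
        "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n"
        "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n\r\n"
    ),
    "csp_wildcard": (
        "HTTP/1.1 200 OK\r\nContent-Security-Policy: frame-ancestors *\r\n\r\n"
    ),
}

if __name__ == "__main__":
    for label, verdict in audit_login_pages(SAMPLE_RESPONSES).items():
        print(f"{label:16} {verdict}")
```

To check a live site, fetch the login page with any HTTP client and pass its headers to frame_protection; a verdict of "none" means the update has not been applied or a proxy in front of the site is stripping the header.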
So, this is also a good example of why you need to install and actually read your Google Analytics once in a while too. (There’s a plugin for that and you can install it yourself or hire BlogAid to install and configure it for you.)
Backup and Update
Keep your site updated. Back up your site first! There are lots of free backup plugins available. My fave free one is WP-DBManager. But most of them only back up your database, which contains the content of your pages and posts. What they miss backing up are your theme, plugins, and any special sidebar content you’re using. The best plugin I’ve found to do it all, and still be simple to use, is BackupBuddy. It’s a premium plugin, but certainly worth paying for. And, it now includes a malware scanner to check your whole site for malicious code that may have come hidden in a cheap or free theme.
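The gap between a database-only backup and a full one is easy to see in code. The script below is an added example, not BackupBuddy or WP-DBManager code: it bundles the database dump together with wp-content (themes, plugins, uploads) and wp-config.php into one archive, then reports which required pieces an archive is missing. The site tree and SQL dump are constructed in a temporary directory for the demo; on a real install SITE_ROOT would be the WordPress directory and the dump would come from mysqldump. All names here are my own.

```python
"""Bundle a WordPress site's files and database dump into one archive.

Added example, not BackupBuddy or WP-DBManager code. It shows what a
'full' backup has to cover beyond the database: wp-content (themes,
plugins, uploads) and wp-config.php. The site tree and SQL dump are
constructed in a temporary directory for demonstration.
"""
from __future__ import annotations

import tarfile
import tempfile
from pathlib import Path
from typing import List, Tuple

# Parts of a site a database-only backup leaves behind.
REQUIRED_DIRS = ("wp-content/themes", "wp-content/plugins", "wp-content/uploads")
# wp-config.php holds the DB credentials and salts; a reinstall does not recreate it.
REQUIRED_FILES = ("wp-config.php",)
DB_MEMBER = "database.sql"


def build_site_backup(site_root: Path, db_dump: Path, archive: Path) -> List[str]:
    """Write a gzip tarball of wp-content, wp-config.php and the DB dump.

    Returns the archive member names so a caller can check coverage.
    """
    with tarfile.open(archive, "w:gz") as tar:
        for rel in REQUIRED_DIRS + REQUIRED_FILES:
            path = site_root / rel
            if not path.exists():
                raise FileNotFoundError(f"expected {rel} under {site_root}")
            tar.add(path, arcname=rel)  # directories are added recursively
        tar.add(db_dump, arcname=DB_MEMBER)
    with tarfile.open(archive, "r:gz") as tar:
        return tar.getnames()


def missing_from_backup(archive: Path) -> List[str]:
    """List required components absent from an archive (empty list = complete)."""
    with tarfile.open(archive, "r:gz") as tar:
        names = set(tar.getnames())
    missing = [rel for rel in REQUIRED_DIRS + REQUIRED_FILES if rel not in names]
    if DB_MEMBER not in names:
        missing.append(DB_MEMBER)
    return missing


def make_constructed_site(base: Path) -> Tuple[Path, Path]:
    """Create a minimal fake WordPress tree and SQL dump (constructed data)."""
    site = base / "site"
    for rel in REQUIRED_DIRS:
        (site / rel).mkdir(parents=True)
    (site / "wp-content/themes/demo-theme").mkdir()
    (site / "wp-content/themes/demo-theme/style.css").write_text("/* constructed theme */\n")
    (site / "wp-content/plugins/demo-plugin.php").write_text("<?php // constructed plugin\n")
    (site / "wp-content/uploads/2011/05").mkdir(parents=True)
    (site / "wp-content/uploads/2011/05/photo.jpg").write_bytes(b"\xff\xd8constructed")
    (site / "wp-config.php").write_text("<?php define('DB_NAME', 'constructed');\n")
    dump = base / "wp_db.sql"
    dump.write_text("-- constructed dump\nCREATE TABLE wp_posts (ID bigint);\n")
    return site, dump


def demo_full() -> List[str]:
    """Back up the constructed site completely and return what is missing."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        site, dump = make_constructed_site(base)
        archive = base / "site-backup.tar.gz"
        members = build_site_backup(site, dump, archive)
        assert "wp-content/uploads/2011/05/photo.jpg" in members
        return missing_from_backup(archive)


def demo_db_only() -> List[str]:
    """Archive only the SQL dump, as a database-only plugin would, and report gaps."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        _, dump = make_constructed_site(base)
        archive = base / "db-only.tar.gz"
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(dump, arcname=DB_MEMBER)
        return missing_from_backup(archive)


if __name__ == "__main__":
    print("full backup missing:", demo_full() or "nothing")
    print("db-only backup missing:", demo_db_only())
```

Running it prints nothing missing for the full archive and lists the three wp-content directories plus wp-config.php for the database-only one, which is exactly what you would have to rebuild by hand after a crash.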
And, consider this. There are a lot of different ways you can lose your whole site. A hacker could take it down. A host server could crash and leave unrecoverable data. A WordPress update could break your theme. How much money and time would you lose if that happened? Suddenly, making a couple of clicks to back up your site doesn’t seem like such a chore, huh?
Maybe I’m like the Internet police and I just see this happen a lot more than most folks, but sites get hacked and scrambled all the time. Do yourself a favor and keep WordPress, your plugins, and theme up to date.
“Purchase the hosting yourself and get a pro to install WordPress.” Or let your designer recommend secure and reliable hosting. Don’t reject it because it “costs more.” Of COURSE it costs more. You get what you pay for.
Spot on, Angelique. Wish more folks saw the value in it without having to learn the hard way.