“Delete my WordPress blog? You can’t be serious!”
Well, yes I am. If you aren’t using it.
WordPress is the world’s most popular blog, CMS, framework, magic trick – however you classify it, it’s behind almost 20% of the world’s self-hosted websites, and that’s a lot of sites. More than 75 million, they say. So odds are you’ve installed WordPress at least once, if not half a dozen times, over the years.
But where, oh where are those WordPress installations?
We find a lot of them in /test directories, or in abandoned /blog directories. We find them there because they get compromised, and we’re called in to clean up the resulting mess. And that mess can go very deep, and spread out well beyond the WordPress directory.
Since WordPress is so popular, it’s also the target of more compromises than any other third-party application that you can install. So what often happens is someone installs WordPress to try it or test it, and then they forget about it. But they don’t delete it. So there that old installation sits.
And the longer it sits without being updated, the more vulnerable it is to compromise by the bad guys. If you think they’ll never find it because you cleverly installed it in a random directory that you don’t link to from anywhere, think again. The bad guys have bots – lots and lots of bots – and spiders, and all they do, all day every day, is look for wp-admin pages to exploit.
If you are actively using WordPress, that’s great, all you have to do is keep it up to date and your chances of being compromised are vastly reduced (they don’t go away, but they’re reduced). If you use WordPress but you’re not someone who logs in to the WordPress admin back end every day, you might consider setting up automatic updates.
Another thing you can do is delete the “admin” user that’s created when you first install WordPress. Give your everyday user admin permissions and delete that admin user. I know, it’s scary, but do it! That will make it harder for the bad guys to exploit you using a brute force attack on your admin password.
Active WordPress installations aside, the best thing you can do is look around for old, unused WordPress installations and get rid of them. And while you’re in there digging around, you might want to delete any other applications that you aren’t using. Look at it like a kind of year-round spring cleaning. It will make your domain more secure and potentially save you from a real headache down the road.
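As an added example (not code from the original post), here is a small POSIX shell inventory that lists every WordPress copy under a web root with its core version and flags the ones whose core has not been touched in months, which is how the forgotten /test and /blog copies above usually look. It assumes each copy keeps the stock layout, with a wp-includes/version.php that sets $wp_version; the sample tree it builds is constructed for the demo.

```shell
#!/bin/sh
# Inventory WordPress copies under a web root so forgotten installs
# (old /test or /blog directories) can be reviewed and removed.
# Assumption: each copy keeps the stock layout, i.e. it contains a
# wp-includes/version.php that sets $wp_version.

# One line per copy: "<install dir> <core version> <stale|recent>".
# "stale" means version.php has not changed in more than $2 days
# (default 90), i.e. core has not been updated in that time.
find_wp_installs() {
    wp_root="$1"; max_days="${2:-90}"
    find "$wp_root" -type f -path '*/wp-includes/version.php' 2>/dev/null |
    while read -r vfile; do
        dir=$(dirname "$(dirname "$vfile")")
        # Pull the value out of a line like: $wp_version = '4.9.8';
        version=$(awk -F"'" '/^[$]wp_version/ { print $2; exit }' "$vfile")
        [ -n "$version" ] || version=unknown
        if [ -n "$(find "$vfile" -mtime +"$max_days")" ]; then
            state=stale
        else
            state=recent
        fi
        printf '%s %s %s\n' "$dir" "$version" "$state"
    done
}

# Number of stale copies: the ones to update or delete first.
count_stale() {
    find_wp_installs "$1" "$2" | awk '$3 == "stale" { n++ } END { print n + 0 }'
}

# Constructed sample tree (not a real server): an active blog whose core
# was updated just now and a forgotten /test copy last touched in 2018.
make_demo_tree() {
    demo_root=$(mktemp -d)
    mkdir -p "$demo_root/blog/wp-includes" "$demo_root/test/wp-includes"
    printf '<?php\n$wp_version = %s;\n' "'5.0.1'" > "$demo_root/blog/wp-includes/version.php"
    printf '<?php\n$wp_version = %s;\n' "'4.9.8'" > "$demo_root/test/wp-includes/version.php"
    touch -t 201801010000 "$demo_root/test/wp-includes/version.php"
    printf '%s\n' "$demo_root"
}

# Usage on a real host would be: find_wp_installs /var/www 90
find_wp_installs "$(make_demo_tree)" 90
```

A "stale" line does not prove the copy is unused, only that nobody has updated its core; check the directory's purpose before deleting it.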
There are several highly recommended WordPress plugins as well that provide brute-force protection and notify you of updates, etc. If you search for “WordPress firewall”, there are quite a few out there with many high reviews. Use them.
Oh, and please don’t use a simple password that will take 2 tries to brute force. Get a password manager. Use it.
Douglas, yes, there are some good WordPress security plugins (we use one on this blog). We’ll do another post on general WordPress security, because there are a lot of things that can be done to tighten up your installation.
A common problem with brute force password attacks is not a simple password, but rather a complex one. That seems counter-intuitive, but a difficult-to-crack password causes the attack to go on for a longer period of time, and depending on how the attack is carried out, it can bring your site down while it’s happening. Best thing that can be done to prevent that is the removal of the admin user, and doing some kind of login attempt limiting (which many of the security plugins can do).
WordPress is NOT a CMS and should never have been popularized to become one; it is an over-glorified blogging system that has become way too big for its boots.
You and I may not consider it a CMS, but a lot of people do. It became as big as it is through simple persistence. If you think of what it was like when WP started 13 years ago – there were a lot of downloadable blog apps to run on your own site, but they’re all long gone.
A CMS though? No. But I’m not sure the people behind it even intended it to be.