20 Sep Risk management
Last summer, I had company visiting from England. My cousin Mike works as a risk analyst and security specialist for a large firm in the UK that has some high-profile clients - including government. Naturally, I asked him some relevant questions about web servers, WordPress, hackers and other fun stuff like that. (We refrained from having the conversation over dinner though.) I will say it was nice to talk to a family member who not only knows what WordPress is, but is familiar with servers and hardware infrastructure.
So I not only got a quick overview of how to analyze the risk and likelihood of different scenarios, I got to spend some quality family time not in front of the computer. Win/win. It also benefits you too, dear reader, because I got to discuss WordPress-specific and server-specific security with someone fully versed in calculating the likelihood of hackers wreaking havoc on your site.
The added bonus is a client also emailed me some security questions right around the same time, so I took those two hints to write a post about security and hopefully allay some fears.
There are fairly standard and common procedures for securing WordPress. Our buddy Brad Williams frequently talks about security at various WordCamps. All his tips are excellent.
It also has fewer vulnerabilities than many other popular software packages on your server.
So, that takes care of WordPress. Many people stop there and think they are covered.
But you're not.
You still have to secure the server itself. Most of the time, a good webhost will have this taken care of, but a recent spate of attacks targeting WordPress and other PHP-based applications exposed a few hosts who got sloppy.
Note that targeting WordPress is not the same as hacking WordPress. In the above cases, the servers themselves were compromised, and the hackers had access to the file system or database. If they can get to your files the same way you do, those files are toast - no matter how secured.
In a couple of cases I have heard of, the person's local home computer had a virus that lifted their FTP passwords and transferred hacked files to the webserver.
Clearly, the risk here isn't WordPress. Making sure you have correct file and folder permissions is definitely step one, and a step up from that is folder ownership. The other is making sure that any program on the server - phpMyAdmin or other database management tools, CentOS or other operating systems, cPanel or other account management tools - is also updated to the latest version. Outdated versions of PHP are also a larger risk.
Not to put too fine a point on it: if you're obsessing over WordPress security and ignoring the server itself, you've locked all the windows and left the front door open.
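As an added example (not from the post, and not part of WordPress itself), here is a small POSIX shell audit of the two server-side points above: it lists anything under the web root that is group- or world-writable and anything not owned by the account that should own the tree, and it builds a constructed sample tree so it can be run offline. The directory layout, the owner name and the sample files are assumptions, not values from the post.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes POSIX find and that the
# whole web tree should be owned by one account with nothing group/world-writable
# (an uploads directory left at 777 is the classic sloppy setting it catches).

# Count files and directories that are writable by group or by everyone.
count_writable() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print | wc -l | tr -d ' '
}

# Count entries not owned by the expected account ($2 must be an existing user).
count_wrong_owner() {
    find "$1" ! -user "$2" -print | wc -l | tr -d ' '
}

# Full audit: prints the offending paths, returns 0 when clean and 1 otherwise.
audit_wp_tree() {
    dir=$1; owner=$2
    w=$(count_writable "$dir")
    o=$(count_wrong_owner "$dir" "$owner")
    if [ "$w" -gt 0 ]; then
        echo "group/world-writable entries under $dir:"
        find "$dir" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print
    fi
    if [ "$o" -gt 0 ]; then
        echo "entries not owned by $owner:"
        find "$dir" ! -user "$owner" -print
    fi
    [ "$w" -eq 0 ] && [ "$o" -eq 0 ]
}

# Constructed sample install: sane permissions everywhere except uploads/.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/wp-content/uploads"
    : > "$t/wp-config.php"; : > "$t/index.php"
    chmod 755 "$t" "$t/wp-content"
    chmod 640 "$t/wp-config.php"
    chmod 644 "$t/index.php"
    chmod 777 "$t/wp-content/uploads"      # the one finding the audit should report
    echo "$t"
}

if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    audit_wp_tree "$tree" "$(id -un)" || echo "audit FAILED for $tree"
    rm -rf "$tree"
fi
```

Run it with `--demo` against the constructed tree, or call `audit_wp_tree /path/to/wordpress www-data` on a real install; anything it prints is a permission or ownership to fix.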
Specifically for those running a network: if a user account gets hacked, the attacker can do far less damage (if anything) than if they'd hacked the FTP password. And it's too easy to crack many of the common FTP programs. Your FTP password is transferred in plain text across the internet. Someone who breaks into your network is already prevented from editing files in the backend. They'd have to be a Super Admin to do that, so they'd need to crack yet another password. If you're not using the "admin" username, put it on the banned list of names, as I've seen hackers try to register with that name; otherwise, give it a super hard and secure password.
Consider this: I talked to a site owner recently who was unable to upgrade WordPress, or much of anything else, because their host hadn't scheduled PHP updates yet. It was troubling. I strongly suggested they find a new host.