<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Monday By Noon &#187; admin</title>
	<atom:link href="http://mondaybynoon.com/tag/admin/feed/" rel="self" type="application/rss+xml" />
	<link>http://mondaybynoon.com</link>
	<description>A resource for Web designers and developers to read about and discuss their craft.</description>
	<lastBuildDate>Wed, 08 Feb 2012 13:49:41 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" />
		<item>
		<title>&#8226; WordPress 3 Ultimate Security Book Review</title>
		<link>http://mondaybynoon.com/feeder/?FeederAction=clicked&#038;feed=Posts+%28RSS2%29&#038;seed=http%3A%2F%2Fmondaybynoon.com%2F20120130%2Fwordpress-3-ultimate-security-book-review%2F&#038;seed_title=%26%238226%3B+WordPress+3+Ultimate+Security+Book+Review</link>
		<comments>http://mondaybynoon.com/20120130/wordpress-3-ultimate-security-book-review/#comments</comments>
		<pubDate>Mon, 30 Jan 2012 11:16:25 +0000</pubDate>
		<dc:creator>Jonathan Christopher</dc:creator>
				<category><![CDATA[Book Reviews]]></category>
		<category><![CDATA[Development]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[Programming]]></category>
		<category><![CDATA[Reviews]]></category>
		<category><![CDATA[WordPress]]></category>
		<category><![CDATA[admin]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[PHP]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[server]]></category>

		<guid isPermaLink="false">http://mondaybynoon.com/?p=2553</guid>
		<description><![CDATA[I recently read WordPress 3 Ultimate Security by Olly Connelly and I'm impressed. At nearly 400 pages, the book is overflowing with lots of information on an unwieldy subject that (rightly) keeps some people away from unmanaged hosting. If you're interested in keeping your WordPress sites as secure as possible, this book might be for you.]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.packtpub.com/wordpress-3-ultimate-security/book"><img src="http://mondaybynoon.com/wp-content/uploads/wordpress-3-ultimate-security.jpg" alt="Book cover" title="wordpress-3-ultimate-security" width="493" height="617" class="alignright size-full wp-image-2554" /></a></p>
<p>I&#8217;ve just finished reading <a href="http://www.packtpub.com/wordpress-3-ultimate-security/book">WordPress 3 Ultimate Security</a> by Olly Connelly, which aims to help you make sure your WordPress installs are as protected as you can make them. Security is often one of the most intimidating pieces of running your own site, which is one of the major contributors to the popularity of shared hosting since many people are not comfortable managing their own server. Unfortunately though, shared hosting is often a false sense of security and can expose you further than a more segmented environment.</p>
<p>That doesn&#8217;t take away from the importance of being a responsible and reliable source of information for your clients. It&#8217;s very likely that your clients have no idea how their website works or how it&#8217;s even online, they just know who to call when something isn&#8217;t working properly. If you&#8217;re in charge of that environment, it would be a disservice to your client to cut corners or take a quick way out when it comes to their server setup. <a href="http://www.packtpub.com/wordpress-3-ultimate-security/book">WordPress 3 Ultimate Security</a> aims to help you harden your WordPress installs, resulting in a more stable, longer lasting website powered by WordPress.</p>
<h2>Content summary</h2>
<p><a href="http://www.packtpub.com/wordpress-3-ultimate-security/book">WordPress 3 Ultimate Security</a> is quite a comprehensive guide. I wasn&#8217;t sure what to expect when reading the first chapter, but it quickly became apparent that the content was going to sprawl across the entirety of security, as far as it was applicable. The chapter list is as follows:</p>
<ol>
<li>So What&#8217;s the Risk?</li>
<li>Hack or Be Hacked</li>
<li>Securing the Local Box</li>
<li>Surf Safe</li>
<li>Login Lock-Down</li>
<li>10 Must-Do WordPress Tasks</li>
<li>Galvanizing WordPress</li>
<li>Containing Content</li>
<li>Serving Up Security</li>
<li>Solidifying Unmanaged</li>
<li>Defense in Depth</li>
</ol>
<p>Each chapter is further subdivided into a number of dense subsections covering a multitude of topics. The breadth of coverage impressed me from the start. Additionally, the tools and topics covered were modern, up-to-date, tried, and tested. I&#8217;ve read a number of security books and it&#8217;s rare to find one with comprehensive coverage of tools that will all be useful as you read through the chapters. Chapter 2 is especially interesting in this regard, as you&#8217;re guided through the process of analyzing and scanning a possible target as though you yourself were the hacker (or cracker in this case).</p>
<p>Chapter 3 provides extensive coverage on securing your local machine, which is a significant portion of every good security policy. Many times people forget that the biggest security vulnerability could have absolutely nothing to do with your server or the network it&#8217;s on, but instead your local computer. The one that insecurely stores your WordPress administrator login information.</p>
<p>WordPress-specific content doesn&#8217;t really ramp up until Chapter 5 of the book. SSL and security-oriented Apache modules are the focus of the chapter, leading up to Chapter 6 which outlines a number of smaller tasks that can help with WordPress security through obscurity.</p>
<p>The book moves into the server side of things in Chapter 9. The author gives advice on choosing the right host based on a number of criteria, outlines the pros and cons of popular control panel software solutions, explains how users and permissions work, all the way down to implementing a useful logging system.</p>
<p>The book gets even more detailed from there by discussing lower level server administration steps that can be taken in an effort to minimize the various ways a cracker may be able to obtain unauthorized access to your system. Through Chapter 11 I became increasingly impressed with the level of detail the author went to in discussing the vast number of responsibilities required when it comes to server administration tied into ways they can be exploited and ways you can thwart those attacks.</p>
<p>While I couldn&#8217;t consider this title to be the last one you should read on modern server security, I would highly suggest it as a starting point for things to look into as time goes on.</p>
<h3>Overall reaction</h3>
<p>After making it through the nearly 400 pages of content I was honestly impressed with the amount of content offered in the book. The author does a fantastic job of covering an extremely wide variety of angles which makes complete sense with such a diverse topic as security. If you were to follow the advice offered in the book you&#8217;d be left with not only a strong server environment, but a more secure local environment as well.</p>
<p>If you&#8217;re the person responsible for your client&#8217;s WordPress installs, or responsible for your own, taking a read through <a href="http://www.packtpub.com/wordpress-3-ultimate-security/book">WordPress 3 Ultimate Security</a> by Olly Connelly will very likely teach you a few things in a number of areas concerning your install. My take home message is an overall feeling of being impressed with the volume of content covered in under 400 pages. That said, the book may prove to be a bit overwhelming to some people who are less technical, but if that&#8217;s the case, unmanaged hosting might not be the place for you.</p>
]]></content:encoded>
			<wfw:commentRss>http://mondaybynoon.com/20120130/wordpress-3-ultimate-security-book-review/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>&#8226; Current Events: Lazy Admins and WordPress Security</title>
		<link>http://mondaybynoon.com/feeder/?FeederAction=clicked&#038;feed=Posts+%28RSS2%29&#038;seed=http%3A%2F%2Fmondaybynoon.com%2F20090907%2Fcurrent-events-lazy-admins-and-wordpress-security%2F&#038;seed_title=%26%238226%3B+Current+Events%3A+Lazy+Admins+and+WordPress+Security</link>
		<comments>http://mondaybynoon.com/20090907/current-events-lazy-admins-and-wordpress-security/#comments</comments>
		<pubDate>Mon, 07 Sep 2009 15:55:31 +0000</pubDate>
		<dc:creator>Jonathan Christopher</dc:creator>
				<category><![CDATA[Current Events]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[WordPress]]></category>
		<category><![CDATA[admin]]></category>
		<category><![CDATA[Design]]></category>
		<category><![CDATA[Web]]></category>
		<category><![CDATA[worm]]></category>

		<guid isPermaLink="false">http://mondaybynoon.com/?p=562</guid>
		<description><![CDATA[WordPress has been receiving some bad press about a recent security issue. Make sure you're not being lazy.]]></description>
			<content:encoded><![CDATA[<p><a href="http://wordpress.org">WordPress</a> has had a string of bad press as of late, and it&#8217;s important as a Web designer to know the real deal, and how (if) it affects your work, especially if you or your clients use it. I&#8217;m quite vocal about my admiration of WordPress. I&#8217;ve been a dedicated user since early versions, and I&#8217;ve come to know and love WordPress, for both the good and the bad. Mostly the good of course.</p>
<p>WordPress has had security breaches in the past, and <em>there will be more</em> in the future. That&#8217;s just the way it is. Attempting to classify any piece of software as completely void of security holes is a lost cause, and no software should be held to that standard. It&#8217;s up to the end user to take it upon himself to analyze the software and make an educated decision to use it. While it doesn&#8217;t remove responsibility completely, to WordPress&#8217; credit, <a href="http://lorelle.wordpress.com/2009/09/04/old-wordpress-versions-under-attack/">this most recent issue</a> took hold only on outdated versions of WordPress. If you have been keeping your WordPress install(s) up to date, you were already covered when the incident first became widespread.</p>
<p>To me, the issue here lies with end users. WordPress is an extremely popular content platform. Millions of users happily publish their content to the world using the system, and that&#8217;s the extent to which they know about it. If I had to venture a guess, I would speculate that the majority of WordPress <em>users</em> have never actually installed the system, or are even aware if their version is the most current. Therein lies the problem, but that problem is in no way limited to WordPress itself. That is an issue with any piece of self-hosted software; there is an issue of responsibility on the owner himself.</p>
<h2>There&#8217;s always a tradeoff</h2>
<p>A larger segment of backlash directed toward WordPress revolves around the fact that it&#8217;s self-hosted, that most of the end users wouldn&#8217;t know how to upgrade or even that it was possible. <strong>That&#8217;s not WordPress&#8217; fault.</strong> That&#8217;s the fault of either the site owner, or the Web firm who set up his website. Someone needs to retain the responsibility of maintaining the install, <em>it can&#8217;t be left to rust</em>. If you&#8217;re handing over the keys to a client, you need to make him aware of the ramifications of <em>your</em> decision to use a self-hosted application. You&#8217;ll need to explain that the software will need to be maintained and kept up to date, if for nothing else, to avoid security issues. That puts the pressure on him. The other option is to make sure your client WordPress installs are kept up to date. That puts the pressure on you. One way or another, that decision needs to be made along with the original analysis regarding whether or not WordPress will effectively facilitate the project.</p>
<p>I use WordPress for the majority of my work. I know WordPress inside and out, I love the system, and I love the community. I know and expect there to be issues from time to time, and I take the time to make sure my WordPress installs are kept up to date. Not to toot a horn or anything, but I&#8217;ve never had a security issue with WordPress, and if that&#8217;s simply from keeping my installs up to date in reasonable intervals, I believe that&#8217;s a tribute to the WordPress team and community.</p>
<p>I realize that I&#8217;m running a risk by self-hosting my platform of choice, but there is no way I&#8217;ll ever return to a hosted solution simply because there are too many hoops to jump through. I prefer to hit the ground running, know what I&#8217;m doing, and get the job done in the fastest (most custom) way possible. Hosted solutions simply aren&#8217;t my choice solution, and as far as I can tell, it&#8217;s going to be some time before that&#8217;s the case (if ever). That&#8217;s a super opinionated statement, but I feel it&#8217;s important to convey that I do keep up to date on hosted solutions and consider each in comparison to WordPress as updates are rolled out.</p>
<h2>Don&#8217;t be lazy</h2>
<p>It&#8217;s tough to hear the integrity of WordPress be put in question because of <em>lazy admins</em>. To me, that&#8217;s what it comes down to after all. I&#8217;ve heard excuses left and right about why people don&#8217;t upgrade, right down to it being too time consuming, but it all comes down to laziness. The WordPress team has made the upgrade process a literal &#8220;click of a button&#8221; in the past year. It doesn&#8217;t get much easier than that. If your theme might break with a plugin upgrade or an upgrade to WordPress itself, <strong>write better themes</strong>. Your code should revolve around the fact that WordPress (and her plugins) are going to update, and it&#8217;s going to happen often. To moan about maintenance work is just a lazy excuse in my opinion.</p>
<p>I understand that there are other systems out there that don&#8217;t demand such care-taking, but I&#8217;m the type of person that wouldn&#8217;t simply let a version of software sit simply because I don&#8217;t take the few minutes to perform some maintenance. I would wonder why anyone would take such a stance to be honest with you, at least anyone in this industry for that matter. Why would you want to knowingly settle down with an expired piece of software?</p>
<h2>Taking it for what it is</h2>
<p>We know the issue of &#8216;Windows syndrome&#8217;. Crackers will spend most of their time and effort on the most popular system; you get the most bang for your buck. Not only is the software everywhere you look, it&#8217;s maintained by an exorbitant number of underqualified people. Unfortunately, WordPress fits quite snugly in this classification, and that&#8217;s a major reason you&#8217;re seeing security issues get so much attention.</p>
<p>On top of that, WordPress is open source. Crackers have been given potential security issues arranged beautifully on a silver platter. More often than not, that works for the benefit of the community, and security issues are squashed before so much as a photon of light can provide exposure. In the eyes of security, this could be looked at as a con in comparison to a hosted solution. Without direct access to source code, malicious intent is much more difficult to bring to fruition. That&#8217;s why you aren&#8217;t seeing these security announcements from other self-hosted or hosted solutions; the access and desire just aren&#8217;t there.</p>
<h3>I&#8217;m not trying to make excuses</h3>
<p>Of course I would prefer to not read these security bulletins about WordPress, but I take the responsibility associated with my decision to use WordPress and this comes with the territory. If you&#8217;re a WordPress user, just make sure you understand that this is part of the job, and if it&#8217;s not something you&#8217;re interested in, you should start examining other solutions. If you&#8217;re not a WordPress user, take the experience for what it&#8217;s worth, and give your application of choice another rundown solidifying your decision to use it.</p>
<p>I&#8217;m also not trying to start a flame war here, it&#8217;s just disconcerting to hear the instant dogging of a system that many of the nay-sayers aren&#8217;t even using. I suppose that&#8217;s the way of the Internet and will always be the case, I just hope that many people take the high ground and realize this, like everything else, is both a learning experience as well as a reminder.</p>
<p><a href="http://wordpress.org/development/2009/09/keep-wordpress-secure/">Remain educated</a>. Don&#8217;t take software for granted. Make sure your scheduled backup systems are in place, make sure your software is up to date, and don&#8217;t be a lazy Web designer.</p>
]]></content:encoded>
			<wfw:commentRss>http://mondaybynoon.com/20090907/current-events-lazy-admins-and-wordpress-security/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
	</channel>
</rss>

