Austin WordPress Meetup Notes — 5/9/11
This month’s Hands On WordPress meeting focused on WordPress security. Nick Batik explained that the good news is that WordPress is the most commonly used platform for websites on the web – 14% of all sites, and nearly 55% of those sites that use a Content Management System. He noted that this is also the bad news, because big targets attract hackers. Nick demonstrated some known types of WordPress vulnerabilities. He walked us through the mind and methods of a hacker, the most common mistakes WordPress users make when installing and maintaining a WordPress site, and then demonstrated a series of easy, common-sense steps to make a WordPress site safe and secure. It’s not hard, and it’s not scary once you know how. The meeting closed with a #WPATX member Q&A. Nick has posted the responses to those FAQs in a series of short blog posts both here and on the Austin WordPress Meetup site wpaustin.com.
WordPress Security FAQs
Why would someone hack my WordPress site, I don’t even have a lot of visitors yet?
A basic tenet of WordPress security is that these individuals are not targeting your WordPress website – your site is just one of thousands they probe for vulnerabilities. You need to understand that in the mindset of a hacker this is strictly a numbers game, and one day your site’s number just comes up — it is not personal.
In WPATX meet-ups I have demonstrated some of the ways a hacker finds vulnerabilities in WordPress websites. I will not include that information here, because all I want to do is illustrate that no one is immune and that every WordPress site can have a vulnerability — not teach you, or others, how to hack.
Most often hacking is a crime of opportunity – like an open gate or an unlocked car door. In general, the hacking process involves three steps:
- Find a point of entry
- Compare the website / server information to known vulnerabilities
- Have fun
The hacker doesn’t even have to know what he or she is doing. There are many programs, found on hacker sites, that go through this process automatically. These are popular with novice, juvenile, or dilettante hackers. Because they often don’t require any sophisticated understanding to operate, the people who use them are held in very low regard by the “real” hacker community and are referred to by the derogatory term “script kiddies.” That does not mean that a persistent script kiddie can’t do some very real damage to your WordPress website.
To learn more about common entry points for hackers, see Nick Batik’s answers to other WordPress Security FAQs:
- WordPress Security – How to Prevent Directory Browsing
- WordPress Security – How to Prevent Brute Force Attacks
- WordPress Security – Locking Down Your Site
- WordPress Security – Backing Up Your Site