I’ve written a fair bit on the topic of securing WordPress-based sites and blogs; however, it seems that no matter how much I write, it is still not enough. Hardly a week goes by where I don’t hear horror stories from our clients and various other friends in the trade whose sites get infected with malware. After handling a lot of such cases and doing some research, I found that one of the major reasons sites get infected is that the webmaster’s own computer was infected with malware.
I’ll also be listing various resources that can be used to further strengthen security; however, first I would like to put forth my views on why webmasters should use Mac or Linux. I will only list those points that are logical, and none of them are influenced by anything else. So here’s why I suggest so, and how easy it is to switch too:
1. To keep yourself safe from viruses: I’ve used all three OSes and I’ve personally experienced that Mac and Linux aren’t as prone to viruses as Windows is. The simple fact is that the market share of Windows is more than 90%, and that’s why almost every virus is targeted at Windows users. So, if you are using either of those two OSes you’d be safe from viruses, and thus you reduce the chances of getting your website hacked.
2. For keeping others safe: As I’ve said, the majority of cases that I’ve dealt with are those where the webmaster’s computer was compromised. Moreover, once sites are infected, they infect the computers of those who visit the site, and that’s how they spread so quickly! Now, if in the first place the webmaster had been using Linux or Mac, it would have ensured that at least they were not making the situation worse.
3. Switching is pretty easy: Most users give the reason that they won’t be able to switch because of incompatibility issues, and that they think it would be a pain to switch platforms because of the unavailability of software. I agree that at one time it would have been difficult for most people; however, webmasters specifically won’t find any issues choosing these two platforms, as most of their tasks are done online. For the rest, most of the software required either has a worthy alternative or, if you are an open-source fan, you’d surely find most of it available for all three platforms. Here are some resources:
- A wonderful guide you can follow to make the easy switch.
- Various Windows software alternatives for Linux.
- Various open-source software for Mac.
Try a gradual switch and start using these OSes. If you really want to run Windows software, you can try WineHQ or CrossOver (commercial), and most likely the software will work fine for you. If the software still doesn’t work and you can’t find an alternative, you can simply use VirtualBox or Parallels to run Windows inside Linux or Mac.
So when we know that for webmasters it can be easy to switch to Mac or Linux, why not use either of those two operating systems and keep yourself and the world safe from that malware? Anyway, enough ranting. As I said, during my research I read quite a bit about website security, so I would like to share that with you:
How to strengthen the security of your WordPress blog?
- Don’t forget to read the articles I wrote a while back on the topic of securing WordPress.
- If possible, switch your OS as soon as possible. Don’t think of it as a stupid suggestion; consider this one for sure!
- Restrict WordPress admin use by IP address.
- Learn to restrict FTP server access to specific IPs using VSFTPD. I know that not everyone gets a static IP address from their internet service provider; however, use of a VPN (I use StrongVPN) can certainly help you get over that problem.
- More security steps can be taken through the .htaccess file; here are 11 more steps that you can use.
- Jeff Starr has created wonderful instructions for securing servers via .htaccess and blocking known malware techniques.
- Blocking spam is equally important. Chances are that some spam comment will carry the URL of a site that is infected, so it’s important to ensure that no spam comment passes through.
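The “restrict WordPress admin use by IP address” item above is usually done with an .htaccess file inside wp-admin/. The following script is an added example, not code from the original post, that generates that file from a list of allowed addresses. It assumes Apache 2.4 (mod_authz_core) with AllowOverride enabled for the site; the addresses it uses are constructed from the RFC 5737 documentation range and are not real. If you reach the site through a VPN, as the FTP item suggests, the VPN’s egress address is the one to list.

```shell
#!/bin/sh
# Added example (not from the original post): write wp-admin/.htaccess so that
# only listed IPv4 addresses (or CIDR ranges) can reach the admin area.
# Assumes Apache 2.4 authorization syntax ("Require ip"); addresses below are
# constructed documentation addresses (RFC 5737).
set -eu

# Accept a dotted-quad IPv4 address, optionally followed by /prefix (0-32).
is_ipv4() {
  case "$1" in
    ""|*[!0-9./]*) return 1 ;;            # only digits, dots and one optional slash
  esac
  addr="${1%%/*}"
  case "$1" in
    */*) prefix="${1#*/}"
         case "$prefix" in ""|*[!0-9]*) return 1 ;; esac
         [ "$prefix" -le 32 ] || return 1 ;;
  esac
  old_ifs="$IFS"; IFS=.
  set -- $addr                            # split on dots into positional params
  IFS="$old_ifs"
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ""|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# write_admin_allowlist <wp_root> <ip> [<ip>...]  -> prints path of the file written
write_admin_allowlist() {
  wp_root="$1"; shift
  [ $# -gt 0 ] || { echo "need at least one allowed address" >&2; return 1; }
  for ip in "$@"; do
    is_ipv4 "$ip" || { echo "rejecting malformed address: $ip" >&2; return 1; }
  done
  mkdir -p "$wp_root/wp-admin"
  out="$wp_root/wp-admin/.htaccess"
  {
    echo '# Generated by write_admin_allowlist: admin area restricted by source IP.'
    echo '# Any request from an address not listed here gets a 403.'
    echo '<RequireAny>'
    for ip in "$@"; do echo "    Require ip $ip"; done
    echo '</RequireAny>'
    echo
    echo '# admin-ajax.php is called by the public front end (themes and plugins),'
    echo '# so it must stay reachable or those features break for every visitor.'
    echo '<Files admin-ajax.php>'
    echo '    Require all granted'
    echo '</Files>'
  } > "$out"
  echo "$out"
}

# --- constructed demo: a throwaway install root and two documentation addresses ---
DEMO_ROOT="$(mktemp -d)"
DEMO_FILE="$(write_admin_allowlist "$DEMO_ROOT" 203.0.113.10 198.51.100.0/24)"
cat "$DEMO_FILE"
```

Malformed addresses are rejected before anything is written, because a typo in an allowlist is the difference between locking out attackers and locking out yourself. The admin-ajax.php exception is deliberate: that file lives under wp-admin/ but is called from the public site, so a blanket block would break front-end features for every visitor.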
What else can be done other than IP address and .htaccess tricks?
Some of WordPress’ cool features come from allowing some files to be writable by the web server. However, letting an application have write access to your files is a dangerous thing, particularly in a public environment. It is best, from a security perspective, to lock down your file permissions as much as possible and to loosen those restrictions only on the occasions when you need to allow write access, or to create special folders with more lax restrictions for the purpose of doing things like uploading images. In short, we are talking about the chmod settings on the server.
All files should be owned by your user account and should be writable by you, and any file that needs write access from WordPress should be group-owned by the user account used by the web server. Of course, learning this can surely take some time, but if you really want to secure your server, then this is one thing you should focus on!
- / — the root WordPress directory: all files should be writable only by your user account, except .htaccess if you want WordPress to automatically generate rewrite rules for you.
- /wp-admin/ — the WordPress administration area: all files should be writable only by your user account.
- /wp-includes/ — the bulk of WordPress application logic: all files should be writable only by your user account.
- /wp-images/ — image files used by WordPress: all files should be writable only by your user account.
- /wp-content/ — variable user-supplied content: intended by developers to be completely writable by all (owner/user, group, and public).
- /wp-content/themes/ — theme files. If you want to use the built-in theme editor, all files need to be group writable. If you do not want to use the built-in theme editor, all files can be writable only by your user account.
- /wp-content/plugins/ — plugin files: all files should be writable only by your user account.
- Other directories under /wp-content/ should be documented by whatever plugin or theme requires them. Permissions may vary.
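The ownership rule stated above (everything owned by your account, and only the files WordPress must write group-owned by the web server’s account) can be applied in one pass. The script below is an added example, not code from the original post or from WordPress. It assumes WP_ROOT is the install directory and WEB_GROUP is the group the web server runs as (www-data on Debian/Ubuntu, apache on RHEL); it follows the group-ownership rule rather than the “writable by all” option listed for /wp-content/, granting write access only to wp-content/uploads and wp-content/upgrade, and it builds a throwaway install tree so it can be run without touching a real site.

```shell
#!/bin/sh
# Added example (not from the original post): apply the WordPress ownership and
# permission model to an install directory.
# Assumptions: WP_ROOT is the install root; WEB_GROUP is the web server's group
# (www-data / apache). For the offline demo it defaults to our own primary group
# so the script runs unprivileged.
set -eu

WEB_GROUP="${WEB_GROUP:-$(id -gn)}"

# Octal mode of a path (GNU stat, falling back to BSD stat).
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Directories 755, files 644: readable by the web server, writable only by the
# owning account. wp-config.php holds the database credentials, so it gets 600.
lock_down() {
  root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  if [ -f "$root/wp-config.php" ]; then
    chmod 600 "$root/wp-config.php"
  fi
}

# Hand one directory tree to the web server's group: group-owned, 775/664, with
# the setgid bit on directories so files the server creates inherit the group.
grant_web_write() {
  dir="$1"
  [ -d "$dir" ] || mkdir -p "$dir"
  chgrp -R "$WEB_GROUP" "$dir"
  find "$dir" -type d -exec chmod 2775 {} +
  find "$dir" -type f -exec chmod 664 {} +
}

# Lock everything down first, then re-open only what WordPress must write to.
harden_wp() {
  root="$1"
  lock_down "$root"
  for d in wp-content/uploads wp-content/upgrade; do
    grant_web_write "$root/$d"
  done
}

# --- constructed demo tree (not a real install) so the script runs offline ---
WP_ROOT="${WP_ROOT:-$(mktemp -d)/wordpress}"
mkdir -p "$WP_ROOT/wp-admin" "$WP_ROOT/wp-includes" \
         "$WP_ROOT/wp-content/plugins/example-plugin" \
         "$WP_ROOT/wp-content/uploads/2011"
: > "$WP_ROOT/wp-config.php"
: > "$WP_ROOT/wp-content/plugins/example-plugin/example-plugin.php"
: > "$WP_ROOT/wp-content/uploads/2011/photo.jpg"
chmod 777 "$WP_ROOT/wp-content/plugins/example-plugin/example-plugin.php"  # simulate a sloppy FTP upload

harden_wp "$WP_ROOT"

for p in wp-config.php wp-content/plugins/example-plugin/example-plugin.php \
         wp-content/uploads wp-content/uploads/2011/photo.jpg; do
  printf '%s  %s\n' "$(mode_of "$WP_ROOT/$p")" "$p"
done
```

Running it against a real install means setting WP_ROOT and WEB_GROUP first and running it as the account that owns the files (it needs to be a member of the web server’s group for chgrp to succeed). If you rely on the built-in theme editor or in-dashboard plugin updates, add those directories to the loop in harden_wp rather than loosening the whole of wp-content.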
Plugins that I prefer for securing WordPress
1. WordPress File Monitor – Think of it as a watchdog! It monitors your WordPress installation for added, deleted or changed files. When a change is detected, an email alert can be sent to a specified address. So even if you add files using FTP, it will let you know. This is a fantastic way to ensure that no compromised file gets onto the server without passing under its nose.
2. WordPress Firewall – I personally love this plugin. Of course, using this plugin means that you’d lose out on WordPress theme/plugin editing capabilities and a few things here and there; however, this plugin will ensure that everything is super secure.
3. Block Bad Queries – Another gem from Jeff Starr. This plugin will ensure that your WordPress site is safe from known vulnerabilities.
Well, there have been countless posts on the topic of security, and the worst part is that things aren’t improving one bit. It’s important to choose the right web host as well. If this post of mine is a request to webmasters, Mark Jaquith has asked web hosts to become more secure and to help webmasters understand the security of blogs and websites. It is an interesting read, so even if you are not a web host, I would suggest you read it.
What are your thoughts about changing your OS to ensure a safe and secure website? Do you think one should go ahead and change their OS to ensure that their site remains secure from malware to a large extent? Please share your thoughts in the comments.