V is for Vigilant
keeping careful watch for possible danger or difficulties
Yesterday I began talking about security through the routine installation of upgrades. This is probably the biggest single thing you can do to secure your self-hosted WordPress site. You need to be vigilant about upgrades to any software you use or have loaded on your computer, host, and mobile devices.
Upgrade WordPress to the current version. Why? Because these new versions have bug fixes and close security gaps. Most malware that can get onto or into your site comes through holes that bad guys have previously used. Of course there is always the time period between when a problem is discovered and when it gets fixed, and maybe there is nothing you can do during that time period. But after the fix is available you need to take advantage of it. If you don’t, a bad guy will sniff out your vulnerability and exploit it. You might as well be playing the poor damsel in distress and broadcasting, “Yoo hoo, hackers, come on over and f*** my site.”
When you log in to your WordPress dashboard, you should see a notification if there is a new version of WordPress available. If there is a newer version than the one you are using, you need to do a site or blog backup and then install the newest version. The current version as of this writing is 3.3.2, which was released on April 20th, 2012. There is another planned update on May 9th, 2012. How do I know this? Besides my brilliance and psi powers (Not!), there is a WordPress page that tells you all the release info in a nutshell: http://codex.wordpress.org/WordPress_Versions
Do back up your site first, though, before you upgrade. If there is something incompatible on your site, upgrades can “break.” It does not happen often, but it can happen. The most likely cause of an upgrade breaking something, according to what I’ve been told by trusted, informed, guru-ish and nerdy sources, is that incompatible plug-ins will not work and play nicely with the new code in the upgrade.
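Here is the “check the version, back up, then upgrade” routine from the two paragraphs above written as a small script. This is an added example, not code from the original post or from WordPress itself; it assumes the standard layout where wp-includes/version.php holds $wp_version and wp-config.php holds the DB_* defines, and it takes the “latest” version number from you (read it off the dashboard notice or the codex page), so it runs offline on a constructed sample install.

```python
import re, tarfile, tempfile, time
from pathlib import Path

def parse_wp_version(version_php: str) -> str:
    """Read the installed version from wp-includes/version.php ($wp_version = '3.3.2';)."""
    m = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]", version_php)
    if not m: raise ValueError("no $wp_version found in version.php")
    return m.group(1)

def needs_upgrade(installed: str, latest: str) -> bool:
    """Compare numerically, so '3.3.2' < '3.4' (a plain string compare gets '3.10' wrong)."""
    a = [int(p) for p in installed.split(".")]
    b = [int(p) for p in latest.split(".")]
    n = max(len(a), len(b))
    return a + [0] * (n - len(a)) < b + [0] * (n - len(b))

def parse_db_config(wp_config_php: str) -> dict:
    """Pull DB_NAME/DB_USER/DB_HOST out of wp-config.php for the database dump."""
    found = {}
    for key in ("DB_NAME", "DB_USER", "DB_HOST"):
        m = re.search(r"define\(\s*['\"]" + key + r"['\"]\s*,\s*['\"]([^'\"]*)['\"]", wp_config_php)
        if not m: raise ValueError("wp-config.php is missing " + key)
        found[key] = m.group(1)
    return found

def backup_files(site_dir: Path, dest_dir: Path) -> Path:
    """Tar the whole site tree (wp-config.php, themes, plug-ins, uploads) before upgrading."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    out = dest_dir / ("wp-files-" + time.strftime("%Y%m%d-%H%M%S") + ".tar.gz")
    with tarfile.open(str(out), "w:gz") as tar:
        tar.add(str(site_dir), arcname=site_dir.name)
    return out

def preupgrade_check(site_dir: Path, latest: str, backup_dir: Path) -> dict:
    """If the install is behind `latest`, back up the files and build the DB dump command."""
    installed = parse_wp_version((site_dir / "wp-includes" / "version.php").read_text())
    result = {"installed": installed, "latest": latest, "upgrade": needs_upgrade(installed, latest)}
    if result["upgrade"]:
        db = parse_db_config((site_dir / "wp-config.php").read_text())
        result["files_backup"] = backup_files(site_dir, backup_dir)
        # -p with no value makes mysqldump prompt, so the password never lands in shell history
        result["db_dump_cmd"] = "mysqldump -h %s -u %s -p %s > wp-db.sql" % (db["DB_HOST"], db["DB_USER"], db["DB_NAME"])
    return result

def demo() -> dict:
    """Constructed 3.3.2 install in a temp dir, checked against a constructed '3.4' as latest."""
    site = Path(tempfile.mkdtemp()) / "site"
    (site / "wp-includes").mkdir(parents=True)
    (site / "wp-includes" / "version.php").write_text("<?php\n$wp_version = '3.3.2';\n")
    (site / "wp-config.php").write_text("<?php\ndefine('DB_NAME', 'wp');\ndefine('DB_USER', 'wpuser');\ndefine('DB_PASSWORD', 'constructed');\ndefine('DB_HOST', 'localhost');\n")
    return preupgrade_check(site, "3.4", site.parent / "backups")
```

Only run the actual upgrade (from the dashboard, as the post describes) after both the tarball and the database dump exist; if the upgrade “breaks” something, those two files are what you restore from.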
So how do you take care of that mess and prevent it from happening, if at all possible? Plug-ins have upgrades too. Use only trusted plug-ins that are absolutely necessary for your purposes. Plug-ins add some sort of functionality to a program that you use; in this case it is WordPress. Before you install any plug-ins, do your homework. You wouldn’t put just anyone’s doo-whichy into your doo-whatchy, would you? Well, don’t do it with your computers, laptops, notebooks, iPads and mobile devices either! Geesh, it is just basic hygiene!
The best plug-ins don’t just do neato-keen things; they save you heartache from unwanted gifts that keep on giving, just like in the biological world. Akismet is my favorite plug-in that protects me from spam. It acts as a trap and catches comments that have some of the characteristics of spam. You may have set the Settings – Discussion options so that visitors must leave a name and email and have a previously approved comment before their comments are automatically allowed, which is one thing that regular visitors and comment givers really like. Even so, bad guys and gals who are trolling for click-throughs or access to less secured areas of your site may seem like sincere comment leavers at first. They are just waiting for you to let your guard down, and then they will spam you with Viagra ads or tempt you with wonderful-sounding offers (often about security), but Akismet catches these and holds them for you to evaluate. At first glance nothing seems unusual in this real example of a spam comment:
I really like what you’ve done with the thmeme but I was asking myself if you are the one that created it or you just bought it and customized it?
This was a gateway spam comment. No links in it, but if I had allowed this comment by the author, there would have been another post that wasn’t captured through the discussion settings, and then the spam would have hit. So how did I know it wasn’t real? Well, for one thing, saying nice things about your site is a standard way to try to gain trust through flattery. But I have WordPress and Elegant Themes links at the bottom of my pages, so anyone actually interested in my changes would have said something more in depth. That, and I checked the email address of the poster and it ended in .ro. Not that many people in Romania read my blog, and lots of attacks originate in the Eastern Bloc and former USSR states, so I will block those IP addresses that have sent spam. Often the originating site of the spam is only up and live for a day or two. That is how these hackers work. Akismet gets most of these, and every few days, ideally every day, I check my Akismet spam folder and allow real posts from recognized readers through. Better safe than sorry.
So yes, you have to update your plug-ins too. New versions of plug-ins most often fix holes, just as with your platform. They are also noted on your WordPress dashboard.
This is such a huge and not-fun-to-think-about topic that I totally understand why lots of bloggers just don’t want to think about all the details involved in security. But like anything else in life, just work it into your routine and eventually it becomes second nature.
That is probably enough to leave your head spinning, so I will end this post. There are another few areas of basic site security that I want to make sure my readers know about, so there will be another installment in this “series” of posts. I want to talk about theme updates, some other easy fixes that minimize your risks, and I want to share a bunch of web resources at which you might want to take a look.