One of the more obscure things Venture Skills does is forensic reinclusion or reconsideration requests. This is when a site has been removed from Google and other search engine indices and we are asked to help determine why and to fix the problems. The usual reasons are:
- Bad SEO work – hidden text etc.
- Other penalty-related – a growing issue
- Hacked site
Now, in 2007 the rough breakdown was 80% bad SEO work, with the remaining 20% being some sort of security compromise. In 2008 these figures have changed dramatically, with bad SEO work accounting for less than 30% and other penalties (normally paid links) accounting for another 15%, with the rest being hacked sites.
Disclaimer – This post is not designed to frighten, merely to inform. I am not saying plugin x or y is insecure, but it potentially could be. Remember, security is something you have to deal with; you cannot put your head in the sand!
Another disclaimer – A hacker is not someone who breaks into systems; however, for the sake of simplicity I will use the term as such. Shoot me later.
Who is coming to see us?
Most of our clients have several things in common: they are normally running WordPress, and the first indication they have been hacked is either a sudden loss in rankings or the StopBadware notice appearing against their name.
Now, WordPress is not inherently insecure, but with popularity comes greater risk. As there are more sites using WordPress, it provides a greater opportunity and scope for any potential attack, and WordPress's simplicity and scalability through plugins make it very popular with all sorts of people. So it should be no surprise that the majority of hacked sites we are seeing through our doors are WordPress.
Google does normally give warnings and notices of problems via Google Webmaster Tools, but to be fair, how many people log in to their account every day? Well, you are the exception to the rule; most people do not!
How do these attacks happen?
WordPress, like any modern CMS, is complicated code which is bound to have bugs and holes which can be exploited. Normally the exploitation is quite minor; very rarely is a hole big enough to give a hacker access to your admin area or your system. Normally they aim to add links or files to the server (with files, the goal is usually to execute them remotely). Normally it is links being inserted into your pages that gets you thrown out of Google's index.

The official line from Automattic (the people who write WordPress) is that these hacks occur because people fail to upgrade, and there may be some truth in that: most WordPress upgrades include security and bug fixes. Of course there are many reasons not to upgrade, from training to compatibility issues.
What can we do to stop a visit to Tim?
So what I want to do is really open people's eyes and stop them visiting me, by not having had their sites compromised. We are never going to stop it entirely, but we can take steps to prevent it. But first I would like to tell you two stories:
One day an IT technician upgraded their software to the latest version. He did it late on a Friday night; the whole upgrade took 5 minutes and went smoothly, and the technician went to the pub. On Monday morning he logged into the support ticket system and found literally hundreds of tickets. He was confused: what went wrong? The upgrade went fine? Except for the fact that no one was told of the upgrade, no training was given for the new interface, and several plugins no longer worked. The next Friday he is standing looking at the job board outside the Job Centre.
No IT technician would ever upgrade software without testing it first, checking it was compatible and organising training for users; if they did, they wouldn't be surprised to be out of work. Most companies understand that you can't simply upgrade software, and so provide two streams of updates: updates which affect users, and security patches which allow technicians to secure their software without affecting their users. Big open source projects that are geared towards businesses, like Drupal, also follow this pattern, providing updates but also making sure bug and security patches are available for previous releases.
Automattic could and should take this on board; WordPress is not suitable for business until it recognises that businesses cannot just upgrade software. Users, on the other hand, cannot blindly upgrade: just look what happened to Shaun and many others who upgraded to WordPress 2.5 recently, only to find themselves in real trouble because of an incompatible plugin. WordPress 2.5 was a major change for WordPress, but it also included important security updates, so WordPress users are now put between a rock and a hard place: deal with the changes and upgrade, or pray they don't fall victim to the holes that had been patched.
My second tale is one designed to remind you that not everything that glitters is gold.
Disclaimer – I am sure wp-scanner is highly secure and this is not meant to dissuade people from using it, but it is the obvious plugin to highlight!
One of my previous places of employment had a very secure network, but one day it came under a very intense denial of service attack. The security technician was scratching his head: the target of the attack shouldn't have been easy to find externally, and the network had more obvious targets. Eventually the problem was tracked down. One member of the IT staff had downloaded a piece of software to help find a route through firewalls for P2P software; the software called an external scanner, and the combined information was being sent (unknown to the member of staff) to a third party and was used to attempt to breach the network.
WordPress is an amazingly powerful piece of software; it has a nice API system allowing plugin designers to extend it. But this system can be easily abused: how hard would it be for me to add a simple function that, when called, created a user called backdoor? More importantly, when plugins are calling home, do you know what they are sending? Take wp-scanner: imagine if it in fact makes 7 security tests, not 6?
But Tim, how do I secure my WordPress install!
On the whole, keeping your WordPress install up to date is a good idea; however, it is always good to have a test blog. Always test upgrades and plugins on your test site first. Don't rely on other people to do your testing!
Having a mirror of your current blog is very useful: it not only allows you to test upgrades but also provides a safe backup should the worst occur.
User control
Roles
Even if you have only one person writing on the blog, have two accounts: one set with the user role of Author, which you use day to day for writing posts (this will normally be account #2), and an admin account, a full Administrator account which is used only for administration purposes (this is normally the #1 account). You can change the default username from admin; this can be done using phpMyAdmin or similar. The table you're looking for is wp_users, where wp is the prefix you selected. Change the first user from admin to something else.
Enforce Password Strength
The new WordPress 2.5 does have a password strength meter to indicate password strength, but it's education that is really needed, to explain why complex passwords are required. A complex password is more than 6 characters, with both alphanumeric characters and symbols. Df%34g8b is a secure password; iamgod is not!
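As an added illustration of the rule just stated (example code written for this post, not part of the original and not WordPress's own strength meter), here is a small Python check that applies it: more than 6 characters, with letters, digits and symbols all present. The function names and the wording of the failure reasons are this example's own.

```python
import string

# The post's rule: a complex password is MORE than 6 characters, so 7 is the minimum.
MIN_LENGTH = 7


def password_problems(password):
    """Return the list of requirements the password fails; an empty list means it passes.

    Requirements (from the post): more than 6 characters, and letters, digits and
    symbols all present. The wording of each reason is this example's own.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short: needs more than 6 characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbols")
    return problems


def is_strong(password):
    """True when the password meets every requirement checked by password_problems()."""
    return not password_problems(password)


if __name__ == "__main__":
    # The two passwords from the post, plus one that looks strong but has no symbol.
    for candidate in ("Df%34g8b", "iamgod", "Password1"):
        verdict = "OK" if is_strong(candidate) else "; ".join(password_problems(candidate))
        print(f"{candidate:12} -> {verdict}")
```

Reporting the reasons, rather than a bare pass/fail, is the part that does the educating: a user told "no symbols" knows what to change.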
Security by obscurity
Not something people should rely on, but did you know most WordPress blogs announce not only that they run WordPress but also the version? It's a bit like having a sign on the front of your house saying the safe inside is a "sidebox 724 9 button version".
You can remove the version number by editing your theme template (pre 2.5) or by using the Replace Version plugin (post 2.5).
Secure your admin area
If you have SSL, shared or dedicated, make use of it by securing your admin login area. Given that only a few users access the admin area, look at locking it down to a small group of IPs with Admin Protect.
General tips
Do not do MySQL or WordPress backups, name them backup.sql and leave them in the root folder. You laugh, but this is quite the norm; backups should always be outside the public_html folder. Indeed, backups are really only useful if they are not in the danger area, so look to keep them in a secure third place away from your server.
Look at plugin code before executing it, and read the readme files, particularly if it involves changing file permissions. Make sure your wp-admin, wp-content and nearly all the wp-includes file permissions are set to writable only by the user, not the group. This will mean you will not be able to edit the theme via the admin area, but this is not a huge loss; however, you may wish to make wp-content/uploads writable if you often upload images for posts.
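To show what the permission advice above looks like as a check you can actually run, here is an added Python example (not from the original post and not part of WordPress): it walks wp-admin, wp-content and wp-includes under a WordPress root, reports every file or directory that group or others may write to, and leaves wp-content/uploads alone as the post allows. The function names, the directory lists and the constructed sample tree that demo() builds in a temporary directory are this example's own assumptions.

```python
import os
import shutil
import stat
import tempfile

# Directories the post says must be writable by the owning user only, and the
# one exception it allows. Paths are relative to the WordPress root.
LOCKED_DIRS = ("wp-admin", "wp-content", "wp-includes")
ALLOWED_WRITABLE = ("wp-content/uploads",)

GROUP_OR_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def _is_allowed(rel):
    """True if rel is one of the allowed-writable paths or lies beneath one."""
    return any(rel == a or rel.startswith(a + "/") for a in ALLOWED_WRITABLE)


def loose_permissions(wp_root):
    """Return a sorted list of (relative_path, octal_mode) for every file or
    directory under the locked directories that group or others may write to.

    Symlinks are skipped; their targets should be audited where they live.
    """
    findings = []
    for top in LOCKED_DIRS:
        top_path = os.path.join(wp_root, top)
        if not os.path.isdir(top_path):
            continue  # missing directory: nothing to check
        for dirpath, _dirnames, filenames in os.walk(top_path):
            # os.walk visits every directory once, so checking dirpath here
            # covers the directories themselves as well as their files.
            for full in [dirpath] + [os.path.join(dirpath, n) for n in filenames]:
                if os.path.islink(full):
                    continue
                rel = os.path.relpath(full, wp_root).replace(os.sep, "/")
                if _is_allowed(rel):
                    continue
                mode = os.stat(full).st_mode
                if mode & GROUP_OR_OTHER_WRITE:
                    findings.append((rel, oct(stat.S_IMODE(mode))))
    return sorted(findings)


def demo():
    """Build a constructed mini WordPress tree (sample data for this example,
    not a real install) with deliberately mixed modes and return the audit result."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    sample_files = {
        "wp-admin/index.php": 0o644,                     # owner-write only: fine
        "wp-includes/functions.php": 0o664,              # group-writable: flagged
        "wp-content/themes/default/header.php": 0o666,   # world-writable: flagged
        "wp-content/uploads/photo.jpg": 0o666,           # allowed exception: ignored
    }
    try:
        for rel, mode in sample_files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write("sample content\n")
            os.chmod(full, mode)
        # Pin directory modes so the result does not depend on the umask.
        for dirpath, _d, _f in os.walk(root):
            os.chmod(dirpath, 0o755)
        return loose_permissions(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, mode in demo():
        print(f"{mode}  {rel}")
```

Against a real install you would call loose_permissions("/path/to/wordpress") and tighten whatever it lists; the one thing it will not tell you is whether the web server runs as the owning user or as the group, which decides whether "user-write only" actually keeps PHP from rewriting your theme.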
And if it's too late!
If the worst case happens and something goes wrong, you have two choices: call in the experts (sorry, shameless plug) or DIY recovery. Presuming you want to go the DIY route, here is a quick checklist:
- Take your site down; don't delete files, simply modify your .htaccess to redirect to an error page.
- Take a copy of your entire system as it is; don't delete or modify anything.
- Repeat for the MySQL DB.
- Use your backup with something like WinMerge to locate the physical files that have been changed.
- Delete the files.
- Change passwords on all parts of the site.
- Use the backup to redeploy the site; take your posts from your original DB unless your backup is very new. It may seem harsh, but losing comments is not as problematic as losing posts, and indeed comments have to be treated as suspicious.
- Patch your system: if a patch or upgrade is available, apply it before uploading, and take any steps you failed to take to harden the system.
- Change all passwords again.
- Leave it a day and, if no issues have occurred, apply to Google via Webmaster Tools for reconsideration; tell them it was a hack.
OK, this is a simplified list. What you shouldn't do is leave the files up on the server and just upgrade to the latest version in a blind panic. Until you have identified how the hack occurred you have no way of knowing the implications. Just because you can see a pile of links in your code doesn't mean that's all it did.
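The WinMerge step in the checklist, finding which files differ between your clean backup and the copy you took of the compromised site, can also be scripted. The following is an added Python example (not from the original post) that hashes both trees with SHA-256 and reports the files that were added, modified or removed relative to the backup. demo() builds a constructed pair of mini site trees in temporary directories, with a hidden link block appended to index.php and an unexpected PHP file under uploads, so it runs offline; the function names and the sample file contents are this example's own.

```python
import hashlib
import os
import shutil
import tempfile


def hash_tree(root):
    """Map each regular file under root (relative path, forward slashes) to its
    SHA-256 hex digest. Symlinks are skipped so a planted link cannot pull in
    content from outside the tree."""
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(64 * 1024), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def compare_trees(backup_root, live_root):
    """Compare the copy taken from the compromised site against the clean backup.

    Returns a dict with sorted lists: 'added' (present only in the live copy),
    'removed' (present only in the backup) and 'modified' (content differs).
    """
    backup = hash_tree(backup_root)
    live = hash_tree(live_root)
    both = set(backup) & set(live)
    return {
        "added": sorted(set(live) - set(backup)),
        "removed": sorted(set(backup) - set(live)),
        "modified": sorted(p for p in both if backup[p] != live[p]),
    }


def _write_tree(root, files):
    """Write a {relative_path: content} mapping under root."""
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo():
    """Constructed sample data for this example: a clean backup and a copy of
    the same site after the kind of tampering the post describes."""
    clean = {
        "index.php": "<?php require 'wp-blog-header.php';\n",
        "wp-config.php": "<?php define('DB_NAME', 'wordpress');\n",
        "readme.html": "<html>WordPress readme</html>\n",
    }
    tampered = dict(clean)
    # A hidden link block appended to a core file (the symptom the post describes).
    tampered["index.php"] += '<div style="display:none"><a href="http://example.invalid/">x</a></div>\n'
    # A script that has no business being in the uploads folder.
    tampered["wp-content/uploads/unexpected.php"] = "<?php /* constructed placeholder */\n"
    # A file present in the backup but gone from the live copy.
    del tampered["readme.html"]

    backup_root = tempfile.mkdtemp(prefix="wp-backup-")
    live_root = tempfile.mkdtemp(prefix="wp-live-")
    try:
        _write_tree(backup_root, clean)
        _write_tree(live_root, tampered)
        return compare_trees(backup_root, live_root)
    finally:
        shutil.rmtree(backup_root)
        shutil.rmtree(live_root)


if __name__ == "__main__":
    report = demo()
    for kind in ("added", "modified", "removed"):
        for path in report[kind]:
            print(f"{kind:9} {path}")
```

Run it against the copy you took in step two, never against the live server, and look first at anything "added" under wp-content/uploads or "modified" in core files. It compares content only, not permissions or timestamps, and it is only as good as the backup: a backup taken after the compromise will show the tampered files as unchanged.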
Is WordPress suitable for SEOs and Internet marketers?
This blog uses WordPress and I really like WordPress, but I do not recommend it to my commercial clients; we simply do not think it is compatible with modern IT practice, and until the development team leave the Update or Die philosophy it will stay inappropriate and will lose out to mature systems such as Drupal. Drupal is not any more secure (indeed there are more security bulletins for it than for WordPress), but it has a patch and upgrade path which provides support for earlier versions in the form of security patches. I will leave you with one final question/anecdote:
If Microsoft announced, on the launch day of Vista, that they were not going to supply security patches for XP because Vista was better, how would people react? What about the idea that security patches would not be compatible with XP SP2 the day after a new service pack was released?
Is WordPress a mission critical system in your organisation? How do you cope with upgrading?
29 comments
An authoritative piece Tim. Excellent post!
Great article – it's not only WordPress; we use Drupal and I know many people working with Plone, and Tim really seems to know about the particularities which start to arise once you use an open source CMS in a production environment with corporate clients. It's something one should know and has to keep in mind that this is completely different to having a personal blog, where the only one affected is oneself and not a whole operation which has to be productive.
Both Plone and Drupal do have a different attitude though: both provide patches for 1 if not 2 earlier versions, both have dedicated security bulletins and both have the emphasis firmly in the large-scale camp. Plone in particular, while a pig to set up, is well respected by people tasked with maintaining it.
WordPress was never meant to be anything but a personal blogging system, and as such it's fantastic, innovative and "cutting edge", but people and businesses are moving away from the lone blogger model and WordPress needs to adapt, but so do the people.
A while back this was made available to much hoopla but haven’t heard much about it since.
http://www.knownow.com/products/wordpress_enterprise_edition/
Interesting. The problem when you do a project like that is that you either fork from the WordPress core and maintain your patches and security separately, which is fine but you lose the developer community that is behind WordPress.
Or you simply rebadge versions as they come out, in which case you are no better off than before.
Ultimately I'm not sure business would be any better off with a re-badged WordPress, except for the fact it would probably help to calm any QA framework that a company has in place.
Still, I would be interested to see how it progresses and, if it is a simple rebadge job, how it will cope with version 2.5.
I would assume it is based upon WPMU, which last I heard hasn't been revised fully for 2.5 yet, though I haven't been paying full attention like I should.
Nor have I; it's currently WPMU 1.3.3 on wordpress.org, but wordpress.com recently updated to the WordPress 2.5 base code, so I guess a WPMU update will follow a similar pattern pretty soon.
Indeed, 1.5 RC1 has just been released: http://mu.wordpress.org/forums/topic.php?id=8028&page
Tim, thanks for sharing in public what you charge customers for in your day to day practice. I’ve been forwarding the article all morning.
Tim, a really nice, insightful article you have written. My compliments. I've learned some new things to watch out for. Looking forward to seeing more of these kinds of posts!
Thank you so much for writing this! I’ve been putting this information together for users for a while and some just don’t want to believe it, because WordPress is so popular, and there are so few articles like this. Great work!
Tim,
Thanks so much for such detailed information about the cons of using WP.org for commercial enterprise.
My free blog at WP.com is fun and I am learning lots, plus getting my many handwritten travel journals into printable form, with the goal of a book getting published later.
I have three distinct business ideas I wish to implement over the next nine months to a year, and would appreciate feedback on:
suitability of using Site Build It and maintaining my sites myself
suitability of using Bluehost's website building package and maintaining sites myself
probability of being able to figure out Plone or Drupal with no computer experience beyond blogging…and also maintain myself
Thanks for your time.
Diane – Barring what I read on Andy's blog, I have never really looked at SBI; from what I have seen it's a CMS crossed with a cult. So if you go down that route you are, while not locking yourself into that system, certainly likely to be limiting your options. That said, from all the info I have seen it seems very user friendly.
I don't know anything about Bluehost, but all CMSs require hosting, so you will need at some point to purchase some sort of web hosting.
Drupal is complicated (Plone is worse); Plone is also written in Python rather than PHP, making it harder to find someone to host it. The advantage of Drupal is it can do almost anything you want; the developers describe it as a framework as much as a CMS.
My advice, if you are serious about your business plan, is to budget for a developer to assist you and be guided by them.
- Everyone else, thanks for the comments and feedback. I really want to emphasise that I think WordPress is great, and if I didn't it wouldn't be running this blog! But for larger commercial projects, or for anything with a quality assurance framework, I think it's not suitable.
Drupal can be complicated, but its modules vary from fairly user-friendly to less so. And not only was it designed with SEO in mind, it scales very well.
Plus, as a long-established and very well thought-out framework, it has a number of extremely useful properties and modules. For example you can handle multiple domains from one install, have advanced mailing list management, and choose from nearly 3,500 modules in all.
Tim,
A very well put together and informative post.
I disagree with your conclusion though. There are plenty of high-profile, successful blogs that use WordPress without any of the problems you discussed.
techcrunch.com, for example, uses WordPress. There are many more. Keep up with the current updates and you won't run into these issues very often.
Every web application and software is going to go through upgrades. There is no avoiding this if you want to keep up with technology and security. 3rd party plugins to open source platforms like wordpress will always have to be modified from time to time.
The hidden cost of open-source software is keeping up with its updates, vulnerabilities, etc.
I think people have misunderstood my goals and reasoning. I'm not suggesting people shouldn't use WordPress, or that companies don't or shouldn't; indeed Yahoo and eBay are mentioned on the WordPress front page as users. But a blog like TechCrunch is not the same as a corporate blog being written by non- or limited computer users who think Microsoft Word is a complicated application to use! While every piece of software has upgrades, no serious corporate software, including open source software, would have an Upgrade or be hacked culture.
By not providing security patches separate from upgrades, Automattic are clearly saying they are not committed to their users or their users' sites and couldn't give a stuff about security, and that is very sad. In a stable system security comes first, features second, dull as that sounds.
On Drupal, I am a huge fan and think it is one of the most versatile CMSs I have come across. But I never recommend it without having some experience in web development or having the support of a Drupal developer to hand.
I’m a huge fan of WordPress, having tried all the others and not being impressed. The caveat to that – WordPress does need to be completely up-to-date to minimize the risks. Great for solopreneurs and online marketers, not so great for the enterprise, as you stated.
This is a great post!
Maria Reyes-McDavis
One thing not mentioned, except indirectly: it's getting worse all the time, and not all exploits are caught by those being exploited. I don't have a trendline of data to back that up with, but there are some pretty famous WordPress blogs that have been hacked, and more stories all the time. As WordPress gets more popular, it's of course going to suffer from more hack attempts.
It’s frustrating to be in the bullseye of hackers, but that’s where WordPress is. Hackers are always going to try to find ways to exploit it without you knowing about it, besides the more direct approaches.
Sounds a lot like Microsoft Windows to me.
True! While my primary business is supporting Windows, it’s getting easier and easier to recommend Mac to new users who mostly seem eventually to one day screw up their malware protections one way or another. (Been recommending Firefox for some time for similar reasons, though you always have to have IE for some sites.)
Many PCs and business networks are infected and don’t know it. Here, there IS a lot of data. A favorite example:
http://www.networkworld.com/news/2007/071707-government-contractors-hit-in-targeted.html
Knowing how strongly Windows is protected by most enterprises, seeing that they are being badly hit makes me think WordPress is worse than most realize. Pure speculation, but I think a valid concern.
My point was that the most popular and most used OS, Windows, is ‘hacked’ (for the purposes of this article) daily.
If you don’t update, you are likely to be exploited, much like a older version of WordPress.
I guess the real issue I have with your argument Tim is that you are recommending another open-source solution with probably just as many vulnerabilities.
It would be altogether different if you were recommending the Mac OSX equivalent of a blogging platform, but I don’t think Drupal is it.
http://www.google.com/search?hl=en&sa=X&oi=spell&resnum=0&ct=result&cd=1&q=drupal+vulnerabilities&spell=1
Jim, I think you should reread the article and comments, as at no point did I ever recommend Drupal over WordPress. I did say Drupal has a more mature approach, which from an IT point of view probably makes it a more likely choice.
What I did recommend was that WordPress developers adopt a similar mentality to that of Drupal/Plone, both of which are open source applications and both of which have patches and upgrades, lifecycles and indeed some basic roadmap as to the future. Indeed, to quote myself from the article…
Sounds and reads like a recommendation to me.
Your article suggests that there are better options out there than WordPress. You mention Drupal. Even without explicitly saying Drupal is better than WordPress, the article and comments suggest this. I doubt I am the only one to walk away from this article with this impression.
It’s a great article for what it’s worth, I just disagree with your conclusion:
My point regarding Windows “vs.” WordPress is that Windows is exploited (leaving aside the word “hacked”) even when updated and protected by anti-malware solutions. And staying updated—which isn’t always possible, as Tim points out—is not a 100% secure defense.
Very interesting post & discussion. For a new client, I’ve been trying to decide between using Drupal and WordPress and the comments made above are very useful, although I’m still undecided. Most of the websites I create are for small businesses up to say 25 pages or so. I’m looking for ease of use mostly but of course security is very important too. I’ll have to read a bit more about it. Thanks for the insights provided above though.
I’m not going to lie, I have never heard of Drupal. I am building some smaller sites alongside my main site. I use wordpress, I hope I won’t regret this.
I should have done some research first. I was very naive.