Comments on: WordPress Hacked? Total Security Lockdown

By: DailyManila

DailyManila — Thu, 17 Dec 2009 16:09:21 +0000

For those who run their own servers (dedicated, virtual private servers, or cloud instance), it’s also good to secure the underlying operating system (e.g. filesystem, host firewall, etc.) and related applications like the web server and database server. Any security you put on WordPress will be useless if the system it’s running on is compromised.

By: Mathdelane

Mathdelane — Tue, 08 Dec 2009 13:42:30 +0000

This happened to me once this year, index.php was deleted by some nasty hackers who were able to signup as admin back in those days when I’m very much a newbie because I retained the default “admin” username “as is” instead of changing it. I’ve learned my lesson and hopefully it won’t happen again.

By: Tim Nash

Tim Nash — Tue, 08 Dec 2009 12:36:09 +0000

Its a huge drain, as a plugin author, when ever we make a code change we have to test in multiple test environments including the previous version of wordpress, the current version and the current beta.

To be honest we should test in more environments but even so maintaining that testing cycle is time consuming.

As a consumer it is common sense to maintain your own development server, set up as your production server to test plugin and core updates on. The cost in time and server costs are still negligible against major downtime in most enterprises.

By: Andy Beard

Andy Beard — Tue, 08 Dec 2009 12:22:53 +0000

Keeping plugins up to date not only from a security perspective, but also just for compatibility is a real drain on development resources.

By: Tim Nash

Tim Nash — Tue, 08 Dec 2009 11:45:16 +0000

While its very common to hear

Keep WordPress up to date, plugins up to date etc

It’s important to remember that WordPress publishing cycle of new releases means security bugs are bundled in with feature updates which potentially can do more harm then the security bug you are patching. It is quite usual for wordpress to have a release and then several smaller patch releases within a few days to address the bugs they didn’t find.

It is therefore worth holding back from instantly updating your live version of your site but testing the update on your development copy (which is populated from your regular backup ;) ) and holding off a couple of days to allow bugs to surface from early adopters and your own testing. (Its important for Open Source software in particular if you find bugs to report them otherwise they won’t get fixed)

While security is important, the chances of you being hacked on a given day are small, it is better to test and wait a few days with a potential security problem, then jump on to an untested ship which has the potential to be catastrophic.

I wrote an article on suitability of WordPress for Enterprise clients, and why SEO agencies working with such clients should be careful back in April.
http://www.timnash.co.uk/04/2008/wordpress-security/