    I’ve just finished putting together my first website, running with WordPress, which is fully functioning on localhost. I’m looking for the final pieces to the puzzle to make things work well when it goes live. First and foremost I’m looking for hosting, but I’ve started to get concerned about security, especially for anyone that signs up to my site for posting comments and more besides …

    The site has a business element to it which I’ve put together using the Jigoshop plugin and a bit of tweaking. That means that anyone who registers has an account page that they can use to save their address details, but all payment details will be handled by PayPal. So I want to make sure these details are pretty safe, and that the site is watertight on the whole.

    I don’t know how this works. I’m guessing I need an SSL certificate or something like that, or are there other options? Can anyone tell me how transparent a simple vanilla WordPress setup is to the outside world, if it’s particularly easy for someone with intent to browse through your SQL databases or whatever? And are WordPress passwords at least stored in some secure way? ( Although perhaps not transmitted in a secure way depending on the SSL status … )

    Thanks in advance for any help or pointers, maybe there are plenty of others out there who are just as interested in these points but have no technical knowledge about them.

Viewing 11 replies - 1 through 11 (of 11 total)
    Moderator Ipstenu (Mika Epstein)


    Lead Plugin Wrangler

    Thanks for the links Ipstenu, I’d seen the first already but not the second. But the first doesn’t really answer a number of things I’m after.

    I understand that SSL covers the process of someone signing into a site and having the subsequent data transfer encrypted. Fine. But let’s say there’s no SSL set up, nor any users logging on or anything at all in fact, let’s say the site has been set up and is left untouched by admin for a good period – is getting into the WordPress files still relatively “easy” for someone in the know? And is having an SSL certificate enough to sit back and relax?

    Just read that back, not to sound too naive, I meant “relax” only to an extent. From what I’m reading around the interwebs right now, it seems you can have the most secure site in the world from your own efforts but it can still be more or less vulnerable depending on the level of host effort. Found some interesting GoDaddy info. Not good. I’ve gone through enough material about hosts to know not to ask that question any more on these forums, at least. No perfect solution. It’s a shame there aren’t any clear winners out there on this front, just a few lesser of many evils, perhaps.


    SSL encrypts that data between host and client. Signed SSL tells the client that the host is who they say they are.

    This doesn’t in any way help with, for example,
    – dodgy plugins and themes
    – useless passwords
    – missing security fixes by not updating core, plugins and themes
    – badly configured servers
    These are separate issues.

    Moderator Ipstenu (Mika Epstein)


    Lead Plugin Wrangler

    Is hacking into WordPress easy?

    No, actually, it’s not 🙂 Hacking into insecure servers is easier than hacking into a webapp, and most of the time, that’s how it’s done. In all my time on WP, the only hacking came from me using a computer with a virus on it, and clear-texting my FTP password. I only use Secure IMAP, FTP and SSH these days, and I run all my sites as admin over SSL when possible. But as it’s often not possible to run SSL on shared hosting, I just make hella secure passwords and never share ’em.

    TCBarrett – without asking you to go into detail, can you outline what makes a theme or plugin bad for security, are there some tell-tale signs that are relatively easy to pick out? I’m trying to keep plugins to a minimum, and the ones I do have seem pretty well established, but of course that’s no guarantee of anything. I’ve got a Twenty-Ten-based theme, but no intuitive feel about how solid it really is.

    Ipstenu – that’s what I’ve been picking up about the weak link from a number of sources, about the servers rather than the WP software. I’m guessing that without a private server then you’re pretty much open to the elements on that one, and have to weather whatever storm may come your way. In fact, having been reading about this for a couple of days, I’m so surprised at finding out just how many hosting companies seem … less than impervious. More so than I’d expected.

    Moderator Ipstenu (Mika Epstein)


    Lead Plugin Wrangler

    Twenty Ten (and Twenty Eleven) are WordPress’s in-house themes, so they’re pretty much as secure as can be.

    Figuring out which plugins aren’t secure is a full time job. If you know PHP and SQL, it’s a good idea to at least skim through the files and see what’s there. If there’s encrypted data, or obvious calls back to the author’s email, then you know it’s a bad plugin.

    Honestly, it’s in the best interests of most shared hosts to protect you too! Some are always better than others, but that’s true of all things. My bottom line is I refuse to trust a host that offers ‘unlimited’ anything, and that doesn’t have a 24/7 1800 number I can call to pull my ass from the fryer.
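The “skim the plugin files” advice above can be partly automated. The script below is an added example, not anything from WordPress or the forum posters: it walks a plugin directory and flags the two red flags named in the reply (encoded payloads being executed, hard-coded addresses to report back to), plus remote includes. The sample plugin files it scans are constructed in a temporary directory; hits are triage hints for a manual read, not proof of malice.

```python
import os
import re
import tempfile

# Heuristic patterns drawn from the advice above. A hit means "read this file
# by hand", not "this plugin is malicious".
SUSPICIOUS = {
    "encoded payload executed": re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("),
    "long encoded blob": re.compile(r"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{40,}"),
    "hard-coded e-mail address": re.compile(r"['\"][\w.+-]+@[\w-]+\.[\w.-]+['\"]"),
    "remote code include": re.compile(r"(include|require)(_once)?\s*\(?\s*['\"]https?://"),
}

def scan_plugin_dir(root):
    """Return (relative path, line number, label, line text) for every hit in *.php files."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    for label, pattern in SUSPICIOUS.items():
                        if pattern.search(line):
                            findings.append((os.path.relpath(path, root), lineno, label, line.strip()))
    return findings

def demo():
    """Build a constructed two-plugin tree (made-up files) and scan it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "clean-plugin"))
    os.makedirs(os.path.join(root, "shady-plugin"))
    with open(os.path.join(root, "clean-plugin", "clean.php"), "w") as fh:
        fh.write("<?php\nadd_action('init', 'clean_plugin_init');\n")
    with open(os.path.join(root, "shady-plugin", "shady.php"), "w") as fh:
        fh.write("<?php\n"
                 "eval(base64_decode('ZWNobyAiaGVsbG8iOw=='));\n"
                 "wp_mail('owner@example.invalid', 'site', get_site_url());\n")
    return scan_plugin_dir(root)

if __name__ == "__main__":
    for path, lineno, label, text in demo():
        print(f"{path}:{lineno}: {label}: {text}")
```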

    Good pointers RE the plugins. I’m experienced with other languages and trying to pick up the PHP etc. as I go, so I am getting my hands dirty. I’ll bear that advice well in mind.

    Having a theme “based on” 2010 could still mean there’s a chance of something screwed up, no? I don’t know what the “basing” entails, whether it’s largely cosmetic or what …

    About passwords – browsing through my SQL databases, I see that there’s a password field for each dummy user I’ve registered, but that it’s in some encrypted format. Not that I guess it would matter if there’s an intruder in the database already, but just for argument’s sake, do the passwords have any value when they’re in this format? i.e. Are they easily (“easily”) decrypted?

    And apologies in advance for this last bit, I’m going to break my silence on hosting companies which I said above I’d keep, but you tempted me – the buzz from some people that seem to be in the know looks like it’s in favour of Hostgator, but they have plenty of flashy unlimited offers. Still concerning, in your opinion? They do have a cartoon alligator though …

    I’ll dish up plenty of thanks later on, but I’ll slip some in at this point too – all help is much appreciated.

    Moderator Ipstenu (Mika Epstein)


    Lead Plugin Wrangler

    Passwords are hashed and salted. They are not easily decrypted (though they can be easily cracked if you’re good at that – I’ve got a phenomenal track record for ‘guessing’ passwords thanks to a lifetime of social engineering experiments).

    We’re not supposed to let hosting recommendation threads live on the forums (they become way too much of a ‘he said/she said’ thing, or spam fodder). I link to my host off my website because I like them, but pretty much every host has horror stories. So … dish if you want, but if you do it here, I’d have to close your post.

    The best ways to learn about site security are:
    1. Hire a professional
    2. Learn it yourself (system administration, software design, database design)
    3. Join local communities
    4. Standard internet nous

    I’m guessing #1 is not an option. Option #2 sounds a little out of your comfort zone. For #3 you could have a look in http://wordpress.org/support/forum/meetups

    No. 4 is the main one to start with. Specifically for WordPress plugins and themes: don’t download random stuff from weird websites. Stick with wordpress.org themes and plugins. Stick with popular, up-to-date and regularly updated plugins and themes.
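The password point made above (hashed and salted, so not decryptable, yet a weak choice is still easily cracked) is easier to see with code. This is an added illustration, not WordPress’s own scheme (WordPress uses phpass’s iterated-MD5 portable hashes; PBKDF2-HMAC-SHA256 is substituted here for clarity), and the short list of common passwords is constructed for the demo.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # work factor; slows every verification, honest or otherwise

def hash_password(password, salt=None):
    """Return 'salt:digest' in hex. A fresh random salt per user means two users
    with the same password get different stored values, so precomputed tables
    are useless and one cracked hash says nothing about the others."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + ":" + digest.hex()

def verify_password(password, stored):
    """Re-derive the digest with the stored salt and compare in constant time.
    Nothing here reverses the hash; the only way back is to guess and re-hash."""
    salt_hex, digest_hex = stored.split(":")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)

def guessable(stored, wordlist):
    """What salting cannot fix: a password that appears on a short list of common
    choices. Returns the matching guess, or None if none of the list matches."""
    for guess in wordlist:
        if verify_password(guess, stored):
            return guess
    return None

COMMON = ["password", "123456", "letmein", "wordpress", "qwerty"]  # constructed sample list

def demo():
    weak = hash_password("letmein")
    strong = hash_password("correct-horse-battery-staple-7!")
    return {
        "distinct_salts": hash_password("letmein") != weak,   # same password, different stored value
        "verify_ok": verify_password("letmein", weak),
        "verify_wrong": verify_password("letmein1", weak),
        "weak_found": guessable(weak, COMMON),                 # falls to a five-word list
        "strong_found": guessable(strong, COMMON),             # does not
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```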

    “they become way too much of a ‘he said/she said’ thing, or spam fodder …. pretty much every host has horror stories”
    The best and most secure host is no host at all 🙂 OK, not a very effective website, but it is *really* secure!!

    Out of my comfort zone – no. I’m used to working through code technicalities, just not of this flavour, my background is in scientific data analysis. The learning’s a matter of time, but I’m looking for my site to go live in the near future and I wanted to be relatively confident that anyone who happens to sign up is looked after.

    The “business” side of things I have in mind may not even come to pass, but if it does then I do want to feel I have people’s details well kept, even though there won’t be any credit card info or the like as that’ll be dealt with by PayPal. I can rebuild the site if something gets screwed, that’s the game, and I can keep backups. My work isn’t the important thing here, it’s other people’s names and addresses.

    I guess my basic questions are too broad-based – general security etc. But I think I have enough to get started on the right foot. I’ve found a hosting company that looks fairly solid (no further comment there) and have enough to go by for now. I’ll come back with more specific questions!

    Thanks very much to you both for your pointers and advice, very much appreciated.

  • The topic ‘Site Security’ is closed to new replies.