Times change and so does the value of WordPress plugins. A couple of years ago I wrote The 5 Most Important WordPress Plugins of 2009. Since then things have changed. In fact, out of the 5 listed then the only one I still use is Akismet. So which plugins are the must-haves of today?
Better WP Security
While this might be seen as a shameless plug for a plugin I’ve written I will not launch a WordPress site without this installed. From hiding the existence of WordPress to enforcing strong passwords and detecting intrusion attempts this plugin really does it all.
Contact Form 7
This is another plugin I won’t launch a site without. It simply works better than the competition and really does an excellent job at integrating other plugins such as Solvemedia and others. Not all sites need the same contact form and this plugin goes the extra mile to make sure each site’s contact form is best for the needs of that site.
I’m a new convert to this system from All-in-one SEO pack. Not only does it do everything All-in-one does, but it also provides an xml sitemap thereby eliminating the need for a 2nd plugin. No serious site should go without an SEO plugin and this one does it all.
W3 Total Cache
I’ve wavered on this in the past and I will say that it isn’t the best solution for every site. However, in my case it has taken the place of 3 plugins (DB Cache Reloaded, WP-Minify, and WP Super Cache) and it seems to do an excellent job of making sure my site is delivered quickly and efficiently.
WordPress Portfolio Plugin While not everyone has a website portfolio, for those who do this plugin can’t be beat. It can categorize and order sites, take automatic screen shots, and work seamlessly into any theme.
Update 8/1/11: I’ve removed the link to my 2009 post. When I started Bit51.com in August 2011 I took only the best and most relevant posts from my old site. Given this was a review post from a few years back I just didn’t feel that it made the cut.
As like most web professionals security of my sites is something I have to worry about on a daily basis. Whether it be an attempt to get credentials for other sites or a content injection attack that tries to turn your site into the latest pharmacy there are a lot of people out there to get you.
Given the risks and the many techniques to prevent attack I spend a lot of time both researching and discussing web security even writing some of my own software to help with holes I find to be just too big. As such, while I don’t consider myself an expert in the field (it is one of many hats I wear) I do take pride in what I’ve been able to accomplish so far. As such, here are some practical pointers to consider for security of your own site and your own webserver.
The world should not be able to write to your files
While this may seem obvious to some it is not uncommon to find full read/write permissions (0777) on all files on a given website. This means that anyone can write to them given the write conditions and can therefore change what is on your site for malicious purposes.
The owner of the files should be able to update and write to those files
This is the opposite of my first point. While you don’t want anyone to be able to write to the site, those who manage the site should be able to write to the files themselves. Failure to allow this permission can result in software not being updated which as we all know can lead to some major security holes. A good compromise for settings is allowing everyone to read/execute files and only the owner of the files to write them (0755 on *nix systems).
Keep your software up to date
Just as on your Windows or other computer, keeping your web software up to date can go a long way to securing your site. Whether you use WordPress, Drupal, or any other system it is vitally important to make sure the latest versions of your software have been installed and are functional in order to prevent attack.
Remove unwanted addons and software
Whether you’re talking about WordPress or the Apache server itself always remove what you are not using. Keeping around unused WordPress modules or extra running services on your server can lead to many holes you might not ven know are there.
Delete extra users
Keeping around an old editor’s or administrator’s account may seem like a good idea should that person ever be called upon again, but in reality it is just another avenue for someone to gain access to your site. Delete those users that aren’t needed. They can always be re-added later.
Look for problems
Don’t wait for someone to point out a problem to you. Instead look for it yourself. For example in my work I often perform Google searches for terms such as “SIU cialis” and “SIU viagra.” As hackers often put hidden links on your site to boost their Google rankings searching for terms like this can help you find problems you might not even know you have
Isolate your sites
If you’re running a server with multiple websites those websites do NOT have to execute code under the same user. For example with PHP you can use fastcgi and suexec to force every site to execute PHP code under a different user. Thereby if one account is compromised the rest of the sites on the server will be safe.
Isolate your databases
Running all your sites with a single database or the same username/password might seem to make things easier, but it’s opening you up to a lot of problems should that account be compromised. Take for example in which a system user account is compromised for a small, mostly forgotten site. Even assuming your files are safe by using fastcgi and suexec if you have a common database password the attacker can still destroy every single site on your server. Use strong database passwords and use a different username/password for each site.
Don’t expose services the public doesn’t need
In some environments, particularly places like universities, you might have the advantage of a firewall that can block all but what needs to be allowed out. If you’re lucky enough to have this take advantage of it. Don’t allow the public access to administrative sites or services such as phpmyadmin, ftp, or ssh. Leave those behind the firewall and only allow out what the public absolutely must have. If you’re not lucky enough to have an expensive firewall between the world and your server there are still things you can do. Use Apache to turn off admin sites when you won’t need them. Turn off other services or obscure them on non-standard IP ports, etc. Each item you turn off is one less item people can attack you with.
Watch your logs
A lot of information can be gathered from your server logs. Use a program like AWStats to look for anomalies that might indicate a problem. For example, if your site only averages a few hits a day from the local community and you suddenly find it getting thousands from a third world country you might have a problem. In addition, looking at items like 404 errors can reveal attempts on your site if you suddenly see a 404 spike or many long urls that might not make sense on first look.
Don’t be afraid to blacklist
If someone is harassing you either through the logs or otherwise don’t be afraid to blacklist their address to prevent access to your site. Not only can this reduce malicious attacks, but it can greatly reduce the amount of spam you receive as well.
Gone are the days when an expensive tape setup took hours to back everything up. Using built-in tools like mysqldump can backup you entire database quickly and accurately. Then programs such as jungledisk or even the simple rsync can back both the mysql dump files as well as all the files in your website up to a remote machine quickly and very cheaply (I pay less than $10 a month for my entire web and file servers at work).
Different is good
When it comes to security, different is good. If you’re using software like WordPress or Drupal change the default username. Use different folders where you can and make the database table prefix something other than the default. This will make it harder for an attacker to get into your site as many casual attacks are based off familiarity with the software.
Ask Question and Keep Reading
Probably the most important thing you can do to keep your site or server safe is to build your knowledge of it’s security. Even a rudimentary knowledge level can stop most attackers dead in their tracks. When you do find a problem ask for help. No one can know all there is to know about security and two heads are most definitely better than one.