Following the Heartbleed vulnerability, which affected all of us on the web, security has been a big topic lately. Some of us even changed our years-old passwords, and maybe enabled 2-factor authentication on our email accounts… (2-factor is the system where you need a code generated by, say, your mobile phone as well as your regular password to log in.)
So it seems that most of us survived, but given the wake-up call, we thought it would be a good time to remind you of some simple things you can do to ensure your WordPress installation is secure.
The easiest thing you can do is to make sure you always update to the latest WordPress release in good time. Version 3.9 was released a few days ago, bringing some usability features among other things. But in some ways it’s the smaller releases that are more important, since they are often issued to fix a security issue. Even in the last few days before WordPress 3.9 was launched, the developers still issued a security fix (version 3.8.2) to the previous version immediately, rather than waiting to bundle it into the all-new 3.9 release. If your site isn’t set to upgrade automatically, and you don’t log in to your admin panel very often, you can sign up to a WordPress mailing list for notifications of new releases.
Use Secure HTTPS
WordPress is easy to install, but the default installation will always work under plain HTTP rather than secure HTTPS. That means when you enter your password to log in, it is sent to your web server in human-readable plain text. Remember that the internet is made up of interconnected ‘public’ computers, and on its way from your laptop to your web server, you have no way of knowing the route that your connection will take through this network. So any of those computers could intercept your password. If you or your users reuse the same password for other services too, a hacker will have access to your entire online world.
For commercial installations, it should be worth the investment (in time and money) to set up secure HTTPS for the admin area of your WordPress website. Depending on your hosting provider, they may be able to set this up for you (usually at a cost, at least to pay for the ‘security certificate’ required). Or if you have the access and knowledge to do this yourself, find the time to set it up.
How Single Sign On helps
Especially if you don’t take all the steps above, things should be more secure if you are able to use a third-party service such as Google to log you in to WordPress instead of using your WordPress username and password directly. That’s because Google will always operate under HTTPS themselves, and you can even take advantage of their 2-factor authentication.
Using our Google Apps Login plugin for WordPress, for example, you supply your Google password to Google’s servers, and in turn Google tells our plugin, sitting on your WordPress server, whether or not you should be logged in. Of course, if your WordPress site is running only under HTTP, then Google has to pass information insecurely at some point – but that is a one-time code authorizing your access, rather than your main password in plain readable text.
So Single Sign On will help avoid your password being discovered, but it’s not enough on its own. Once logged in, your computer still needs to continually re-identify itself to your WordPress site, which it does through a cookie. If you’re running under HTTP, then that cookie is sent unencrypted and (if intercepted) is usable by a hacker to pretend they are logged in as you. They can ‘hijack your session’, even though they won’t know your actual password and so can’t log in again in the future.
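To make the two points above concrete (HTTPS for the admin area, and the session cookie being exposed over HTTP), here is an added example of the WordPress settings that implement them. It is not code from the original post or from the Google Apps Login plugin. It assumes HTTPS is already working on your host (the certificate and web-server configuration are outside WordPress), and the proxy header handling is only for sites behind a TLS-terminating proxy, which is an assumption about your hosting.

```php
<?php
// Added example, not part of the original post. Two small pieces of
// WordPress configuration that implement the advice above. Neither
// provisions a certificate: they assume HTTPS already works on this host.

// --- Part 1: wp-config.php -----------------------------------------------
// Serve wp-login.php and the whole /wp-admin/ area over HTTPS, so the
// password is never submitted in plain text. WordPress then also sets the
// auth cookie with the Secure flag. Place this above the line
// "That's all, stop editing!" in wp-config.php.
define( 'FORCE_SSL_ADMIN', true );

// Assumption: the site sits behind a TLS-terminating proxy or load balancer.
// In that case PHP sees plain HTTP from the proxy and is_ssl() returns false,
// which would make FORCE_SSL_ADMIN redirect forever. Trust the proxy's header
// only if the proxy is known to overwrite it on every request.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
     && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}

// --- Part 2: wp-content/mu-plugins/secure-cookies.php ----------------------
// Addresses the session-cookie point: mark both the auth cookie and the
// logged-in cookie Secure, so the browser refuses to send them over plain
// HTTP. A hacker who intercepts an HTTP request then finds no session
// cookie to replay. (add_filter() is not yet available in wp-config.php,
// so this belongs in a must-use plugin or a normal plugin.)
add_filter( 'secure_auth_cookie', '__return_true' );
add_filter( 'secure_logged_in_cookie', '__return_true' );
```

One caveat: with `secure_logged_in_cookie` forced on while the public front end still runs over HTTP, the browser will not send the logged-in cookie to HTTP pages, so the admin bar and other logged-in state disappear on the front end. That is the correct trade-off for the session-hijacking risk described above, but the clean fix is to serve the whole site over HTTPS, at which point both filters become redundant because WordPress sets the flags itself.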
What else do you think is important?
We hope this article reminds some of our readers that they want to invest a bit more in the security of their WordPress sites. Let us know whether you agree that the things we’ve discussed are the most important… and what else you do to increase security.