Plugging into WordPress security


As some of you might already know, I’ve also been a blogger for ages. Since 2005, I’ve played with nearly a dozen blogging accounts from LiveJournal to MySpace to Blogger to WordPress to Connections. But by far, my favorite platform is WordPress.

Hi, my name is Jay, and I’m an IBM TRIRIGA information developer at IBM. With nearly half a million employees worldwide, IBM easily has thousands of teams of all shapes and sizes. So I’m not surprised to hear recently that a few IBM teams might be migrating areas of their social media sites from Connections to WordPress. While I love the WordPress interface, I also understand the concerns that other colleagues might have about the security issues in WordPress, particularly in its plugins.

Jay's WordPress "word cloud" (Wordle.net)

But here’s the thing about plugins. Just like installing and uninstalling fun or functional third-party apps on your smartphone, you can also install and uninstall fun or functional third-party plugins on your WordPress.org blog. In other words, your blog is only as strong as its weakest plugin. Fortunately, there are countermeasures. You can uninstall your weaker plugins, and you can also install security plugins.

What is the difference between WordPress.com and WordPress.org?

The primary difference lies with hosting. With WordPress.com, you don’t have to provide any hosting environment. Once you sign up and sign in, you can customize your blog design almost immediately. Naturally, unless you pay for more flexibility, you are limited in your customizations. However, even if you pay for more design flexibility, you also don’t have to actively maintain or update the core installation or integrated plugins, including those for security.

WordPress.com dashboard (November 2013)

On the other hand, with WordPress.org, you can either download and install the software package onto your own hosting environment, or you can pay for a hosting provider to do it for you. Once it’s installed, you can configure and customize your blog design as deep as you desire. However, to maintain the highest security, you also have to actively maintain and update the software, not only for the core installation but for any third-party plugins that you install. So you need to be aware of any compatibility issues between the core updates and your customizations, and between the core updates and your installed plugins, including those for security.

WordPress.org dashboard (Version 3.7.1)

If a few IBM teams are indeed migrating areas of their social media sites, then the logical choice is WordPress.org with its greater control over configurations and customizations. If that’s the case, then the most important issues revolve around plugin maintenance and security.

What are the WordPress.org plugin issues and countermeasures?

Here’s an excerpt from the Wikipedia article about WordPress:

“In June 2013, it was found that some of the 50 most downloaded WordPress plugins were vulnerable to common Web attacks such as SQL injection and XSS. A separate inspection of the top-10 e-commerce plugins showed that 7 of them were vulnerable.

Individual installations of WordPress can be protected with security plugins. Users can also protect their WordPress installations by taking steps such as keeping all WordPress installation, themes, and plugins updated, using only trusted themes and plugins, renaming the default admin account, as well as editing the site’s .htaccess file to prevent many types of SQL injection attacks and block unauthorized access to sensitive files.”

Like I mentioned, the IBM teams need to be aware of any compatibility issues between the WordPress.org core updates and their intended customizations, and between the core updates and their intended plugins, including those for security.

While it’s conceivable for the IBM teams to create their own security plugins, they’re more likely to rely on freely available and field-tested plugins. Based on my searches in Google and WordPress, here are the top three most popular and most reliable WordPress.org security plugins as of November 2013:

  • Wordfence Security: Wordfence Security is a free enterprise class security plugin that includes a firewall, anti-virus scanning, cellphone sign-in (two factor authentication), malicious URL scanning and live traffic including crawlers. Wordfence is the only WordPress security plugin that can verify and repair your core, theme and plugin files, even if you don’t have backups. Wordfence Security is 100% free.
Wordfence Security plugin

  • Better WP Security: Better WP Security takes the best WordPress security features and techniques and combines them in a single plugin thereby ensuring that as many security holes as possible are patched without having to worry about conflicting features or the possibility of missing anything on your site. With one-click activation for most features as well as advanced features for experienced users Better WP Security can help protect any site.
Better WP Security plugin

  • BulletProof Security: BulletProof Security protects your WordPress website against XSS, RFI, CRLF, CSRF, Base64, Code Injection and SQL Injection hacking attempts. One-click .htaccess WordPress security protection. Protects wp-config.php, bb-config.php, php.ini, php5.ini, install.php and readme.html with .htaccess security protection. Security Logging. HTTP Error Logging. Login Security/Login Monitoring. Website Maintenance Mode (HTTP 503).
BulletProof Security plugin
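Two of the passages above mention the same countermeasure: the Wikipedia excerpt talks about editing the site’s .htaccess file to block unauthorized access to sensitive files, and the BulletProof description lists the files it protects that way (wp-config.php, bb-config.php, php.ini, php5.ini, install.php and readme.html). The snippet below is an added example of what that protection looks like as hand-written Apache configuration; it is not code from this post or from any of the three plugins. It assumes Apache with either mod_authz_host (2.2) or mod_authz_core (2.4) and that .htaccess overrides are enabled for the WordPress directory.

```apache
# Added example, not from the post or the plugins it reviews.
# Deny direct web requests for the sensitive files named in the
# BulletProof Security description. FilesMatch tests the file name
# only, so wp-admin/install.php is covered as well as the root files.
<FilesMatch "^(wp-config\.php|bb-config\.php|php5?\.ini|install\.php|readme\.html|\.htaccess)$">
  # Apache 2.4 syntax (mod_authz_core)
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  # Apache 2.2 syntax (mod_authz_host)
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>
```

After adding it, a request such as `curl -I https://your-site.example/wp-config.php` should return 403 rather than 200. Two caveats: the rule only takes effect if the virtual host has `AllowOverride` set so that .htaccess is honored (with `AllowOverride None` the same block belongs in the vhost configuration instead), and it protects against web requests only, not against another account on the same host reading the file from disk.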

Which is the best of these 3 security plugins?

Since the download numbers and average ratings of these three security plugins are nearly identical, let’s dig a little deeper. Based solely on the WordPress.org site at the time that their information was collected (November 10), only the latest Wordfence plugin (November 7) is compatible with the latest WordPress 3.7.1 (October 29), and only the Wordfence team has resolved 100% of its support threads (46 of 46). These surprising results for a free plugin demonstrate a remarkable team responsiveness.

Meanwhile, both the latest Better WP plugin (August 24) and latest BulletProof plugin (October 18) are only compatible up to WordPress 3.6.1 (September 11). Even more revealing, the BulletProof team has resolved only 94% of its support threads (62 of 66) while the Better WP team has resolved a mere 3% of its support threads (4 of 145). Having said that, it’s ultimately up to you or your team to weigh the different factors in choosing the best plugin for your blogging environment. After all, these snapshot results might vary from week to week.

Wow, the next time that I start a new WordPress.org blog, I know which security plugin to install. :)

Do I have an update?

Eleven months after plugging into WordPress security, I bounced into responsive WP design!

Visual theme (desktop)

One thought on “Plugging into WordPress security”

  1. Pingback: Wordfence Security for WordPress Has Opened My Eyes | Claxton Creative, LLC–Interactive Books for iPad