Security and Website Themes
WordPress and other website publishing platforms can be nearly one-stop shops for clean, well-developed websites. Their content management abilities, coupled with easy interfaces, help webmasters build a solid, well-organized foundation for web content. While WordPress and others such as Joomla, Textpattern and Movable Type are established publishing platforms, webmasters should still stay on top of their security and code, as with any software.
Security
WordPress.org offers many tips on securing a WordPress installation and its content. Beyond the obvious practices of password protection and database security, there are a few extra steps you can take to harden a WordPress installation:
- File permissions: unless there is a specific need, all files should be owned by your user account and writable by you.
- Secure wp-admin: require an HTTPS (SSL/TLS-encrypted) connection for the /wp-admin/ directory so that administrative traffic and sensitive data are encrypted. Do the same for every form on your site that passes sensitive data such as usernames and passwords.
- Secure wp-config.php: move this file one directory above the WordPress installation directory (the one where wp-includes resides) and set its permissions to 400 or 440.
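The three steps above can be checked from the shell. The script below is an added example, not code from the original post or from WordPress.org: it builds a throwaway install with two deliberate mistakes (a world-writable file and a wp-config.php that everyone can read), then audits it. The `FORCE_SSL_ADMIN` constant it looks for is the real wp-config.php setting that makes WordPress require HTTPS for /wp-admin/; all paths and file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example: audit a WordPress tree against the three checks above.
# Nothing here is taken from a real install; the demo tree is constructed.

# Print the octal mode of a path; GNU stat first, BSD/macOS stat as fallback.
octal_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_wp_perms ROOT: ROOT is the directory that holds wp-includes.
# Prints one line per finding and nothing when the install looks clean.
audit_wp_perms() {
  root="$1"
  me=$(id -un)

  # Anything writable by "others" can be tampered with by any local process.
  find "$root" ! -type l -perm -o+w -print | while read -r path; do
    echo "WORLD-WRITABLE: $path"
  done

  # Files not owned by the account that maintains the site are suspicious.
  find "$root" ! -type l ! -user "$me" -print | while read -r path; do
    echo "NOT-OWNED-BY-$me: $path"
  done

  # wp-config.php belongs one level above ROOT, mode 400 or 440,
  # and should force HTTPS for the admin area.
  if [ -e "$root/wp-config.php" ]; then
    echo "WP-CONFIG-IN-WEBROOT: $root/wp-config.php"
  fi
  cfg="$root/../wp-config.php"
  if [ -e "$cfg" ]; then
    mode=$(octal_mode "$cfg")
    case "$mode" in
      400|440) ;;                                   # acceptable
      *) echo "WP-CONFIG-MODE-$mode (want 400 or 440): $cfg" ;;
    esac
    if ! grep -q 'FORCE_SSL_ADMIN' "$cfg"; then
      echo "NO-FORCE_SSL_ADMIN: $cfg"
    fi
  fi
}

# make_demo_tree: constructed install with two deliberate mistakes;
# prints the document-root path so the caller can audit and remove it.
make_demo_tree() {
  base=$(mktemp -d)
  mkdir -p "$base/public_html/wp-includes" "$base/public_html/wp-content/uploads"
  : > "$base/public_html/index.php"
  : > "$base/public_html/wp-content/uploads/cache.php"
  # wp-config.php already moved above the webroot and forcing HTTPS for wp-admin
  printf "<?php define('FORCE_SSL_ADMIN', true);\n" > "$base/wp-config.php"
  chmod -R u=rwX,go=rX "$base/public_html"          # sane baseline regardless of umask
  chmod 666 "$base/public_html/wp-content/uploads/cache.php"   # mistake 1: world-writable
  chmod 644 "$base/wp-config.php"                   # mistake 2: readable by everyone
  echo "$base/public_html"
}

root=$(make_demo_tree)
audit_wp_perms "$root"
# Expected: one WORLD-WRITABLE line for cache.php and one WP-CONFIG-MODE-644 line.
rm -rf "$(dirname "$root")"
```

Run it against a real install with `audit_wp_perms /path/to/public_html`; an empty report means the three checks pass. The ownership check is relative to whoever runs the script, so run it as the account that is supposed to own the site.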
For third-party plugins running in Textpattern, webmasters can review a plugin's source code by "editing" it: navigate to Admin -> Plugins and click "Edit" for the plugin you wish to review. Look for anything out of the ordinary, such as eval() or base64_encode() calls.
Using Themes
Unfortunately, many of the "free" WordPress themes offered for download at popular theme websites contain hidden malicious code that adds unwanted spam advertisements. They use base64 encoding to hide the ads, so unskilled end users unknowingly promote advertisements they would never have supported. "Base 64 does not necessarily just hide links. It can also hide malicious code which can run amok on your site." These "free" themes often have concealed backlinks hidden throughout the code, linking your website to places you would never want to be associated with.
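The plugin review described under Security and the base64-hidden theme code described here call for the same check: search every PHP file for the calls the text names and then look at what any base64 literal actually decodes to. The script below is an added example, not code from the original post or from any theme or plugin; it also searches for base64_decode(), since code shipped encoded has to be decoded at run time, and for gzinflate(), which is used the same way. The two theme directories and their contents are constructed; the link inside the "free" theme is a stand-in for the concealed backlinks the paragraph describes.

```shell
#!/bin/sh
# Added example: find eval()/base64 calls in theme and plugin PHP and reveal
# what the base64 literals contain. Demo files are constructed, not real themes.

# Decode a base64 string given as $1; GNU base64 -d first, macOS -D fallback.
b64decode() {
  printf '%s' "$1" | base64 -d 2>/dev/null || printf '%s' "$1" | base64 -D
}

# scan_php_tree ROOT: print "file:line:source line" for each suspicious call.
# A leading non-identifier character is required so that e.g. "my_eval(" is skipped.
scan_php_tree() {
  grep -rnE \
    -e '(^|[^A-Za-z0-9_])eval[[:space:]]*\(' \
    -e '(^|[^A-Za-z0-9_])base64_(en|de)code[[:space:]]*\(' \
    -e '(^|[^A-Za-z0-9_])gzinflate[[:space:]]*\(' \
    --include='*.php' "$1" 2>/dev/null || true
}

# reveal_base64 ROOT: for every base64_decode('...') string literal found,
# print the decoded bytes so the reviewer can see the hidden HTML or PHP.
reveal_base64() {
  grep -rhoE "base64_decode[[:space:]]*\([[:space:]]*['\"][A-Za-z0-9+/=]+['\"]" \
       --include='*.php' "$1" 2>/dev/null \
  | sed -E "s/.*['\"]([A-Za-z0-9+/=]+)['\"]/\1/" \
  | while read -r blob; do
      printf 'decoded: %s\n' "$(b64decode "$blob")"
    done
}

# make_demo_theme: one clean theme and one with an encoded footer link;
# prints the directory that contains both.
make_demo_theme() {
  base=$(mktemp -d)
  mkdir -p "$base/clean-theme" "$base/free-theme"
  printf '<?php wp_footer(); ?>\n' > "$base/clean-theme/footer.php"
  # Constructed stand-in for an injected backlink: the link is base64-encoded,
  # so someone skimming footer.php never sees the URL in plain text.
  link='echo "<a href=\"http://example.com/\">sponsored</a>";'
  blob=$(printf '%s' "$link" | base64 | tr -d '\n')
  printf '<?php wp_footer(); eval(base64_decode("%s")); ?>\n' "$blob" \
    > "$base/free-theme/footer.php"
  echo "$base"
}

themes=$(make_demo_theme)
scan_php_tree "$themes"     # expected: only free-theme/footer.php is listed
reveal_base64 "$themes"     # expected: the decoded echo with the example.com link
rm -rf "$themes"
```

Point `scan_php_tree` at wp-content/themes or wp-content/plugins (or at an exported Textpattern plugin) before activating anything. A hit is not proof of malice, since some legitimate code uses base64 for binary data, but every hit should be explained by reading the surrounding code, and `reveal_base64` shows immediately whether a literal hides a link or a script.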
Although themes can be useful for the hobbyist and the individual, they are not ideal for a functioning business. You need to establish a brand that your customers can become familiar with and trust; implementing a free theme runs counter to this basic principle of marketing. If you must use a theme, or need one as a temporary solution, use one from a trusted source and learn the code. Understand precisely what you are publishing.
If all this seems a bit much, or you don't have the time to dedicate, drop us a line and we'll get your business blog set up properly from the start. We maintain all aspects of the code, from servers to blogging tools. All your team needs to do is create the content.
Maintenance
How often do you inspect your website's software installation and files for security breaches, malicious code, or other potential web threats?