New Revision: v1.2 (Apr/08)
The full whitepaper is available in PDF format; please let us know if you require it in any other format.
We would also be happy to get any further feedback. Did we miss something? Is anything not clearly written? Are there other plugins you think we should have touched on?
We will keep this paper as up to date as possible.
Phil, I’m really happy with version 1.0, great work guys.
The paper looks great overall, though for htpasswd protection I’d definitely recommend using ‘AuthType Digest’ over ‘AuthType Basic’. Basic auth means sending a base64-encoded password over the internet, which is simply equivalent to a plaintext password. Most password sniffers can decode that in no time.
Abel, great thought. Digest is slightly better; however, it’s vulnerable to offline brute-force attacks. The best suggestion is to use Basic/Digest over SSL (https), which solves both problems.
Hmmm, agreed. :-)
Nice work! Didn’t know you guys ported PHPIDS to Wordpress. I also like that Role Manager plugin.
Thanks :)
Yeah, we created a port for PHPIDS. A first release is available on PHPIDS.org, which doesn’t offer many features and has quite a few disadvantages (no exceptions, everything is blocked). We plan to release a newer official BlogSec version soon, which is quite a bit better than the first draft. I got a lot of valuable feedback from Gareth and Mario, and code improvements as well. But for sure we’ll receive much more valuable feedback from our userbase.
I just finished reading it and I’m very happy with it.
I’m very interested in security, not only for my blog but in general systems security, and even though I actually don’t know too much, I very much like your whitepaper, so good work for that.
I also took the time to check the wp-scanner and test the prefix changer without any problems.
I can say that the only problem I had was with the htaccess file, but it only needed to allow certain plugins and files for the K2 theme, and, as is actually noted in the whitepaper, that isn’t something to report as a bug or anything =P.
Good work, and thanks for helping people like me, who don’t know much but want to learn and protect their sites.
Best regards
LKP
Thanks for the feedback and support guys!
[...] today they published a small but useful guide whose goal is to improve the security of your blog, in case you use [...]
[...] has published a whitepaper “How to create a secure WordPress install” on better securing the blog software Wordpress. The title [...]
Hi there,
Can someone please point me in the direction of a fix?
I’ve applied the .htaccess recommendation to wp-includes, but I can’t work out the correct directive to get the spellchecker in the visual editor to work. Any ideas?
Thanks,
Nick
[...] very interesting and quite commendable. After some shameless delay I decided to read through their WP Security White Paper and apply some of the steps… yes I did say some, hardened security folk will insist that you [...]
Never mind, I sorted it :D
[...] is this one. The post with the release announcement and a summary presenting the contents can be read here. Comments: (0) [...]
[...] BlogSecurity » WordPress Security Whitepaper Paper by the BlogSecurity folks on security on the wordpress platform (tags: Security papers) [...]
[...] good example is this very worthwhile white paper by blogsecurity.net, entitled “How to Secure a WordPress Install”. The white paper provides [...]
Accessing your WordPress tables - Could you please go into more detail on how to set up the permissions on the database tables? And give a more detailed explanation of what you mean by never letting a web app access the database with a root user? There is only one user created at the time of install by my host, using the admin login with a postfix alphanumerical extension. No provision that I can see to change that account? You can only create an additional user, but how would that get linked back to WP? I love your security whitepaper, but it is somewhat vague for new users.
Thank you ron for your feedback, we need it to improve our whitepaper further. The next version will cover this topic more deeply. It’s quite hard to cover all areas on the first try, given the number of different hosters and such things.
What I can tell you is that a root MySQL user is an account which has all privileges possible within MySQL (something like god), or at least most of them, globally. So if your WP used that account, and someone could steal all the needed information, he would be able to modify any other database within your MySQL server as well. If you just use a limited user, he could only harm you within your WP database (dropping tables, records, and such).
To tell you more about your problem/case, I would need more information. If you’d like to share it, please use the contact form to submit it to us, and we’ll reply.
Thanks
[...] more tips, including using a plugin to change the table prefix easier. For details, you can read it here. Don’t forget to scan your blog for vulnerabilities using the WP [...]
[...] Blog Security has written a WordPress Security Whitepaper on how to secure WordPress against security flaws and other worries. It also includes information [...]
Page five has a typo, “grap” in the first sentence under “Create a new limited user.” Still reading, but great stuff.
Stephen thanks for that one, will be fixed with the next version.
[...] Securing Wordpress blogsecurity.net/wordpress/wordpress-security-whitepaper/ by habladorcito a few seconds ago [...]
[...] on BlogSecurity, there’s a whitepaper on How to create a secure WordPress install. It covers several areas, including MySQL setup, WordPress user configuration, Apache protection of [...]
[...] But really it is a tutorial that every WordPress user should read and keep at hand: WordPress Security Whitepaper (PDF), a complete guide of tips to keep in mind to reduce the vulnerabilities of the cms [...]
[...] found a pretty good Wordpress Security Whitepaper over at BlogSecurity.net. I followed most of the techniques, especially those that concerned with [...]
[...] the BlogSecurity guys have produced a PDF called “How to Secure Wordpress” or “Como asegurar [...]
[...] Here there is a whitepaper on Wordpress security. Dougal has commented on the whole thing. [...]
[...] BlogSecurity Tags: plugins, security, [...]
[...] has released a WordPress Security Whitepaper and Doug Campbell has posted an article about his pros and cons onto [...]
[...] on an Apache server and have access to .htaccess files, you can fix this problem right up. Here is where I was alerted to this little issue and where you can find the fix (this same article is [...]
[...] has a detailed whitepaper on how to secure your Wordpress installation. A must-read, especially for large-scale Wordpress [...]
[...] next best thing was to find a whitepaper on how to secure a WordPress installation. The 10 page whitepaper in PDF format is currently at “Version 1.1” and covers [...]
[...] Blogsecurity.net has published version 1.0 of the document “WordPress Security Whitepaper”, which is available in PDF format, where they describe the basic security measures to keep in [...]
[...] | Author | Download the security guide in format [...]
[...] security released a white paper on how to lock down Wordpress a little bit tighter and while I think some of it might be overkill [...]
[...] In October the WordPress Whitepaper was published on BlogSecurity. It is a collection of tips and tricks for a secure WordPress [...]
[...] BlogSecurity Whitepaper [...]
[...] the only organization that deals with social networking and web blog security has recently released a WordPress security whitepaper entitled “How to Secure [...]
Thanks for a very useful tutorial. Some ideas below.
1) On the MySQL user.. perhaps it’s worth making clear that the most important thing is that the user/pass that you have for your WordPress install does not have access to any other (sensitive) data. For those who installed using Fantastico etc (most at risk??) this would be the case by default. It also does not mention when this causes problems.. i.e. third party modules.. which may not have that good error reporting. Admittedly, these poorly written modules are perhaps what we are trying to protect against??
2) Prefix script doesn’t work.
3) My username isn’t admin.. I did this on install.
4) Is it worth restricting (via .htaccess) the content and includes directory?? Sorry not sure the level of threat.
[...] BlogSecurity.net has released its “How to secure Wordpress” whitepapers, released as the first version [1.0]. [...]
[...] I suggest to read it and try to follow the whole guide. If you rent just a common webserver, most of the suggestions [...]
[...] There is a complete document on securing a blog, which I have not had time to finish, and which you can download at this address: WordPress Security Whitepaper [...]
[...] specialists are the people at blogsecurity.net and they have put together a small dossier of about ten pages (this is version 1.0 of the little white paper) [...]
[...] has published a white paper about how to secure your WordPress installation. A lot of the stuff in there is security by [...]
[...] received some great feedback after releasing our Secure WP Whitepaper, and it just got better for our German [...]
[...] get your copy of the whitepaper here. [...]
[...] Whitepaper from BlogSecurity is now also available in German. Both versions are on the project page [...]
[...] Campbell: Creating a secure WordPress install Over on BlogSecurity, there’s a whitepaper on How to create a secure WordPress install. It covers several areas, including MySQL setup, WordPress user configuration, Apache protection of [...]
[...] has put together a list of things you should do to make your Wordpress more secure. Partly [...]
[...] First of all, AskApache’s plugin will do this for free or follow our htaccess guide (see our WordPress whitepaper for details). Second, this will not stop hackers from hacking your [...]
[...] Campbell at Geek Ramblings shares some interesting thoughts on a white paper entitled How to Create a Secure WordPress Install which he ran across at [...]
[...] WordPress Plugin which checks for vulnerabilities in your blog, Theme and elsewhere, and read the Secure WP Whitepaper and WP Hardening Project for more [...]
This is an excellent paper! Thanks for posting. I was in two minds between using blogger and rolling my own wordpress install, and security was my main concern with the latter. This helped me decide.
[...] mean we need another technique to encounter this problem. In actual fact, Blogsecurity.net in their Secure WP Whitepaper have briefly described an alternative technique which manually changes the default Wordpress [...]
How about restricting database access only to the host you install WP in?
The WP Plugins tracker mentioned on page 9 is no longer needed with WordPress 2.3+ - it takes care of telling you about outdated plugins and outdated WordPress installations.
Nice paper though. Thanks.
Hendry, you mean something like one DB for one web application? Or are you thinking about denying external DB connections?
Chris, although WP 2.3 comes with a built-in check for whether plugins are up to date, it’s currently not able to check plugins hosted outside of Wordpress.org, nor does everyone use WP 2.3, so we think there’s no reason to keep quiet about it. The newer version will also mention the latest WP version and its new features.
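Philipp’s point above about a root account versus a limited one, and Hendry’s question about restricting database access to the host WordPress runs on, both come down to the account’s GRANT statement. The following shell script is an added example and is not part of the whitepaper or of these comments: it prints the SQL for an account scoped to one database and one client host, and checks SHOW GRANTS output for global (*.*) scope. The database, user, host and password values are placeholders, and the privilege list is my assumption of what a WordPress install needs (SELECT/INSERT/UPDATE/DELETE for day-to-day use, CREATE/DROP/ALTER/INDEX for upgrades and plugins that create tables).

```shell
#!/bin/sh
# Added example, not from the whitepaper: generate the SQL for a MySQL
# account that can only touch one WordPress database from one host, and
# check existing grants for global (*.*) scope.

# wp_user_sql DB USER HOST PASSWORD -> SQL on stdout
# Scoping the account to DB.* keeps a leaked wp-config.php inside that one
# database; the HOST part (e.g. localhost) refuses logins from anywhere else.
wp_user_sql() {
  db=$1 user=$2 host=$3 pass=$4
  cat <<EOF
CREATE USER '$user'@'$host' IDENTIFIED BY '$pass';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX
  ON \`$db\`.* TO '$user'@'$host';
FLUSH PRIVILEGES;
EOF
}

# grant_too_broad "GRANT ..." -> exit 0 if the grant covers every database
# Feed it the lines of SHOW GRANTS FOR CURRENT_USER() run with the WordPress
# credentials. The "GRANT USAGE ON *.*" line exists for every account and
# confers nothing, so it is not counted.
grant_too_broad() {
  case $1 in
    'GRANT USAGE ON *.* '*) return 1 ;;
    *' ON *.* '*)           return 0 ;;
  esac
  return 1
}

# Constructed sample of SHOW GRANTS output, for a stand-alone run.
SAMPLE_GRANTS="GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION
GRANT USAGE ON *.* TO 'wpuser'@'localhost'
GRANT SELECT, INSERT, UPDATE, DELETE ON \`wpdb\`.* TO 'wpuser'@'localhost'"

# Placeholder values; replace them before piping into the mysql client.
wp_user_sql wpdb wpuser localhost 'CHANGE-ME'
printf '%s\n' "$SAMPLE_GRANTS" | while IFS= read -r line; do
  if grant_too_broad "$line"; then
    echo "TOO BROAD: $line"
  else
    echo "ok:        $line"
  fi
done
```

Usage: call wp_user_sql with your own values and pipe its output into the mysql client as root, then point wp-config.php at the new credentials. To verify an existing install, log in with the credentials from wp-config.php, run SHOW GRANTS FOR CURRENT_USER(), and pass each line to grant_too_broad; the only line allowed to mention *.* is the USAGE one.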
[...] Blogsecurity whitepaper on wordpress security: http://blogsecurity.net/wordpress/wordpress-security-whitepaper/ [...]
[...] Blogsecurity.net paper » blogsecurity.net/wordpress/wordpress-security-whitepaper/ 02. Sherif Elsisi for written » [...]
[...] the BlogSecurity guys have produced a PDF called “How to Secure Wordpress” or “Como asegurar Wordpress” in [...]
I use Wordpress 2.3.2 and in your white paper you say:
Now you need to replace two other values in this table: wp_usermeta.
The values wp_autosave_draft_ids and wp_user_level for the field meta_key need to be changed to the new prefix: 4i32a_autosave_draft_ids and 4i32a_user_level.
It should read
Now you need to replace three other values in this table: wp_usermeta.
The values wp_capabilities, wp_autosave_draft_ids and wp_user_level for the field meta_key need to be changed to the new prefix: 4i32a_capabilities, 4i32a_autosave_draft_ids and 4i32a_user_level.
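The three meta_key values listed in this comment (capabilities, autosave_draft_ids, user_level) are all built from the table prefix, so the rename can be expressed generically instead of key by key. The following shell script is an added example, not part of the whitepaper or of this comment: it prints the RENAME TABLE statements for whatever tables the mysql client lists and then the row updates. It goes one step beyond the comment by also rewriting the user_roles row in the options table, which WordPress keys by prefix as well; that addition is mine, so check it against your version. The prefixes wp_ and 4i32a_ are the comment’s own sample values, and the table list below is constructed.

```shell
#!/bin/sh
# Added example, not from the whitepaper: emit the SQL for a table-prefix
# change. Table names come from `mysql -N -e "SHOW TABLES LIKE 'wp\_%'"`
# (or, as below, from a constructed list) so nothing is hard-coded.

# rename_tables_sql OLD NEW   (table names, one per line, on stdin)
rename_tables_sql() {
  old=$1 new=$2
  while IFS= read -r tbl; do
    case $tbl in
      "$old"*) printf 'RENAME TABLE `%s` TO `%s%s`;\n' "$tbl" "$new" "${tbl#"$old"}" ;;
    esac
  done
}

# prefix_rows_sql OLD NEW -> UPDATE statements for rows whose values embed the prefix.
# usermeta: every meta_key that starts with the old prefix (capabilities,
#   user_level, autosave_draft_ids, ...). Tables are addressed by their NEW
#   names, so run this after the RENAME statements.
# options: the user_roles row, which WordPress also keys by prefix (my addition).
prefix_rows_sql() {
  old=$1 new=$2
  cat <<EOF
UPDATE \`${new}usermeta\`
   SET meta_key = CONCAT('$new', SUBSTRING(meta_key, LENGTH('$old') + 1))
 WHERE LEFT(meta_key, LENGTH('$old')) = '$old';
UPDATE \`${new}options\`
   SET option_name = '${new}user_roles'
 WHERE option_name = '${old}user_roles';
EOF
}

# Constructed table list standing in for SHOW TABLES output.
SAMPLE_TABLES='wp_options
wp_usermeta
wp_users
unrelated_table'

printf '%s\n' "$SAMPLE_TABLES" | rename_tables_sql wp_ 4i32a_
prefix_rows_sql wp_ 4i32a_
```

Review the printed statements, run them against the WordPress database with an account that may rename tables, and then set $table_prefix in wp-config.php to the new value; until that last step is done the site cannot find its tables.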
[...] blogsecurity.net there’s an article on how to secure Wordpress. It’s very well documented but I ran into one difference. They [...]
Has anyone run across not being able to edit posts after doing all the security steps?
[...] page with a great white paper on how to secure Wordpress with some “must-have”-plugins. http://blogsecurity.net/wordpress/wordpress-security-whitepaper/ Seems to be really [...]
Great paper, full of interest.
Great job.
I’ve one newbie question: is there a way to restrict blog access to defined users?
Thanks a lot
[...] found an amazing resource in blogsecurity.net for securing my blog. I downloaded their whitepaper on Wordpress security and followed a lot of the steps to help secure my blog. I changed user permissions and other things [...]
Thank you for sharing the enormous resource on securing WP installations. My site was recently hacked and I have learnt a lot from your whitepaper.
All the best.
Ash
[...] and I came across a very useful WordPress security whitepaper that you can download from blogsecurity.net for free. It is technical but I recommend that anyone who owns a WordPress blog to read it because [...]
[...] How to secure your Wordpress blog [...]
[...] a plugin to secure your admin pages, Donncha O Caoimh details other ways to secure your blog, and Blog Security’s Whitepaper on securing your blog is [...]
This whitepaper is problematic and confusing. I wouldn’t recommend it.
Matt, you say that like we care?
Phil has been working on a newer “less-confusing” version - let’s keep in mind this is version 1.
Thanks for such a nice guide! I tried implementing the htaccess file recommended for the wp-includes directory. The only thing that seemed to stop working was the default WP editor (I think it’s tinymce). What “specific” php files would we have to add and what would the context look like?
Also I can’t seem to get the part working about applying a password to the wp-admin directory. I’m using cPanel to apply the password instead of the manual instructions. Has anyone else gotten this to work?
Hi Mike,
Nick wrote some time ago how to fix this problem on his page.
But we now recommend the tip given by AskApache instead.
These changes will also be covered in the upcoming release of the whitepaper.
Just to bring everything back into this post for everyone, the tip that Philipp was referring to was to use the following text to replace the whitepaper’s recommended htaccess file content for wp-content and wp-includes:
RewriteEngine On
# exempt requests whose query string contains "error"
RewriteCond %{QUERY_STRING} !error
# direct request for a .php file under wp-includes or wp-content
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /(wp-includes|wp-content)/(.+)\.php\ HTTP/
RewriteRule .* - [F]
I know that was listed as an example, but is that what you’ll be adding into the upcoming version of the whitepaper?
Also regarding locking down the admin directory, there is AskApache’s Password Protect plugin.
I think that covers it. Let me know if I’ve missed anything…
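To see what the two RewriteCond lines in Mike’s comment actually match before relying on them, the following shell script is an added example (not from the whitepaper, from AskApache or from the comment) that replays request lines through the same pattern. The request lines and query strings are constructed for the demonstration; only the regular expression is taken from the rule.

```shell
#!/bin/sh
# Added example, not from the whitepaper: replay request lines through the
# pattern used in the RewriteCond on %{THE_REQUEST} to see which ones the
# rule would answer with 403.

# Same expression as the .htaccess rule, minus Apache's backslash-escaped spaces.
BLOCK_RE='^[A-Z]{3,9} /(wp-includes|wp-content)/(.+)\.php HTTP/'

# blocked REQUEST_LINE QUERY_STRING -> exit 0 if the rule fires
blocked() {
  req=$1 qs=$2
  # RewriteCond %{QUERY_STRING} !error : any query string containing "error" is exempt
  case $qs in
    *error*) return 1 ;;
  esac
  # RewriteCond %{THE_REQUEST} ...: THE_REQUEST is the raw request line,
  # query string included, so ".php HTTP/" must appear verbatim.
  printf '%s\n' "$req" | grep -Eq "$BLOCK_RE"
}

# Constructed request lines; the column after "|" repeats the query string.
while IFS='|' read -r req qs; do
  if blocked "$req" "$qs"; then
    echo "403  $req"
  else
    echo "pass $req"
  fi
done <<'EOF'
GET /wp-includes/js/tinymce/tiny_mce_config.php HTTP/1.1|
GET /wp-content/themes/k2/style.css HTTP/1.1|
GET /wp-content/plugins/example/page.php?error=1 HTTP/1.1|error=1
GET /wp-content/plugins/example/page.php?p=1 HTTP/1.1|p=1
EOF
```

The first line is refused and the second passes, as intended. The last two pass for different reasons and are the caveats to keep in mind: the third because of the !error exemption, which applies to any query string containing that substring, and the fourth because THE_REQUEST carries the query string, so the pattern’s ".php HTTP/" only matches requests with no parameters at all. %{REQUEST_URI} holds the path without the query string, so if the intent is to refuse every direct .php request regardless of parameters, that is the variable to test against.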
Yes, as many things have changed around these topics, we’ll cover the changes and for sure mention the easier ways as well. Why struggle with the hard things if there’s something easier that does the same?
[...] to the effort of Samuel Aguilera we’re able to announce the instant availability of the Whitepaper and the ModSecurity Paper in Spanish. The translation is es_ES, but should be understandable as [...]
[...] months ago we talked about Wordpress Security Whitepaper, a PDF document created by the people at blogsecurity.net with some tips for securing our WordPress installation; today I learn via SigT that [...]
[...] which is about security for wordpress. It is a PDF document created by the gentlemen at blogsecurity.net with tips for the installation of our [...]
[...] really it is a tutorial that every WordPress user should read and keep at hand: WordPress Security Whitepaper (PDF), a complete guide of tips to keep in mind to reduce the vulnerabilities of the CMS [...]
Great material!! Can’t get enough of Wordpress security (and web application security in general).
Thanks.
Hey, I’d love to help out in some way dealing with the .htaccess aspect.. I have some good ideas but the comments aren’t the right forum for discussion.
Keep me updated with any new whitepapers, you guys rock!
[...] WordPress Security Whitepaper (tags: wordpress security blog) [...]
[...] and as long as you take action immediately, you’ll probably be OK. Check out this site about Wordpress security for more on how to secure your blog from hackers. I’ve not implemented all the measures I [...]
Let’s start moving to version 2 guys, it’s well overdue!
[...] out more information at the WordPress Whitepaper HomePage. [...]
[...] WordPress Security White Paper, or WordPress Security Whitepaper in English, produced by BlogSecurity. In this April revision some sections have been added and the [...] have been improved and updated [...]
[...] about their blog’s security and want to lock things down past the default configuration, the WordPress Security Whitepaper is worth a read. Note that it is quite technical, so if things like .htaccess and using SQL make [...]
[...] A whitepaper on how best to secure Wordpress. You can follow the releases of this WhitePaper on BlogSecurity. [...]
[...] latest, was reported today by BlogSecurity (which has, incidentally, just updated its recommendable security guide for WordPress installations). As you can read on the site, or in the original advisory published [...]
[...] about security, BlogSecurity updated their great WordPress Whitepaper, a PDF that teaches how to secure your WordPress blog, a must [...]
[...] the well written and informative WordPress Whitepaper from Blog Security recently, I remembered the bag on the stage. Three days later, all I can remember from the paper, [...]
[...] one might interest you: BlogSecurity
[...] Security recently updated its popular WordPress Whitepaper which reports on security issues and problems with WordPress. It includes tips and step-by-step [...]
[...] already mentioned the WordPress Security Whitepaper created by [...]
[...] WordPress Security Whitepaper (tags: wordpress) [...]
[...] READ THIS WHITEPAPER ON MAKING WORDPRESS SECURE. Thanks to stuntdubl for the [...]
[...] Blog Security [...]
I didn’t understand the “Password Required” thing. Isn’t the point of login to give user access to wp-admin already?
[...] version of this ebook came out during April; don’t hesitate to download revision 1.2 [...]
[...] 9 easy ways to secure your WordPress Blog http://www.simplehelp.net/2007/09/10/9-ways-to-secure-your-wordpress-blog/ WordPress Security White Paper http://blogsecurity.net/wordpress/wordpress-security-whitepaper/ [...]
[...] WordPress Security Whitepaper - a good overview of how to secure a self-hosted WordPress blog [...]
[...] have discussed before in our WordPress Whitepaper that the file upload facility should be restricted to trusted users only. [...]
Thanks so much for this nice guide! I have learnt a lot from your whitepaper.
[...] WordPress Security Whitepaper [...]
[...] BlogSecurity also offers a WordPress Security Whitepaper which has detailed information about securing your Wordpress installation. Read more here. [...]
[...] to keep your wordpress blog secure. June 14th, 2008 Just so you guys know, this is not going to make any wordpress blog secure, it will however allow less people being able to [...]
[...] Read the Wordpress Security White Sheet [...]
[...] I suggested in this discussion on the GT forum, reading BlogSecurity’s WordPress Security Whitepaper is an excellent starting point for analysing all the possible security issues of [...]
[...] has the dial tuned closer to the paranoid end of the spectrum, then check out Blog Security’s WordPress Security Whitepaper, which lists out many things you can do to lock down your self-hosted blog, and keep out the [...]
[...] here is a free report, actually a White Paper on creating a secure WordPress install. Seems to be current, as the latest revision at the time of writing this post was April 2008. Keep in [...]
[...] install blogging platforms such as WordPress, Movable Type, etc. all the time, but how many take additional steps to harden their installations? The concept is the same as the OS hardening analogy I brought up at [...]
[...] WordPress Security Whitepaper (BlogSecurity) Thorough evaluation of the security of WordPress. Must read. (tags: security web) [...]
The only way I found out my blog had been ‘hacked’ was that my Adsense ads reflected the ‘thousands’ of bad news links that had been added to my Footer code rather than the usual dog training stuff.
I admit to having been mortified and now upgrade to the latest WP version ASAP.