10 Common WordPress Security Questions

1) Why do I receive comment spam even if I only allow registered users to comment

Obviously if you don’t require registration to comment then the bots can easily spam you, but if you only allow registered users to comment then your spam problems are probably caused by one (or both) of these: A) the spammers register, then set up a spam bot to log in with that user name and comment, or B) the spam bots skip the comment feature altogether and use trackbacks to spam you.

More often than not trackbacks are the cause of comment spam. It is something many bloggers don’t even think about, and heck I didn’t think about it until it happened to me.

Plus there are probably a few ways to beat the registration system anyways.

2) How do I stop comment spam?

Instead of forcing users to register and disabling the trackback features I would recommend getting an anti-spam plugin. This blog uses Spam Karma 2.

3) How should I go about backing up my WordPress data?

You can either back it up manually using something like phpMyAdmin or you can get a plugin such as WP-DB-Backup.

4) Do plugins create a security risk?

If you use a poorly written plugin then yes, you do have a security risk. However, most plugins that are listed on the WordPress plugins page are very well written.

If you do suspect a plugin is causing issues then why not ask the Google Gods about it?

5) What is the best way to recover from a server-attack?

Befriend your server’s administrators before the attack. Oh and always keep backups. If you are using a shared hosting plan then your host will probably have fairly recent (only a few hours old) backups of your entire site. In that case don’t worry about uploading your backup and let them do their job. However, if they find that one of your installed plugins or WordPress itself caused the issue then be afraid, be very afraid.

If you have a dedicated or semi-dedicated server then your host will most likely also have a full backup.

As always do not ever fully depend on anyone else to do backups of your stuff, always have your own copy just in case.

6) Does open registration create any potential risks?

Of course it does. If you get a malicious user they will try whatever it takes to break in. WordPress does have a few annoying flaws - for example allowing contributors to view comments, thus displaying other users’ IP addresses. Most of these flaws have solutions, thankfully.

The main thing you should do is just keep an eye on any users you think might be up to no good, and if you do see them doing something bad then either warn or ban them.

7) Do I have to upgrade to new versions of WordPress?

If you want to be as secure as possible then yes, you should. Do you have to? No. Technically you don’t have to do anything. (Please don’t sue me if you stop breathing and faint.)

8) Where can I find a list of known bugs?

At the official WordPress bug tracker.

9) How do user roles and capabilities work?

In a nutshell there are five different user levels. From lowest-level to most-powerful they are: subscriber, contributor, author, editor, and administrator.

Subscribers do exactly what it sounds like - they subscribe to your blog. This is the default user level for new users. The only capabilities they have are the ability to post comments and read posts. Contributors are slightly more powerful. Unlike subscribers they have the ability to edit posts (they can create posts but they can’t publish them, and they can only edit their own posts).

The next level, author, lets users do all of the above as well as upload files and publish their own posts.

Finally we get to the editor, which is just one stepping stone down from administrator. The editor has the ability to add pages, edit pages, manage link lists, moderate comments, and also edit posts, upload files, etc.

Last but not least is the administrator, who can do anything he/she/it feels like doing.

You can access the full WordPress document on roles and capabilities by clicking here.

10) What are some WordPress bugs/features that may cause problems?

Well for starters you can access a WordPress blog’s installed plugin files by typing their URL directly. Most plugins rely on the WordPress API to work correctly, so you will usually just get a bunch of PHP errors if you execute one directly, but if you have any of those few select “standalone” plugins this flaw can possibly cause serious damage.
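The usual defence against the direct-execution problem described above is to make the plugin file refuse to run unless WordPress loaded it, and to gate any real action behind a capability check and a nonce. The following is an added example, not code from the original post; the plugin name, the `logcleaner_*` identifiers and the log file path are hypothetical.

```php
<?php
/*
Plugin Name: Log Cleaner (added example of a hardened "standalone" plugin)
*/

// Guard 1: bail out when this file is requested directly by URL
// (e.g. wp-content/plugins/log-cleaner/log-cleaner.php) instead of being
// loaded by WordPress. Outside of WordPress, ABSPATH is never defined.
if ( ! defined( 'ABSPATH' ) ) {
    header( 'HTTP/1.1 403 Forbidden' );
    exit;
}

// Guard 2: even when loaded by WordPress, the destructive action only runs
// for users with manage_options (administrators) and a valid nonce.
add_action( 'admin_post_logcleaner_purge', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }
    check_admin_referer( 'logcleaner_purge' );

    $log = WP_CONTENT_DIR . '/logcleaner-example.log'; // hypothetical path
    if ( file_exists( $log ) ) {
        unlink( $log );
    }
    wp_safe_redirect( admin_url( 'tools.php?page=logcleaner&purged=1' ) );
    exit;
} );

// The Tools page with the button that triggers the action. The form posts to
// admin-post.php and carries the nonce that check_admin_referer() verifies.
add_action( 'admin_menu', function () {
    add_management_page( 'Log Cleaner', 'Log Cleaner', 'manage_options', 'logcleaner', function () {
        echo '<div class="wrap"><h1>Log Cleaner</h1>';
        echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
        echo '<input type="hidden" name="action" value="logcleaner_purge">';
        wp_nonce_field( 'logcleaner_purge' );
        submit_button( 'Purge log' );
        echo '</form></div>';
    } );
} );
```

Requesting the file by its URL now yields an empty 403 instead of running the purge, and the purge itself cannot be triggered without an administrator session and a fresh nonce.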

There is also a bit of a bug with the way WordPress handles the comment manager for lower-level users. By default a contributor can view comments in the administration panel. This is a huge security concern because your users’ e-mail addresses and IP addresses are all displayed there. This is the same issue I talked about in question #6. The fix is available here.
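One way to close the contributor-sees-comments hole from question #6 and above, using the capability system from question #9: gate the comment screens on the `moderate_comments` capability, which out of the box only editors and administrators hold. This is an added example, not the fix the post links to; it assumes the file is dropped into `wp-content/mu-plugins/`, and the `HCFC_CAP` constant name is mine.

```php
<?php
/*
Plugin Name: Hide Comments From Contributors (added example)
Description: Keeps the comment manager, and the e-mail and IP addresses it shows,
away from users who lack the moderate_comments capability.
*/

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Capability used as the gate: editors and administrators have it,
// subscribers, contributors and authors do not.
const HCFC_CAP = 'moderate_comments';

// 1) Remove the "Comments" entry from the admin sidebar.
add_action( 'admin_menu', function () {
    if ( ! current_user_can( HCFC_CAP ) ) {
        remove_menu_page( 'edit-comments.php' );
    }
} );

// 2) Remove the comments bubble from the admin toolbar.
add_action( 'admin_bar_menu', function ( $wp_admin_bar ) {
    if ( ! current_user_can( HCFC_CAP ) ) {
        $wp_admin_bar->remove_node( 'comments' );
    }
}, 999 );

// 3) Remove the dashboard widget that lists recent comments with commenter details.
add_action( 'wp_dashboard_setup', function () {
    if ( ! current_user_can( HCFC_CAP ) ) {
        remove_meta_box( 'dashboard_recent_comments', 'dashboard', 'normal' );
    }
} );

// 4) Hiding menu entries is not enforcement: also refuse the screen itself
//    when a lower-level user requests edit-comments.php by URL.
add_action( 'admin_init', function () {
    global $pagenow;
    if ( 'edit-comments.php' === $pagenow && ! current_user_can( HCFC_CAP ) ) {
        wp_die( 'You are not allowed to view comments.', 'Forbidden', array( 'response' => 403 ) );
    }
} );
```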

Trackbacking, which I already discussed above, can be a way for spammers to steal page rank from your blog. If you experience a lot of issues with it then you may want to look into disabling it in the options panel.
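If you decide to go further than the per-post option and switch trackbacks and pingbacks off site-wide, the following mu-plugin does it in code. It is an added example, not something from the original post; it assumes the file lives in `wp-content/mu-plugins/` and the plugin name is mine.

```php
<?php
/*
Plugin Name: Disable Trackbacks and Pingbacks (added example)
Description: Turns off trackbacks and pingbacks for every post, removes the
XML-RPC pingback method, and drops any trackback that still arrives.
*/

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// 1) Close pings on every post, overriding the per-post
//    "Allow trackbacks and pingbacks" checkbox.
add_filter( 'pings_open', '__return_false', 20, 2 );

// 2) Remove the pingback methods from XML-RPC so remote blogs cannot ping this one.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 3) Stop advertising the XML-RPC endpoint in the X-Pingback response header.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 4) Belt and braces: if a trackback or pingback is still submitted
//    (wp-trackback.php or xmlrpc.php), reject it before it is saved.
add_filter( 'preprocess_comment', function ( $commentdata ) {
    $type = isset( $commentdata['comment_type'] ) ? $commentdata['comment_type'] : '';
    if ( 'trackback' === $type || 'pingback' === $type ) {
        wp_die( 'Trackbacks and pingbacks are not accepted on this site.', 'Rejected', array( 'response' => 403 ) );
    }
    return $commentdata;
} );
```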

Other than that I cannot think of any more major security problems…

Please subscribe, or else I will cry. Do you really want to make a programmer cry?

6 Comments

  1. Pozycjonowanie Says:

    Someone else below asked this already.
    I am getting nailed with spam in my website for our blog website. Is there any way to stop this? If not, there really isn’t any point in leaving it up and active. Any help will be greatly appreciated. http://www.profesjonalna-reklama.pl

    Thanks. Keep up the good work. Greetings from Poland

  2. Jeremy Says:

    I am not exactly sure what type of services WordPress.com offers for spam prevention. From what I have heard about wordpress.com it seems like they have been fairly clean from comment spam.

    They do have user forums there so perhaps you could leave them a message.

    Thanks for reading,
    Jeremy

  3. Nusuni.com - Helping webmasters everyday» Blog Archive » What Is Your Definition Of Comment Spam? Says:

    […] 10 Common WordPress Security Questions 5 WordPress Plugins That Have Saved My Life […]

  4. Nusuni.com - Helping webmasters everyday» Blog Archive » How Often Do You Backup Your Blog? Says:

    […] 10 Common WordPress Security Questions […]

  5. rolety Says:

    Where can I find a list of known bugs?

  6. Jeremy Steele Says:

    http://trac.wordpress.org/report/1?sort=status&asc=1 is the official list of bug/defect reports.
