Category Archives: Security

Disabling the WordPress File Editor

The problem with the WordPress file editor is that it allows users to run PHP code on your site.  Anytime a user is able to run their own code, this presents a security risk.  If an insecure admin account is hacked, the WordPress file editor is the gateway through which a full-fledged attack can be carried out.

Finding the WordPress File Editor

[Image: WordPress File Editor]

The WordPress file editor can be a great tool because it allows you to make changes to theme and plugin files on your site directly from the WordPress administration area.  Most of the time, people who utilize this tool will edit their theme’s style.css file in order to make tweaks to their site.  That convenience cuts both ways.  We will go into the issues with the file editor in the next section, but right now I want to point out where it is so you can know if it is enabled on your site.

Finding the file editor is pretty simple.  Log in to the administration area of your site and expand the ‘Appearance’ and ‘Plugins’ menu items by clicking on the arrow that appears on the right-hand side when you hover over the menu items.  If the word ‘Editor’ appears in either of these menus, then you know that the WordPress file editor is active on your site.

Concerns and Security Risks

As I mentioned earlier, the WordPress file editor is a great tool, but there are a few big reasons why you may want to disable it on your site.

WordPress users can mess things up. You do have to have administrative permissions to be able to view and use the file editor, but just because you are an administrator doesn’t mean you know what you are doing.  WordPress web designers and developers will likely want to disable the theme and plugin editor for their clients in order to prevent them from messing with things that they don’t understand.  Web designers may not want the client making CSS changes to the theme because their client doesn’t understand the importance of cross-browser compatibility.  Web developers may want to block this feature because inserting a single character in the wrong place in a PHP file can crash the site.

It is a gateway for hackers. WordPress is a secure platform, but users are often the weak link.  Most people don’t think about it, but your WordPress admin account is only as secure as you make it.  Let’s say a hacker knows your username and is able to crack your password.  Now they have full admin access to your WordPress site.  Where would they go to gain more access?  Yep… the WordPress file editor.  The file editor will allow them to run scripts to upload destructive files, email all your users, access your database, you name it.

Is disabling the file editor the answer?  If you don’t use it anyway, definitely.  If you do use it, just make sure you take enough precautions with site security so that you are the only one who ever sees it.

Disabling the File Editor

So if you agree with me that disabling the file editor is a good idea, you will be pleased to know that it is extremely simple to do.  Just add this line of code to your wp-config.php file:

define('DISALLOW_FILE_EDIT', TRUE);

Yep, that’s it!  Just one measly line of code can stand in the way of you and trouble… go ahead and add it right now.  It only takes 5 minutes. 🙂

http://codex.wordpress.org/Editing_wp-config.php#Disable_the_Plugin_and_Theme_Editor
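An added example, not code from the post or from WordPress itself, showing how to audit a wp-config.php for the line above rather than trusting that it was added: it finds a live define() of DISALLOW_FILE_EDIT, ignores a commented-out one, and treats the value the way WordPress does (only truthiness matters). The sample configs are constructed here; the assumption that the constant is set with a one-line define(), as in the post, is stated in the code.

```python
import re

# Matches a live (uncommented) define() of DISALLOW_FILE_EDIT at the start of a
# line and captures the value it is set to. Assumption: the constant is set with
# define(...) on one line, as in the post; a define() inside a /* */ block
# comment would still be matched.
_DEFINE_RE = re.compile(
    r"""^[ \t]*define[ \t]*\([ \t]*['"]DISALLOW_FILE_EDIT['"][ \t]*,[ \t]*([^)]+?)[ \t]*\)[ \t]*;""",
    re.MULTILINE,
)

def _php_truthy(literal: str) -> bool:
    """Interpret the PHP literal as WordPress does: it only tests the constant for truthiness."""
    value = literal.strip().lower()
    return value not in ("false", "null", "0", "''", '""')

def file_editor_disabled(config_text: str) -> bool:
    """True only if this wp-config.php text disables the theme/plugin editor."""
    values = [m.group(1) for m in _DEFINE_RE.finditer(config_text)]
    if not values:
        return False   # never defined: the editor stays enabled
    # PHP keeps the first define() of a constant; a later one only raises a warning.
    return _php_truthy(values[0])

# Constructed sample configs (not real site files) covering the cases an audit meets.
SAMPLES = {
    "hardened": "<?php\ndefine('DB_NAME', 'example_db');\ndefine('DISALLOW_FILE_EDIT', TRUE);\n",
    "default": "<?php\ndefine('DB_NAME', 'example_db');\n",
    "commented_out": "<?php\n// define('DISALLOW_FILE_EDIT', true);\n",
    "set_false": "<?php\ndefine( 'DISALLOW_FILE_EDIT', false );\n",
    "double_quotes": '<?php\ndefine("DISALLOW_FILE_EDIT", true);\n',
    "numeric": "<?php\ndefine('DISALLOW_FILE_EDIT', 1);\n",
}

def audit_samples() -> dict:
    """Map each sample name to whether its file editor is disabled."""
    return {name: file_editor_disabled(text) for name, text in SAMPLES.items()}

def audit_file(path: str) -> bool:
    """Audit a real wp-config.php on disk."""
    with open(path, encoding="utf-8") as fh:
        return file_editor_disabled(fh.read())

if __name__ == "__main__":
    for name, disabled in audit_samples().items():
        print(f"{name:14s} editor {'disabled' if disabled else 'ENABLED'}")
```

Point audit_file() at your own wp-config.php to check a live site; anything other than a truthy, uncommented define() leaves the editor enabled.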


Securing your WordPress Admin Accounts

On its own, WordPress is a very secure platform.  However, when you start introducing third party software and people into the system, this can change.  Today we are going to go over some good policies that every site administrator should put into place.

Don’t Give Away Your Username

Obviously, if someone knows the username you use to log in to your site, all they have left is to guess your password.  It used to be that WordPress automatically assigned the ‘admin’ username to the administrator when a site was created.  If for any reason your username is set to ‘admin’ you will want to change it.

WordPress won’t allow you to change your username after the fact, so you will have to follow these steps to fix it:

  1. Log into your administrator account.
  2. Create a new administrator account with a secure username.
  3. Log in using the new administrator account.
  4. Delete your old administrator account.
  5. When asked what to do with the content created by the old user, assign everything to the new user.

[Image: Changing your display name in WordPress profile settings]

Beyond just avoiding using ‘admin’ as your username, you will need to prevent WordPress from displaying your username on the front of the site.  By default, your username is displayed on the front end of the site for all the posts that you have authored.  This is done because the username is required during user creation and not all users have assigned another name to appear on the site.  Thankfully, WordPress allows you to display the name of your choice on the front end of the site.  The image above illustrates the last step in this process:

  1. Log in to your administrator account.
  2. In the menu on the left, go to ‘Users’ -> ‘Your Profile’.
  3. Enter in a nickname that is different from your username.
  4. In the ‘Display name publicly as’ dropdown, select your nickname.

If you don’t mind displaying your real name on the site, you can always display that as well.  Keep in mind that if your username was being displayed on the site before, you will want to follow the aforementioned steps for changing the username for your admin account.
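An added example, not from the post, that turns the two checks above (no ‘admin’ login, and no username shown on the front end) into an audit over a list of user profiles. The profile fields used (user_login, display_name, nickname) are the real WordPress ones; the sample accounts are constructed here.

```python
def audit_users(users):
    """Return {login: [problems]} for accounts that expose or weaken the login name.

    `users` is a list of dicts carrying the WordPress profile fields user_login,
    display_name and nickname (constructed below, not read from a live site).
    """
    findings = {}
    for user in users:
        login = user["user_login"]
        problems = []
        if login.lower() == "admin":
            problems.append("default 'admin' login: create a new administrator, log in as it, "
                            "delete this account and reassign its content to the new user")
        # WordPress shows display_name on authored posts, so it must not be the login.
        if user.get("display_name", login) == login:
            problems.append("display name equals the login, so every authored post "
                            "shows the username on the front end")
        if user.get("nickname", login) == login:
            problems.append("nickname still matches the login; set a different one "
                            "and pick it under 'Display name publicly as'")
        if problems:
            findings[login] = problems
    return findings

# Constructed sample accounts.
SAMPLE_USERS = [
    {"user_login": "admin", "display_name": "admin", "nickname": "admin"},
    {"user_login": "jsmith", "display_name": "jsmith", "nickname": "jsmith"},
    {"user_login": "site_owner_7", "display_name": "Jane", "nickname": "Jane"},
]

if __name__ == "__main__":
    for login, problems in audit_users(SAMPLE_USERS).items():
        for problem in problems:
            print(f"{login}: {problem}")
```

Only the third account passes: its login is not ‘admin’ and neither its nickname nor its public display name reveals the login.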

Use Secure Passwords

All too often people use insecure passwords because they are easy to type or easy to remember.  Here are a few pointers on secure passwords:

  1. Never use obvious or easy-to-guess passwords.  ‘Password’ or your pet’s name should definitely be marked off the list.  Also, don’t use the name of your spouse, parts of your address or other personal information like your birthdate.
  2. Don’t use a password across multiple accounts.  If someone were to gain access to your password for one account it would compromise all of your other accounts.  When I use the word ‘accounts’ here, I mean any website where you might have a username and password.
  3. Make your password long enough. The shorter your password is, the more likely a hacker will be able to crack it.  As a password gets longer, it becomes exponentially more difficult to crack.  Eight characters should be the minimum here.
  4. Mix up your characters. Don’t just use all letters or numbers, or even all upper or lowercase for that matter.
  5. Actually change your password occasionally.
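An added example, not from the post, that applies the five pointers above as a password check: obvious words and personal information, reuse across accounts, the eight-character minimum, character mix, and age. The blocklist, the three-class mix threshold and the 180-day rotation window are assumptions chosen for the example (the post only says "occasionally"), and the sample passwords are constructed.

```python
import re
from datetime import date

MIN_LENGTH = 8          # the minimum the post recommends
MAX_AGE_DAYS = 180      # assumed rotation window; the post only says "occasionally"
# A small constructed blocklist of obvious choices; a real deployment uses a large one.
OBVIOUS = ("password", "admin", "wordpress", "letmein", "welcome", "qwerty", "123456")

def check_password(password, personal_info=(), other_passwords=(), last_changed=None, today=None):
    """Return the list of pointers the password violates (an empty list means it passes).

    personal_info: strings such as a pet's name, spouse's name, street or birth year.
    other_passwords: passwords used on other accounts, to catch reuse (plain strings
    here for illustration; a real check compares against stored hashes).
    """
    problems = []
    lowered = password.lower()
    # 1. obvious words and personal information
    if any(word in lowered for word in OBVIOUS):
        problems.append("contains an obvious word")
    for item in personal_info:
        if len(item) >= 3 and item.lower() in lowered:
            problems.append(f"contains personal information ({item})")
    # 2. reuse across accounts
    if password in other_passwords:
        problems.append("already used on another account")
    # 3. length
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # 4. character mix: assumed threshold of three of the four classes
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("uses fewer than three kinds of character")
    # 5. age since the last change
    if last_changed is not None:
        age = ((today or date.today()) - last_changed).days
        if age > MAX_AGE_DAYS:
            problems.append(f"not changed for {age} days")
    return problems

def run_samples():
    """Evaluate constructed sample passwords; returns {label: problems}."""
    info = ["Fluffy", "1985"]   # constructed pet name and birth year
    return {
        "obvious": check_password("Password1", info),
        "pet_name": check_password("fluffy2020", info),
        "reused": check_password("Xk7#pqL2!v", info, other_passwords=("Xk7#pqL2!v",)),
        "stale": check_password("Xk7#pqL2!v", info,
                                last_changed=date(2020, 1, 1), today=date(2021, 1, 1)),
        "good": check_password("k9$Tv!mQ2xLp", info,
                               last_changed=date(2021, 1, 1), today=date(2021, 3, 1)),
    }

if __name__ == "__main__":
    for label, problems in run_samples().items():
        print(f"{label:9s} {'OK' if not problems else '; '.join(problems)}")
```

Each sample trips exactly the pointer it was built to illustrate, and the last one passes all five.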