In recent weeks WordPress security, or more correctly the lack of it, has been getting a lot of attention. Most people treat this as a site maintenance issue, but it has implications for your SEO efforts. In this post I’ll explain why, and look at some things you can do to protect yourself and reduce the damage.
From a security standpoint WordPress has always been a piece of Swiss cheese, full of holes, and as it grows in popularity it is attracting the attention of attackers at an alarming rate. In June of 2009 WordPress released version 2.8.0; four months later we’re at 2.8.4, which is four security-related point releases in four months. While WordPress has always been very quick to issue patches, it has done very little to keep these holes from shipping in the first place. In this author’s opinion that is nothing less than gross incompetence on WordPress’s part. Worse, it is a top-down failure of the entire development team and isn’t likely to change anytime soon, so it’s imperative you understand the problem and all of its implications.
From a pure SEO perspective, the optimal WordPress setup is to run it in a subfolder of the main site (http://example.com/blog), as this consolidates any inbound link equity into your main domain, increasing your overall trust and authority. From a security standpoint this is the most dangerous setup, because many publishers point WordPress at the same database, and even the same database user, that holds their main site’s customer, product and transaction records. If a login to the admin panel is compromised, the attacker has access to all of that data: an administrator can install a plugin such as phpMyAdmin and then browse, copy, modify or delete every table the WordPress database user can reach, scary I know. It gets worse. WordPress administrators can edit theme and plugin files from the dashboard (unless you switch the editors off by defining DISALLOW_FILE_EDIT in wp-config.php), so an attacker with admin access can run PHP of their own as the web server user, and from there read, modify or delete anything the web server can reach on the file system, potentially your entire website.
The slightly suboptimal SEO implementation consists of placing WordPress on a subdomain (http://blog.example.com). Link equity is still shared with the main domain, but not as effectively as with a subfolder. From a security standpoint you can isolate a subdomain far more effectively than a subfolder: its own virtual host, its own database and its own file permissions. The truly paranoid can even put the subdomain and its database on a completely different server or hosting company simply by pointing the subdomain’s DNS A record there. With this type of implementation you’ve traded a lot of link equity for a lot of added security.
The complete security zealots can run the blog on a completely different domain (http://exampleblog.com), which leaves almost zero chance of a WordPress hack influencing or compromising your main database or website. However this implementation is only useful in very few SEO situations: you have sacrificed almost all of the SEO value in the name of security.
It is possible to retain most of the SEO value without completely sacrificing security. Here are my tips on how to do it.
Backups: Technically backups aren’t part of security, but if something does go wrong they are your safety net. I use the WP-DB-Backup plugin to send a backup of all of my important database tables to an email account every night, so I can roll back to whatever day I want. At the end of every month I archive the backups from the 1st and the 15th and delete the rest. Two caveats: a database backup does not cover your theme, plugin and upload files, so back those up as well, or a PHP file an attacker modified will survive a database restore; and the database dump contains your users’ password hashes, so the mailbox that receives it needs to be protected as well as the blog itself.
Database Isolation: Always give WordPress its own database with its own username and password, and grant that user privileges on that database only, never on the ones holding your other records. Worst case, the only thing an attacker can do is wreck your WP blog database, and as long as you have the backups you can minimize the damage to your blog.
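The isolation above is only as good as the grants actually on the MySQL server, and those drift over time. The following is an added example, not code from this post or from WordPress, that parses the output of MySQL’s SHOW GRANTS and flags any user who can reach a database other than its own. The three users and their grants are constructed for the example; the `wp_blog` user shows the grant you want (all privileges on its own database and nothing else), the `shop` user shows the mistake the text warns about.

```python
import re

# Constructed sample input: what `SHOW GRANTS FOR 'user'@'host'` prints for
# three MySQL users. 'wp_blog' is what the text recommends: a user that can
# touch only the WordPress database. 'shop' is the mistake it warns about: the
# store's user has also been handed the blog tables, so either side being
# compromised exposes the other. 'root' is the worst case, a global grant.
CONSTRUCTED_GRANTS = {
    "wp_blog@localhost": [
        "GRANT USAGE ON *.* TO 'wp_blog'@'localhost'",
        "GRANT ALL PRIVILEGES ON `wp_blog`.* TO 'wp_blog'@'localhost'",
    ],
    "shop@localhost": [
        "GRANT USAGE ON *.* TO 'shop'@'localhost'",
        "GRANT ALL PRIVILEGES ON `shop`.* TO 'shop'@'localhost'",
        "GRANT SELECT, INSERT, UPDATE, DELETE ON `wp_blog`.* TO 'shop'@'localhost'",
    ],
    "root@localhost": [
        "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
    ],
}

# privilege list, then the scope: *.* (global), `db`.* or `db`.`table`
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+"
    r"(?P<scope>\*\.\*|`?[\w$]+`?\.(?:\*|`?[\w$]+`?))\s+TO\s+",
    re.IGNORECASE,
)


def parse_grant(line):
    """Split one SHOW GRANTS line into (privileges, database).

    database is '*' for a global grant.
    """
    m = GRANT_RE.match(line.strip())
    if not m:
        raise ValueError("not a GRANT statement: " + line)
    privs = [p.strip().upper() for p in m.group("privs").split(",")]
    database = m.group("scope").split(".")[0].strip("`")
    return privs, database


def foreign_access(grants, own_db):
    """Return [(database, privileges)] for every grant that reaches outside
    own_db. 'USAGE ON *.*' is MySQL's way of saying 'no privileges' and is
    ignored; ALL PRIVILEGES on own_db is fine, WordPress needs CREATE and
    ALTER there for its own upgrades.
    """
    findings = []
    for line in grants:
        privs, database = parse_grant(line)
        if database == "*" and privs == ["USAGE"]:
            continue
        if database != own_db:
            findings.append((database, privs))
    return findings


def audit(all_grants, expected):
    """expected maps 'user@host' -> the one database that user should own.
    Returns only the users that can reach anything else."""
    report = {}
    for user, own_db in expected.items():
        findings = foreign_access(all_grants[user], own_db)
        if findings:
            report[user] = findings
    return report


if __name__ == "__main__":
    report = audit(CONSTRUCTED_GRANTS,
                   {"wp_blog@localhost": "wp_blog", "shop@localhost": "shop"})
    for user, findings in report.items():
        for database, privs in findings:
            print(f"{user}: {', '.join(privs)} on {database}")
```

Run it against the real output of SHOW GRANTS for every user in the server and fix anything it reports with a REVOKE. Remember that wp-config.php holds the WordPress credentials in plain text, so the user named there is exactly the one an attacker inherits.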
Change Detection: Chances are you already have an “about” or other static information page that changes very infrequently or never changes at all. Use a service like ChangeDetection.com to monitor it and send you an email or SMS as soon as it changes. If someone injects a bunch of poker links into your footer this will let you know sooner rather than later. You can also set up a Google Alert on your domain, so that if something slips past the monitor you find out when it shows up in the index.
Block Brute Force Login Attacks: Automated programs will try username and password combinations against your login page. The Login Lockdown plugin can help: after a specified number of failed attempts from one IP address within a set time, that address is locked out for 30 minutes, and most attackers move on to an easier target. Every once in a while you will lock yourself out, typically after changing and then forgetting your password; for that you’ll need the emergency password reset script (Emergency.php) from the WordPress Codex, which lets you set a new password and get back in. If you use it, DELETE IT RIGHT AWAY, or anyone who finds it can use it to take over the site.
Limit Access With htaccess: If you’re comfortable working with .htaccess, you can restrict the admin panel to a list of IP addresses. Cover wp-login.php in the site root as well as the wp-admin directory, since the login page is what attackers actually hit. If you don’t have a static IP, travel a lot, or have authors or editors without static IPs, this won’t work for you.
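The change detection and lockout tips above are both detection logic that is easy to get subtly wrong, so here is an added example (mine, not the post’s and not the code of ChangeDetection.com or the Login Lockdown plugin) that shows both over constructed input. The first half fingerprints a static page and reports not just that it changed but whether the change looks like link injection: a hidden block or a link to a host you never link to. The second half replays a constructed login log through the lockout policy the text describes. The sample HTML, the log lines, the IP addresses and the thresholds (3 failures in 5 minutes, 30 minute lockout) are all assumptions for the example; the plugin’s real numbers are whatever you configure.

```python
import hashlib
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from urllib.parse import urlparse

# ---- change detection -------------------------------------------------

# Constructed sample pages. BASELINE is the "about" page as you published it;
# INJECTED is the same page after someone slipped a hidden block of poker
# links into the footer, the scenario the text describes.
BASELINE = """<html><body>
<div id="content"><h1>About</h1><p>We sell widgets.</p></div>
<div id="footer"><a href="http://example.com/contact">Contact</a>
&copy; 2009 Example Co.</div>
</body></html>"""

INJECTED = BASELINE.replace(
    "Example Co.</div>",
    'Example Co.<div style="display:none">'
    '<a href="http://poker.example.net/">poker</a>'
    '<a href="http://casino.example.org/">casino</a></div></div>',
)

HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE)


def fingerprint(html):
    """Hash of the page with whitespace collapsed, so a harmless re-indent
    or trailing newline does not trigger an alert."""
    canonical = re.sub(r"\s+", " ", html).strip()
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def link_hosts(html):
    """Every host linked from the page, lower-cased."""
    hosts = set()
    for href in HREF_RE.findall(html):
        host = urlparse(href).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def check_page(baseline_fp, html, allowed_hosts):
    """Alerts for one fetch of the page; [] means all clear. The fingerprint
    catches any change; the link checks say what kind of change it is."""
    alerts = []
    if fingerprint(html) != baseline_fp:
        alerts.append("page content changed")
    if HIDDEN_RE.search(html):
        alerts.append("hidden block present (classic link injection)")
    for host in sorted(link_hosts(html) - set(allowed_hosts)):
        alerts.append("link to unexpected host: " + host)
    return alerts


# ---- brute-force lockout ----------------------------------------------

MAX_FAILURES = 3          # assumed thresholds; the plugin's are configurable
WINDOW_SECONDS = 5 * 60
LOCKOUT_SECONDS = 30 * 60


class LoginLockout:
    """IP-based throttle: N failures inside the window locks the address."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(deque)  # ip -> epoch seconds of recent failures
        self.locked_until = {}              # ip -> epoch second the lock expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:                    # lock expired, start fresh
            del self.locked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def attempt(self, ip, password_ok, now):
        """'locked', 'fail' or 'ok'. A locked address is refused even with
        the right password, which is how you lock yourself out."""
        if self.is_locked(ip, now):
            return "locked"
        if password_ok:
            self.failures.pop(ip, None)
            return "ok"
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                # forget failures outside the window
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            return "locked"
        return "fail"


# Constructed login log: timestamp, client IP, result, username tried.
CONSTRUCTED_LOG = """\
2009-10-05 12:00:01 203.0.113.7 FAIL admin
2009-10-05 12:00:02 203.0.113.7 FAIL admin
2009-10-05 12:00:03 203.0.113.7 FAIL admin
2009-10-05 12:00:04 203.0.113.7 FAIL admin
2009-10-05 12:00:05 203.0.113.7 OK admin
2009-10-05 12:10:00 198.51.100.9 OK editor
2009-10-05 12:31:00 203.0.113.7 OK admin
"""


def replay(log_text, policy=None):
    """Feed a login log through the policy; one decision per line."""
    policy = policy or LoginLockout()
    decisions = []
    for line in log_text.splitlines():
        date, time_, ip, result, _user = line.split()
        now = datetime.strptime(f"{date} {time_}", "%Y-%m-%d %H:%M:%S") \
            .replace(tzinfo=timezone.utc).timestamp()
        decisions.append(policy.attempt(ip, result == "OK", now))
    return decisions


if __name__ == "__main__":
    base = fingerprint(BASELINE)
    print(check_page(base, BASELINE, {"example.com"}))   # []
    print(check_page(base, INJECTED, {"example.com"}))
    for line, decision in zip(CONSTRUCTED_LOG.splitlines(), replay(CONSTRUCTED_LOG)):
        print(f"{decision:6} {line}")
```

In the replay the third failure triggers the lock, the fourth attempt and the correct password a second later are both refused, the other address is unaffected, and the same address gets in once the 30 minutes have passed. Two things the numbers hide: an attacker with a few hundred addresses keeps every one of them under the threshold, so the lockout buys time while the password does the real work; and if your blog sits behind a reverse proxy or load balancer, every visitor shares the proxy’s address and three failures from anyone will lock everyone out.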
Accounts and Passwords: Set up an account with admin privileges under a username other than “admin”, then delete the admin account (reassigning its posts to the new user when prompted). Bear in mind this only removes the obvious target: WordPress reveals usernames through author archive links and the ?author=1 redirect, so the real protection is the password. Use strong passwords, and don’t use the same password for all of your logins. If you’re old and suffer from short term memory loss, use a password formula to help, or a password manager. Don’t give admin status to anyone who doesn’t need it, and the same goes for editor and author status. Uncheck the “Anyone can register” box unless you need it; if you do need open registration, put a CAPTCHA plugin on the page to keep the bots at bay.
Updates: Keep WordPress and your plugins as up to date as possible. Updating right away sometimes breaks a plugin, so it’s a catch-22; if you can, try the update on a copy of the site first. But if you lag behind you have no one to blame but yourself when hackers do get in.
Using these suggestions you can, in most cases, keep the blog on your main domain to maximize its SEO value, be reasonably sure the damage hackers can inflict is minimal, and be very confident you will spot a compromise quickly and recover from it.