I recently went to my local WordPress group (WordPress Cambridge), where Tim Nash gave a talk about WordPress security.
He works for a hosting company, 34sp.com, on the security side, so he has a slightly different perspective from a normal user or developer.
He outlined some of the tools you could use to inspect a customer's site for vulnerabilities (wpscan.rb, sqlmap.py, XSStrike).
I gave wpscan.rb a go, and it's quite surprising, when you have not used it before, how much it can find out. Just pointing it at a few websites revealed more information than I might want disclosed. I didn't, for example, realise how simple it was to list all of a site's user names by default:
wpscan --url http://example.com --enumerate u
It's probably good as a quick way of identifying versions of plugins, themes and WordPress itself. It's also interesting to see what it thinks it found that isn't actually there. So it's worth running it over one of your own websites to see what it can discover.
Tim also talked about the merits and otherwise of security plugins, and how it's in their interests to stress the large number of attempts they have blocked in order to sell themselves and other paid-for extensions. It's also worthwhile asking your hosting company what they have set up on their systems in terms of firewalls, ModSecurity and so on, to see what they are already doing. This is something they can be very vague about in their documentation.
The next day I added something to change the version numbers in URLs and other generated bits of a WordPress site I was working on. The site is up to date, which is the main thing, but I thought it would make the automatic probing scripts work a bit harder. Even if I'm just annoying them :)
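As an added illustration (not the code from the post), here is a small WordPress plugin that does the kind of thing described above: it replaces the `?ver=` query string that WordPress appends to enqueued scripts and styles with a site-specific opaque value, and removes the generator meta tag. The function name prefix `hav_` and the plugin header are my own choices; the filters and helpers used are standard WordPress APIs.

```php
<?php
/**
 * Plugin Name: Hide Asset Versions (illustrative example)
 * Description: Replaces the ?ver= query string on enqueued scripts and styles
 *              and removes the generator meta tag, so core, plugin and theme
 *              versions are not handed out in the page source.
 */

// Swap the real version for a per-site HMAC of it. Keeping *some* value
// preserves cache busting: the token still changes whenever the version does,
// but a probing script cannot read the version back out of it.
function hav_rewrite_version( $src ) {
    $parts = wp_parse_url( $src );
    if ( empty( $parts['query'] ) ) {
        return $src; // no query string, nothing to hide
    }
    wp_parse_str( $parts['query'], $args );
    if ( ! isset( $args['ver'] ) ) {
        return $src; // asset enqueued without a version
    }
    // wp_salt() is unique to this installation, so the same WordPress or
    // plugin version produces a different token on every site.
    $token = substr( hash_hmac( 'sha256', (string) $args['ver'], wp_salt( 'nonce' ) ), 0, 8 );
    return add_query_arg( 'ver', $token, $src );
}
// Late priority so we run after any plugin that adds its own ver= value.
add_filter( 'style_loader_src',  'hav_rewrite_version', 9999 );
add_filter( 'script_loader_src', 'hav_rewrite_version', 9999 );

// Drop <meta name="generator" content="WordPress x.y"> from <head>,
// and blank the generator string used in RSS/Atom feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );
```

This removes only the version hints in generated markup; scanners use other fingerprints too, so, as the post says, it makes probing scripts work harder rather than hiding anything, and keeping the site updated remains the thing that matters.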
It's always a bit worrying when you think about all this too much, especially when you start looking at logs. Tim did point out that at the end of the day it's not going to be the end of the world if, despite your best efforts, someone gets at the website. Especially if you have proper backups.