One-click WordPress upgrades are convenient. They fit right in with how I describe blogging platforms to the uninitiated: they make web publishing simple for people of modest technical means.
Some web hosts include the Fantastico module, which also allows for one-click upgrades of WordPress. I've used it many times. It is (usually) faster than upgrading manually.
However, there is a serious shortcoming with one-click upgrades, and it involves security.
The good folks at WordPress are very security conscious. They are continually improving the platform to make it more secure.
The trouble is that some of the most important security enhancements are completely left out of one-click upgrades. In fact, they may even be left out of manual upgrades.
The issue involves the wp-config.php file. This is the WordPress file that holds the login credentials for the database that houses all of your blog's information.
This file does not get updated automatically when WordPress is upgraded. In fact, the file isn't included even when you download WordPress to upgrade manually, and with good reason: the good folks at WordPress don't want every upgrade to overwrite database passwords and lock people out of their blogs.
Instead they include a separate file with generic placeholder values, wp-config-sample.php, and it is this file that gets overwritten every time WordPress is upgraded.
The problem is that some of the biggest security upgrades involve modifications to wp-config.php, so they aren't happening on a lot of WordPress blogs as they are upgraded.
Getting More Secure
In WordPress 2.5 they introduced the SECRET_KEY encryption. If you look at the wp-config-sample.php file you will find the following inside:
// Change SECRET_KEY to a unique phrase. You won't have to remember it later,
// so make it long and complicated. You can visit http://api.wordpress.org/secret-key/1.0/
// to get a secret key generated for you, or just make something up.
define('SECRET_KEY', 'put your unique phrase here'); // Change this to a unique phrase.
And as you can see from the link above, the folks at WordPress did a good job of documenting what you need to do with this file to make your blog more secure.
How to Secure WordPress 2.6
However, starting with WordPress 2.6 they ditched the SECRET_KEY and added three other keys, which means the wp-config.php file needs to be updated manually again. Here is the code from the latest WordPress version:
// Change each KEY to a different unique phrase. You won't have to remember the phrases later,
// so make them long and complicated. You can visit http://api.wordpress.org/secret-key/1.1/
// to get keys generated for you, or just make something up. Each key should have a different phrase.
define('AUTH_KEY', 'put your unique phrase here'); // Change this to a unique phrase.
define('SECURE_AUTH_KEY', 'put your unique phrase here'); // Change this to a unique phrase.
define('LOGGED_IN_KEY', 'put your unique phrase here'); // Change this to a unique phrase.
This code should replace the SECRET_KEY code listed above from WordPress 2.5. Each place you see 'put your unique phrase here' you should replace it with a different long, random character string.
To make it easier on everyone, WordPress has set up a page that will generate random keys suitable for replacing the three lines outright: http://api.wordpress.org/secret-key/1.1/
For example, I went there and it generated the following:
define('AUTH_KEY', 'IU/(x3pR(Ae6*PlhA=N6#/ =F^_;\\rpnX|9:|0}so-`zxqXoaV(y|0g~&V0%Kc^a');
define('SECURE_AUTH_KEY', 'oiSMI<Ui*\'DCW *cSe5Y0Y_vGx ^G0su~q*8@73xBjWj=z6RZ;\\;mH,UmA@U |eW');
Now all you have to do is paste the three generated lines into your wp-config.php file. Obviously don't use the phrases shown here; go get your own so that they are unique to your blog.
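As an added example (not code from the original post or from WordPress), here is a small Python audit script for the situation described above: it reads a wp-config.php that has been carried from release to release, reports which of the three 2.6 keys are missing or still set to the sample placeholder, and rewrites the file with fresh random phrases. The sample wp-config.php is constructed for the example, the 64-character phrase length is an assumption, and the generated phrases deliberately avoid the single quote and backslash so they drop into a PHP single-quoted string without the escaping seen in the generator output above.

```python
import re
import secrets
import string

# The three keys WordPress 2.6 expects and the placeholder shipped in wp-config-sample.php.
REQUIRED_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY")
PLACEHOLDER = "put your unique phrase here"
# define('NAME', 'value'); where the value may hold an escaped quote or backslash.
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'((?:[^'\\]|\\.)*)'\s*\)\s*;")
# Single quote and backslash are excluded so a phrase pastes into PHP without escaping.
SAFE_ALPHABET = [c for c in string.ascii_letters + string.digits + string.punctuation
                 if c not in "'\\"]

def audit_config(config_text):
    """Return {key: 'missing' | 'placeholder' | 'ok'} for the three 2.6 keys."""
    found = dict(DEFINE_RE.findall(config_text))
    report = {}
    for key in REQUIRED_KEYS:
        if key not in found:
            report[key] = "missing"
        elif found[key].strip() in ("", PLACEHOLDER):
            report[key] = "placeholder"
        else:
            report[key] = "ok"
    return report

def generate_phrase(length=64):
    """A fresh random phrase; the 64-character length is an assumption, not the page's."""
    return "".join(secrets.choice(SAFE_ALPHABET) for _ in range(length))

def fix_config(config_text):
    """Rewrite placeholder defines in place and append a define for each missing key."""
    for key, status in audit_config(config_text).items():
        line = "define('%s', '%s');" % (key, generate_phrase())
        if status == "placeholder":
            pattern = r"define\(\s*'%s'\s*,\s*'[^']*'\s*\)\s*;" % key
            config_text = re.sub(pattern, lambda _m, l=line: l, config_text)
        elif status == "missing":
            config_text += line + "\n"
    return config_text

# Constructed sample: a wp-config.php carried over from 2.5 that still has the old
# SECRET_KEY, one new key left at its placeholder and one new key not defined at all.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'blog');
define('SECRET_KEY', 'put your unique phrase here');
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'oiSMI<Ui*\\'DCW *cSe5Y0Y_vGx');
"""
```

Running audit_config(SAMPLE_CONFIG) flags AUTH_KEY as placeholder and LOGGED_IN_KEY as missing; fix_config returns the text with both corrected, leaving the legacy SECRET_KEY line for you to delete by hand.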
If You’ve Been Hacked
If your WordPress blog was hacked, say because it hadn't been updated in a while, you are going to want to take some extra precautions.
For starters, you obviously need to go through your blog and make sure all potentially malicious code has been removed. An easy way to double-check that you've got it all is to search your posts and pages for a snippet of the offending code.
Then, since you've been hacked, you also need to change the password of every user account that can change your blog content. If the account's role is higher than "Subscriber", change the password, especially on your own account!
That last step is crucial. In a lot of the attacks on WordPress, the hackers break into older WordPress blogs and steal the login usernames and passwords. Often they do nothing with the access they've gained until the blog owner upgrades the blog, so that it appears the newer version is vulnerable.