WordPress Security: Which is more secure? A VPS or a VHost?

Big News [April 24th, 2012]: I’ve launched Wordfence to permanently fix your WordPress site’s security issues. Click here to learn more.

In web server admin parlance, a VPS is a Virtual Private Server and a VHost is a virtually hosted website. There were a few questions regarding security on VPSs and VHosts in my previous post, “Seven ways I could hack into your WordPress website”, so I thought I’d clarify the difference between WordPress hosted on a Virtual Private Server (VPS) and WordPress on a Virtual Host (VHost), and what the security implications of each configuration are.

A Virtually Hosted Website (VHost)

In the early days of the web, you would have a single physical machine running a single operating system running a single web server. That web server would serve up a single website.

HTTP 1.0 introduced the optional “Host:” header and HTTP 1.1 made it mandatory with any web request that a browser sends. The effect of this is that when a web browser sends a request to any web server, it lets the server know which website it wants to see. Because web servers know what website a browser expects, they can now host an unlimited number of websites. This is called virtual hosting.

When you have a virtually hosted website, you are sharing a single server and operating system with many other websites. Your files and the files of other websites are stored on the same operating system. You all share the same web server and the server chooses which of your websites it needs to serve based on what a web browser requests when it connects to that web server.

Usually on a virtually hosted website, you won’t have access to other website files and they won’t have access to yours. This is usually done by giving you a unique username that you use to sign in and your username only has permissions to view your files.

A Virtual Private Server (VPS)

A VPS is a little different. Normally when you install any operating system, you install it directly on a machine like a server or workstation. With a VPS, you first install a base operating system like Windows or Linux. Then you install a virtual machine hosting platform called a hypervisor. Examples of hypervisors are VMware and Xen.

Within the Hypervisor you can then install multiple virtual machines. These pretend to be physical hardware and when you boot them up you get a BIOS message similar to when you boot up a physical machine.

Within these virtual machines you can then install an operating system like Linux or Windows. Using this config you can have potentially hundreds of virtual machines running on a single physical machine.

So to summarize, you have a physical machine running an operating system, which runs a hypervisor, which runs multiple virtual machines, and each virtual machine runs its own operating system. Within these operating systems you run your own web server, have the files for your website and do anything else you feel like doing. It’s impossible for someone on another virtual machine to access your virtual machine.

Linode is one of the most popular virtual machine hosting providers and they use the Xen Hypervisor to host Linux virtual machines.

So which is more secure?

By now you’ve probably already figured it out: Running your own virtual machine that is completely segmented from everyone else is usually the more secure option. Here are a few reasons why:

  1. If your web host messed up the machine configuration or permissions, then other users may be able to access your files.
  2. If another user’s WordPress installation gets hacked, it may be possible for the hacker to gain read or in rare cases read and write access to your files.
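One way to check for the first risk on a shared host is to audit your own document root for entries that other local accounts can read or modify. This is an added example, not code from the original post; the function name, the choice of `wp-config.php` as the sensitive file and the sample tree are assumptions made for illustration, and it assumes a POSIX host.

```python
import os
import stat

# wp-config.php holds the database credentials, so it is the file other
# accounts on the same server should never be able to read.
SENSITIVE = {"wp-config.php"}

def audit_docroot(root, sensitive=SENSITIVE):
    """Return sorted (path, issue) pairs for entries other users can reach."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # permission bits on a symlink are not meaningful
            if mode & stat.S_IWOTH:
                # Any local account (or a hacked neighbouring site) can
                # change or plant files here.
                findings.append((path, "world-writable"))
            elif name in sensitive and mode & stat.S_IROTH:
                # Whether this can be tightened depends on which account
                # the host runs PHP as; ask the host if it cannot.
                findings.append((path, "secret readable by other users"))
    return sorted(findings)

if __name__ == "__main__":
    import tempfile
    # Constructed sample tree standing in for one shared-hosting account.
    with tempfile.TemporaryDirectory() as root:
        cfg = os.path.join(root, "wp-config.php")
        open(cfg, "w").close()
        os.chmod(cfg, 0o644)   # readable by every account on the box
        uploads = os.path.join(root, "uploads")
        os.mkdir(uploads)
        os.chmod(uploads, 0o777)  # writable by every account on the box
        for path, issue in audit_docroot(root):
            print(f"{issue}: {path}")
```

On a VPS the same findings matter less for cross-customer exposure, because no other customer has an account on your operating system.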

Another thing I like about having a VPS instead of a VHost is that you have your own IP address. On the Internet, IP addresses can get blacklisted, particularly if you’re sending email. If your web application sends email, for example if you’re using the WordPress “Subscribe to Comments” plugin, then your emails may be flagged as spam if another user on the same server is sending a lot of spam.

With a VPS you have your own IP address, so as long as the IP address wasn’t already black-listed when you got it from your web host (I’ve seen it happen) then only you are responsible for how that IP address is perceived on the Net.

In conclusion: While VPS’s tend to cost slightly more (about $20/month from Linode), they are well worth the extra cost when it comes to protecting your website and your reputation. As always please post any questions in the comments and I’ll either answer them directly or in a future post.

Caveat: I have generalized greatly when it comes to VPS and VHost configurations. There are many variants, including Type I and Type II hypervisors, shared hosting where a single OS hosts one web server instance per website, and many more. I’ve described two common VPS and VHost configs above for illustrative purposes; however, the VPS config I describe is probably the most common configuration used by VPS providers.


WordPress Security: Seven Ways I Could Hack Into Your WordPress Site

I’m getting emails from people who are interested in securing their WordPress blogs or websites. If I was going to hack your WordPress blog or website, here are the first seven things I would try and how you could prevent me from getting in:

1. Upgrade to the newest version of WordPress

I would look up known vulnerabilities in old versions of WordPress. Then I would scan the web looking for sites that are running an old version of WordPress that I know has a hole in it. I would automate the whole process. Once my automated script finds your blog running an old WordPress version, I would simply drop right in through the hole that security databases have known about for months or even years.

You can stop me from doing this by upgrading to the latest version of WordPress which is version 3.2.1 at the time of this writing.

2. Upgrade all your themes and plugins to their newest versions

In case you’re running the newest WordPress, I would look at your themes and plugins. I would try to find an old version of a theme with a known hole in it. Then I would drop right in and have my evil way with your server.

You can stop me by keeping all your themes and plugins up to date and upgrading immediately when a new version is released.

3. Get rid of the ‘admin’ user

If your WordPress core files, themes and plugins are up to date, I would try to guess your ‘admin’ password. I know the ‘admin’ user exists on most WordPress sites, so I would write a script that keeps trying to log-in using all the words in my dictionary.

You can stop me by creating a new user with “administrator” privileges. Then delete the old admin user and make sure you assign all admin’s posts and pages to your new admin user.

4. Make sure all your passwords are strong

OK so your site is a little more secure than I thought. But I’m not out of tricks yet. When you publish a blog entry, I will look at the name of the user who published the post. Then I will use my good old automated password guessing script to throw a whole dictionary at your login page using the username that I saw authored your newest blog entry.

You can stop me by making sure your password doesn’t exist in a dictionary and uses numbers and a mix of upper and lower-case letters.
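The password guessing described in points 3 and 4 shows up in the web server's access log as a burst of POST requests to the login page from one client. The following detection sketch is an added example, not code from the original post; it assumes the Apache/nginx "combined" log format, and the threshold, window and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: client IP, two ignored fields, [timestamp], "request".
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*"')

def login_bursts(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: peak} for clients whose POSTs to wp-login.php reach
    `threshold` inside any sliding `window`."""
    attempts = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip malformed or truncated lines
        ip, ts, method, path = m.groups()
        if method == "POST" and path.split("?")[0].endswith("/wp-login.php"):
            attempts[ip].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1  # drop attempts that fell out of the window
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

def sample_log():
    """Constructed log lines (documentation IP ranges), not real traffic."""
    fmt = '{ip} - - [05/Dec/2011:10:{m:02d}:{s:02d} +0000] "{req} HTTP/1.1" {st} 512'
    # Eight login POSTs in 35 seconds from one client: a guessing script.
    guesses = [fmt.format(ip="203.0.113.7", m=0, s=i * 5,
                          req="POST /wp-login.php", st=200) for i in range(8)]
    # Three logins spread over 18 minutes plus normal browsing: the site owner.
    owner = [fmt.format(ip="198.51.100.20", m=i * 9, s=0,
                        req="POST /wp-login.php", st=302) for i in range(3)]
    reader = [fmt.format(ip="198.51.100.20", m=30, s=0, req="GET /?p=1", st=200)]
    return guesses + owner + reader

if __name__ == "__main__":
    print(login_bursts(sample_log()))
```

Renaming the admin account and using strong passwords make the guesses fail; a check like this tells you that someone is trying.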

5. Know what other web applications you have installed

Hmmm. You’re a tough customer. But I’m not done yet. WordPress isn’t the only application I could use to get in. Many websites also have forum software, helpdesk software and other applications installed. Security holes are regularly discovered in these applications, so I will scan your site and find out what other apps you have and see if any of them are old versions with known security problems.

You can stop me by making sure all your other applications are up to date and don’t have any known security holes in them that the vendor may have released fixes for.

6. Make sure all other public services running on your web server are secure

Your site looks secure so I’m going to fight dirty. I will use a tool called ‘nmap’ to scan for open ports on the machine that runs your WordPress installation. Ah I see you have an email server running IMAP along with an FTP server. I’ll try to log in to your email server and FTP server by guessing your passwords. I’ll also check to see if the server software or the operating system is an old version that has known security holes I can exploit.

You can stop me by making sure your blog host keeps your WordPress server secure and up to date. They should be running a new version of Linux or whichever operating system you are using. The operating system should have the latest patches and all services running on the machine should be known about, should be necessary and should have hard to guess passwords. Don’t be afraid to quiz your blog host about this.

7. Make sure you don’t get social’d

Well, your site seems too secure for me to hack in using my tech skills. So I’m going to use my charming personality. I’ll call you up, pretend I work for your hosting company and try to get any information from you that might be useful. Passwords would be first prize, but I’ll take anything I can get: Staff names, your favorite pet, internal phone numbers, products and services your company uses, your birthday, anything that might help me guess passwords or find juicy targets that give me a way in.

You can stop me by making sure you never give out passwords over the phone and don’t give out information unless you’ve verified who you’re talking to. A good tactic if someone has called you is to simply ask them for a call-back number. Then verify who the company is, that the number belongs to them and call them back.

Social engineering is the #1 tactic hackers use to get into secure networks. Read the second comment on this recent Hacker News post (posted a week ago) for an example of how you might call up a company and get the last four digits of someone’s credit card. You might also find this story interesting, about how css-tricks almost lost their domain a few days ago.

Now that you know most of my sneaky hacker ways, you might want to read this WordPress article on how to further secure your WordPress site and keep hackers out.

The value of Time

From Lawrence of Arabia. Probably the finest film ever made.

Sherif Ali: There is the railway. And that is the desert. From here until we reach the other side, no water but what we carry with us. For the camels, no water at all. If the camels die, we die. And in twenty days they will start to die.
T.E. Lawrence: There’s no time to waste, then, is there?

Unemployment is lower? Bull.

Last Friday and again today the DJIA got a nice bump from data showing unemployment has dropped from 9% to 8.6%. This number is known as U3 and only counts those actively looking for work. U4 is what the government should publish which counts U3 + those who have given up looking.

We “added 120,000 jobs in November” and have added over 100,000 jobs per month for the last 5 months.

I found the birth, death and marriage rate on the CDC website. For December 2009 we had 344,000 live births per month, 216,000 deaths per month and 138,000 marriages per month.

Our population is increasing by roughly 128,000 per month, which is 8000 more than the number of jobs we added. Looking at marriages per month gives you an indication of how many new couples are starting life and presumably expecting full employment. That’s 18,000 more than the maximum number of jobs we added per month in the last 5 months.

I don’t think we’re ever going to get the jobs we lost back because the financial crisis of 2008 was a trigger that caused companies that have become more efficient to cut a workforce that is no longer needed. That is why corporate revenue has not declined even though unemployment has increased. The grey marks the recession, click the graph to go to ycharts for a live version.

The only way to solve this is to bring our education syllabus up to date. The Chinese have a few ideas how to do that: They’re cutting majors that produce unemployable graduates.