How to Win Friends and Influence People: The Principles
Part 1: Fundamental Techniques in Handling People
Principle 1: Don’t criticize, condemn or complain
Principle 2: Give honest and sincere appreciation
Principle 3: Arouse in the other person an eager want
Part 2: Six Ways to Make People Like You
Principle 1: Become genuinely interested in other people
Principle 2: Smile
Principle 3: Remember that a person’s name is to that person the sweetest and most important sound in any language
Principle 4: Be a good listener
Principle 5: Talk in terms of the other person’s interests
Principle 6: Make the other person feel important—and do it sincerely
Part 3: How to Win People to Your Way of Thinking
Principle 1: The only way to get the best of an argument is to avoid it
Principle 2: Show respect for the other person’s opinions. Never say, “You’re wrong.”
Principle 3: If you are wrong, admit it quickly and emphatically
Principle 4: Begin in a friendly way
Principle 5: Get the other person saying, “yes, yes” immediately
Principle 6: Let the other person do a great deal of the talking
Principle 7: Let the other person feel that the idea is his or hers
Principle 8: Try honestly to see things from the other person’s point of view
Principle 9: Be sympathetic with the other person’s ideas and desires
Principle 10: Appeal to the nobler motives
Principle 11: Dramatize your ideas
Principle 12: Throw down a challenge
Part 4: Be a Leader—How to Change People Without Giving Offense or Rousing Resentment
Principle 1: Begin with praise and honest appreciation
Principle 2: Call attention to people’s mistakes indirectly
Principle 3: Talk about your own mistakes before criticizing the other person
Principle 4: Ask questions instead of giving direct orders
Principle 5: Let the other person save face
Principle 6: Praise the slightest improvement and praise every improvement. Be “hearty in your approbation and lavish in your praise.”
Principle 7: Give the other person a fine reputation to live up to
Principle 8: Use encouragement. Make the fault seem easy to correct
Principle 9: Make the other person happy about doing the thing you suggest
How to Win Friends and Influence People Summary
Ninety-nine times out of a hundred, people don’t criticize themselves for anything, no matter how wrong it may be.
Criticism is futile because it puts us on the defensive and usually makes us strive to justify ourselves. Criticism is dangerous, because it wounds our pride, hurts our sense of importance, and arouses resentment.
Don’t criticize others; they are just what we would be under similar circumstances.
“Don’t complain about the snow on your neighbor’s roof when your own doorstep is unclean.”—Confucius
We’re not logical; we’re emotional, motivated by pride and vanity.
“I will speak ill of no man and speak all the good I know of everybody.”—Benjamin Franklin
Rather than condemn others, try to understand them. Try to figure out why they do what they do.
We all want to be appreciated.
“I consider my ability to arouse enthusiasm among my people the greatest asset I possess, and the way to develop the best that is in a person is by appreciation and encouragement.”—Charles Schwab
Before trying to persuade someone to do something, ask yourself, “How can I make this person want to do it?”
“If there is any one secret of success it lies in the ability to get the other person’s point of view and see things from that person’s angle as well as from your own.”—Henry Ford
“You can make more friends in two months by becoming interested in other people than you can in two years by trying to get other people interested in you.”
“It is the individual who is not interested in his fellow men who has the greatest difficulties in life and provides the greatest injury to others. It is from among such individuals that all human failures spring.”
Encourage others to talk about themselves.
Always make the others feel important.
Most people you meet will feel superior to you in some way. A sure way to their hearts is to let them realize in some subtle way that you recognize their importance, and recognize it sincerely.
“Talk to people about themselves and they will listen for hours.”—Disraeli
“If you argue and rankle and contradict, you may achieve a victory sometimes; but it will be an empty victory because you will never get your opponent’s good will.”
How to keep a disagreement from becoming an argument:
Welcome the disagreement
Distrust your first instinctive impression
Control your temper
Look for areas of agreement
Promise to think over your opponents’ ideas and study them carefully
Thank your opponents sincerely for their interest
Postpone action to give both sides time to think through the problem
“There’s magic, positive magic, in such phrases as: ‘I may be wrong. I frequently am. Let’s examine the facts.’”
“Don’t argue with your customer or your spouse or your adversary. Don’t tell them they are wrong. Don’t get them stirred up. Use a little diplomacy.”
“If we know we are going to be rebuked anyhow, isn’t it far better to beat the other person to it and do it ourselves?”
“Say about yourself all the derogatory things you know the other person is thinking or wants to say or intends to say—and say them before that person has a chance to say them.”
When you’re right, try to win people gently and tactfully to your way of thinking. When you’re wrong, admit your mistakes quickly and with enthusiasm.
“In talking with people, don’t begin by discussing the things on which you differ. Begin by emphasizing—and keep on emphasizing—the things on which you agree. Keep emphasizing, if possible, that you are both striving for the same end and that your only difference is one of method and not of purpose. Get the other person saying, ‘Yes, yes’ at the outset. Keep your opponent, if possible, from saying ‘No.’”
“Remember that other people may be totally wrong. But they don’t think so. Don’t condemn them. Any fool can do that. Try to understand them. Only wise, tolerant, exceptional people even try to do that.”
“If, as a result of reading this book, you get only one thing—an increased tendency to think always in terms of the other person’s point of view, and see things from that person’s angle as well as your own—if you get only that one thing from this book, it may easily prove to be one of the stepping-stones of your career.”
How to stop arguments, eliminate ill feeling, create good will, and make the other person listen attentively: “I don’t blame you one iota for feeling as you do. If I were you I would undoubtedly feel just as you do.”
“Three-fourths of the people you will ever meet are hungering and thirsting for sympathy. Give it to them, and they will love you.”
It’s always easier to listen to unpleasant things after we have heard some praise of our good points.
“Calling attention to one’s mistakes indirectly works wonders with sensitive people who may resent bitterly any direct criticism.”
“It isn’t nearly so difficult to listen to a recital of your faults if the person criticizing begins by humbly admitting that he, too, is far from impeccable.”
“Admitting one’s own mistakes—even when one hasn’t corrected them—can help convince somebody to change his behavior.”
“People are more likely to accept an order if they have had a part in the decision that caused the order to be issued.”
“Everybody likes to be praised, but when praise is specific, it comes across as sincere—not something the other person may be saying just to make one feel good.”
“If you want to improve a person in a certain aspect, act as though that particular trait were already one of his or her outstanding characteristics.”
“Tell your child, your spouse, or your employee that he or she is stupid or dumb at a certain thing, has no gift for it and is doing it all wrong, and you have destroyed almost every incentive to try to improve. But use the opposite technique—be liberal with your encouragement, make the thing seem easy to do, let the other person know that you have faith in his ability to do it, that he has an undeveloped flair for it—and he will practice until the dawn comes in the window in order to excel.”
“Always make the other person happy about doing the thing you suggest.”
The effective leader should keep the following guidelines in mind when it is necessary to change attitudes or behavior:
Do not promise anything that you cannot deliver. Forget about the benefits to yourself and concentrate on the benefits to the other person
Know exactly what it is you want the other person to do
Ask yourself what is it the other person really wants
Consider the benefits that person will receive from doing what you suggest
Match those benefits to the other person’s wants
When you make your request, put it in a form that will convey to the other person the idea that he personally will benefit
The beauty of this approach is that the site doesn’t ever appear broken and the user won’t even be aware that they are getting the ‘default’ experience. With progressive enhancement, every user has their own experience of the site, rather than an experience that the designers and developers demand of them.
I could only go so long, on a blog devoted to books about self-improvement and personal effectiveness, without covering the quintessential modern tome on the subject. The 7 Habits of Highly Effective People has become so representative of increasing personal effectiveness that it has almost become a cliché, even to the point where it is derided as representative of the inauthenticity and shallowness of many who claim to practice it. I found myself oddly embarrassed to be seen reading this book on the subway – lest someone attribute that same character to me.
In truth, this book is more worthy of its acclaim than of its infamy. If you can push past the Buzzfeed-style clickbait titles to understand the truths behind them that were the impetus for people to later turn them into buzzwords, you will find enormous value in these pages.
The 7 Habits
In the pursuit of personal effectiveness, most people try to change one of two things: their behavior (“I’m going to try really hard at this!”) or their attitude (hence the popularity of self-help books and motivational speakers). If you’ve tried these approaches, you know them to be ineffective. The only solution for real change is the recognition and changing of your personal “paradigm,” or pattern of perception by which you view the world.
To sum up the seven habits at a high level, an effective person has learned to make the paradigm shift from outside-in to inside-out, progressing along the growth continuum from dependence to independence to interdependence. He has found the balance of being able to produce while also increasing his capacity to further produce.
That may sound like a bunch of gobbledygook, but it will become clear as you progress through the habits and make the paradigm shift the author writes about.
The first three habits are habits of self-mastery, or private victories. These habits must come first, after which come the second three habits of public victories. The last habit is one that is key to the proper functioning and renewal of the first six.
Habit 1: Be Proactive
Put aside the dictionary definition of the word “proactive” for a moment, as well as any meaning you’ve learned to attribute to it from your time in the workforce. You’ll have to do this with several of the upcoming habit titles in order to understand what Covey is saying.
The best way to understand what a paradigm is, as well as which paradigm an effective person possesses, is to first understand the three widely accepted paradigms that most people use to explain human behavior:
Genetic determinism (you are who you are because of your genes)
Psychic determinism (your childhood and upbringing shaped your personality), and
Environmental determinism (the things around you make you who you are)
The prevailing viewpoint is that at our core, we are animals, compelled by a given stimulus to give a certain response. While there is certainly some truth to this, Covey quotes psychiatrist and Holocaust victim Victor Frankl: “Between stimulus and response, man has the freedom to choose.” (See Frankl’s book Man’s Search for Meaning for his story.)
The author defines proactivity (and the paradigm shift that comes with it) as exercising your freedom to choose self-awareness, imagination, conscience, or independent will in between stimulus and response. If you’re unhappy, unsuccessful, etc., it’s because you chose to let something make you that way instead of choosing your own response. This is not to minimize the effect that genetics, upbringing, or environment have on who a person is; however, being an effective person requires that you recognize your responsibility to shape your response to those things.
This is not just positive thinking; being proactive means understanding the reality of a situation, but understanding the reality of a situation also means understanding the reality that you can choose your response to your circumstance. We all have a “circle of concern,” representing all the things that we care about. We can only influence a small portion of the things in our circle of concern, and many people spend their time and energy worrying or complaining about the things they can’t control. The more you focus on things outside your control, i.e. outside your “circle of influence,” the fewer things you’ll be able to control. Your circle of influence will shrink. In contrast, by focusing only on those things within your control, you will find that your circle of influence will grow.
To shift your focus to your circle of influence, stop saying the “haves” (if I only had a better job) and start saying the “be’s” (I can be more _).
Habit 2: Begin with the End in Mind
Everything is created twice: first in a mental creation, then as a result becoming a physical creation. If you don’t consciously choose to control the mental creation, the vicissitudes of your life are created by default, shaped by random circumstances and other people’s expectations and agendas. (Refer to the summary of Think and Grow Rich by Napoleon Hill to better understand what this means, and to learn how to shape your actions based on this principle.)
Said another way, Habit 1 is “You are the creator.” Habit 2 is the first creation.
Beginning with the end in mind means approaching any role you have in life with your values and directions clear. Because we are self-aware, we can realize when we are acting in a role that isn’t in harmony with our values or isn’t a result of our own proactive design.
Whatever is at the center of your life will be the source of your security (your sense of worth), guidance (your source of direction in life), wisdom (your perspective on life), and power (your capacity to act and accomplish).
Most people never take the time to align their values with their center. As a result, they have one or more of many possible alternative centers. People can be spouse centered, family centered, money centered, work centered, pleasure centered, friend or enemy centered, church centered, or self centered. You probably know someone who is an example of being centered around each one of these things, and if you’re honest with yourself, you’ll realize that there are probably times when you become centered around many of these things as well.
Many of these things are perfectly good in and of themselves, but it isn’t healthy for your security, guidance, wisdom, or power to depend on and be determined by any of them. Instead, to be an effective person we need to have a “principle” center – one that is based on timeless, unchanging values. The principle center will put all these other centers in perspective.
Covey puts it this way: “The personal power that comes from principle-centered living is the power of a self-aware, knowledgeable, proactive individual, unrestricted by the attitudes, behaviors, and actions of others or by many of the circumstances and environmental influences that limit other people.”
The best way to make sure your life is aligned with your principles (and the best way to track when you get off center) is to write a personal mission statement. Covey doesn’t present a cookie-cutter formula for doing so, but suggests approaching it from the perspective of roles and goals: who do you want to be, and what do you want to accomplish?
This principle is the same for families or organizations; as hokey as it might sound, an authentic mission statement is the first step in the process of being effective. You need to put in the time, thought, and effort in order to gain the right perspective, and in order to set yourself up for the next habit.
Habit 3: Put First Things First
Habit 3 is the second creation – the physical realization of Habits 1 and 2. Habits 1 and 2 are best characterized as “leadership,” which must come first, while Habit 3 is where we begin discussing “management.”
Effective management means putting first things first, and doing the things that other people don’t want to do. From Habits 1 and 2, you must have a burning “yes” inside you that allows you to say “no” to other things that don’t align with your principles and goals.
Covey describes four levels of time management:
Notes and checklists (reducing your cognitive burden in the present).
Calendars and appointment books (looking ahead to better arrange your future time).
Daily planning, by means of goal-setting and prioritization. Most people never get beyond this level.
Categorization of activities and purposeful focus on and/or exclusion of certain ones.
This fourth level is where the author asks us to operate. He borrows the tool for this categorization from none other than Dwight Eisenhower: a four-quadrant matrix that sorts activities by whether they are urgent and whether they are important (the matrix itself is not reproduced here).
An effective time manager spends as much time as possible in quadrant II, doing things that are important before they become urgent: building relationships, long-term planning, preventative maintenance of all types, etc. The more time you spend in this quadrant, the less time you will have to spend in quadrant I. Delegate or otherwise cut out anything in quadrant III or IV.
In contrast, most people spend the majority of their time in quadrants I and III, doing urgent things that may or may not be important and that rarely allow you to be effective. Most of us try to get out of this vicious cycle by trying to be more disciplined; however, the author contends that your problem is probably not that you lack discipline. More likely, it is simply that your priorities have not been rooted in your values.
In order to become a quadrant II self-manager, Covey suggests a series of four steps:
1) Identifying roles. Write down a list of roles that you wish to devote time and energy to filling. Some examples are your role as an individual (for which you would devote time for self-improvement), your role as a family member (spouse, son, mother, etc.), and your role at work (which may be multiple things, any of which may not correspond to your official title).
2) Selecting goals. Write down one or two goals for each role that you want to accomplish over the next week. Since you’ve already gone through the process of establishing Habits 1 and 2, these goals should be tied into your larger purpose and long-term goals.
3) Scheduling. Take things a step beyond where most people get with their use of scheduling, and sit down and plan out your schedule a week at a time. This allows you to match your goals with the best time to accomplish them. For example, peak productivity for most people is between 2 – 5 hours after waking. One use of this principle might be to schedule time 2 – 5 hours after waking on Saturday to do the most important quadrant II activities that your job won’t allow you to do during the week. The key is not to prioritize your schedule, but to schedule your priorities.
4) Daily adapting. Take a few minutes at the beginning of each day to review the schedule you put together and revisit the values that induced you to establish your goals for the day. In real life, things change, so it is important to allow your schedule to be fluid and adaptable while keeping your focus on your values and priorities.
Habit 4: Think Win/Win
This is another buzzword-type title that will require you to put aside your perception of the term in order to grasp Covey’s meaning. As opposed to some kind of unrealistically happy and friendly attitude, the author defines thinking win/win as a mindset that is always looking for a third alternative to the “me or you” decision. Most people live in one of the following four alternative paradigms:
Win/lose (authoritarian or egotistical)
Lose/win (being a pushover)
Lose/lose (when two win/lose people interact)
Win (focused solely on the results you get for yourself)
To escape these unproductive mindsets, we must develop the three character traits essential to the win/win paradigm:
Integrity (the value we place on ourselves)
Maturity (the balance between courage and consideration)
Abundance mentality (which comes from a sense of personal worth and security)
Try thinking about your relationships as an emotional bank account. By proactively making deposits, you ensure that the emotional funds will be there when the time comes to make a withdrawal. Win/win is often difficult, but is made much easier by the presence of a hefty emotional bank account.
So we can better understand what a win/win decision is and how it is structured, Covey provides the following characteristics:
Clear identification of desired results
Specified parameters within which to achieve those results
Resources to be used to accomplish the results
Accountability by means of specific standards of performance and times for evaluation
Consequences of the results of the evaluation
You can find a more thorough presentation of this approach to effective negotiations in Getting to Yes by Roger Fisher and William Ury. The essence of Getting to Yes is to separate the person from the problem, focus on interests instead of positions, invent options for mutual gain, and insist on objective criteria.
The key to this chapter is that in most difficult situations, the problem is the system, not the people. By approaching those situations with the question of how we can change the system in order to make it work for all involved, many difficult problems can be resolved.
Habit 5: Seek First to Understand, Then to Be Understood
If you want to interact effectively with people and influence them, you must first understand them. It may be common sense, but it stands in direct contrast to most people’s modus operandi, which is to be first concerned with being understood.
Again, Covey breaks things down into a step-by-step framework that makes your own behavior easier to understand. Here are his four levels of listening:
Pretending to listen
The first three are self-explanatory, but you may not have heard the term “empathic listening” before. Empathic listening means getting inside someone else’s frame of reference by “listening” to their body language, tone, expression, and feelings. It’s a tremendous deposit in the emotional bank account.
In contrast to empathic listening, we tend to listen from our frame of reference (even if we are listening attentively) and have these “autobiographical responses”:
Evaluate (agree or disagree)
Probe (ask questions from our own frame of reference)
Advise (give counsel based on our own experience)
Interpret (explain people’s actions based on our own motivations)
By listening empathically instead of forcing our natural autobiographical responses onto each situation, we can get beyond a surface-level, transactional exchange and have a real impact. Needs stop motivating people once those needs are satisfied. Satisfy the need to be understood, and you can move on to being productive.
The other half of this habit, then, is being understood.
Covey refers to the Greek philosophy of ethos, pathos, logos – first character, then relationships, and only afterward the logic of what you’re saying. Most people try to skip straight to logos in every exchange, but it can’t be denied that someone must first trust you and understand where you’re coming from emotionally before they will understand how your logic fits into the overall picture of your perspective. Approach your communication through this framework, and you’ll be surprised at how much more easily you get your point across.
This habit is powerful because it is always in your circle of influence to seek first to understand, then to be understood. When people understand each other, the door is opened for third alternatives – win/win solutions.
Habit 6: Synergize
Despite being entitled with the business world’s most eminently cringeworthy king of buzzwords, this chapter offers enormous value if you can grasp the principle. Covey is not referring here to the type of “synergy” that occurs when two companies merge and become better together by cutting down on administration costs. He’s not even referring only to the simple act of working together to accomplish more than what you could accomplish on your own.
What the author means by synergy is something that may be impossible to understand unless you have experienced it. One way to describe it is when a group of people enter a simultaneous and cooperative state of flow – the “peak experience” of group interaction.
You may have had an experience playing sports where the team just gelled and the plays started clicking like you were moving as one body. Perhaps you’ve played in a musical group and found yourselves in a song where every note was perfect, every hook was tight, and you found yourself improvising riffs you didn’t even know you were capable of playing. You might have been in an emergency situation where a group of strangers came together to act with a degree of cooperation that seemed unprecedented.
Maybe you’ve had one of those conversations with a group of close friends where you were baring your souls about some deep, commonly held belief or commonly faced challenge, and each person’s words created thoughts in your own mind that you then perfectly expressed as insights you didn’t even know you had.
This is what the author means by synergy – a shared peak experience that can be created as the culmination of the first five habits. The key here is that synergy of this type doesn’t have to be a rare experience. We can create it in our everyday lives, beginning to live at a higher level by putting the first five habits into practice and adding a courageous amount of authenticity and openness. To be able to consistently operate at this level is to achieve the ability to be more effective than most people can even dream of being.
Habit 7: Sharpen the Saw
Remember, these are all intended to be habits, which means they have to be practiced repeatedly. In order to be able to practice these things, you need to take the time to renew yourself.
Covey recommends you carve out the time to do things to renew what he classifies as the four dimensions of human nature:
Spiritual (value clarification & commitment, study & meditation)
When you neglect any one area, you damage the rest – so commit at least one hour of every day to these practices.
Covey doesn’t spend enough time on any of these things to be the best “how-to” source for their implementation, and I don’t think that was his intention. His point is that an overall balance is necessary to support the other six habits. If done correctly, it leads to a virtuous cycle of continual personal growth.
In a twist of cruel irony, it seems that the 7 Habits of Highly Effective People has become the poster child for the very things it was written to help people overcome. The crux of the book is that to be effective, you must come from a place of authenticity, starting with your values and building with each successive habit. Unfortunately, it is human nature to imitate the form without delivering the authenticity.
The value of this book made it the victim of its own success when it was catapulted into becoming the business world’s favorite trend for a time. It seems that many people and organizations genuinely liked what they heard, but then tried to awkwardly force the habits onto their own lives or others’ (often cherry-picking the ones that sounded easier) without truly taking them to heart. An unlikely alliance of Covey-directed scorn resulted between those who have had negative interactions with such people, and the small minds who couldn’t overcome their own scripts in order to understand Habit 1 and take responsibility for the results of their lives.
The disdain is truly undeserved. In reading the book, titles that at first reek of buzzword become epiphanies once you understand the truth of the principle. Reducing this particular book to a quick summary, which certainly has its uses, also has the effect of losing some of the meaning – of taking some powerful, emotion-filled lessons and reducing them to bullet points.
While it is certainly not a comprehensive framework for personal effectiveness, The 7 Habits of Highly Effective People gets many things right, and deserves its spot as the manifesto of personal effectiveness.
One thing this book is missing is the practical technique for managing the human mind to put new habits into practice. For that skill, refer to The Power of Habit by Charles Duhigg.
I’ve also found it useful to rephrase each buzzword title into an action point that more directly states the meaning of what the author had in mind. Once you’ve read the book you’ll have grasped the greater meaning and the nuances of his points, but it’s still useful to refresh your memory in this way:
1. Be proactive. Adopt a perspective of responsibility for your actions, reactions, and results.
2. Begin with the end in mind. Make sure your efforts start with establishment of your personal principles.
3. Put first things first. Spend your time on things that are important, not on things that are urgent.
4. Think Win/Win. Approach every interaction with the perspective of trying to fix the system, not the person, in order to find the solution that is best for all involved.
5. Seek First to Understand, Then to Be Understood. Meet people’s need to be understood, establish trust, and communicate your emotions; communicate your logic last.
6. Synergize. Combine the first five habits for an exponentially higher level of effective and cooperative daily interaction.
7. Sharpen the Saw. Take the time to maintain and renew your mind, body, emotions, and spirit.
Last year, WordPress was responsible for 83% of infected content management sites. Make sure you’re not contributing to those infections and learn how to securely manage WordPress.
(This article is kindly sponsored by Sucuri.) WordPress security doesn’t have a good reputation. More than 70% of all WordPress sites carry some kind of vulnerability, according to research done on over 40,000 WordPress sites by Alexa. If you develop WordPress themes or plugins — or use WordPress for your websites — that number should scare you.
There’s a lot you can do to make sure you’re not part of the 70%, but it takes more work than just installing a plugin or escaping a string. A lot of advice in this article comes from Sucuri’s guide on WordPress security and years of personal experience.
Is WordPress Insecure?
WordPress has the largest market share among content management systems and a 30% market share among the most popular 10 million sites on the web. That kind of success makes it a big target for hacks. WordPress isn’t less secure than other content management systems — it’s just more successful.
Vulnerabilities in WordPress core are responsible for less than 10% of all WordPress hacks. Most of those are from out-of-date WordPress installs. The number of hacks that exploit actual security holes in up-to-date versions of WordPress core (also known as zero-day exploits) accounts for a tiny percentage of all hacks.
The rest of the infected sites were caused by plugins, themes, hosting, and users. And you, as a WordPress website developer, have control over all of those. If this seems like a big hassle to you, then I can recommend Sucuri’s agency plan. Otherwise, let’s find out how to deal with WordPress security ourselves!
Who’s Attacking You And Why?
Let’s bust a myth first: A small WordPress website is still an attractive target for hackers. Attacks on a personal basis are very rare. Most hacked WordPress websites are compromised automatically by either a bot or a botnet.
Bots are computer programs that constantly search for websites to hack. They don’t care who you are; they just look for a weakness in your defences. A botnet combines the computing power of many bots to tackle bigger tasks.
Hackers are primarily looking for a way into your server so that they can use your server’s computing power and turn it loose on some other goal or target. Hackers want your server for the following reasons.
Spam accounts for about 60% of all email, and it has to be sent from somewhere. Many hackers want to gain entry to your server through a faulty plugin or an ancient version of WordPress core so that they can turn your server into a spamming machine.
Attacking Other Websites
Distributed denial-of-service attacks use many computers to flood a website with so much traffic that it can’t keep up. These attacks are very difficult to mitigate, especially when they are done right. Hackers who break into your server can add it to a pool of servers used to attack websites.
Mining cryptocurrency is very popular now, but it takes a lot of computing power. Hackers who don’t want to spend a lot of money on a server farm will break into unprotected WordPress websites and steal computing power, either from the server itself or from your website’s visitors.
Bumping SEO Scores
A particularly popular hack for WordPress is to gain access to its database and add a bunch of (hidden) text underneath each post, linking to another website. It’s a really quick way to bump one’s SEO score, although Google is getting more vigilant about this behavior, and blacklistings are increasing.
Data is valuable, especially when it’s linked to user profiles and e-commerce information. Getting this data and selling it can make an attacker a handsome profit.
Why Does Security Matter?
Apart from not giving criminals the satisfaction, there are plenty of reasons why your website should be secure by default. Having cleaned and dealt with plenty of WordPress hacks myself, I can surely say that they never occur at a convenient time. Cleaning up can take hours and will cost either you or your client money.
To get a hacked WordPress website up and running again, you’ll need to remove and replace every bit of third-party code (including WordPress core); comb through your own code line by line and all other folders on the server to make sure they are still clean; check whether unauthorized users have gained access; and replace all passwords in WordPress, on your server and on your database.
Plenty of services can clean up a WordPress website for you, but prevention is so much better in the long run.
Apart from the cost of cleaning up, hacks can also cost you a lot in missed sales or leads. Hacks move you lower in search rankings, resulting in fewer visitors and fewer conversions.
More than the financial cost, getting hacked hurts your reputation. Visitors come to your website because they trust you. Getting hacked damages your reputation, and that takes a long time to repair.
There’s also a real possibility of legal issues, especially if you have customers in the EU, where GDPR legislation will go into effect in the summer of 2018. That new legislation includes a hefty fine for data breaches that aren’t handled properly.
Money, reputation and legal problems: Bad security can cost you a lot. Investing some time in getting your website, code and team set up with a mindset of security will definitely pay off.
Let’s find out how we can prevent all of this nastiness.
The CIA Triad
The CIA triad is a basic framework for every digital security project. It stands for confidentiality, integrity and availability. CIA is a set of rules that limits information access to the right parties, makes sure the information is trustworthy and accurate, and guarantees reliable access to that information.
For WordPress, the CIA framework boils down to the following.
Make sure logged-in users have the right roles assigned and that their capabilities are kept in check. Only give users the minimum access they need, and make sure that administrator information doesn’t leak out to the wrong party. You can do so by hardening WordPress’ admin area and being careful with usernames and credentials.
Show accurate information on your website, and make sure that user interactions on your website happen correctly.
When accepting requests on both the front and back end, always check that the intent matches the actual action. When data is posted, always filter the data in your code for malicious content by using sanitization and escapes. Make sure spam gets removed by using a spam protection service such as Akismet.
Make sure your WordPress, plugins and themes are up to date and hosted on a reliable (preferably managed) WordPress host. Daily automated backups also help to ensure that your website stays available to the public.
All three elements lean on each other for support. Code integrity will not work on its own if a user’s confidential password is easily stolen or guessed. All aspects are important to a solid and secure platform.
Security is a lot of hard work. Apart from the work that can be done in code, there’s a huge human element to this framework. Security is a constant process; it can’t be solved by a single plugin.
Part 1: Integrity — Trust Nothing
Verify the intent of user actions and the integrity of the data you’re handling. Throw your inner hippie out the door. Nothing can be trusted online, so double-check everything you do for possible malicious intent.
Data Validation and Sanitization
WordPress is excellent at handling data. It makes sure that every interaction is validated and that every bit of data is sanitized, but that’s only in WordPress core. If you’re building your own plugin or theme or even just checking a piece of third-party code, knowing how to do this is essential.
// Cast our variable to a string, and sanitize it.
update_post_meta( $post->ID, 'some-meta', sanitize_text_field( (string) $_POST['some-meta'] ) );

// Make sure our variable is an absolute integer.
update_post_meta( $post->ID, 'some-int', absint( $_POST['int'] ) );
In this example, we’ve added two pieces of data to a WordPress post using update_post_meta. The first is a string; so, we cast it as a string in PHP and strip unwanted characters and tags with sanitize_text_field, one of WordPress’ many sanitization functions.
We’ve also added an integer to that post and used absint to make sure this is an absolute (and non-negative) integer.
Using core WordPress functions such as update_post_meta is a better idea than using the WordPress database directly. This is because WordPress checks everything that needs to be stored in the database for so-called SQL injections. A SQL injection attack runs malicious SQL code through the forms on your website. This code manipulates the database to, for instance, destroy everything, leak user data or create false administrator accounts.
If you ever need to work with a custom table or perform a complicated query in WordPress, use the native WPDB class, and use the prepare function on all your queries to prevent SQL injection attacks:
$wpdb->prepare goes through every variable to make sure there’s no chance of a SQL injection attack.
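As an added example (not code from the article), here is what the $wpdb->prepare pattern looks like against a custom table, including the two cases that trip people up: IN (...) lists and LIKE searches. The table "smash_orders", its columns and the smash_* function names are assumptions.

```php
<?php
// Added example, not from the article: parameterised queries against a custom
// table through the global $wpdb. The table "smash_orders", its columns and the
// smash_* function names are assumptions.

function smash_find_orders( $customer_email, $min_total, array $statuses ) {
    global $wpdb;
    $table = $wpdb->prefix . 'smash_orders';

    if ( empty( $statuses ) ) {
        return array(); // "IN ()" is a syntax error, so bail out early.
    }

    // UNSAFE pattern the article warns about: request data pasted into SQL.
    // $sql = "SELECT * FROM {$table} WHERE email = '{$customer_email}'";

    // SAFE: every value goes through a placeholder. %s is quoted and escaped,
    // %d is cast to an integer and %f to a float, whatever the input contained.
    // An IN (...) list needs one %s per value, so build that part first.
    $in_list = implode( ', ', array_fill( 0, count( $statuses ), '%s' ) );

    $sql = $wpdb->prepare(
        "SELECT id, email, total, status
           FROM {$table}
          WHERE email = %s
            AND total >= %f
            AND status IN ({$in_list})",
        array_merge( array( $customer_email, $min_total ), $statuses )
    );

    return $wpdb->get_results( $sql );
}

// LIKE needs an extra step: prepare() does not neutralise the SQL wildcards
// % and _, so a user-supplied "%" would otherwise match every row.
function smash_search_orders_by_email( $fragment ) {
    global $wpdb;
    $table = $wpdb->prefix . 'smash_orders';
    $like  = '%' . $wpdb->esc_like( $fragment ) . '%';

    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, email FROM {$table} WHERE email LIKE %s", $like )
    );
}

// Writes use the same mechanism through $wpdb->insert(), which takes a
// format array (%s/%d/%f) for the values instead of inline placeholders.
function smash_insert_order( $email, $total, $status ) {
    global $wpdb;
    return $wpdb->insert(
        $wpdb->prefix . 'smash_orders',
        array( 'email' => $email, 'total' => $total, 'status' => $status ),
        array( '%s', '%f', '%s' )
    );
}
```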
Escaping output is just as important as sanitizing input. Validating data before you save it is important, but you can’t be 100% sure it’s still safe. Trust nothing. WordPress uses a lot of filters to enable plugins and themes to change data on the fly, so there’s a good chance that your data will get parsed through other plugins as well. Escaping data before adding it to your theme or plugin is a smart thing to do.
Escaping is mainly meant to prevent cross-site scripting (XSS) attacks. XSS attacks inject malicious code into the front end of your website. An added bonus of escaping data is that you can be sure that your markup is still valid afterwards.
Escape as late as possible. This ensures that you have the final say over your data.
WordPress admin requests are already pretty secure if you have SSL enabled and if you have a decent host, but some vulnerabilities still exist. You need to check a user’s intent and validate that the incoming request is something that was done by the actual logged-in user.
WordPress validates intent with nonces. A nonce (or “number used only once”) isn’t really an accurate description of this API in WordPress: it doesn’t only use numbers, and it is much more like the cross-site request forgery (CSRF) token that you’ll find in every modern web framework. These tokens make sure hackers can’t forge or repeat requests. It’s a lot more than just a nonce, but WordPress likes backwards compatibility, so the name stuck.
Nonces are sent along with every vulnerable request that a user makes. They’re attached to URLs and forms, and they always need to be checked on the receiving end before performing the request. You can add a nonce to a form or a URL. Here’s an example used in a form:
<form method="post">
    <!-- Add a nonce field: -->
    <?php wp_nonce_field( 'post_custom_form' ); ?>
    <!-- other fields: -->
</form>
wp_nonce_field outputs two hidden fields. The first checks intent by using a token generated from the 'post_custom_form' string that we’ve passed to the function. The second adds a referrer field to validate whether the request was made from within the WordPress installation.
Before processing your task on the other end of the form or URL, you would check the nonce and its validity with wp_verify_nonce:
Here, we’re checking the nonce with our action name, and if it doesn’t match, we stop processing the form.
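The following added example (not code from the article) ties the nonce section and the escaping advice above together: a form that carries a nonce, the admin-post handler that verifies it before touching any data, and output that is escaped as late as possible. The action name 'post_custom_form', the meta key 'some-meta' and the smash_* names are assumptions.

```php
<?php
// Added example, not from the article. The action 'post_custom_form', the meta
// key 'some-meta' and the smash_* function names are assumptions.

// Render the form on the edit screen. The stored value is escaped for an
// attribute context right where it is printed, not earlier.
function smash_render_form( $post ) {
    $current = get_post_meta( $post->ID, 'some-meta', true );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'post_custom_form' ); /* adds _wpnonce and _wp_http_referer */ ?>
        <input type="hidden" name="action" value="smash_save_meta">
        <input type="hidden" name="post_id" value="<?php echo absint( $post->ID ); ?>">
        <label>Meta value
            <input type="text" name="some-meta" value="<?php echo esc_attr( $current ); ?>">
        </label>
        <button type="submit">Save</button>
    </form>
    <?php
}

// admin_post_{action} only fires for logged-in users; the nonce then proves the
// request came from our own form for this user, not from a third-party page.
function smash_save_meta() {
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

    // 1. Intent: reject the request if the nonce is missing, expired or forged.
    if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( $_POST['_wpnonce'], 'post_custom_form' ) ) {
        wp_die( 'Security check failed.', '', array( 'response' => 403 ) );
    }

    // 2. Authorization: a valid nonce says nothing about what the user may do.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( 'You are not allowed to edit this post.', '', array( 'response' => 403 ) );
    }

    // 3. Sanitize before storing (WordPress adds slashes to $_POST, hence wp_unslash).
    $value = isset( $_POST['some-meta'] ) ? sanitize_text_field( wp_unslash( $_POST['some-meta'] ) ) : '';
    update_post_meta( $post_id, 'some-meta', $value );

    wp_safe_redirect( get_edit_post_link( $post_id, 'raw' ) );
    exit;
}
add_action( 'admin_post_smash_save_meta', 'smash_save_meta' );

// Front-end output: escape for the context the value lands in, even though it
// was sanitized on the way in, because filters may have changed it since.
function smash_show_meta( $post_id ) {
    $value = get_post_meta( $post_id, 'some-meta', true );
    echo '<p class="meta" data-meta="' . esc_attr( $value ) . '">' . esc_html( $value ) . '</p>';
}
```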
Third-party plugins and themes are a hotbed for hacks. They’re also the toughest nut to crack when ensuring the security of your website.
Most WordPress hacks are caused by plugins, themes, and out-of-date copies of WordPress. No piece of software is 100% secure, but a lot of plugins and themes out there either haven’t been updated in a while by their developers or weren’t secure to begin with.
Less code means less to hack. So, before installing yet another plugin, ask yourself whether you really need it. Is there another way to solve this problem?
If you’re sure you need a plugin or theme, then judge it carefully. Look at the rating, the “last updated” date and the required PHP version when browsing through WordPress’ plugin directory. If you’ve found what you’re looking for and everything seems to work, search for any mentions of it on a trusted security blog, such as Sucuri or WordFence.
Another option is to scan the code and make sure it contains proper nonces, sanitization and escaping; these are usually signs of well-written and secure code. You don’t have to know PHP or do a complete code review. A simple and quick way to verify proper use of WordPress security functions is to search the plugin’s code for these strings:
A plugin could still be secure if it doesn’t include all of these strings, but if none or a low number of these strings are found, that is a red flag. If you do find a vulnerability, please share it with the creator in private, and allow them time to fix it.
Keeping track of vulnerabilities in the WordPress plugin space is getting easier with initiatives such as wpvulndb.
Note: Some themes out there bundle versions of plugins with their code. This is a symptom of WordPress not having great out-of-the-box dependency management, but it’s also a sign of a very poorly written theme. Always avoid these themes because they include code bases that can’t be updated.
Themes and plugins rarely contain code written by only one developer. Composer and NPM have made it so much easier to depend on other libraries that dependencies have become a popular attack vector. If you’re downloading a cut-and-dried WordPress theme or plugin, this really isn’t a concern, but if you’re working with tools that use Composer or NPM, then it doesn’t hurt to check their dependencies. You can check Composer dependencies with a free command-line interface (CLI) tool by SensioLabs. A service such as Snyk (which you can use for free but which also has premium options) enables you to check every dependency in your project.
Part 2: Availability: Keep It Simple
Your main goal is to keep your website online without interruptions. Even with top-notch security, you can still get in trouble. When that happens, a great backup will save you a big headache.
Open-source can’t exist without updates. Most attacks on WordPress websites happen on outdated versions of either the core software or plugins. Security updates to WordPress’ core are now dealt with automatically (unless you’ve disabled this, you monster!), but security updates in plugins are a different story.
Updating is normally safe with popular, trusted plugins, but all plugins should be tested before they go live on your website. Tools such as WP CLI make updating everything much easier. WordPress lead developer Mark Jaquith had an excellent blog post on updating all plugins automatically yet gradually, so that you can filter out possible errors.
Users, Roles and Capabilities
“Availability” in the CIA triad has to do with getting information in the right hands. Our main priority with this is limiting the capabilities of your back-end users. Don’t give everyone an admin account.
The admin account in WordPress is unusually powerful. There’s even an option in vanilla WordPress to alter your complete code base from within the WordPress admin account. (If this is new to you and you haven’t disabled this, please do.)
The roles and capabilities system in WordPress is powerful and is very easy to alter in code. I create a lot of new roles when working with WordPress. The main benefit of this is that you get full control over which parts of the system various users get to access, but another huge benefit is that it prevents third-party code from altering the standard capabilities of WordPress core.
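As an added example (not code from the article), here is a custom role built from an explicit allow-list of capabilities, the wp-config constant that removes the in-admin code editor mentioned above, and a small check that reports capabilities another plugin may have added to the role behind your back. The role name, capability list and smash_* names are assumptions.

```php
<?php
// Added example, not from the article. The role 'smash_content_editor', its
// capability list and the smash_* function names are assumptions.

// In wp-config.php (not in the plugin): removes the theme and plugin file
// editors from the admin area.
// define( 'DISALLOW_FILE_EDIT', true );

// Capabilities this role is allowed to have. Everything not listed is denied.
function smash_content_editor_caps() {
    return array(
        'read'                 => true,
        'edit_posts'           => true,
        'edit_published_posts' => true,
        'publish_posts'        => true,
        'upload_files'         => true,
        'delete_posts'         => false, // explicit denials are kept alongside grants
        'edit_others_posts'    => false,
        'edit_theme_options'   => false,
        'install_plugins'      => false,
    );
}

// Roles are stored in the database, so create them once, on activation,
// rather than on every request.
function smash_register_roles() {
    add_role( 'smash_content_editor', 'Content Editor', smash_content_editor_caps() );
}
register_activation_hook( __FILE__, 'smash_register_roles' );

function smash_remove_roles() {
    remove_role( 'smash_content_editor' );
}
register_deactivation_hook( __FILE__, 'smash_remove_roles' );

// Drift check: return any capability the role has been granted that is not
// in our allow-list (for example by a third-party plugin calling add_cap()).
// Returns null if the role does not exist.
function smash_role_drift( $role_name, array $allowed_caps ) {
    $role = get_role( $role_name );
    if ( ! $role ) {
        return null;
    }
    $granted = array_keys( array_filter( $role->capabilities ) );
    $allowed = array_keys( array_filter( $allowed_caps ) );
    return array_values( array_diff( $granted, $allowed ) );
}

// Gate features on a capability, never on a role name or an "is admin" check.
function smash_user_may_export( $user_id = 0 ) {
    return user_can( $user_id ? $user_id : get_current_user_id(), 'export' );
}
```

Running smash_role_drift( 'smash_content_editor', smash_content_editor_caps() ) from a scheduled task or WP-CLI command and alerting on a non-empty result gives you the same kind of early warning for permissions that file-integrity monitoring gives you for code.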
WordPress usually handles email via the server it’s on, but this makes all of your email completely dependent on the server it’s running on. Prevent your emails from getting intercepted and seen as spam by using an SMTP service. A lot of plugin options are available to make sure that all of your mail is sent over a secure SMTP connection.
You will, however, need access to the domain name’s DNS settings to add a Sender Policy Framework (SPF) record. All good SMTP services will provide the exact record that needs to be added. An SPF record ensures that your SMTP service is authorized by the domain to send email in its name.
Monitoring your website online is a 24/7 task that can be fully automated. In the case of WordPress, we’re interested in uptime and file integrity.
Monitoring uptime is usually something a good host will do for you. Tools such as Uptime Robot add even more security. Your first 50 websites are completely free.
Regarding file integrity, if a hacker gains access to your server they can change your code.
In this case, plugins are the answer to your problem. Sucuri has a great auditing plugin. It checks all files in your installation against a vast database of known malicious code. It also checks whether WordPress core is still 100% WordPress core, and it gives you a heads up if there’s been a breach, so that you can fix it as soon as possible.
The ultimate fail-safe of every security process is automated backups. Most good hosts will do this for you, but there are other good options if your host doesn’t offer backups. Automattic makes one named VaultPress, and tools such as BackupBuddy back up to a Dropbox account or an Amazon S3 bucket.
Most of the reliable services in the WordPress backup space are either premium services or premium plugins. Depending on whether you need to fully control your data, you might prefer a plugin that comes with a cloud host, instead of a service. Either one is worth every penny, though.
WordPress isn’t the only piece of software running on your server. Plenty of attack vectors are open when you’re on crappy hosting. In fact, bad hosting is the main reason why WordPress still supports outdated versions of PHP. At the time of writing, WordPress’ own statistics page reports that 32.5% of all WordPress installations are running on PHP versions that do not receive security updates anymore.
Note the almost 60% of installations running on PHP 5.6 and 7.0, which will receive security patches only until the end of this year.
Hosting is important not only for keeping your server’s software up to date, though. A good host will offer many more services, such as automated daily backups, automated updates, file-integrity monitoring and email security. There’s a big difference between managed WordPress hosts and hosts that give you an online folder with database access.
The best advice is to find a decent managed WordPress host. They cost a little more, but they provide a great backbone for your WordPress website.
Part 3: Confidentiality
If you’ve made sure that your code base is as secure as it can be and you’re on a great WordPress host, surrounded by malware scanners and backups, then you’re still going to experience security problems, because people are the worst… at Internet security.
Confidentiality is about educating yourself, your client and the users of the website.
You might not know it, but your plugins and themes are probably showing valuable confidential data. If, for instance, you have WP_DEBUG set to true, then you’re showing every hacker your website’s root path on the server. Debugging data should have no place in your production website.
Other valuable data sources are comments and author pages. These are filled with usernames and even email addresses. A hacker could use these in combination with a weak password to get into your website. Be wary of what you show the outside world.
Also, double-check that you’ve put wp-config.php in your .gitignore.
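As an added example (not from the article), here is the debug configuration as it is often left on a production site next to the hardened form, for wp-config.php. The log path is an assumption.

```php
<?php
// Added example, not from the article. Goes in wp-config.php; the log path is
// an assumption.

// WEAK: PHP notices and warnings, absolute server paths included, are printed
// straight into the page for every visitor.
// define( 'WP_DEBUG', true );

// HARDENED: debugging stays off in production.
define( 'WP_DEBUG', false );

// If it ever has to be switched on to chase a bug, keep the output off the
// page and in a log file instead. WP_DEBUG_LOG accepts a file path in current
// WordPress versions; with `true` it writes to wp-content/debug.log, which is
// reachable over HTTP on many hosts.
define( 'WP_DEBUG_DISPLAY', false );
define( 'WP_DEBUG_LOG', '/var/log/wordpress/debug.log' ); // assumed path, outside the web root
@ini_set( 'display_errors', 0 );
```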
Don’t Code Alone
A way to prevent a lot of mistakes from sneaking into your code base is to practice pair programming. If you’re by yourself, this is a lot harder, but many online communities are available that are willing to do quick code audits. WordPress, for instance, uses Slack to communicate everything about the development of its platform. You will find a lot of people on there who are willing to help. Slower but better alternatives are the WordPress forums, StackOverflow and GitHub Issues, where your questions (and their answers!) are saved so that other people can benefit from them.
Asking for input can be tough, but people love showing their expertise, and WordPress in general has a very open and welcoming community. The point is that if you never ask for input on the quality of your code, then you will have no idea whether your code is secure.
Logins and Passwords
Your clients will need to log into WordPress to manage their content. WordPress core does what it can to prevent weak passwords from getting through, but this usually isn’t enough.
I’d recommend adding a plugin for two-factor authentication to your website, along with a limit on login attempts. Even better, do away with passwords entirely and work with magic links.
Trust But Verify
So far in this article, we haven’t talked about social engineering at all. It’s a form of hacking that’s gaining momentum, but it generally isn’t used to hack into WordPress websites. It is, however, an excellent way to set up the culture around your website with security in mind. That’s because the best defense against social engineering is “Trust but verify”.
Whenever a client, a user or your boss asks for something related to security, the best way to deal with it is to trust but first to verify whether what they are saying is true.
A client can claim they need administrator access to WordPress, but your job is to verify whether this is true. Do they actually need access, or are they missing just a single capability in their role? Is there a way to solve this problem without adding possible new attack vectors?
“Trust but verify” is a simple yet effective mantra when it comes to security questions, and it can really help get people up to speed.
Is WordPress insecure? No, it’s not. WordPress core is constantly being updated and fixed, and most reported WordPress hacks aren’t from WordPress itself. Is the culture surrounding WordPress insecure? You betcha!
But by having security in mind with every line of code you write, every user you add, every plugin you enable and every hosting bill you pay, you can at least ensure that you’re running a secure website that keeps your reputation intact and your data safe.