Securing WordPress websites

All web applications and solutions, including WordPress, have opportunities for improving security. Risks arise from default naming approaches and settings that are commonly known by those looking to exploit websites’ weaknesses. These risks need to be reduced and managed; taking preemptive steps goes a long way in closing easy backdoors for those looking at exploiting a website. Human error is usually one of the main causes of risks. Potential risks range from service disruption, stolen user information, and phishing to malware distribution to users and subscribers, website or page redirection, account takeover, and domain blacklisting.

Approaches and actions to secure a WordPress website

Stay on top of updates

  • Usually, updates are triggered by publishers for known issues, incompatibilities, and vulnerabilities found in live environments. Installing updates and patches helps secure your website from known weaknesses. Keep WordPress and its supporting applications, like the database and PHP, updated.
  • Keep WordPress themes, plugins, and third-party scripts updated.

Keep strong access approaches

  • Websites are accessed by website admin login, registered user or subscriber login, and casual site visitors. The following approaches help secure against vulnerabilities brought on by those accessing the website:
    • Strong password strategy: WordPress has a built-in random secure password generator. It’s accessed from the admin module > My Sites > Users > UserProfile > Security.
      • Consider setting up two-step authentication as an added security approach. Once enabled, logging in to WordPress will require entry of a unique passcode generated by an app on the user’s mobile device or sent via text message, in addition to a username and password. This will ensure that admins, users, and subscribers have an added level of security while logging in.
      • This strong password approach should be used across different interfaces, including host/admin accounts, database accounts, FTP accounts, and the primary site email address of the domain or web admin.
    • Add more challenge interfaces: For posts, discussions, comments, feedback, and responses, you can implement a CAPTCHA challenge before an entry is accepted to the website. This will ensure that crawling bots and similar solutions do not create mass entries and malicious feeds in discussion threads.
    • Consider setting up auto-logout for idle users in WordPress. Plugins help monitor and log out inactive users.
    • Use SFTP: Secure File Transfer Protocol, or SFTP, should be used instead of FTP to keep user information encrypted while performing transfers.

Change defaults

Make backups and test restorable files before trying the following changes.

  • Default admin: The default administrator name in WordPress is “admin.” If this is not changed, it becomes an open door for those looking for vulnerabilities, such as bots written to keep trying password combinations to attempt a break-in. Similarly, the default URL for admin login is website.com/wp-admin; changing this will ensure that those looking to execute password combination attempts towards the default link do not get access to the admin login page. Additionally, the maximum failed login attempts can be changed from the default to a restricted number of times, after which the user won’t be allowed to access the website.
  • Default file permissions:
    • Lock down write and delete file permissions where possible. This is an effective approach especially when files are hosted in shared environments. These restrictions can be loosened when write access is needed. Create separate folders with limited restrictions to allow users to upload files when needed.
    • Secure the database (if you are the database admin). Disable features that are not used by your configuration. For example, if the feature of accepting remote TCP connections is not needed, disable it. Most operations, including posting blogs, uploading files, and posting comments, need only data read and data write privileges to the database. Remove user database administration access; this will ensure that an authorized user can’t change the database structure. This works as a containment approach if the installation is compromised. Caveat: Some major updates and supporting applications (including themes and plugins) may require access to make structural changes in the database (including addition of new tables or a change in the schema). The work-around is to temporarily allow the required privileges before installing or updating the plugin, theme, or application.

Addressing hosting-related challenges

  • While selecting a hosting provider for your website, review the provider’s credentials.
  • Review security practices at the hosting level. The most common hosting security features include firewall and DDoS protection, virus protection at the host level, SSL security certificates, and domain owner detail masking.
  • Get a clear understanding of how and what the hosting provider covers in terms of protection. The remaining unprotected portions will be the website owner or admin’s responsibility.
    • A secure hosting provider that does not manage a web server usually protects the availability, privacy, and authenticity of infrastructure resources (the physical or virtual server a website is hosted on). The security of the web server and its applications remains the responsibility of the web admin.

Addressing theme-related challenges

  • WordPress offers a choice of themes, including free, paid, or custom (imported from a third party) themes.
    • Professional themes, free or paid, are regularly updated to address known security and performance issues. However, only minor updates may automatically apply, so it is the site owner’s responsibility to check and test major updates before implementing them on a live site. There are plugins that track theme updates and send a notification with information about new versions or updates being published.
    • Custom themes sourced from unknown or unverifiable developer sources present the risk of security vulnerabilities that could expose the WordPress site to malware and hacking possibilities. These risks could be due to poor code or malicious code that’s been inserted. Patching of security weaknesses and similar follow-up services may not always be available, adding to the risk of custom themes.
  • For sites that retain a set theme and plugins without frequent updates or changes to the theme or plugins, the installing provision for themes and plugins can be disabled when needed. This is possible in WordPress through the WP-admin module.

Addressing plugin-related challenges

  • The WordPress admin page has more information on listed plugins, compatibility issues, and approved for use details. This should be checked before installing a plugin. WordPress regularly updates and flags known issues with a plugin. This advisory remains until the plugin passes WordPress’ acceptance. Work with plugins from the WordPress options where possible rather than import a third-party custom plugin.
  • Plugins that need write access to WordPress files and directories should have their code checked. Some resources to consider looking at to identify known issues with plugins include https://wordpress.org/support/, other WordPress user forums, and the plugin supplier’s resources.
  • Once a plugin is installed, it’s good practice to run a malware and vulnerability scan.
    • Some online malware scanners check for malware through software algorithms that crawl the entered website URL to identify known malware and suspected malicious code. There are plugins that do this as a routine task too.
    • Similarly, if site performance degrades inexplicably, running a malware scanner is a good idea.
  • Disable and delete all unused plugins.
  • Some plugins may need and allow PHP or other code to execute from entries in a database; this creates risk if the website is compromised. A work-around used in conjunction with locking or disallowing file editing is to use a custom page template to call this function.
  • You can prevent users from installing themes or plugins from the WP-admin module. This security hardening approach may work for some sites that retain the existing theme and plugins without frequent updates.

Maintain audit logs and utilize the backup and restore capability

  • An audit log helps track all activities and changes to the WordPress site. This can include user activities, like logins, logouts, updates, and posts, and application update activities.
  • You can refer to the activity log for details on any suspicious activity or changes made. There are backup plugins that allow you to restore to a specific point in the audit log. Notifications can be set for critical website changes that are initiated.

Summary

Making WordPress secure is an ongoing exercise. Using security strategies and actions makes it harder for break-ins and website corruption to happen through known loopholes. In this article, we looked at securing a website at various levels—on the application level, with stronger access criteria like passwords and secure protocols and by masking or changing default details, and on the physical level (host servers and networks). Using tools and plugins helps automate and monitor some of the areas that can be tracked for analysis.