The internet dominates nearly every aspect of our lives and will continue to do so for years to come. And why shouldn’t it? It’s fun, informative, scary, and just downright useful for nearly all aspects of life as we know it. The fact that almost anyone can fire up a website for any reason makes the internet scalable and adds to the options available.
The Internet runs on WordPress
Website creation is readily available to everyone: anyone can build a site using a content management platform like WordPress. WordPress is a framework with many components and optional add-ons for a website. It is extremely easy to configure, publish content and even create an e-commerce solution. Some assume that webmasters use it only for blogging, as a more personalized substitute for a social media page, but WordPress is much more. Online stores are also possible, though they are typically a little more complex, with the need for payment methods, confirmations, etc.
But, when it comes to meeting the needs of the common website, WordPress acquits itself quite well.
Because of its great scalability, options and “ease of use,” a lot of websites on the internet are built with WordPress. In fact, WordPress websites account for 1/3 of the world’s websites.
But what happens when a technology becomes popular? It gets attacked. It happens all the time. Hackers attacked Windows when it became popular. Apple started to come on strong and, despite people saying that there are no viruses or attacks for Apple, guess what happened? It saw far more attacks than before. So, when a website platform currently serves 1/3 of all content on arguably the most popular communication platform in the world, can we expect focused attacks? Definitely.
There are many components of WordPress and, like most software, all those aspects have potential security flaws. Let’s examine some of those security vulnerabilities and see what can be done about them. We’ll go through this categorically, so each component is addressed. Some of this stuff is low hanging fruit, and some will be a little more complex.
Login stuff is one of the more obvious security needs, but let’s go over the details:
Secure password: Some hackers attack websites by simply trying thousands of passwords until they guess the right one. Make it hard for hackers to guess your password by choosing a long password (10+ characters) that includes a variety of words, numbers, and characters. It’s also best to change the password regularly.
Brute-force prevention: Hackers have pre-compiled databases of millions of user ids and passwords, which a script keeps trying until a login attempt succeeds. In addition to a secure password, login limiters can fight brute-force attacks. Use plugins like Loginizer, iThemes Security, Limit Login Attempts Reloaded, WPS Limit Login, etc. that offer a lockdown feature: after a certain number of failed login attempts, these plugins automatically block the IP address of the user. Set a low login attempt limit, for example, lockout after five tries.
2-Factor authentication: This provides one more layer of security, such as a secret code, secret question, or phone/email verification with a one-time password (OTP). Popular plugins for 2-factor authentication are Two-Factor, WordPress 2-Step Verification, Unloq Two Factor Authentication, and Google Authenticator.
Username: Do not use ‘admin’ as your login id. Use your email id or any unique admin name instead.
Modify the login portal URL: The default WordPress login page URL is either /wp-login.php or /wp-admin. Rename the login URL to a unique path like /mywordpress_login.php or /newpage_login.php etc. Only people with the exact URL can reach your admin login page.
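One way to implement the lockout described under brute-force prevention without a third-party plugin, as an added example that is not code from the article or from any of the plugins it names: a must-use plugin built on WordPress's wp_login_failed and authenticate hooks. The threshold, the lockout length and the sll_ prefix are this example's own choices.

```php
<?php
/**
 * Plugin Name: Simple Login Lockout (added example, not from the article)
 * Place in wp-content/mu-plugins/. After 5 failed logins from one IP the
 * IP is refused for 15 minutes, using WordPress transients (no new tables).
 */

// Thresholds are assumptions for this example; tune them to your site.
const SLL_MAX_ATTEMPTS    = 5;
const SLL_LOCKOUT_SECONDS = 15 * MINUTE_IN_SECONDS;

// Transient key for the requesting client. REMOTE_ADDR is used on purpose:
// X-Forwarded-For is client-controlled unless a trusted proxy rewrites it.
function sll_client_key() {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'sll_fail_' . md5($ip);
}

// Count each failed attempt; the counter expires by itself after the window.
// Attempts made while locked out refresh the expiry, so the window extends.
add_action('wp_login_failed', function ($username) {
    $key   = sll_client_key();
    $count = (int) get_transient($key) + 1;
    set_transient($key, $count, SLL_LOCKOUT_SECONDS);
    if ($count >= SLL_MAX_ATTEMPTS) {
        // Write the lockout to the server log so monitoring can pick it up.
        error_log(sprintf('[sll] lockout for %s after %d failures (last username tried: %s)',
            $_SERVER['REMOTE_ADDR'] ?? '?', $count, sanitize_user($username)));
    }
});

// Priority 50 runs after WordPress's own username/password and cookie checks
// (priorities 20 and 30), so a locked-out IP is refused even with the right password.
add_filter('authenticate', function ($user, $username, $password) {
    if ((int) get_transient(sll_client_key()) >= SLL_MAX_ATTEMPTS) {
        return new WP_Error('sll_locked',
            __('Too many failed logins. Try again in 15 minutes.'));
    }
    return $user;
}, 50, 3);

// Clear the counter after a successful login so a typo earlier in the day
// does not lock out the legitimate user later.
add_action('wp_login', function () {
    delete_transient(sll_client_key());
});
```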
Administrative panel for WordPress security
Dedicated accounts: The administrative panel of a WordPress site controls much of the management of WordPress and not necessarily the end product. Settings, users, plugins, themes, etc. are all managed here. The power of the Administrative Panel is apparent. Treat it well. Have dedicated, specialized user accounts for distinct tasks. For example, have an account just to publish and a separate account with admin rights.
Use encryption: Use an SSL certificate to activate HTTPS and the padlock sign in the address bar, and to encrypt the web sessions between users and the server. An SSL certificate will not only secure data transmission but also help you gain the trust of your website visitors and rank better in search engines.
Plugins: The plugin threat is real. Basically, anyone can create a plugin, so plugins can come from anywhere. Plugins may have access to certain shell and core functions, so they can be very dangerous. Follow these tips:
- Beware of where plugins are coming from. Try to use high-rated and highly-utilized plugins.
- Research known vulnerabilities in plugins, such as XSS (Cross-Site Scripting).
- Remove unused themes and plugins.
- Keep plugins up to date.
- Review changelogs and security fixes.
If a user is logged in to the WordPress account and leaves his/her computer without logging out, someone can easily access and abuse the website during this time. If s/he is accessing your WordPress site from a public place or a public computer (a cybercafé or free wi-fi in a cafe), the risk increases greatly. An attacker doesn’t even have to use any complicated hacking technique. It is like an open vault: the easiest way to log into and exploit any website.
To reduce this risk, you can use plugins such as Bulletproof Security, Inactive Logout, Idle User Logout, or any other that automatically logs out a user who has been inactive for a while. With such plugins, you can set a time limit for inactivity after which the user is automatically logged out.
Auto-logout definitely reduces the risk of abuse but is not a foolproof method. If the user’s browser has cached the id and password, the login fields will be automatically filled up when the attacker tries to log in after the original user has logged out.
So, if your WordPress site has multiple users, it’s crucial to select admins carefully. Only give admin rights to people who are as sincere about your WordPress site’s security as you are.
Restrict dashboard access for a specific time
If you or admins of your website access the dashboard only at a specific time each day, you can lock down the dashboard for the rest of the day. iThemes Security has an ‘Away Mode’ which enables you to set a time duration in which access to the dashboard is restricted for everyone.
Even if the hacker gets the credentials of your website, s/he will not be able to access your admin dashboard. Unfortunately, it also means that you can’t access your own website in that particular time duration, even in times of emergency.
Distribution of privileges
WordPress has 6 default user roles:
Each role has its own powers and responsibilities. The Administrator has full control over the website and can create, edit and delete content, manage all plugins and themes and create, modify and delete user accounts.
Permissions reduce as you go down the hierarchy. You must clearly understand the rights and responsibilities of each of these 6 roles before assigning any of them to anyone.
The Administrator has the highest power, so only people you can vouch for, who won’t abuse that power and are not negligent, should be appointed as administrators of your website.
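The dedicated publish-only account and the review of who holds admin power described above, as an added example that is not code from the article: a small plugin that registers a ‘publisher’ role (an Editor without file uploads or raw HTML) and lists which users hold capabilities that amount to full control of the site. The role name, the capability list and the WP-CLI command name are this example's own assumptions.

```php
<?php
/**
 * Plugin Name: Privilege Audit (added example, not from the article)
 * Registers a restricted "publisher" role and reports which accounts hold
 * site-takeover capabilities, so admin rights can be reviewed regularly.
 */

// Capabilities that let an account change code, users or settings.
// This list is an assumption of the example; extend it for your site.
const PA_DANGEROUS_CAPS = [
    'edit_files', 'install_plugins', 'edit_plugins', 'install_themes',
    'edit_themes', 'edit_users', 'promote_users', 'manage_options',
];

// Returns [ user_login => [dangerous caps held] ] for every user holding any.
function pa_privileged_users() {
    $report = [];
    foreach (get_users(['fields' => 'all']) as $user) {
        $held = array_values(array_filter(PA_DANGEROUS_CAPS, function ($cap) use ($user) {
            return user_can($user, $cap);
        }));
        if ($held) {
            $report[$user->user_login] = $held;
        }
    }
    return $report;
}

// Create the "publish only" account type: an Editor clone that cannot upload
// files or post unfiltered HTML/JS. Roles persist in the database, so this
// is a no-op after the first run.
function pa_register_publisher_role() {
    $editor = get_role('editor');
    if (get_role('publisher') || !$editor) {
        return;
    }
    $caps = $editor->capabilities;
    unset($caps['upload_files'], $caps['unfiltered_html']);
    add_role('publisher', 'Publisher', $caps);
}
add_action('init', 'pa_register_publisher_role');

// Expose the audit as `wp privilege-audit` when WP-CLI is available.
if (defined('WP_CLI') && WP_CLI) {
    WP_CLI::add_command('privilege-audit', function () {
        foreach (pa_privileged_users() as $login => $caps) {
            WP_CLI::line(sprintf('%-20s %s', $login, implode(', ', $caps)));
        }
    });
}
```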
Code & database security
Prevention is key. Your WordPress database should be treated like any other database: protecting the data will result in fewer frustrations when problems arise. Especially when WordPress is accessed by multiple contributors (co-authors, employees), database vulnerabilities are a real threat.
- These vulnerabilities can typically be avoided through a strong database user hierarchy. Create separate accounts and passwords for all needed users and limit their permissions to what they actually need.
- Routine user management and permission auditing are often overlooked in many systems, including WordPress. Everyone does it. Even if managing users is too much, just be conscious of who has access to what. Any users who no longer have business with the system or organizational entity should have their permissions modified, at the least.
Choose a secure platform: Hosting platforms range from bare-metal server solutions to the rising and popular cloud-based server platforms. Many security precautions are handled by your host, so using a reputable hosting provider is a must.
Encrypted access: Use an encrypted protocol to control your server: SSH, SCP or SFTP; never Telnet or plain-text FTP.
Protect wp-config.php: Be careful about file permissions. In fact, all files and folders should be protected.
- Add hardening constants to the active wp-config.php. For example, define('DISALLOW_FILE_EDIT', true); disables editing theme and plugin files from the dashboard.
- Have a master copy and work on copies before elevating them to production.
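The wp-config.php hardening from the list above, carried a little further as an added example that is not the article's own code: the DISALLOW_FILE_EDIT line it gives, alongside related constants, with the weak default noted next to each. The AUTH_KEY and salt values are placeholders.

```php
<?php
// wp-config.php hardening excerpt (added example, not from the article).
// Put these above the "That's all, stop editing!" line.

// Default: admins can edit theme/plugin PHP from the dashboard, so a stolen
// admin session can write a backdoor into any file. Remove the editor:
define('DISALLOW_FILE_EDIT', true);

// Default: admins can also upload/install/update plugins and themes, which is
// another way to put arbitrary PHP on the server. Block it entirely and ship
// updates from your master copy instead. Caveat: this also turns off
// WordPress's automatic updates, so your deployment process must apply them.
define('DISALLOW_FILE_MODS', true);

// Default: login and admin pages accept plain HTTP. Require HTTPS for both.
define('FORCE_SSL_ADMIN', true);

// WP_DEBUG is often left on after troubleshooting, and then leaks file paths
// and queries to every visitor. Keep it off in production.
define('WP_DEBUG', false);
define('WP_DEBUG_DISPLAY', false);

// Unique keys and salts sign every login cookie. Regenerating them invalidates
// all sessions at once, which ends the "left logged in" situation described
// earlier. PLACEHOLDER values: generate real ones at
// https://api.wordpress.org/secret-key/1.1/salt/
define('AUTH_KEY',         'PLACEHOLDER');
define('SECURE_AUTH_KEY',  'PLACEHOLDER');
define('LOGGED_IN_KEY',    'PLACEHOLDER');
define('NONCE_KEY',        'PLACEHOLDER');
define('AUTH_SALT',        'PLACEHOLDER');
define('SECURE_AUTH_SALT', 'PLACEHOLDER');
define('LOGGED_IN_SALT',   'PLACEHOLDER');
define('NONCE_SALT',       'PLACEHOLDER');
```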
More tips for WordPress security
WordPress security scan: There is a popular misconception that only big and popular WordPress sites get hacked. Many people don’t find it necessary to install a WordPress security scanner in the initial phase, and that’s why a malware injection can go unnoticed until it’s too late to take any preventive steps. Thus, you must install anti-malware/security scanners from the very beginning. They help protect your website against future attacks by scanning your entire WordPress site; if there are any suspicious scripts, viruses or malware, they remove them immediately. Sucuri, Wordfence and Anti-Malware Security are some of the well-trusted WordPress malware scanners. CodeGuard also has a robust built-in scanner.
Backup: Backups and revision management are crucial. Make frequent backups of your WordPress site. This way, if you experience any significant problems, you’ll have a working restore point. You’ll inevitably be in a situation, even outside of WordPress management, where you will be glad you had revision management and backups, or regret that you did not. Having a working copy of the wp-config.php file can also resolve problems quickly without the need for a full restore. Back up and export data away from the production server.
Final tips for securing your WordPress website
Firewall protection: Firewalls are a good way to keep all non-public-facing data and communication private. Implement a software and/or hardware firewall on the hosting server and make sure it’s properly configured. Use the firewall features your platform offers as well. AWS, for example, has VPC, which is an extra layer for the subnet and adds ACL and firewall-like rules.
Prevention of SQL injection attacks: To identify injection vulnerabilities, use a well-respected vulnerability scanner. Also, make sure the local PHP is up to date; older versions of PHP have many security flaws. As of May 2018, around 25% of the PHP versions in use were 5.6 or older.
Monitor carefully: Network logs and activity monitors will also give a good idea of what may be happening. Audit logs inform you about others’ activities on your website. You can keep an eye on their every move and be assured that they are not doing something they are not authorized to. WP Security Audit Log, Simple History, User Activity Log, Simple Login Log and WP Log Viewer are some popular plugins for audit logs.
WordPress is an excellent platform for websites. Keep your users safe and engaged on your site with proper WordPress security practices! Stay safe, happy WordPressing and happy scrutinizing!