WordPress is the most popular and possibly best software for operating a modern website. The built-in tools that it provides for free are extremely valuable for any web project. WordPress is built on top of PHP, which is a “server side” programming language. That means when WordPress performs computational tasks it performs them on the server, rather than in the visitor’s browser. This presents significant security risks, because hackers can exploit vulnerabilities in WordPress to take over the server, which they can then add to their botnets to perform DDoS-for-hire attacks, run crypto-miners, or grow the botnet by infecting the machines of your visitors.
Many people have the mistaken belief that if they are a small organization, such as a new business or a non-profit, they don’t have to worry about hackers. In fact, most hackers don’t care who you are. Every website is a target, and every website connected to the internet is being scanned and attacked on a daily basis by dozens of hackers. Hacking computers has become a global organized crime racket, and your website is a target.
The most important part of this process, while not necessarily directly related to security, is backups. Backups will not protect your website from attacks, and if your backup system is insecure they may actually increase your risk of compromise. What backups will do is significantly reduce your cost of recovery from an attack. Even the strongest and most comprehensive security policies sometimes fail to prevent attacks, and so backups are the most important piece of the puzzle.
The second most critical aspect of improving WordPress security is to keep your core WordPress software and all of your plugins updated every day. This might seem like a hassle, but malware programmers move quickly when they learn of new exploits. In very rare cases you might have issues due to upgrading your plugins but that is easy to recover from because you have backups, right?
We published a short guide on Updates and Backups that you can refer to for more detailed instructions.
Responsible Plugin Management
Because the majority of attacks happen through vulnerable plugins you need to ensure that you are only using plugins which are being actively developed. They should be listed as compatible with the most recent version of WordPress, and if they require a license to keep them updated then you should have an active license. Deactivate or delete old plugins that you aren’t using anymore, or that you can’t update anymore.
Odds are your passwords are not good enough. In my 20-year career I’ve worked with a lot of people, and most of you have weak passwords. For your WordPress administrator account your password should be a minimum of 64 random characters. Some mathematicians will tell you that is overkill, and they would be right, but in a few years it won’t be, so unless you want to frequently change your password as computers get more powerful, start at overkill.
Your password needs to be completely unique. You should not re-use the same password anywhere.
In this day and age a password manager is an essential tool for managing passwords. You should be using a password manager; we recommend KeePass or one of its cross-platform variants. We discourage the use of “online” password managers because they are honeypots for hackers, and there have been a quarter dozen compromises in recent years alone. I published a comprehensive guide on strong password habits which you can read at https://strongpass.us.
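As an added illustration (this is not code from the original post), here is a small POSIX shell script that generates a password of the recommended 64 random characters from the kernel's random source and estimates its strength in bits. The symbol alphabet is this example's choice, not a WordPress requirement; widen or narrow it to whatever your password manager and login form accept.

```shell
#!/bin/sh
# Added example, not part of the original post: 64-character random password generation.
# Characters are drawn from /dev/urandom (never from $RANDOM or the clock).
# ALPHABET is an assumption of this example; the '-' is placed last so tr reads it literally.
ALPHABET='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&*+,./:;=?@^_~-'

# Number of distinct symbols in ALPHABET (81 for the alphabet above).
alphabet_size() {
    echo $(( $(printf '%s' "$ALPHABET" | wc -c) ))
}

# Print LEN (default 64) characters chosen uniformly from ALPHABET.
# tr -dc discards every random byte that is not in the alphabet; head stops once LEN survive.
gen_password() {
    len="${1:-64}"
    LC_ALL=C tr -dc "$ALPHABET" < /dev/urandom | head -c "$len"
}

# Strength of a LEN-character password over ALPHABET in whole bits: floor(LEN * log2(size)).
entropy_bits() {
    len="${1:-64}"
    awk -v n="$len" -v s="$(alphabet_size)" 'BEGIN { printf "%d\n", int(n * log(s) / log(2)) }'
}

# Stand-alone use: print one password and its strength.
pw=$(gen_password 64)
printf 'password: %s\nentropy : %s bits\n' "$pw" "$(entropy_bits 64)"
```

With 81 symbols, 64 characters give roughly 405 bits, which is why the text can call the length overkill: a 12-character password from the same alphabet is already around 76 bits. The point of the script is the source of randomness and the uniqueness per site, not the exact alphabet.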
Custom Administrator Username
As long as you are using only very strong passwords, this tip is a minor one. To reduce the odds that a brute-force attack succeeds, your administrator accounts should never be named “Administrator” or “Webmaster” or “Admin” or anything similarly obvious. We want to emphasize that strong passwords are more important than custom usernames, and must come first.
This subject is a bit advanced for most users, but it remains an essential piece of a comprehensive security plan. You have to ensure your website files have the appropriate permission settings. Your wp-config.php file holds your database credentials and should not be readable by anyone other than your web server: that is the only ‘user’ who needs access to it. If you create backups of this file, ensure that they are equally well protected.
An especially strong permission guideline for the other files in your website directory tree is to set ‘660’ for files and ‘770’ for directories. This allows the owner and group members to access them, but nobody else. Note that the web server process must itself be the owner or a member of the group, or it will be locked out along with everyone else, and you may need to add your own user account to the group to work with the files. If setting file permissions is too advanced for you, please E-mail us at firstname.lastname@example.org and we would love to help you.
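The following POSIX shell script is an added example, not code from the original post: it applies the 660/770 scheme to a WordPress tree and then audits the tree for anything still accessible to users outside the owner and group. It assumes the web server runs as the file owner or as a member of the group, and it tightens wp-config.php further to 440 (owner and group read-only), which is this example's choice since the server only ever needs to read that file.

```shell
#!/bin/sh
# Added example, not from the original post: apply the 660/770 scheme described above to a
# WordPress tree and audit it for anything still accessible to "other" users.
# Assumptions: the web server runs as the file owner or as a member of the group, and
# wp-config.php is tightened to 440 (this example's choice; the server only reads it).

# 770 on directories, 660 on regular files, 440 on wp-config.php.
harden_wp_tree() {
    root="$1"
    find "$root" -type d -exec chmod 770 {} +
    find "$root" -type f -exec chmod 660 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 440 "$root/wp-config.php"
    fi
}

# Print every path under ROOT that is readable, writable or executable by "other",
# plus wp-config.php if it is writable by anyone at all. Returns 1 if something was found.
audit_wp_tree() {
    root="$1"
    cfg="$root/wp-config.php"
    flagged=$(
        find "$root" \( -perm -004 -o -perm -002 -o -perm -001 \) -print
        if [ -f "$cfg" ]; then
            find "$cfg" \( -perm -200 -o -perm -020 \) -print
        fi
    )
    flagged=$(printf '%s\n' "$flagged" | sed '/^$/d' | sort -u)
    if [ -n "$flagged" ]; then
        printf '%s\n' "$flagged" | sed 's/^/insecure: /'
        return 1
    fi
    return 0
}

# Stand-alone use: sh wp-perms.sh /path/to/site   (the path is a placeholder for your web root)
if [ -n "${1:-}" ]; then
    harden_wp_tree "$1"
    audit_wp_tree "$1" && echo "ok: nothing under $1 is accessible to other users"
fi
```

Run the audit on its own first; the default 644/755 that most uploads and installers leave behind will be flagged, which shows what the scheme changes. On shared hosting where PHP runs as a different account than your login, apply the scheme only after confirming which account the server uses, or the site will stop serving.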
Optional Advanced Techniques
These techniques are more advanced but they will help you to keep your website secure. If you would like help to implement these techniques please E-mail us at email@example.com.
Passwords stored in the WordPress database are hashed, so even if someone gains access to your database they will have a difficult time cracking the passwords stored within. There is a free plugin available which can significantly increase the strength of the hashing technique. The bcrypt hashing plugin is available on GitHub.
Fail2Ban is a popular security program which runs on your server and monitors server logs for suspicious activity. When it sees evidence of hackers, it automatically bans their IP address. There is a free plugin that allows Fail2Ban to monitor WordPress activity. This method requires that your server have Fail2Ban installed, and if you’re using a low-quality host they might not offer Fail2Ban support. If that’s the case you should consider switching hosting providers. Pride Tech Design offers high quality hosting with an emphasis on security, including Fail2Ban support.
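To make concrete what "sees evidence of hackers" means, here is an added example (not from the original post or from the Fail2Ban project) that runs the counting step a Fail2Ban jail performs over a handful of constructed syslog lines. The message wording ("Authentication failure for <user> from <ip>") and the addresses are assumptions for this example; align the pattern with what your WordPress/Fail2Ban plugin really writes to the log.

```shell
#!/bin/sh
# Added example, not from the original post or the Fail2Ban project: the per-address failure
# count that a Fail2Ban jail applies, run over constructed log lines. The message wording and the
# addresses are assumptions for this example; match the pattern to your plugin's real log output.

# Constructed sample log (not real traffic). 203.0.113.0/24 and 198.51.100.0/24 are
# documentation address ranges, so nothing here refers to a real host.
SAMPLE_LOG='Mar  1 10:00:01 web1 wordpress(example.com)[4242]: Authentication failure for admin from 203.0.113.5
Mar  1 10:00:02 web1 wordpress(example.com)[4242]: Authentication failure for admin from 203.0.113.5
Mar  1 10:00:03 web1 wordpress(example.com)[4242]: Accepted password for editor from 198.51.100.7
Mar  1 10:00:04 web1 wordpress(example.com)[4242]: Authentication failure for webmaster from 203.0.113.5
Mar  1 10:00:05 web1 wordpress(example.com)[4242]: Authentication failure for admin from 198.51.100.7
Mar  1 10:00:06 web1 wordpress(example.com)[4242]: Authentication attempt for unknown user root from 203.0.113.5
Mar  1 10:00:07 web1 wordpress(example.com)[4242]: Authentication failure for admin from 203.0.113.5'

# Failed logins per source address, most frequent first. Output lines: "<count> <ip>".
# Successful logins ("Accepted password ...") are deliberately not counted.
count_failures() {
    printf '%s\n' "$1" | awk '
        /Authentication failure for .* from [0-9.]+$/ ||
        /Authentication attempt for unknown user .* from [0-9.]+$/ { n[$NF]++ }
        END { for (ip in n) printf "%d %s\n", n[ip], ip }
    ' | sort -rn
}

# Addresses that reached MAXRETRY failures: the condition under which a jail configured with
# "maxretry = MAXRETRY" bans them. The default of 5 mirrors Fail2Ban's own default.
offenders() {
    count_failures "$1" | awk -v max="${2:-5}" '$1 >= max { print $2 }'
}

# Stand-alone use: show the tally and who would be banned at the default threshold.
count_failures "$SAMPLE_LOG"
offenders "$SAMPLE_LOG" 5
```

A real jail additionally requires the failures to fall within its `findtime` window before acting, and you should list your own management addresses in `ignoreip` so that a mistyped password does not lock you out of your own site.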
The free plugin WP-Bruiser offers a number of ways to improve the security of your WordPress website. Its primary task is to block bots from submitting account registrations, logins, and comments. It does this without using any “Captchas”, which improves the user experience for your real visitors. WP-Bruiser has a 100% success rate blocking bots, so it’s actually more reliable than any existing Captcha system. When you are configuring the plugin you’ll notice it includes a number of basic security features as well, making it a great lightweight choice to improve the security of your website.
Directory Indexing is what allows a visitor to see a list of files contained in a directory when there is no index.html or index.php file in that directory. Generally this is considered a security risk as you do not want to allow random visitors to browse the file structure of your website.
This is an item that only affects misconfigured Apache-based servers. Unfortunately many low-quality hosting providers, some of whom are often listed as “Top 10” brand names, operate misconfigured Apache servers with directory indexing enabled by default. In these situations you can use .htaccess files to disable indexing.
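As an added example (not code from the original post), the POSIX shell script below first lists the directories of a site where a listing would actually be shown, that is, those with neither index.php nor index.html, and then switches listings off through .htaccess using Apache's `Options -Indexes` directive. It assumes the host honours .htaccess for your site with `AllowOverride Options` (or `All`); where that override is not permitted the directive has no effect and you need the hosting provider to fix the server configuration.

```shell
#!/bin/sh
# Added example, not from the original post: find the directories where Apache would show a
# file listing, and turn listings off via .htaccess.
# Assumptions: .htaccess is honoured with AllowOverride Options (or All) so that
# "Options -Indexes" takes effect; the site path in the usage line is a placeholder.

# Directories under ROOT with neither index.php nor index.html: exactly the places where an
# Apache server with indexing enabled would present visitors with a file listing.
dirs_without_index() {
    find "$1" -type d | while IFS= read -r d; do
        if [ ! -e "$d/index.php" ] && [ ! -e "$d/index.html" ]; then
            printf '%s\n' "$d"
        fi
    done
}

# Return 0 if DIR/.htaccess already contains an Options line that removes Indexes.
indexing_disabled() {
    f="$1/.htaccess"
    [ -f "$f" ] && grep -Eq '^[[:space:]]*Options[[:space:]].*-Indexes' "$f"
}

# Append "Options -Indexes" to DIR/.htaccess unless it is already there.
# Existing rules (WordPress's own rewrite block, for instance) are left untouched.
disable_indexing() {
    dir="$1"
    if indexing_disabled "$dir"; then
        return 0
    fi
    printf '\n# Disable directory listings\nOptions -Indexes\n' >> "$dir/.htaccess"
}

# Stand-alone use: sh no-index.sh /path/to/site   (placeholder path)
if [ -n "${1:-}" ]; then
    echo "directories that would be listed:"
    dirs_without_index "$1"
    disable_indexing "$1" && echo "Options -Indexes is set in $1/.htaccess"
fi
```

An .htaccess at the site root applies to every directory beneath it unless a deeper .htaccess overrides it, so one line at the root normally covers wp-content/uploads and the other index-less directories the first function reports. On Nginx there is no .htaccess; listings are governed by the `autoindex` directive, which is off unless someone turned it on.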
There are a number of well-known security plugins for WordPress. They include a ton of features; however, we consider them the least important method to improve your security. Many of these plugins only support Apache-based websites, and their firewall features simply won’t work on Nginx-based websites. That will hopefully change in time, but for now it’s an important fact. Some of their features, such as changing the login URL, are extreme measures that won’t really improve your website security and can sometimes break your website. If you want to use one of these plugins, you should consult with a professional to configure them for your specific needs. You can E-mail us at firstname.lastname@example.org for help with configuring a security suite on your website.
You can see there are a lot of steps you can take to improve the security of your website. A well-secured WordPress site is extremely difficult to break into and can reliably serve as the main customer portal for your business, non-profit organization, or global enterprise. If you need any further guidance on this subject, please E-mail me at email@example.com and I will be happy to provide you with personal support for your business. You may also want to sign up for one of my WordPress Maintenance Plans.