The more people that use a given piece of software, the more attractive it is as a target for hackers. Google Chrome is a bigger target than Opera. Windows systems are a bigger target for exploits than Apple’s. More popularity = more attention from the wrong kinds of people.
WordPress currently powers over 27% of all websites. That kind of widespread distribution is attractive to hackers. Note that doesn’t mean WordPress is inherently not secure; in fact, there has never been a major exploit of the most updated version of WordPress core. But securing WordPress should still be a top priority for your organization.
WordPress security is a continuum—it’s not an all-or-nothing proposition. And as secure as your site may be, there’s always room for improvement.
This guide will help you advance on the security continuum, regardless of your current level of sophistication. We’ll cover the basics of securely administering and updating WordPress, recommend plugins that can help enhance your security, and help you close the three most often exploited WordPress vulnerabilities.
Read on to make your WordPress site less attractive to hackers, and get more peace of mind for your day-to-day operations.
Securing WordPress 101
The most effective path to a culture of security is when executive leadership themselves embrace such a culture. As with most things, if senior leadership does not understand and prioritize good security practices, the rest of the organization will typically have patchy and inconsistent security. Education, accountability, communication and collaboration from the top to the bottom of the organization, placing security as a key value, will lead to a solid security posture.
The first and simplest weak point in your defenses is the human element. So increasing your WordPress security starts with thinking about security, with making it a priority in your organization. Essentially, it’s ensuring that the people on your team value security, and know how their actions either promote or undermine the rest of your efforts.
Your security is only as strong as your weakest link—and that weakest link might be a password written on a sticky note stuck to someone’s monitor.
These four basic elements can help you build a firm foundation for the rest of your security efforts.
1. Practice Good Password Hygiene. Make sure everyone in the organization knows what a strong password looks like and how to keep it safe. Secure passwords used to mean hard-to-memorize combinations of letters and numbers, but conventional wisdom is moving to passphrases, combinations of actual dictionary words. These phrases can be easier to remember and harder to crack.
Once you have strong passwords, don’t undermine them by sharing them in a Google doc, writing them down, or having multiple people on one account. A password manager like LastPass or 1Password can greatly simplify the process. Additionally, it’s worth considering two-factor authentication for another level of security.
2. Use HTTPS And SFTP. Secure connections aren’t just for banks and hospitals anymore. HTTPS is rapidly becoming mandatory across the internet, backed by heavy hitters like Google, Facebook, and Apple. Pantheon offers free, automated HTTPS for every site on our platform; for other platforms, check out Let’s Encrypt to get secure with minimum of hassle.
It’s important to extend security to your file transfers as well. SFTP and FTPS are both good options to move files securely.
3. Limit Login Page Access. Your WordPress login page is the starting point for many types of attack. You can make it harder for attackers to get through by taking a few simple steps:
Change your admin account name. Many attacks assume the default name, “admin.”
Limit the number of login attempts. Use a plugin like iThemes Better Security to protect against brute-force attacks.
4. Have a Safe Plugin Policy. Plugins are an essential part of customizing your WordPress site, but poorly-coded or outright disreputable plugins can compromise your security. Make sure your team knows how to find reputable plugins—which developers, sites, and peer recommendations your organization can trust. This beginner’s guide can help you build your list of trusted plugins.
My top little known tip for securing WordPress is ‘less is more.’ Go through your plugin list and see how many of them you really need, how many overlap and which ones haven’t been updated in ages. A great deal of vulnerabilities in WordPress come from plugins which are out of date, not updated to the latest version, or have known vulnerabilities. Pare down the number of plugins and you reduce the surface area for attack.
—Chris Teitzel, Founder/CEO, Lockr
Securely Updating WordPress
WordPress core is the most secure part of the CMS, provided you’re running the most recent version. While WordPress is backwards compatible, only the most recent version is fully supported. So it makes sense to install updates in a timely fashion.
WordPress does have an auto-update feature to help with keeping the core current. This functionality works great for some users, but it could be incompatible with your team’s best practices. The background updater requires that your WordPress instance have the permission to write to itself, which is an inherent security risk. Still, it’s reasonable to stick with auto updates unless you:
Manage your own site and have your own version control process.
Implement your own deployment mechanism—for example, if you have multiple servers to update.
You have managed WordPress hosting and feel confident in pushing updates yourself.
If any of the above apply, you should disable auto-updates. If you do so, however, it’s important to create a process for updates that includes version control and controlled deployments.
First, disable file edits. The background auto-updater requires this permission to operate, but since you’re manually updating, you can close this vulnerability. That’s good, because hackers can exploit file editing capabilities to run arbitrary code on your site. Just add this snippet into your wp-config.php to turn it off:
Second, disable updates on test and live. Updates should be done in the development environment, not directly on your live or test sites. This workflow is built into Pantheon. Here’s how we code for it in our default wp-config.php:
// FS writes aren't permitted in test or live, so we should let WordPress know to disable relevant UI
if ( in_array( $_ENV['PANTHEON_ENVIRONMENT'], array( 'test', 'live' ) ) && ! defined( 'DISALLOW_FILE_MODS' ) ) :
define( 'DISALLOW_FILE_MODS', true );
These first two steps set the proper permissions for you to safely build your update process.
Here’s what a simple manual update procedure looks like:
Log in to your WordPress admin in a development environment.
Update core, themes, and plugins as needed.
Quick check to see if everything is functioning normally: If so, commit changes. If not, troubleshoot.
Deploy code to your Test environment, syncing your Live content and settings down to Test.
Test the site thoroughly, making sure your content and configuration is fully functional with the new code. If it looks good, push to Live. If not, sync back to Dev for more troubleshooting.
Of course, doing the above can be a chore, especially if you’re managing more than one site. Building automation that does all of the above, while taking advantage of version control and managed deployments is the best situation. Learn more about this process and check out an example.
Top WordPress Security Plugins
These are some of our favorite plugins for helping you move across the security continuum. From promoting better password hygiene to preventing specific types of exploits, these plugins are all worthy additions to your site.
iThemes Better Security: Features a whole suite of options for hardening your WordPress site. You can protect login attempts, disable file editing, force secure connections, and more.
BulletProof Security: Like iThemes, this plugin features multiple ways to enhance your security. You can set a timer for idle sessions to logout, control cookies, and more.
VaultPress: This plugin hooks into a subscription service for backup, security scans, and expert support.
Login Lockdown: This plugin limits the number of failed login attempts from specific IP addresses. This simple step can help prevent brute-force attacks.
Two-Factor: Add an extra layer of protection to your logins with Two-Factor Authentication; this plugin makes it easy.
Force Strong Passwords: Get rid of the ‘Password1234’s in your organization. This plugin requires anyone with a predetermined level of privileges to set a strong password.
Closing WordPress Coding Vulnerabilities
Now let’s move from secure WordPress administration to secure WordPress development. It’s possible to take every precaution in keeping your site secure, but to introduce vulnerabilities in the code. There are three common types of attacks that rely on insecure code. It’s important to both be aware of these vulnerabilities, and know how to prevent them. If you write any custom code for WordPress or anyone on your team does the same, it’s essential to understand (and prevent) these common attacks.
Cross-Site Scripting (XSS)
XSS attacks are the most common vulnerability, making up nearly half of all vulnerabilities found in a recent study. In an XSS attack, hackers use forms that can accept arbitrary user input as a vehicle to insert malicious code.
Avoid this attack by validating, escaping and sanitizing your data. For detailed instructions, this XSS article is a great resource.
This type of attack also relies on unsanitized data. The attacker attempts to enter SQL commands through an input form on your webpage. These commands can do everything from filling your database with spam to deleting data.
As with XSS attacks, preventing SQL injections is all about proper data hygiene. Your code should check that any data inputted is properly formatted and free of suspicious characters before it’s added to the database. This guide from the WordPress Codex provides a good overview of how to code these security checks.
Cross-Site Request Forgery (CSRF)
This type of attack uses a trusted user’s account to fool your website into accepting malicious code. The attack is possible when a user logs into your website, then navigates away from the site and encounters a forged link. The user clicks the link, which generates a forged request to your site. The user doesn’t know what happened, and your site is fooled into thinking the request came from the user.
WordPress has a built-in function to help stop CSRF attacks called a “nonce,” or “number used once.” The number is an identifier attached to a specific user and session and can be changed at any interval you decide. Any information that looks like it comes from the user, but doesn’t include the nonce, will be rejected.
For detailed information on how to generate and use nonces, consult this guide from CSS-Tricks.
Just getting into the mindset of ‘is what I’m writing secure’ helps a great deal. I think getting into the habit of doing big review tests at certain points during a project or schedule, along with mini-reviews of smaller code commits, helps. If you aren't a solo developer and have a team, then a culture of communication goes right along with that—casual reviews of code from other developers might help things missed. Every developer is going to miss things, so the more eyes the better.
Secure WordPress Hosting
Your WordPress host can be an invaluable partner in keeping your site secure. Too often, though, hosting companies take a hands-off approach, leaving you responsible for every vulnerability (and the cleanup after an attack).
The right host should work with you to move your site up the security continuum. They should promote the best practices and technology that keep data safe, and should be there for you if your site is compromised. Most importantly, they should have just as strong a culture of security as you do.
Here are just a few ways the right host can help keep you secure:
A Secure Development Environment. Is your development workflow promoting good security habits? Pantheon bakes in security best practices with separate dev/test/live environments, making it easy to deploy updates and changes without risking your live site.
DDOS & Intrusion Protection. Your hosting provider is the first line of defense against these types of attacks. Pantheon provides robust network intrusion and DDOS protection to turn back thousands of attempted breaches per day.
Automated Backups. In the rare event that your site is compromised, having a current backup can get your site online again faster and with a minimum of hassle. Pantheon offers the ability to schedule automated backups of your entire site and files.
As hackers become increasingly sophisticated, every website is a target. WordPress security isn’t a “set it and forget it” thing; it takes an ongoing commitment to move your site up the security continuum. Work to establish a culture of security in your organization, use best practices and plugins to harden your site, keep your coding secure, and find a host that is an active partner in your site’s security.
Pantheon is a website management platform with WordPress security built in, from development to testing to ongoing support. Create a free account to see for yourself.