In Part 1 of this series, we covered how easy it is for any novice to set up a self-hosted WordPress site and how quickly security can fall between the cracks. In this blog post, I will share with you what to look for in a web hosting provider, how to secure and harden WordPress, and which often-overlooked items you should watch out for during this process.
With any content management system (CMS), there is a learning curve. If you think back to when you first learned to drive a vehicle, did you just hop in the car and drive with no preparation? Probably not. When you prepared for both the written and driving portion of the test, was the process instantaneous? Or did you have to devote study time to learn state traffic laws and utilize behind-the-wheel time to gain driving experience? What if driving was not a privilege? What if you could just go out, buy a vehicle, and not register it with the state or bother with auto insurance?
Quick and dirty
Let’s create a quick and dirty fairy tale. You can now drink and drive. Here are a few shots of Spirytus Delikatesowy to tide you over. Feel free to swerve, crash, and collide with other vehicles while driving on either side of the road. I'll even allow you to drive at your preferred speed. Does 100mph work for you? No doubt in the above-concocted fairy tale, fatalities will ensue, urban infrastructures will crumble, and anarchy will eventually rule. This situation is pretty much what is happening with WordPress security today, though here the fatalities lie on the digital highway: cross-site scripting (XSS), file inclusion exploits, malware, privilege escalation vulnerabilities, SQL injections, and the like. Each self-hosted WordPress site launched without security is one more website that adds to the Internet's detriment.
It’s time to buckle down on security
For knowledgeable, tech-savvy WordPress administrators, running a self-hosted WordPress site is not rocket science, nor are management and maintenance a minuscule task. This year, more so than previous years, site administrators need to buckle down and take security seriously. For those of us entrenched in securing the Internet, we are often forced to choke down a never-ending stream of hastily assembled WordPress sites that consistently shatter the concept of database security into meaningless shards of insecurity. Whether you are an individual hosting your blog or a company setting up your first WordPress site, securing and hardening your website should top the list.
Knowledge is power
There are plenty of free tutorials and guides available on the web. To get the security ball rolling, here are a few good ones to start with:
- [WpBeginner] The Ultimate WordPress Security Guide – Step by Step (2017)
- [Wordfence] Introduction to WordPress Security
- [Wordfence] How to Protect Yourself from WordPress Security Issues & Threats
- [WPMUDEV] WordPress Security: The Ultimate Guide
- [WPMUDEV] 12 Ways to Secure Your WordPress Site You’ve Probably Overlooked
- [CODEX] Hardening WordPress
- [OWASP] WordPress Security Implementation Guideline (includes Apache, PHP, and MySQL hardening for website administrators)
Secure your workspace first
Sometimes, the user sitting at your keyboard (you) can become your worst enemy. If your workspace (router, PC, laptop, mobile device) is vulnerable to an attack, login credentials will become a viable target for a hacker. Keep operating systems, hardware, applications, and security software updated. This includes checking your router for firmware updates and applying them (when needed). OWASP recommendations:
- Password protect the device
- Use strong passwords
- Keep the OS updated
- Encrypt the storage
- Have an antivirus installed and updated
- Have a firewall installed and configured
- Secure your browser
- Have a malware/spyware scanner installed and perform regular scans and updates
Your WordPress hosting provider plays an extremely crucial role in the security of your website. Though cheap deals at leading providers sound appealing, don't make the mistake of selecting a hosting provider just because the price is right. I once said: "Take the time to find a reputable and reliable hosting service – do your research first. You don't want to end up on a server that can quickly become compromised, is slow to update software, has bad tech support, or has too much down time," and I still recommend this advice today. At one point in time, it took me 18 months of playing musical hosting providers to find an appropriate and secure server for my webs. I finally settled on Lightning Base for my site and WPEngine for client webs. WPMUDEV recommends hosting companies that place emphasis on security. One that:
- Provides daily internal backups
- Supports the latest versions of PHP and MySQL
- Is optimized for running WordPress
- Includes a WordPress optimized firewall
- Has malware scanning and intrusive file detection capabilities
- Offers account isolation if you opt for a shared hosting plan
"Your WordPress database contains every post, every comment and every link you have on your blog. If your database gets erased or corrupted, you stand to lose everything you have written. There are many reasons why this could happen, and not all are things you can control. With a proper backup of your WordPress database and files, you can quickly restore things back to normal." — codex.wordpress.org
Before launching any WordPress site, you should already have an idea of what type of backup process you plan to use. I mainly use UpdraftPlus and BackWPup, but there are plenty of other backup plugins available to choose from at WordPress.org. If you are using WPEngine as your hosting provider, you will not need to install a backup plugin. You can access their backup service via the WP Engine user portal.
Beef up login practices
You can beef up and harden login practices by limiting the number of failed login attempts, forcing all users to use unique and strong passwords, implementing unique login names, enabling two-factor authentication, and monitoring user activity on the site.
Limit login attempts
Whether it is through malicious scripts or web bots, your site will get hit with plenty of failed login attempts. There are some great plugins available to limit the number of times one of the bad boys can attempt to log in to your site. I've used the following plugins with great success:
- Cerber Security: 30,000+ active installs with a 5-star rating. This plugin blocks intruders by IP or subnet.
- WP Limit Login Attempts: 30,000+ active installs with a 4.5-star rating. This plugin provides extra protection with Captcha and is highly proficient for removing bots.
- Limit Login Attempts Reloaded: 20,000+ active installs with a 4.5-star rating. This plugin blocks IP addresses from making further attempts to login after the specified limit of retries is reached. This makes brute-force attacks difficult for an attacker to achieve.
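To show what these plugins do under the hood, here is an added example of a per-IP lockout written as a WordPress must-use plugin. It is not code from any of the plugins named above; the thresholds (5 failures, 15-minute window, 1-hour lockout) and the `example_` names are assumptions chosen for the illustration. It uses the standard `wp_login_failed`, `authenticate` and `wp_login` hooks and the transients API, so it runs on a stock install when dropped into wp-content/mu-plugins/.

```php
<?php
/*
 * Plugin Name: Example Login Lockout
 * Added example (not one of the plugins listed above). Drop this file into
 * wp-content/mu-plugins/ and WordPress loads it automatically.
 */

const EXAMPLE_LOCKOUT_MAX_FAILURES = 5;     // assumed: failures allowed before lockout
const EXAMPLE_LOCKOUT_WINDOW       = 900;   // assumed: seconds over which failures are counted
const EXAMPLE_LOCKOUT_DURATION     = 3600;  // assumed: seconds an IP stays locked out

// Use REMOTE_ADDR only. Trusting X-Forwarded-For blindly would let a client
// pick its own address and dodge the lockout; if you sit behind a reverse
// proxy, have the proxy rewrite REMOTE_ADDR instead.
function example_lockout_client_ip() {
    return isset($_SERVER['REMOTE_ADDR']) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// One transient per source address holds the failure counter and lock expiry.
function example_lockout_key($ip) {
    return 'example_lockout_' . md5($ip);
}

// Count every failed attempt; lock the address once the threshold is reached.
add_action('wp_login_failed', function ($username) {
    $ip   = example_lockout_client_ip();
    $key  = example_lockout_key($ip);
    $data = get_transient($key);
    if (!is_array($data)) {
        $data = array('failures' => 0, 'locked_until' => 0);
    }
    $data['failures']++;
    if ($data['failures'] >= EXAMPLE_LOCKOUT_MAX_FAILURES) {
        $data['locked_until'] = time() + EXAMPLE_LOCKOUT_DURATION;
        // Leave an audit trail in the PHP error log for whoever reviews it.
        error_log(sprintf('example-lockout: %s locked after %d failures (username "%s")',
            $ip, $data['failures'], $username));
    }
    set_transient($key, $data, max(EXAMPLE_LOCKOUT_WINDOW, EXAMPLE_LOCKOUT_DURATION));
});

// Refuse authentication while the address is locked. Priority 30 runs after
// WordPress's own password check (priority 20), and a WP_Error returned here
// overrides any WP_User that check produced, so guesses get no feedback.
add_filter('authenticate', function ($user, $username, $password) {
    $data = get_transient(example_lockout_key(example_lockout_client_ip()));
    if (is_array($data) && $data['locked_until'] > time()) {
        return new WP_Error('example_locked_out',
            'Too many failed login attempts from your address. Try again later.');
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that address.
add_action('wp_login', function ($user_login) {
    delete_transient(example_lockout_key(example_lockout_client_ip()));
});
```

Transients live in the options table (or the object cache if one is configured), so the counters survive across PHP worker processes, which a plain in-memory array would not.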
Good password security is a must-have. Though I’m not overly enthusiastic about using browser-based password managers, using one is far better than reusing passwords across multiple sites. On the flip side, browser-based password managers contain vulnerabilities. Sean Cassidy, CTO of DefenseStorm, recently stated in a blog at NetworkWorld: "browser-based password manager extensions should no longer be used because they are fundamentally risky and have the potential to have all of your credentials stolen without your knowledge by a random malicious website you visit or by malvertising." As an alternative to browser-based password managers, be sure to check out Bruce Schneier's Password Safe solution.
Dadada is a no-no
Trust me. It's no laughing matter that all these mega data breaches over the past few years include a treasure trove of exceptionally weak passwords. Hackers love frequenting this free-for-all playground of easily obtained, valuable company employee logins from third-party data breaches. Who can forget Mark Zuckerberg's insanely simple password, "dadada" (revealed in the LinkedIn database leak)? We all had a good romp-on-the-floor reading about the CEO of one of the biggest social media companies on Earth reusing the same six-character proud-papa password across multiple sites (Twitter, Instagram, and Pinterest). Whichever method you select to secure your passwords, do yourself a favor and make them unique for each site.
Implement two-factor authentication
It is important that you enable two-factor authentication (2FA) for each WordPress site. 2FA adds a second security layer to the user login sequence and verifies your identity. It also makes it harder for hackers to compromise your site. Google Authenticator and Two-factor authentication by miniOrange are easy to configure, and you can read how to install and configure miniOrange at TechRepublic. Below, let's discuss some other often overlooked items.
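The second factor those plugins verify is usually a time-based one-time password (TOTP, RFC 6238), the scheme Google Authenticator implements. The following added example shows the server side of that check; it is not code from Google Authenticator, miniOrange or WordPress, and the `example_` function names are my own. It needs PHP 7 or later and is checked against the RFC 6238 test vector (secret "12345678901234567890", time 59, expected code 94287082 at 8 digits).

```php
<?php
// Added example: a minimal TOTP (RFC 6238) verifier of the kind a 2FA plugin
// runs on the server. Requires PHP 7+ (intdiv, pack('J'), hash_equals).

// Decode a base32 secret (RFC 4648 alphabet), the form an enrollment QR code
// carries and an authenticator app stores.
function example_base32_decode(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) {
            throw new InvalidArgumentException("invalid base32 character: $c");
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {      // drop trailing padding bits
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}

// TOTP = HOTP over the time-step counter: HMAC-SHA1, then dynamic truncation.
function example_totp(string $secret, int $unix_time, int $step = 30, int $digits = 6): string {
    $counter = pack('J', intdiv($unix_time, $step));       // 8-byte big-endian counter
    $hmac    = hash_hmac('sha1', $counter, $secret, true); // 20 raw bytes
    $offset  = ord($hmac[19]) & 0x0f;
    $binary  = ((ord($hmac[$offset]) & 0x7f) << 24)
             | (ord($hmac[$offset + 1]) << 16)
             | (ord($hmac[$offset + 2]) << 8)
             |  ord($hmac[$offset + 3]);
    return str_pad((string) ($binary % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Accept the current step plus one step either side to absorb clock drift, and
// compare in constant time so response timing does not leak partial matches.
function example_verify_totp(string $secret, string $submitted, int $now, int $drift_steps = 1): bool {
    if (!preg_match('/^[0-9]{6}$/', $submitted)) {
        return false;
    }
    for ($i = -$drift_steps; $i <= $drift_steps; $i++) {
        if (hash_equals(example_totp($secret, $now + $i * 30), $submitted)) {
            return true;
        }
    }
    return false;
}

// Self-check against the RFC 6238 test vector when run from the command line.
if (PHP_SAPI === 'cli') {
    $secret = '12345678901234567890';                       // RFC 6238 SHA-1 test secret
    $b32    = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';           // the same secret, base32-encoded
    if (example_totp($secret, 59, 30, 8) !== '94287082'
        || example_base32_decode($b32) !== $secret
        || !example_verify_totp($secret, '287082', 59)      // 6-digit form of the same code
        || example_verify_totp($secret, '287082', 59 + 120) // two steps later: rejected
    ) {
        fwrite(STDERR, "RFC 6238 self-check failed\n");
        exit(1);
    }
    echo "RFC 6238 self-check passed\n";
}
```

A real plugin adds two things this sketch omits: it records the last accepted time step per user so a code cannot be replayed within its window, and it rate-limits verification attempts, since a six-digit code with a three-step window is guessable by brute force without such a limit.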
Use a Virtual Private Network (VPN)
Securing a connection to your WordPress site with a virtual private network (VPN) adds another layer of defense. VPNs are not only for public WiFi and traveling; system administrators use them all the time too.
- Protects users’ sensitive information.
- Increases users’ trust and confidence.
- Makes it difficult for data to be intercepted.
- Eliminates the risk of cyberattacks.
- Google gives ranking benefits for SSL enabled websites.
Keep WordPress updated
All WordPress updates are not created equal. There may be some updates where full disclosure would create an R.S.V.P. for bad actors to respond to the invitation. Such was the case earlier this year when WordPress strongly encouraged website administrators to update WordPress to version 4.7.2. The 4.7.2 security release included the following vulnerability patches:
- The user interface for assigning taxonomy terms in Press This is shown to users who do not have permissions to use it.
- WP_Query is vulnerable to a SQL injection (SQLi) when passing unsafe data.
- A cross-site scripting (XSS) vulnerability was discovered in the posts list table.
Unknown to the minions, there was a fourth vulnerability patch included in the above release (that was not revealed until February 1, 2017). WordPress versions 4.7 and 4.7.1 indeed had an Unauthenticated Privilege Escalation Vulnerability in a REST API Endpoint. This meant an attacker would have the capability to view, edit, delete, and create content on all posts and pages if the WordPress site was left unpatched. Graham Cluley reported at WeLiveSecurity:
"The reason the vulnerability wasn’t made public at the time of WordPress 4.7.2’s release was the very real worry that malicious hackers might race to exploit the flaw, attacking millions of blogs and company websites."
- Secure your workspace.
- Use a secure hosting service.
- Backup. Backup. Backup.
- Beef up login practices: Limit login attempts, secure your accounts with unique and strong passwords (never reuse passwords at any other site), and implement 2FA.
- Use a VPN.
- Use HTTPS only.
- Keep WordPress updated.
- Keep plugins and themes updated and delete all inactive plugins and themes.
- Run the latest version of PHP.
- Change the default admin username and password.
- Always update your WordPress site from secure systems only [no public wifi, etc.]. Use a VPN to add an additional layer of security.
- Check file permissions:
- All directories: 755 or 750
- All files: 644 or 640
- wp-config.php: 600
- Deny the web server from serving any PHP files in the wp-content/uploads directory [.htaccess].
- Move wp-config.php one directory above the root folder.
- Disable XML-RPC.
- Hide the login page.
- Remove WordPress version information.
- Use file auditor/monitor logs to keep track of all user activity and files accessed.
- Add WordPress Security Keys to wp-config.php.
- Disable file editing/PHP exec/error reporting.
- Prevent directory browsing.
- Delete both install.php and readme.html.
- Disable WP_DEBUG on production sites [only use when necessary and set to “false” in wp-config.php when not in use].
- Disable plugin file editing.
- Restrict access to the admin interface. Add server-side password protection to /wp-admin/ by IP [.htaccess].
- Never use FTP! Use ssh/SFTP instead.
- Remove inactive users, and check roles and permissions of current users.
- Scan all files on a regular basis. Wordfence Security and All In One WP Security & Firewall can detect file changes as well as add a multitude of all-in-one security options to harden your site.
- Download themes and plugins from reputable repositories.
- When using custom themes, hire a professional WordPress developer or agency who works from the ground up to secure and harden all theme code.
- Configure a firewall.
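Several items in the checklist above (security keys, file editing, error reporting, WP_DEBUG, HTTPS, core updates) are single constants in wp-config.php. The fragment below is an added example, not text from the WordPress Codex or any project; every `REPLACE-WITH-...` value is a placeholder, and the constants themselves are the standard ones WordPress reads. The lines belong above the "That's all, stop editing!" comment in your wp-config.php.

```php
<?php
// Added example: wp-config.php hardening fragment. Placeholders are marked;
// everything else is a standard WordPress constant.

// Security keys and salts. WordPress uses them to sign auth cookies and nonces;
// paste eight fresh random values from the official generator at
// https://api.wordpress.org/secret-key/1.1/salt/ over the placeholders.
// Changing them later invalidates every existing login session, which is also
// the quickest way to kick out a stolen cookie.
define('AUTH_KEY',         'REPLACE-WITH-UNIQUE-RANDOM-VALUE');
define('SECURE_AUTH_KEY',  'REPLACE-WITH-UNIQUE-RANDOM-VALUE');
define('LOGGED_IN_KEY',    'REPLACE-WITH-UNIQUE-RANDOM-VALUE');
define('NONCE_KEY',        'REPLACE-WITH-UNIQUE-RANDOM-VALUE');
define('AUTH_SALT',        'REPLACE-WITH-UNIQUE-RANDOM-VALUE');
define('SECURE_AUTH_SALT', 'REPLACE-WITH-UNIQUE-RANDOM-VALUE');
define('LOGGED_IN_SALT',   'REPLACE-WITH-UNIQUE-RANDOM-VALUE');
define('NONCE_SALT',       'REPLACE-WITH-UNIQUE-RANDOM-VALUE');

// Remove the theme/plugin editor from the dashboard: a phished or brute-forced
// admin account can no longer write PHP to disk through the browser.
define('DISALLOW_FILE_EDIT', true);
// Stricter variant: also blocks installing/updating plugins and themes from the
// dashboard. Only enable it if you deploy updates some other way (SFTP, WP-CLI).
// define('DISALLOW_FILE_MODS', true);

// Production: never show debug output or PHP errors to visitors. They reveal
// file paths, plugin versions and query fragments that help an attacker.
define('WP_DEBUG', false);
define('WP_DEBUG_DISPLAY', false);
@ini_set('display_errors', '0');

// Serve the login page and dashboard over HTTPS only, so credentials and the
// admin session cookie are never sent in the clear.
define('FORCE_SSL_ADMIN', true);

// Let core install minor (security and maintenance) releases automatically;
// the 4.7.2 release discussed above is exactly the kind you want applied fast.
define('WP_AUTO_UPDATE_CORE', 'minor');

/* That's all, stop editing! Happy blogging. */
```

On the "move wp-config.php one directory above the root" item: WordPress looks for the file in the parent of the install directory automatically when it is absent from the web root (as long as that parent is not itself another WordPress install), so no extra configuration is needed after the move. The uploads-directory PHP block and the /wp-admin/ IP restriction are web-server rules (.htaccess on Apache) rather than PHP, and are not part of this fragment.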
Each time a plugin is updated, be sure to check the changelog. Be aware that plugins and all-in-one security plugin suites are not immune to security exploits or vulnerabilities. As an example: Wordfence version 6.1.7 fixed an XSS vulnerability. Note: Time and date are not listed in the change logs, but you can roughly estimate the time frame by making it a habit to keep track of plugin updates.
We’ve covered quite a bit of territory in this WordPress series. Though the information provided is not exhaustive, it does entail the type of maintenance and security expertise a WordPress site administrator needs. For those who do not have time to run the administrative end of a WordPress site, managed hosting should put you on the right track. WPBeginner.com describes managed hosting as: “a concierge service where all technical aspects of running WordPress is managed by the host . . . This includes security, speed, WordPress updates, daily backups, website uptime, and scalability.” Later next month, I will continue with my "It’s Not Rocket Science" series by delving into MongoDB security. If you would like to comment or add your thoughts on WordPress security, feel free to hit me up on Twitter with the hashtag #TekTripW.
About the Author: Bev Robb is a freelance writer/editor/social media manager and “thought leader” for information security. Previously, she wrote security articles for Dell Powermore and was the Fortscale Security Technology Editor and Publication Manager for Norse Corporation. She can be found on Twitter and LinkedIn. Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.