Whenever I mention WordPress to other developers, most of them roll their eyes and scoff, either at the fact that WordPress is written in PHP or at its reputation for security flaws. I hope this article will help people realize how they can secure their WordPress site and protect themselves and their visitors. I would also like to point out that none of these recommendations are a result of a failure of the WordPress software itself. Most security breaches of WordPress websites are the fault of the site administrator, host, or users, not the WordPress software itself. So I hope that this article can help WordPress administrators realize what they actually need to be doing with their WordPress sites.
1. SSL, SSL, SSL!
I cannot stress this enough: if you are logging into any site over the internet, you had better be browsing over SSL. If you aren’t, your password is sent to that server in plain text, where anyone on the network path can read it. SSL has become much cheaper in the past year (~10/year) and it is a must for all WordPress sites. Even Google is giving sites secured with SSL a boost (yeah, SEO much?). Furthermore, once you have installed an SSL certificate you should set the FORCE_SSL_ADMIN setting in your wp-config.php. See the Administration over SSL article for more details. You can also use the Force SSL plugin or rewrite rules to force all requests to your site to be served over SSL.
2. Secure Password
This one is obvious, but it is also one of the most commonly ignored recommendations for website security. WordPress 3.7 came out with a new password meter that is designed to intelligently identify strong and weak passwords using the zxcvbn script built by Dropbox. Unlike traditional password strength meters, which just check whether you have a little of X and a little of Y, the script that Dropbox built, and WordPress now uses, actually calculates the entropy of your password and the estimated crack time for that password.
We are quickly realizing that passwords aren’t enough though. Many users will keep on coming up with predictable passwords that are easy for a hacker to guess. To counter this, many sites now offer the option of enabling 2 Factor Authentication. 2FA requires you to enter your username and password AND some time sensitive code that is generated by a device (i.e. phone or fob) that you have previously linked to your account. One of the best plugins to enable 2FA for your website is Google Authenticator. Another interesting plugin (which is not 2FA)
4. Login Attempt Limits
Surprisingly, WordPress does not limit the number of failed login attempts out of the box, meaning that a hacker can pound away at your login form trying password after password until they finally get the right one. Fortunately this is an easy fix with several brute-force protection plugins. Also please read up on the WordPress Brute Force Attacks page to learn more about WordPress security.
5. Botnet Attack Prevention
Botnet attacks are a specific type of brute force attack which many plugins don’t prevent. A botnet attack is when thousands of compromised computers each make an attempt on your site individually. Each computer might only make 5 attempts, but if your security system is only blocking repeated attempts based on IP, then you will find yourself with thousands of attempts being made overall on the same login (which is very bad). To protect yourself from botnet attacks, consider installing a plugin like BruteProtect which will detect and prevent botnet attacks on your login form.
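The following must-use plugin is an added example for sections 4 and 5; it is not code from the article or from any of the plugins it mentions. It counts failed logins both per source IP and per username, so a distributed attack that spreads a handful of guesses across thousands of addresses still trips the per-account counter. The limits, window, and the EXAMPLE_ prefix are assumptions; everything else uses core WordPress hooks (authenticate, wp_login_failed, wp_login) and the transients API.

```php
<?php
/**
 * Plugin Name: Example Login Throttle (added example, not from the article)
 * Drop this file into wp-content/mu-plugins/ so it loads on every request,
 * including wp-login.php and xmlrpc.php.
 */

define( 'EXAMPLE_IP_LIMIT', 5 );      // failures allowed per source IP per window (assumption)
define( 'EXAMPLE_USER_LIMIT', 20 );   // failures allowed per username per window, from any IP (assumption)
define( 'EXAMPLE_WINDOW', 15 * MINUTE_IN_SECONDS );

function example_throttle_keys( $username ) {
	// REMOTE_ADDR is the TCP peer. Behind a proxy it is the proxy's address
	// unless the web server itself rewrites it, so the per-user counter is
	// the one that still works in that setup.
	$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
	return array(
		'ip'   => 'example_fail_ip_' . md5( $ip ),
		'user' => 'example_fail_user_' . md5( strtolower( $username ) ),
	);
}

// Priority 30 runs after core's password check (priority 20), so this result
// overrides it: once a counter is over its limit the login is refused even if
// the password is correct, until the window expires.
add_filter( 'authenticate', function ( $user, $username ) {
	if ( '' === $username ) {
		return $user;
	}
	$keys = example_throttle_keys( $username );
	if ( (int) get_transient( $keys['ip'] ) >= EXAMPLE_IP_LIMIT
		|| (int) get_transient( $keys['user'] ) >= EXAMPLE_USER_LIMIT ) {
		// Generic message: do not reveal whether the username exists.
		return new WP_Error( 'too_many_attempts',
			'Too many failed login attempts. Please try again later.' );
	}
	return $user;
}, 30, 2 );

// Every failure (including one refused above) bumps both counters and
// refreshes their expiry, so a lockout lasts as long as the guessing continues.
add_action( 'wp_login_failed', function ( $username ) {
	foreach ( example_throttle_keys( $username ) as $key ) {
		$count = (int) get_transient( $key );
		set_transient( $key, $count + 1, EXAMPLE_WINDOW );
	}
	// Leave a trail for the host's log monitoring.
	error_log( sprintf( 'wp login failed for "%s" from %s', $username,
		isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown' ) );
} );

// A successful login clears the counters for that IP and username.
add_action( 'wp_login', function ( $user_login ) {
	foreach ( example_throttle_keys( $user_login ) as $key ) {
		delete_transient( $key );
	}
} );
```

Transients live in the options table (or the object cache if one is configured), so the counters are shared across all PHP workers of the site; the per-username limit is deliberately higher than the per-IP one so that an attacker cannot trivially lock a legitimate user out by sending a few bad passwords for their account.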
6. Restrict Administration Section Altogether
If you don’t need to access the WordPress administration section from outside of your company’s network, consider blocking all requests from the outside world to /wp-admin/, /wp-login.php, and /xmlrpc.php. For more information on restricting access to the administration section, check out the Brute Force Attacks page on the WordPress Codex.
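As an added example (not from the article), here is the same restriction done in PHP as a must-use plugin, for hosts where you cannot edit the Apache or nginx configuration. It denies the three paths above to any client outside an allowlist of IPv4 networks; the networks are placeholders from the TEST-NET ranges and the EXAMPLE_ names are assumptions. Note the admin-ajax.php exemption: that file lives under /wp-admin/ but is used by logged-out visitors on the public site, so blocking it wholesale breaks themes and plugins.

```php
<?php
/**
 * Plugin Name: Example Admin Allowlist (added example, not from the article)
 * Place in wp-content/mu-plugins/. Web-server rules are the stronger option
 * because they stop the request before PHP runs at all; use this when you
 * cannot change the server config.
 */

define( 'EXAMPLE_ADMIN_NETWORKS', '203.0.113.0/24,198.51.100.7/32' ); // placeholders

// IPv4 CIDR match. IPv6 or malformed addresses fail closed (return false).
function example_ip_in_cidr( $ip, $cidr ) {
	list( $net, $bits ) = array_pad( explode( '/', $cidr, 2 ), 2, '32' );
	$bits     = (int) $bits;
	$ip_long  = ip2long( $ip );
	$net_long = ip2long( $net );
	if ( false === $ip_long || false === $net_long || $bits < 0 || $bits > 32 ) {
		return false;
	}
	if ( 0 === $bits ) {
		return true; // 0.0.0.0/0 matches everything
	}
	$mask = -1 << ( 32 - $bits );
	return ( $ip_long & $mask ) === ( $net_long & $mask );
}

// Which requests are "administrative" for the purpose of this check.
function example_is_protected_request() {
	if ( ! isset( $_SERVER['REQUEST_URI'] ) ) {
		return false; // WP-CLI and cron have no request URI
	}
	$path = parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH );
	if ( ! is_string( $path ) ) {
		return false;
	}
	// Logged-out front-end code calls admin-ajax.php; it must stay reachable.
	if ( 'admin-ajax.php' === substr( $path, -14 ) ) {
		return false;
	}
	return false !== strpos( $path, '/wp-admin/' )
		|| 'wp-login.php' === substr( $path, -12 )
		|| 'xmlrpc.php' === substr( $path, -10 );
}

add_action( 'init', function () {
	if ( ! example_is_protected_request() ) {
		return;
	}
	$client = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
	foreach ( explode( ',', EXAMPLE_ADMIN_NETWORKS ) as $cidr ) {
		if ( example_ip_in_cidr( $client, trim( $cidr ) ) ) {
			return; // inside the company network: allow
		}
	}
	error_log( sprintf( 'blocked admin request from %s to %s', $client, $_SERVER['REQUEST_URI'] ) );
	wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
}, 0 );
```

If the site sits behind a reverse proxy, REMOTE_ADDR is the proxy's address and every client will look "internal"; in that case the allowlist has to be enforced at the proxy itself, or the web server must be configured to restore the real client address before PHP sees it.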
7. Check your plugins and Themes!
Plugins are dangerous. A decent chunk of the plugins on wordpress.org do not implement the recommended security features that WordPress provides, such as nonces, capabilities, meta capabilities, proper escaping, encoding, and data validation. If a plugin doesn’t implement these critical features then it is putting your site at risk and should be avoided. Plugins that haven’t been updated in over 2 years should also be avoided, as they have probably been forgotten by their maintainers and are not keeping up with the latest WordPress coding standards.
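To make the list above concrete, here is an added example (constructed for this article, not taken from any real plugin) of one admin action written the careless way and then the way WordPress expects: a capability check, a nonce check, input validation, escaping at output time, and a prepared statement for direct database access. The option, action, and function names prefixed example_ are made up.

```php
<?php
// --- Insecure version: what a careless plugin often looks like ---------------
// Any logged-in user who can reach admin-post.php, or an administrator tricked
// into submitting a forged form from another site (CSRF), can change the
// option, and the value is echoed back and stored without any escaping.
add_action( 'admin_post_example_save_banner_insecure', function () {
	update_option( 'example_banner_text', $_POST['banner'] );
	echo 'Saved: ' . $_POST['banner'];   // reflected XSS
	exit;
} );

// --- Hardened version ---------------------------------------------------------
// The form that submits to the handler: the nonce field ties the request to
// this user's session and to this specific action.
function example_render_banner_form() {
	?>
	<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
		<input type="hidden" name="action" value="example_save_banner">
		<?php wp_nonce_field( 'example_save_banner', 'example_nonce' ); ?>
		<input type="text" name="banner"
		       value="<?php echo esc_attr( get_option( 'example_banner_text', '' ) ); ?>">
		<?php submit_button( 'Save' ); ?>
	</form>
	<?php
}

add_action( 'admin_post_example_save_banner', function () {
	// 1. Capability: only users who may manage options get past this line.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
	}
	// 2. Nonce: dies unless the request came from our own form.
	check_admin_referer( 'example_save_banner', 'example_nonce' );

	// 3. Validation and sanitisation before the value touches the database.
	$banner = isset( $_POST['banner'] )
		? sanitize_text_field( wp_unslash( $_POST['banner'] ) )
		: '';
	if ( strlen( $banner ) > 200 ) {
		wp_die( 'Banner text too long', '', array( 'response' => 400 ) );
	}
	update_option( 'example_banner_text', $banner );

	// Redirect instead of echoing user input back into the page.
	$back = wp_get_referer() ?: admin_url();
	wp_safe_redirect( add_query_arg( 'example_saved', '1', $back ) );
	exit;
} );

// 4. Escaping happens at output time, with the function matching the context
//    (esc_html for element content, esc_attr for attributes, esc_url for URLs).
function example_banner_html() {
	$text = get_option( 'example_banner_text', '' );
	return '<div class="example-banner">' . esc_html( $text ) . '</div>';
}

// 5. Direct SQL goes through $wpdb->prepare(), never string concatenation.
function example_count_published_posts_by_author( $author_id ) {
	global $wpdb;
	return (int) $wpdb->get_var( $wpdb->prepare(
		"SELECT COUNT(*) FROM {$wpdb->posts} WHERE post_author = %d AND post_status = 'publish'",
		$author_id
	) );
}
```

When reviewing a plugin before installing it, grep its handlers for exactly these calls: an admin_post_, wp_ajax_ or REST callback with no current_user_can() and no nonce or permission_callback is the pattern that turns an installed plugin into an open door.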
8. Be smart about permissions
Don’t give admin rights to just anyone. WordPress has roles for a reason; you should not be giving out admin access to just anyone! Admin privileges give a user access to site settings and the ability to install plugins and themes. It is important to note that admin ability gives them the right to LOCK YOU OUT! It is a rare occasion where I hear a valid reason why a new user should be an admin instead of an editor, so when in doubt, make them an editor.
9. The ‘admin’ username
Security is half about predictability. If you have a user with administrative rights with the username ‘admin’ then you are just giving the hackers a nice head start. Pick something else for your admin username.
10. Disable File Editor
In my personal opinion the file editor that comes with WordPress is the most stupid “feature” ever. The file editor allows any administrator to read and edit plugin and theme files directly from their browser and save them with the click of a button. I really hate this because it means that changes to plugins can be made without syntax checking or a developer verifying that the changes won’t open up a security hole. It also screams White-Screen-Of-Death and causes more headache than it is worth. I would recommend disabling it with the DISALLOW_FILE_EDIT setting. To further increase security I would recommend disabling all plugin and theme file modifications (including installing new plugins and themes), which prevents admin users from installing code onto the web server without an actual user account on the server itself.
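The wp-config.php lines below are an added example covering sections 1 and 10 together; they are not from the article. The two DISALLOW_ constants are core WordPress settings, as is FORCE_SSL_ADMIN. The proxy block is the caveat that bites most people who follow section 1: behind a TLS-terminating load balancer PHP never sees an HTTPS connection, so FORCE_SSL_ADMIN redirects forever unless the forwarded protocol is copied into $_SERVER['HTTPS']. The proxy address is a placeholder.

```php
<?php
// Added example: hardening lines for wp-config.php (not from the article).
// Everything here must sit above the line
//   require_once ABSPATH . 'wp-settings.php';

// --- Section 1: administration over SSL ---------------------------------------
// WordPress decides "is this HTTPS?" from $_SERVER['HTTPS']. When TLS is
// terminated at a proxy that variable is missing, so copy the proxy's
// X-Forwarded-Proto header into it. Trust the header only when the request
// really came from the proxy; otherwise any client could claim to be on HTTPS
// and talk the site out of its redirect.
$example_trusted_proxy = '10.0.0.5';   // placeholder: your load balancer's address
if ( isset( $_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_X_FORWARDED_PROTO'] )
	&& $_SERVER['REMOTE_ADDR'] === $example_trusted_proxy
	&& 'https' === strtolower( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) ) {
	$_SERVER['HTTPS'] = 'on';
}
unset( $example_trusted_proxy );

// Force wp-login.php and every wp-admin page onto HTTPS so the password and
// the authentication cookies are never sent in the clear.
define( 'FORCE_SSL_ADMIN', true );

// --- Section 10: no code changes through the browser --------------------------
// Removes Appearance > Editor and Plugins > Editor for all administrators.
define( 'DISALLOW_FILE_EDIT', true );

// Goes further: no installing or updating plugins, themes or core from the
// dashboard, so new code reaches the server only through a real shell or
// SFTP account. This also switches off automatic background updates, so
// updates must then be applied out of band (e.g. WP-CLI from a cron job).
define( 'DISALLOW_FILE_MODS', true );
```

A quick check after deploying: load the login page over plain http:// and confirm you are redirected to https://, then log in as an administrator and confirm the editor menu entries and the "Add New" plugin button are gone.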