Security in WordPress is taken very seriously, but as with any other system there are potential security issues that may arise if some basic security precautions aren’t taken. This article will introduce you to basic security concepts and serve as an introductory guide to making your WordPress website more secure.
What is Security?
Security is not an absolute, it’s a continuous process and should be managed as such. Security is about risk reduction, not risk elimination, and risk will never be zero. It’s about employing the appropriate security controls that best help address the risks and threats as they pertain to your website.
Moving beyond the theoretical, we take the concepts presented above and provide a list of actions you can take as a website administrator to harden and improve your security posture:
- Limit access: Reduce the number of people who have administrative access to your WordPress site to a minimum. You should also reduce the number of possible entry points to a minimum. You can do this by only installing web applications that you need and use. Remove any unused plugins and themes. This follows the principle of least privilege and provides administrative and logical controls to help preserve confidentiality, availability and integrity.
- Functional Isolation: Your system should be configured to minimize the amount of damage that can be done in the event that it is compromised. Where possible, avoid having a large number of diverse web applications on a single hosting account. Logical separation of applications into separate accounts with their own access will confine a compromise to that one account and reduce damage.
- Backups: Maintain reliable backups. You should occasionally verify the integrity of backups to make sure that you can restore your website if it is damaged. Have a plan to recover your website if it is compromised and document this plan. A good guide can be found at WordPress Backups.
- Stay Up-to-Date: Do your best to stay up-to-date with your WordPress installation, including plugins and themes. You should put an administrative control in place that requires a check, with some frequency, of the status of your site and its extensible components.
- Trusted Sources: Do not get plugins/themes from sources that are not trusted. (Trusted sources include the WordPress.org plugin directory.) Googling for a free version of a premium plugin is a recipe for disaster. Malicious people and organizations distribute what are known as ‘nulled’ plugins and themes: copies of the premium plugin bundled with malicious code that will allow them to hack your site. Do not use nulled plugins on your site.
- Security Updates and News: Security vulnerabilities affect all software, and WordPress is no different. To stay current, we recommend subscribing to the vulnerability database maintained by WPVulnDB.com. You can also stay ahead of the latest trends by following WordPress’s own Security tag.
Below we propose structural changes that provide additional security hardening for your WordPress installation. Each option comes with some disadvantages and problems which you need to be aware of.
Core Directories / Files
The default permission scheme should be:
- Folders – 755
- Files – 644
There are a number of ways to accomplish this change. There are also a number of variations to these permissions that include changing them to be more restrictive. These, however, are the default recommendations. Check with your host before making permissions changes, as they can have adverse effects on the performance and availability of your site.
Avoid having any file or directory set to 777.
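One way to audit a site against the scheme above and then reset it, as an added example that is not part of the original article. The function names and the demo tree are constructed for illustration; entries stricter than 755/644 are deliberately not reported, since the article allows more restrictive variations.

```shell
# Added example: report entries looser than the 755/644 scheme, then reset them.

# Print one "<finding> <path>" line per problem; return 1 if any were found.
audit_wp_perms() {
    root=$1
    findings=$(
        # World-writable entries, 777 included: the case the article says to avoid.
        find "$root" \( -type f -o -type d \) -perm -002 |
            sed 's/^/world-writable /'
        # Directories looser than 755: group write bit set.
        find "$root" -type d -perm -020 ! -perm -002 |
            sed 's/^/dir-looser-than-755 /'
        # Files looser than 644: group write or any execute bit set.
        find "$root" -type f ! -perm -002 \
            \( -perm -020 -o -perm -100 -o -perm -010 -o -perm -001 \) |
            sed 's/^/file-looser-than-644 /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# One way to apply the defaults: 755 on directories, 644 on files.
reset_wp_perms() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# Constructed demo tree with a hypothetical layout, not a real site.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads" "$d/wp-includes"
    : > "$d/wp-config.php"; : > "$d/wp-includes/version.php"
    chmod 755 "$d/wp-content" "$d/wp-includes"
    chmod 777 "$d/wp-content/uploads"
    chmod 644 "$d/wp-includes/version.php"
    chmod 664 "$d/wp-config.php"
    printf '%s\n' "$d"
}

demo=$(make_demo_tree)
audit_wp_perms "$demo" || true   # reports uploads and wp-config.php
reset_wp_perms "$demo"
audit_wp_perms "$demo" && echo "clean after reset"
rm -rf "$demo"
```

Run the audit first and review its output with your host's requirements in mind before applying the reset to a live site.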
A second layer of protection can be added where scripts are generally not intended to be accessed by any user. One way to do that is to block those scripts using mod_rewrite in the .htaccess file. Note: to ensure the code below is not overwritten by WordPress, place it outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file. WordPress can overwrite anything between these tags.
```apache
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# BEGIN WordPress
```
Note: This won’t work well on Multisite, as RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] would prevent the ms-files.php file from generating images. Omitting that line will allow the code to work.
The uploads directory is the one directory that will almost always need to be writable by the web server. It’s where all files are uploaded remotely. You want to prevent PHP execution in this directory; you can do this by placing an .htaccess file at the root of /UPLOADS containing:
```apache
# Kill PHP Execution
<Files ~ "\.ph(?:p?|t|tml)$">
deny from all
</Files>
```
Note: This can break your theme if it requires PHP execution in UPLOADS. If you apply it and the site breaks, remove it and the site will reappear.
If you use a server with .htaccess, you can put this in that file (at the very top) to deny access to wp-config.php to anyone surfing for it:
```apache
<files wp-config.php>
order allow,deny
deny from all
</files>
```
Disable File Editing
It is recommended to disable file editing within the WordPress dashboard. WordPress has a constant, set in the wp-config.php file, that disables this editing. Append the following two lines to the end of your wp-config file:
```php
## Disable Editing in Dashboard
define('DISALLOW_FILE_EDIT', true);
```
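A check that the three file-level steps above are actually in place (include-only rules outside the `# BEGIN WordPress` / `# END WordPress` markers, access denied in uploads, and an active `DISALLOW_FILE_EDIT`), as an added example that is not part of the original article. The function names and the sample tree are constructed, and the standard `wp-content/uploads` location is assumed.

```shell
# Added example: check that the hardening steps above are present in a site tree.

# Prints "outside", "inside" (WordPress can overwrite the rule) or "missing".
rule_placement() {
    [ -f "$1" ] || { echo missing; return; }
    awk '
        /^# BEGIN WordPress/ { inside = 1 }
        /^# END WordPress/   { inside = 0 }
        /^[ \t]*RewriteRule[ \t]+\^wp-admin\/includes\// {
            if (inside) in_n++; else out_n++
        }
        END { print (out_n ? "outside" : (in_n ? "inside" : "missing")) }
    ' "$1"
}

# uploads/.htaccess has a <Files> block that denies access.
uploads_php_blocked() {
    f=$1/wp-content/uploads/.htaccess
    [ -f "$f" ] && grep -qi '<Files' "$f" && grep -qi 'deny from all' "$f"
}

# wp-config.php has an active (not commented-out) DISALLOW_FILE_EDIT = true.
file_edit_disabled() {
    q="['\"]"; s='[[:space:]]*'
    grep -Eqi "^${s}define\(${s}${q}DISALLOW_FILE_EDIT${q}${s},${s}true${s}\)" \
        "$1/wp-config.php" 2>/dev/null
}

check_wp_hardening() {
    root=$1; rc=0
    p=$(rule_placement "$root/.htaccess")
    [ "$p" = outside ] || { echo "FAIL include-only rules: $p"; rc=1; }
    uploads_php_blocked "$root" || { echo "FAIL uploads: PHP not denied"; rc=1; }
    file_edit_disabled "$root" || { echo "FAIL DISALLOW_FILE_EDIT not set"; rc=1; }
    return $rc
}

# Constructed sample tree (not a real site): rule misplaced, define commented out.
make_demo_site() {
    d=$(mktemp -d); mkdir -p "$d/wp-content/uploads"
    printf '%s\n' '# BEGIN WordPress' 'RewriteRule ^wp-admin/includes/ - [F,L]' \
        '# END WordPress' > "$d/.htaccess"
    printf '%s\n' '<Files ~ "\.ph(?:p?|t|tml)$">' 'deny from all' '</Files>' \
        > "$d/wp-content/uploads/.htaccess"
    echo "// define('DISALLOW_FILE_EDIT', true);" > "$d/wp-config.php"
    echo "$d"
}

demo=$(make_demo_site)
check_wp_hardening "$demo" || true; rm -rf "$demo"
```

The sample tree fails two checks on purpose: the rewrite rule sits between the WordPress markers, and the `define` line is commented out.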
Free Online Scanners
Remote scanners look at a website as a user or search engine would.
These can be automated by using plugins as well, examples:
Application scanners look at the files locally on the server. For WordPress, this is achieved by security plugins.
If you’re running a server, you might consider:
Reputation monitors are services provided by established brands like Google, Bing, etc… that have a vested interest in your website displaying unaltered data.
The advantage of these tools is that they are free, they have a vested interest in your site being clean, and they will notify you 24 – 48 hours in advance before blocking your site.
We hope you found this information useful. One of the simplest ways to stay secure is to keep your WordPress website updated and current – including any plugins.
For those of you using themes, some of those plugins might require purchasing to keep them updated to the latest version. Our recommendation is to do so in order to keep your website updated, as themes sometimes do not update or the developer removes that theme from the place you purchased it from.
Town Press Media offers managed WordPress hosting and WordPress Maintenance packages that include backups, updating, security checks and more.
Contact us to discuss your WordPress security options.