Improving WordPress Security
WordPress is an awesome and increasingly powerful tool for both launching and maintaining websites, with even more functionality enabled by its several thousand plugins and themes. However, with popularity (at least 75 million sites) comes the attention of the hacking community, both sides (white and black) of which have many reasons to probe and search for security vulnerabilities in the world’s largest content management system (CMS). There are many guides on securing your own WordPress installations, some of which are over 50 pages long, so the following post aims to outline some of the ‘biggest hitters’ which provide the highest levels of security for the time you spend implementing them.
As ever, before making any changes to your WordPress implementation you should do a full backup of the WordPress files and database. Also, if your site is a ‘production’ or ‘live’ site, maybe perform the changes during the time period you receive the least amount of traffic to your site and therefore least impact if something does go wrong.
It’s also worth pointing out that while most of this advice is worded as if you were making these changes on a ‘new’ install of WordPress, they should also work on a site which has been up and running for years. I assume your WordPress installation is up to date (as of writing version 4.2.2), and if it’s not, update it! This is the biggest thing you can do to help secure your site!
- Never Use ‘admin’ Accounts
The administrator account should never be named ‘admin’. This is the first username hackers and bots will use when trying to brute force their way into your site. Use something you’ll remember, but which is hard to guess.
Example: For Cyber Killed the Cat we might have “god-cktc” as our main administrator account.
- Install Akismet (Anti-Spam Plugin)
The world’s most popular WordPress plugin, free for personal or non-commercial use. It checks through your comments for spam-type abuse and allows you to report any it misses to its automatic tool.
- Install Jetpack (Multifunctional Plugin)
This is the primary offering of WordPress.com which offers a large selection of features via its plugin ‘Jetpack’. The ones we’re interested in from a security perspective are:
- Photon – Content Delivery Network (CDN) which cuts down on your bandwidth by using a distributed network.
- Protect – Secures against traditional brute force attacks and distributed brute force attacks.
- Stats – Lets you know how many visits your site gets, and what posts and pages are most popular.
- Monitor – Keeps tabs on your site, and alerts you the moment that downtime is detected.
- Install Backup Tool(s)
Keeping an external copy of your site is very important. Even the most secure setups can be compromised, so you should ensure regular backups are being performed. There are many different ways to back up your site; below are two free tools which we have found useful and which remove the manual steps required:
- WPB2D (Dropbox) – This plugin links to a Dropbox account and can be setup to provide a full backup (database and files) every day, week or month.
- BackWPup (Cloud / Email / FTP) – This expands your options to the top cloud providers (Dropbox, S3, Rackspace) as well as email and FTP. It also backs up both the database and files of your site.
- Install Google Authenticator (Two-Factor Authentication)
This is an absolute must for your administrative account (and all privileged accounts) if you take security seriously. This enables two-factor authentication (2FA) on your WordPress installation and will serve as an excellent extra layer of security for your privileged accounts.
The plugin recommends using the accompanying ‘Google Authenticator’ mobile app to store and use your 2FA code; however, this can present issues if you don’t have your mobile or need to move handsets. I recommend Authy: as a cloud-based 2FA app, it works on whatever platform you need it to and stores your 2FA ‘seeds’ in the cloud.
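Why the ‘seed’ is the thing to protect and back up, as an added example (not code from the plugin or either app): the six-digit code is computed from nothing but the seed and the current time, following RFC 6238 with HMAC-SHA1. The seed below is the RFC’s published test value, and the `verify` helper with its one-step drift window is an assumption about how a server-side check is typically written.

```python
import base64
import hashlib
import hmac
import struct

def totp(seed_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1): the code depends only on seed and time."""
    key = base64.b32decode(seed_b32.replace(" ", "").upper())
    counter = struct.pack(">Q", int(unix_time) // step)  # 30-second time step
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(seed_b32, submitted, unix_time, window=1, step=30):
    """Hypothetical server-side check: accept the current step and
    +/- `window` steps to tolerate clock drift, compared in constant time."""
    return any(
        hmac.compare_digest(totp(seed_b32, unix_time + i * step, step), submitted)
        for i in range(-window, window + 1)
    )

# RFC 6238 test seed (base32 of "12345678901234567890"); never use it for a real account.
SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    code = totp(SEED, 59)
    print("code at t=59:", code)
    print("accepted one step later:", verify(SEED, code, 59 + 30))
    print("accepted three steps later:", verify(SEED, code, 59 + 90))
```

Any device or cloud service holding the seed produces the same codes, which is what makes moving handsets possible and why wherever the seed is stored needs the same protection as the account itself.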
- Enable CloudFlare Protection (SSL / CDN / Anti-DDoS)
This seems very complex, but is actually easier to implement than you think (for the most part). First of all, CloudFlare is a global provider of website protection technologies and content distribution. It’s strategically positioned to provide huge (and I do mean huge) resources to mitigate attacks and protect its customers from both attacks and legitimate traffic spikes. It should be noted there are a couple of WordPress plugins which can help integrate your site with CloudFlare (CloudFlare, Flexible SSL, WordPress HTTPS).
The main services we’re interested in are:
- Content Delivery – Using their hosted CDN minimises both bandwidth costs and also adds a layer of security between your site and prospective bots and hackers.
- Site Wide SSL (Encryption) – CloudFlare provide a free option for adding SSL to your website. Their ‘Flexible SSL’ option encrypts the website traffic between your visitors and CloudFlare’s servers before it is forwarded to your server.
It should be noted that the traffic from their CDN to your server isn’t encrypted until you get your own SSL certificate and then enable ‘Full SSL’. Regardless, this means that you protect your visitors against man-in-the-middle attacks at their end of the connection. It also improves your search engine ratings!
- DDoS / Attack Protection – As a huge amount of the world’s internet traffic is routed via CloudFlare’s data centres, they receive an unprecedented amount of intel about attack types and vectors, and are able to ‘train’ their system to block out and mitigate many of the attacks before they go anywhere near your server. Also, during DDoS-type attacks they can be engaged to sinkhole the attack traffic, enabling your site to remain up.
- Install Easy Updates Manager
This keeps your WordPress site up to date with the latest releases of the core installation, themes and plugins. It allows you to fine-tune which types of updates you want to be automatic and which you just want to be notified about. You should always be careful with automatically installing updates in case they ‘break’ your site. Try different setups and find the balance that works for your site.
- Install Cookie Control
- Install WP-reCAPTCHA
This integrates Google’s ‘reCAPTCHA 2.0’ into your site. Great for detecting bots and automated spammers on your site. You will also need a private and public key from Google.
- Install iThemes Security
This offering from iThemes provides a huge number of configuration changes and settings to harden and monitor the security of your WordPress installation. Below are some of the settings I have successfully used in many WordPress implementations over the years (explanations of each one can be found within the plugin itself):
- Enable Automatic Blacklisting / Lockouts
- 404 Detection
- HackRepair.com Blacklist
- Brute Force Protection
- Hide Login Area
- Enable Malware Scanning (VirusTotal)
- Strong Password Enforcement
- Protect System Files
- Disable Directory Browsing
- Filter Request Methods
- Filter Suspicious Query Strings
- Filter Long URL Strings
- Remove File Writing Permissions
- Disable PHP in Uploads
- Remove WordPress Generator Meta Tag
- Remove the RSD (Really Simple Discovery) Header
- Disable Trackbacks/Pingbacks
- Disable Login Error Messages
- Change WordPress Salts
- Change Database Prefix
(Note: If using CloudFlare to implement SSL on your site, disable iThemes Security first while performing all the configuration, as it can interfere with it. Once SSL is enabled and tested, re-enable the plugin.)
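A way to confirm from the outside that some of the settings above actually took effect, as an added example (not part of iThemes Security): it looks for the markers four of the listed settings are meant to remove. The function name, the sample responses and the mapping from each setting to a visible marker are assumptions made for illustration.

```python
import re

# Each check: (setting it verifies, path to inspect, predicate that is True when hardened)
CHECKS = [
    ("Remove WordPress Generator Meta Tag", "/",
     lambda status, body: not re.search(r'<meta[^>]*name=["\']generator["\']', body, re.I)),
    ("Remove the RSD (Really Simple Discovery) Header", "/",
     lambda status, body: "application/rsd+xml" not in body.lower()),
    ("Disable Trackbacks/Pingbacks", "/",
     lambda status, body: not re.search(r'<link[^>]*rel=["\']pingback["\']', body, re.I)),
    ("Disable Directory Browsing", "/wp-content/uploads/",
     lambda status, body: not (status == 200 and "index of /" in body.lower())),
]

def audit(responses):
    """Return the settings whose markers are still visible.

    `responses` maps a path to (HTTP status, body) fetched from your own site.
    A path missing from the dict is reported as not checked, never as passed.
    """
    findings = []
    for setting, path, hardened in CHECKS:
        if path not in responses:
            findings.append(setting + " (not checked)")
        elif not hardened(*responses[path]):
            findings.append(setting)
    return findings

# Constructed sample responses, not captured from any real site.
BEFORE = {
    "/": (200, '<head><meta name="generator" content="WordPress 4.2.2" />'
               '<link rel="EditURI" type="application/rsd+xml" href="/xmlrpc.php?rsd" />'
               '<link rel="pingback" href="/xmlrpc.php" /></head>'),
    "/wp-content/uploads/": (200, "<title>Index of /wp-content/uploads</title>"),
}
AFTER = {
    "/": (200, "<head><title>My blog</title></head>"),
    "/wp-content/uploads/": (403, "Forbidden"),
}

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(sample) or "no markers found")
```

Run it again after plugin or theme updates, since a new theme can reintroduce tags the plugin previously removed.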
Lastly a few more general tips for keeping your WordPress installation secure:
- Remove unnecessary users from the system.
- Remove unused or outdated plugins and/or themes.
- Check backups to ensure they are functioning correctly.
- Keep a list of what steps you have taken to secure your site, including configuration changes.
- Stay up to date with emerging news to do with WordPress to ensure you’re as secure as possible.
Hopefully you have found this post useful. If you have any tips or questions, please let me know on Twitter!
Note: This was first authored (by myself) for a small blog/project which is now shutdown and I wanted to keep the content.