7 essential steps for hardening WordPress

WordPress is well known to be a target for hackers, so anything you can do to harden your WordPress site is sensible and should be part of your overall design process. I’ll look at the main areas of potential weakness that should be on your list, and what you can do to add greater levels of security and protection.

The general areas that need attention are shown below, but you may have site-specific security requirements too, so bear this in mind:

  • Access control to the site content
  • Securing WordPress core files
  • Plugin and theme security
  • WordPress vulnerabilities
  • Web server vulnerabilities
  • Secure communications / HTTPS
  • Disaster recovery

Much of the security of WordPress comes down to the same core processes as securing any other digital system, i.e. handling software vulnerabilities, controlling access, securing communications and having a plan if it all goes wrong.

To begin, you should always start with a security strategy plan in mind, based on the types of security issues and their potential resolution. The plan should take into account what the site is used for and by whom. For example, SSL may not be required for visitors if you don’t create user accounts; but you may use third-party adverts, and these are a potential malware vector. So the plan should reflect the level of security that the site requires.

However, some things are fundamental and should always be implemented, for example, good login security for site administrators and contributors.

1) Access control: friend not foe

The first area to look at is setting up how your administration, contributors, and other users can access and modify the site content. This area is fundamental to controlling the security of your site. Some areas are very difficult to secure — insider threats for example. If one of your privileged users decides to turn against you, then this event is difficult to predict and control. However, you can manage insider threats through good monitoring of usage behaviour and pre-empt any issues by removing old accounts, for example.

Insider threats are one thing, but controlling cyber-attacks, such as brute force attacks, is another. There are a number of ways you can control these sorts of attacks where hackers attempt to access your accounts.

Brute force attacks are where a hacker uses an automated program to enter many typical usernames and passwords into your login screen to try to force entry. People have a tendency to use password and username patterns, so these attacks can be very successful. For example, password policies that ask for a capital letter and a number result in many people taking a typical password, such as “password”, and replacing it with “Password1”. Hackers know this and use this type of behaviour against us.

To prevent brute force attacks you should:

  • Use a non-typical username (for example, don’t use “admin” as your username).
  • Use a long password with special characters as well as words and letters; this makes it that much harder for hackers to use brute force attacks.
  • Enable second factor authentication within your WordPress login system. You can use plugins such as the DUO plugin to request a mobile app based code, or an SMS text code, as well as username and password to access the WordPress CMS.

If you don’t like second factor authentication, you can alternatively use a Captcha method such as Math Captcha.
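To see whether the brute force attacks described above are hitting your login screen, you can count failed logins per client in the web server's access log. This is an added example, not part of the original article; the log lines are constructed, the function names and threshold are hypothetical, and it assumes the "combined" log format and stock WordPress login behaviour.

```bash
#!/usr/bin/env bash
# Added example: spot brute-force login attempts in a "combined" format
# access log. Assumption: stock WordPress answers a failed login with 200
# (the form is shown again) and a successful one with a 302 redirect.

# Constructed sample lines (documentation IP ranges, not real traffic).
sample_log() {
  for s in 1 2 3 4 5 6; do
    printf '203.0.113.7 - - [10/May/2015:10:00:0%s +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "-"\n' "$s"
  done
  printf '198.51.100.4 - - [10/May/2015:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"\n'
  printf '198.51.100.4 - - [10/May/2015:10:01:02 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "-"\n'
  printf '192.0.2.9 - - [10/May/2015:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3120 "-" "-"\n'
}

# Read a log on stdin; print "<failed attempts> <client IP>" for every client
# at or above the threshold (hypothetical default: 5), busiest first.
failed_logins() {
  awk -v t="${1:-5}" '
    # Fields: $1 client IP, $6 method, $7 request path, $9 status code.
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php(\?|$)/ && $9 == 200 { n[$1]++ }
    END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
  ' | sort -rn
}

# Demo on the constructed sample: one client made six failed attempts.
sample_log | failed_logins 5
```

The client that logged in successfully (302) and the one that only loaded the form (GET) are not reported.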

2) Securing core WordPress files

There are certain core files that WordPress uses that should have protection applied. These files are involved in the appearance and functionality of your WordPress site. If a hacker gains access to these files, you can kiss your site goodbye. The files are neatly placed together in well-known folder areas, perfect for hackers to find.

To protect these important files from being compromised you should only allow write access on a highly limited, need-to-know basis. You should add password protection to your wp-admin/ folder, which contains many of these important files.

There’s one file in particular, wp-config.php, which tells WordPress where to find your site database. It contains your MySQL username and password as well as your WordPress authentication keys. This file needs to be hardened against attacks, and one way to do this is to move it from its default home (under the public_html folder or www folder) to another folder.

However, the jury is out on the effectiveness of this tactic. Ultimately the best way to protect this and other files is through strong access control and anti-malware actions.
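One way to check and tighten write access on a WordPress tree from the shell, as an added example that is not from the original article. The function names and the demo tree are constructed, and the modes (755 for folders, 644 for files, 600 for wp-config.php) are an assumed baseline that you should adapt to how your host runs PHP.

```bash
#!/usr/bin/env bash
# Added example: audit and tighten write access in a WordPress tree.
# The modes used here are an assumed baseline, not taken from the article.

# Report entries any local account can modify, and a wp-config.php any
# local account can read. Paths are relative to the WordPress root ($1).
audit_wp_perms() (
  cd "$1" || exit 2
  find . ! -type l -perm -0002 -exec printf 'WORLD-WRITABLE %s\n' {} \;
  find . -maxdepth 1 -name wp-config.php -perm -0004 \
    -exec printf 'WORLD-READABLE %s\n' {} \;
)

# Apply the baseline: only the owner can write, and only the owner can
# read the file holding the database password and authentication keys.
harden_wp_perms() (
  cd "$1" || exit 2
  find . -type d -exec chmod 755 {} +
  find . -type f -exec chmod 644 {} +
  # 600 assumes PHP runs as the file owner; if it runs as a separate
  # web server user, 640 with that user's group is needed instead.
  if [ -f wp-config.php ]; then chmod 600 wp-config.php; fi
)

# Build a small constructed tree with two deliberate weaknesses.
make_demo_tree() (
  d=$(mktemp -d) || exit 1
  mkdir -p "$d/wp-content/uploads" "$d/wp-admin"
  printf '<?php // constructed placeholder, no real credentials\n' > "$d/wp-config.php"
  printf '<?php // constructed placeholder\n' > "$d/wp-admin/index.php"
  chmod 755 "$d" "$d/wp-content" "$d/wp-admin"
  chmod 644 "$d/wp-config.php" "$d/wp-admin/index.php"
  chmod 777 "$d/wp-content/uploads"   # weakness: anyone can drop files here
  printf '%s\n' "$d"
)

demo=$(make_demo_tree)
echo "before:"; audit_wp_perms "$demo"
harden_wp_perms "$demo"
echo "after:";  audit_wp_perms "$demo"   # prints nothing once hardened
rm -rf "$demo"
```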

As an alternative to your own security actions, there are a number of WordPress plugins that can help with security of core files and malware threats, including Wordfence and Sucuri’s Security Plugin, the latter also offering help with hardening of core files.

3) Plugin and theme security

Plugins and themes are the perfect vector for malware. Hackers look for vulnerabilities in plugin and theme software and exploit those vulnerabilities to insert many types of malware. Sucuri recently found that hundreds of thousands of sites had been infected with malicious code via an insecure version of the Revslider plugin.

The best way to prevent this type of entry point for hackers is to make sure you use plugins that have at least some pedigree (and were not found on some dodgy-looking Warez site) and, most importantly, to keep your plugins and themes patched and up to date. This won’t stop zero day vulnerabilities, aka exploits using software insecurities that haven’t yet been recognised by the vendor, but it will keep your software as malware free as you can possibly make it.

You should also look at, but not rely entirely on, security plugins to help prevent malware infections, examples being Anti-malware and Brute Force Security or Theme Authenticity Checker, which checks themes for malware infection.

4) WordPress vulnerabilities

WordPress itself can have software vulnerabilities built into new versions, which you often don’t hear about until the hackers have taken advantage of them. You can see an on-going list of WordPress specific security vulnerabilities here.

Like all other software, vulnerabilities are best handled by keeping versions patched. However, the most recent patch was in version 4.2.1, released in April of this year, to fix a zero day vulnerability that allowed an attacker to use JavaScript to perform a cross-site scripting (XSS) attack on a WordPress site.

The vulnerability was inherent in a default plugin (Jetpack) and Theme (Twenty Fifteen) bundled with WordPress. If you installed this new version and utilized the default settings, you were highly vulnerable. Patching wouldn’t have immediately helped this issue of course as it was a zero-day vulnerability, i.e. WordPress weren’t aware of it until after it had been hacked, but they quickly brought out a patch which fixed it.

5) Web server vulnerabilities

Web server security should be applied in a number of areas. Generally you’ll be looking at an Apache webserver, running on Linux. The Apache core files are located here. One of the most important files to protect is .htaccess which should be set to not allow Apache directives to be overridden. How to do this and protect various other aspects of an Apache webserver can be found in this tutorial here.

One of the problems that a lot of sites have is that they run on a shared webserver through a shared web hosting company. In this situation, you should check out the security precautions your web hosting company take to prevent cross-site contamination – they should be using security tools to minimise this.

Again, as with all other aspects of your WordPress site, make sure your webserver software is patched and up to date; patching really is the first step in security.

6) Secure communications / HTTPS

HTTPS is a version of HTTP which uses a protocol called Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to encrypt traffic that is communicated over the Internet. It helps to prevent “Man-in-the-Middle” (MitM) attacks where someone intercepts communication traffic (data). By default you should be accessing your WordPress site as an administrator, or other contributing user, through an HTTPS connection. However, you also need to implement HTTPS across your site if you are in any way likely to gather data from your visitors.

To implement HTTPS across your WordPress site you need to install an SSL or EV (a more secure version of an SSL certificate) digital certificate. Many web hosting companies can help with this and even supply the digital certificates (which will need to be securely issued to your organization – visitors can then see it is issued to your company). Alternatively, you can look at this WordPress tutorial on implementing HTTPS for your WordPress site. Even following tutorials, however, can leave some areas of the site open to attack, and this article explains how to avoid them.

7) Disaster recovery: don’t let a disaster bring you down

If it still all goes wrong and you get infected by malware, your site is hacked, or you have a DoS attack, you need to be able to fix things and get your site back up and running with as little time delay and loss of data as possible.

Contrary to what must seem logical, disaster recovery should be one of the first things you think about and organize.

WordPress is basically split into four areas:

  • The WordPress code (PHP)
  • Theme (PHP)
  • Plugins (PHP)
  • Database content

All four need to be backed up to be able to bring your site back if disaster occurs. Regular backups are a must. Some people like to do them each night, but really it is up to you; things like how regularly your site is updated will determine this.

Backup software is often prescribed by the web hosting company you have your site with, but automatic WordPress backup plugins are also available. If you look in the WordPress plugin directory you will find many examples; you need to research which is the best for your site and database type. Whichever you choose, test out the results before you start using it in earnest.

A final thought

Security is not something you should grudgingly do. It is not an afterthought; it should be part of your general web design process.

Andrew May is a web design and development fanatic and enjoys spending his own personal time blogging and writing articles relating to this industry. He also co-owns a thriving design and development agency Mays Digital which is located in the United Kingdom.