Often you hear the question, “What plugins should I use for WordPress Security?”. It’s a valid question, but I don’t think it’s the best approach if it’s the only question you’re asking, or the only action you’re taking. If you’re leaving the security of your blog to a plugin from a 3rd party alone, you’re doing it wrong!
Risk reduction is the name of the game. A collective set of actions, tools, and processes all helping lower the risk of exploitation.
It’s Everyone’s Responsibility!
It starts with you. Follow these steps and you lower your risk floor significantly (without the use of a lot of plugins!):
1. Keep software updated
This week marked the release of WordPress 3.5.1 which was a maintenance and security release. There is a reason patches are released. Not only for awesome new features, but to fix bugs and security vulnerabilities.
Has your site died on upgrade? Has your plugin author or developer told you not to upgrade because the site will break? These may be signs that a theme or a plugin enabled on the site may not have been developed with the WordPress Coding Standards in mind. It could be a theme/plugin that is deprecated and not compatible with the upgraded version of WordPress. Whatever the case may be, this is not ideal and it may be time to find a suitable replacement. Just ensure you research and review, and ensure the theme or plugin is being actively supported by the author.
Do your homework. Use trusted sources like the official WordPress theme or plugin repositories. If you’re using commercial themes or plugins, ensure to research, and even contact the author asking about their support policies and coding practices.
2. No Soup Kitchen Servers! (As coined by Mr. Tony Perez)
Ever install a dummy WordPress instance for testing? Then you leave it there and it sits for a couple years? Ya, don’t do that. You end up putting every website on the server at risk of cross-contamination.
Attackers will find a weakness and continue to exploit it, they will then infect everything in your shared space. If you don’t clear the vulnerability, you can clean until your finger tips fall off, they will infect it again. This happens because often shared servers allow for the same root account owner to add multiple websites in their hosting area. You infect one, you infect all! If a site is not in use, remove it. At minimum refer back to step one above. 🙂
In all seriousness, you should be segmenting all your websites into their own isolated space, especially when it comes to your development, staging, and production websites. Further, if you have themes/plugins disabled, remove them altogether, no need to have them on the server. Only keep what you need and what’s in active use!
3. Reduce access
Give folks enough access to do their job, nothing more; remove it when they are done! This is the practice of least privilege, and you should be practicing this across any type of information system. This means WordPress, FTP, even your databases, and any other logins. It comes down to proper management and use of roles and capabilities. If the users responsibility is to edit content, why would they need administrative rights? Use an administrator account only when performing administrative tasks like upgrading WordPress, or adding/removing a plugin, a theme or widgets.
Another access control risk website owners face is brute force attacks on their WordPress login page – /wp-admin or /wp-login.php. There are two easy wins here, one would be including two-factor authentication on WordPress admin. Check out the Google Authenticator Plugin if you haven’t already. It works great and if you’re already using Google Authenticator you know it works across a lot of your existing tools and devices.
The other win is limiting the amount of failed login attempts allowed. Recently I demo’d how trivial it is to attack wp-admin by default, and if you’re using poor passwords, the demo displays how quickly you can be hacked. If you disable further attempts after 3-4 failed login attempts on your wp-admin by using something like Limit Login Attempts, you reduce the risk significantly.
4. Pass-phrases over Passwords
Did you know that “password” is still one of the most widely used and active passwords across the internet? If that’s public knowledge, don’t you think attackers know this? They do! Attackers looking to brute force your WordPress admin access, or even your SSH credentials will enumerate using known passwords like this. The most important thing I want you to take away from the password discussion is to be unique!!!
Instead of short passwords, use long pass-phrases like the lyrics to your favorite Notorious BIG song. Use different pass-phrases across your different logins. Another great approach is to not know your passwords at all and let a password management tool like LastPass do the heavy lifting. It stores them securely, and even helps make them for you without you even knowing them.
5. Institute a Backup Schedule
If you don’t have an active backup schedule and solution in place, you’re not right! Countless are times we have been approached to clean a site and we quickly determine the attacker has wiped out crucial data components, or a ton of their theme files. Come to find out when we ask for a backup of the data or files that they don’t have one, and their host doesn’t have one. It’s like it never existed.
It’s your responsibility and right now is as good a time as any to get started. There are various tools on the market like BackupBuddy and VaultPress, even some free ones in the repository. Your host may also have a solution. Whichever you choose is fine, just ensure to make a plan, implement the schedule, and ensure you’re storing your backups off the server (preferably in multiple places).
Beyond that, most of the practices you hear about like removing the “admin” user, removing the WordPress version from the site, or changing your database prefix are not extremely helpful. They are definitely obscure practices that may thwart a script kiddy from doing damage, just don’t fool yourself into thinking it’s an extreme help against modern automated attacks which can scan for specific vulnerabilities in your website or server, or even attack weak passwords. It is indeed about reducing risk so I don’t discount these practices altogether.
Plugin, or Not Plugin, That is the question!
Most of the security plugins that do, or say they do everything under the sun but don’t hit these areas mentioned concern me, and I’d really weigh their value beyond link/traffic bait. In a lot of cases they give a false sense of security with buzz words and OMG tactics.
There are some plugins that have a built-in web application firewall which can prove useful in blocking traffic from malicious addresses, the Sucuri WordPress plugin we include with all our service accounts has one. This approach is particularly useful as it can actively blacklist IP addresses that are classified for performing nefarious activities, on the fly. It also taps into a network with 100’s of 1000’s of known malicious and spammy websites/IP addresses/hostnames which enables us to block this stuff world-wide on all installations of the plugin.
Some of the other plugins out there are more for auditing and tracking down issues that may have occurred which do bring value, but wont be very helpful in proactively reducing risk.
In the end it’s up to you. What I ask is for you to do some research. Do your due diligence and ensure what you’re installing serves a valid security need and not some vague practice with no real value. If you stick to updating, maintaining, limiting access, strong credentials, and backups, you’re putting yourself in a favorable position.
The Quick Close
Sometimes less is more, and with a lot of the plugins out there today, there is a considerable amount of overlap. I do like taking a defense in-depth approach so overlap can be a good thing, just don’t go crazy installing everything under the sun. It’s valuable to understand that the more you add, the more you have to maintain, and more potential vulnerabilities can arise. Keep it simple, kill the noise, and think risk reduction!
There you have it. That’s my soapbox, and I’m sticking to it. What would you add or omit?
We’d love to hear how you approach your WordPress security. We’d also love to hear your recommendations so make sure to leave us a comment below!