Update 11/3/2017:
Check out our latest WordPress Security Guide for best practices to keep your website protected and learn about vulnerabilities.
Often you hear the question, “What plugins should I use for WordPress security?” It’s a valid question, but I don’t think it’s the best approach if it’s the only question you’re asking, or the only action you’re taking. If you’re leaving the security of your blog to a third-party plugin alone, you’re doing it wrong!
Risk reduction is the name of the game: a collective set of actions, tools, and processes that all help lower the risk of exploitation.
It’s Everyone’s Responsibility!
It starts with you. Follow these steps and you lower your risk floor significantly (without the use of a lot of plugins!):
1. Keep software updated
This week marked the release of WordPress 3.5.1 which was a maintenance and security release. There is a reason patches are released. Not only for awesome new features, but to fix bugs and security vulnerabilities.
Has your site died on upgrade? Has your plugin author or developer told you not to upgrade because the site will break? These may be signs that a theme or a plugin enabled on the site was not developed with the WordPress Coding Standards in mind. It could be a theme or plugin that is deprecated and not compatible with the upgraded version of WordPress. Whatever the case may be, this is not ideal and it may be time to find a suitable replacement. Just be sure to research and review, and confirm the theme or plugin is being actively supported by its author.
Do your homework. Use trusted sources like the official WordPress theme or plugin repositories. If you’re using commercial themes or plugins, do your research, and even contact the author to ask about their support policies and coding practices.
2. No Soup Kitchen Servers! (As coined by Mr. Tony Perez)
Ever install a dummy WordPress instance for testing? Then you leave it there and it sits for a couple years? Ya, don’t do that. You end up putting every website on the server at risk of cross-contamination.
Attackers will find a weakness and continue to exploit it; they will then infect everything in your shared space. If you don’t close the vulnerability, you can clean until your fingertips fall off and they will infect it again. This happens because shared servers often allow the same root account owner to add multiple websites in their hosting area. You infect one, you infect all! If a site is not in use, remove it. At minimum, refer back to step one above. 🙂
In all seriousness, you should be segmenting all your websites into their own isolated space, especially when it comes to your development, staging, and production websites. Further, if you have themes/plugins disabled, remove them altogether, no need to have them on the server. Only keep what you need and what’s in active use!
3. Reduce access
Give folks enough access to do their job, nothing more, and remove it when they are done! This is the practice of least privilege, and you should be practicing it across any type of information system. This means WordPress, FTP, even your databases, and any other logins. It comes down to proper management and use of roles and capabilities. If the user’s responsibility is to edit content, why would they need administrative rights? Use an administrator account only when performing administrative tasks like upgrading WordPress, or adding/removing a plugin, a theme or widgets.
Another access control risk website owners face is brute force attacks on their WordPress login page – /wp-admin or /wp-login.php. There are two easy wins here. One is adding two-factor authentication to the WordPress admin. Check out the Google Authenticator Plugin if you haven’t already. It works great, and if you’re already using Google Authenticator you know it works across a lot of your existing tools and devices.
The other win is limiting the number of failed login attempts allowed. Recently I demo’d how trivial it is to attack wp-admin by default, and if you’re using poor passwords, the demo displays how quickly you can be hacked. If you disable further attempts after 3-4 failed logins on your wp-admin by using something like Limit Login Attempts, you reduce the risk significantly.
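As an added example (not from the original post, and not the Sucuri or Limit Login Attempts plugin code), here is a small Python script that spots the brute-force pattern described above in a web server access log: repeated failed POSTs to /wp-login.php from one address inside a short window. The log lines are constructed with RFC 5737 test addresses, and the 4-attempt threshold mirrors the 3-4 failed logins suggested above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-log sample (not real traffic); RFC 5737 test addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Jan/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Jan/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Jan/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Jan/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
198.51.100.2 - - [25/Jan/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [25/Jan/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
198.51.100.2 - - [25/Jan/2013:10:00:07 +0000] "GET /wp-admin/ HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
192.0.2.9 - - [25/Jan/2013:10:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def is_failed_login(method, path, status):
    # WordPress answers a failed login by re-rendering wp-login.php (HTTP 200);
    # a successful one redirects (HTTP 302) into /wp-admin/, so 200 means failure.
    return method == "POST" and path.split("?")[0] == "/wp-login.php" and status == 200

def find_brute_force(log_text, threshold=4, window_seconds=300):
    """Return {ip: peak_failures} for IPs with >= threshold failed logins
    inside any sliding window of window_seconds (lines assumed chronological)."""
    recent = defaultdict(list)   # ip -> timestamps of failures still in window
    flagged = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue             # skip lines that are not in combined-log format
        if not is_failed_login(m["method"], m["path"], int(m["status"])):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        times = recent[m["ip"]]
        times.append(ts)
        while (ts - times[0]).total_seconds() > window_seconds:
            times.pop(0)         # expire failures older than the window
        if len(times) >= threshold:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(times))
    return flagged

if __name__ == "__main__":
    for ip, n in find_brute_force(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed wp-login.php attempts inside 5 minutes; lock out or block")
```

Only 203.0.113.7 is flagged: the 302 from 198.51.100.2 is a successful login, and the two failures from 192.0.2.9 are half an hour apart, outside the window.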
4. Pass-phrases over Passwords
Did you know that “password” is still one of the most widely used and active passwords across the internet? If that’s public knowledge, don’t you think attackers know this? They do! Attackers looking to brute force your WordPress admin access, or even your SSH credentials will enumerate using known passwords like this. The most important thing I want you to take away from the password discussion is to be unique!!!
Instead of short passwords, use long pass-phrases like the lyrics to your favorite Notorious BIG song. Use different pass-phrases across your different logins. Another great approach is to not know your passwords at all and let a password management tool like LastPass do the heavy lifting. It stores them securely, and even helps make them for you without you even knowing them.
5. Institute a Backup Schedule
If you don’t have an active backup schedule and solution in place, you’re not right! Countless are the times we have been approached to clean a site and quickly determine the attacker has wiped out crucial data components, or a ton of theme files. Come to find out, when we ask for a backup of the data or files, that they don’t have one, and their host doesn’t have one. It’s like it never existed.
It’s your responsibility, and right now is as good a time as any to get started. There are various tools on the market like BackupBuddy and VaultPress, even some free ones in the repository. Your host may also have a solution. Whichever you choose is fine; just make a plan, implement the schedule, and ensure you’re storing your backups off the server (preferably in multiple places).
Beyond that, most of the practices you hear about like removing the “admin” user, removing the WordPress version from the site, or changing your database prefix are not extremely helpful. They are definitely obscurity practices that may thwart a script kiddie from doing damage; just don’t fool yourself into thinking they are an extreme help against modern automated attacks, which can scan for specific vulnerabilities in your website or server, or even attack weak passwords. It is indeed about reducing risk, so I don’t discount these practices altogether.
Plugin, or Not Plugin, That is the question!
Most of the security plugins that do, or claim to do, everything under the sun but don’t hit the areas mentioned above concern me, and I’d really weigh their value beyond link/traffic bait. In a lot of cases they give a false sense of security with buzzwords and OMG tactics.
There are some plugins that have a built-in web application firewall, which can prove useful in blocking traffic from malicious addresses; the Sucuri WordPress plugin we include with all our service accounts has one. This approach is particularly useful as it can actively blacklist, on the fly, IP addresses that are classified as performing nefarious activities. It also taps into a network of hundreds of thousands of known malicious and spammy websites/IP addresses/hostnames, which enables us to block this stuff worldwide on all installations of the plugin.
Some of the other plugins out there are more for auditing and tracking down issues that may have occurred, which does bring value, but they won’t be very helpful in proactively reducing risk.
In the end it’s up to you. What I ask is for you to do some research. Do your due diligence and ensure what you’re installing serves a valid security need and not some vague practice with no real value. If you stick to updating, maintaining, limiting access, strong credentials, and backups, you’re putting yourself in a favorable position.
The Quick Close
Sometimes less is more, and with a lot of the plugins out there today, there is a considerable amount of overlap. I do like taking a defense in-depth approach so overlap can be a good thing, just don’t go crazy installing everything under the sun. It’s valuable to understand that the more you add, the more you have to maintain, and more potential vulnerabilities can arise. Keep it simple, kill the noise, and think risk reduction!
There you have it. That’s my soapbox, and I’m sticking to it. What would you add or omit?
We’d love to hear how you approach your WordPress security. We’d also love to hear your recommendations so make sure to leave us a comment below!
32 comments
Thanks Dre!
Cheers, Cheo!
What linux admin should do to secure CMS’s like wordpress?
Biggest key in my opinion is segmenting the sites, ensuring each site cannot talk to the other, and minimize execution of code where it shouldn’t..
I didn’t understand what this meant – I have an account on a VPS server with D9Hosting but what do you mean by segmenting?
Hey Dre! Nice article. Don’t forget to mention Sticky Password manager next time 🙂
Hey, thanks for the note. Sticky Password could be a very good tool for a lot of folks!
Am I understanding correctly that Sucuri plugin does not limit the amount of failed login attempts allowed? So the firewall function is a distinct strategy? And thanks for the tips: always appreciated!
Hi Paul, it does indeed if we’re talking about the commercial plugin we include with our service plans.
Thank you for the very useful post! Do you mind my translating your post and putting it on my blog?
Hi there, feel free to translate. Be sure to link back to the original.
The Sucuri WordPress Plugin rocks. I put it on a client site that was recently hacked via brute force (and yes He FINALLY changed his password) so far it has blocked over 200 ip addresses.
Hi, Melanie! Glad to hear it’s of value to you 🙂
Hi Dre
I’m doing most of the above, but security does appear to be a never ending battle.
I’m in the process of introducing a “clients security maintenance fee” so that I can use Sucuri on all my client sites.
Hoping to get something sorted in the next week or so.
Keith, it’s everyone’s responsibility and it is beginning to end.
Best of luck!
Great article, I think the most important thing is regular back-ups. It’s amazing how many people don’t do this. If I’ve learned anything from doing research on WordPress security, it’s that the landscape is always changing and you can never be 100% safe. Making regular backups and storing them offsite in multiple locations is the only real way to be sure you can recover from disaster if it ever strikes.
Great article, just want to add one important aspect of WordPress security: Keep all computers and laptops (that are used to log in on WordPress or that are using FTP) clean and free of malware. I cleaned a lot of infected WordPress sites and most of them were infected (or re-infected) because of malware (trojans) on the PC or laptop. The malware steals the FTP credentials and the next step is an infection.
Thanks for sharing these tips with us. That’s very helpful as we need to harden our site security so much.
I found some more information here too.
http://www.expertvillagemedia.com/harden-the-security-of-your-wordpress-based-website/
Thanks again.
Amit
I have read many articles about security, I appreciate your post
I got one of my WordPress sites hacked and I wonder how easy it is to hack WordPress websites. You have a wonderful post here on 5 steps to reduce risk. Here is another post which I recommend everyone http://createawebsite4free.com/index.php/wordpress-security-tips/
Ever install a dummy WordPress instance for testing. This is exactly what I have done
Great article, just want to add one important aspect of WordPress security: variety themes
Great article. Also I want to point out that it’s important not to install free premium themes on WordPress. Yes, you get tempted, but don’t do it! I did it once on my website http://blivenblogger.dk and the website got hacked or something. So I ended up buying the theme instead 😉
This is what I’ve been looking for. Thank you!
Can you please clarify the comment about the Sucuri WordPress plugin it sounds like you have ( since this post ) come up with a new product the cloudproxy WAF which potentially overlaps a bit. In other words should WordPress site customers be looking at the regular Sucuri service + the cloudproxy WAF which would double the cost per site.
Nicely written…
Thanks for sharing
Ruby
Expert Village Media
Thank you for the very useful post.
These tips are truly helpful in reducing security risks in WordPress. Thanks for sharing such an informative article. Cheers!
VERY GOOD INFORMATION TO KEEP IN MIND. THANKS
I agree