While there are certainly sexier parts of WordPress security, the basics will protect your site 99% of the time. This is a very short, practical guide to WordPress Security 101; it is hopefully pragmatic and, while opinionated, doesn't rely on a particular setup. This guide is also suitable for everyone, from a seasoned developer looking for a quick recap of good practices to bloggers and site owners who might be tackling this for the first time.
Users and You
Be it weak passwords or social engineering, within any site the squishy humans are by far the easiest target, so it's right that we start by tightening up your own security. If you have multiple users on your site then you also need to make sure they are following this advice.
Auditing Users
Let's start nice and easy: go to your site's admin area and open the user list. Check each and every user: do they need to be there?
Does the web designer friend you got to help you still need an account?
Does every employee?
What about ex-employees?
Anyone who doesn't currently do direct day-to-day work on the site, consider removing, reallocating their posts to someone else. Deleting users may feel harsh, but it reduces your attack surface (the number of possible ways in).
If you are unsure, drop the user's role to Subscriber; you can always raise the role later if they have a need.
Roles and Capabilities
WordPress has different roles, and each role is a wrapper for a group of capabilities. Capabilities are what WordPress checks to decide whether this person can do an activity. They are granular and not hierarchical. Why is this important? Well, two reasons:
Just because someone has a given role doesn't mean they don't have other capabilities. That innocent-looking subscriber might hold the Subscriber role but may have been granted capabilities reserved for admins.
Because it's the capabilities, not the role, that are checked, we can create new roles with defined capabilities using plugins like Members and User Role Editor.
If you have multiple admin people, consider setting their roles to Editor, then look at creating a specific role for that user or group of users if they have a specific need, limited to the capabilities they actually require.
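Here is an added example (mine, not part of the original post) of what those role plugins do under the hood: a WP-CLI script that lists users whose capabilities go beyond their role, plus a narrow custom role built from Editor. Function names prefixed wpsec101_ and the role name site_editor are my own inventions.

```php
<?php
/**
 * Capability audit: run with  wp eval-file audit-caps.php
 * Reports users holding capabilities their role(s) do not grant,
 * and users with zero or several roles.
 */
function wpsec101_audit_users() {
    $findings = array();
    foreach ( get_users() as $user ) {                    // WP_User objects
        // Capabilities granted by the user's role(s).
        $from_roles = array();
        foreach ( $user->roles as $role_name ) {
            $role = get_role( $role_name );
            if ( $role ) {
                $from_roles += array_filter( $role->capabilities );
            }
        }
        // $user->caps is what is stored on the user itself: role names plus
        // anything granted directly via WP_User::add_cap(). A "subscriber"
        // with manage_options in here is exactly the case the post warns about.
        $direct = array();
        foreach ( $user->caps as $cap => $granted ) {
            if ( $granted && ! wp_roles()->is_role( $cap ) && ! isset( $from_roles[ $cap ] ) ) {
                $direct[] = $cap;
            }
        }
        if ( $direct || count( $user->roles ) !== 1 ) {
            $findings[ $user->user_login ] = array( 'roles' => $user->roles, 'extra_caps' => $direct );
        }
    }
    return $findings;
}

/**
 * A narrow role for the "needs a bit more than Editor" case: everything an
 * Editor can do plus menus/widgets/customizer, instead of handing out Administrator.
 */
function wpsec101_register_site_editor_role() {
    $editor = get_role( 'editor' );
    if ( $editor && ! get_role( 'site_editor' ) ) {
        $caps = $editor->capabilities;
        $caps['edit_theme_options'] = true;               // menus, widgets, customizer
        add_role( 'site_editor', 'Site Editor', $caps );  // stored in the database once
    }
}

foreach ( wpsec101_audit_users() as $login => $f ) {
    printf( "%-20s roles=%s extra_caps=%s\n", $login,
        $f['roles'] ? implode( ',', $f['roles'] ) : '(none)',
        $f['extra_caps'] ? implode( ',', $f['extra_caps'] ) : '(none)' );
}
```

Any login that prints an extra_caps value, or more than one role, is worth a conversation before you decide whether to trim it.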
Passphrases and Password Managers
I know your password is not password123, but do you use the same password on every site? Maybe a handful? Well, when a site gets compromised your password gets leaked, and if I have your email address and your password, getting into your site is very easy.
The rules for passwords are very easy:
- Passwords should be unique
- Passwords should be long, much longer than you imagine.
Wait, what about special characters and all that other stuff? Over the last two decades we have convinced people that df$53^ is somehow more secure than gentlefinishsymbolpersonal, the latter being a passphrase.
The passphrase, even though it's made up of random dictionary words, is significantly harder to crack because of its length; indeed, size really does matter. A passphrase is 4-5 random words strung together. For added security you can add in those special characters, but the important part is length.
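To put numbers on the two examples above (a worked estimate added here, not the author's figures): assume the attacker knows the scheme, so each character of df$53^ is one of the 95 printable ASCII characters and each word of the passphrase is drawn from a 7776-word list (Diceware-sized; an assumption). Entropy in bits is

$$H = L \log_2 N$$

where $L$ is the number of symbols and $N$ is the size of the set each symbol is drawn from:

$$H_{\text{6 chars}} = 6 \log_2 95 \approx 6 \times 6.57 \approx 39.4 \text{ bits}$$

$$H_{\text{4 words}} = 4 \log_2 7776 \approx 4 \times 12.92 \approx 51.7 \text{ bits}, \qquad H_{\text{5 words}} = 5 \log_2 7776 \approx 64.6 \text{ bits}$$

Each extra word adds about 13 bits, a 7776-fold increase in the search space, which is why length beats symbol variety; a few special characters on top only help further.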
However, you are a human, and generating a truly random, unique passphrase for every site is not going to work unless you have some pretty impressive memory skills, so the alternative is a password manager.
A password manager is software that sits on your computer, phone and other devices with an encrypted vault of all your passwords. When you create a new login somewhere, your password manager generates a long, complex password string for you. It then stores that string, and next time you visit you get the password manager to either copy the password out of its vault or prefill it for you.
Password managers come in two types: services, which have centralised vaults, meaning you connect to their service; and self-hosted, where you host the vault and are responsible for it. While there are times you might want to host your own password manager vault (for example, I do with my Bitwarden instances), I would recommend you use a service like 1Password or LastPass.
Two Factor
With the strong password/passphrase sorted, the next step is to enable two-factor authentication, sometimes called multi-factor authentication. Two-factor authentication requests additional verification after you successfully log in by proving you own something. Normally it asks for a code; this code might be sent to your device as, say, a text message, or something on your device such as the Google Authenticator app generates the code, either as a one-time thing or a rotating code every 60s.
There are many two-factor authentication plugins for WordPress, but my recommendation is two-factor, primarily because it has been written by the WordPress security team with the ultimate goal of it going into WordPress itself.
Two-factor authentication plus a strong passphrase/password prevents virtually all brute force attacks.
Updates
UPDATE ALL THE THINGS
I cannot stress this enough: want to stop things getting hacked? Well, after squishy humans it's squishy out-of-date sites. When a vulnerability is discovered, plugin/theme and WordPress core developers roll out fixes in the form of updates. This means people on the latest version are no longer affected by that vulnerability, but the act of releasing an update with a security fix means that now EVERY bad actor knows such a vulnerability exists. Suddenly your site is a target.
Update WordPress Core
There is no excuse not to update WordPress core, even between major versions, including from 4.9 to 5. The wonderful thing about the WordPress ecosystem is that if new features are added that you don't want, then someone will have built a plugin to disable them.
If you have been avoiding updating to WordPress 5 because of Gutenberg, install the Classic Editor plugin.
By default WordPress automatically updates minor releases, and the security team currently backports security fixes as minor releases for virtually every branch of WordPress back to WP 3.7, though this is never guaranteed.
When I tell people to enable automatic updates there is a lot of push back, mostly from people claiming that they are worried it will cause a WSOD (White Screen of Death). The reality is that you are much more likely to have a WSOD on a site without auto-updates, where you are trying to update individual elements, than when keeping everything on the latest version.
Others say they test each release, and that sounds wonderful. Do you? Do you really? Always? If you just answered yes three times then I would strongly recommend you look at acceptance testing as a way to automate that process.
Update WordPress Plugins
For exactly the same reason as WordPress core, your plugins are a huge attack surface and need to be kept up to date. Again, I recommend automatically updating, including where you have eCommerce and premium plugins. This also means that if you have premium plugins you will always need to have a licence to stay up to date, so consider the cost over the lifetime the plugin is on your site, not just the initial purchase.
How to setup automatic updates
This will depend: if you are on an awesome managed host, chances are they will do it for you. If you're not, then you can look at services like ManageWP, MainWP or similar. Otherwise, the Advanced Automatic Updater plugin does a fantastic job. Finally, for the more technical, WP-CLI is my preferred method.
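For the do-it-yourself route, here is an added example (mine, not from the post or any of the plugins above) of a must-use plugin that turns on automatic updates for core, plugins, themes and translations using WordPress's own filters; the plugin path in the exclusion list is a hypothetical placeholder.

```php
<?php
/**
 * Plugin Name: Auto-update everything
 * Save as wp-content/mu-plugins/auto-updates.php. Must-use plugins cannot be
 * deactivated from the admin area, so the policy survives a curious editor.
 */

// Core: minor/security releases are on by default; allow major releases too
// (same effect as define( 'WP_AUTO_UPDATE_CORE', true ) in wp-config.php).
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Plugins: on for everything except a short list you insist on testing by hand.
// $item->plugin is the plugin's main file relative to wp-content/plugins/.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    $test_by_hand = array( 'example-shop/example-shop.php' ); // hypothetical path
    if ( isset( $item->plugin ) && in_array( $item->plugin, $test_by_hand, true ) ) {
        return false;
    }
    return true;
}, 10, 2 );

// Themes (see the child-theme advice below) and translation files: on.
add_filter( 'auto_update_theme', '__return_true' );
add_filter( 'auto_update_translation', '__return_true' );

// Shout in the dashboard if a wp-config.php constant has switched the updater off,
// otherwise the filters above silently do nothing.
add_action( 'admin_notices', function () {
    if ( ( defined( 'AUTOMATIC_UPDATER_DISABLED' ) && AUTOMATIC_UPDATER_DISABLED )
        || ( defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS ) ) {
        echo '<div class="notice notice-error"><p>Automatic updates are disabled by a constant in wp-config.php.</p></div>';
    }
} );
```

The updater itself runs from WP-Cron, so on a site with DISABLE_WP_CRON set you need a real cron job calling something like `wp cron event run --due-now` for any of this to fire.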
Updating Themes
So we were talking about updating all the things, so why not themes? Well, the short answer is yes, update themes, especially commercial ones where you have bundled plugins. Indeed, in such a scenario make sure the plugins can be updated independently of the theme, even if this means you have to buy the plugin as well.
The problem with themes is that people regularly make changes to them, be those style changes or adding things to the functions.php file. This makes them difficult to update because you will lose your changes.
The solution to this is to use a "child theme", which is a theme that inherits everything from the parent theme but has your changes in it. Child themes are pretty easy to build; don't be put off by the term "developer", it is really a case of copy and paste. You can also use a plugin to create your child theme, such as Child Theme Generator; just remember to remove it once you are done.
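This added example (mine, not the post's or the Child Theme Generator plugin's code) does that copy and paste for you from WP-CLI: it creates the two files a child theme needs, a style.css whose Template header names the parent, and a functions.php that loads the parent stylesheet before the child's. The function name is hypothetical.

```php
<?php
/**
 * Create a child theme for the active theme. Run: wp eval-file make-child-theme.php
 * Result: wp-content/themes/<parent>-child/{style.css,functions.php}
 */
function wpsec101_make_child_theme( $parent_slug ) {
    $parent = wp_get_theme( $parent_slug );
    if ( ! $parent->exists() ) {
        return new WP_Error( 'no_parent', "Theme '$parent_slug' is not installed" );
    }
    $slug = $parent_slug . '-child';
    $dir  = trailingslashit( get_theme_root() ) . $slug;
    if ( file_exists( $dir ) ) {
        return new WP_Error( 'exists', "$dir already exists, not overwriting" );
    }
    wp_mkdir_p( $dir );

    // The only header that matters is "Template": it must be the parent's directory name.
    $style = "/*\n"
        . 'Theme Name: ' . $parent->get( 'Name' ) . " Child\n"
        . "Template:   $parent_slug\n"
        . "Version:    1.0.0\n"
        . "*/\n";
    file_put_contents( "$dir/style.css", $style );

    // Parent stylesheet first, child second, so the child's rules win on conflicts.
    $functions = <<<'PHP'
<?php
add_action( 'wp_enqueue_scripts', function () {
    $parent = wp_get_theme( get_template() );
    wp_enqueue_style( 'parent-style', get_template_directory_uri() . '/style.css', array(), $parent->get( 'Version' ) );
    wp_enqueue_style( 'child-style', get_stylesheet_uri(), array( 'parent-style' ), wp_get_theme()->get( 'Version' ) );
} );
PHP;
    file_put_contents( "$dir/functions.php", $functions . "\n" );
    return $slug; // activate with: wp theme activate <slug>
}

// get_template() is the active theme's own slug, or its parent if a child is already active.
$result = wpsec101_make_child_theme( get_template() );
echo is_wp_error( $result ) ? $result->get_error_message() : "Created child theme: $result", "\n";
```

Put your style overrides in the new style.css and any functions.php additions in the new functions.php; the parent theme is then safe to update.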
Once you are in a position where your theme can also be updated, you should consider automatically updating it like WordPress core and plugins.
Monitoring
If we have everything automatically updating, the next thing is to automate checking that it's all working. I recommend three different areas to look at:
Uptime monitoring – This first class of monitoring simply checks whether the server is up and responding with the correct HTTP status code. This doesn't mean the site is working; it just means at least it's loading a page of some sort without the server believing there is an error. Good tools for doing this are Pingdom, Updown.io and StatusCake.
Visual regression testing – this is a fancy term for a tool which takes what the site looked like previously and compares it to what it looks like now. A good tool for this is VisualPing. When setting up a test, remember to select areas of a page that shouldn't change; for example, I test the header and footer of my homepage, my login page and my about page. These pages don't go through radical updates and consequently are good canaries.
Error tracking – if your PHP error log starts filling with errors, it's a good sign something is broken. Tracking this can either be through looking at the logs on the server or using an exception tracking service like Honeybadger or Sentry.io. If you are not technical this one might seem daunting, so before installing or working with an exception service it's important to have a clean error log, otherwise you will be bombarded with errors.
With recent versions of WordPress a new feature has been rolled out called WSOD protection. This is designed to stop your site showing just a white screen and instead provide a notice to users to come back later and a way for admins to get into the admin area to fix issues. This helps reduce the potential risks of automatic updates, as even in the worst case of a WSOD you can still access the site and fix it. If you ever need to roll back a plugin then you can use the WP Rollback plugin.
Once the basics of external monitoring are covered, there are two internal areas where I would recommend you consider monitoring:
File integrity – While this won't protect your site from being hacked, if files are modified, and not by you, it's a good indicator that your site has been hacked. File integrity checkers compare the files in plugins with the known good versions on WordPress.org. There are several checkers out there: one is built into Wordfence, another option is WP Fingerprint.
Site activity monitoring – Keeping a log of what activities have occurred makes debugging incidents much easier. Who logged in, who edited that post, who installed that plugin? Why did Bob log in from China when he was in France? This sort of logging is normally done through a plugin like WP Security Audit or Stream. I like Stream because it has the ability to set up "connectors", small mini plugins that allow me to push the data somewhere else, for example a remote server, allowing me to look at the events not on a potentially compromised machine.
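To show what a file integrity check actually does, here is an added example (mine, not code from the post or from either plugin named) that compares WordPress core against the checksums WordPress.org publishes for the installed version, using core's own get_core_checksums() helper; the wpsec101_ function name is hypothetical.

```php
<?php
/**
 * Verify core files against WordPress.org checksums. Run: wp eval-file verify-core.php
 */
require_once ABSPATH . 'wp-admin/includes/update.php'; // provides get_core_checksums()

function wpsec101_verify_core_files() {
    global $wp_version, $wp_local_package;
    $locale    = ! empty( $wp_local_package ) ? $wp_local_package : 'en_US';
    $checksums = get_core_checksums( $wp_version, $locale ); // array( 'path' => md5 ) or false
    if ( ! $checksums ) {
        return new WP_Error( 'no_checksums', "No checksums published for $wp_version ($locale)" );
    }
    $report = array( 'modified' => array(), 'missing' => array(), 'unexpected' => array() );
    foreach ( $checksums as $file => $md5 ) {
        // wp-content/ (themes, plugins, uploads) legitimately differs from the release; skip it.
        if ( 0 === strpos( $file, 'wp-content/' ) ) {
            continue;
        }
        $path = ABSPATH . $file;
        if ( ! file_exists( $path ) ) {
            $report['missing'][] = $file;
        } elseif ( md5_file( $path ) !== $md5 ) {
            $report['modified'][] = $file;
        }
    }
    // Files in wp-admin/ and wp-includes/ that WordPress.org never shipped: nothing of
    // yours should live there, so anything found is worth a look.
    foreach ( array( 'wp-admin', 'wp-includes' ) as $dir ) {
        $files = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator( ABSPATH . $dir, FilesystemIterator::SKIP_DOTS )
        );
        foreach ( $files as $f ) {
            $rel = str_replace( '\\', '/', substr( $f->getPathname(), strlen( ABSPATH ) ) );
            if ( ! isset( $checksums[ $rel ] ) ) {
                $report['unexpected'][] = $rel;
            }
        }
    }
    return $report;
}

$report = wpsec101_verify_core_files();
if ( is_wp_error( $report ) ) {
    echo $report->get_error_message(), "\n";
} else {
    foreach ( $report as $kind => $files ) {
        printf( "%s: %d\n%s", $kind, count( $files ), $files ? '  ' . implode( "\n  ", $files ) . "\n" : '' );
    }
}
```

A clean site prints zero for all three; WP-CLI's own `wp core verify-checksums` and `wp plugin verify-checksums` do the same job for core and for WordPress.org plugins respectively, so schedule one of them and alert on non-empty output.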
Good Hosting
Trust me…
Good hosting makes a huge difference. Good hosts provide a WAF (web application firewall) and a lot of security protections that you never see or hear about, but they should also provide support. If the worst happens and you do get hacked, your host should help you get back up and running quickly. They should also be able to offer advice, be it on the phone or by email, about security concerns you might have. Where possible look for containerised or VPS-based hosting and avoid shared hosting.
That’s it
WAIT, WHAT… that can't be it! What about WAFs, security plugins, SSL certificates, code reviews, hiding my logins, static site generation, locking IPs, and, and, and…
Clearly there is a lot more to security, especially WordPress security. This is not an exhaustive list, or even a dent in the things you could do; indeed, perhaps not even a comprehensive list of what you should do. However, this will get you 90% of the way there with really simple things:
- Audit Users
- Lock Down users
- Update stuff
- Monitor stuff for when it breaks
- Get good hosting that does a lot of that for you.
Finally, plan: bad stuff is going to happen, so be ready and have a disaster plan. Do you have backups? Have you tested them? If you haven't tested them, you don't have backups, you have prayers! Do you have access to technical contacts