So much misinformation about security has been circulating in the WordPress world that most WordPress users believe that installing one single plugin is enough to protect their sites forever. There are literally thousands of random blog posts from companies trying to push their wares that tell WordPress users how to secure their sites in just five easy steps (with step 5 being to install their plugin). In our world of TL;DR (too long; didn’t read), tweets, and quick emails, some things just take longer to explain than 280 characters allow. If you’ve ever spent any time working in technology, you know there are many different paths that all lead to the same destination. The same is true in security – especially WordPress security. But, fear not! I’m putting this comprehensive guide together for people like you – the agency owner, the everyday food blogger, the editor of the newspaper, and the small business owner… basically every WordPress user. If you stick with me through this guide, you’ll have a good understanding of what security REALLY means, sans all marketing materials (except for maybe a shameless plug – this is my website, for heaven’s sake), and how to truly secure your site.
When it comes to security, there is no silver bullet, no special sauce, no magic spell, no… well, you get the idea. Security is multifaceted – multi-tiered, if you will. That’s how we will approach securing your site. I’ve seen way too many people over the years say, “Well, if you install [insert security plugin name here], then that’s all you need to do.” Most people will do just that and then question why their site got hacked. Again, it’s just not that simple, as you will see. One additional thing that you need to understand before we go further – the most secure website is the one that’s not online. No matter what security measures you have in place, no matter how often you update, if someone wants in and has the knowledge, they will hack your site. But we can make it extremely difficult for them. In this guide, I am assuming that you know some basics. You should know what a web server and a browser are and what their purposes are.
This guide will be an ongoing project – if updates are added, they will be noted. Also, this guide will not promote an individual company nor product.
One more thing before we dive in. All of the “experts” say that I must establish credibility before you, the reader, will take me seriously, so let me introduce myself and explain why I can write this guide and actually know what I’m talking about. My name is Adam. To date, I’ve spent a little over 18 years in the IT world. My first summer internship was to erase and format thousands of old floppy disks in rows and rows of filing cabinets located in an old dingy library basement. Since then, I’ve been a help desk tech, a network administrator, speaker, WordPress developer (still am), e-commerce support tech, business owner (still am), and finally a writer. I hold some certifications, including Security+ and Network+, and I have a bachelor’s degree in information technology. I’ve spoken more than nine times at WordCamps, some of which you can see on WordPress.tv (fair warning – some of those are better than others…). Now, on with the show.
As with anything you build, you should start with a strong foundation. A web server serves as our foundation and, rest assured, not all hosting companies are the same. There are many different web servers available today, and unless you’re setting up your own virtual private server (VPS) you most likely will not be setting up the web server. But the web server plays a very key role in securing your website. If the web server is set up incorrectly, it can and will open your site up to attacks right out of the box. The majority of web servers these days are nginx or Apache, running on one of the many flavors of Linux. There are still Windows-based servers running IIS, but they are few and far between in the WordPress world.
As an example, let’s say you chose a shared host where one web server handles many different WordPress installs, and the web server has no method to jail each WordPress site (meaning to separate each site virtually so that they can’t see each other on the shared host). In this case, it’s super simple for one site to cross-infect another. So even if you took all the time to update, protect, and back up your site, some other person who didn’t spend that time maintaining their site could infect yours at the server level. Say the site https://joescandyshop.com has a vulnerable plugin, the plugin is exploited, and malware is installed on that site. That malware is likely scripted to look for other sites on the server it’s running on, so it scans to see what it has access to. In the process, because of the hosting company’s lack of knowledge, it’s able to infect your site.
When we talk about hosting companies, there are a lot of options. There are companies like Vultr, DigitalOcean, and Amazon from which you can rent your own little server that you configure, manage, and secure yourself. I wouldn’t recommend running your own server unless you absolutely know what you’re doing.
There are other companies that are just general web hosting companies, not specific to anything: they serve static files and provide access to PHP or another web language. Companies like GoDaddy, 1&1, HostGator, SiteGround, and so forth all provide basic web hosting that’s not specific to WordPress. The problem that I have with these companies is that they are not focused on just one industry. This isn’t to say that they don’t do a good job hosting WordPress sites – I know people at all of these companies who are very passionate about WordPress. I just question the shared platform in terms of security.
Then you have companies like WPEngine, SiteGround, KnownHost, GoDaddy and others who offer packages specifically for WordPress. The nice thing about their offerings is that they are focused specifically on hosting WordPress. Most of the time it is on the same platform as their shared hosting, but set up differently. In the case of WPEngine, I’ve been pretty impressed with their setup over the years. KnownHost has popped up on my radar recently as well.
With all of that information, don’t you think a company that focuses directly on WordPress would have a better understanding of how to properly secure a server for WordPress? I certainly do and it’s been my experience that this is exactly the case.
I do want to point out an interesting fact about some web hosting companies that you may run into. Company acquisitions mean that HostGator, BlueHost, A Small Orange, iPage and others are all owned by the same company – Endurance International Group. Likewise, GoDaddy now owns Sucuri, a WordPress security firm.
I have seen so many security tutorials detailing how to harden your site by changing the default username, changing the login URL, changing the database prefix, etc. Well… there’s nothing inherently wrong with doing those, but at this stage of the game I don’t see the point. Even the official WordPress Hardening guide mentions changing the prefix and renaming the administrative account to something other than admin, but note that the official guide only states it “might” help. It’s good to read over this guide, but it’s written more for system administrators.
The first and most important piece of hardening a WordPress installation, for me, is to install a two factor authentication (2FA) plugin. While I don’t want to recommend any particular plugin, there are numerous ones in the WordPress plugin repository.
If you’ve been living under a rock for some time, 2FA simply adds an extra layer of protection to user accounts on your site. Not only must you have the username and password combination, but you also now have to have a one-time-use code to log in. Typically, this is generated by an algorithm in an app on your phone, or sent by SMS text message. Due to security issues with SMS 2FA, I’d recommend other popular methods like Authy, Google Authenticator, and Microsoft Authenticator as opposed to the SMS option.
The problem that 2FA solves is how easy it is to steal usernames and passwords these days. Whether it be a commonly used password obtained from a data breach, a phishing attack, or just a weak password busted by brute force, attackers have a lot of resources to obtain your credentials. 2FA makes those almost a non-issue.
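To show what the "algorithm in an app on your phone" actually does, here is an added example (not code from the original post) of the time-based one-time password algorithm, TOTP (RFC 6238), that authenticator apps implement, including the server-side check with a small clock-skew window. The secret is the RFC's published test secret, not a real one.

```php
<?php
// Added example, not code from the original post: TOTP (RFC 6238) as used
// by authenticator apps. The secret is the RFC's published test secret.

// Authenticator apps are handed the secret as Base32 (RFC 4648 alphabet).
function base32_decode_totp( string $b32 ): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach ( str_split( strtoupper( rtrim( $b32, '=' ) ) ) as $c ) {
        $v = strpos( $alphabet, $c );
        if ( $v === false ) {
            throw new InvalidArgumentException( "invalid Base32 character '$c'" );
        }
        $bits .= str_pad( decbin( $v ), 5, '0', STR_PAD_LEFT );
    }
    $out = '';
    foreach ( str_split( $bits, 8 ) as $byte ) {
        if ( strlen( $byte ) === 8 ) { // a trailing partial byte is padding
            $out .= chr( bindec( $byte ) );
        }
    }
    return $out;
}

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
// "dynamic truncation" picks 4 bytes at an offset taken from the last nibble.
function hotp( string $secret, int $counter, int $digits = 6 ): string {
    $hmac   = hash_hmac( 'sha1', pack( 'J', $counter ), $secret, true );
    $offset = ord( $hmac[19] ) & 0x0f;
    $code   = ( ( ord( $hmac[ $offset ] ) & 0x7f ) << 24 )
            | ( ord( $hmac[ $offset + 1 ] ) << 16 )
            | ( ord( $hmac[ $offset + 2 ] ) << 8 )
            | ord( $hmac[ $offset + 3 ] );
    return str_pad( (string) ( $code % ( 10 ** $digits ) ), $digits, '0', STR_PAD_LEFT );
}

// TOTP: the counter is the number of 30-second steps since the Unix epoch, which
// is why the code changes every 30 seconds and both sides need correct clocks.
function totp( string $secret, int $timestamp, int $step = 30 ): string {
    return hotp( $secret, intdiv( $timestamp, $step ) );
}

// Server-side check: accept the current step and one step either side so a phone
// clock a few seconds off still works, and compare in constant time. A real plugin
// must also remember the last accepted step so a code cannot be replayed.
function totp_verify( string $secret, string $submitted, int $now, int $window = 1 ): bool {
    for ( $i = -$window; $i <= $window; $i++ ) {
        if ( hash_equals( totp( $secret, $now + $i * 30 ), $submitted ) ) {
            return true;
        }
    }
    return false;
}

// Published test vectors (RFC 4226 / RFC 6238): ASCII secret "12345678901234567890".
$secret = base32_decode_totp( 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ' );
assert( $secret === '12345678901234567890' );
assert( hotp( $secret, 0 ) === '755224' );
assert( totp( $secret, 59 ) === '287082' );        // step 1; 6-digit form of the RFC's 94287082
assert( totp_verify( $secret, '287082', 89 ) );    // one step later, still inside the window
assert( ! totp_verify( $secret, '287082', 179 ) ); // four steps later, rejected
```

The check in totp_verify is why a stolen password alone is not enough: the attacker would also need the current secret-derived code, which expires within a minute or so.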
One more note on passwords – even with 2FA, I highly recommend that you use strong passwords with every account. Pretty much every modern website that has functionality for accounts also now requires a secure password. Rather than using the same password for every site (which is a horrible idea anyway), you should seriously consider using a password manager. Again, I don’t want to recommend a particular company or product, but some very common apps are 1Password, LastPass, and BitWarden.
Since WordPress 4.3, strong passwords have been enabled by default. I highly recommend keeping this the default behavior. If you want to read more on the reasons behind this, see this blog post.
I’ve come across numerous WordPress-related sites that write content just to have something on their site, and most of the time the information put forth is misinformation or just plain wrong. For example, one site that I was reading mentioned that having a particular backup plugin installed counted as having a security plugin, and that their site was therefore protected from attacks. While I agree that backups are a key part of a security strategy, a backup plugin alone is not a security solution. Backups are really outside the realm of this guide, but it is important to note that backups are an absolute must.
Some hosting companies provide the backups for you, and others leave it up to the user. In either case, I’d recommend making sure you have solid and reliable backups: check them often, make sure you can restore from them (before you actually have to), and make sure they are not stored on the same server as your website.
In the age of ransomware, if a site does get infected it is possible and probable that the malware would encrypt your backups as well. This is why it’s so important to keep your backups stored on another server or service. Many of the backup plugins today support backing up to Dropbox, Google Drive, etc. Take advantage of that.
A few backup plugins to consider are: iThemes BackupBuddy, Updraft, Duplicator, and VaultPress. Do some research on the plugins and try different ones to see what works best for you and your strategies.
I’d like to think that this has been drilled into everyone’s subconscious by now, but alas… it hasn’t. Just last year I ran across a site that had all updates disabled for both WordPress core and plugins. *gasp* Obviously that needed to change. But you may be asking, or afraid to ask, why must we make sure WordPress is up to date? Why do we need to make sure the WordPress plugins are up to date? Well, let me explain the process.
When a WordPress plugin or even WordPress core is released, there are most likely hundreds if not thousands of changes to the code behind those applications. In the process of developing new features, it’s very probable that bugs and even security vulnerabilities are introduced in the code. Since WordPress and its plugins and themes are open source, anyone can see the code behind it, so people who have good intentions can review the code and help fix bugs and security issues. However, there are also people with bad intentions out there who will review the code and use any security issues for personal gain. That could mean selling that information to a third party, or using it to gain access to a WordPress site. The hope is that the well-intentioned people will get to the issues before the bad ones do.
If these bugs and security issues are reported properly, the developer can address the issue through a patch to their application and then you’re protected. This is why it’s so important to update regularly. If your site is running a vulnerable version of a plugin or theme, you’re much more susceptible to it being used against your site. There are automated bots that scan the Internet looking for these vulnerabilities.
And this topic does not just apply to WordPress, but to pretty much any software ever written. If humans write it, there is always the probability of bugs and vulnerabilities. But having the code open for anyone to review is one of the major benefits of open source projects.
Luckily for us, since WordPress 3.7 we have had automatic core updates, but by default you still have to manually update plugins and themes. However, it is possible to enable automatic plugin updates and it’s fairly easy (see this article from Elegant Themes) – though there are some good reasons not to auto-update themes and plugins, compatibility issues being the biggest.
By updating WordPress core, themes and plugins regularly, you will save yourself a lot of headaches and greatly cut down on your chances of being hacked.
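One way to get the best of both worlds, as an added example rather than code from the original post or the Elegant Themes article: a small must-use plugin that turns on automatic plugin and theme updates everywhere except for a short list of items you want to test first, and logs every background update so you can see what changed. The `example-` slugs are placeholders; the filter and action names are WordPress's own.

```php
<?php
/**
 * Plugin Name: Selective Auto-Updates (added example)
 *
 * Added example, not code from the original post: enable automatic plugin
 * and theme updates site-wide, but keep a short list of items on manual
 * updates because they need a compatibility test first. Save as
 * wp-content/mu-plugins/selective-auto-updates.php ("must-use" plugins load
 * automatically and cannot be deactivated from the dashboard).
 *
 * The slugs below are placeholders; replace them with your own.
 */

// Plugin directory names to leave on manual updates (placeholders).
const EXAMPLE_MANUAL_PLUGINS = [
    'example-page-builder',    // placeholder: has broken layouts on update before
    'example-payment-gateway', // placeholder: test on staging before going live
];

// Theme directory names to leave on manual updates (placeholders).
const EXAMPLE_MANUAL_THEMES = [
    'example-child-theme',
];

// WordPress runs this filter per plugin before each background update.
// $item is the update object from the API; $item->slug is the plugin's directory name.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->slug ) && in_array( $item->slug, EXAMPLE_MANUAL_PLUGINS, true ) ) {
        return false; // keep this one manual
    }
    return true; // everything else updates automatically
}, 10, 2 );

// Same idea for themes; here the directory name is $item->theme.
add_filter( 'auto_update_theme', function ( $update, $item ) {
    if ( isset( $item->theme ) && in_array( $item->theme, EXAMPLE_MANUAL_THEMES, true ) ) {
        return false;
    }
    return true;
}, 10, 2 );

// Core minor (security) releases have been automatic since 3.7; this also opts in
// to major releases. Leave it out if you prefer to test major upgrades first.
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Write a line to the PHP error log for every finished background update so your
// monitoring (or a log watcher) can see what changed and when, and what failed.
add_action( 'automatic_updates_complete', function ( $results ) {
    foreach ( [ 'core', 'plugin', 'theme' ] as $type ) {
        foreach ( $results[ $type ] ?? [] as $r ) {
            if ( is_wp_error( $r->result ) ) {
                $outcome = 'FAILED: ' . $r->result->get_error_message();
            } elseif ( $r->result ) {
                $outcome = 'updated';
            } else {
                $outcome = 'FAILED: unknown error';
            }
            error_log( sprintf( '[auto-update] %s "%s" %s', $type, $r->name, $outcome ) );
        }
    }
} );
```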
Exploits and Zero Day Exploits
Since we’re on the topic of updates, let’s talk about exploits and zero day exploits. An exploit is simply code that takes advantage of a vulnerability in software. Most of the time exploits can be mitigated by upgrading plugins and themes as discussed earlier. There’s an exception though – zero day exploits. Zero day exploits are exploits that cannot be protected against by simply updating, because a vulnerability has been discovered in core, plugins or themes that has yet to be patched. These are harder to protect against.
Protection against zero day exploits is possible but a little more challenging. Certain security plugins might be able to help mitigate these issues using a technique referred to as virtual patching – essentially applying a set of rules that looks specifically for a zero day exploit and blocks it until an actual patch is released.
Another way to prevent zero day exploits is by blocking offending attackers; for example, a plugin that uses a global blacklist to protect sites can block the source of these exploits simply by adding the attacker to the database.
As we talk about WordPress security plugins, it’s important to note that there are two different styles of security plugins – passive and active plugins. What I mean by this is that plugins like iThemes Security are purely passive. This plugin in particular takes a handful of steps to harden a WordPress site but does nothing to actually analyze the traffic as it comes in. In comparison, plugins like Wordfence or tinyShield analyze the incoming (or outgoing) traffic to see if the traffic is malicious or potentially talking with a malicious host.
Passive plugins do things like harden WordPress and offer a malware scanner of sorts, but they do nothing to actively deny attacks in progress. Plugins like iThemes Security and the Sucuri security plugin (not to be confused with their hosted Web Application Firewall) are a couple of examples of passive plugins.
An active security plugin is one that analyzes the traffic that comes into your site. In no uncertain terms, you could classify these plugins as web application firewalls (WAFs). As mentioned before, Sucuri has a hosted product that is a WAF. A WAF will look at the traffic entering your site and determine (based on many different factors that vary from product to product) whether the traffic is malicious or not. It attempts to do this before the request reaches your site, because if a malicious request reaches your site, well, then you have a problem. Wordfence, tinyShield, and ninjaFirewall are examples of proactive security plugins.
I gave a presentation once where I asked the question, do you really need a security plugin for WordPress? The too long; didn’t read answer is “yea, probably so”.
One argument against security plugins on WordPress is the speed and performance of the site. It’s no secret that running plugins that analyze your site’s traffic takes up some server resources. In turn, that takes those resources away from serving your website. Is that a tradeoff you’re willing to make?
My viewpoint, and the reason that I developed tinyShield, is that the more you try to do in a single plugin, the more resources you’ll be taking away from the website you’re trying to protect. I’ve read numerous reports and have heard from several hosting companies that some of the big-name security plugins actually cause more issues than they resolve in the midst of an attack. So, it was my goal to offload the processing power to servers made specifically for that task, and then just return the outcome of that analysis. This functions very much like a cloud-hosted solution, but with an on-site component as well.
So, in short, yes it’s a good idea to have some sort of active security plugin on your site, or some sort of hosted solution like Sucuri. Do your research though, and do some testing as well to see what works best for you, your site and your visitors.
If you’ve looked into WordPress security, you may have run across the term “site scanner”. Again, like all other security plugins on WordPress, there are many to choose from, each one claiming to have the best, fastest, or most effective scanner. In my experience, they all rank about the same.
But the question is, what is a site scanner? A site scanner is essentially just a piece of software that acts much like a virus scanner would on a computer. The software will scan each file on a site and compare that file with a known list of malware.
There are a couple of issues with these scanners, though. First is the fact that they can miss infected files. Hackers use multiple different ways of obfuscating their attacks, and develop new ways of accomplishing the same task. You’re relying on the fact that the scanner you’re using has either seen that kind of infection before or the analysis is good enough to catch new styles of obfuscation.
Secondly, site scanners by nature are 100% reactive to an infected website. They will only notify you if they found an infected file (also known as an indicator of compromise, or IOC). These scanners do nothing to prevent your site from being compromised in the first place.
If you’re building a business of cleaning up compromised WordPress sites, you’ll need a good site scanner (or perhaps even develop your own).
When I spent some time cleaning up infected sites, I had developed a small script library of tools to scan and disinfect compromised sites. Again, it’s still all reactive.
Some would say that monitoring a site is not related to security, while others say that it is. I’m in the camp that says it is. If you don’t know what your site is doing at any given time, you may miss an infection. You may miss people trying to get into your site. You may miss that plugin update that fixed this crazy vulnerability. Do you see my point?
There are again a thousand different ways to monitor your sites. While I don’t have any particular method that I like to use, I will tell you one handy trick that I’ve found to ensure that a site is up and responding to requests: keyword monitoring.
Keyword monitoring is essentially having a service pull down your website and then scan the result for particular keywords. This is super helpful for distinguishing a site that is up and responding correctly from one where the web server is up but is serving random error messages instead of your website.
Again, look at some different options, make sure that whatever solution you go with can do exactly what you need.
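The keyword check described above, written out as an added example (not code from the original post) so you can see why it catches more than a plain "is the server up" ping: it separates a host that does not answer, an HTTP error, a web server that is up but serving WordPress's own error page, and a 200 response that is not your site at all. The URL and keyword are placeholders; the two WordPress error strings are the ones WordPress itself displays.

```php
<?php
// Added example, not code from the original post: a minimal keyword monitor
// that tells "host down" apart from "web server up but WordPress broken".
// URL and keyword are placeholders; pick a string only your real page contains.

// Text WordPress itself emits when the server is up but the site is broken.
const WP_ERROR_MARKERS = [
    'Error establishing a database connection',
    'There has been a critical error on this website',
];

// Fetch the page; returns [body-or-null, HTTP status, curl error string].
function fetch_page( string $url, int $timeout = 10 ): array {
    $ch = curl_init( $url );
    curl_setopt_array( $ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_MAXREDIRS      => 5,
        CURLOPT_TIMEOUT        => $timeout,
        CURLOPT_USERAGENT      => 'keyword-monitor-example/1.0',
    ] );
    $body   = curl_exec( $ch );
    $status = (int) curl_getinfo( $ch, CURLINFO_RESPONSE_CODE );
    $error  = curl_error( $ch );
    curl_close( $ch );
    return [ $body === false ? null : $body, $status, $error ];
}

// Classify a response. Kept separate from fetching so it can be exercised
// offline with constructed bodies (see the bottom of the file).
function classify_response( ?string $body, int $status, string $keyword ): string {
    if ( $body === null ) {
        return 'DOWN: no response from host';
    }
    // WordPress serves these with a 500, so look for them before judging the status.
    foreach ( WP_ERROR_MARKERS as $marker ) {
        if ( stripos( $body, $marker ) !== false ) {
            return "BROKEN: server up but WordPress reports '$marker'";
        }
    }
    if ( $status < 200 || $status >= 400 ) {
        return "DOWN: HTTP $status";
    }
    if ( stripos( $body, $keyword ) === false ) {
        return 'SUSPECT: HTTP 200 but expected keyword missing (defaced, misconfigured or wrong site?)';
    }
    return 'OK';
}

function check_site( string $url, string $keyword ): string {
    [ $body, $status, $error ] = fetch_page( $url );
    if ( $body === null ) {
        return "DOWN: $error";
    }
    return classify_response( $body, $status, $keyword );
}

// Constructed sample responses showing the four states.
assert( classify_response( '<html>Welcome to Example Bakery</html>', 200, 'Example Bakery' ) === 'OK' );
assert( strpos( classify_response( 'Error establishing a database connection', 500, 'Example Bakery' ), 'BROKEN' ) === 0 );
assert( strpos( classify_response( '<html>Index of /</html>', 200, 'Example Bakery' ), 'SUSPECT' ) === 0 );
assert( strpos( classify_response( 'Service Unavailable', 503, 'Example Bakery' ), 'DOWN' ) === 0 );

// Live check against a placeholder URL and keyword (run from cron, alert on anything but OK):
// echo check_site( 'https://example.com/', 'Example Bakery' ), PHP_EOL;
```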
Client Side Security
We’ve talked about server side security, we’ve talked about application security but we haven’t talked about client side security. Client side security is the precautions that you take on the computer that you are using to connect to your WordPress site to manage it. It’s the precautions that you take when connecting to the wireless network at the coffee shop (or, the ones you don’t take). It’s the anti-malware protection that you have on your desktop or laptop (or not).
As I’ve said, security is a multi-tiered solution. It doesn’t just stop at the server. As my friend and fellow security enthusiast Steve Schwartz says, you can be 99% perfect in locking down your WordPress site, but it doesn’t mean anything if an attacker can get your credentials from your infected computer or sniff them out over the air from an insecure wireless network. The good news is that these issues are easy to address.
First, make sure that the wireless network you’re connecting to is a secure network, meaning that you have to put in a password to connect. Most modern operating systems (Windows, OS X, Linux) will warn you if you’re attempting to connect to an unsecured wireless network. If you must use an insecure network, be sure to use a VPN solution that you trust. A couple of decent options are ProtonVPN and Mullvad VPN.
If you control the wireless network that you’re connecting to, make sure that you’re using a complex password for it. It’s becoming super easy to crack weak wireless passwords now. For ideas on complex passwords, take a look at this well-known comic from XKCD: https://xkcd.com/936/. You can also generate wireless passwords from this site, https://xkpasswd.net/s/ (select WiFi to the right).
It should go without saying, but let’s say it anyway – you should be running some sort of anti-malware solution on your laptop/desktop. I’ve always recommended to our IT clients that they pay for a solution instead of going with the free ones.
And lastly, update your machines. Don’t run an unsupported version of Windows. If you’re still on Windows Vista, fix that.
While tech support is outside the scope of this guide, check with your local tech repair shop if you need assistance. There are many qualified businesses that can help you secure your machine.
In closing this document, I hope that you now understand that there is no magic bullet for security. You can throw thousands of dollars at security and still not have a bulletproof site. There is an old adage in the IT world: “the most secure system in the world is the one turned off and sitting in the corner unplugged.”
You can assume a reasonable amount of security if you understand that security is a multi-level solution. Also, assume that if someone wants to attack your site badly enough, they will. The majority of attacks out there now are carried out by automated bots that are looking for easy targets – but if someone has enough time, motivation and knowledge, all bets are off. All we can do is make it harder for them to get in.