How to improve your WordPress security
WordPress can be a remarkable platform. However, it doesn’t necessarily have the best security record. If you cast about on the internet, you’ll soon find some horror stories about WordPress security issues. Should this be a show-stopper – or can these risks be mitigated?
WordPress updates
One of the more significant sources of security violations is caused by not completing the necessary updates of source code and libraries used in a tech stack.
WordPress has a steady release roadmap with frequent updates made. Security is taken seriously by the core developers, and security patches are also released and well documented. WordPress offers a bounty program sponsored by Automattic to seek vulnerabilities proactively. It is not too difficult to stay on top of this upgrade process.
Individual site owners with little or no development knowledge can use the built-in auto-update processes in WordPress to enable the system to look after itself. If you’re maintaining a site yourself, you definitely want to be making use of this to ensure security holes are patched as soon as fixes become available.
There is a risk of these updates breaking areas of your site, but this is rare when using well-written themes and plugins. WordPress will also only apply minor security fixes automatically to reduce the risks involved.
For commercial websites, a more robust strategy for dealing with security updates is required. Commercial websites should be hosted professionally, which should include support for a staging environment and the use of a code repository like GitHub. Security patches can then be staged, tested and released quickly once they have been published.
This sort of process is more time consuming, but it is designed to ensure the compatibility of all upgraded packages in a safe test environment before unleashing them on production systems. It’s safer.
BrightMinded always offers WordPress hosting and support packages. We believe any good web development company creating bespoke code and sites should be prepared to host and support their work. We also adopt a rigorous upgrade cycle for WordPress sites under our support.
WordPress plugins security
As a platform WordPress is very flexible, but this strength can also be a significant vulnerability. The plugin and theme-based architecture have made WordPress a very popular tool in the community. Anyone with a little coding experience can extend WordPress functionality, and you can find a plugin to do almost anything you could want a site to do.
And therein lies the problem. Just about anyone can write a plugin, but only competent and experienced engineers can guarantee to get it right. With so many plugins available, how can you tell if the full range of security issues has been addressed? How can you know if a plugin is safe?
Our advice is to get to know a small set of high-quality plugins that you know will play nicely together. This core set of plugins becomes a stable foundation upon which bespoke code can be developed. At BrightMinded, we use a core of 5 or 6 plugins to provide key functionality, such as Advanced Custom Fields and WordPress SEO (By Yoast). Everything else we do is bespoke development written to closely follow guidelines such as the Open Web Application Security Project (OWASP).
Over the years, we have seen sites created out of up to 50 different plugins. It is a nightmare to try and stay on top of updates, to be sure they all behave well as a whole and to be confident that they are secure.
If you have to use several plugins, you should make careful choices. Ensure they are actively maintained by looking at the release dates and developer activity. Have a look over reviews and ask the wider community for recommendations.
Also, be prepared to review and change plugins as functionality drifts, or development becomes stale. Always delete unused plugins (often any vulnerabilities can still be exploited in deactivated plugins).
Hardening WordPress
While WordPress is secure by default, there are a range of measures which can be taken to enhance security and to protect against targeted attacks. For example, by changing the default login URL to something less well known, you can protect against automated brute-force attacks against your username and password.
For sites we’ve built, we include a bespoke security plugin which includes common hardening techniques. Some of these techniques are also available in off-the-shelf plugins such as WordFence or iThemes Security. Remember to keep these updated though – security plugins have been known to themselves have vulnerabilities which have needed patching!
One area where WordPress is behind the times is with password security. Passwords are secured with md5, which has long been seen as outdated. However, WordPress makes it easy to upgrade the password security, which we generally do using the wp-password-bcrypt package. This is especially important if you are running any sort of membership site which requires a user login.
Beyond WordPress
Of course, the burden of responsibility for security goes beyond the WordPress installation itself. The environment in which WordPress operates should also be secured.
When using Apache as a web server package, you can enable mod-security. This is an apache plugin which offers a configurable collection of security hardening features at the application server level.
It works on the basis of rules which detect specific patterns in the request payload and may restrict or altogether disallow the request to be processed further by Apache. One may create local rules, specifically tailored to the application at hand. However, a comprehensive ruleset already exists, covering most security cases like SQL injection, cross-site scripting, etc. OWASP, for example, distributes their own ruleset which should be included when installing mod-security.
Note, however, that especially in the context of complex WordPress sites, the mod-security configuration will need careful consideration and testing as some of the rules may not play nicely with the intended functionality, sometimes with results that are not obvious from the user’s perspective. It is highly recommended to monitor mod-security logs during the testing and QA phase of a WordPress site and customise accordingly.
Finally, at the outermost point of contact with the internet, your servers should be protected by a dedicated Web Application Firewall (WAF). Today many data centres offer such a service capable of detecting and preventing larger-scale attacks such as DDOS. They can be used to close all unused ports and temporarily ban IP-addresses which appear to be scanning or probing for known vulnerabilities. Moving this sort of intrusion prevention to a dedicated machine helps remove the load from the server’s software firewall and apache’s mod-security.
Conclusion
Fundamentally WordPress is no less secure than any other CMS. Still, in practice, it is a favourite target for hackers due to its large market share – any security hole could be exploited across many websites. When you add to this a large number of available plugins and themes with little guarantee of quality, you can see how the risks increase.
However, the large market share of WordPress also works in its favour. WordPress has an extensive security community which means any flaws are usually found quickly before they can be actively exploited.
We have shown that a few simple steps go a long way to mitigating any risks. Many of the steps BrightMinded take to secure a WordPress based website, such as installing a WAF or attending to tech-stack updates properly would apply to any web-based operation – they are simply best practices.