
5 Essential Approaches to Securing Your WordPress Site

1 SITE security (pg 3)
  Don’t Hesitate to Update
  Updating Made Easy
  Streamline Your Plugins
2 DASHBOARD security (pg 5)
  Restrict access by IP address
  Password protect wp-login.php
  Limit Login Attempts
3 USER security (pg 7)
  Enable Two-Factor Authentication
  Require a Minimum Password Strength
  Enforce Password Expiration
4 CODE security (pg 9)
  Put Your Site to the Test
  Fight Bots with CAPTCHAs
  Never Trust User Input
5 SERVER security (pg 11)
  Set Proper Permissions
  Use Your Firewall
  Have a Backup Plan

WordPress is the web’s most popular Content Management System, powering a full quarter of indexed sites. It’s been embraced by millions of casual bloggers for its ease of use and user-friendly interface, and its maturity, stability, and extensibility have made it a platform of choice for high-profile businesses including CNN, TechCrunch and UPS. Together, WordPress users publish more than 58 million new pages each month.

Popularity, though, comes at a cost — WordPress’s universal appeal makes it an incredibly high-profile target. Its open-source model allows vulnerabilities to be quickly discovered and promptly patched, but users don’t always have time to update right away. As a result, some sites continue to use vulnerable software even after security updates are released, and that’s exactly what hackers are counting on.

Many attacks on WordPress are automated, requiring an attacker to simply update a script to begin seeking out, identifying, and ultimately exploiting vulnerable sites. Automation makes it easy to cast a very wide net and the potential payoff is great: If 99 percent of the more than 75 million WordPress sites are completely secure, the potentially vulnerable one percent still includes more than 750,000 sites. Hackers may have the odds on their side, but that doesn’t mean you have to wave a white flag.

There are five essential components of a secure WordPress site: Site security, dashboard security, user security, code security and server security. And while there’s no such thing as a “hack-proof” site, you can make yours a much more difficult target — and keep it out of the one percent — by addressing these five critical areas.

1 SITE security

Don’t Hesitate to Update
The most important thing you can do to protect your WordPress site is to keep your software up to date: That includes WordPress itself and every plugin and theme you have installed.

It’s advice we’ve all heard before, certainly, but the scope of the threat often is overlooked. For instance, Forbes attributed the leak that sparked the Panama Papers scandal, in part, to outdated WordPress and Drupal installations. And in 2014, a vulnerability in the newsletter plugin MailPoet led to more than 50,000 compromised sites — despite the fact that a patch was released the same day that the vulnerability was discovered.

So why do some site administrators hesitate to update? Perhaps unsurprisingly, there are several reasons that have nothing to do with security.

1 Compatibility Concerns
Anyone can develop a WordPress plugin or theme. The overwhelming majority are thoroughly tested for compatibility and actively maintained, but it’s safe to say that’s not always the case. Beyond that, the sheer number of available plugins — 43,916 currently are listed at WordPress.org — prevents even the most conscientious team of developers from being able to guarantee that their plugin won’t somehow conflict with someone else’s in every possible use case.

Administrators primarily concerned with maintaining compatibility may be tempted to take a wait-and-see approach to theme and plugin updates. Instead of acting quickly, they may keep an eye out for issues flagged elsewhere to help identify and resolve any potential conflicts before updating an older plugin or theme.

2 Lack of Time
In reality, the update process takes only a moment, and even several pages worth of plugins can be updated at once. Unfortunately, administrators of sites that use several pages worth of plugins have learned (often through their experience with issue No. 1) to update only one item at a time, test the site, and then move on to updating the next one.

3 Lack of Awareness
By default, WordPress will automatically apply security updates and minor version upgrades to the core itself. Plugins and themes, on the other hand, are a different story. Yes, you’ll see an update notification and indicator each time you access your dashboard, but not everyone logs into their site each day. Plugins such as WP Updates Settings, Advanced Automatic Updates, or Update Control are available to automatically apply updates to your other plugins, as can software installers such as Softaculous, but site administrators familiar with issues No. 1 and No. 2 may find it easier to simply log in regularly.
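The plugins named above all work by switching on a facility WordPress core already has: the auto_update_plugin and auto_update_theme filters. The must-use plugin below is an added example written for this edition, not code from the ebook or from any of those plugins. It turns automatic updates on for everything except a short list of plugins you have chosen to update by hand (the slugs in the list are assumptions), and logs what the updater did so the change is visible even when nobody logs in for days:

```php
<?php
/**
 * Plugin Name: Selective Auto-Updates (added example)
 * Description: Keep plugins and themes patched automatically. Save as
 *              wp-content/mu-plugins/selective-auto-updates.php.
 */

// Plugins (by slug) that you update by hand because of the compatibility
// concerns described above. These two slugs are made-up examples.
const EXAMPLE_MANUAL_UPDATE_PLUGINS = array( 'some-fragile-plugin', 'custom-theme-companion' );

/**
 * Decide whether a pending plugin update may be applied automatically.
 * WordPress calls the 'auto_update_plugin' filter with the current decision
 * and the update item, an object that carries ->slug and ->plugin.
 */
function example_auto_update_plugin( $update, $item ) {
    if ( isset( $item->slug ) && in_array( $item->slug, EXAMPLE_MANUAL_UPDATE_PLUGINS, true ) ) {
        return false; // leave these for a tested, one-at-a-time manual update
    }
    return true;
}
add_filter( 'auto_update_plugin', 'example_auto_update_plugin', 10, 2 );

// Apply every theme update automatically.
add_filter( 'auto_update_theme', '__return_true' );

/**
 * Record the outcome of each automatic update run. WordPress fires
 * 'automatic_updates_complete' with an array keyed by 'core', 'plugin' and
 * 'theme'; each entry is a list of result objects with ->name and ->result
 * (true on success, a WP_Error on failure).
 */
function example_log_auto_updates( $results ) {
    foreach ( array( 'plugin', 'theme' ) as $type ) {
        if ( empty( $results[ $type ] ) ) {
            continue;
        }
        foreach ( $results[ $type ] as $result ) {
            $name   = isset( $result->name ) ? $result->name : '(unknown)';
            $status = is_wp_error( $result->result )
                ? 'FAILED: ' . $result->result->get_error_message()
                : 'updated';
            error_log( sprintf( 'auto-update %s "%s": %s', $type, $name, $status ) );
        }
    }
}
add_action( 'automatic_updates_complete', 'example_log_auto_updates' );
```

Two caveats worth knowing before relying on this: the background updater is driven by WP-Cron, which on a low-traffic site only runs when someone visits, so pair it with a real system cron job that requests wp-cron.php; and a plugin on the manual list still needs the regular dashboard visit the text recommends, because nothing here will remind you about it.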

Updating Made Easy
If you’re not promptly applying updates to your WordPress site, these four guidelines may help to change your mind:

Back up your site before updating: A recent restore point will allow you to quickly revert any undesired changes to your site. Taking a backup immediately prior to updating guarantees you’ll have the latest possible version of your site ready in case you need it, and also gives you a few extra moments to think through your update strategy.

Update during your time of lightest traffic: It may be the middle of the night for you, but you’ll minimize the risk of your site visitors noticing an interruption should there be a hiccup. You also may get to sleep in the next morning instead of fielding calls about an exploit featured on the news.

Apply one update at a time: Thoroughly test your site after updating each plugin and, if a change needs to be reverted, simply remove the plugin. You can do so from within the WordPress admin area or by moving it out of the plugins directory via the command line or FTP.

Use a development or staging site: If you don’t have a development site and are concerned about potential issues following an upgrade, it’s time to create one. It can be as simple as downloading a backup of your site and restoring it to another WordPress installation locally, on another server, or in a different directory on your existing server. There are several WordPress plugins, including Duplicator, which make this an easy task. By applying updates to a copy of your site, you can quickly spot any potential issues that you’ll need to resolve before updating your production site.

Streamline Your Plugins
Any plugin on your site that doesn’t receive security updates or is poorly coded is potentially vulnerable. You can reduce your risk — and your site maintenance workload — by following these guidelines:

Regularly audit plugins: In your site’s dashboard, periodically click on the “View details” link next to each plugin and have a look at its statistics. How long since its last update? Is it still being actively maintained? What are other users saying about it? If you see any red flags, find another plugin to do its job.

Deactivate unneeded plugins: Many plugins are meant to perform a very limited or even one-time task. Periodically rank your plugins based on the critical functions they perform for your site, and consider deactivating those that fall near the bottom of the list.

Delete unused plugins: If you have inactive plugins that you’re not planning on using in the near future, get rid of them.

Consolidate functions: Do you have multiple plugins that perform the same function, such as caching or generating forms? If at all possible, pick one and stick with it.

No exceptions: These guidelines should be applied to all plugins, even the ones mentioned in this book. Don’t take a plugin’s listing here as an exemption; security depends on all plugins being subject to the same level of scrutiny.

2 DASHBOARD security
Would-be attackers and their methods are as varied as their targets. But, as in the real world,
they can almost always be counted on to pursue the path of least resistance. A burglar who
wants into your home is first going to check for open windows and doors; likewise, someone
who wants to compromise your WordPress site is going to start at the login page.
Any of these tips will help you lock it down. You may not be able to use them all, but know
that each additional measure will further increase your site’s ability to repel a full-on,
automated assault.

Restrict Access by IP
With this approach, you’ll not only need a valid username and password combination to log in to WordPress, but you’ll also need to access the page from an authorized IP address. Putting this technique to work is as simple as adding your administrators’ IP addresses to the site’s .htaccess file.

Obtain your public IP address by visiting a site such as http://ip.liquidweb.com, and once you have all of your authorized users’ IP addresses, add the appropriate rules to the site’s .htaccess file in this format:

<Files wp-login.php>
order deny,allow
#Begin authorized IPs
allow from x.x.x.x
allow from x.x.x.x
#End authorized IPs
deny from all
</Files>

This method provides rock-solid protection, but it’s not ideal for everyone. Sites with a large number of administrators, editors, and authors may not be able to pin down everyone’s IP addresses. And administrators who frequently use a cellular network or public wifi would no longer be able to log in to WordPress from those networks because they utilize dynamic IP addresses.

Password Protect wp-login.php
When you add password protection to your site’s login page, you’re requiring anyone attempting to log in to first provide a username and password that’s unique to the login page itself before they can load the page and enter their credentials. There are two important reasons to consider this approach.

First, an attacker trying to brute-force their way in will be far less likely to overload your server by repeatedly hitting the login page, a common tactic.

Secondly, this form of authentication lets you use anything for a username. That’s important because any of your site editors or authors can both publish and edit posts (at least their own), making their accounts potential targets for someone determined to deface, discredit, or disrupt your site. Because usernames are published with articles, a would-be attacker already has half the information they need to take aim at these accounts. This method doubles the number of credentials needed to log in and makes a would-be attacker’s work that much more difficult.

Many web hosts have a control panel tool that you can use to password protect files. If yours doesn’t, you’ll want to use a web-based tool such as Htpasswd Generator to generate a password file (.htpasswd), and place it in your home directory (above your site’s document root). Then add a rule pointing to its path, along with the expected username, in your site’s .htaccess file:

<Files wp-login.php>
# Give the absolute path to the password file; Apache does not expand "~"
AuthUserFile /full/path/to/.htpasswd
AuthName "Restricted access"
AuthType Basic
require user UsernameHere
</Files>

! Don’t Use “admin”
Early versions of WordPress defaulted to the username “admin”. As a result, it’s predictably the very first username that someone attempting to access your dashboard will try. If you have “admin” as an administrative username, immediately make a new account and transfer admin’s posts to that new account.

Then, rather than deleting admin, consider changing the account’s role to subscriber and securing it with a particularly long and complex password. If you do, an attacker will never see the “Invalid username” error message when targeting admin, and may concentrate their attacks on that username. Should their efforts ultimately be successful, they’ll be rewarded with the ability to edit the hacked account’s user profile.

Limit Login Attempts
Any password is crackable with enough time, determination, and computing power. But that doesn’t necessarily make it inevitable. Stop attackers in their tracks by limiting the number of tries they get to guess a user’s password.

This can be done by using a lightweight, narrowly-focused plugin such as Limit Login Attempts, or any of the more popular comprehensive WordPress security plugins. Beyond limiting login attempts, the full-featured security plugins include a number of other features which can be of tremendous value if used correctly:

• iThemes Security: Also provides two-factor login authentication, user action logging, IP blocking, form protection with Google reCAPTCHA, security scans, and more, including the ability to rename default WordPress pages.
• WordFence: Also provides two-factor login authentication, IP blocking and rate-limiting, a basic firewall, service monitoring, caching and more.
• All-in-One WP Security & Firewall: Also provides IP blocking, form protection, monitoring and scanning, a basic firewall, and more.
• BulletProof Security: Also includes a basic firewall, security and error logging, database backups, and more.

It’s important to note that any all-inclusive plugin may carry more overhead and may conflict with other active plugins you’re using that normally perform some of the same functions. If you elect to use one of these plugins, it’s important to use only one of them and closely follow the plugin developer’s recommendations.
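The two .htaccess fragments above use Apache 2.2 directives (order, allow, deny). Apache 2.4 replaced them with Require, and unless the mod_access_compat module is loaded the old syntax produces a server error rather than a protected page. The block below is an added example for this edition, not from the ebook: it combines the IP restriction and the password prompt for Apache 2.4. The addresses, the .htpasswd path and the username are placeholders.

```apache
# wp-login.php protection for Apache 2.4 (added example, placeholders throughout)
<Files wp-login.php>
    AuthType Basic
    AuthName "Restricted access"
    # Absolute path; Apache does not expand "~"
    AuthUserFile /home/example/.htpasswd

    # Both conditions must hold: the request comes from an allowed address
    # AND the visitor supplies the extra username/password.
    <RequireAll>
        <RequireAny>
            Require ip 203.0.113.10
            Require ip 198.51.100.0/24
        </RequireAny>
        Require user UsernameHere
    </RequireAll>
</Files>
```

Drop the RequireAll/RequireAny wrapper and keep only the Require user line if you want the password prompt without the IP restriction, or keep only the inner RequireAny for the IP restriction alone. Because credentials can also be submitted to xmlrpc.php, a second Files block naming that file closes the same door there.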

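To make concrete what a login limiter actually does, here is a minimal one as a must-use plugin. It is an added example for this edition and is not the code of Limit Login Attempts or of any plugin listed above. It counts failed logins per client address in a transient, refuses authentication once the limit is reached, and clears the count on a successful login; the limit and window values are assumptions:

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (added example)
 * Description: Lock a client address out of wp-login.php after repeated failures.
 *              Save as wp-content/mu-plugins/login-attempt-limiter.php.
 */

const EXAMPLE_MAX_ATTEMPTS   = 5;    // failures allowed ...
const EXAMPLE_WINDOW_SECONDS = 900;  // ... within 15 minutes; lock-out lasts as long

/**
 * Transient key for the requesting client. REMOTE_ADDR is only the real
 * client when PHP is not behind a reverse proxy; behind one, have the web
 * server restore the client address rather than trusting X-Forwarded-For.
 * Users sharing one address (an office NAT) share one counter.
 */
function example_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_login_fail_' . md5( $ip );
}

/**
 * Count a failure. WordPress fires 'wp_login_failed' after any unsuccessful
 * attempt, including attempts made while already locked out, so each new
 * try renews the window.
 */
function example_record_failure( $username ) {
    $key   = example_client_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, EXAMPLE_WINDOW_SECONDS );
}
add_action( 'wp_login_failed', 'example_record_failure' );

/** A successful login clears the counter for that address. */
function example_clear_failures( $user_login, $user ) {
    delete_transient( example_client_key() );
}
add_action( 'wp_login', 'example_clear_failures', 10, 2 );

/**
 * Refuse authentication once the limit is reached. Priority 30 runs after
 * WordPress's own username/password check (priority 20), so a locked-out
 * client gets the generic lock-out message instead of the more specific
 * "incorrect password" message.
 */
function example_block_locked_out( $user, $username, $password ) {
    if ( $username === '' && $password === '' ) {
        return $user; // the form has not been submitted yet
    }
    $count = (int) get_transient( example_client_key() );
    if ( $count >= EXAMPLE_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed logins from your address. Try again in %d minutes.',
                     EXAMPLE_WINDOW_SECONDS / 60 )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'example_block_locked_out', 30, 3 );
```

A per-address counter slows a single machine down considerably, but an attacker spreading guesses across many addresses stays under the limit at each one, which is why the text pairs this measure with two-factor authentication and strong passwords rather than relying on it alone.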
3 USER security
It bears repeating that any site can be compromised. In the last year, thousands of WordPress sites were compromised: Sites belonging to individuals, schools, charities, and businesses large and small — even a Microsoft site was not immune.

These are the “one percent” of sites that attackers work so hard to find, the smallest sliver of an almost incomprehensibly large install base. Some were left exposed by outdated software, but in other cases attackers targeted a much more common vulnerability: The site users themselves.

Of all the tricks and tools hackers have at their disposal, brute force can sometimes be the most effective weapon. A brute force attack is simple, and a bit of a gamble, but it’s hardly a fair bet. It boils down to a battle of wits between a human being and a computer program.

Enable Two-Factor Authentication
Two-factor authentication is already a requirement with many banking websites, and your site users probably are already using it with services from Google, Dropbox, or Paypal. The reason for its near-universal adoption is simple: It works. Requiring a user to log in with a one-time-use code tied to a personal device in addition to their username and password can cut the chances of an imposter successfully logging in to nearly zero. Instantly bring this level of security to your WordPress site with the Google Authenticator plugin, or by enabling two-factor authentication in one of the comprehensive security plugins highlighted earlier.

Require a Minimum Password Strength
Users are constantly bombarded by variations of the “use strong passwords” plea, and there’s no reason to assume that they’ll be more receptive to the message just because it comes from you. As we’ve noted previously, strong passwords can be hard to remember and some people will continue to use “Passw0rd1” for as long as they have the choice. WordPress includes a password strength meter, and will generate strong passwords by default, but if you want to require even stronger measures, many of the popular WordPress security plugins allow you to set a specific minimum password strength.

Enforce Password Expiration
Even the most secure password won’t stay that way forever, and that’s why security experts also recommend changing passwords frequently. Yes, that’s more of the sort of advice people don’t want to hear but, of course, there are plugins for that, too. WP Password Policy Manager, for instance, can be set to automatically expire passwords after a specified time. One thing to keep in mind, though, is that restoring your site’s database from a backup will also cause any passwords changed since the backup was taken to revert to their previous values. To minimize the potential impact on your users, don’t set a password expiration date that’s shorter than the length of time you retain backups. In most cases, changing passwords two or three times a year is sufficient.

Man vs. machine is no contest
Your site users have to keep track of at least several dozen passwords in their everyday lives. They know they’re not supposed to use the same password on multiple sites, and they also know they should use only strong passwords. But people have much better things to do than keep track of a long list of unpronounceable passwords they can’t possibly be expected to remember.

Your would-be attacker, on the other hand, is running a script powered by an algorithm written for the sole purpose of guessing passwords. It knows every word in every dictionary in every language and is capable of trying all of them within seconds. And, thanks to data posted online following innumerable other security breaches, it also knows the top 10,000 or maybe even 100,000 most common passwords.

You know exactly how this contest plays out, so why place a bet? Follow the guidelines presented here and put your home-field advantage to work.
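The strength meter WordPress shows is advisory; a user can ignore it. Enforcing a minimum, as the security plugins mentioned under Require a Minimum Password Strength do, means rejecting the password server-side at the two places it can be set. The must-use plugin below is an added example for this edition, not code from WP Password Policy Manager or any other plugin named in the text. The policy values (length, character classes) are assumptions; it does not implement expiration:

```php
<?php
/**
 * Plugin Name: Minimum Password Policy (added example)
 * Description: Reject weak passwords on the profile screen and the reset form.
 *              Save as wp-content/mu-plugins/minimum-password-policy.php.
 */

const EXAMPLE_MIN_PASSWORD_LENGTH = 12; // assumed policy value

/**
 * Return a human-readable reason the password fails the policy, or null if
 * it passes. Pure function so it can be reused (and unit-tested) anywhere.
 */
function example_password_policy_violation( $password, $username = '' ) {
    if ( strlen( $password ) < EXAMPLE_MIN_PASSWORD_LENGTH ) {
        return sprintf( 'Passwords must be at least %d characters long.', EXAMPLE_MIN_PASSWORD_LENGTH );
    }
    // Require upper- and lower-case letters, a digit and a symbol.
    if ( ! preg_match( '/[a-z]/', $password ) || ! preg_match( '/[A-Z]/', $password )
        || ! preg_match( '/[0-9]/', $password ) || ! preg_match( '/[^A-Za-z0-9]/', $password ) ) {
        return 'Passwords must mix upper- and lower-case letters, digits, and symbols.';
    }
    // "Passw0rd1"-style choices built on the username are rejected too.
    if ( $username !== '' && stripos( $password, $username ) !== false ) {
        return 'Passwords must not contain your username.';
    }
    return null;
}

/**
 * Profile creation/update in the dashboard. WordPress passes the candidate
 * password as $_POST['pass1'] and collects refusals in the WP_Error $errors.
 */
function example_check_profile_password( $errors, $update, $user ) {
    if ( empty( $_POST['pass1'] ) ) {
        return; // no password change requested
    }
    $username = isset( $user->user_login ) ? $user->user_login : '';
    $problem  = example_password_policy_violation( wp_unslash( $_POST['pass1'] ), $username );
    if ( $problem !== null ) {
        $errors->add( 'weak_password', '<strong>Error</strong>: ' . esc_html( $problem ) );
    }
}
add_action( 'user_profile_update_errors', 'example_check_profile_password', 10, 3 );

/**
 * The "lost password" reset form. $user is a WP_Error when the reset key is
 * invalid, in which case there is nothing to check.
 */
function example_check_reset_password( $errors, $user ) {
    if ( is_wp_error( $user ) || empty( $_POST['pass1'] ) ) {
        return;
    }
    $problem = example_password_policy_violation( wp_unslash( $_POST['pass1'] ), $user->user_login );
    if ( $problem !== null ) {
        $errors->add( 'weak_password', '<strong>Error</strong>: ' . esc_html( $problem ) );
    }
}
add_action( 'validate_password_reset', 'example_check_reset_password', 10, 2 );
```

Keeping the rule in one plain function matters more than the particular rule: both WordPress hooks call it, so the policy cannot drift between the profile screen and the reset form, and the function can be exercised from the command line with a list of known-bad passwords.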

4 CODE security
If you followed the guidelines up to this point, then your site is up to date and freed from the burden of nonessential plugins. Your dashboard is secure and you’ve given your site users no choice but to adopt best practices with respect to their login credentials. Now it’s time to make sure that you’re holding up your end of the bargain.

Put Your Site to the Test
It may sound like a Murphy’s Law for the modern age, but it holds true: Anything that can be exploited will be. The good news is that you don’t have to wait until it’s too late to learn about vulnerabilities on your site. Popular security plugins iThemes and All-in-One WP Security & Firewall as well as Anti-Malware Security and Brute-Force Firewall include scanners, and sites such as WordPress Security Scan, WPScans, and Sucuri can thoroughly examine your site and reveal potential vulnerabilities. To stay informed, you’ll also want to regularly check the WPScan Vulnerability Database for a detailed analysis of WordPress core, plugin, and theme vulnerabilities as they’re discovered.

Fight Bots With CAPTCHAs
Nearly any form you’ll encounter on a modern website is protected by a CAPTCHA (“Completely Automated Public Turing test to tell Computers and Humans Apart”). They can be annoying, but they can also severely limit the damage that can be inflicted by malicious bots. While these automated form-fillers are effective (and prolific) advertisers, the links they post can lead your site visitors to malicious, or at the very least inappropriate, websites. Pull the plug on these bots by enabling the CAPTCHA option on your form plugin, and periodically survey your site to ensure that there are no “submit” buttons unaccompanied by a CAPTCHA.

First things first
If your site uses any legacy code (in this case, code specifically written for PHP version 5.4 or earlier) that’s keeping you from updating to a currently supported software version (whether PHP, MySQL, or the WordPress core itself), then updating that code should be a priority project. While there may be no direct security implications in the legacy code itself, the process of recovering from a potential compromise could require you to migrate your site (or restore it from a backup) to a new server. In that event, it’s entirely possible that a new server will not support the same software version your site requires — especially if it’s past End of Life.

Never Trust User Input
Checking user input, or validating, ensures that the data you’ve requested of users matches what they’ve submitted. WordPress includes a number of methods to not only validate, but also clean up user input and screen output. Using them appropriately can help protect your site from code injection, database manipulation, and buffer overflows. You can find detailed examples of each function in action at WordPress.org.

Core Functions
• is_email(): Email validation is required while submitting comments, contact forms, and creating an account. WordPress uses this function to check whether a submitted email address is valid or invalid.
• is_serialized(): Checks to ensure that data can be written to the database in a form that can be safely stored, and retrieved in a form that PHP can understand. WordPress uses this function while storing options, metadata, and transients.

Escaping Output
Escaping output helps ensure that your data is presented on the page as it should be. If a malicious individual can inject script into your Web application’s output, they can execute any type of script in a visitor’s browsers and effectively control that visitor’s user experience. To preclude that possibility, be sure to escape output where appropriate. Here’s a quick rundown of the most common escaping functions:
• esc_attr(): Encodes the <, >, &, " and ' (less than, greater than, ampersand, double quote and single quote) characters.
• esc_textarea(): Encodes text for use inside a <textarea> element.
• esc_html(): Escaping for HTML blocks.
• esc_url(): Recommended for sanitizing URLs in text nodes, attribute nodes – or, as WordPress recommends, just about anywhere else.
• esc_js(): For inline JavaScript. This escapes single quotes, the htmlspecialchars characters (" < > &), and text strings for echoing in JavaScript.

Sanitizing Functions
Sanitizing cleans user input, ensuring that it can be stored in the database without risk. WordPress offers numerous sanitizing helper functions, including:

Category     Function                 Explanation
Email        sanitize_email()         Strips out all characters that cannot appear in an email address.
Option       sanitize_option()        Sanitizes various option values based on the nature of the option.
File names   sanitize_file_name()     Removes special characters that are illegal in filenames on certain operating systems, as well as special characters requiring escaping to manipulate at the command line.
Text field   sanitize_text_field()    Sanitizes a string from user input or from the database.
Classname    sanitize_html_class()    Sanitizes an html classname so it contains only valid characters.
User name    sanitize_user()          Sanitizes a username by stripping out unsafe characters.
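The functions listed above only help if each one is applied at the right stage: validate on the way in, sanitize before storing, escape on the way out, with the escaping function chosen for the context the value lands in. The following is an added example for this edition, not code from the ebook or from WordPress.org: a small guestbook handler shown first the unsafe way and then hardened with those functions and $wpdb->prepare(). The guestbook table and the function names are assumptions.

```php
<?php
// Added example: unsafe handler beside its hardened form. Assumes a table
// {$wpdb->prefix}guestbook(name, email, website, message) exists.

// --- Unsafe version: raw $_POST goes straight into SQL and HTML ---------------
function example_guestbook_save_unsafe( $wpdb ) {
    $name    = $_POST['name'];
    $email   = $_POST['email'];
    $website = $_POST['website'];
    $message = $_POST['message'];
    // String concatenation: a quote character in $name changes the SQL itself
    // (database manipulation, as the text above calls it).
    $wpdb->query( "INSERT INTO {$wpdb->prefix}guestbook (name, email, website, message)
                   VALUES ('$name', '$email', '$website', '$message')" );
}

function example_guestbook_render_unsafe( $row ) {
    // Unescaped output: markup stored in $row->message is rendered, and a
    // javascript: URL in $row->website becomes a live link, for every visitor.
    return "<div class=\"entry\"><a href=\"{$row->website}\">{$row->name}</a>: {$row->message}</div>";
}

// --- Hardened version -----------------------------------------------------------
function example_guestbook_save( $wpdb ) {
    // 1. Validate: refuse the request if a required field is not what was asked for.
    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    if ( ! is_email( $email ) ) {
        return new WP_Error( 'invalid_email', 'A valid email address is required.' );
    }

    // 2. Sanitize: strip what must not reach the database. esc_url_raw() is the
    //    storage-safe counterpart of esc_url(); sanitize_textarea_field() keeps
    //    line breaks that sanitize_text_field() would remove.
    $name    = sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) );
    $website = esc_url_raw( wp_unslash( $_POST['website'] ?? '' ) );
    $message = sanitize_textarea_field( wp_unslash( $_POST['message'] ?? '' ) );
    if ( $name === '' || $message === '' ) {
        return new WP_Error( 'missing_field', 'Name and message are required.' );
    }

    // 3. Parameterize: $wpdb->prepare() quotes each %s value, so data can never
    //    alter the structure of the statement.
    $ok = $wpdb->query( $wpdb->prepare(
        "INSERT INTO {$wpdb->prefix}guestbook (name, email, website, message) VALUES (%s, %s, %s, %s)",
        $name, $email, $website, $message
    ) );
    return ( $ok === false ) ? new WP_Error( 'db_error', 'Could not save the entry.' ) : true;
}

function example_guestbook_render( $row ) {
    // 4. Escape on output, one function per context: esc_attr() inside an
    //    attribute, esc_url() for an href, esc_html() for text content.
    return sprintf(
        '<div class="%s"><a href="%s">%s</a>: %s</div>',
        esc_attr( 'entry' ),
        esc_url( $row->website ),
        esc_html( $row->name ),
        esc_html( $row->message )
    );
}
```

Sanitizing on the way in and escaping on the way out are not redundant: the sanitized value is what gets stored, but a row written before the fix, or by another plugin, still passes through the escaping functions before it reaches a browser.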
5 SERVER security

Set Proper Permissions
All WordPress files and folders should have proper permissions and ownership. This basic, if often overlooked, step can deny attackers the ability to upload malicious files and easily execute code that can compromise not only your site, but also your server.

All WordPress directories should have “0755” permissions, and files should always have “0644” permissions. There are a very few cases which are exceptions to this rule, which can depend on your PHP handler and your hosting environment, but “0777” permissions on directories are never acceptable from a security standpoint. Typically, if you have shell access, you can quickly set proper permissions with the following commands:

Set Folder Permission:
find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;

File Permission:
find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;

Note: Be sure each of the code snippets above is run on a single line.

If you’re running into errors when installing plugins and uploading media, contact your hosting provider to make sure that PHP is running with the correct user — and that folders are owned by the same user.

Use Your Firewall
Regardless of where you host your WordPress site, you should have access to a basic firewall. Whether it’s stock iptables or a software firewall built on top of it such as the Advanced Policy Firewall (APF) or ConfigServer Security & Firewall (CSF), you’ll want to ensure that it’s enabled and properly configured. At the very least, you should try to limit SSH access to the server to your IP address, and you may wish to restrict FTP access as well. In addition, your web host may provide an application firewall such as ModSecurity (modsec); if they do, you can use custom rules to further enhance the security of your WordPress site.

Have a Backup Plan
No matter how aggressively you enforce your site security plan, there will always be a chance (however remote) that it could be compromised at some point. Simply put, the odds will never be 100 percent in your favor. By following these guidelines, you can dramatically reduce your risks and ensure that your site is not among the one percent that are so attractive to attackers, but you can never completely eliminate any possibility of a compromise.

What you can do, however, is guarantee that any damage done can be quickly reversed, and regularly backing up your site and database is the way you do it. Whether you use full-account backups through your web host’s control panel, full-server backups through your web host’s management interface, or a plugin solution such as BackupBuddy, you’ll want to make sure that you’re at least backing up your full WordPress installation directory and database.

Ideally, you’ll want to back up your site at least once a day, and retain several days worth of daily backups. You’ll also be well-served to retain at least two or three weekly backups, and monthly backups for as long as you have disk space to hold on to them.

If you elect to use a plugin or other on-server backup solution, be sure that you’re regularly downloading them from the server via FTP or SFTP and storing them locally. Not only will you know that you’ve got them in a safe place, but you’ll also preclude the possibility of an attacker deleting the backups as soon as they get access to your site.

In conclusion
WordPress is the most popular Content Management System in the world, and for good reason. It’s an incredibly powerful, mature, and stable platform that’s embraced and championed by a passionate community of designers, developers, and users of every skill level. Its ease of use and endless extensibility means that it’s equally capable of powering simple blogs with a few regular visitors and international corporations with a worldwide audience.

As the dominant platform, it is an especially attractive target for attackers, but the number of people devoting their talents to keeping WordPress secure far outnumber those seeking to do harm. Because it’s open source, every line of code is open to inspection and scrutiny, making the platform completely transparent and, many would argue, considerably more secure than any software relying solely on security through obscurity.

By keeping the core, plugins, and theme up to date, using only actively-maintained plugins, and securing access to your dashboard, you can help your site stand up to the most sophisticated attacker. And by following these basic guidelines for user, code, and server security, you can make a would-be attacker’s job far more trouble than it’s worth and, ideally, quickly send them off in search of an easier target.
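Returning to the Set Proper Permissions section: the two find commands there fix permissions, but they do not answer the ownership question the section ends with, and they do not tell you what was wrong before you ran them. The script below is an added example for this edition, not code from the ebook. It is written in PHP deliberately, so that it runs as the same user PHP runs as on your host, and it only reports: the uid PHP runs as, who owns the install, and every directory or file whose mode differs from 0755/0644, with world-writable entries flagged separately. The install path is a placeholder.

```php
<?php
// Added example: read-only permissions and ownership audit for a WordPress install.
// Usage: php permaudit.php /path/to/your/wordpress/install/

/**
 * The uid PHP is executing as, found portably: a file this process creates is
 * owned by the process's effective user (no posix extension needed).
 */
function example_running_uid() {
    $tmp = tempnam( sys_get_temp_dir(), 'permaudit' );
    $uid = fileowner( $tmp );
    unlink( $tmp );
    return $uid;
}

/**
 * Walk $root and return findings as rows of [path, mode, reason]. Symbolic
 * links are not followed, so a link pointing outside the tree is not scanned.
 * Stricter modes (a 0600 wp-config.php, for example) are listed for review;
 * only the WORLD-WRITABLE rows are definite problems.
 */
function example_audit_permissions( $root ) {
    $findings = array();
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ( $iterator as $path => $info ) {
        $mode  = fileperms( $path ) & 0777;
        $isDir = $info->isDir();
        if ( $mode & 0002 ) {
            $findings[] = array( $path, sprintf( '%04o', $mode ), 'WORLD-WRITABLE' );
        } elseif ( $isDir && $mode !== 0755 ) {
            $findings[] = array( $path, sprintf( '%04o', $mode ), 'directory not 0755' );
        } elseif ( ! $isDir && $mode !== 0644 ) {
            $findings[] = array( $path, sprintf( '%04o', $mode ), 'file not 0644' );
        }
    }
    return $findings;
}

/** Assemble the report as a string so it can be printed, mailed or logged. */
function example_permissions_report( $root ) {
    $running = example_running_uid();
    $owner   = fileowner( $root );
    $lines   = array( sprintf( 'PHP runs as uid %d; %s is owned by uid %d', $running, $root, $owner ) );
    if ( $running !== $owner ) {
        // The symptom described in the text: plugin installs and uploads fail.
        $lines[] = 'WARNING: PHP user and install owner differ; ask your host to align them';
    }
    $findings = example_audit_permissions( $root );
    if ( ! $findings ) {
        $lines[] = 'All directories are 0755 and all files are 0644.';
    }
    foreach ( $findings as $row ) {
        list( $path, $mode, $reason ) = $row;
        $lines[] = sprintf( '%-18s %s %s', $reason, $mode, $path );
    }
    return implode( "\n", $lines );
}

$root = isset( $argv[1] ) ? rtrim( $argv[1], '/' ) : '/path/to/your/wordpress/install';
if ( ! is_dir( $root ) ) {
    fwrite( STDERR, "$root is not a directory\n" );
    exit( 1 );
}
echo example_permissions_report( $root ), "\n";
```

Run it before and after the find commands from the permissions section, and delete it from the server when you are done; a diagnostic that lists your file layout should not stay web-accessible.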
Find Your Hosting Solution Today
www.liquidweb.com/wordpress | (800) 580-4985 | sales@liquidweb.com

Liquid Web is a privately held managed web hosting company founded in 1997. We own and operate three Data Centers in Lansing, Mich., a software development office and Data Center in metropolitan Phoenix,
Ariz., a development space in Ann Arbor, Mich., and a Data Center in Amsterdam, NL. Our client base spans more than 150 countries and includes more than 30,000 customers, and our rapid expansion has earned
us a spot on INC. Magazine’s 5000 Fastest Growing Companies list for nine consecutive years, beginning in 2007.

Liquid Web is committed to providing the most comprehensive hosting solutions and customer service available. Members of our Heroic® Support are professionally educated, certified by Cisco and Red Hat, and
specialize in areas such as Technical Support, Server Setup, Database Administration, Advanced Networking, Security, Migrations, System Restoration, and more.
