5 Essential Steps To Secure Your WP Site
5 Essential Approaches to Securing Your WordPress Site

1. SITE security
Don’t Hesitate to Update
The most important thing you can do to protect your WordPress site is to keep your software
up to date: That includes WordPress itself and every plugin and theme you have installed.
It’s advice we’ve all heard before, certainly, but the scope of the threat often is overlooked. For instance, Forbes attributed the leak that sparked the Panama Papers scandal, in part, to outdated WordPress and Drupal installations. And in 2014, a vulnerability in the newsletter plugin MailPoet led to more than 50,000 compromised sites — despite the fact that a patch was released the same day that the vulnerability was discovered.

So why do some site administrators hesitate to update? Perhaps unsurprisingly, there are several reasons that have nothing to do with security.

1. Compatibility Concerns

Anyone can develop a WordPress plugin or theme. The overwhelming majority are thoroughly tested for compatibility and actively maintained, but it’s safe to say that’s not always the case. Beyond that, the sheer number of available plugins — 43,916 currently are listed at WordPress.org — prevents even the most conscientious team of developers from being able to guarantee that their plugin won’t somehow conflict with someone else’s in every possible use case.

Administrators primarily concerned with maintaining compatibility may be tempted to take a wait-and-see approach to theme and plugin updates. Instead of acting quickly, they may keep an eye out for issues flagged elsewhere to help identify and resolve any potential conflicts before updating an older plugin or theme.

2. Lack of Time

In reality, the update process takes only a moment, and even several pages’ worth of plugins can be updated at once. Unfortunately, administrators of sites that use several pages’ worth of plugins have learned (often through their experience with issue No. 1) to update only one item at a time, test the site, and then move on to updating the next one.

3. Lack of Awareness

By default, WordPress will automatically apply security updates and minor version upgrades to the core itself. Plugins and themes, on the other hand, are a different story. Yes, you’ll see an update notification and indicator each time you access your dashboard, but not everyone logs into their site each day. Plugins such as WP Updates Settings, Advanced Automatic Updates, or Update Control are available to automatically apply updates to your other plugins, as can software installers such as Softaculous, but site administrators familiar with issues No. 1 and No. 2 may find it easier to simply log in regularly.
Updating Made Easy

If you’re not promptly applying updates to your WordPress site, these four guidelines may help to change your mind:

Back up your site before updating: A recent restore point will allow you to quickly revert any undesired changes to your site. Taking a backup immediately prior to updating guarantees you’ll have the latest possible version of your site ready in case you need it, and also gives you a few extra moments to think through your update strategy.

Update during your time of lightest traffic: It may be the middle of the night for you, but you’ll minimize the risk of your site visitors noticing an interruption should there be a hiccup. You also may get to sleep in the next morning instead of fielding calls about an exploit featured on the news.

Apply one update at a time: Thoroughly test your site after updating each plugin and, if a change needs to be reverted, simply remove the plugin. You can do so from within the WordPress admin area or by moving it out of the plugins directory via the command line or FTP.

Use a development or staging site: If you don’t have a development site and are concerned about potential issues following an upgrade, it’s time to create one. It can be as simple as downloading a backup of your site and restoring it to another WordPress installation locally, on another server, or in a different directory on your existing server. There are several WordPress plugins, including Duplicator, which make this an easy task. By applying updates to a copy of your site, you can quickly spot any potential issues that you’ll need to resolve before updating your production site.

Streamline Your Plugins

Any plugin on your site that doesn’t receive security updates or is poorly coded is potentially vulnerable. You can reduce your risk — and your site maintenance workload — by following these guidelines:

Regularly audit plugins: In your site’s dashboard, periodically click on the “View details” link next to each plugin and have a look at its statistics. How long since its last update? Is it still being actively maintained? What are other users saying about it? If you see any red flags, find another plugin to do its job.

Deactivate unneeded plugins: Many plugins are meant to perform a very limited or even one-time task. Periodically rank your plugins based on the critical functions they perform for your site, and consider deactivating those that fall near the bottom of the list.

Delete unused plugins: If you have inactive plugins that you’re not planning on using in the near future, get rid of them.

Consolidate functions: Do you have multiple plugins that perform the same function, such as caching or generating forms? If at all possible, pick one and stick with it.

No exceptions: These guidelines should be applied to all plugins, even the ones mentioned in this book. Don’t take a plugin’s listing here as an exemption; security depends on all plugins being subject to the same level of scrutiny.
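The plugin guidelines above (audit, deactivate, delete, consolidate) can be turned into a routine check. The script below is an added example and is not code from the book; the record layout is an assumption loosely modelled on the fields the WordPress.org plugin info API exposes (last_updated, tested, active_installs), and the inventory and plugin names are constructed.

```python
"""Audit a WordPress plugin inventory the way the guidelines above describe:
stale, untested-with-current-core, tiny-install-base, inactive and
redundant plugins all get flagged.

Added example, not code from the book. The record layout is an assumption
loosely modelled on fields the WordPress.org plugin info API exposes
(last_updated, tested, active_installs); the inventory is constructed and
the plugin names are invented.
"""
from collections import defaultdict
from datetime import date

STALE_AFTER_DAYS = 365      # a year without a release is a red flag
MIN_ACTIVE_INSTALLS = 1000  # a tiny install base means little community scrutiny

INVENTORY = [  # constructed sample: one record per installed plugin
    {"slug": "site-cloner", "active": True, "function": "backup",
     "last_updated": "2016-09-01", "tested": "4.6", "active_installs": 800000},
    {"slug": "legacy-contact-form", "active": True, "function": "forms",
     "last_updated": "2013-02-14", "tested": "3.5", "active_installs": 400},
    {"slug": "modern-forms", "active": True, "function": "forms",
     "last_updated": "2016-09-20", "tested": "4.6", "active_installs": 300000},
    {"slug": "one-time-importer", "active": False, "function": "import",
     "last_updated": "2016-08-30", "tested": "4.6", "active_installs": 50000},
]


def version_tuple(version):
    """'4.6.1' -> (4, 6, 1) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def audit_plugin(plugin, today, wp_version):
    """The 'View details' questions, answered for one plugin; returns a list of red flags."""
    flags = []
    age_days = (today - date.fromisoformat(plugin["last_updated"])).days
    if age_days > STALE_AFTER_DAYS:
        flags.append(f"no update in {age_days} days")
    declared = version_tuple(plugin["tested"])      # authors declare major.minor only
    if declared < version_tuple(wp_version)[:len(declared)]:
        flags.append(f"not tested beyond WordPress {plugin['tested']}")
    if plugin["active_installs"] < MIN_ACTIVE_INSTALLS:
        flags.append("small install base")
    if not plugin["active"]:
        flags.append("inactive: delete it unless it is coming back soon")
    return flags


def find_redundant_functions(inventory):
    """Functions served by more than one active plugin, e.g. two form builders."""
    by_function = defaultdict(list)
    for plugin in inventory:
        if plugin["active"]:
            by_function[plugin["function"]].append(plugin["slug"])
    return {fn: slugs for fn, slugs in by_function.items() if len(slugs) > 1}


def audit_inventory(inventory, today, wp_version):
    """Run every check; returns {slug: [flags]} for plugins that need attention."""
    report = {}
    for plugin in inventory:
        flags = audit_plugin(plugin, today, wp_version)
        if flags:
            report[plugin["slug"]] = flags
    for fn, slugs in find_redundant_functions(inventory).items():
        for slug in slugs:
            others = ", ".join(s for s in slugs if s != slug)
            report.setdefault(slug, []).append(f"duplicates '{fn}' with {others}")
    return report


def demo():
    """Run the audit against the constructed inventory as of a fixed date."""
    return audit_inventory(INVENTORY, date(2016, 10, 1), "4.6.1")


if __name__ == "__main__":
    for slug, flags in demo().items():
        print(f"{slug}: {'; '.join(flags)}")
```

Run it against a real site by building INVENTORY from the dashboard's plugin list (or the plugin info API) and passing today's date and the installed core version; a plugin that well-maintained competitors can replace shows up under both the age check and the redundancy check.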
2. DASHBOARD security

Would-be attackers and their methods are as varied as their targets. But, as in the real world, they can almost always be counted on to pursue the path of least resistance. A burglar who wants into your home is first going to check for open windows and doors; likewise, someone who wants to compromise your WordPress site is going to start at the login page.

Any of these tips will help you lock it down. You may not be able to use them all, but know that each additional measure will further increase your site’s ability to repel a full-on, automated assault.

… page from an authorized IP address. Putting this technique to work is as simple as adding your administrators’ IP addresses to the site’s .htaccess file. Obtain your public IP address by visiting a site such as http://ip.liquidweb.com, and once you have all of your authorized users’ IP addresses, add the appropriate rules to the site’s .htaccess file in this format:

<Files wp-login.php>
# Order/Allow/Deny are Apache 2.2 directives; Apache 2.4 only accepts them with mod_access_compat loaded
order deny,allow
# Begin authorized IPs: one "allow from" line per administrator, x.x.x.x being that person's public address
allow from x.x.x.x
allow from x.x.x.x
# End authorized IPs
deny from all
</Files>

This method provides rock-solid protection, but it’s not ideal for everyone. Sites with a large … those networks because they utilize dynamic IP addresses.

Password Protect wp-login.php

When you add password protection to your site’s login page, you’re requiring anyone attempting to log in to first provide a username and password that’s unique to the login page itself before they can load the page and enter their credentials. There are two important reasons to consider this approach.

First, an attacker trying to brute-force their way in will be far less likely to overload your server by repeatedly hitting the login page, a common tactic.

Secondly, this form of authentication lets you use anything for a username. That’s important because any of your site editors or authors can both publish and edit posts (at least their own), making their accounts potential targets for someone determined to deface, discredit, or disrupt your site. Because usernames are published with articles, a would-be attacker already has half the information they need to take aim at these accounts. This method doubles the number of credentials needed to log in and makes a would-be attacker’s work that much more difficult.

Many web hosts have a control panel tool that you can use to password protect files. If yours doesn’t, you’ll want to use a web-based tool such as Htpasswd Generator to generate a password file (.htpasswd), and place it in your home directory (above your site’s document root). Then add a rule pointing to its path, along with the expected username, in your site’s .htaccess file:

<Files wp-login.php>
# Apache does not expand "~": give the absolute path to the .htpasswd file ("username" is a placeholder for your account)
AuthUserFile /home/username/.htpasswd
AuthName "Restricted access"
AuthType Basic
require user UsernameHere
</Files>

Limit Login Attempts

Any password is crackable with enough time, determination, and computing power. But that doesn’t necessarily make it inevitable. Stop attackers in their tracks by limiting the number of tries they get to guess a user’s password.

This can be done by using a lightweight, narrowly-focused plugin such as Limit Login Attempts, or any of the more popular comprehensive WordPress security plugins. Beyond limiting login attempts, the full-featured security plugins include a number of other features which can be of tremendous value if used correctly:

• iThemes Security: Also provides two-factor login authentication, user action logging, IP blocking, form protection with Google reCAPTCHA, security scans, and more, including the ability to rename default WordPress pages.

• WordFence: Also provides two-factor login authentication, IP blocking and rate-limiting, a basic firewall, service monitoring, caching and more.
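The policy a plugin such as Limit Login Attempts enforces is small enough to show in full. The code below is an added example, not the plugin's code and not from the book: the thresholds, the lockout tracker, the single test account and the stream of attempts are all constructed.

```python
"""Limit login attempts per source address: after MAX_FAILURES failed
logins inside a sliding window, the address is locked out for a while and
its requests are rejected before the password is even checked.

Added example, not code from the book or from any plugin. Thresholds,
the account table and the attempt stream are constructed.
"""
import hmac
from collections import defaultdict, deque

MAX_FAILURES = 5        # failures tolerated inside the window
WINDOW_SECONDS = 600    # sliding window of 10 minutes
LOCKOUT_SECONDS = 1200  # 20-minute lockout once the limit is hit

ACCOUNTS = {"editor": "correct horse battery staple"}  # constructed; a real site stores hashes


def check_password(user, password):
    stored = ACCOUNTS.get(user, "")
    return bool(stored) and hmac.compare_digest(stored, password)


class LoginLimiter:
    """Tracks failed logins per key (here the client IP address)."""

    def __init__(self):
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> time the lockout ends

    def is_locked(self, key, now):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:                      # lockout expired: start counting afresh
            del self._locked_until[key]
            self._failures[key].clear()
            return False
        return True

    def record_failure(self, key, now):
        """Register a failure; returns True if this one triggered a lockout."""
        window = self._failures[key]
        while window and now - window[0] > WINDOW_SECONDS:   # forget old failures
            window.popleft()
        window.append(now)
        if len(window) >= MAX_FAILURES:
            self._locked_until[key] = now + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, key):
        self._failures[key].clear()


def process_attempts(attempts):
    """Feed (time, ip, username, password) tuples through the limiter; returns one outcome each."""
    limiter = LoginLimiter()
    outcomes = []
    for now, ip, user, password in attempts:
        if limiter.is_locked(ip, now):
            outcomes.append("locked")          # rejected without touching the credential store
        elif check_password(user, password):
            limiter.record_success(ip)
            outcomes.append("ok")
        else:
            limiter.record_failure(ip, now)
            outcomes.append("failed")
    return outcomes


# Constructed sample: a scripted guesser at 203.0.113.7 and the real user at 198.51.100.20.
SAMPLE_ATTEMPTS = [
    (0, "203.0.113.7", "editor", "password"),
    (5, "203.0.113.7", "editor", "123456"),
    (10, "203.0.113.7", "editor", "qwerty"),
    (15, "203.0.113.7", "editor", "letmein"),
    (20, "203.0.113.7", "editor", "Passw0rd1"),                      # fifth failure: lockout
    (25, "203.0.113.7", "editor", "correct horse battery staple"),   # right guess, still rejected
    (30, "198.51.100.20", "editor", "correct horse battery staple"), # another address is unaffected
    (1300, "203.0.113.7", "editor", "dragon"),                       # lockout over, counted again
]


def demo():
    return process_attempts(SAMPLE_ATTEMPTS)
```

Keying the lockout on the source address (as the plugin does) rather than on the account keeps a guesser from locking the real user out of their own account; the trade-off is that a guesser rotating through many addresses needs the per-account controls described elsewhere on this page, such as two-factor authentication.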
3. USER security

It bears repeating that any site can be compromised. In the last year, thousands of WordPress sites were compromised: Sites belonging to individuals, schools, charities, and businesses large and small — even a Microsoft site was not immune.

These are the “one percent” of sites that attackers work so hard to find, the smallest sliver of an almost incomprehensibly large install base. Some were left exposed by outdated software, but in other cases attackers targeted a much more common vulnerability: The site users themselves.

Of all the tricks and tools hackers have at their disposal, brute force can sometimes be the most effective weapon. A brute force attack is simple, and a bit of a gamble, but it’s hardly a fair bet. It boils down to a battle of wits between a human being and a computer program.

Require a Minimum Password Strength

Users are constantly bombarded by variations of the “use strong passwords” plea, and there’s no reason to assume that they’ll be more receptive to the message just because it comes from you. As we’ve noted previously, strong passwords can be hard to remember and some people will continue to use “Passw0rd1” for as long as they have the choice. WordPress includes a password strength meter, and will generate strong passwords by default, but if you want to require even stronger measures, many of the popular WordPress security plugins allow you to set a specific minimum password strength.

Enable Two-Factor Authentication

Two-factor authentication is already a requirement with many banking websites, and your site users probably are already using it with services from Google, Dropbox, or Paypal. The reason for its near-universal adoption is simple: It works. Requiring a user to log in with a one-time-use code tied to a personal device in addition to their username and password can cut the chances of an imposter successfully logging in to nearly zero. Instantly bring this level of security to your WordPress site with the Google Authenticator plugin, or by enabling two-factor authentication in one of the comprehensive security plugins highlighted earlier.
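The one-time code an authenticator app produces is a time-based one-time password (TOTP, RFC 6238), and the server-side check is short. What follows is an added example, not the book's code and not the Google Authenticator plugin's: it uses only the standard library, the secret is the RFC 6238 reference test key, and the verifier class is a constructed illustration of the two checks a login handler needs beyond the bare code comparison (tolerating one step of clock drift, and refusing a code that has already been used).

```python
"""Verify a time-based one-time code (TOTP, RFC 6238) the way an
authenticator-app login step does.

Added example, not code from the book or from any WordPress plugin. The
secret is the RFC 6238 reference key; the verifier's drift window and
replay check are constructed to show what a login handler must do.
"""
import base64
import hashlib
import hmac
import struct

TIME_STEP = 30   # seconds per code
DIGITS = 6
DRIFT_STEPS = 1  # also accept the previous and next step, for clock skew


def hotp(secret, counter, digits=DIGITS):
    """HOTP (RFC 4226): HMAC-SHA1 of the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=TIME_STEP, digits=DIGITS):
    """TOTP is HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Per-user verifier that never accepts the same time step twice."""

    def __init__(self, secret):
        self._secret = secret
        self._last_used_step = None   # highest time step already accepted

    def verify(self, code, unix_time):
        current = unix_time // TIME_STEP
        for step in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
            if self._last_used_step is not None and step <= self._last_used_step:
                continue                      # a replayed (or older) code
            if hmac.compare_digest(hotp(self._secret, step), code):
                self._last_used_step = step
                return True
        return False


# RFC 6238 reference secret (ASCII "1234567890" twice); apps receive it as base32.
SECRET = b"12345678901234567890"
SECRET_BASE32 = base64.b32encode(SECRET).decode()


def demo():
    """Constructed login sequence: a valid code, the same code replayed, a stale code, the next code."""
    verifier = TotpVerifier(SECRET)
    code = totp(SECRET, 59)                  # RFC 6238 vector at T=59: 287082
    return {
        "code": code,
        "accepted": verifier.verify(code, 59),
        "replay_rejected": not verifier.verify(code, 70),
        "stale_rejected": not verifier.verify(totp(SECRET, 0), 120),
        "next_accepted": verifier.verify(totp(SECRET, 90), 100),
    }
```

The replay check matters because a code is valid for the whole 30-second step plus the drift window: without remembering the last accepted step, anyone who observed a code could reuse it for up to a minute.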
Enforce Password Expiration

Even the most secure password won’t stay that way forever, and that’s why security experts also recommend changing passwords frequently. Yes, that’s more of the sort of advice people don’t want to hear but, of course, there are plugins for that, too. WP Password Policy Manager, for instance, can be set to automatically expire passwords after a specified time. One thing to keep in mind, though, is that restoring your site’s database from a backup will also cause any passwords changed since the backup was taken to revert to their previous values. To minimize the potential impact on your users, don’t set a password expiration date that’s shorter than the length of time you retain backups. In most cases, changing passwords two or three times a year is sufficient.

Man vs. machine is no contest.

Your site users have to keep track of at least several dozen passwords in their everyday lives. They know they’re not supposed to use the same password on multiple sites, and they also know they should use only strong passwords. But people have much better things to do than keep track of a long list of unpronounceable passwords they can’t possibly be expected to remember.
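The two user-side rules above, a minimum password strength and an expiration interval that is never shorter than your backup retention, are shown together in the added example below. It is not code from the book or from WP Password Policy Manager; the thresholds, the small blocklist and the sample dates are constructed, and a production check would swap the blocklist for a large breached-password list.

```python
"""Minimum password strength plus an expiration interval that is never
shorter than the backup retention period.

Added example, not code from the book or from any plugin: thresholds,
the small blocklist and the sample dates are constructed.
"""
from datetime import date, timedelta

MIN_LENGTH = 12
LONG_PASSPHRASE = 20       # at this length a lowercase-only passphrase is accepted
MIN_CLASSES = 3            # of: lowercase, uppercase, digit, symbol
DIGITS = "0123456789"
LEET = str.maketrans("0134$@", "oleasa")   # undo p@ssw0rd-style substitutions
COMMON_PASSWORDS = {"password", "passw0rd", "123456", "qwerty", "letmein", "welcome"}


def password_strength_errors(password):
    """Return the reasons a password fails the policy; an empty list means it passes."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum([any(c.islower() for c in password), any(c.isupper() for c in password),
                   any(c.isdigit() for c in password), any(not c.isalnum() for c in password)])
    if classes < MIN_CLASSES and len(password) < LONG_PASSPHRASE:
        errors.append(f"fewer than {MIN_CLASSES} character classes")
    lowered = password.lower()
    stripped = lowered.rstrip(DIGITS)        # Passw0rd1 -> passw0rd
    variants = {lowered, stripped, lowered.translate(LEET), stripped.translate(LEET)}
    if variants & COMMON_PASSWORDS:
        errors.append("a common password or a trivial variation of one")
    return errors


class ExpirationPolicy:
    """Expire passwords after a fixed interval, constrained by backup retention.

    Restoring a database backup reverts every password changed since it was
    taken, so an expiry interval shorter than the retention period guarantees
    that a restore undoes recent rotations.
    """

    def __init__(self, expire_after_days, backup_retention_days):
        if expire_after_days < backup_retention_days:
            raise ValueError("password expiration must not be shorter than backup retention")
        self.expire_after = timedelta(days=expire_after_days)

    def is_expired(self, last_changed, today):
        return today - last_changed >= self.expire_after


def policy_is_rejected(expire_after_days, backup_retention_days):
    """True when the policy constructor refuses the combination."""
    try:
        ExpirationPolicy(expire_after_days, backup_retention_days)
    except ValueError:
        return True
    return False


def demo():
    """Constructed checks: one weak password, two acceptable ones, two expiry cases, one bad policy."""
    policy = ExpirationPolicy(expire_after_days=120, backup_retention_days=90)  # about 3 rotations a year
    today = date(2016, 10, 1)
    return {
        "weak": password_strength_errors("Passw0rd1"),
        "passphrase": password_strength_errors("correct horse battery staple"),
        "mixed": password_strength_errors("Tr0ub4dor&3-lw"),
        "expired": policy.is_expired(date(2016, 5, 1), today),
        "fresh": policy.is_expired(date(2016, 8, 1), today),
        "too_short_interval_rejected": policy_is_rejected(30, 90),
    }
```

The length exemption for long passphrases is a deliberate choice: a character-class rule alone pushes users toward exactly the “Passw0rd1” pattern the text describes, while a long passphrase they can remember resists brute force better.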
4. CODE security

If you followed the guidelines up to this point, then your site is up to date and freed from the burden of nonessential plugins. Your dashboard is secure and you’ve given your site users no choice but to adopt best practices with respect to their login credentials. Now it’s time to make sure that you’re holding up your end of the bargain.

Put Your Site to the Test

It may sound like a Murphy’s Law for the modern age, but it holds true: Anything that can be exploited will be. The good news is that you don’t have to wait until it’s too late to learn about vulnerabilities on your site. Popular security plugins iThemes and All-in-One WP Security & Firewall as well as Anti-Malware Security and Brute-Force Firewall include scanners, and sites such as WordPress Security Scan, WPScans, and Sucuri can thoroughly examine your site and reveal potential vulnerabilities. To stay informed, you’ll also want to regularly check the WPScan Vulnerability Database for a detailed analysis of each WordPress core, plugin, and theme vulnerability as it’s discovered.

Nearly any form you’ll encounter on a modern website is protected by a CAPTCHA (“Completely Automated Public Turing test to tell Computers and Humans Apart”). They can be annoying, but they can also severely limit the damage that can be inflicted by malicious bots. While these automated form-fillers are effective (and prolific) advertisers, the links they post can lead your site visitors to malicious, or at the very least inappropriate, websites. Pull the plug on these bots by enabling the CAPTCHA option on your form plugin, and periodically survey your site to ensure that there are no “submit” buttons unaccompanied by a CAPTCHA.

First things first

If your site uses any legacy code (in this case, code specifically written for PHP version 5.4 or earlier) that’s keeping you from updating to a currently supported software version (whether PHP, MySQL, or the WordPress core itself), then updating …

While there may be no direct security implications in the legacy code itself, the process of recovering from a potential compromise could require you to migrate your site (or restore it from a backup) to a new server. In that event, it’s entirely possible that a new server will not support the same software version your site requires — especially if it’s past End of Life.
Never Trust User Input

Checking user input, or validating, ensures that the data you’ve requested of users matches what they’ve submitted. WordPress includes a number of methods to not only validate, but also clean up user input and screen output. Using them appropriately can help protect your site from code injection, database manipulation, and buffer overflows. You can find detailed examples of each function in action at WordPress.org.

Escaping Output

Escaping output helps ensure that your data is presented on the page as it should be. If a malicious individual can inject script into your Web application’s output, they can execute any type of script in a visitor’s browser and effectively control that visitor’s user experience. To preclude that possibility, be sure to escape output where appropriate. Here’s a quick rundown of the most common escaping functions:

• esc_attr(): Encodes the <, >, &, " and ' (less than, greater than, ampersand, double quote and single quote) characters.
• esc_textarea(): Encodes text for use inside a <textarea> element.
• esc_html(): Escaping for HTML blocks.
• esc_url(): Recommended for sanitizing URLs in text nodes, attribute nodes – or, as WordPress recommends, just about anywhere else.
• esc_js(): For inline JavaScript. This escapes single quotes, htmlspecialchar " < > &, and text strings for echoing in JavaScript.

Common sanitizing functions:

Input | Function | What it does
File names | sanitize_file_name() | Removes special characters that are illegal in filenames on certain operating systems, as well as special characters requiring escaping to manipulate at the command line.
Text field | sanitize_text_field() | Sanitizes a string from user input or from the database.
Classname | sanitize_html_class() | Sanitizes an html classname so it contains only valid characters.
User name | sanitize_user() | Sanitizes a username by stripping out unsafe characters.
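To see what each of the contexts above actually requires, the added example below re-implements the contracts of these helpers in stand-alone Python. It is not WordPress code (the real esc_*() and sanitize_*() functions are PHP and only run inside WordPress), the rules are simplified analogues of theirs, and the hostile comment it renders is constructed.

```python
"""Context-aware output escaping and input sanitizing, modelled on the
contracts of the WordPress esc_*() and sanitize_*() helpers listed above.

Added example, not WordPress code: stand-alone Python analogues of the
same rules, with constructed hostile input to show what each one stops.
"""
import html
import json
import re
from urllib.parse import urlsplit

SAFE_URL_SCHEMES = {"http", "https", "mailto"}
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")   # null bytes, line breaks, other control characters
_TAGS = re.compile(r"<[^>]*>")


def esc_html(text):
    """Text nodes and quoted attribute values: <, >, &, \" and ' become entities."""
    return html.escape(str(text), quote=True)


def esc_url(url):
    """Allow only listed schemes, so javascript:/data: links cannot be smuggled into href."""
    url = _CONTROL.sub("", str(url)).strip()
    scheme = urlsplit(url).scheme.lower()
    if scheme and scheme not in SAFE_URL_SCHEMES:
        return ""
    return esc_html(url)


def esc_js(text):
    """A string literal inside an inline <script>: JSON-encode, and keep '</' from closing the element."""
    return json.dumps(str(text)).replace("</", "<\\/")


def sanitize_text_field(value):
    """Strip tags, collapse whitespace, drop control characters, neutralise a stray '<'."""
    value = _TAGS.sub("", str(value))
    value = re.sub(r"\s+", " ", value)
    value = _CONTROL.sub("", value)
    return value.replace("<", "&lt;").strip()


def sanitize_file_name(name):
    """Basename only (no traversal), a conservative character set, no leading dots."""
    name = _CONTROL.sub("", str(name)).replace("\\", "/").rsplit("/", 1)[-1]
    name = re.sub(r"[^A-Za-z0-9._-]+", "-", name).strip(".-")
    return name or "file"


def sanitize_html_class(value):
    return re.sub(r"[^A-Za-z0-9_-]", "", str(value))


def sanitize_user(value):
    """Strict form: letters, digits, space, underscore, hyphen, period and @ only."""
    return re.sub(r"[^A-Za-z0-9 _.@-]", "", _TAGS.sub("", str(value))).strip()


COMMENT = {  # constructed hostile comment
    "author": 'Eve <script>alert("pwn")</script>',
    "url": "javascript:alert(document.cookie)",
    "body": "Great post!\x00 <img src=x onerror=alert(1)>",
}


def render_comment_unsafe(c):
    """What a naive template does: every field lands in the page as-is."""
    return f'<li class="{c["author"]}"><a href="{c["url"]}">{c["author"]}</a>: {c["body"]}</li>'


def render_comment(c):
    """Same template, each value sanitized on the way in and escaped for its context."""
    author = sanitize_text_field(c["author"])
    body = sanitize_text_field(c["body"])
    return (f'<li class="comment-{sanitize_html_class(author)}">'
            f'<a href="{esc_url(c["url"])}">{esc_html(author)}</a>: {esc_html(body)}</li>')
```

The point of having several functions rather than one is visible in render_comment: the same author string is sanitized once but then escaped differently for a class attribute, a link label and a URL, because each context has its own way of turning text back into code.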
5. SERVER security

Use Your Firewall

Regardless of where you host your WordPress site, you should have access to a basic firewall. Whether it’s stock iptables or a software firewall built on top of it such as the Advanced Policy Firewall (APF) or ConfigServer Security & Firewall (CSF), you’ll want to ensure that it’s enabled and properly configured. At the very least, you should try to limit SSH access to the server to your IP address, and you may wish to restrict FTP access as well. In addition, your web host may provide an application firewall such as ModSecurity (modsec); if they do, you can use custom rules to further enhance the security of your WordPress site.

Set Proper Permissions

All WordPress files and folders should have proper permissions and ownership. This basic, if often overlooked, step can deny attackers the ability to upload malicious files and easily execute code that can compromise not only your site, but also your server.

All WordPress directories should have “0755” permissions, and files should always have “0644” permissions. There are a very few cases which are exceptions to this rule, which can depend on your PHP handler and your hosting environment, but “0777” permissions on directories are never acceptable from a security standpoint. Typically, if you have shell access, you can quickly set proper permissions with the following commands:
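The book's own command list for setting permissions is not present on this page. As an added example that is not the book's code, the script below audits a tree against the 0755/0644 rule, singles out world-writable directories, and can repair what it finds; it builds a constructed throw-away directory so that it runs stand-alone, and audit_tree() can be pointed at a real document root.

```python
"""Audit (and optionally repair) WordPress file permissions: directories
0755, files 0644, and never a world-writable directory.

Added example, not the book's command list. build_sample_site() creates a
constructed miniature install with deliberately wrong modes so the audit
can be run without a real site.
"""
import os
import shutil
import stat
import tempfile

DIR_MODE = 0o755
FILE_MODE = 0o644


def audit_tree(root, fix=False):
    """Return (relative_path, actual_mode, expected_mode) for every deviation.

    With fix=True the mode is corrected as well. Symlinks are skipped so a
    link pointing outside the tree is never followed or chmod'ed.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        entries = [(dirpath, DIR_MODE)]
        entries += [(os.path.join(dirpath, name), FILE_MODE) for name in filenames]
        for path, expected in entries:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            actual = stat.S_IMODE(st.st_mode)
            if actual != expected:
                findings.append((os.path.relpath(path, root), actual, expected))
                if fix:
                    os.chmod(path, expected)
    return findings


def world_writable_dirs(findings):
    """The never-acceptable case singled out: directories anyone on the host can write to."""
    return [path for path, actual, expected in findings
            if expected == DIR_MODE and actual & stat.S_IWOTH]


def build_sample_site():
    """Constructed miniature install; modes are set explicitly so the umask does not matter."""
    root = tempfile.mkdtemp(prefix="wp-perms-")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    for rel in ("index.php", "wp-config.php", "wp-content/uploads/a.jpg"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("x")
        os.chmod(os.path.join(root, rel), FILE_MODE)
    os.chmod(root, DIR_MODE)
    os.chmod(os.path.join(root, "wp-content"), DIR_MODE)
    os.chmod(uploads, 0o777)                                   # the classic mistake
    os.chmod(os.path.join(root, "wp-config.php"), 0o666)       # world-writable credentials
    return root


def demo():
    """Audit the constructed site, repair it, audit again; returns what each pass found."""
    root = build_sample_site()
    try:
        before = audit_tree(root)
        audit_tree(root, fix=True)
        after = audit_tree(root)
    finally:
        shutil.rmtree(root)
    return {
        "before": sorted(path for path, _a, _e in before),
        "world_writable_dirs": world_writable_dirs(before),
        "after": after,
    }
```

Ownership is the other half of the rule in the text and is not covered here: a tree with correct modes but owned by the web server user still lets anything running as that user rewrite it, so check the owner alongside the mode.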
In Conclusion

… management interface, or a plugin solution such as BackupBuddy, you’ll want to make sure that you’re at least backing up your full WordPress installation directory and database.

Liquid Web is a privately held managed web hosting company founded in 1997. We own and operate three Data Centers in Lansing, Mich., a software development office and Data Center in metropolitan Phoenix, Ariz., a development space in Ann Arbor, Mich., and a Data Center in Amsterdam, NL. Our client base spans more than 150 countries and includes more than 30,000 customers, and our rapid expansion has earned us a spot on INC. Magazine’s 5000 Fastest Growing Companies list for nine consecutive years, beginning in 2007.

Liquid Web is committed to providing the most comprehensive hosting solutions and customer service available. Members of our Heroic® Support are professionally educated, certified by Cisco and Red Hat, and specialize in areas such as Technical Support, Server Setup, Database Administration, Advanced Networking, Security, Migrations, System Restoration, and more.