Robert Rand
WordPress Security: Setting your Shields to Maximum
In sci-fi flicks, spaceships have shields. To advance the plot, these shields have to be lowered from time to time. This can leave highly advanced (and very expensive) spaceships susceptible to attack. It inevitably happens at the worst possible time!
WordPress sites face a similar dilemma. If you want the site to be accessible and performing well for visitors across the globe, you can’t have the shields at maximum. You need website visitors to be able to reach and surf your website.
On top of that, maintenance, upgrades and improvements, and adding new features to your site can occasionally lead to new security vulnerabilities.
However, if you have a good crew, good technology, and good procedures, you can thwart intruders from coming aboard and wreaking havoc.
WordPress is the most popular content management system (CMS) in the world, used to operate websites ranging from small blogs to large corporate and news websites. It’s also a popular CMS for businesses and organizations that operate online stores.
Whether you’re part of a team that uses WordPress as part of your ecommerce site or for a simple blog, the last thing you want is to leave your website vulnerable to cyber criminals.
These bad actors have many reasons for attacking websites, and in many cases, they aren’t interested in your organization or the content of your site. They commonly use automated systems to scour the internet for vulnerable sites and take advantage of holes in your virtual armor.
That’s why it’s important for all users to take the security of their WordPress software seriously, or risk the repercussions.
If your WordPress website falls victim to a security breach, it can wind up costing you not only time and money to remediate, but also your organization’s reputation, trust, and — in cases with compliance requirements — fines or other penalties.
There are frequent security patches and software update releases for WordPress. A public roadmap discloses the planned release schedule for new versions of the WordPress core software. Unscheduled minor releases are published as needed.
In fact, in 2019, WordPress was still publishing updates for versions as old as 3.7, even with version 5.3 already available and in use. If you add up all of the WordPress updates released in 2019 for the various actively supported versions of WordPress, you’ll find over 70 releases.
Additionally, WordPress has run a bug bounty program through HackerOne since July 2016. This lets the project pay security researchers for reporting flaws privately, so that patches can ship before attackers find and exploit the same vulnerabilities.
An up-to-date, properly hosted and operated WordPress website with firewalling, malware scanning, and intrusion detection is generally considered to have a sound security baseline. However, not all WordPress website owners follow these best practices.
For instance, according to a report by Sucuri, “2019 saw more high-severity vulnerabilities, partly due to the rise of attacks targeting the improper use of the WordPress update_option() function and other broken-by-design vulnerabilities.”
That same report found that WordPress instances are more likely to be up to date than many other CMS instances, because current versions have an automatic update feature built in. Even so, Sucuri reported that 49% of the WordPress installations in its sample were out of date.
Beyond updating WordPress, the same report also noted that “…well over two-thirds of websites found using PHP are using versions that have reached EOL, are not receiving security updates, and are therefore vulnerable.”
In other words, even if a WordPress site is updated and secured using best practices, the server where the website resides may not be receiving proactive maintenance and management services, leaving sites on that server vulnerable to an attack.
Not all hackers have the same reasons for trying to break into your site. This means that there are different attack vectors that you need to address proactively. Perhaps more importantly, it highlights the fact that your WordPress site is a target regardless of who you are or what your website’s content is about.
The most common motive is information theft: skimming sensitive data as visitors submit it. If your site has an ecommerce checkout or other forms, attackers want the card numbers and personal details that flow through them, typically by injecting a script into those pages that copies each submission to a server they control.
Another common attack involves gaining access to your account with your web hosting company to send out spam emails. This can negatively impact the deliverability of your future email campaigns.
While skimmers steal data as it is submitted, phishing attacks persuade users to hand over sensitive information directly, trading on the trust visitors place in your site or in content the attacker has planted on it. One common form is a login or payment form that doesn’t normally exist on your site.
Content injection refers to an attack that modifies the content of your site in some way, either by adding text or inserting links to another site to improve its SEO rankings. A common example is what’s known as a Pharma Hack, wherein bad actors use your website to promote their knock-off or other pharmaceuticals.
Regardless of why someone wants to keep your website from operating normally, they can try to tie up your site or hosting account so that legitimate users can’t get through. A Denial of Service (DoS) attack comes from a single source and is comparatively easy to block; a Distributed Denial of Service (DDoS) attack comes from a large network of compromised systems that together generate a surge of traffic with no single address to block.
Rather than insert something malicious into your site, some bad actors simply redirect visitors away from your pages to sites of their choosing: their own spam sites, sites that serve malware, phishing pages, or others.
Many cyber criminals rely on installing malware on the computers or cell phones of end users. Some will add malware to your website in the hopes that your website visitors will download and install it onto their devices. Sometimes that malware is disguised as something that seems like it belongs in your website, or it’s added to downloadable content that’s already included. In other cases, it’s set to automatically download when someone visits your website.
Rather than sneaking information away from your website in the metaphorical shadows, some cyber criminals will encrypt your data or steal all of your files and backups. Then they’ll charge you ransom to get your site back — a one-time payment which often must be made with cryptocurrency. Keep in mind that your only guarantee in these situations is the word of the perpetrators of this cyber crime, so victims that do pay a ransom may find themselves out of their data AND a ransom payment.
Whether bot attacks are a nuisance or a high-level security threat depends on their use case. Sometimes, bots are used to submit spam through your contact forms. In other cases, they’re attempting to place ecommerce orders with stolen credit cards, or testing username and password combinations (often credentials leaked from other breaches, a technique known as credential stuffing) to gain access to the admin area of a site.
The good news is that even with many hackers in the world seeking to break into WordPress sites, WordPress is a mature and popular software. The WordPress community has developed a variety of tools and best practices to keep your website safe and secure. These include a mix of web development, hosting, and admin best practices. You can rest assured that this community will continue to make security solutions available as any new threats arise.
It’s important to have your web hosting environment properly maintained and managed. A good host will holistically address important issues like firewalling and the patching of server software. Your web host should be able to address any compliances that you’re responsible for, such as PCI Compliance in the case of ecommerce websites. Teams like JetRails provide this type of holistic service, allowing you to rely on a trusted vendor to upkeep your hosting for you.
A web application firewall (WAF) is an important part of any hosting environment that contains a publicly accessible WordPress website. There are many cost-effective WAF providers, like Cloudflare, that can proactively block a variety of threats, from DDoS attacks to malicious bots. Keep in mind that a WAF filters requests in front of the application; it is a layer of defense, not a substitute for patching the vulnerabilities behind it.
Even with the strongest security measures, it’s important to be on the lookout for any security risk or signs of malicious code. A malware scanner, such as the server-side scanner provided by Sucuri, can help alert you to issues and give you a chance to address them before more significant damage is done.
You can also use tools like Sucuri’s file change monitoring tool or Tripwire’s file integrity monitoring solutions to track any changes to your WordPress site that may not have been initiated by you or your team.
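The file-change monitoring described above can be done with nothing but coreutils, which is useful as a second opinion when the scanner plugin itself might be the compromised component. The script below is an added example, not code from the article, Sucuri or Tripwire; the document root and baseline paths are placeholders.

```bash
#!/bin/sh
# Added example (not from the article or any vendor it names): a baseline-and-diff
# file integrity check for a WordPress document root using only coreutils.
# Usage (paths are assumptions):
#   fim_baseline /var/www/html /var/lib/fim/baseline.txt   # right after a clean install/update
#   fim_check    /var/www/html /var/lib/fim/baseline.txt   # from cron; nonzero exit means changes
export LC_ALL=C   # sort and join must agree on collation

# Write "path sha256" for every file under $1, sorted by path, into $2.
# Uploads and page caches change constantly and would bury real signals, so they
# are excluded here; a PHP file appearing under uploads deserves its own stricter check.
# Paths containing whitespace are not handled by this field-based approach.
fim_baseline() {
    docroot=$1; out=$2
    ( cd "$docroot" && find . -type f \
          ! -path './wp-content/uploads/*' \
          ! -path './wp-content/cache/*' \
          -exec sha256sum {} + ) | awk '{ print $2, $1 }' | sort -k1,1 > "$out"
}

# Compare the live tree with a baseline. Prints one "ADDED|REMOVED|MODIFIED path"
# line per change and returns 1 if anything differs, 0 if the tree is unchanged.
fim_check() {
    docroot=$1; baseline=$2
    current=$(mktemp)
    fim_baseline "$docroot" "$current"
    # Full outer join on path; a side that lacks the path gets the hash MISSING.
    changes=$(
        join -a 1 -a 2 -e MISSING -o '0,1.2,2.2' "$baseline" "$current" |
        awk '$2 == "MISSING" { print "ADDED " $1; next }
             $3 == "MISSING" { print "REMOVED " $1; next }
             $2 != $3        { print "MODIFIED " $1 }'
    )
    rm -f "$current"
    if [ -n "$changes" ]; then
        printf '%s\n' "$changes"
        return 1
    fi
    return 0
}
```

Store the baseline outside the document root (and ideally off the server), refresh it only after an update you performed yourself, and treat any ADDED .php file under wp-content as an incident until proven otherwise.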
If you don’t have your own 24/7 website security professionals on staff to utilize and leverage tools like Cloudflare and Sucuri for you, you can outsource this to a team with a Network Operations Center (NOC) like JetRails. JetRails will set up and configure your WAF, malware detection, intrusion detection, and more, while also fully managing your WordPress hosting environment and the underlying server/cloud platform.
The latest versions of WordPress include auto updating for the core WordPress software. Whether or not you auto-update, installing patches quickly after they’re released is important. So is keeping your WordPress theme and plugins up-to-date. Just as important, you should be selective about installing extras like plugins, and review plugins from time to time to remove software that you no longer need. In essence, this cuts down on your software footprint, lessening the amount of software you have to worry about potentially being compromised in the future.
Some information in life is “Need to know.” In the case of security access, similar guidelines apply. Users should only get access to your WordPress admin and/or hosting account when absolutely necessary. When they do, their level of access should be set accordingly. For instance, when you create WordPress user accounts, you can set roles such as Editor, Author, or Contributor for users that aren’t true admins.
Above and beyond having a firewall and WAF, you can take additional steps to protect your site from brute force attacks. One is to lock down the WordPress admin so that only visitors from whitelisted IP addresses can reach it. Note that the login form lives at wp-login.php and that xmlrpc.php also accepts authenticated calls (a single system.multicall request can carry hundreds of password guesses), so restrict those endpoints along with /wp-admin/, or disable XML-RPC if nothing uses it.
You can also require two-factor authentication or add a CAPTCHA to make it harder for attackers to cycle through usernames and passwords until they get into your admin panel. In addition, limit the number of login attempts a visitor can make before they’re locked out temporarily or banned from your site.
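Plugins and WAF rules enforce the lockout at request time; the server’s own access log is where you verify that the lockout is working and spot the clients it missed. The script below is an added example, not code from the article or any vendor it names: it reads combined-format log lines (constructed here for the example), counts failed login POSTs per client, and emits nginx deny rules. The log path and threshold are assumptions.

```bash
#!/bin/sh
# Added example: find clients brute-forcing wp-login.php or xmlrpc.php in a
# combined-format access log (nginx/Apache default) and emit deny rules.
# The lines written by write_sample_log are constructed for this example; in
# production point the functions at /var/log/nginx/access.log (assumed path).

# A failed WordPress login re-renders the form with HTTP 200; a successful one
# redirects with 302. xmlrpc.php answers failed calls with 200 too, and one
# system.multicall request can carry hundreds of guesses, so it is counted as well.
# Prints "count ip" for every client with more than $2 failed POSTs (default 10).
login_failures() {
    log=$1; threshold=${2:-10}
    awk -v t="$threshold" '
        $6 == "\"POST" && $9 == 200 &&
        ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) { n[$1]++ }
        END { for (ip in n) if (n[ip] > t) print n[ip], ip }
    ' "$log" | sort -rn
}

# Turn the offender list into an nginx "deny" snippet for the location block
# that serves wp-login.php and wp-admin (include it and reload nginx).
deny_snippet() {
    login_failures "$1" "$2" | awk '{ print "deny " $2 ";" }'
}

# Constructed sample log: one attacker against the login form, one against
# XML-RPC, a real user who mistyped twice before succeeding, and normal traffic.
write_sample_log() {
    out=$1; : > "$out"
    i=0; while [ $i -lt 12 ]; do
        printf '%s\n' '203.0.113.7 - - [12/May/2024:03:14:0'$((i % 10))' +0000] "POST /wp-login.php HTTP/1.1" 200 3842 "-" "python-requests/2.31"' >> "$out"
        i=$((i + 1))
    done
    i=0; while [ $i -lt 15 ]; do
        printf '%s\n' '198.51.100.23 - - [12/May/2024:03:15:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"' >> "$out"
        i=$((i + 1))
    done
    printf '%s\n' '192.0.2.44 - - [12/May/2024:09:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3842 "https://example.com/wp-login.php" "Mozilla/5.0"' >> "$out"
    printf '%s\n' '192.0.2.44 - - [12/May/2024:09:01:25 +0000] "POST /wp-login.php HTTP/1.1" 200 3842 "https://example.com/wp-login.php" "Mozilla/5.0"' >> "$out"
    printf '%s\n' '192.0.2.44 - - [12/May/2024:09:01:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"' >> "$out"
    printf '%s\n' '192.0.2.44 - - [12/May/2024:09:02:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 21873 "https://example.com/wp-login.php" "Mozilla/5.0"' >> "$out"
}
```

fail2ban ships with ready-made filters that do this continuously against the live log; the point of seeing it done by hand is knowing which request pattern counts as a failure (a POST answered with 200, not 302) and why xmlrpc.php belongs in the filter alongside wp-login.php.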
All websites should use a TLS certificate (still commonly called an SSL certificate) so that they load over HTTPS. This is doubly important for login pages, where your username and password must be encrypted from the moment you type them until they reach your web server. Similarly, use strong passwords and avoid predictable usernames such as admin. Changing the login URL away from the default wp-login.php makes automated scans miss you, but it is obscurity rather than a control; treat it as a supplement to the measures above, not a replacement.
Additionally, audit the user accounts in your admin from time to time and prune obsolete accounts you may have accidentally left active, such as one belonging to a former employee. Have a policy for rotating credentials, above all whenever someone leaves or a compromise is suspected; current NIST guidance (SP 800-63B) favors long, unique passwords checked against breach lists over calendar-based expiry, which tends to push users toward weak, predictable variations.
In the case of a significant security incident, you may be looking to backups to restore your website. Having backups of your WordPress files and database is crucial, but so are where those backups live and how many you keep. Whether the incident was the work of an outside attacker or a former employee, backups that sit inside the same hosting account can be deleted or encrypted along with the site before you get to them. Keep copies somewhere other than your own server, and make sure the credentials the web server uses to write backups cannot also delete them.
Additionally, in case you don’t notice that your site has been compromised immediately, having backups that go back for at least a few weeks can be very important. This is usually something that you’ll arrange with your web hosting provider.
Now that we’ve established that WordPress sites, like other sites built with popular software platforms, are often targeted by criminals and hackers, and we’ve hit on some important tools to help protect your site, it’s time to look at what you can do to verify the security of your site. After all, security is a moving target, and a single security hole or vulnerability is all that a hacker needs to ruin your day/week/month/year.
Many weaknesses in WordPress instances come from hosting accounts that contain out-of-date software, or that don’t adhere to proper firewalling and security practices. Consider a hosting security audit to make sure that your hosting environment is indeed safe.
Make sure that WordPress, your WordPress plugins, and WordPress themes are up to date. Be sure that all instances of WordPress (or other software) on your production server are similarly up to date.
There are free scans that you can run at a variety of sites, such as:
Keep in mind that a free scan will not be able to give as in-depth an analysis as a paid product. This is partly because these free scans will passively check items externally. Many paid scanners, on the other hand, will access your site through additional access that you provide — allowing them to more accurately and deeply scan your site.
You may think that your site is ready for a burst of traffic, but with a load test you don’t have to think, you can know. A load test simulates a traffic surge, which helps you understand how your site holds up under a healthy traffic increase and where capacity runs out under the kind of flood a Distributed Denial of Service (DDoS) attack produces. Bear in mind that a load test from one source is not a DDoS rehearsal; absorbing a real one is the job of your WAF or CDN provider.
Having a TLS certificate is important, but it could be expired, about to expire, or misconfigured (wrong hostname, incomplete chain, weak protocol settings). A quick free SSL test can spot obvious issues that you can then resolve with your web host.
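The same checks a free SSL test performs can be run locally against the certificate your server serves, which is handy in a cron job that warns you before a renewal lapses. This is an added example, not the article’s or JetRails’ tooling; it needs the openssl command line (1.1.1 or newer for -addext) and uses a self-signed certificate generated on the spot as its fixture. example.com and the file names are placeholders.

```bash
#!/bin/sh
# Added example: check a site certificate the way a free SSL test would, but
# offline with the openssl CLI. check_cert reads a PEM file; for a live site
# first save the leaf certificate the server actually sends (placeholders):
#   openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null \
#       | openssl x509 -outform PEM > live.pem

# check_cert <cert.pem> <hostname> [days]
# Returns 0 when the certificate matches hostname and is still valid `days`
# (default 14) days from now; prints each failure on stderr otherwise.
check_cert() {
    cert=$1; host=$2; days=${3:-14}; rc=0
    # -checkend takes seconds and exits 1 if the cert expires inside that window,
    # which catches a cert that is about to lapse, not just one that already has.
    if ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
        echo "FAIL: certificate expires within $days days ($(openssl x509 -in "$cert" -noout -enddate))" >&2
        rc=1
    fi
    # -checkhost applies the SAN / CN matching rules a TLS client uses and prints
    # "Hostname X does match certificate" or "Hostname X does NOT match certificate".
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match'; then
        echo "FAIL: certificate is not issued for $host" >&2
        rc=1
    fi
    return $rc
}

# Constructed fixture for trying the check offline: a throwaway self-signed
# certificate. make_cert <out.pem> <valid_days> [name]
make_cert() {
    name=${3:-example.com}
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=$name" -addext "subjectAltName=DNS:$name" \
        -keyout /dev/null -out "$1" 2>/dev/null
}
```

Run check_cert against the certificate fetched from port 443 rather than the file on disk: the two drift apart when a renewal succeeds but the web server is never reloaded, which is exactly the failure an external test catches and a local file check misses.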
Make sure that the only user accounts for your WordPress site and hosting account belong to active users and vendors. Verify that you’re adhering to the principle of least privilege. Ensure that passwords are strong, unique to this site, and not still shared with departed staff or vendors. To keep your own passwords secure, consider using a password manager like LastPass.
Don’t assume that your backups are healthy. Check. Verify that you have enough recent and historical backups, covering both files and the database, and spot-test them by actually restoring one to a staging environment. If your backups aren’t saving properly or are corrupted, it won’t matter how many you have.
There are a variety of WordPress security plugins, like Wordfence, that can help you monitor many facets of WordPress security and better protect your site. Wordfence in particular will alert you to a number of different security issues that you can then address.
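Serving both the off-server backup advice earlier and the check-your-backups point here, the script below is an added example and not the article’s or any host’s tooling. It assumes one backup layout (a tar.gz containing wp-config.php, wp-content/ and a mysqldump file named db.sql, table prefix wp_) and builds a small archive of that shape as a constructed fixture.

```bash
#!/bin/sh
# Added example: sanity checks for a WordPress backup archive, so you learn it is
# unusable before the incident rather than during it. Assumed layout (an
# assumption, not something the article specifies): a tar.gz with wp-config.php,
# wp-content/ and a mysqldump output file db.sql; table prefix defaults to wp_.
# In production run it against the copy that lives off the server (e.g. pulled
# back from object storage), because that is the copy you will restore from.

# verify_backup <archive.tgz> [max_age_days] [table_prefix]
# Returns 0 when every check passes; prints each failure on stderr.
verify_backup() {
    archive=$1; max_age=${2:-2}; prefix=${3:-wp_}; rc=0

    # 1. The whole archive must decompress and list; a truncated upload fails here.
    listing=$(tar -tzf "$archive" 2>/dev/null) || {
        echo "FAIL: $archive is unreadable or truncated" >&2; return 1; }

    # 2. Everything needed to rebuild the site must be inside.
    printf '%s\n' "$listing" | grep -qx 'wp-config.php' || { echo "FAIL: wp-config.php missing" >&2; rc=1; }
    printf '%s\n' "$listing" | grep -q '^wp-content/'   || { echo "FAIL: wp-content/ missing" >&2; rc=1; }
    printf '%s\n' "$listing" | grep -qx 'db.sql'        || { echo "FAIL: db.sql missing" >&2; rc=1; }

    # 3. The dump must have finished (mysqldump writes its "Dump completed" footer
    #    only at the very end) and carry the tables a site cannot live without.
    dump=$(tar -xzOf "$archive" db.sql 2>/dev/null)
    printf '%s\n' "$dump" | tail -n 3 | grep -q 'Dump completed' || { echo "FAIL: db.sql is incomplete" >&2; rc=1; }
    for t in options posts users usermeta; do
        printf '%s\n' "$dump" | grep -q "CREATE TABLE \`$prefix$t\`" || { echo "FAIL: table $prefix$t not in dump" >&2; rc=1; }
    done

    # 4. A backup nobody has written for days means the backup job broke silently.
    [ -z "$(find "$archive" -mtime +"$max_age")" ] || { echo "FAIL: backup is older than $max_age days" >&2; rc=1; }

    return $rc
}

# Constructed fixture: build a minimal but well-formed backup tree in $1 and
# archive it to $2. make_sample_backup <workdir> <out.tgz> [dump_footer]
make_sample_backup() {
    work=$1; out=$2
    footer=$3; [ -n "$footer" ] || footer='-- Dump completed on 2024-05-12  2:00:03'
    mkdir -p "$work/wp-content/plugins/akismet" "$work/wp-content/uploads"
    printf '<?php define("DB_NAME", "wp");\n' > "$work/wp-config.php"
    printf '<?php // plugin\n' > "$work/wp-content/plugins/akismet/akismet.php"
    {
        echo '-- MySQL dump 10.13'
        for t in options posts users usermeta; do
            echo "CREATE TABLE \`wp_$t\` (id bigint);"
            echo "INSERT INTO \`wp_$t\` VALUES (1);"
        done
        echo "$footer"
    } > "$work/db.sql"
    tar -czf "$out" -C "$work" wp-config.php wp-content db.sql
}
```

These checks catch the common silent failures (a cron job that stopped, a dump cut short by a timeout, an archive truncated in transfer); they do not prove the backup restores, which is why the spot-test restore to staging above still matters.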
There are a variety of tools available online to check your domain and your IP address for blacklistings. In essence, this tells you if different security services believe your systems have been compromised.
In some cases, you may be identified as a source of spam emails. In other cases, your site may appear as a source of malware. Regardless of why your site is blacklisted, this can tip you off to a problem. Blacklistings can stop users from accessing your site or receiving your emails. Just be wary of unscrupulous blacklists, which exist to charge you fees to become whitelisted.
If you don’t have the time and/or expertise to confidently determine if your site is safe and secure or to manage a variety of security systems and vendors on an ongoing basis, consider a formal security audit or ongoing managed services provider that can help track and maintain security by working with you and your web developers.
Nothing on the web is inherently secure. This is doubly true for websites and resources that are made available to the public at large. Websites that use WordPress are made secure by their owners following best practices and leveraging tools, systems, and perhaps most importantly, teams of people that will proactively help them keep their sites safe and secure. WordPress can be a secure platform to operate your website, but only if you make security an ongoing priority.
Robert is the head of partnerships at JetRails, a mission-critical ecommerce hosting service that provides Headless Commerce website hosting for BigCommerce users. Robert has over a decade of experience in helping merchants benefit from sound ecommerce and Digital Marketing strategies, assisting organizations of all types and sizes to grow and succeed via digital commerce. Robert is a frequent author and thought contributor in the ecommerce industry, and is the host of The JetRails Podcast.