Similar to all other types of IT security, WordPress security is neither just about hardening nor a one-time process. It is a continuously evolving process, made up of a number of procedures that need to be revisited from time to time. As a matter of fact, securing your WordPress websites and keeping them secure from malicious hacker attacks over a number of years are two different ball games.
This article explains the process needed for the latter. It uses the WordPress security wheel, which highlights the four different stages you must go through to ensure the long-term security of your WordPress websites and blogs.
1. WordPress Hardening
First things first: secure your WordPress website. I won’t be diving deep into how to secure your WordPress website since you can find ample information about that in our WordPress security blog. Here are some basic pointers to help you get started:
- Take care of the defaults: for example, rename the WordPress database prefix and do not use predictable or default usernames such as admin.
- Apply secure WordPress database privileges.
- Access the WordPress admin pages over HTTPS (SSL) and implement two-factor authentication. Alternatively, add an additional layer of security by implementing HTTP authentication for your WordPress admin pages.
- Install a WordPress firewall plugin or use an online WordPress firewall service. If you are new to firewalls I would recommend you first read this detailed article about what WordPress firewalls are.
- Use strong credentials, including very complex passwords, and make use of the WordPress user roles.
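Several of the pointers above (the default table prefix, predictable database usernames, weak database passwords, admin pages not forced over HTTPS) can be checked straight from wp-config.php. The following script is an added example, not code from the article or from any plugin it mentions: it parses the `define()` calls and `$table_prefix` assignment from a wp-config.php text and reports which of those defaults are still in place. The two config fragments are constructed samples; the `FORCE_SSL_ADMIN` constant is WordPress' own setting for forcing admin traffic over HTTPS, while the username list, password rule and the name `audit_wp_config` are this example's choices.

```python
import re

# Constructed wp-config.php fragments (not from the article). The first keeps the
# WordPress defaults the article warns about; the second has them fixed.
WEAK_CONFIG = """
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'root' );
define( 'DB_PASSWORD', 'password' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'wp_';
"""

HARDENED_CONFIG = """
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wp_app_ro7' );
define( 'DB_PASSWORD', 'Vq8#mL2p!xR9sT4w' );
define( 'DB_HOST', 'localhost' );
define( 'FORCE_SSL_ADMIN', true );
$table_prefix = 'k3x9_';
"""

# define( 'NAME', value );  -- value is a quoted string or a PHP boolean.
# Limitation: a password containing ");" would confuse this simple pattern.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""")

# Usernames this example treats as predictable (an illustrative list).
PREDICTABLE_DB_USERS = ("", "root", "admin", "wordpress", "wp")


def parse_wp_config(text):
    """Return (defines, table_prefix) extracted from a wp-config.php text."""
    defines = {}
    for name, raw in DEFINE_RE.findall(text):
        raw = raw.strip()
        if raw.lower() in ("true", "false"):
            defines[name] = raw.lower() == "true"
        else:
            defines[name] = raw.strip("'\"")
    match = PREFIX_RE.search(text)
    return defines, (match.group(1) if match else None)


def password_is_weak(password):
    """Illustrative rule: shorter than 12 characters or fewer than 3 character classes."""
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    return len(password) < 12 or classes < 3


def audit_wp_config(text):
    """Return a list of findings; an empty list means none of the checked defaults remain."""
    defines, prefix = parse_wp_config(text)
    findings = []
    if prefix is None or prefix == "wp_":
        findings.append("default table prefix 'wp_'")
    if defines.get("DB_USER", "") in PREDICTABLE_DB_USERS:
        findings.append("predictable database username")
    if password_is_weak(defines.get("DB_PASSWORD", "")):
        findings.append("weak database password")
    if defines.get("FORCE_SSL_ADMIN") is not True:
        findings.append("FORCE_SSL_ADMIN not enabled (admin pages not forced over HTTPS)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_wp_config(cfg) or "no findings")
```

Run it against a real wp-config.php by reading the file into a string and passing it to `audit_wp_config`; the checks for 2FA, HTTP authentication and the firewall live outside wp-config.php and are not covered here.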
There are many other WordPress security hacks you can apply to improve the security posture of your WordPress website. Refer to our WordPress security tutorials and tips to keep yourself informed.
2. Monitoring Your WordPress
Considering that there is no bulletproof security solution, logs and WordPress audit trails play a major role in managing the security of your WordPress websites. You can use a plugin such as WP Security Audit Log to keep an eye on everything that is happening on your WordPress website. The benefits of keeping an audit trail on WordPress are manifold: it allows you to keep track of your users’ productivity and, at the same time, to identify suspicious behaviour at an early stage, helping you thwart malicious hacker attacks before they actually happen and damage your WordPress website.
Logging Can Also Be Used for Forensics
Logging can also be used for forensic purposes. Should a malicious hacker gain access to your WordPress website you can use the logs to analyse from where the hacker gained access to your WordPress, and what he did. By identifying the source of the attack you can fix the exploited vulnerability and remove the malware from your WordPress, to ensure your website is not hacked again and re-infected once cleaned.
Web Server, Database Server and Other Logs
Don’t limit yourself to WordPress logs only. There are many other logs that can help you keep an eye on what is happening on your WordPress and web server in general. From time to time you should analyse the web server logs, the database server logs and also the PHP error logs. Such log files contain a wealth of information that can also help you ease the process of troubleshooting both security and non-security WordPress problems.
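The web server logs mentioned above are where repeated login attempts against wp-login.php show up, which serves both the early-warning use in the monitoring section and the forensic question of where an attacker got in. The script below is an added example, not code from the article or from any product it names: it parses combined-format access log lines and flags any client that posts to wp-login.php repeatedly within a short window. The log lines are constructed samples with documentation-range addresses; the threshold and window are illustrative. The status interpretation relies on WordPress' default behaviour of answering a failed login with a 200 (the form is shown again) and a successful one with a 302 redirect into wp-admin.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed combined-format access log (not real traffic): one client hammers
# wp-login.php and then gets a 302, the other client is an ordinary editor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2016:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.9"
203.0.113.7 - - [10/Mar/2016:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.9"
198.51.100.4 - - [10/Mar/2016:13:55:03 +0000] "GET /2016/03/hello-world/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2016:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.9"
203.0.113.7 - - [10/Mar/2016:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.9"
203.0.113.7 - - [10/Mar/2016:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.9"
198.51.100.4 - - [10/Mar/2016:13:56:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2016:13:56:11 +0000] "GET /wp-admin/ HTTP/1.1" 200 15230 "-" "Mozilla/5.0"
"""

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    match = LOG_RE.match(line)
    if not match:
        return None
    rec = match.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_login_bursts(log_text, threshold=4, window=timedelta(seconds=60)):
    """Return {ip: summary} for clients with >= threshold failed wp-login.php
    POSTs inside `window`. A failed login is a 200 (form re-rendered); a 302
    after the burst means a login succeeded and deserves a closer look."""
    attempts = defaultdict(list)  # ip -> [(timestamp, status), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"].split("?")[0].endswith("/wp-login.php"):
            attempts[rec["ip"]].append((rec["ts"], rec["status"]))

    alerts = {}
    for ip, events in attempts.items():
        events.sort()
        failed = [ts for ts, status in events if status == 200]
        # Sliding window: does any run of `threshold` failures fit inside `window`?
        burst = any(
            i + threshold - 1 < len(failed) and failed[i + threshold - 1] - start <= window
            for i, start in enumerate(failed)
        )
        if burst:
            success_after = any(status == 302 and ts >= failed[0] for ts, status in events)
            alerts[ip] = {"failed": len(failed), "success_after_burst": success_after}
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_login_bursts(SAMPLE_LOG).items():
        print(ip, summary)
```

Feed it the contents of the real access log instead of `SAMPLE_LOG`, and tune `threshold` and `window` to the login rate your own users produce; a burst followed by a 302 is the record you would pull first when tracing how a compromise started.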
3. Test the Security of your WordPress
Once you have hardened your WordPress website and implemented all the monitoring tools, it is time to test the security of your WordPress website. Yes, you’ve read it correctly: testing.
During the testing phase you can use the same tools that malicious hackers use to find security weaknesses in your WordPress websites. By emulating malicious attackers you get a better understanding of the state of security of your WordPress website, and hence can further improve its security posture. The testing phase also allows you to confirm that the security and WordPress monitoring solutions you have just implemented are working; for example, confirm that all suspicious behaviour is being logged.
Tools for Testing the Security of Your WordPress
There are many tools you can use to test the state of security of your WordPress website, most of which are available for free. You can use WPScan to scan your WordPress and use a scanner such as Nmap to scan the web server.
A proper penetration test should include more than just two scans, though with these scans you can at least address the basics. Speak to WordPress security professionals for a complete security audit, or else install Kali Linux, an open source operating system fully loaded with security tools and get started for yourself.
4. Continuously Improve and Manage the Security of Your WordPress
Improve the Security of your WordPress
Once you have completed the hardening, enabled all logging and tested everything, it is time for the next phase: managing and improving the security of your WordPress. New exploits, vulnerabilities and security tricks are discovered on a daily basis, therefore you have to keep on improving the security state of your WordPress. Do not shy away from the continuous part of it; it is not as hard as you’d think.
It all starts with keeping ALL your software up to date. By all software we mean the WordPress core, plugins and themes, the web server including the operating system, the network services and frameworks, your own computer including the operating system, FTP and SSH client software etc. So basically anything that can be updated should be kept up to date.
Manage the Security of Your WordPress
Once at this stage, you should go through the cycle again each time you update your software, install something new or add new functionality to your WordPress. It might sound like too much, but once you get into the cycle it does not take a lot of time. Keep in mind that while you have the difficult job of finding and closing all possible security flaws in your website, an attacker has the easy job of finding only one to break into your website.
5. Keep Yourself Informed on WordPress Security
Keeping yourself informed is a very important aspect of WordPress security. It might not be part of the security wheel, but by knowing about the latest WordPress security issues and tricks you can stay one step ahead of the bad guys. Granted, if WordPress security is not your cup of tea you will never be able to do a proper penetration test the way WordPress security professionals can. Though by keeping yourself informed and taking all the basic precautionary measures you are protecting your WordPress from more than 90% of the typical WordPress attacks.
To keep yourself informed, follow the RSS feed of WP Security Bloggers, an aggregate of the top WordPress security websites. And do not forget that the WordPress security wheel needs to keep turning, so for every change or new thing you implement on your WordPress you have to:
- Harden it
- Monitor it
- Test it
- Manage it