One of the most effective security best practices that is commonly overlooked on a WordPress website is the principle of least privileges, also known as the principle of least authority or the principle of minimal privileges. The idea is very simple: you do not grant a user or process more rights than it needs to accomplish its task.
Why Do Many Not Apply the Principle of Least Privileges in WordPress?
I have audited many WordPress websites, and one of the most common problems is WordPress user roles. In a typical environment every user is given the WordPress administrator role, even when the user only needs to input content written by someone else. The same applies to file and directory permissions, which are all configured with the least restrictive permissions.
WordPress administrators take this approach because it is the easy way out. Rather than checking what the user needs to do, we prefer to just assign the administrator role so he or she can do the work without asking for assistance. The same goes for file and directory permissions. For example, some WordPress plugins store cache files or other data on the file system, i.e. in the WordPress directories. It is easier to simply configure 777 permissions on the /wp-content/plugins/ directory because then all plugins will work and you do not have to keep troubleshooting and tweaking permissions each time you install a new plugin.
Hence, to avoid a bit of extra work and troubleshooting, and because allowing “all privileges” always works, many tend to ignore the principle of least privileges and leave their WordPress websites and blogs open to malicious attacks.
Applying the Principle of Least Privileges for WordPress
Below is a list of the places where the principle of least privileges can be applied to a WordPress website or blog, resulting in a more secure WordPress website.
WordPress Database User Privileges
Starting with the most basic: WordPress database user permissions, or privileges. For normal daily WordPress operations such as writing and publishing content, the WordPress database user only needs permissions to read, write, update and delete data within the database; it does not need to modify the WordPress database structure. Changes to the database structure are only needed when installing a new plugin that creates new tables, or when you update WordPress and the update changes the WordPress database schema.
In an ideal environment, to harden your WordPress installation, you should configure secure and restrictive WordPress database privileges and only revert to all privileges when installing a new plugin or updating WordPress. For more information on WordPress database privileges you can also read Why minimum MySQL user WordPress database privileges improve security, which explains in more detail the repercussions of an insecure configuration.
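The two privilege sets described above, as an added shell script that is not part of the original post: it prints (or feeds to the mysql client) the database-level grants for "daily" content operations and for "maintenance" work such as a plugin install or core update. The database name wp_site and the account wp_app@localhost are constructed names; the user is assumed to already exist and, as in a default WordPress setup, to currently hold privileges on that database.

```shell
#!/bin/sh
# Added example, not code from the original post: print (or apply) the MySQL
# privilege set for the WordPress database user in one of two modes:
#   daily       - content operations only: read, write, update, delete rows
#   maintenance - adds the schema-changing privileges needed while installing
#                 a plugin that creates tables or running a core update
# Assumed, constructed names: database wp_site, user wp_app@localhost.

DAILY_PRIVS="SELECT, INSERT, UPDATE, DELETE"
SCHEMA_PRIVS="CREATE, ALTER, DROP, INDEX"

# wp_db_grants MODE DB USER HOST -> prints the SQL for that mode.
# It first drops every database-level privilege the user currently holds
# (a default WordPress setup grants ALL on the database), then re-grants
# only what the mode needs. The user must already exist; REVOKE errors if
# the account holds no grant on that database.
wp_db_grants() {
    mode=$1; db=$2; user=$3; host=$4
    case "$mode" in
        daily)       privs="$DAILY_PRIVS" ;;
        maintenance) privs="$DAILY_PRIVS, $SCHEMA_PRIVS" ;;
        *) echo "usage: wp_db_grants daily|maintenance DB USER HOST" >&2; return 2 ;;
    esac
    printf "REVOKE ALL PRIVILEGES ON %s.* FROM '%s'@'%s';\n" "$db" "$user" "$host"
    printf "GRANT %s ON %s.* TO '%s'@'%s';\n" "$privs" "$db" "$user" "$host"
    printf "FLUSH PRIVILEGES;\n"
}

# apply_mode MODE DB USER HOST -> feeds the statements to the mysql client as
# an administrative account (prompts for that account's password).
apply_mode() {
    wp_db_grants "$@" | mysql -u root -p
}

# Stand-alone demonstration: switch to maintenance before a plugin install or
# core update, then back to daily once it is done.
echo "-- before installing a plugin / updating WordPress:"
wp_db_grants maintenance wp_site wp_app localhost
echo "-- normal operation:"
wp_db_grants daily wp_site wp_app localhost
```

Run `apply_mode maintenance wp_site wp_app localhost` before the install or update and `apply_mode daily wp_site wp_app localhost` afterwards; a global grant such as ALL ON *.* is not touched by the database-level REVOKE and must be removed separately.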
WordPress User Roles and Privileges
This is the most common problem: assign the administrator role to every user so everyone can do their job without asking you any questions. It is true that WordPress users make mistakes, or rather, any user can make mistakes, including administrators. Users also like to mess around. Hence if you give them admin access they can install plugins, and if you allow them to do so they will indeed install a plugin without asking, potentially jeopardizing the security of your WordPress blogs and websites.
WordPress has a number of built-in user roles and capabilities. Use them wisely, as explained in Use WordPress User Roles and Capabilities for Improved WordPress Security. There are also a good number of plugins you can use to create new roles should the built-in list not suffice.
File and Directory Permissions
When installing WordPress you should configure the least permissive file and directory permissions with which WordPress still works. It is very easy to do so, and there is ample documentation on how to harden the permissions of your WordPress installation.
By hardening the file and directory permissions you might also stop some WordPress plugins from functioning, though this should not be an issue. As explained earlier, you might need to install plugins that need to store data in their installation directory. If so, do not simply configure 777 permissions on the plugin directory because that is the easy way out. If need be, contact the plugin's support team and your hosting provider to ask which directories the plugin needs to write to, so you can configure adequate permissions specifically for those directories.
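The hardening just described, as an added shell script that is not part of the original post: it sets the usual 755/644 layout (640 for wp-config.php), then makes only the one directory a plugin has been confirmed to write to group-writable instead of 777 on the whole plugins directory, and lists anything still world-writable. The directory tree it runs on is constructed in a temporary folder; the web server group name is an assumption you pass in for a real site.

```shell
#!/bin/sh
# Added example, not code from the original post: apply hardened WordPress
# permissions, then open write access on exactly the one directory a plugin
# has been confirmed to write to, instead of 777 on all of wp-content/plugins.
# Assumed layout: files owned by the deploy user, group set to the web server's
# group (the group name, e.g. www-data, is an assumption; pass your own).

# perm_of PATH -> octal mode such as 644 (GNU stat, with BSD stat as fallback).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# harden_wp_perms WPROOT: directories 755, files 644; wp-config.php 640 so the
# web server group can still read the database credentials but "other" cannot.
harden_wp_perms() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 640 "$root/wp-config.php"
    fi
}

# grant_plugin_writable WPROOT RELDIR [GROUP]: make only RELDIR group-writable
# (775, never 777) and hand it to the web server group when one is given.
grant_plugin_writable() {
    dir="$1/$2"
    mkdir -p "$dir"
    if [ -n "${3:-}" ]; then
        chgrp "$3" "$dir"
    fi
    chmod 775 "$dir"
}

# world_writable WPROOT -> lists anything still writable by "other" (e.g. 777).
world_writable() {
    find "$1" -perm -002
}

# Stand-alone demonstration on a constructed tree; no real site is touched.
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/plugins/demo-plugin/cache"
touch "$demo/index.php" "$demo/wp-config.php" "$demo/wp-content/plugins/demo-plugin/demo.php"
chmod -R 777 "$demo"                     # the "easy way out" the post describes
harden_wp_perms "$demo"
grant_plugin_writable "$demo" wp-content/plugins/demo-plugin/cache
echo "world-writable after hardening (should be empty):"
world_writable "$demo"
echo "cache dir mode: $(perm_of "$demo/wp-content/plugins/demo-plugin/cache")"   # 775
rm -rf "$demo"
```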
WordPress Plugin Configuration
Not all administrators are equal; it is common to have a lead admin in a group of WordPress administrators. Typically it is the founder of the website, who has no option but to give admin access to other users to help with the day-to-day running of the website. Many WordPress security plugins store sensitive data, such as a WordPress security audit log.
Such plugins typically allow you to restrict access to that data from other WordPress administrators. Use such features. These are the small things that help you keep control of everything that is happening and ensure the security of your WordPress.
FTP Access for Third-Party Contractors
When you hire a designer, or a plugin's support team needs FTP access to your website, you would typically grant them full access to the root of your website. This is not necessary: if you hired a designer, all he needs access to is the theme's directory, so restrict his access to that directory only. The same applies to plugin support teams. If they need access to check log files, give them FTP access to the plugin's directory or to the location where the plugin stores its log files. If you have doubts about what access is required, do not be shy to ask; after all, you are the one who cares most about the security of your WordPress.
Use the Principle of Least Privileges for WordPress and Beyond
The above is just a list of the most common WordPress scenarios where the principle of least privileges is often overlooked but can easily be applied. It is definitely not a complete list, and there are many other situations where the same security principle can be applied. Many other components make up a WordPress website, especially when you look at the complete environment and include the web server, the database and the location where it is stored, customizations and much more. It all depends on you though.
Don’t shy away from applying the principle of least privileges simply because things don’t work straight out of the box. Yes, most of the time you have to spend a few hours doing some tweaks and troubleshooting for a plugin to work or to give a user access, but those few hours are nothing compared to the time and money you need to spend if the security of your WordPress is compromised.