WordPress security is not unlike many other areas of IT security. It’s not a one-time fix; it is something that is never actually finished. Whilst there are several steps you can take to improve your WordPress security, your site and business requirements will change, so a point-in-time security assessment will only give you a false sense of security. Instead, the winning strategy is to follow a continuous process: constantly testing your defenses and iterating on the results to improve your website’s security posture.
This article aims to offer a simple-to-follow, long-term iterative process you can implement to ensure your WordPress security efforts are continuous and remain relevant to the threat landscape you and your business are operating in.
1. Test WordPress Security
Most WordPress security journeys start here; you’ve noticed something misconfigured about your WordPress installation, or you read about using tools like WPScan or nmap to assess the security of your WordPress website. Maybe you’ve been the victim of a security incident and you’d like to read up on how to test your WordPress security.
Security testing is a vital step in a continuous WordPress security strategy. By looking at your website through the same lens as that of an attacker, you are able to better understand its security posture. This means you get to know what can be done to harden your defences against weaknesses you identified. See step #2 for more detail on this.
If you’re not sure where to start with testing your WordPress security, hire a third-party professional. Of course, nothing stops you from gradually building up your knowledge to pentest your WordPress website yourself.
2. Hardening WordPress
Once you have an understanding of what your security testing has uncovered, it’s time to harden your WordPress installation. By default, WordPress is reasonably secure. However, there are plenty of choices, optimizations and changes you can make to your WordPress setup and server infrastructure to make an attacker’s life harder, many of which will depend on your use case. This process is usually referred to as “security hardening”, or simply “hardening”.
Hardening your WordPress installation is not a one-time affair. You will need to install new plugins and extend your WordPress site’s functionality to accommodate changing business needs. Certainly there is no shortage of resources to get you started with shoring up WordPress security. The following are two core principles you should stick to when hardening your WordPress setup.
Run less software
Initially, “run less software” doesn’t sound very helpful. However, you are most probably running more software than is necessary, which also means more room for attackers to exploit potential weaknesses within that extra software.
If you’re not sure where to start, start by taking a look at your WordPress plugins. Ask yourself what you can do without and remove. Apply the same principle to PHP extensions, web server configuration, and operating system tools and network services.
Stripping away software is generally not an easy process to begin with, and each time you go through this exercise it will become harder. The outcome of running a leaner system is worth the effort, though.
Aside from always making sure to test out any changes in a testing or staging environment, you also want to make sure you do not remove software such as your WordPress firewall, WordPress activity log, or your WordPress file integrity monitor plugins, which are there to improve your WordPress security.
This also applies to deactivated plugins and themes. Deactivated plugins should be deleted straight away, because in some cases their code can still be exploited if it is vulnerable. As for themes, your website only uses one theme, or maybe two if you have a child theme set up. Delete all the additional themes on your website, including the default ones shipped with WordPress.
Least privilege principle
WordPress does not need the root MySQL user to run. Likewise, it’s a bad idea to run most software as root on Linux servers (equivalent to Administrator on Microsoft Windows). Only use the admin / root accounts if there is a justifiable reason to do so.
To that end, as a general rule, always try your hardest to give an application or user the least privileges needed to get the job done. Of course, running everything as root or administrator means everything will work without you having to bother about privileges. However, it is potentially very dangerous: running applications (including tasks such as cron jobs) with administrative privileges may allow an attacker or a malicious plugin to cause far more damage in the event of a security breach.
If you’re not sure where to start, take a look at who is an administrator within WordPress and decide whether you need to limit that in some way. While you’re at it, make sure you’re accessing the WordPress admin via HTTPS (SSL) and that you have implemented two-factor authentication (2FA), or at the very least HTTP authentication in front of your WordPress admin.
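As an added example (not from the original article), a small Python check for two of the points above: it parses the define() calls in a wp-config.php and flags a privileged MySQL user or an admin area that is not forced onto HTTPS. The config fragment is constructed; FORCE_SSL_ADMIN is the standard WordPress constant for forcing SSL on the admin area, and the list of privileged account names is an assumption.

```python
import re

# Constructed sample wp-config.php fragment (not taken from any real site).
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'root' );
define( 'DB_PASSWORD', 'example-password' );
define( 'DB_HOST', 'localhost' );
define( 'FORCE_SSL_ADMIN', false );
"""

# Matches define('NAME', value) where value is a quoted string or a bare true/false.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](\w+)['"]\s*,\s*(?:['"]([^'"]*)['"]|(true|false))\s*\)""",
    re.IGNORECASE,
)

# Account names that should never be used as the WordPress database user (assumption).
PRIVILEGED_DB_USERS = ("root", "admin")


def parse_defines(php_source):
    """Return a dict of constant name -> value (str for quoted values, bool for true/false)."""
    consts = {}
    for name, quoted, boolean in DEFINE_RE.findall(php_source):
        consts[name] = (boolean.lower() == "true") if boolean else quoted
    return consts


def audit_wp_config(php_source):
    """Return a list of findings; an empty list means the checked settings look fine."""
    consts = parse_defines(php_source)
    findings = []
    db_user = consts.get("DB_USER", "")
    if db_user.lower() in PRIVILEGED_DB_USERS:
        findings.append(
            "DB_USER is '%s': WordPress does not need a privileged MySQL account" % db_user
        )
    if consts.get("FORCE_SSL_ADMIN") is not True:
        findings.append(
            "FORCE_SSL_ADMIN is not true: wp-admin logins may be sent over plain HTTP"
        )
    return findings


if __name__ == "__main__":
    for finding in audit_wp_config(SAMPLE_WP_CONFIG):
        print("WARNING:", finding)
```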
Of course, there are several other WordPress security hardening tips you can put in place to improve the security posture of your WordPress website. Refer to our WordPress security tutorials and tips to learn more.
3. Monitor WordPress
Logs are absolutely crucial to keeping any system secure. They are the closest thing we have to a time machine: being able to answer what happened and when is indispensable when investigating a security incident. Having access to the right logs can spell the difference between noticing that an attacker has gained a foothold on your website and letting a heist go unnoticed until it’s too late.
Complementary to logging is monitoring. In its most basic form, monitoring waits for some event to occur (usually by periodically looking at a log), records it, and is usually configured with some kind of alerting so that a system administrator is notified that something happened (a WordPress intrusion detection system, for example). While many system administrators typically monitor CPU and memory usage, they may not be monitoring access to WordPress at all.
WordPress activity logs
Being able to look back at a WordPress activity log to figure out exactly what a user has done within a particular time frame is a crucial analytical tool in an investigation. Additionally, you would want to be able to correlate this information with web server, PHP error and database logs. Here are a few tips to make sure you’re covering at least basic log handling correctly.
- Make sure you are properly rotating your logs so that you don’t run out of disk space.
- Back up your logs periodically to an off-site location (e.g. Amazon S3 or DigitalOcean Spaces).
- Decide how long you want to retain the logs and configure the activity log retention policies accordingly. At least one year of retention is advised.
- Make sure you have a quick way to access important information in your logs during an incident.
Apart from the WordPress activity logs, as a site administrator you have access to many other logs, such as the web server logs, PHP logs, and many others. Refer to the list of log files for WordPress administrators to learn more about all the different log files you have access to. The post also highlights how you can use the information from all of the logs to trace an incident or attack.
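As an added example (not from the original article) of the kind of monitoring described in this section, the Python below reads web server access log lines in the common “combined” format and flags source IPs with a burst of failed logins against wp-login.php, the sort of event an administrator watching only CPU and memory would never see. The log lines are constructed, and the threshold and time window are assumptions to tune for your own site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache/nginx "combined" log format (not from a real server).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [10/Mar/2024:14:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:14:02:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:14:02:05 +0000] "GET /about/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:14:02:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:14:02:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:14:30:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# client IP, timestamp, method, path, status code
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def detect_login_bursts(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: count} for IPs with >= threshold failed wp-login.php POSTs inside one window."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines rather than crashing the monitor
        ip, ts, method, path, status = m.groups()
        # A POST to wp-login.php answered with 200 re-renders the form (login failed);
        # a successful login is answered with a 302 redirect to the dashboard.
        if method == "POST" and path.startswith("/wp-login.php") and status == "200":
            attempts[ip].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
    alerts = {}
    for ip, times in attempts.items():
        times.sort()  # lines from busy servers are not always written in time order
        for i, start in enumerate(times):
            in_window = sum(1 for t in times[i:] if t - start <= window)
            if in_window >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), in_window)
    return alerts


if __name__ == "__main__":
    for ip, count in detect_login_bursts(SAMPLE_ACCESS_LOG).items():
        print("ALERT: %d failed wp-login.php attempts from %s" % (count, ip))
```

In production the same function would be run against the live access log on a schedule, with the alert dictionary handed to whatever notification channel your administrators already watch.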
4. Improve your WordPress security
Once you’re done with the cycle outlined above, the next step is to analyze what you can do better the next time around. As discussed at the beginning of the article, bear in mind that security is a continuous process: keep up to date with WordPress security news and, critically, make sure you are always on top of WordPress security updates.
Once you have gone through this process a few times, document the specifics of your own process and make it a routine you follow regularly. Furthermore, whenever you introduce changes to your WordPress website, keep security in mind: follow the iterative WordPress security process of Testing, Hardening, Monitoring and Improving your website’s security whenever you make a change on your website.