Protect your WordPress site and its network
by Costel Anton
Secure and Protect your WordPress site and its network
Successful WordPress WordPress is secure, but as with any technology that’s experienced such rapid growth, following a series of best practices can help keep it that way. In this white paper, we’ll dig into 10 best practices for keeping your WordPress deployment secure. Whether you’re using WordPress to power your blog or your Enterprise website, following these best practices will help you protect your site from possible attacks and vulnerabilities, and ensure that your WordPress deployment is secure and successful.
WordPress as an Enterprise Platform
From single developers to Fortune 100 companies, the number of organizations turning to WordPress is skyrocketing. To date, there are more than 68 million active WordPress sites serving a whopping 3.5 billion pages each month. More than half of the top 100 blogs on the Internet now run WordPress, and not just for their blogging needs; many organizations leverage WordPress for their entire web presence. All told, nearly a quarter of all sites on the web are WordPress sites. Check out some of the more notable sites running on WordPress: https://wordpress.org/showcase.
WordPress Security Misconceptions
It’s no question that WordPress security is mission critical. And when kept up-to-date, WordPress is extremely secure. Te WordPress open source project has a large, talented, and dedicated set of contributors who manage regular releases, patches, and security fx schedules to complement carefully vetted feature introductions. Te sheer number of eyes and hands across the world working in common cadence on the WordPress project is a key enabler of WordPress’ success and growth as a web platform.
However, security goes beyond the WordPress core code base. Security management responsibilities still ultimately fall on internal IT departments, primary users, and external platform providers. It’s imperative that all parties understand potential risks, and how to mitigate them.
Securing Content Systems
In most organizations, security is the responsibility of IT managers and their departments. For these technical leaders, security is a challenging topic to address in any environment; especially one with complex components, and the involvement of multiple departments such as Marketing. WordPress deployments are a key example of this. Whether securing critical core business data systems or reviewing the risks posed by a WordPress site, IT managers know that they need to have profciency in the tools used in every part of their enterprise.
With each part of an IT infrastructure having its own security best practices to follow, patching regimes to adhere to, and security assurances to validate, building in-house expertise may not be feasible or cost-efective. Even when such experience is present, a single security ofcer or small team usually cannot match the breadth and depth of a service provider that specializes in running a platform securely at scale. Tus, seeking an experienced partner to help with WordPress-specifc security needs will reduce risk. Providers like WP Engine allow organizations to focus on other IT initiatives and take the heavy-lifing and worry away from the IT team. Now, let’s discuss some provider-agnostic WordPress security best practices, the specifc benefts of Managed WordPress platforms (like Promo SEO), and ways to ensure WordPress security for successful deployments within an Enterprise.
WordPress Security Best Practices
Whether the choice is made to leverage a partner to assist with WordPress deployments, or an organization wishes to attempt to confgure things itself, here are common ways to proactively think about WordPress security and stay ahead of any possible issues
Generally, WordPress security problems arise from three primary culprits:
• Out-of-date WordPress installations and weak password policies
• Inadequately developed or tested plugins and themes
• A default server environment and LAMP stack, poorly tuned for WordPress
The following 10 best practices can mitigate these issues and ensure a more secure and successful WordPress deployment, regardless of provider or method of hosting.
1. Make WordPress core code updates quickly.
Keeping “core” up-to-date is incredibly important for security. Un-patched core installations are ofen a primary attack vector since many of the WordPress updates and patches are designed to improve security. Using a tool like WP Updates Notifer can help organizations stay on top of important updates to the WordPress core. It’s important to always watch for updates and to make them as soon as possible.
2. Proactively upgrade plugins and themes as new versions become available.
Along with outdated core WordPress components (as listed above), out-of-date plugins and themes are among the most easily compromised components of a WordPress installation, particularly due to a lack of current patching. Te plugin dashboard provides notifcations as updates become available. Additionally, auditing currently installed plugins is easy with the “Plugins Last Updated” plugin or the “No Longer in Directory” plugin. “Plugins Last Updated” shows when an installed plugin last received an update, as long as it’s listed in the WordPress.org plugin repository. Complementarily, “No Longer in Directory” scans plugins to check for ones that have been removed from the WordPress.org repository.
If the plugin has been removed, there is usually a good reason why, whether it is a security issue, poor performance, or other such culprits.
3. Prevent snifed login attempts.
Securing the wp-login.php and wp-admin areas of a WordPress installation with an SSL certifcate and/or VPN solution can greatly reduce snifed login attempts. Additionally, utilizing a login solution based on directory services such as Google Apps Authentication, LDAP, or SAML is an important step in adding security to the login process. A great plugin for Google Apps Authentication is: Google Apps Login. Furthermore, some organizations go as far as eliminating local WordPress login support altogether. Additional security is achieved by ONLY allowing logins from a particular set of users from a particular domain with one of the authentication mechanisms above. Overall, this not only reduces the chance of compromised WordPress accounts, but allows for hassle-free account creation and management as well.
4. Enforce strong passwords.
Weak passwords are one of the easiest ways to fall victim to brute force or “dictionary” attacks. It is imperative to ensure all users use strong passwords. An easy way to achieve this is by enforcing use of the “Force Strong Passwords” plugin.
In addition to a strong password creation policy, IT managers should regularly change administrator account passwords as well. Te “Expired Password” plugin is an easy way to manage this for all users. Lastly, remembering complex passwords that change ofen can be difcult. Suggest using something like 1Password or LastPass to users helps to manage these passwords securely and easily.
5. Remove the “admin” account.
Te “admin” account is a default account on every WordPress installation. If the “admin” account is kept active and not disabled or removed, half of the puzzle is already solved for an attacker. Te attacker no longer would need to guess a username AND a password to compromise a blog or website; a password is all that is needed. Removing the “admin” account or changing the username prevents a WordPress site from being open to automated attacks. Doing this is as easy as logging into your WordPress account, going to the “users” section, and deleting or renaming the “admin” account/username. To be continued by Promo SEO Protect your WordPress.
June 16, 2017