The Basics of WordPress Security

The basics of WordPress security begin with your hosting platform. I use HostGator. Use a non-shared hosting plan. If you can afford the bill, sign up for a Managed WordPress or VPS account. If you’re the WordPress designer and you can’t afford those hefty prices, and you like to learn everything you can about WordPress (even what to do when your site gets hacked), then get started on the Hatchling plan with HostGator and make backups every week so you can always restore your site. You’ll learn how to fix those hacks, if that’s your thing. If it’s not your thing, make it so, so that you know how to fix your clients’ hacked sites. Here is my affiliate link; give me some luvin’ and get yourself a discount on HostGator when signing up, or use this coupon code at checkout: lionsdendesigns.

Why should you use a Managed WordPress or VPS account? First, it’s your own server; no one else is hosted on it as your neighbor, as is the case with shared hosting. If that neighbor gets hacked, it will slow down your site, or the hack may spread to you. Second, Managed hosting means there is a dedicated team watching your server and keeping it as secure as possible, and Managed WordPress is the same thing plus tech gurus who are passionate about all things WordPress. A VPS account, correct me if I’m wrong, doesn’t have a special team behind it; you are the person who works on everything, even when it breaks. You still have tech support available in a chat window, a phone call away or a support ticket away. I find the former two are faster in response time, and the latter is best when you need to pull up a history of activity on the ticket. The kind of hosting you choose should be a no-brainer, but when you’re new you don’t know where to start, so you usually choose the cheapest solution, and some fall for the FREE deals.

The first line of defense, in hosting and in every section I’ll write about below (call it a subtle ‘zero’, the least-considered topic of all), is your choice of usernames and passwords. I’ve had far too many clients default to two habits. The first is choosing the username that every new WordPress site used to get on install, ‘admin’ (no longer the case); the second is choosing a password that was easy for them to remember from anywhere. And then they used that same combination on every single online account they had, even their personal accounts. Yikes! And even after I had generated a secure password for them, they changed it to something “easier” to remember. That always makes me feel extremely uneasy, because I can already guess what’s in their site’s future. I have my clients’ best interest in mind when I generate those cumbersome passwords.

Over the years, I moved away from usernames and passwords that were too simple to remember. I recommend using a password manager that is encrypted and that you pay for, at least in part. There’s 1Password and LastPass, to name two. I’ve moved across multiple operating systems, many a time. These managers require you to remember a single username and password (which I’ve made long and complicated); then you store all your sites’ usernames and passwords in an encrypted file. In other words, your login is the key that unlocks the encrypted vault and decrypts it for your eyes only. Within the manager, I generate usernames and passwords for clients, starting at 20 characters or above. The longer and more complicated it is to remember, with no repeats in a row, no patterns, and a mix of symbols and capitalization, the harder it is to crack. Mind you, the cracker is a bot or program, not a human being. The easier you make the password for yourself to remember, the less time it takes to crack. I also encourage you to set up two-step authentication wherever it’s available, as an added security level.
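As an added illustration (this is not code from the post), here is what a manager's generator is doing for you, with the 20-character floor, four character classes and no-repeats rule from the paragraph above, plus the brute-force bound behind "longer is harder". The guess rate of 1e10 per second is an assumed figure for an offline cracking rig, and the bound only covers exhaustive search, not dictionary or pattern guesses.

```python
import math
import secrets
import string

CLASSES = {  # character class -> (its characters, the alphabet size it contributes)
    "lower": (string.ascii_lowercase, 26), "upper": (string.ascii_uppercase, 26),
    "digit": (string.digits, 10), "symbol": (string.punctuation, 32),
}
ALPHABET = "".join(chars for chars, _ in CLASSES.values())  # 94 symbols in total

def classes_used(pw):
    return {name for name, (chars, _) in CLASSES.items() if any(c in chars for c in pw)}

def meets_policy(pw, min_length=20):
    """The post's rules: 20+ characters, all four classes, no character repeated in a row."""
    no_runs = all(a != b for a, b in zip(pw, pw[1:]))
    return len(pw) >= min_length and classes_used(pw) == set(CLASSES) and no_runs

def generate_password(length=20):
    """Draw from the full alphabet with the OS CSPRNG until the policy is met."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(pw):
            return pw

def entropy_bits(pw):
    """Brute-force entropy: length * log2(size of the classes actually used)."""
    size = sum(CLASSES[name][1] for name in classes_used(pw))
    return len(pw) * math.log2(size) if size else 0.0

def years_to_crack(pw, guesses_per_second=1e10):
    """Expected exhaustive-search time (half the keyspace) at an assumed offline guess rate.
    A dictionary word or keyboard pattern falls far faster than this bound suggests."""
    return 2 ** (entropy_bits(pw) - 1) / guesses_per_second / (365.25 * 86400)
```

An 8-letter lowercase password lands at seconds under this bound, a 12-letter one at a few months, and a 20-character mixed one far beyond any practical horizon; the gap is what makes the bot-driven guessing the paragraph describes fail.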

The second line of defense is your installation of WordPress. I’ll cover the basics here and, in a future post, get into the nitty-gritty of installation. You all know about those easy-to-use install services on your hosting platform for installing WordPress: you put in the directory, the name of the site, the username and password, and you’re done in under five minutes. Those services, if used, are not providing you with a secure install. They do not use separate passwords for every door, and they leave some settings insecure. Most WordPress installs end up in the root, the public folder, instead of in a nondescript subfolder.

The third line of defense is keeping your WordPress site backed up regularly, keeping the WordPress platform updated, and keeping your plugins and themes updated. Use themes from a trusted source: a proven WordPress theme designer or the WordPress themes directory.

The fourth line of defense is to install safe and secure plugins that scan automatically for viruses, provide a firewall, offer settings that close the “holes” in your WordPress platform, back up all of your site’s files and database weekly or bi-weekly, and can be extended with a paid service that monitors your site for suspicious activity. Not knowing what you’re doing with these plugins and their settings can break your site; avoiding them can leave you open to vulnerabilities. To name two: Wordfence and Shield WordPress Security.

The fifth line of defense is to verify your site with Google Webmaster Tools so you get a notification when your site has gone down or Google is seeing a virus or malware; it can also provide you with solutions.

The sixth line of defense is to use an SSL certificate with your domain name. If you only use the root domain, a single-site SSL certificate is just what you need. If you plan to have subdomains, such as blog.yourdomain.com or store.yourdomain.com, a wildcard SSL certificate is your choice. Expect to pay $50+ per year. Having an SSL certificate changes your site’s address from HTTP to HTTPS. It is also great for boosting your SEO by Google’s standards.

The seventh line of defense is to keep the computer on which you do all your work clean and up to date. Some viruses or malware have been written to traverse across and infect your site. Keep your Wi-Fi secured with WPA2 instead of open for any Joe or Jill to access. Turn on NAT control and AP isolation. If you’re running a home-based local server, you should already know that it should sit on the wired DMZ of your router and use a dedicated IP address line (a separate internet line from your home’s use).

If you need help implementing these WordPress security tips, I am available for hire.

Written with Desk PM.


  1. Fellow Desk.pm user Daniel Brinneman recently wrote an article on how to harden a WordPress website. Daniel’s piece is well written and covers the basics. Please visit his site.

    While Daniel and I use basically the same process, I wanted to cover the personal process I use for securing my WordPress websites. For brevity, I didn’t go into detail about how to carry out each step. I may cover these steps in a later article.

    Hosting Provider

    Let’s start with the hosting provider. I want one that is reliable, available and secure. I use a non-shared virtual private server (VPS) hosting plan with Digital Ocean¹. Digital Ocean calls these droplets. Digital Ocean has multiple data centres in multiple locations globally, offering five popular Linux distributions that can be automatically pre-installed upon deployment of a server: Ubuntu, CentOS, Debian, Fedora, and CoreOS. While I can certainly build my web server stack from scratch, I trust the staff at Digital Ocean. I opt to use one of their pre-packaged LAMP/WordPress stacks.

    Each Digital Ocean SSD VPS comes with full root access, a choice of operating systems, and the ability to customise the configuration. With a shared hosting plan I would be concerned that a compromise on another tenant’s account could lead to a compromise of the entire host. With a dedicated VPS, I can configure as much or as little security as I consider acceptable.

    Operating System Hardening

    On a *NIX system, the root user is the administrative user that has very broad privileges. Because of the heightened privileges of the root account, I would discourage regular use of the root account. This is because part of the power inherent with the root account is the ability to make very destructive changes, even by accident.

    Since, with root, I have complete control of the system, I start my hardening process at the operating system level by immediately changing the root password after the server is created. I choose a long and complex password, but something that I can also remember. I then create a new non-root account and add it to the sudoers file. Using the new account (via sudo), I change the server SSH configuration to disable root access to SSH, create 4096-bit SSH keys for remote authentication, disable and remove any unneeded services, and then install and configure file integrity monitoring software. Next, I harden the web server. I generate and install TLS (not SSL) certificates, and configure the web server with Forward Secrecy, OCSP stapling, Public Key Pinning (HPKP) and Strict Transport Security (HSTS).

    Server Services

    Once I complete work on the web server, it is time for MySQL and WordPress. I change the MySQL database password and run the MySQL security script to remove all defaults, etc. I then log in to WordPress and create a new admin account — again with a suitably long, randomly generated password — before deleting the old admin account. I then install and configure a web application firewall with specific rules around the wp-admin URL and when to alert me. I then install a WordPress security audit plugin with rules about acceptable actions and when to alert me. I then delete all default posts and pages.

    Just a Bit More

    Finally, I configure CloudFlare or some other content delivery network to help with any denial of services issues. Most of these also offer a web application firewall and robust analytics.

    From a security operations perspective, I use the VaultPress service to do daily backups and I check to make sure backups are complete. I have a weekly reminder in my calendar to check the Linux server and the WordPress install for security patches and to check my server logs.

    I also perform my vulnerability scanning using various open source tools.

    I only install plugins and themes from reputable sources. I try to reduce the use of plugins as much as possible to mitigate the risk of exploitation. Plugin updates are part of my regular weekly security checks.

    If you need help implementing these WordPress security tips, I am available for hire.

    This post was syndicated to How to Secure a new Linux WordPress Server.

    1. Use my referral link to get a discount on Digital Ocean when signing up, and help me keep my site going.
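The comment above disables root access over SSH and moves remote authentication to 4096-bit keys. As an added example (not the commenter's code, and not an OpenSSH tool), the Python below checks both from the files a weekly review would look at: it reads the effective global value of each sshd_config keyword the way sshd does (first occurrence wins, directives after the first Match block are conditional) and reads the modulus size out of an authorized_keys line. The sshd_config text and the key are constructed samples; the key's modulus is a synthetic number, not a real key pair.

```python
import base64
import struct

SAMPLE_SSHD_CONFIG = """\
# constructed sample of a hardened /etc/ssh/sshd_config (not from a real server)
PermitRootLogin no          # administer via a personal account plus sudo
PubkeyAuthentication yes
Match User deploy
    PermitRootLogin yes     # conditional: ignored by the global audit below
"""

def sshd_effective(text):
    """First occurrence of a keyword wins; stop at the first Match block (conditional)."""
    eff = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        if parts[0].lower() == "match":
            break
        eff.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return eff

def audit_sshd_config(text):
    """Unset PermitRootLogin is a finding: OpenSSH's default still allows root with a key."""
    eff = sshd_effective(text)
    findings = []
    if eff.get("permitrootlogin", "").lower() != "no":
        findings.append("PermitRootLogin is not 'no'")
    if eff.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is disabled")
    return findings

def _mpint(n):  # SSH mpint: length prefix + big-endian bytes, leading zero if top bit set
    data = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(data)) + data

def make_ssh_rsa_line(n, e=65537):  # authorized_keys form; used here to build the sample
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode()

def rsa_key_bits(line):  # modulus size of an 'ssh-rsa <base64>' line (wire: string, e, n)
    blob, fields, pos = base64.b64decode(line.split()[1]), [], 0
    while pos < len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    return int.from_bytes(fields[2], "big").bit_length()

CONSTRUCTED_KEY = make_ssh_rsa_line((1 << 4095) | 1)  # constructed 4096-bit modulus, not a real key
```

Run against a real server's files, `audit_sshd_config(open("/etc/ssh/sshd_config").read())` should come back empty and `rsa_key_bits` on each `ssh-rsa` line in `~/.ssh/authorized_keys` should report 4096.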