Web designers and organisations love WordPress. For years it's been the go-to content management system (CMS) for websites. The platform provides site owners with a dizzying array of tools to simplify content creation and management.
Whilst this popularity has created a much-loved and well-supported platform, a recent report from Sucuri highlighted that 90% of recorded CMS breaches were attributed to insecure WordPress installations.
Now, before you hit the uninstall button, it's important to point out that despite this statistic, WordPress is still deemed to be a secure platform when effectively managed and configured.
One key area of risk is the installation of plugins and modifications such as themes. If you build and supply WordPress sites, or your business relies upon them, then reducing breach risk is key to protecting your organisation's reputation and financial interests.
Indeed, in a post-GDPR world, if you also process personal data on your site and are unfortunate enough to suffer a breach, it will help if your organisation can demonstrate it took all reasonable steps to protect that data.
So, with this in mind, and having encountered some interesting installations over the past 18 months, I've compiled a short list of things you can do right now to improve your WordPress security.
Tip 1 - Stay up to date
The site looks great, you are getting lots of visits and it's been running smoothly for the past several months...
If you haven't thought about it already, now is the time to ask yourself: "When did we last apply any patches or updates?"
It's important to remember that in addition to updating WordPress itself, you also need to update any plugins, themes and add-ons you are using. You should also determine whether the server hosting your site is being updated regularly. I know it's obvious stuff, but we still see lots of organisations overlooking these basic points.
Poorly implemented and out-of-date plugins are often used as a means of breaching installations. Only use plugins from trusted sources that are well supported and regularly updated.
No one wants the headache of an update that doesn't apply properly and breaks your site. We understand that, and yes, sometimes a philosophy of "if it isn't broken, don't fix it" applies... but not in this case.
Plan ahead and test updates before deploying them to your site. This lets you deal with any problems away from the eyes of your customers. Planning updates will also get you into a routine of doing them regularly, and it's much easier to apply small updates often than many updates infrequently.
If your website has been built by a supplier, do they regularly update it and take steps to secure it? Do you have this written into a service agreement? If you aren't sure, it might be a good time to check.
Tip 2 - Take regular backups and test them
It's unfortunately the case that even the best-prepared organisations can still experience a breach. It's better to view such events as a case of when, not if.
But that's fine, because you take regular backups, right?
If that question makes you scratch your head, then before you rush off to review the situation, have a think about the following questions.
How often do you back up? - The more frequently data changes on your site, the more often you will want to back up. How much content or data are you willing to lose if your site is heavily corrupted?
Have you ever tested your backups? - The worst time to figure out how to restore a backup, or to learn that it is corrupt, is during a crisis. Take time to train and practise restoring your site. This will give you the confidence to respond quickly and effectively should you need to restore an installation.
Where are your backups stored? Is there a risk they could be accessed or modified? Ensure an air gap (some isolation) exists between your installation and backup locations.
Linking back to Tip 1: back up before you update your site, just in case something goes wrong.
Consider how your backups are protected, both while being transmitted and while sitting in their storage location. Should you be using encryption? Do you have strict controls around access to them? Assess the risks and create and implement a plan to reduce them.
At what level are you backing up? - You could back up the entire WordPress installation if backing up at server level. Or you might have a separate backup of the database and another for individual files. Make sure your backup regime gives you the option to restore a site in its entirety, or components such as individual files (e.g. config files) at a more granular level.
WordPress and your host's control panel should provide a multitude of tools to help with this task. There is also a range of (reputable) plugins available. One of the more popular is UpdraftPlus, which deals with a great number of the questions raised above.
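The following Python script is an added example, not code from the original post or from any WordPress plugin. It shows the three practices Tip 2 asks about in working form: a backup of the document root with a SHA-256 manifest, a test restore into a scratch directory that re-hashes every file to prove the backup is usable, and a granular restore of a single file (here `wp-config.php`). The sample site, its file contents and the "corruption" are all constructed inside a temporary directory; a real run would point `create_backup` at the live document root, add a database dump, and copy the archive to an isolated location.

```python
"""Added example (not from the original post): back up a WordPress tree,
record a SHA-256 manifest, and test the backup by restoring it elsewhere.
The sample site below is constructed; the thresholds and names are assumptions."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

# Python 3.12+ (and patched 3.8-3.11) can refuse unsafe paths while extracting;
# on older interpreters the keyword is simply not passed.
EXTRACT_OPTS = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, hashed in chunks so large uploads stay out of memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(site_root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under site_root."""
    return {p.relative_to(site_root).as_posix(): sha256_of(p)
            for p in sorted(site_root.rglob("*")) if p.is_file()}


def manifest_path(archive: Path) -> Path:
    """The manifest lives beside the archive, e.g. site-backup.tar.gz.manifest.json."""
    return archive.with_name(archive.name + ".manifest.json")


def create_backup(site_root: Path, archive: Path) -> dict:
    """Write site_root into a gzip tarball (as 'site/...') and record the manifest."""
    manifest = build_manifest(site_root)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_root, arcname="site")
    manifest_path(archive).write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_backup(archive: Path, dest: Path, members=None) -> Path:
    """Restore the whole site, or only the listed relative paths (granular restore)."""
    with tarfile.open(archive, "r:gz") as tar:
        wanted = None if members is None else [tar.getmember("site/" + m) for m in members]
        tar.extractall(dest, members=wanted, **EXTRACT_OPTS)
    return dest / "site"


def verify_backup(archive: Path) -> list:
    """Test-restore into a scratch directory and return the files whose hash does
    not match the manifest. An empty list means the backup restores cleanly."""
    manifest = json.loads(manifest_path(archive).read_text())
    with tempfile.TemporaryDirectory() as scratch:
        current = build_manifest(restore_backup(archive, Path(scratch)))
    return sorted(p for p in manifest if current.get(p) != manifest[p])


def make_sample_site(root: Path) -> Path:
    """Constructed stand-in for a WordPress tree; the file contents are placeholders."""
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
    (root / "wp-config.php").write_text("<?php define('DB_NAME', 'example');\n")
    (root / "wp-content" / "uploads" / "photo.txt").write_text("image bytes\n")
    return root


def demo() -> dict:
    """Back up the sample site, verify it, restore one file, then show that a
    backup whose contents no longer match the manifest (simulated) is reported."""
    with tempfile.TemporaryDirectory() as tmpdir:
        tmp = Path(tmpdir)
        site = make_sample_site(tmp / "htdocs")
        archive = tmp / "site-backup.tar.gz"
        manifest = create_backup(site, archive)
        clean = verify_backup(archive)
        restored = restore_backup(archive, tmp / "restore", members=["wp-config.php"])
        granular_ok = ((restored / "wp-config.php").read_text()
                       == (site / "wp-config.php").read_text()
                       and not (restored / "index.php").exists())
        # Simulated corruption: the recorded hash for index.php no longer matches.
        manifest["index.php"] = "0" * 64
        manifest_path(archive).write_text(json.dumps(manifest))
        return {"files": sorted(manifest), "clean": clean,
                "granular_ok": granular_ok, "after_corruption": verify_backup(archive)}


if __name__ == "__main__":
    print(demo())
```

Running the script prints an empty `clean` list for the good backup and `['index.php']` once the manifest and archive disagree, which is exactly the signal you want from a scheduled test restore rather than discovering it during an incident. The `filter="data"` option is passed where the interpreter supports it because extracting an archive you did not write yourself (or one an attacker has tampered with) is itself a path-traversal risk.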
Tip 3 - Password and login basics
You've bookmarked it for convenience... you know, the link which lets you log in to the admin screens? No? Well, that's OK, because it's /wp-admin and everyone knows that, right?
Which is part of the problem...
When organisations install WordPress, many defaults, such as the URL for the admin panel, never get changed. As a result, bots, scripts and hackers can find these pages easily and have a crack at guessing your password. Consider the following to improve your password and login security.
Change the default login URL for administration panels to something less obvious (security plugins discussed below can help with this task).
Make sure your site communicates securely with web browsers over SSL / HTTPS. This will ensure that any data exchanged with your site, including login credentials, is encrypted in transit.
Review WordPress user accounts regularly and only assign permissions to them that are absolutely needed. Don't have lots of administrators running around on your site.
Limit the number of login attempts a user can make to reduce the risk of a brute force or password guessing attack.
Avoid obvious usernames - It's been this way for decades and I know it's breaking with the norm, but you don't have to use Admin or Administrator as your username. By ducking convention and going with something different, you reduce the likelihood of a successful password attack.
Two-factor authentication - Layers of authentication are extremely useful in preventing a successful attack. If a password is guessed or exposed, then having another factor of authentication could be the backstop that saves the day. There are a large number of plugins available, but Google Authenticator provides a free entry point and is worth a look.
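To make the "limit the number of login attempts" point concrete, here is an added Python example of the logic such a limiter implements; it is not code from the original post or from any WordPress plugin, and the thresholds, the account name and the client addresses are constructed for the demonstration. Failures are counted in a sliding window both per source address and per targeted account, and once a threshold is hit further attempts are refused for a lockout period, which is what makes online password guessing impractical. In WordPress itself a plugin would wire this into the `wp_login_failed` action and the `authenticate` filter and keep its counters in transients rather than in memory.

```python
"""Added example (not from the original post): sliding-window login limiter.
Thresholds and sample data are illustrative assumptions, not WordPress defaults."""
from collections import defaultdict, deque


class LoginLimiter:
    def __init__(self, max_failures=5, window_seconds=600, lockout_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> time at which the lockout expires

    @staticmethod
    def _keys(ip, username):
        # Track the source address and the targeted account separately, so neither
        # one noisy address nor a distributed run at a single account slips through.
        return (("ip", ip), ("user", username.lower()))

    def is_locked(self, ip, username, now) -> bool:
        return any(self._locked_until.get(k, 0) > now for k in self._keys(ip, username))

    def record_failure(self, ip, username, now) -> None:
        for key in self._keys(ip, username):
            recent = self._failures[key]
            recent.append(now)
            while recent and recent[0] <= now - self.window:   # drop stale entries
                recent.popleft()
            if len(recent) >= self.max_failures:
                self._locked_until[key] = now + self.lockout
                recent.clear()

    def record_success(self, ip, username) -> None:
        for key in self._keys(ip, username):
            self._failures.pop(key, None)

    def attempt(self, ip, username, password, check_password, now) -> str:
        """Return 'locked', 'ok' or 'failed'. The user-facing message should be the
        same generic text for 'locked' and 'failed' so valid usernames are not revealed."""
        if self.is_locked(ip, username, now):
            return "locked"
        if check_password(username, password):
            self.record_success(ip, username)
            return "ok"
        self.record_failure(ip, username, now)
        return "failed"


def demo() -> list:
    """Constructed scenario: five bad guesses, then the right password while locked
    (from the same and from a different address), then success after the lockout."""
    accounts = {"editor": "correct-horse-battery"}   # constructed sample credential
    check = lambda user, pw: accounts.get(user) == pw
    limiter = LoginLimiter(max_failures=5, window_seconds=600, lockout_seconds=900)
    results, t = [], 1000.0
    for guess in ["password", "123456", "editor", "letmein", "qwerty"]:
        results.append(limiter.attempt("203.0.113.7", "editor", guess, check, t))
        t += 1
    results.append(limiter.attempt("203.0.113.7", "editor", "correct-horse-battery", check, t))
    results.append(limiter.attempt("198.51.100.9", "editor", "correct-horse-battery", check, t))
    results.append(limiter.attempt("203.0.113.7", "editor", "correct-horse-battery", check, t + 901))
    return results


if __name__ == "__main__":
    print(demo())
```

Note the trade-off the per-account key introduces: anyone who knows a username can deliberately trip its lockout and keep a legitimate administrator out, which is why plugins tend to keep that lockout short and why the two-factor step above matters more than ever-tighter limits.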
Tip 4 - Monitor your site and review logs
Generally, attackers like to stay under the radar for as long as possible. This gives them time to do things like extract data and insert malicious code or payloads; the longer your site can act as a vessel for their objectives, the better for them. As a result of this stealthy approach, many breaches go unnoticed for extended periods of time.
The chances of detecting a breach early can be increased through effective monitoring of your installation. There are a number of plugins available which monitor and report on areas such as changes to files, failed logins, configuration changes, user creation and changes, and much more.
Unauthorised changes, if detected, could provide you with the opportunity to stop an attack before significant damage is done.
But whilst monitoring is beneficial, it is important to have someone in the organisation who reviews alerts regularly and acts upon the warnings provided.
Monitor and look out for bad things happening on your site
Make sure you have someone who reviews warnings / alerts
Have a plan to respond to incidents and investigate them (this might mean engaging external expertise).
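The script below is an added Python example, not code from the original post or from any monitoring plugin, showing two of the checks such plugins run. The first compares a saved baseline of file hashes against a fresh scan and reports added, removed and modified files, which is how an edited theme or an unexpected PHP file in `wp-content/uploads` gets noticed. The second summarises failed logins per source address from web-server access log lines, so that whoever reviews alerts sees guessing attempts in one place. The sample site, the changes made to it and the log lines are all constructed here; the "200 on failure, 302 on success" rule for `wp-login.php` is the usual behaviour of the stock login form and is used only as a heuristic.

```python
"""Added example (not from the original post): file-integrity diff and a
failed-login summary over access-log lines. All sample data is constructed."""
import hashlib
import re
import tempfile
from collections import Counter
from pathlib import Path


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan(site_root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file below site_root."""
    return {p.relative_to(site_root).as_posix(): sha256_of(p)
            for p in sorted(site_root.rglob("*")) if p.is_file()}


def diff_against_baseline(baseline: dict, current: dict) -> dict:
    """Classify each path as added, removed or modified relative to the baseline.
    Store the baseline somewhere the web server cannot write, or an intruder
    can simply refresh it."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
    }


# Apache/nginx "combined" log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')


def failed_login_summary(lines, threshold=3) -> dict:
    """Count POSTs to wp-login.php answered with 200 (the stock form re-renders on
    failure; a successful login redirects with 302). Addresses at or above the
    threshold are returned for a human to look at."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if (m and m["method"] == "POST" and m["path"].endswith("/wp-login.php")
                and m["status"] == "200"):
            counts[m["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed log lines (RFC 5737 documentation addresses, not real visitors).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2019:09:12:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.7 - - [10/Mar/2019:09:12:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.7 - - [10/Mar/2019:09:12:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.7 - - [10/Mar/2019:09:12:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
198.51.100.9 - - [10/Mar/2019:09:15:40 +0000] "GET /wp-login.php HTTP/1.1" 200 3911
198.51.100.9 - - [10/Mar/2019:09:15:55 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.44 - - [10/Mar/2019:09:20:00 +0000] "GET /index.php HTTP/1.1" 200 12044
"""


def demo() -> dict:
    """Build a tiny site, take a baseline, make two unauthorised-looking changes,
    and report both the file diff and the suspicious addresses in the log."""
    with tempfile.TemporaryDirectory() as tmpdir:
        site = Path(tmpdir)
        theme = site / "wp-content" / "themes" / "demo"
        theme.mkdir(parents=True)
        (site / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (theme / "functions.php").write_text("<?php // theme functions\n")
        baseline = scan(site)
        # Simulated changes: a theme file edited and a PHP file appearing under uploads.
        (theme / "functions.php").write_text("<?php // theme functions, edited\n")
        (site / "wp-content" / "uploads").mkdir()
        (site / "wp-content" / "uploads" / "stray.php").write_text("<?php // unexpected\n")
        changes = diff_against_baseline(baseline, scan(site))
    return {"changes": changes,
            "suspect_ips": failed_login_summary(SAMPLE_LOG.splitlines())}


if __name__ == "__main__":
    print(demo())
```

Two points worth keeping in mind when turning this into a scheduled job: `wp-content/uploads` should never legitimately contain PHP, so any addition there deserves an alert of its own, and the failed-login count is only a starting point for review, since a reviewer still needs to decide whether it is a forgotten password or the guessing attack Tip 3 warns about.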
Tip 5 - Use Security Plugins
Securing and hardening a WordPress installation manually can be daunting for the non-technically minded, which is why security plugins are a useful way of simplifying the process. If it's difficult we tend to avoid it, so making protection as easy as possible is a must if organisations are to be encouraged to do more.
There are a plethora of plugins out there, but two worthy of mention are:
All In One WP Security & Firewall
Wordfence
Both are popular and have many active installations. They offer a vast range of tools to help site owners with security topics such as:
Passwords and access control
Hardening your installation
All In One WP Security & Firewall is a free solution whilst Wordfence provides a number of free features and reserves others for their premium offering.
We hope you found these tips useful. If we can help further, please do feel free to get in touch.