Proper WordPress security requires a two-pronged approach. Secure servers used for hosting, and proper application-side security.
At CynderHost we take care of the former, through filesystem isolation, security scans, and audits, vulnerability scanning, and protection against various attacks (especially for our high-performance users).
You, the webmaster/site owner also play an essential role in WordPress security though. You’re responsible for keeping your application secure, which is what we’ll be covering here.
Without one of these, your site isn’t secure, and you could be easily hacked or infected with malware.
Passwords #
Strongs passwords are arguably the most integral part of securing your site. Not having a strong password is equivalent to using the same key to lock your house as your entire neighborhood. Attackers and automated bots very frequently attempt to brute for your WP Admin administrator account with common password combinations.
While brute force protection helps prevent compromise, it’s ultimately not effective if your password isn’t strong, as attacks have hundreds of thousands of devices they can cycle through. As a rule of thumb, passwords should be 12 characters or more at a minimum and contain a special character, capital letter, lower case letter, and numbers. We recommend 16+ character passwords.
If you have trouble coming up with a password, we recommend utilizing WP’s built-in password generator with a secure third-party password manager.
Dual Factor Authentication #
If your password were to be leaked, it doesn’t matter how strong it is, malicious actors would have access to your site.
To help prevent this, we also recommend implementing 2FA for your WP Admin. You can utilize a plugin such as Loginizer or WordFence to have an OTP (one-time passcode) sent to a device you control when you try to log in.
Nulled Themes and Plugins #
Don’t use them. Period. We cover more here.
Plugin/Theme/Core Updates #
Keeping your files, plugins, themes, and WP core up to date is another essential part of proper WP security. Outdated plugins lack the proper security patches, may have vulnerabilities, and may no longer be supported by plugin authors.
When in doubt, turn on minor core, plugin, and theme auto-updates so you can keep your sites up to date.
WAF #
(A web application firewall…not waffles)
A WAF is a firewall that sits between your visitors (the end-user) and your site. It intercepts all requests and scans them for potentially malicious actions. This could include zero-day exploits, SQL injections, XSS attacks, and more.
Utilizing a WAF will impact your site’s performance. In most cases though, the tradeoff isn’t big, and keeping your site secure is more important. Here’s more on how a WAF works.
There are many different vendors to choose from. We recommend WordFence (the plugin) as a WordPress-side WAF, and Cloudflare, Incapsula, or Sucuri as a cloud-based WAF. Using two is usually redundant and not needed, as long as the one you are using provides aquedate protection.
Keep in mind, no WAF is 100% accurate. You’ll likely deal with false-positives (which you can whitelist) – and false negatives (where the WAF doesn’t detect a malicious request). Therefore, the other parts of WP security are still extremely important.
Note: High-Performance hosting users have a WAF built-in. As such, an external/third-party WAF is not recommended.
PHP Versions #
You may not believe it, but many WordPress sites still run on PHP 5.6…or earlier. These versions are no longer maintained (End of Life) and riddled with security issues. If you’re not on a supported PHP version (see: https://www.php.net/supported-versions.php) then upgrade as soon as possible. Just take a backup before you do.
Security Audits #
Even if you follow all the guidelines above, your site may still be hacked. Why? Zero-day vulnerabilities that have not been discovered by security researchers may exist in the wild, actively being exploited.
Knowing you’ve been hacked is the first step to recovery. Run monthly, or weekly scans of all your files to ensure they are clean and free of malware. We recommend using WordFence for our shared hosting users. High-Performance customers have their sites automatically scanned periodically, server-side – and can run a security audit directly from the panel.
Backups #
Uh-oh! So you’ve been hacked. Now what?
While you could go through the tedious process of cleaning your site manually or paying someone to do this, we generally recommend:
- Backing up the current state of your site
- Restoring to a previous backup
- Scanning, and verifying the site is clean
- Figuring out/patching any attack vectors
- Monitoring closely for more attacks/exploits
Of course, this is contingent on you having backups. We keep automated, daily (at minimum) backups of your site you can restore to. That said, it is highly recommended that you keep your own backups. This can be done through a plugin like WP Vivid Backup & Restore, Akeeba Backup and Restore, or Updraft.
If you find your site is hacked, please reach out to our support team. We may be able to clean it up for you.
Minor Tweaks, and Advanced Security #
If you know what you’re doing, proceed. Otherwise, contact us or skip this section.
Disallowing PHP Execution in wp-content/uploads #
Many exploits rely on improper file-upload sanitization in order to upload PHP scripts and execute them. Preventing these uploads and execution can help prevent backdoors or further attack vectors. A plugin like WordFence can do this for you, as well as our high-performance panel (“Check Security” -> “Forbid execution of PHP scripts in the wp-content/uploads directory(can be reverted)”)
Preventing WordPress Filesystem Modification #
Danger: This could break your site.
You can prevent anyone, including yourself, from modifying WordPress core, plugin, and theme files. This prevents attackers from injecting malicious code into WP Core, as exploits commonly do.
This will also break WP Core updates, plugin and theme updates, and any other feature that modifies WP Core.
Please take a backup before doing this.
To lockdown, your filesystem, select all the files (not folders) and change the permissions to r–r–r– (read-only/444). Folders should have r-xr-xr-x permissions (0555). Exclude the wp-content/uploads folder from this, as you need to be able to write to that folder in order to upload media files.
If you’re on your own server, you can chattr +i all your files to prevent chmod() calls from changing permissions. This is not recommended.
Disable XMLRPC.php #
If you don’t need it, XMLRPC can be disabled to reduce attack surface. To disable XMLRPC, you can add the following to your functions.php
// Disable use XML-RPC
add_filter( 'xmlrpc_enabled', '__return_false' );
// Disable X-Pingback to header
add_filter( 'wp_headers', 'disable_x_pingback' );
function disable_x_pingback( $headers ) {
unset( $headers['X-Pingback'] );
return $headers;
}
Or this to your .htaccess:
<Files xmlrpc.php>
order allow,deny
deny from all
</Files>
If all of this is way over your head, just contact us.