
How to Secure and Maintain Your WordPress Site

sandibatik · May 15, 2017 · Leave a Comment


What You Need To Know About WordPress Site Security

Our Austin WordPress Beginner classes continue our “Back to WordPress Basics” series with our annual discussion of how to secure and maintain your WordPress site. Now that you have your WordPress site up and running, it is time to address site security and administration. As the popularity of WordPress has increased, so has its attractiveness to hackers.

Nick Batik’s presentation focused on the basics of keeping your WordPress site secure and covered some of the current crop of WordPress security plugins and services available to keep your site and your online community safe. Nick specializes in the system design and implementation of custom, often complex WordPress-based solutions that address client data management issues. As the back-end developer, he creates the core computational logic of the website or information system that implements the customized functionality, and he deals with client security concerns every day.

Securing Your WordPress Site

Securing your website, databases and files has become a mandatory task for every WordPress site manager, administrator, and owner. The core of WordPress is a fairly secure system and is designed for ease of updating and a fast development cycle. Most WordPress security problems are easy to control and are due to either poor judgment by the end user, poorly coded themes and plugins, or bad hosting.

Keep Your Version of WordPress Up-To-Date

Time and again, we hear of people who disable WordPress core updates because “an update might break one of my plugins.” This is seriously flawed reasoning. If you had to choose between losing all your content, or worse, compromising confidential client information due to a hacked site, and a temporarily broken plugin, which would you choose?……Seriously, you are actually thinking about this… WordPress core updates fix recently discovered security problems. If your site isn’t updated — it is vulnerable! Plugins that are incompatible with the latest version of WordPress are only going to stay that way for a very short time. A hacked site, on the other hand, is a far more permanent problem. The Advanced Automatic Updates plugin adds options to WordPress’ built-in Automatic Updates feature: in addition to security updates, it supports installing major releases, plugins, themes, or even regular SVN checkouts!

Update All Your WordPress Plugins

Security vulnerabilities are frequently found in third-party WordPress plugins — even the most popular and trusted plugins can have vulnerabilities. Professional plugin developers handle security fixes quickly and release an update. Then it is your responsibility to update to the latest version. If you decide to skip the latest security update, your site is vulnerable to hackers.

Remove Any Inactive or Unused Plugins

The more plugins you have installed on your site — the greater your risk for having a vulnerability in one of those plugins. A Security Best Practice to minimize risks is to completely uninstall any plugins you are not using. How do you tell which plugins are not being used? They are marked as ‘Inactive’ in the Plugin section of the WordPress admin. Delete them!

Update Your Themes

The same logic that applies to WordPress core updates and plugin updates applies to themes. Securing WordPress means that all themes need to be kept updated to their latest versions. The main reason site owners decide to ignore a theme upgrade usually goes like this: “OMG! I made changes to my Theme. If I update I’ll lose them ALL!”

This is why we stressed the importance of using ‘Child Themes’ rather than making any changes to the actual theme. When you make all changes in your Child Theme, you can easily update to get the latest fixes and security updates without losing your customizations. It is also a very good security practice to promptly remove all unused themes from the backend of your site. You can check which themes require updates from the Appearance > Themes section in the WordPress admin.

Learn To Fear FREE

Only install themes, plugins, and scripts from their Official source. Using any software from a Free, Pirate site is never a good idea! Many of these Free Download pirated themes have maliciously tweaked scripts that install a backdoor, which allows your site to be remotely controlled by hackers. Why would you trust a source whose business model is based on stealing other designers’ work?

Where Can You Find Vetted, Free, WordPress Themes?

The WordPress.org Theme Directory is the safest place to find free WordPress themes. If you missed the WPATX Beginners’ class on How WordPress Themes Work, please go to: https://www.slideshare.net/sbatik/how-wordpress-themes-work

Choose a Secure WordPress Hosting Service

Security-conscious hosting services will have a dedicated security team who monitor the latest vulnerabilities and preemptively apply rules on their firewalls to mitigate attacks on your site. Shared hosting solutions are always a bit tricky because you can’t control the site hygiene of your neighbors. Every developer has their own favorites for managed hosting; we prefer WP Engine. For inexpensive hosting, we use two vendors: SiteGround and GoDaddy.

Make Sure Your Site is Running the Latest Version of PHP

The global WordPress statistics page shows:

  • Only 1.7% of WordPress installations run on the latest version of PHP (7).
  • 19.8% run version 5.6, which is still supported.
  • The balance of WordPress installations, almost 80%, run on versions that are no longer supported!

PHP, the underlying engine of WordPress, gets regular version and security updates. If your site is not running on PHP 7, that means known security issues are not being fixed and your site is vulnerable to exploitation. PHP version updates depend largely on your hosting service. A good hosting service should make the latest PHP versions available for use with your WordPress installation.

Change the Admin Username

Hackers LOVE folks who keep ‘admin’ as their default Administrator username. The easiest way to secure your WordPress admin login against brute force attacks is to change the default “admin” username to something more difficult to guess. If your username currently is “admin”, you can change it by creating a new, less obvious administrator user and deleting the old admin user. This is a quick and easy WordPress security step to stop simple hacking attempts. The Username Changer plugin is a handy, easy-to-use plugin for WordPress beginners.

Always Use Strong Passwords

Do you have any idea how many WordPress sites have either ‘12345’ OR ‘password’ as a PASSWORD!!!

Of course, there is the other favorite username and password combination all site security professionals find on compromised sites — admin/admin. Hackers know users are prone to using simple, easy-to-guess passwords, so they use lists of commonly used passwords to gain control of your site. ‘Brute-forcing a password’ is when hackers try these common passwords over and over again.

Don’t Reuse Passwords

Users don’t want to remember long, complicated passwords for each of their accounts. Got it! That is why there are password managers like KeePass that generate nice long passwords and store your user names and passwords securely in encrypted form. Use a password manager — or risk compromising all of your accounts.

Avoid Plain-Text Password Transmission To Protect Your Password(s)

Internet traffic is constantly being ‘sniffed and snooped.’ Don’t send passwords over email, chat, social networks or other unencrypted forms of transmission. Sensitive data must always be sent in encrypted form. Implement HTTPS on your WordPress site, particularly on your backend, to avoid passwords being sent in plain text. Don’t use plain FTP when accessing your site. Use SSH or FTPS to encrypt data transmission. To do this you’ll need to set up an FTPS account on your hosting server.

Only Update Your Site From Trusted Networks

Users who understand and value Internet security would NEVER update a website from an untrusted network such as the ‘FREE’ WiFi connection at a local coffee house. Only update your site from trusted networks, such as those at your home, office or your encrypted hotspot.

Use a Local Anti-Virus

Viruses are designed to spread themselves as far and wide as possible. Many office workstations being used by WordPress Administrators are infected with at least one virus. These viruses can snoop passwords, credit card, and other personal information. Make sure your local workstation is running a good and updated antivirus to prevent it from getting infected and spreading to your website. ClamAV is an open source antivirus engine for detecting trojans, viruses, malware and other malicious threats.

Enable Google Search Console

Google Search Console is a free service offered by Google that helps you monitor and maintain your site’s presence. Google Search Console will advise you if your website starts to host any malicious files. This tool is not preventative – it is a handy ‘Malware Heads-Up.’

Secure WordPress With a WordPress Security Plugin or Service

All WordPress developers have a favorite set of tools for each task. When dealing with WordPress site security, our go-to security plugins are: WordFence, iThemes Security Pro, Sucuri Security, and the Sucuri free website malware and security scanner.

Sometimes Your Only Option Is Just Restore From Backup

Bad things happen to good websites. Not only do they get hacked, but they can fall victim to accidents, power failures, and technical mishaps. As a WordPress site owner, manager or developer, you have to have a plan to back up and restore your site(s). Actually, you need to back up and periodically test your backups. The BackupBuddy plugin handles WordPress backup and restore like a champ. What good is a backup if you don’t also have a way to restore your WordPress site?

A solid WordPress backup solution must include both components: a complete backup and a full restore. Unlike other WordPress backup plugins, BackupBuddy backs up your entire WordPress installation, including your media library, themes, plugins, widgets, content, settings plus your database. Most backup plugins only back up your WordPress database — that won’t be enough to restore your site in its entirety. The BackupBuddy plugin is a quick and easy way to restore your full WordPress site. If something goes wrong, BackupBuddy can get your site up and running by using the restore function. BackupBuddy is an iThemes product and comes with great support.

Advanced WordPress Tips For Security Geeks

Limit Login Attempts

The Limit Login WordPress plugin detects a number of incorrect login attempts and denies that user the possibility of trying again for some time. This, of course, makes brute-forcing attempts much less likely to succeed and significantly improves your WordPress security.

Enable Two-Factor Authentication

Enable two-factor authentication (2FA) on your site. With a 2FA process in place, besides your regular password, you will also need a time-based security token that is unique to each user. This token also expires after a period of time, usually 60 seconds. The security token is typically generated by an app such as Google Authenticator.

Ensure File Permissions Are Correct

PHP and WordPress, in general, use a set of permissions associated with files and folders. In general, your web server typically needs to be able to write files for WordPress to work correctly, but the public internet NEVER needs to have write access to your files.

Block Malicious Countries

The IP Geo Block plugin protects the back end of your site against these attacks not only by blocking requests from undesired countries but also with its own ‘Zero-day Exploit Prevention’ (WP-ZEP) feature. It also blocks undesired requests to the login form (login attempts), comment form (spam and trackbacks) and XML-RPC (login attempts and pingbacks).

Change the Default Table Prefix

Changing the table prefix is mainly useful if you did not change the database prefix at installation time and want to change it post-installation to make your website more secure and better protected from SQL injection.

Disable PHP Execution

One of the first things a hacker would do if they got some kind of access to your site would be to execute PHP from within a directory. Add the below code to the .htaccess file in the root directory of your WordPress installation:

<Files *.php>
# Note: in the site root this also blocks index.php and wp-login.php,
# so apply it to directories that should never run PHP, such as wp-content/uploads.
Order Allow,Deny
Deny from all
</Files>

Segregate Your WordPress Databases

If you run multiple websites on the same hosting server account, you might be tempted to create all of the sites in the same database — please don’t. This practice creates an inadvertent security risk, because when one website suffers a successful hacking attack, the other sites running on the shared host with the same database will in all likelihood also be compromised. Lazy equals pain… During the WordPress install, create a new, segregated database with a unique database name, database user name and password, unrelated to any other sites or logins you have.

Restrict Database User Privileges

Best WordPress site security practice indicates that the database user only needs the following data read and data write privileges on the database for most day-to-day operations: SELECT, INSERT, UPDATE and DELETE.

Disable File Editing

You can (and should) disable file editing for WordPress administrators after your website goes live by adding the following line to the wp-config.php file:

define('DISALLOW_FILE_EDIT', true);

Secure Your wp-config.php File

Add the following to your .htaccess file:

<Files wp-config.php>
Order Allow,Deny
Deny from all
</Files>

Disable XML-RPC

Beginning in WordPress 3.5, XML-RPC is enabled by default. Additionally, the option to disable/enable XML-RPC was removed.

XML-RPC is considered by many to be one of the biggest security risks to WordPress.

Set WordPress Secret Authentication Keys

You might have come across these eight WordPress security and authentication keys in your wp-config.php file and wondered what they are.

You may also have never seen or heard about them. They look something like this:

define('AUTH_KEY', 'j+Oq5CL Z6M?dc|9KwWv(k9&RK[,>K@vGRY0AvEPrnHav-wq.+&d))-Y}22tD JE');
define('SECURE_AUTH_KEY', 'Vk~ Qe#?z7GKB>%F2MFOF?6~j#f&FJMG.Y@;~Hlih8jf[}Cgl@-<>w[C -j.E@D#');
define('LOGGED_IN_KEY', 'YR,_/w.(Ud*.,/(aBmNs?JQGmC4W@<vu_(G:!+@x*?x}?g+8h[vJF!dCsekIf009');
define('NONCE_KEY', 'yY%{Hx|-WsSSVVFp2h+to5bl;uZ|Za,uT;qC;!b<Oew!NIjrNE#B}N#b4Y45^eh6');
define('AUTH_SALT', 'mHq/^I#e-;<`(i}@B_ik`9nVbiS4f^PFI+-ZP((p(M%]!x+:)45BRTTdzAZ<^c3{');
define('SECURE_AUTH_SALT', '+cE7REA-3}V|0Dd#ze8ml=%3;GdRw!EuPGJaOoM}qUd;}doDslqweWY7sJX 9Yab');
define('LOGGED_IN_SALT', 'A-&{HPc3#P/5-aK88R!~ A9q|PbZrxC9#ZtOie%E~ld;*?x4V)Zd4lPZBX(j?U]y');
define('NONCE_SALT', 'O[byb]ByAxb!Q1l8Z>nyh|EwAECr-HXCQQI;fE|q[YY1|tpve8:EZ&X-TPqFnS#v');
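To check an existing install against the file-permission, table-prefix, DISALLOW_FILE_EDIT and secret-key points above, here is an added POSIX shell audit (example code written for these notes, not from the class or from WordPress itself). It assumes GNU or BSD stat is available and that the config was derived from wp-config-sample.php, whose placeholder phrase ‘put your unique phrase here’ is what the key check looks for; the function’s return code is the number of findings.

```shell
#!/bin/sh
# Added example (not the class's or WordPress's own code): audit a wp-config.php
# for the hardening points above. Prints one line per finding and returns the
# number of findings (0 = clean). Assumes POSIX sh plus grep/sed/stat.

# Placeholder phrase shipped in WordPress's wp-config-sample.php.
WP_PLACEHOLDER='put your unique phrase here'

# audit_wp_config <path-to-wp-config.php>
audit_wp_config() {
    cfg="$1"
    findings=0
    [ -f "$cfg" ] || { echo "ERROR: $cfg not found"; return 99; }

    # 1. Dashboard file editing must be disabled on a live site
    #    (a commented-out define does not count, hence the ^ anchor).
    if ! grep -Eq "^[[:space:]]*define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg"; then
        echo "FINDING: DISALLOW_FILE_EDIT is not set to true"
        findings=$((findings + 1))
    fi

    # 2. The default table prefix wp_ makes every table name guessable.
    prefix=$(grep -E '^[[:space:]]*\$table_prefix[[:space:]]*=' "$cfg" | head -n 1 \
             | sed "s/.*=[[:space:]]*['\"]//; s/['\"].*//")
    if [ -z "$prefix" ] || [ "$prefix" = "wp_" ]; then
        echo "FINDING: table prefix is missing or still the default 'wp_'"
        findings=$((findings + 1))
    fi

    # 3. All eight keys and salts must exist and not be the sample placeholder.
    for key in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
               AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        line=$(grep -E "^[[:space:]]*define\([[:space:]]*['\"]$key['\"]" "$cfg" | head -n 1)
        if [ -z "$line" ]; then
            echo "FINDING: $key is not defined"
            findings=$((findings + 1))
        elif printf '%s' "$line" | grep -q "$WP_PLACEHOLDER"; then
            echo "FINDING: $key still uses the sample placeholder"
            findings=$((findings + 1))
        fi
    done

    # 4. The file holds database credentials: "other" users need no access.
    #    GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c '%a' "$cfg" 2>/dev/null || stat -f '%Lp' "$cfg")
    others=${mode#${mode%?}}          # last octal digit = permissions for "other"
    if [ "$others" != "0" ]; then
        echo "FINDING: mode $mode is readable by other users (try chmod 600)"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Run directly: sh audit_wp_config.sh /path/to/wp-config.php
if [ "$#" -gt 0 ]; then
    audit_wp_config "$1"
fi
```

Run it as the web server user or as root so the stat on wp-config.php succeeds; the key/salt values are never printed, only their names.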

Some Additional Resources Mentioned During Meeting

PHP Compatibility Checker Plugin — The WP Engine PHP Compatibility Checker can be used by any WordPress website on any web host to check PHP version compatibility.

BackWPup — This backup plugin can be used to save your complete installation including /wp-content/ and push them to an external Backup Service, like Dropbox, S3, FTP and much more, see list below. With a single backup .zip file, you are able to easily restore an installation.

Followup to the WordPress Permissions Discussion

Everything You Need to Know About Changing File Permissions you can find in the WordPress Codex — the Official Source for all things WordPress.

The permission plugins mentioned are User Role Editor — This WordPress plugin lets you change user role capabilities (except Administrator) easily, with a few clicks. Just turn on the check boxes of the capabilities you wish to add to the selected role and click the “Update” button to save your changes.

Press Permit Core — an advanced content permissions system. It is derived from Role Scoper, but with extensive improvements in versatility, performance and user-friendliness.

Our Favorite WordPress Security Blogs

Sucuri Blog

Follow Sucuri on Twitter for latest news on exploits —@sucurisecurity and @sucurilabs

WordFence Blog

Follow Wordfence Security news on Twitter @wordfence

Source For Free SSL Certificate

Let’s Encrypt

Some hosting companies will give you a complimentary SSL certificate as part of your hosting package – ask your current hosting company about their SSL policies while you inquire about what version of PHP they are running.

After Class Resources

I hope these class notes help. I have included a link to the class slide deck below. I’m sorry if the transfer from Keynote to PowerPoint format sometimes does odd things to the headers and some images. Deepti and I urge you to join and perhaps contribute to the Austin WordPress Tribe by volunteering to take notes for our wpauston.com website, presenting at WPATX meetups or helping with our annual WordCamp. You can always find the current class schedule at https://www.meetup.com/austinwordpress/ We look forward to seeing you at an Austin WordPress Meetup soon.

Follow Sandi Batik @sandi_batik / @WPATX /  Contact me at: handsonwp.com / LinkedIn  https://www.linkedin.com/in/hsandrachevalierbatik

Follow Nick Batik @nick_batik / @WPATX / Contact me at: pleiadesservices.com / LinkedIn https://www.linkedin.com/in/nicholasbatik

How to secure and maintain your word press site from HandsOnWP.com
