WordPress Security

Making WordPress a fortress.

WordPress is the most popular Content Management System (CMS) in use today. That makes it a super attractive target for hackers and online ne’er-do-wells. To keep your WordPress safe from the invading hordes, you need to harden it.

WordPress is one of the most highly used content management systems in the world, a popularity spurred on because it is open source. While we love open source, that means that the code is also freely available to hackers. For this reason, White Sunrise takes extra security seriously for any WordPress installation.

WordPress frequently updates its platform for various reasons, including security. The WordPress community takes security very seriously, but the only way to take full advantage of the security upgrades provided by them is to make sure you are on the latest version and always stay updated.

Some WordPress users do not like updating their installation. The difficulty of updating WordPress varies, and is based on a number of factors. These reasons include:

  • Age of the current WordPress version.
  • The number of plugins installed.
  • The type and configuration of plugins installed.
  • Conflicts with new WordPress versions and plugins/themes in use.

Due to the nature of these variables, White Sunrise approaches this process on an hourly basis, or provides an estimate after gaining access to the server to assess the nature of the variables listed above.

The White Sunrise base security package is the minimum that White Sunrise would suggest for any WordPress client. It is a cost effective package that will close up the most common exploits in WordPress that hackers use. The base security package involves:

1. Remove the default user accounts.

All basic WordPress sites have a few standard user accounts and names, such as “admin.” These accounts are a primary target for a hacker.

The process of removing default user accounts is not a simple procedure for the average WordPress user. However, removal of these accounts is one of the simplest ways to stop a hacker in their tracks. White Sunrise simply reconfigures WordPress to remove these default accounts and their IDs, instantly frustrating and stopping any attempt to gain access to those accounts.

2. Secure the upload directory.

By default, the upload directory is the only folder required by WordPress to be writable by public upload. This makes it a prime candidate for exploitation by malicious users.

By modifying the server settings, White Sunrise can prevent server-side scripts from being uploaded to this directory. This preventative measure keeps malicious code from being loaded to the server, without breaking the default WordPress functionality.

3. Change the database extension.

In WordPress, most of the troublesome SQL injection attacks are based on the WP_ extension. By changing this, White Sunrise can wipe out that threat quickly and easily.

4. A full site backup.

One of the most important things for an organization to possess is a full-hardened backup of their WordPress site and database. A full site backup is the best way to minimize downtime in the event of a problem. This preventative measure not only helps in the event that the site is hacked, but also in case the site is mistakenly take down by user error. SSH access is required to accomplish this task in its entirety.

Unlike some backup services, the backup provided by White Sunrise is fully extractable both to an individual file level or for a site-wide restore.

5. Plugin installation.

There are thousands of WordPress plugins, some not as trustworthy as others. Several WordPress plugins offer heightened security for sites, and White Sunrise will install those that can be relied on. These include:

Bullet Proof Security

The BulletProof Security WordPress plugin helps to prevent many of the common attacks leveraged against WordPress sites, including cross-site scripting and SQL injection hacking. Unlike other security plugins, this plugin primarily uses the .htaccess file for enforcing security, making it lightning fast and nearly upgrade proof.

Limit Login Attempts

This WordPress plugin limits the number of attempts to log into an account in order to prevent “brute force” style hacking attempts, as well as social engineering attempts on known accounts.

For WordPress users looking to increase their security beyond the basic package, White Sunrise offers additional options. These advanced security options are not included in the basic packaged because they affect the standard user interaction with WordPress. However, these security integrations make the site nearly impenetrable to remote hackers.

1. Two-stage authentications.

A two-stage authentication implementation requires users to login twice to access the admin panel. While this seems unnecessary, this almost completely prevents unwanted access to the WordPress administration area.

The additional stage is hardcoded directly into the server, and cannot be affected by uploaded scripts or standard penetration methods. The username and password would also be different than the one used by the default WordPress login.

2. IP-based authentications.

An IP-based authentication implementation only allows certain IP address to access the WordPress administration panel. Clients provide White Sunrise with a list of IP addresses that would be granted access. Only those IP addresses may access the WordPress administration panel.

This option can be just as secure as the two-stage authentication, but without the hassle of needing two sets of credentials.

3. Locking file permissions.

Part of WordPress’s flexibility comes from allowing various files to be writable by the web server. However, allowing write access to your files is potentially dangerous, particularly in a shared hosting environment.

It is best to lock down your file permissions as much as possible and to loosen those restrictions on the occasions that you need to allow write access, or to create specific folders with less restrictions for the purpose of doing things like uploading files. White Sunrise will set file permissions to secure your WordPress installation.

4. Restricting database user privileges.

For normal WordPress operations, such as posting blog posts, uploading media files, posting comments, creating new WordPress users and installing WordPress plugins, the MySQL database user only needs data read and data write privileges to the MySQL database. These include SELECT, INSERT, UPDATE and DELETE.

Therefore, any other database structure and administration privileges, such as DROP, ALTER and GRANT can be revoked. By revoking such privileges, containment policies are also improved.

5. Securing wp-includes to block user access.

A second layer of protection can be added to WordPress by addressing places where scripts are generally not intended to be accessed by any user. One way to do that is to block those scripts using mod_rewrite in the .htaccess file.

To make sure that the code below is not overwritten by WordPress, White Sunrise will place it outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file. WordPress can overwrite anything between these tags.

6. Securing wp-config.php.

White Sunrise will secure the important wp-config.php file by moving it to a directory above your WordPress installation. Storing the file outside of the web-root folder adds a layer of security.

7. Disable file editing abilities.

The WordPress dashboard, by default, allows administrators to edit PHP files. This gives them the ability to alter plugin and theme files as needed. However, this is often the first place attackers will use if they are able to login, since it allows for code to be executed. By disabling the ability to edit those files from the dashboard, another level of security is in place.

8. Forensic logging.

Forensic logs can be your best friend, when it comes to security. They can tell you what was done, by whom, and when. While you may not be able to get the specific user, you will be able to see the IP address and the time. Additionally, you can see the following common attacks with these logs:

  • Cross-site scripting (XSS)
  • Remote file inclusion (RFI)
  • Local file inclusion (LFI)
  • Directory traversal attempts
  • Brute force attempts

Forensic logs give you a good picture of what has happened on your site.

9. Intrusion detection and monitoring.

Think of it as a burglar alarm for your WordPress site.

Despite all of your preventative efforts, you may still find your site has been hacked, or an attempt to hack it has been made. That’s why intrusion detection and monitoring is important. It helps you react faster, find out what is happening, and recover your site more quickly.

adamWordPress Security