Securing WordPress, again.

Rick Calder
calder.io
Dec 20, 2016

Fair warning, this isn’t your normal “install these 3 dozen plugins to make sure you’re safe!” WordPress security post. It’s a bit more technical than that, although I am going to touch on some plugins. This is also a high level view of the things you can do, there is going to be very little direct explanation on exactly how to accomplish these things.

WordPress runs the web!

WordPress is popular; according to Manage WP, 18.9% of the web runs on WordPress. That’s impressive and, at the same time, a little scary. Scary because I am willing to bet fewer than 10% of those WordPress sites are secured very well, and honestly the structure of WordPress on its own isn’t really that secure.

WordPress is designed so that its entire folder structure sits in the web root, meaning it relies on specific permissions and files to make sure that the critical files aren’t publicly accessible. That in itself is a security concern, but WordPress is designed to be easy to use: a one click install on most (if not all) hosts. Many hosts don’t allow access to folders above the web root, and even if they did, the average user wouldn’t be able to set it up so it worked that way.

Its popularity is also its downfall

The fact that WordPress is so popular and “easy” to use makes it a particularly juicy target for hackers: it gives a simple script millions and millions of sites to target. The other issue with WordPress, again because of its popularity, is the way its ecosystem of plugins has exploded. There are thousands of plugins available to do everything imaginable on your website, from things so basic they don’t really need a plugin, like adding Google Analytics code, to complex e-commerce systems.

This is a great thing for developers and users. It means you can add complex functionality quickly and easily without reinventing the wheel and often with no actual coding at all. However, it also adds another layer to the security issue. There are very good WordPress plugin developers, but there are also very bad ones, and the very “house of cards” nature of building a WordPress site means a single bad plugin can negate most, if not all, of your security measures.

But I run a small website, I’m not even a target for hackers

This is a misconception many have: why would anyone want to hack me? I have nothing to offer, no e-commerce, no critical data, no celebrity photographs.

To be honest, you’re probably right: the chances that you or your website are actually the final target for hackers are negligible. Hackers probably don’t care about the data on your site. What they do care about is the processing power of the server your website lives on, and the processing power of your visitors’ computers.

Attacks on major sites are almost always carried out by botnets, networks of compromised computers that act as a single entity to carry out an attack. That attack can be a brute force attempt to compromise important systems, or a DDoS (distributed denial of service), which floods major internet sites with so many requests that they are unable to keep up and slow down or actually go offline, so they are unavailable to everyone.

Your small bakery, mechanic, or widget website isn’t the actual target, but if it’s insecure it can easily become part of the botnet used to attack the major targets, and worse, it can be used to distribute malware that infects your users and makes their computers part of a botnet.

You ARE a target.

What can you do?

Update

It doesn’t matter if you’re an experienced developer or a user who followed web tutorials and one click installs to get your WordPress site up and running: the single most important thing you can do to keep your site safe is to make sure the WordPress core and all your plugins are up to date. As I mentioned, WordPress and its plugins are a giant house of cards, and they are complex software. This means security vulnerabilities will be found, not might, will.

Automattic (the creators of WordPress) and most good plugin developers keep an eye out for these vulnerabilities, fix them and release updates with these fixes. So making sure your site is completely up to date is critical.

Strong user names and passwords

Everyone knows that strong passwords are important; in fact WordPress forces you to check a box stating that you know you’re using a weak password if you choose to do so (don’t choose to do so!). There are a number of password generators (WordPress has one built in) and a number of tools that remember these strong passwords for you (LastPass, 1Password, etc.). So do use a strong password. Also, don’t use common usernames like admin.

Move your login page

This is one of the few plugin measures I’m going to mention, and there are a couple of plugins that do this. The one I normally prefer is Rename WP Login but it does seem the author of this plugin is no longer updating it. I’ll test some other options and address this with an update later!

The basic premise here is that the majority of WordPress attacks are brute force attacks, meaning scripts that try to log into your site using common user names and a library of passwords. The vast majority of these scripts are going to try to hit /wp-login.php since that’s the default location for the login page. Using a plugin (or custom code) to move your login page means anyone running one of these scripts against your site is going to hit a 404 instead of the login page, rendering the attack useless. Note that xmlrpc.php accepts the same credentials and is also tried by these scripts, so block or disable it if you don’t use it.

Change your directory structure

This one is pretty involved and isn’t for the faint of heart or the average user, but it can provide an added layer of security. As I said earlier, WordPress is a target for hackers because it is so popular and its code is almost always exactly where WordPress’s base install puts it.

This means everyone knows exactly where your admin files reside, where your plugin and theme files are etc.

Somewhat like moving your login page, this is a bit of security by obscurity, which isn’t the best option by any means. However, when added to other measures it does help. If your plugins reside in /content/plugins instead of /wp-content/plugins, then a hacker trying to target your plugins directly isn’t going to have the correct path.

At calder.io we have a custom install loosely based on Bedrock by Roots. It’s not only more secure, it’s also a better folder structure than the base WordPress install, and it allows for dependency management via Composer, which makes updating and rolling back dependencies (like plugins) a walk in the park!

Install a security plugin

This is the second time I am going to suggest using a plugin for your security. Again there are a number of options available here, but my personal favourite is WordFence. It’s very easy to set up and has some powerful tools such as a firewall, limiting login attempts, automatic IP blocking and real time scans.

It also offers 2FA (two-factor authentication), requiring a combination of your username/password and a code from your cell phone to log in to your site.

WordFence is just my personal favourite, but you should have a security plugin installed and properly configured, regardless of which one you choose.

Use fewer plugins

No, seriously, stop that. Don’t use a plugin for something as basic as adding your Google Analytics code. I saw a blog post on Twitter the other day, “The fifteen must have plugins for every WordPress install!”, and just cringed. Not everything has to be a plugin. If you require a lot of functionality and don’t have the ability to write the code yourself, at least try to find suitable plugins that cover more than one of those requirements. The fewer cards in the house, the less likely one of them brings it all tumbling down.

Use “good” plugins

I mentioned earlier that there are very good WordPress plugin developers as well as not so good ones. There are also multiple plugins to accomplish every task you want your site to be capable of. It is up to you to make sure you’re choosing the right one for the job.

Here are just a few things you can do to make sure you’re choosing the right one for your purposes and one that is well maintained.

Research — Google is your friend, search what it is you want to do, find a few plugins and read the reviews. Like anything else you want to see that other users are having a good experience with a plugin.

WordPress’s plugin directory — Check the rating and the approximate number of installs. If a plugin has a good rating and thousands of installs, it is likely a decent solution. Each plugin also has a “Support” tab on its directory page; take a look at the posts there. Are there any obvious problems? Does the plugin author actually contribute and answer questions? Another thing to check is “last updated”. Does it seem like this plugin is well maintained, or has it been 2 years since it was last updated? Remember that things change; an out of date or unmaintained plugin can be a problem. The other thing to be aware of is the “tested up to” version: does the plugin say it is compatible with the latest version of WordPress? (Note that this tends to lag a bit, especially immediately after a WordPress core update, so just make sure it’s a relatively recent version and not something 3 years old!)
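The directory checks above, turned into code as an added example (not from the original post). It assumes $info is the decoded JSON that the WordPress.org plugin information API returns for a plugin; the field names used are taken from memory of that API and should be checked against a live response, and the sample array is constructed.

```php
<?php
// Added example: score a plugin's directory metadata against the checks
// described in the post. Field names (last_updated, tested, active_installs,
// rating, support_threads, support_threads_resolved) are assumed to match the
// WordPress.org plugin information API; verify them against a real response.
function assessPlugin(array $info, string $currentWp, int $maxStaleDays = 365): array
{
    $warnings = [];
    // "Last updated": flag a plugin nobody has touched in a year or more.
    $updated = isset($info['last_updated']) ? strtotime($info['last_updated']) : false;
    if ($updated === false) {
        $warnings[] = 'no last_updated date';
    } elseif ((time() - $updated) / 86400 > $maxStaleDays) {
        $warnings[] = "not updated in over {$maxStaleDays} days";
    }

    // "Tested up to": version_compare handles 4.7 vs 4.7.1 vs 3.9.1 correctly.
    $tested = $info['tested'] ?? '0';
    if (version_compare($tested, $currentWp, '<')) {
        $warnings[] = "tested up to {$tested}, but current core is {$currentWp}";
    }

    // Rating (a percentage) and install base: low numbers mean look harder.
    if (($info['active_installs'] ?? 0) < 1000 || ($info['rating'] ?? 0) < 80) {
        $warnings[] = 'small install base or rating below 80%: read the reviews';
    }

    // "Support" tab: does the author actually resolve threads?
    $threads  = $info['support_threads'] ?? 0;
    $resolved = $info['support_threads_resolved'] ?? 0;
    if ($threads > 0 && $resolved / $threads < 0.5) {
        $warnings[] = 'less than half of recent support threads resolved';
    }

    return $warnings;
}

// Constructed sample in the API's shape: an abandoned-looking plugin.
$sample = [
    'last_updated'             => '2014-06-01 10:00am GMT',
    'tested'                   => '3.9.1',
    'active_installs'          => 400,
    'rating'                   => 64,
    'support_threads'          => 20,
    'support_threads_resolved' => 3,
];
foreach (assessPlugin($sample, '4.7') as $warning) {
    echo "warning: {$warning}\n";
}
```

For the constructed sample every check fires; a well maintained plugin with thousands of installs returns an empty array.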

Turn off file editing in the WordPress admin panel

On the off chance someone does gain access to your WordPress backend, you can prevent that from having even worse consequences by disabling file editing from the backend. This stops anyone with unauthorized access from using the built-in editor to add insecure scripts and functions to your theme and plugin files.

Just add this one line to your wp-config.php file.

define( 'DISALLOW_FILE_EDIT', true );

Use environment variables in your wp-config.php

Your wp-config file contains a lot of sensitive data that a hacker would love to get their hands on (database credentials, authentication keys and salts), so not actually storing that data in the file itself makes your install a lot safer.

There are a number of ways to set and retrieve environment variables, but in my opinion using PHP DotEnv is the easiest. This article by Scotch.io explains most of the methods of storing and retrieving environment variables, including DotEnv, and this one by Roots explains which parts of your wp-config should be stored directly in the file, which should be in environment variables, and why.
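A wp-config.php that puts the three wp-config measures from this post together (environment variables via DotEnv, the moved /content directory, and DISALLOW_FILE_EDIT), as an added example rather than the post's or calder.io's own configuration. It assumes the vlucas/phpdotenv v5 API installed via Composer, that wp-config.php sits in the web root with vendor/ and .env one level above it (outside the web root), and that .env also carries WP_HOME with the site's URL.

```php
<?php
// Added example, not the post's own config: a wp-config.php that loads its
// secrets from a .env file with vlucas/phpdotenv (v5 API) and applies the other
// wp-config hardening from the post. Assumed layout: wp-config.php in the web
// root, vendor/ and .env one level above it so the web server never serves them.
require_once dirname(__DIR__) . '/vendor/autoload.php';

$dotenv = Dotenv\Dotenv::createImmutable(dirname(__DIR__));
$dotenv->load();

$secrets = [
    'DB_NAME', 'DB_USER', 'DB_PASSWORD',
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];
// Refuse to boot with a missing or empty value instead of silently using ''.
$dotenv->required(array_merge($secrets, ['WP_HOME']))->notEmpty();

// Database credentials come from the environment, never from this file.
define('DB_NAME', $_ENV['DB_NAME']);
define('DB_USER', $_ENV['DB_USER']);
define('DB_PASSWORD', $_ENV['DB_PASSWORD']);
define('DB_HOST', $_ENV['DB_HOST'] ?? 'localhost');
define('DB_CHARSET', 'utf8mb4');
define('DB_COLLATE', '');

// Authentication keys and salts are unique per site; rotate them in .env.
foreach (array_slice($secrets, 3) as $key) {
    define($key, $_ENV[$key]);
}

// Non-secret settings stay in the file (see the Roots article linked above).
$table_prefix = 'wp_';

// "Change your directory structure": plugins and themes live in /content
// instead of the default /wp-content.
define('WP_CONTENT_DIR', __DIR__ . '/content');
define('WP_CONTENT_URL', $_ENV['WP_HOME'] . '/content');

// "Turn off file editing": no theme/plugin editor in the admin panel.
define('DISALLOW_FILE_EDIT', true);

if (!defined('ABSPATH')) {
    define('ABSPATH', __DIR__ . '/');
}
require_once ABSPATH . 'wp-settings.php';
```

Keep .env out of version control and readable only by the PHP process; the .env.example file Bedrock ships as a template is a good pattern for documenting which variables a deployment needs.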

Harden WordPress

Since WordPress is such a complex piece of software, Automattic provides a guide on how to harden it against attacks. I strongly suggest reading and implementing the suggestions outlined in the guide!

Conclusion

WordPress is a very powerful tool for creating websites, and an incredibly popular one. It is unfortunately also a very popular target for hackers, and it is your responsibility to protect your site, your users and the rest of the internet from those hackers.

Take your website’s security seriously, it matters!

If you’d like to discuss a security audit or a support package to help you take care of these issues feel free to contact me at https://calder.io
