WordPress security essentials
Just about eight months ago, SecurityArchitecture.com joined the multitude of websites running WordPress. This change, after more than five years online with a largely custom-coded PHP and HTML setup, enabled a number of stylistic and functional improvements, and facilitated the consolidation of the SecurityArchitecture blog with the rest of the content presented on the site. Adopting a popular platform like WordPress offers a lot of advantages, not least of which is that almost anything you want to do has already been done by someone using WordPress. Similarly, almost any problem or technical issue you might encounter has also been seen (and usually resolved) by someone else. The widespread implementation of WordPress combined with its (relative) ease of use has some negative aspects as well, however, particularly when it comes to cyber security. In much the same way that Microsoft’s Windows operating systems and Windows products face the largest proportion of attacks, malware, and attempted exploits, WordPress is a popular target for attackers, meaning essentially everyone running a WordPress site, no matter how small or off-the-radar, is likely to see a lot of attempted intrusions. While WordPress is famous for its “5-minute install” and an administrative dashboard that requires WordPress users to have little or no technical knowledge to be able to produce a high-quality website, there is almost nothing in the standard installation instructions about security and many WordPress sites are highly vulnerable to attack.
For a site focused on information security, there is an implied obligation to do more (in some cases much more) than the bare minimum when it comes to security. Taking proactive steps to implement a variety of security controls should, however, be a priority for any website. Classic definitions of security include the distinct and inter-related objectives of confidentiality, integrity, and availability, each of which is necessary to maintain the operational state of an application and the data it contains. Conventional information security models also distinguish between preventive, detective, and corrective controls, where we use preventive controls to try to keep unintended or undesirable events from occurring, detective controls to discover when such things have happened, and corrective controls to respond or recover after unwanted events occur. Each of these types of controls is important for a WordPress site, or any application or environment subject to attack. For a web-based application like WordPress, preventive controls typically include firewalls, access controls (like requiring users to log in with a password), and user education like security awareness training. Detective controls include network and application monitoring, vulnerability and malware scanning, and review of audit and event logs. Corrective controls include incident response procedures, file and database backup and recovery capabilities, and (not to be overlooked) planning in advance what to do when something goes wrong.
The good news for WordPress users is that there are multiple security plugins available that enhance site security, provide routine (even continuous) monitoring, and help administrators remove and repair whatever changes or damage an intrusion has caused. A quick online search for “WordPress security plugins” will return dozens of tools and lots of reviews and opinions about which plugins are the best. It is a pointless exercise to try to arrive at a set of recommendations that will work for every WordPress site, since the features and functional purpose of each site are different. From prior experience across multiple WordPress implementations, however, we believe it is a good idea to select and install security plugins that will 1) strengthen access controls; 2) monitor WordPress for activity or changes that could indicate an attempted or successful intrusion; and 3) help “clean” a compromised site and restore normal function. Most available security plugins overlap to some extent in the features they offer, but to provide a complete set of security controls site administrators often need to deploy more than one tool. Most popular free security plugins provide several of the following capabilities, which can, if configured and used properly, strengthen protection for WordPress sites:
- Website firewall
- IP address blacklisting
- Brute force prevention
- Login monitoring
- Malware scanning
- File integrity checking
- File permissions
- Database backups
- Activity logging
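Login monitoring and brute force prevention come down to the same detective control the post mentions earlier: reviewing the web server's access log for repeated failed logins. The following Python script is an added example (not code from the original post or from any plugin) that scans constructed Apache-style log lines for repeated failed POSTs to wp-login.php from one address inside a sliding time window; the threshold and window values are assumptions, and the one WordPress-specific detail it relies on is that a failed login re-renders the form with HTTP 200 while a successful one redirects with 302.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample access log (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2015:14:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "-"
203.0.113.7 - - [10/Mar/2015:14:02:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "-"
203.0.113.7 - - [10/Mar/2015:14:02:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "-"
203.0.113.7 - - [10/Mar/2015:14:02:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "-"
203.0.113.7 - - [10/Mar/2015:14:02:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "-"
198.51.100.4 - - [10/Mar/2015:14:05:30 +0000] "GET /wp-login.php HTTP/1.1" 200 3810 "-" "-"
198.51.100.4 - - [10/Mar/2015:14:05:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "-"
198.51.100.4 - - [10/Mar/2015:14:05:58 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"
"""

def parse(line):
    """Parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    return e

def failed_logins(lines):
    """Yield (ip, timestamp) per failed login. WordPress answers a successful
    POST to wp-login.php with a 302 redirect into wp-admin and a failed one by
    re-rendering the form with HTTP 200; GETs only load the form and are skipped."""
    for line in lines:
        e = parse(line)
        if e and e["method"] == "POST" and e["status"] == 200 and e["path"].startswith("/wp-login.php"):
            yield e["ip"], e["ts"]

def brute_force_sources(lines, threshold=5, window_s=300):
    """Set of IPs with at least `threshold` failures inside any `window_s` seconds."""
    recent, flagged = defaultdict(deque), set()
    for ip, ts in sorted(failed_logins(lines), key=lambda x: x[1]):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # expire attempts outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return flagged
```

Running `brute_force_sources(SAMPLE_LOG.splitlines())` flags only 203.0.113.7; the legitimate user's single mistyped password followed by a 302 is not counted, which is the distinction a plugin's login monitor has to make before it adds an address to a blacklist.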
For commercial, professional, or high-traffic sites, administrators may also want to consider additional subscription services such as active scanning, web application firewalls, denial-of-service protection, and post-intrusion cleanup and restoration services.