In this post we collect the main suggestions to increase the security of your WordPress.
Suggestions marked “(custom server)” apply when you have your own dedicated server.
- Keep your server and applications updated. (custom server)
This is the first and most important suggestion. We will repeat it a million times: update your application, update your plugins, update your themes. These are the main sources of vulnerabilities and you need to keep them always updated. When a vulnerability is disclosed, you are at risk. If the update breaks your theme, change the theme; do not postpone updates. Refer to the official guide Updating WordPress. The same goes for your plugins. So take your backups to roll back in case of blocking problems, and keep all your components updated, from the operating system to Apache httpd with its modules, the PHP version, the WordPress application, WP plugins and themes.

- Secure your server ports. (custom server)
Be sure your server is accessible only on the minimum ports necessary. On a Linux server, scanning the ports you should find only 22 and 80 open (443 too if you use https). If you see more ports open, close them, because they are not needed. If you have an external firewall, or an external service acting as a firewall (for example an AWS Security Group), that is the best solution. If your server is a public server without any appliance in front of it, use iptables to open only the ports you need. This is an example of a simple standard iptables file:

```
# Firewall configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
```

For ssh, remember to secure Linux ssh with public-key authentication as described in detail in the post.
Please do not install any software that is not strictly necessary, such as webmin, phpMyAdmin or similar: it can be a source of problems. Always start from a minimal Linux installation and add only what you really need.

- Choose reliable components
When you need a component, theme or plugin, choose a reliable one from a trusted source. Get it from the WordPress repository built into your installation (do not download components from elsewhere on the internet), pick the one fully compatible with your WP version, check that its last update is not older than 1 year (better if less than 3 months) and that it has a 4-5 star rating; I also suggest components with a higher number of downloads.

- Clean up your WordPress installation
Remove any plugin or theme you no longer need. Backups will be faster and you reduce the possible vulnerabilities introduced by installed plugins.

- Backup your WordPress
It is not a direct security suggestion, but it is how you prepare yourself to handle an emergency. Back up frequently, store backups outside your server (otherwise it is the same as not taking them), do not overwrite backups and take care of retention: if you keep only the last 7 daily backups and realize 8 days later that somebody deleted your posts, today is too late!! Better to keep your last 4 “Sunday” backups together with your last 7 daily backups. You can manage backups yourself or use any “ready to use” plugin. Remember to back up your system configuration files too (httpd, fail2ban, etc.).

- Enable 2 steps authentication
You can add an extra security level to your login with a one-time password (OTP). After you fill in your username and password, WP asks you for an additional password, different every time, which you retrieve from an app on your smartphone or receive via email or SMS. This completes the triplet for a secure login: something you are (username), something you know (password) and something you have (your token to generate the OTP). There are many plugins implementing 2-step authentication. We chose Google Authenticator as OTP generator: it is a simple, light app for your smartphone and very easy to set up. Searching for Google Authenticator in your plugin repository you will find many plugins implementing it.

- Keep attackers out of your server (custom server)
Block every IP that tries to log in to your WP without authorization. You can do it automatically using fail2ban. Detailed instructions are in the blog post Protect WordPress Login with Fail2Ban.

- Install a WAF – Web Application Firewall (custom server)
Install a WAF such as mod_security on your dedicated server, or ask your provider whether they offer shared devices like an IDS/IPS (intrusion detection system / intrusion prevention system). If regularly updated, these systems can block attacks against your application, such as SQL injection and cross-site scripting, and block the exploitation of specific application vulnerabilities.

- If possible use https protocol to login (custom server)
Check whether https is available on your platform or on your server: just open your WP homepage with https://…… If it works, you can force your login to use https by adding these 2 lines to your wp-config.php:

```php
define('FORCE_SSL_LOGIN', true);
define('FORCE_SSL_ADMIN', true);
```

- Administrators should not Blog (custom server)
Keep the usernames of administrators as secret as possible: use an Editor account to write blog posts and the Administrator account only for administrative tasks. There is the cost of duplicating some users (I have 2 personal users, one administrator and one editor), but it is a best practice. For anyone trying to break in, the username is half of the work.
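The retention policy from the "Backup your WordPress" item above (last 7 daily backups plus last 4 "Sunday" backups), as an added example that is not part of the original post; the `wp-backup-YYYY-MM-DD.tar.gz` naming scheme and the sample list of backups are assumptions constructed for the demonstration.

```python
# Added example, not from the original post: implement the retention policy
# described above (keep the last 7 daily backups plus the last 4 "Sunday"
# backups). The filename scheme and the sample backup list are constructed.
from datetime import date, timedelta

PREFIX = "wp-backup-"   # hypothetical naming: wp-backup-YYYY-MM-DD.tar.gz
SUFFIX = ".tar.gz"

def parse_backup_date(name):
    """Return the date encoded in a backup filename, or None if it does not fit the scheme."""
    if not (name.startswith(PREFIX) and name.endswith(SUFFIX)):
        return None
    try:
        return date.fromisoformat(name[len(PREFIX):-len(SUFFIX)])
    except ValueError:
        return None

def select_backups_to_keep(names, today, daily=7, weekly=4):
    """Keep the newest `daily` backups of any weekday and the newest `weekly`
    backups taken on a Sunday; backups dated after `today` are ignored."""
    dated = []
    for name in names:
        d = parse_backup_date(name)
        if d is not None and d <= today:
            dated.append((d, name))
    dated.sort(reverse=True)  # newest first
    keep = {name for _, name in dated[:daily]}
    sundays = [name for d, name in dated if d.isoweekday() == 7]
    keep.update(sundays[:weekly])
    return sorted(keep)

def backups_to_delete(names, today, daily=7, weekly=4):
    """Everything that matches the scheme but is not selected for retention."""
    keep = set(select_backups_to_keep(names, today, daily, weekly))
    return sorted(n for n in names if parse_backup_date(n) is not None and n not in keep)

# Constructed sample: 40 consecutive daily backups ending on 2024-03-31 (a Sunday).
TODAY = date(2024, 3, 31)
SAMPLE_BACKUPS = [
    f"{PREFIX}{(TODAY - timedelta(days=i)).isoformat()}{SUFFIX}" for i in range(40)
]

if __name__ == "__main__":
    print("keep:", select_backups_to_keep(SAMPLE_BACKUPS, TODAY))
    print("delete:", len(backups_to_delete(SAMPLE_BACKUPS, TODAY)), "files")
```

On the sample set the policy keeps 10 files (7 daily plus the 3 Sundays not already among them) and marks the other 30 for deletion.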
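How the "every time different" password of the 2-step authentication item works, as an added example that is not part of the original post nor the code of any WordPress plugin: a minimal TOTP (RFC 6238, the scheme Google Authenticator implements) generator and verifier; the shared secret used is the RFC 6238 test key, not a real one.

```python
# Added example, not from the original post and not the code of any WordPress
# plugin: a minimal TOTP (RFC 6238, as used by Google Authenticator) generator
# and verifier, showing why the second password differs every time. The shared
# secret here is the RFC 6238 test key, base32-encoded as an app would get it.
import base64
import hashlib
import hmac
import struct
import time

DIGITS = 6
STEP_SECONDS = 30

def totp(secret_b32, for_time, digits=DIGITS, step=STEP_SECONDS):
    """Return the TOTP code for the given Unix time from a base32 shared secret."""
    key = base64.b32decode(secret_b32.upper())
    counter = int(for_time) // step                     # time steps since epoch
    msg = struct.pack(">Q", counter)                    # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()  # HOTP uses HMAC-SHA1
    offset = digest[-1] & 0x0F                          # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def verify_totp(secret_b32, submitted, now=None, drift_steps=1):
    """Accept a submitted code if it matches the current step or the
    neighbouring steps (clock drift), comparing in constant time."""
    now = time.time() if now is None else now
    for k in range(-drift_steps, drift_steps + 1):
        expected = totp(secret_b32, now + k * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False

# RFC 6238 test secret "12345678901234567890" in base32 (constructed input).
TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print(totp(TEST_SECRET, 59))           # 287082 (RFC 6238 vector, last 6 digits)
    print(totp(TEST_SECRET, time.time()))  # what the authenticator app shows now
```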
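The check behind the "Keep attackers out of your server" item, as an added example that is neither part of the original post nor fail2ban's own code: the detection fail2ban automates, run over constructed Apache combined-format access log lines to find IPs repeatedly POSTing to wp-login.php; the IPs, timestamps, threshold and window are assumptions.

```python
# Added example (not from the original post, nor fail2ban's own code): the
# check fail2ban automates, run over Apache combined-format access log lines.
# It flags IPs that POST to wp-login.php more than `threshold` times within
# any `window_seconds` span. The sample log lines are constructed.
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, method, path) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path")

def find_login_abusers(lines, threshold=5, window_seconds=600):
    """Map each offending IP to its highest wp-login.php POST count inside one window."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3].split("?")[0].endswith("/wp-login.php"):
            attempts[rec[0]].append(rec[1])
    abusers = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # advance the window start until it spans at most window_seconds
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count > threshold:
                abusers[ip] = max(abusers.get(ip, 0), count)
    return abusers

# Constructed sample: one client hammering the login form, one normal user.
SAMPLE_LOG = [
    f'203.0.113.7 - - [31/Mar/2024:10:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3712 "-" "curl/8.0"'
    for s in (1, 9, 18, 27, 35, 44)
] + [
    '198.51.100.2 - - [31/Mar/2024:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2814 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [31/Mar/2024:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
```

Calling `find_login_abusers(SAMPLE_LOG)` flags only 203.0.113.7 (6 POSTs in 43 seconds); fail2ban would then add that address to the firewall for the configured ban time.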