How to Secure Your WordPress

In this post I’ll be covering the basic steps you’ll need to undertake to secure your WordPress. This isn’t meant as a complete list of everything that you might need to do. What this post covers is the bare minimum you’ll need to undertake with regard to securing your WordPress installation.


Before you begin securing your WordPress.

The first thing to bear in mind when using WordPress is that it was originally developed to be a blogging platform. Blogs provide functionality that’s specific to blogs, such as users registering so they receive updates about new posts, maybe even contributing to blog posts, and commenting on blog posts.

If you’re using WordPress to publish a site, rather than a blog, you don’t need the functionality of a blog. So you’re going to need to turn some of the blog type functions off.

Why?

It’s not the functions themselves that are the problem, it’s what could potentially be done with them.

Let’s, for example, say you leave user registration enabled. This means anyone can register, and they’ll get a login for your site. They can’t do much with this login alone, but if you’re accidentally running something with a user privilege escalation vulnerability they could then use this to turn their user into an administrator and take over your site.

I’ll admit the risk isn’t enormous, but it is there, and you have to bear in mind that your site is on the internet, so anyone in the world can access it.

There’s quite a bit of “this kind of thing” in WordPress, so part of securing your WordPress involves turning things off.

The other thing to bear in mind is that a lot of probing (looking for mechanisms in sites that can be exploited) is fully automated and hundreds of checks for mechanisms to exploit can be carried out in under a minute.

So as well as turning off some blog functions, you’re also going to need to take some additional steps to make sure that your WordPress isn’t prone to being hacked.

There are generally two key principles that will help you gain a reasonable perspective of security:

  1. Prevention is better than cure. Try not to get hacked in the first place.
  2. Assume your site will be probed or targeted. Because, at some point, it probably will.

So now let’s take some steps to secure your WordPress.


Turning off the Blog functions.

User Registration.

First, you’ll need to disable user registration if your site doesn’t need this functionality. You might need this functionality if you are running a blog, and would like people to be able to contribute, or if you’re running an online shop and would like visitors to be able to register accounts. If you don’t need people to be able to register for your site, turning off user registration is advisable.

As I’ve mentioned above, disabling user registration is a precautionary measure against allowing people to create users within your WordPress installation. This prevents users from being able to make use of user privilege escalation vulnerabilities should there be any.

To disable user registration, hover over “Settings” and then click on “General”:

[Screenshot: Settings menu, General]

If you then scroll down, you’ll see an “anyone can register” tick option, untick this, then click “save changes” at the bottom of the page, like this:

[Screenshot: WordPress disable user registration]

User registration has now been disabled for your WordPress installation.

Comments

Comments aren’t really a security risk, but they can still be abused. Comments being enabled allows visitors to comment on your site’s posts or pages. The abuse that comments suffer from mostly consists of visitors leaving spammy comments that contain links. These links give the site they point to more backlinks and a higher domain authority. It’s effectively SEO spam. Although this is annoying, it’s not a security issue in itself.

If you’d like to disable comments, you’ll need to log in to your WordPress, then hover your mouse over “Settings” in the menu on the left hand side, then click “Discussion”, like this:

[Screenshot: Settings menu, Discussion]

You’ll then be presented with WordPress’ “Discussion” settings. In this area we need to untick “Allow people to submit comments on new posts” and we also need to tick “Users must be registered and logged in to comment”, like this: 

[Screenshot: WordPress disable comments]

And now we need to save these changes by clicking “Save changes” at the bottom of the page, like this:

[Screenshot: save your changes]

You should, by now, have user registration disabled, and also comments disabled. Due to this, nobody can create users within your WordPress, and nobody can leave spammy comments on your site’s posts or pages.


Regularly Apply Updates to your WordPress.

The next thing we’re going to do is install a plugin that forces automatic updates.

Why?

Vulnerabilities in plugins, themes and WordPress core are frequently discovered. From the author’s perspective it’s not always easy to know if the code they’re deploying is 100% secure. It’s when a vulnerability is discovered that malicious parties try to exploit it. The authors release updates to patch against discovered vulnerabilities.

If you don’t apply available updates, then you’re potentially running a vulnerable site. Also, if you’re thinking you’ll do this manually, you might want to think again (or never go on holiday). Not applying updates is almost like asking to be hacked. Apply your updates people!

So let’s install an update manager plugin. We’re going to install Easy Updates Manager. 

Install an updates Manager plugin.

In this example, we’ll be using the “easy updates manager” plugin to automatically apply updates.

To install a plugin, hover over on plugins then click on “add new”:

[Screenshot: add new plugin]

As we want to install the Easy Updates Manager plugin, just type:

easy updates manager

In the “search plugins” box, then wait.

[Screenshot: WordPress plugin install, search for plugin]

And you’ll then see this:

[Screenshot: install Easy Updates Manager plugin]

Now click on “Install now” in the easy updates manager section, like this:

[Screenshot: Install Easy Updates Manager plugin]

Then wait a few moments, and the “Install now” button will turn into an “Activate” button. Click this:

[Screenshot: Activate Easy Updates Manager plugin]

You’ve now installed and activated the Easy Updates Manager plugin. Now we need to configure it.

Hover over “Dashboard” at the top of the menu on the left, then click on “Updates Options”, like this:

[Screenshot: Easy Updates Manager, Updates Options]

You’ll now be presented with the options available to configure Easy Updates Manager, which looks like this:

[Screenshot: Easy Updates Manager configuration options]

The objective here is to apply any and all available updates as and when they become available. This is quite straightforward to achieve, you just click on “Enable all updates”, then wait a few moments, then click on “Auto update everything”. Like this:

[Screenshot: Easy Updates Manager, update everything all the time]

Well done, your WordPress installation is now going to update itself (even when you’re on holiday).

The next step is quite vital to securing your WordPress installation.


Install and configure a security plugin.

Yes, that’s right, you need to install and configure a security plugin.

There are a lot of security plugins available. Maybe around 1000.

The one we’re going to use is called “Solid Security”. The reason we’re using this plugin is because I’ve had good experience with it, as have some of my customers. They also send a monthly email listing recent plugin, theme and WordPress core vulnerabilities, which is a handy resource.

Solid Security is quite lightweight and doesn’t have much of an impact on things like page load times and site performance, whereas other security plugins can, with their base config in effect, do things like log all site requests in your site’s database, so you end up with more processing when a visitor accesses a page, and a massive database. There is a small database overhead when using Solid Security, but it’s not that big, and you’re most likely going to have some sort of overhead when using any security plugin.

You can use a different security plugin if you like, but if you do, make sure that you:

  • Have brute force protection in place and block accordingly
  • Restrict access to XML-RPC (unless your site requires this function)
  • Restrict access to the REST API (unless your site requires this function)
  • Protect theme and plugin PHP

What you’re doing with the above is respectively:

  • Preventing repeated password guessing (given enough guesses, a computer can work out a username and password).
  • Disabling a login mechanism (XML-RPC) that’s often not taken into account.
  • Restricting access to a programming interface that provides a way to retrieve, create, update, and delete data from a WordPress website remotely.
  • Protecting theme and plugin PHP from being accessed, and potentially exploited, directly.

OK, so let’s install and activate Solid Security. The installation process is the same as you carried out for Easy Updates Manager. Firstly, hover over “Plugins” in the menu on the left hand side, then click on “Add New”:

[Screenshot: add new plugin]

Then, in the “search plugins” box toward the top right type:

solid security

Then wait a few moments:

[Screenshot: search for Solid Security plugin]

And you’ll see Solid Security in the search results. Click on “install now” in the Solid Security section:

[Screenshot: Install Solid Security plugin]

It will take a few moments to install Solid Security. When this has completed, click “Activate now”:

[Screenshot: activate Solid Security plugin]

Once the activation has completed, refresh the page and you’ll see “Security” in the menu on the left hand side. Hover over “Security” then click on “Setup”:

[Screenshot: Start Solid Security setup wizard]

You’ll then be presented with a page of options. This is the beginning of the Solid Security (formerly iThemes Security) setup wizard, which will walk you through the basic security configuration.

Initially you’ll be asked to choose an option that best describes your site:

[Screenshot: Solid Security setup wizard, select type of site]

What you’ll need to choose here is dictated by the type of site you’re making. Usually “brochure” or “portfolio” are suitable if you’re making a site simply to promote yourself or your business.

I’m going to select the “Brochure” option, although if you intend to run a blog or a shop you’d want to click on the respective option. Let’s go with brochure for now:

[Screenshot: Solid Security setup wizard, select site type]

On the following page it’s advisable to enable the “Enable Security Check Pro” option, then click Next:

[Screenshot: Solid Security setup wizard, enable Security Check Pro]

Whether you enable Security Check Pro is up to you. Whilst this is arguably more secure and does carry out an “is this a nasty IP requesting my site?” type check, it does turn this:

Hey server can I have this site? Sure here it is.

In to:

Hey server, can I have this site? Let me check with Solid Security… Solid Security can this IP have this site? Let me check, OK, that’s a good IP you can give it the site. Thanks, I’ll give them the site. Hey, that site you wanted here it is.

What I’m saying here is that activating this option adds additional transactions into a page request, involving an external source, which might have a load time overhead, but enabling this option will enhance security for your site.

On the following page, you’re asked to choose if you’re making a site for yourself or someone else:

[Screenshot: Solid Security setup wizard, own site or for someone else]

The reason you’re being presented with the option above is because if you are making a site for someone else, you might want to control what they do and don’t have access to. For example, if you’re making a site for a customer you might not want them to be able to adjust security settings.

If you ARE making a site for a client, you’ll need to have the client’s users in place already as the subsequent options dictate what they can and can’t do.

For simplicity’s sake, I’m going to select “my own website” so that we can see the respective options.

On the following page, it’s advisable to enforce a password policy.

[Screenshot: Solid Security setup wizard, enforce password policy]

Enabling a password policy makes users select strong passwords and also stops them from setting passwords that have previously been leaked or obtained by malicious parties (this helps prevent credential stuffing). Click “Next” to proceed.

You’ll then be presented with some IP address related options. I’d suggest setting the “security check scan” in the “proxy detection” section:

[Screenshot: Solid Security setup wizard, IP detection]

The Security Check Scan option helps prevent IP address spoofing, which can be used to get around features such as site lockouts (you want malicious login attempts to be blocked by site lockouts, for example).

You can add your IP address in the “Authorised IP addresses” section to prevent you locking yourself out (by entering incorrect passwords multiple times), but unless you’re using a static IP address, your IP address will change, which negates the authorisation. It’s up to you if you do this, but you’ll most likely still need to be careful when entering passwords.

Again, click “Next” to proceed.

You can also enable 2 factor authentication if you want. Two-Factor Authentication greatly increases the security of your WordPress user account by requiring additional information beyond your username and password in order to log in. This is usually a code emailed to a specified email address.

It’s a good idea to have 2 factor authentication enabled to add an additional layer of security to your site’s login mechanism.

[Screenshot: Solid Security setup wizard, enable two-factor authentication]

After enabling 2 factor authentication, click on “firewall”:

[Screenshot: Solid Security setup wizard, firewall]

And you’ll then be presented with firewall options:

[Screenshot: Solid Security setup wizard, firewall options]

The firewall is essentially blocking based on activity, or certain access types that your site detects.

You need the firewall rules engine to be enabled so that blocking can take place under certain conditions, such as a known bad user agent or a bot trying to access or break into your site.

For example, if someone tries to break into your site by repeatedly guessing a password, it would be a good idea for them to be blocked. The local brute force protection option enables this type of protection.

The network brute force option does need an API key (which is emailed to you), but this effectively allows sites to collaborate and share information about known bad actors.
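To show what the local brute force protection described above actually does, here is an added example of a small must-use plugin that counts failed logins per client address and refuses further attempts once a limit is reached. This is my own illustration, not code from the post or from the Solid Security project; the file name, constant names and `lockout_` function names are assumptions, while the hooks (`wp_login_failed`, `authenticate`, `wp_login`) and transient functions are standard WordPress APIs.

```php
<?php
/**
 * Plugin Name: Local Brute Force Lockout (constructed example)
 *
 * Assumed location: wp-content/mu-plugins/local-lockout.php. Counts failed
 * logins per client address and refuses further attempts once the limit is
 * reached, which is what the "local brute force protection" option does.
 */

const LOCKOUT_MAX_ATTEMPTS = 5;                      // failures allowed per window
const LOCKOUT_WINDOW       = 5 * MINUTE_IN_SECONDS;  // window the failures are counted in
const LOCKOUT_DURATION     = 15 * MINUTE_IN_SECONDS; // how long logins are refused

// Only REMOTE_ADDR is trusted: reading X-Forwarded-For would let a client
// choose its own address (the spoofing the "IP detection" step warns about).
// Behind a reverse proxy REMOTE_ADDR is the proxy itself, so this would lock
// out everyone; configure real-IP handling at the web server first.
function lockout_client_key( $prefix ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return $prefix . md5( $ip );
}

function lockout_is_active() {
    return false !== get_transient( lockout_client_key( 'bf_lock_' ) );
}

// Record a failure; when the count reaches the limit, start the lockout.
add_action( 'wp_login_failed', function ( $username ) {
    if ( lockout_is_active() ) {
        return; // attempts made while locked are not counted again
    }
    $key      = lockout_client_key( 'bf_fail_' );
    $failures = (int) get_transient( $key ) + 1;
    set_transient( $key, $failures, LOCKOUT_WINDOW );

    if ( $failures >= LOCKOUT_MAX_ATTEMPTS ) {
        set_transient( lockout_client_key( 'bf_lock_' ), time(), LOCKOUT_DURATION );
        delete_transient( $key );
        error_log( sprintf( 'Login lockout started after %d failures (last username tried: %s)',
            $failures, $username ) );
    }
} );

// While locked, replace whatever the built-in checks returned with an error.
// Priority 30 runs after WordPress's own username/password filter (20), so a
// correct password is refused as well and the response reveals nothing.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( lockout_is_active() ) {
        return new WP_Error( 'too_many_attempts', 'Too many failed logins. Try again later.' );
    }
    return $user;
}, 30, 3 );

// A successful login clears the failure counter for this address.
add_action( 'wp_login', function () {
    delete_transient( lockout_client_key( 'bf_fail_' ) );
}, 10, 0 );
```

The lockout lines written to the PHP error log are the place to look when checking whether a site is being probed, and they are exactly the sort of event a security plugin will also show in its own log.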

It’s advisable to enable and configure all the firewall options, then click “site check”:

[Screenshot: Solid Security setup wizard, site check]

Enable the site scan to allow Solid Security to scan your site and alert you if problems are found:

[Screenshot: Solid Security setup wizard, site check enabled]

The “Utilities” section just covers the “Security Check Pro” option which we enabled earlier, so click “Next”:

[Screenshot: Solid Security setup wizard, utilities]

You’ll then be presented with “user group” options:

[Screenshot: Solid Security setup wizard, user groups]

No matter which of the 2 options you select here it takes you to the same page, where you can configure groups of users, and what the groups of users can do:

[Screenshot: Solid Security setup wizard, user group configuration]

Whether you’ll need to configure user groups and manage what they can and can’t do depends a lot on how your site works, and who adds content to it.

If it’s just going to be you updating the site, and you always want administrator access, then there’s only one administrator user (you), so you’d simply configure the administrator group according to how you want to work.

If you’re making the site for a customer and they’re an Editor user, you could potentially limit access to certain things such as the ability to administer security settings, and if they don’t want to use it you could potentially disable two factor authentication.

If the site is a blog with contributors, or a store that allows users to create accounts, you can use the “contributors” and “everyone else” options to restrict what these users can do, or enforce strong passwords, and maybe disable two factor authentication for store accounts if you want to.

Once you’ve specified your preferred options, click “Next”.

On the final page of the wizard, you need to specify a “from” address that Solid Security will use to send notifications from. You can make up the part before the @ sign, but the part after it should be your site’s domain. The main thing is that you’ll need to receive notifications from Solid Security; these will be sent to the email address you used when installing WordPress. Once you’ve entered an email address, click “Complete setup”:

[Screenshot: Solid Security setup wizard, set notification from address]

On the next page click “Settings” to access additional settings:

[Screenshot: Solid Security, go to settings]

Once on the settings page, you can click on “Advanced” on the left hand side to see some further configuration options:

[Screenshot: Solid Security settings]

On the Advanced page, click the small down-pointing arrow on the same line as “System Tweaks”:

[Screenshot: Solid Security settings, expand System Tweaks]

And you’ll see additional system tweak options:

[Screenshot: Solid Security System Tweaks]

It’s generally a good idea to have the system tweak options all ticked (as above).

What these options do is protect aspects of your WordPress installation that malicious parties could potentially use to gain helpful information or access to parts of your WordPress:

Protect system files: This prevents certain files (that might give away information that’s helpful to attackers) from being read externally.

Disable directory listing: This prevents the file structure of your WordPress being exposed if part of it isn’t functioning correctly.

Disable PHP in uploads/plugins/themes: This prevents PHP files inside the uploads, plugins and themes directories from being requested directly by an external source. Requesting a plugin’s PHP files directly is often how an attacker exploits a vulnerability in that plugin, so enabling this makes a lot of potential exploits unusable.

Next, expand the WordPress Tweaks section by clicking the small down-pointing arrow on the same line as “WordPress Tweaks”:

[Screenshot: Solid Security, expand WordPress Tweaks]

And you’ll see additional WordPress tweak options:

[Screenshot: Solid Security WordPress Tweaks]

Disable the file editor: This disables the WordPress theme and file editor in the dashboard, which could otherwise be used to add malicious code to your site’s files.

Set “XML-RPC” to “Disable” if you can (you may have to leave it enabled if your site needs XML-RPC to function). XML-RPC has its own authentication mechanism, so if you don’t protect it, it can be used to brute force access to your WordPress.

Then scroll down, and in the REST API section select “Restricted Access” to prevent public access to information that you believe is private on your site.

There is a “hide login” section that you can use to change the wp-admin part of your back end login to something else. You can configure this if you like, but don’t forget what you set this to!

Once you’ve configured the above, click the save button:

[Screenshot: Solid Security WordPress Tweaks, save]
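The WordPress Tweaks just configured, together with the “turn off the blog functions” steps and the checklist given earlier for any security plugin, can also be enforced from code, which is useful as a backstop if a plugin is ever deactivated. The following must-use plugin is an added example of my own, not code from the post or from Solid Security; the file name and plugin name are assumptions, and every hook and constant used is a standard WordPress API.

```php
<?php
/**
 * Plugin Name: Baseline Hardening (constructed example)
 *
 * Assumed location: wp-content/mu-plugins/baseline-hardening.php, so it
 * loads on every request and cannot be switched off from the dashboard.
 */

// "Turning off the blog functions": nobody can self-register, and new posts
// start with comments and pingbacks closed (existing posts keep their setting).
add_filter( 'pre_option_users_can_register', '__return_zero' );
add_filter( 'pre_option_default_comment_status', function () { return 'closed'; } );
add_filter( 'pre_option_default_ping_status', function () { return 'closed'; } );

// XML-RPC has its own login path. xmlrpc_enabled switches off the methods that
// take credentials; emptying the method list also drops pingback.ping.
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'xmlrpc_methods', '__return_empty_array' );

// Stop advertising the endpoint in the X-Pingback response header.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Disable the theme/file editor in the dashboard (wp-config.php is the usual
// place for this constant; defining it here works because mu-plugins load
// before the admin menus are built).
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}

// REST API "Restricted Access": anonymous requests get a 401 while logged-in
// users keep working (the block editor and most plugins need the API).
// Caveat: front-end features that call the API anonymously (some contact
// form plugins, for example) will stop working; test the site afterwards.
add_filter( 'rest_authentication_errors', function ( $result ) {
    if ( ! empty( $result ) ) {
        return $result; // an earlier check already decided (true, or an error)
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            'Authentication required.',
            array( 'status' => 401 )
        );
    }
    return $result;
} );
```

Because these filters override the stored options rather than changing them, the Settings pages will still show the ticked boxes, which is a handy way to notice if someone tries to turn registration or comments back on.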

Congratulations, you’ve taken the fundamental security steps to bring a base level of security in to effect on your WordPress installation.
