How to Secure your WordPress
In this post I’ll be covering the basic steps you need to take to secure your WordPress. This isn’t meant as a complete list of everything you might need to do. What this post covers is the bare minimum you’ll need to undertake with regard to securing your WordPress installation.
Before you begin securing your WordPress.
The first thing to bear in mind is that WordPress was originally developed as a blogging platform. Blogs provide functionality that’s specific to blogs: users registering so they receive updates about new posts, maybe even contributing to posts, and commenting on them.
If you’re using WordPress to publish a site, rather than a blog, you don’t need the functionality of a blog. So you’re going to need to turn some of the blog type functions off.
It’s not the functions themselves that are the problem, it’s what could potentially be done with them.
Let’s say, for example, that you leave user registration enabled. This means anyone can register and get a login for your site. By default a self-registered user only gets the Subscriber role, which can’t do much on its own, but a large share of disclosed plugin and theme vulnerabilities need exactly that: some authenticated account, however lowly. If you happen to be running something with a privilege escalation vulnerability, an attacker can use that account to turn themselves into an administrator and take over your site.
I’ll admit the risk isn’t enormous, but it is there, and you have to bear in mind that your site is on the internet, so anyone in the world can access it.
There’s quite a bit of “this kind of thing” in WordPress, so part of securing your WordPress involves turning things off.
The other thing to bear in mind is that a lot of probing (looking for mechanisms in sites that can be exploited) is fully automated: hundreds of checks for exploitable mechanisms can be carried out against a site in under a minute, and the scanners don’t care whether your site is interesting, only whether it’s reachable.
So as well as turning off some blog functions, you’re also going to need to take some additional steps to make sure that your WordPress isn’t prone to being hacked.
Two key principles will help you keep a sensible perspective on security:
- Prevention is better than cure. Try not to get hacked in the first place.
- Assume your site will be probed or targeted. Because, at some point, it probably will.
So now let’s take some steps to secure your WordPress.
Turning off the Blog functions.
First, you’ll need to log in to your WordPress, then hover your mouse over “Settings” in the menu on the left hand side, then click “Discussion”, like this:
You’ll then be presented with WordPress’ “Discussion” settings. In this area we need to untick “Allow people to submit comments on new posts” and tick “Users must be registered and logged in to comment”. Note that the first setting only applies to posts created from now on; any posts or pages you’ve already published keep their own comment setting, so close comments on those individually as well (Quick Edit on the Posts list has an “Allow Comments” tickbox). Like this:
And now we need to save these changes….. by clicking “Save changes” at the bottom of the page, like this:
So you’ve just turned off comments on new posts, which is good… but why turn ON “Users must be registered and logged in to comment”? Because what we’re going to do next is turn off user registration, so nobody can register themselves; between the two settings, nobody who isn’t already a user of your site can comment anywhere. To do this, in the menu on the left hand side hover your mouse over “Settings” then click “General”, like this:
And now we need to make it so that people can’t register. Do this by unticking “Anyone can register”, like this:
And then we need to save this change, just like we did before, by clicking “Save changes” at the bottom of the page. Like this:
OK, well done, that’s part of the effort, but by no means all.
The next thing we’re going to do is install a plugin that forces automatic updates.
Vulnerabilities in plugins, themes and WordPress core are discovered all the time. From the author’s perspective it isn’t always easy to know whether the code they’re shipping is 100% secure, and it’s when a vulnerability is disclosed that malicious parties start trying to exploit it, often within days. The authors release updates to patch against discovered vulnerabilities.
If you don’t apply available updates, then you’re potentially running a vulnerable site. Also, if you’re thinking you’ll do this manually, you might want to think again (or never go on holiday). Not applying updates is almost like asking to be hacked. Apply your updates people!
So let’s install an update manager plugin. We’re going to install Easy Updates Manager. (WordPress core has applied its own minor and security releases automatically since version 3.7, and since 5.5 the Plugins and Themes screens have a per-item “Enable auto-updates” link, so you can get most of the way without a plugin; the plugin just gives you one switch for everything.)
Removing unused plugins.
Before we install an updates manager, we’re going to do a little tidy up as well. To do this you’ll need to click on “Plugins” in the menu on the left hand side:
This will show you the currently installed plugins. Although you haven’t installed these, they come as part of the base WordPress install, so they’re installed by default.
We’re going to delete these.
There are two reasons.
- Every active plugin’s code is loaded on every request for a page of your site. More plugins = more code = longer to load. We want a nice fast site though, don’t we? (A deactivated plugin isn’t loaded, but its files stay on disk and can still be requested directly, so deactivating is not the same as deleting.)
- More plugins = more code bases. More code bases = more potential vulnerabilities.
What do these plugins do? I might need them!
Seeing as you asked…
Akismet is an antispam plugin for blog comments. It stops people leaving spam comments on your blog. You’re not going to be running a blog, you’re going to make a website, and you’ve already disabled comments, so this plugin is currently useless to you. See points 1 and 2 above.
Hello Dolly displays lyrics from the song Hello Dolly in the top right hand corner of pages when you view them while logged in to your WordPress admin area. Handy, eh? It’s also there to be used as a template for people writing their own plugins, but we’re not going to be doing that. See points 1 and 2 above.
Deleting a plugin is straightforward. You just click on the word “Delete” on the same line as the plugin you’d like to delete. A word for the future though: a plugin has to be deactivated before it can be deleted. Neither Hello Dolly nor Akismet is activated on a fresh install, so we can just click on “Delete”. Like this:
And you should then see this:
You’ve just found out how easy it is to uninstall plugins. Installing plugins in WordPress is also quite straightforward.
Install an updates manager plugin.
Now let’s install that Easy Updates Manager plugin.
Still on the same page (plugins), click on the “Add New” button at the top:
You’ll then be presented with a page full of plugins, which is basically the advertising of some popular plugins.
As we want to install the Easy Updates Manager plugin, just type:
easy updates manager
in the “Search plugins” box, then wait.
And you’ll then see this:
Now click on “Install now” in the easy updates manager section, like this:
Then wait a few moments, and the “Install now” button will turn into an “Activate” button. Click this:
You’ve now installed and activated the Easy Updates Manager plugin. Now we need to configure it.
Hover over “Dashboard” at the top of the menu on the left, then click on “Updates Options”, like this:
You’ll now be presented with the options available to configure Easy Updates Manager, which looks like this:
Our objective here is to apply any and all available updates as soon as they become available. This is straightforward to achieve: click on “Enable all updates”, wait a few moments, then click on “Auto update everything”. Like this:
Well done, your WordPress installation will now update itself (even when you’re on holiday). Two caveats: updates are triggered by WP-Cron, which only runs when someone visits the site, so a very quiet site may apply them later than you expect; and an update can occasionally break something, so keep a backup you can restore from and glance at the site after a batch of updates.
The next step is quite vital to securing your WordPress.
Install and configure a security plugin.
Yes, that’s right, you need to install and configure a security plugin.
There are a lot of security plugins available. Maybe around 1000.
The one we’re going to use is called “iThemes Security” (since renamed Solid Security). The reason we’re using this plugin is that I’ve had good experience with it, as have some of my customers. They also send a monthly email listing recent plugin, theme and WordPress core vulnerabilities, which is a handy resource.
iThemes Security is quite lightweight and doesn’t have a negative impact on things like page load times and site performance, whereas other security plugins can, in their base config, do things like log every site request in your site’s database, so you end up with more processing every time a visitor accesses a page, and a massive database.
You can use a different security plugin if you like, but if you do, make sure that it:
- Has brute force protection in place and blocks accordingly
- Restricts access to XML-RPC
- Restricts access to the REST API
- Can monitor for unexpected file changes
What you’re doing with the above is, respectively:
- Preventing repeated password guessing (given enough guesses, a computer can work out a username and password, and the guessing is done by bots, not people).
- Restricting a remote interface (XML-RPC, at /xmlrpc.php) that’s often overlooked. It accepts a username and password on every call, its system.multicall method lets a single HTTP request carry hundreds of password guesses, and its pingback.ping method has been abused to make your server send requests to other sites.
- Restricting a programming interface (the REST API, under /wp-json/) that provides a way to retrieve, create, update and delete data from a WordPress site remotely. Left open, it will hand out your usernames to anyone who asks /wp-json/wp/v2/users, which is half of a login.
- Letting you know if files get changed (as in, you could have been hacked), since backdoors and malware are usually written to disk.
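To make the first two items concrete, here is the lockout logic a brute force protection feature needs, as an added example written for this post; it is not code from iThemes Security or any other plugin. It runs over a handful of constructed web-server access log lines in combined log format: the IP addresses, timestamps and the 5-attempts-in-5-minutes threshold are all made up for the example. The heuristic it relies on is that a POST to wp-login.php answered with HTTP 200 is a failed login (WordPress re-renders the form with an error, while a successful login answers with a 302 redirect), and that every POST to xmlrpc.php counts as an attempt, because a single system.multicall request can carry many guesses.

```python
"""Brute force lockout detection over access log lines (added example, not plugin code)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

MAX_ATTEMPTS = 5      # assumed threshold for the example
WINDOW_SECONDS = 300  # assumed sliding window for the example


def is_login_failure(method, path, status):
    """Heuristic: POST wp-login.php -> 200 is a failed login (302 is success);
    any POST to xmlrpc.php counts, since one multicall can hide many guesses."""
    path = path.split("?")[0]
    if method != "POST":
        return False
    if path.endswith("/wp-login.php"):
        return status == 200
    return path.endswith("/xmlrpc.php")


def find_lockouts(lines, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS):
    """Return {ip: time_of_lockout} for every IP that reaches max_attempts
    failures inside a sliding window of `window` seconds."""
    attempts = defaultdict(deque)
    locked = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        ip = m["ip"]
        if ip in locked:
            continue  # already blocked, nothing more to decide
        if not is_login_failure(m["method"], m["path"], int(m["status"])):
            continue
        t = datetime.strptime(m["ts"], TS_FMT)
        q = attempts[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > window:
            q.popleft()  # drop attempts that have aged out of the window
        if len(q) >= max_attempts:
            locked[ip] = t
    return locked


def _line(ip, ts, method, path, status):
    # Constructed combined-log-format line for the sample data below.
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 1234 "-" "Mozilla/5.0"'


# Constructed sample log: one fast brute-forcer, one real login, one slow
# guesser that never trips the window, one XML-RPC guesser, one page view.
SAMPLE_LOG = (
    [_line("203.0.113.5", f"10/Oct/2023:13:55:{s:02d} +0000", "POST", "/wp-login.php", 200)
     for s in range(0, 30, 5)]                                              # 6 failures in 30 s
    + [_line("198.51.100.7", "10/Oct/2023:13:56:00 +0000", "POST", "/wp-login.php", 302)]  # success
    + [_line("198.51.100.7", "10/Oct/2023:13:56:01 +0000", "GET", "/wp-admin/", 200)]
    + [_line("192.0.2.9", f"10/Oct/2023:14:{m:02d}:00 +0000", "POST", "/wp-login.php", 200)
       for m in (0, 2, 4, 6, 8)]                                            # never 5 within 300 s
    + [_line("203.0.113.77", f"10/Oct/2023:14:10:{s:02d} +0000", "POST", "/xmlrpc.php", 200)
       for s in range(5)]                                                   # multicall guessing
    + [_line("203.0.113.78", "10/Oct/2023:14:11:00 +0000", "GET", "/wp-login.php", 200)]  # viewing form
)

if __name__ == "__main__":
    for ip, when in find_lockouts(SAMPLE_LOG).items():
        print(f"lock out {ip} at {when:%H:%M:%S}")
```

The slow guesser at 192.0.2.9 is the edge case worth noticing: spacing attempts two minutes apart keeps it under a 5-in-300-seconds rule, which is why a network-wide reputation feed (the “network brute force” option later in this post) is worth having on top of the local counter.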
OK, so let’s install and activate iThemes security. The installation process is the same as you carried out for easy updates manager. Firstly, click on “Plugins” in the menu on the left hand side:
Then click on “Add New” at the top of the page:
Then, in the “Search plugins” box toward the top right, type iThemes Security:
Then wait a few moments:
And you’ll see iThemes Security in the search results.
Now click on “install now” in the iThemes Security section, then wait a few moments:
Now click on “Activate” in the iThemes Security section, then wait a few moments:
After activating iThemes security, you’ll see the word “Security” appear in the menu on the left hand side. Click on this to start configuring iThemes security:
You’ll then be presented with a page full of options. It’s not as intense as it looks, this is the beginning of the iThemes security wizard that will walk you through the basic security configuration:
What iThemes is doing here is presenting you with an easy way of configuring its security options based on the type of site you’re going to make.
We’re focussing on making a site for your business, so we’re going to select the “Brochure” option, although if you intend to run a blog or a shop you’d want to click on the respective option. Let’s go with the brochure for now:
You’re then presented with this:
Whether you enable iThemes’ “Security Check Pro” is up to you. It may well make things more secure, and it involves a check against iThemes’ servers, but if that check sat in the path of a page request it would turn this:
Hey server, can I have this site? Sure, here it is.
into this:
Hey server, can I have this site? Let me check with iThemes… iThemes, can this IP have this site? Let me check… OK, that’s a good IP, you can give it the site. Thanks, I’ll give them the site. Hey, that site you wanted, here it is.
What I’m saying is that an option like this adds extra transactions with an external service, which can add load time. Check what the option actually does in the current plugin documentation before deciding; the concern only matters if the check runs on every request rather than once.
I tend to leave this option disabled for that reason, but feel free to turn it on if you want. Then click the “Next” button:
On the following page, click “Self” as you’re making your own site:
On the next page you’re asked whether to enforce a password policy. This is a good idea: it makes users choose strong passwords and stops them setting passwords that have previously been leaked or obtained by malicious parties (this helps prevent credential stuffing, where attackers try username and password pairs from other sites’ breaches against yours):
You’re then presented with further options, one of which I’ve covered above. The ones you MUST turn on are “Local Brute Force” and “Network Brute Force”. These protect against brute force attacks. Assume your site is going to be attacked in this manner, because it will be; everyone’s is at some point.
You can also enable two-factor authentication if you want (as the plugin says, it greatly increases the security of your WordPress user account by requiring additional information beyond your username and password in order to log in). I have seen this go wrong, with people then unable to log in to their WordPress, at which point you need to know how to fix it before you can get back in. It does add security, but it can also add problems. If you turn it on, save the backup codes it gives you somewhere safe, and know that renaming the plugin’s folder over SFTP or SSH deactivates the plugin (and the 2FA requirement with it) as a last resort.
For now, just make sure you have “local brute force” and “network brute force” enabled, then click next:
You’ll then get asked the same things again! Click “Next” through these until you see the page below, then click “Default”:
You’ll then be presented with options covering how different types of users can administer iThemes security. If it’s just you that’s making your site, you can skip this step (click the “Skip user groups” button), but if you intend to allow other people to create content for your site work through this specifying what each user type can and can’t do.
Then click “configure site”:
Set proxy detection according to how your site is served, then click “Next”. This setting is about your server, not your visitors: if your site sits behind a reverse proxy or CDN (Cloudflare, for example), every request reaches WordPress from the proxy’s IP address, and iThemes needs to read the real visitor IP from a header the proxy adds. If you aren’t behind a proxy, set it to “Disabled”; if you are, use the automatic detection or configure the header manually, otherwise a brute force lockout would block the proxy’s IP, and with it every visitor:
On the following page, you need to specify a “from” address that iThemes will send notifications from. You can make this up, apart from the bit after the @ sign, which needs to be your site’s domain (I know this sounds ridiculous, but I’ll cover it in a later post; mail claiming to come from another domain is likely to be rejected or marked as spam). The main thing is that you need to receive notifications from iThemes; these will be sent to the email address you used when installing WordPress. Once you’ve entered an email address, click “Continue”:
On the next page click “Secure site” and iThemes will work its magic (which will take a few minutes):
You’ll ultimately be presented with a “finish” button, so click that.
Finally, there are a couple more things to configure in iThemes. Again these are turning things off: XML-RPC (a remote interface that’s often targeted, as described above) and the REST API (a programming interface into your WordPress). You MIGHT need to enable one of these in the future: XML-RPC is needed by Jetpack and the WordPress mobile apps, and the REST API is used by the block editor, but restricted access still allows logged-in users, so the editor keeps working. Unless you experience an issue you can trace to one of them, keep both restricted.
You’ll do this by clicking on the settings button:
Then click the little “Advanced” button:
Then click “WordPress Tweaks”:
Set “XML-RPC” to disable:
Then scroll down, and in the REST API section select “Restricted Access” then click “Save”:
Great, that’s it for now (there’s more to come); you now have a decent basic level of security in place.
What you’ve done so far covers the most common ways automated attacks get into a site: open registration, comment spam, unpatched plugins and themes, password guessing, and the XML-RPC and REST interfaces being left wide open.
As for the “more to come”, I’ll be covering other aspects in future posts, but you’ve done enough for now… unless you used the word password as your actual password (joke!).
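Before calling it done, check the hardening from the outside, the way the automated scanners will. The script below is an added example written for this post, not part of iThemes Security or WordPress; it sends four requests to a site URL you supply and classifies the responses. The classification lives in separate functions so the decision logic can be exercised offline, and the tell-tales it looks for (WordPress redirecting to wp-login.php?registration=disabled, the registerform form id, a methodResponse or fault from xmlrpc.php, a JSON list from /wp-json/wp/v2/users, a commentform on the front page) are heuristics: a clean result means those particular doors look shut, not that the site is secure.

```python
"""Outside-in check of the hardening steps in this post (added example)."""
import json
import sys
import urllib.error
import urllib.request

# Harmless XML-RPC call: lists available methods without credentials.
LIST_METHODS = (b"<?xml version='1.0'?><methodCall>"
                b"<methodName>system.listMethods</methodName><params/></methodCall>")


def fetch(url, data=None, content_type=None):
    """GET (or POST when data is given). Returns (status, final_url, body);
    HTTP errors are returned rather than raised so they can be classified."""
    req = urllib.request.Request(url, data=data, headers={"User-Agent": "wp-hardening-check/1.0"})
    if content_type:
        req.add_header("Content-Type", content_type)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.geturl(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.geturl(), e.read().decode("utf-8", "replace")


def assess_registration(status, final_url, body):
    # With "Anyone can register" off, WordPress redirects the register page
    # to wp-login.php?registration=disabled.
    if "registration=disabled" in final_url or "registration=disabled" in body:
        return "disabled"
    if status == 200 and 'id="registerform"' in body:
        return "OPEN"
    return "unknown"


def assess_xmlrpc(status, body):
    # A server-level block answers with an error status; a live endpoint
    # answers 200 with a methodResponse (a <fault> means it ran but refused).
    if status in (403, 404, 405, 410):
        return "blocked"
    if status == 200 and "<methodResponse>" in body:
        return "faulted" if "<fault>" in body else "ENABLED"
    return "unknown"


def assess_rest_users(status, body):
    # Restricted REST access answers 401/403; open access returns a JSON list
    # of users, i.e. the usernames an attacker needs for password guessing.
    if status in (401, 403):
        return "restricted"
    if status == 200:
        try:
            users = json.loads(body)
        except ValueError:
            return "unknown"
        if isinstance(users, list):
            slugs = ", ".join(u.get("slug", "?") for u in users)
            return f"ENUMERABLE ({len(users)} users: {slugs})"
    return "unknown"


def assess_comments(status, body):
    # Best effort: the front page may not show a post at all.
    if status != 200:
        return "unknown"
    if 'id="commentform"' in body or 'id="respond"' in body:
        return "form present"
    return "no form on this page"


def audit(site):
    """Run all four checks against a site and return {check: verdict}."""
    site = site.rstrip("/")
    status, url, body = fetch(site + "/wp-login.php?action=register")
    registration = assess_registration(status, url, body)
    status, _, body = fetch(site + "/xmlrpc.php", LIST_METHODS, "text/xml")
    xmlrpc = assess_xmlrpc(status, body)
    status, _, body = fetch(site + "/wp-json/wp/v2/users")
    rest_users = assess_rest_users(status, body)
    status, _, body = fetch(site + "/")
    comments = assess_comments(status, body)
    return {"registration": registration, "xmlrpc": xmlrpc,
            "rest_users": rest_users, "comments": comments}


if __name__ == "__main__":
    # Usage: python check.py https://example.com  (example URL, not a real target)
    for check, verdict in audit(sys.argv[1]).items():
        print(f"{check:13} {verdict}")
```

Run it against your own site before and after the configuration steps; the verdicts in capitals (OPEN, ENABLED, ENUMERABLE) are the ones that should have gone away. Only point it at sites you own or are authorised to test.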