WordPress continues to be one of the most popular blogging and web hosting platforms. You can see why: it is easy to set up, it has a wide range of design templates and supports a huge universe of more than 55,000 different plug-ins that can extend its functionality in numerous directions. While you can freely host your own WordPress blog on their site, you don’t have access to this rich collection of extensions.
But like so much in the tech world, with this additional functionality comes the added responsibility about securing your servers and protecting your content. And given that it has been around since 2003, it has undergone some big changes as it has evolved. One thing that hasn’t changed is its basic structure: it runs a web server with a bunch of PHP scripts that access a SQL database. That simplicity is also what makes it a tempting hacking target.
Here are the top 10 strategies for hardening your installation. Many of these items are free, outside of the time it will take to implement them.
1. Use a managed WP provider who can keep your site software current. WordPress frequently updates its core software to fix bugs and close vulnerability loopholes. You should stay current with these updates: those that fall behind provide hackers with the opportunity to breach your site. This also means keeping your plug-ins and themes updated too. Network Solutions, as part of its various managed WP plans, will keep track of your installation and notify you of any updates.
2. Keep WP servers off your internal network. This is a second reason for using a managed hosting provider. Running your own WP server internally will just expose your corporate network to additional threats or where it could be used as a starting point for a privilege escalation attack. Better to have your WP reside on a hosting provider’s network where it can be isolated and protected.
3. Remove the default admin user. Hackers love to try to log in with “admin” most often. Pick a name that is less obvious, and indeed a more complex and preferably unique administrative username. If you have guest authors, create complex user names for them as well.
4. Use a blank index.php file in your plugin directory. This will prevent hackers from figuring out which plugins you have installed.
5. Use strong passwords, or better yet, install one of the multi-factor authentication (MFA) tools such as Mini-Orange or Google Apps Login. These will make it very difficult for unauthorized users to gain control over your site.
6. Install a WP firewall, such as Wordfence or IThemes Security. All offer free versions. Wordfence, which comes with managed WordPress from Network Solutions, covers login security, IP blocking and security scans, and comes with its own WP firewall. IThemes has password generators and user activity logging. All three are used by hundreds of thousands of WP site operators. All will also send you regular email reports about the status of your WP security and have comprehensive dashboards within your main dashboard that can offer a rich perspective of your WP installation. If you want additional security, there are paid versions of each that range from $50 to $200 per year per server.
7. Reduce the number of plug-ins and themes. While it is easy to add all sorts of both kinds of extensions, the fewer their number the more secure your server will be.
8. Be on the lookout for compromised plug-ins. A number of them have been exploited, such as Brizy, Form Lightbox, Appointments, RegistrationMagic-Custom Registration Forms, MailChimp for WooCommerce, WP No External Links and Flickr Gallery. Depressingly, those are just a few of the more notorious compromised plug-ins. The exploits range from hidden backdoors to remote file execution to privilege escalation, so pretty much all over the security map. Some plug-ins have thousands of users and active installations. Regularly screen what plug-ins you need and ensure that they haven’t been tampered with. Network Solutions offers malware scanning, removal and protection products powered by SiteLock that can identify outdated and exploited plugins daily.
9. Stay vigilant. Regularly scan various blogs, such as Plugin Vulnerabilities and Wordfence’s own blog. Both post frequently about exploits and zero-day attacks that their own instrumentation networks have uncovered. One example is a plug-in that masqueraded as a compliance tool for enforcing GDPR which instead contained malware that granted admin access to the entire WP site.
10. Finally, if all this seems overwhelming, start with this beginner’s guide which will walk through the necessary steps and make other specific suggestions.
If you have any additional questions about WordPress, please reach out to the team at Network Solutions.