Top tools and best practices for WordPress security

Poorly secured WordPress websites are a favorite hacker target. Use these tools and advice to keep them out.

If you run a WordPress blog, you need to get serious about keeping it as secure as possible. WordPress is a very attractive target for hackers for several reasons that I’ll get to in a moment. To help you, I have put together my recommendations for the best ways to secure your site, and many of them won’t cost you much beyond your time to configure them properly. My concern for WordPress security isn’t general paranoia; my own website has been attacked on numerous occasions, including a series of DDoS attacks on Christmas day. 

WordPress is a rich target

It is hard to keep up with the latest WordPress attacks. Last year, a brute-force attack was mounted by a botnet of infected WordPress servers that leveraged the XML-RPC interface. Why is WordPress such a target?

WordPress runs on PHP, which has had its own security problems over the years. IT managers should nip this issue in the bud by making sure their version of PHP is current. WordPress itself has provided this handy list of suggestions on how to check your version and how to upgrade it safely.

WordPress has a lot of moving parts. In addition to the underlying PHP engine, most WordPress sites run a variety of plug-ins and use themes to enhance their appearance and add functionality. Ensuring that these plug-ins are free of vulnerabilities, or are not, worse yet, stalking horses for malware, isn’t an easy task. A number of them have been exploited recently, such as Form Lightbox, Appointments, RegistrationMagic-Custom Registration Forms, WooCommerce, WP No External Links and Flickr Gallery.

An extreme example of this is a plug-in that had good intentions of helping with GDPR compliance. However, it contained two privilege escalation bugs that granted admin access to the entire WordPress site. The problems were eventually found and fixed in v1.4.3 of the plug-in. This brings up an important point: not every plug-in or theme developer is going to pay attention to code security, as this 2013 article pointed out. This means that these add-ons can greatly increase your attack surface.

Many WordPress installations aren’t keeping up with the latest version of their software. Some are even behind by several major releases. This makes it easier for hackers to locate the most vulnerable sites and launch attacks on them. It is a challenge, because the software is updated frequently. My ISP actually sends me notices when my version needs an update, a feature that initially I was annoyed about. I now realize they are looking out for my best interests.

Updating a site with numerous plug-ins can be a challenge, because many plug-ins and themes can break with the new software. (This was an issue for the latest major update to v5, for example.) So you have to weigh the core update against everything else your site is running when deciding when to apply it. This also means you need to keep all of your add-on software updated, too.

WordPress administrators are often novices when it comes to IT operations in general and security specifically. This could be attributed to the fact that it is easy to set up an insecure WordPress site. I’ll get to some of the best practices in a moment, but consider this phishing campaign seen last fall that targeted WordPress admins. The message stated that a “WordPress DataBase Upgrade” (sic) was required, and many people fell for the lure. And at last summer’s DEF CON conference, hackers were able to locate a fresh new WP site within 30 minutes of its going online. The exploit, called WPSetup, made use of how new orders for SSL certificates are processed.

Choosing a WordPress security software vendor

There are several vendors that specialize in securing WordPress sites. While you don’t strictly need any of these tools to make your site more secure, I strongly suggest you use one of them.

  • Wordfence, the one that I use, comes in both free and paid ($100 per year) versions and, with two million sites protected, is the most popular tool. The free version is fine for most small businesses. It comes with its own WordPress firewall that covers login security, IP blocking and security scans for malware. The premium version offers real-time updates for IP blacklists, malware signatures and firewall rules, as well as two-factor authentication (2FA) and country blocking.
  • iThemes Security, which has close to a million sites under its protection. It used to be called Better WP Security and also includes 2FA and support for v5 of WordPress. It comes in free and paid versions (starting at $50 per year for a single site). Premium features include password generation and policy settings, online file comparison, user action logging, and malware scan scheduling.
  • Arsenal21’s All-in-One WP Security, which protects 700,000 sites and is also tested with v5. One notable aspect is that it automatically changes the admin account to some other name. It is free and open source. Key features include vulnerability scanning, implementation and enforcement of WordPress security practices, and a security scorecard for your WordPress site.
  • Sucuri’s Scanner, which also comes in both free and paid versions. It has malware scanning, blacklist monitoring and (for a fee) its own WordPress firewall. Sucuri is used by 400,000 sites, and plans start at $200 per year for each site.

One tool to steer clear of is Comodo’s free scan of your WordPress site. It is really a lure to obtain your email address and then sell you consulting services.

Before you choose one of these tools, consider the following:

  • What kind of reports does it produce? Most of the major WordPress add-on security tools will send you regular email reports about the status of your WordPress security, when the volume of attacks from a single IP source increases, and other potential issues. Make sure you understand the implications of these reports before you settle on a particular tool.
  • How is the tool configured and managed? Most tools have a separate entry in the main WordPress dashboard where you can control their behavior and see a summary of your site security status (such as Wordfence’s dashboard shown here).
A typical dashboard from Wordfence

  • Does it support v5 of WordPress? When I looked at the various plug-in pages on the WordPress directory, many of the security tools still hadn’t certified this version.

WordPress security best practices

Before we talk about best practices, let’s mention one of the worst: the way WordPress administrators choose their admin credentials. As I hinted at above, one of the best things you can do is to change your account name from “admin” to something else, such as a random string of letters. Many WordPress brute-force attacks begin by trying this account name and guessing your password.
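The password-guessing attacks just described, and the XML-RPC botnet mentioned earlier, both show up in the web server log as a burst of POST requests to wp-login.php or xmlrpc.php from the same source. As an added example, not part of the original article and not code from any of the security tools it lists, the POSIX shell script below counts those POSTs per source IP over a few constructed Apache combined-format log lines and reports any source at or above a threshold. The log lines, the IP addresses (taken from the RFC 5737 documentation ranges), the threshold and the function names are all assumptions; the plug-ins above do the equivalent continuously, but a one-off pass like this is useful when you are reading a report about a spike from a single IP and want to see the raw evidence.

```shell
#!/bin/sh
# Added example (not from the article): flag source IPs hammering the
# WordPress login and XML-RPC endpoints in an Apache combined-format log.

# Constructed sample log lines; the IPs come from RFC 5737 documentation ranges.
SAMPLE_LOG='203.0.113.10 - - [25/Dec/2018:02:10:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.10 - - [25/Dec/2018:02:10:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.10 - - [25/Dec/2018:02:10:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 401 "-" "Mozilla/5.0"
203.0.113.10 - - [25/Dec/2018:02:10:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 401 "-" "Mozilla/5.0"
203.0.113.10 - - [25/Dec/2018:02:10:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 401 "-" "Mozilla/5.0"
203.0.113.10 - - [25/Dec/2018:02:10:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Dec/2018:02:11:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Dec/2018:02:11:40 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
192.0.2.5 - - [25/Dec/2018:02:12:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
192.0.2.5 - - [25/Dec/2018:02:12:30 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# write_sample_log: write the constructed lines to a temp file and print its
# path, so the same function can be pointed at a real access log instead.
write_sample_log() {
    f=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_LOG" > "$f"
    printf '%s\n' "$f"
}

# brute_force_sources LOGFILE THRESHOLD
# Counts POST requests to wp-login.php and xmlrpc.php per source IP ($1 in
# combined format; $6 is the quoted method, $7 the path) and prints
# "count ip" for every IP at or above THRESHOLD, busiest first. A GET of the
# login page (a legitimate user loading the form) is ignored on purpose.
brute_force_sources() {
    awk -v threshold="$2" '
        $6 == "\"POST" && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= threshold) printf "%d %s\n", hits[ip], ip }
    ' "$1" | sort -rn
}

# Demo: report sources with three or more login/XML-RPC POSTs.
log=$(write_sample_log)
brute_force_sources "$log" 3
rm -f "$log"
```

Against the sample, only 203.0.113.10 crosses a threshold of three; lowering it to two also lists 198.51.100.7, while 192.0.2.5, which only loaded the login form and posted a comment, never appears. On a live site, replace the demo lines with `brute_force_sources /var/log/apache2/access.log 50` (path and threshold are assumptions) and feed the flagged addresses to whichever IP-blocking feature your chosen plug-in provides.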

This beginner’s guide covers other basic security steps, such as limiting login attempts, making certain directories read-only, and disabling directory browsing. Another suggestion: limit access to your WordPress site to just your own IP address in your .htaccess file while you are setting up your server for the first time.
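Three of those steps, read-only directories, no directory browsing and an IP restriction during setup, are file-system and Apache configuration rather than WordPress settings. The script below is an added example, not from the article or the guide it references, that applies them. It assumes a WordPress site root on Apache 2.4 (the `Require` syntax) with AllowOverride permitting the `Options` and `Limit`/`AuthConfig` directive groups in .htaccess, and it takes the administrator's IP address as an argument; the function names and the 203.0.113.10 address are placeholders. The post-launch rule set also refuses xmlrpc.php, which is one step beyond the guide's list and is there because of the XML-RPC botnet described earlier; drop that block if you use the Jetpack plug-in or the WordPress mobile app, which need that endpoint. Run with no arguments it exercises everything on a throwaway directory, so it can be tried without touching a real site.

```shell
#!/bin/sh
# Added example (not from the article or the beginner's guide it cites):
# file-permission and .htaccess hardening for a WordPress site on Apache 2.4.
# Usage: sh harden-wp.sh SITE_ROOT [ADMIN_IP]   (no arguments runs a demo)

# harden_permissions SITE_ROOT
# Directories 755 and files 644 (nothing world-writable), wp-config.php 600
# so only the owner can read the database credentials. The owner should be
# the account the web server runs as; otherwise uploads and automatic
# updates will fail with these modes.
harden_permissions() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    [ -f "$root/wp-config.php" ] && chmod 600 "$root/wp-config.php"
    return 0
}

# write_setup_lockdown SITE_ROOT ADMIN_IP
# While the site is being built, let only the administrator's address in and
# switch off directory listings. Assumes AllowOverride permits the Options
# and Limit/AuthConfig directive groups in .htaccess.
write_setup_lockdown() {
    cat > "$1/.htaccess" <<EOF
Options -Indexes
Require ip $2
EOF
}

# write_post_launch_htaccess SITE_ROOT
# Replaces the setup lockdown once the site goes public: listings stay off,
# wp-config.php is hidden from the web entirely, and (one step beyond the
# guide) xmlrpc.php, the endpoint the botnet attack used, is refused. Drop
# that block if Jetpack or the WordPress mobile app need XML-RPC.
write_post_launch_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
Options -Indexes
<Files "wp-config.php">
    Require all denied
</Files>
<Files "xmlrpc.php">
    Require all denied
</Files>
EOF
}

if [ $# -ge 1 ]; then
    harden_permissions "$1" || exit 1
    [ -n "$2" ] && write_setup_lockdown "$1" "$2"
else
    # Demo on a throwaway tree; 203.0.113.10 is a placeholder admin address.
    demo=$(mktemp -d)
    mkdir -p "$demo/wp-content/uploads"
    : > "$demo/wp-config.php"
    : > "$demo/wp-content/uploads/photo.jpg"
    harden_permissions "$demo"
    write_setup_lockdown "$demo" 203.0.113.10
    echo "--- setup .htaccess ---"; cat "$demo/.htaccess"
    write_post_launch_htaccess "$demo"
    echo "--- post-launch .htaccess ---"; cat "$demo/.htaccess"
    ls -l "$demo/wp-config.php"
    rm -rf "$demo"
fi
```

After the site is public, swap the setup .htaccess for the post-launch one before inviting other authors, since the lockdown version turns every address but yours away. Re-run `harden_permissions` after large plug-in or theme installs: installers sometimes leave directories world-writable, and `find SITE_ROOT -perm -o=w` is a quick way to see whether anything did.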

Another suggestion is to harden your logins with 2FA. A number of the plug-in vendors offer this as a feature, such as the free version of Defender and the paid version of iThemes. I use miniOrange, which supports a wide array of authentication apps and methods; even the free version is quite adequate for smaller installations.

Reduce the number of plug-ins. When I first put up my WordPress server, I went plug-in crazy, installing more than a dozen of them to do various things. Now I realize the error of my ways, and the most secure server is one that has the minimum number of plug-ins. Resist the temptation to add all sorts of plug-ins that will just compromise your security. Also, while you are picking a theme for your site, make sure you only download those themes and plug-ins from trusted sources. 

Stay current with WordPress-security specific sources such as Plugin Vulnerabilities and Wordfence’s own blog. Both post frequently about exploits and zero-day attacks that their own instrumentation networks have uncovered.

One final recommendation. If you are overwhelmed with keeping up with your security, or if you are planning on launching many blog sites, you might want to consider using a managed WordPress hosting provider such as WPBeginner. They also have a quiz you can take for a self-assessment. Numerous vendors offer this service, including iThemes, which will host your site using its security tool starting at $15 per month for each site.

Copyright © 2019 IDG Communications, Inc.
