What's the best way to secure a WordPress website? The answer varies depending on whether you're talking about sites hosted on WordPress.com (the hosting provider) or those running on the WordPress content management system (CMS), hosted on a different server. Either way, it's a question that matters greatly given the huge presence WordPress has on the Web.
According to survey site W3Techs, WordPress powers more than 38% of the top 10 million sites on the Web. When any single product is used by more than one-third of the Web, its security is important. And given WordPress's structure, in which so much functionality comes through plug-in and add-on software, the details of that security are likely to be found in best practices rather than hard prescriptions.
In looking at the question of WordPress security, we chose to look at the broad WordPress installed base rather than those hosted on WordPress.com.
WordPress security begins with a secure hosting provider. Each hosting provider delivers its own set of features and add-in services, and WordPress administrators should understand what can be provided and how those hosting-provided services support or collide with separate, customer-added security features. As an example, Cloudflare offers a number of content delivery network (CDN), DNS, and anti-DDoS services to its customers in both free and paid versions, but it does so by proxying traffic through its own network, which means the hosting provider's own DNS and DDoS-protection services cannot be used alongside it.
"Organizations need to take application security more seriously, starting with protection for well-known problems like the OWASP Top 10," says Timothy Chiu, vice president of marketing at K2 Cyber Security.
WordPress itself calls attention to the OWASP Top 10 and its response to those vulnerabilities in its white paper on WordPress security.
"It's critical to keep up with patches. Even if a WordPress is up-to-date, some of the common plug-ins may be vulnerable and will require immediate patching as [their revised code becomes] available," says Ryan Smith, vice president of marketing at SaltStack. "Some plug-ins don't automatically update with plug-in managers and still need to be manually updated."
In addition to the version of any updates, their provenance is something WordPress developers and enterprise security teams should keep in mind, says Ameet Naik, security evangelist at PerimeterX.
"Though updating the plug-in with the latest version is important, it does not guarantee the integrity of the third-party code," he says.
Adds Leo Pate, application security consultant at nVisium: "Any plug-ins or templates used within WordPress should be from reputable sources and be kept up to date."
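The two concerns raised above, staying current and knowing that the code on disk is still the code you installed, can be checked together. The following Python script is an added illustration, not code from any of the quoted companies or from WordPress: it reads the version field from each plug-in's main-file header (the "Plugin Name:" / "Version:" comment block WordPress itself uses), records a hash baseline right after a clean install, and later reports files that changed outside an update and versions that lag the latest release. The plug-in files, paths and "latest version" data are all constructed for the example; in practice the latest versions come from the plug-in's official distribution channel.

```python
import hashlib
import re

# Constructed sample plugin main files (not real plugins). A WordPress plugin's
# main PHP file carries a header comment whose "Plugin Name:" and "Version:"
# fields are what the admin dashboard reads to display the installed version.
PLUGIN_FILES = {
    "example-forms/example-forms.php": (
        "<?php\n/*\nPlugin Name: Example Forms\nVersion: 2.4.1\n*/\n"
        "add_action('init', 'example_forms_init');\n"
    ),
    "example-cache/example-cache.php": (
        "<?php\n/**\n * Plugin Name: Example Cache\n * Version: 1.0.9\n */\n"
        "add_action('init', 'example_cache_init');\n"
    ),
}

# Matches header fields, tolerating the " * " prefix of docblock-style comments.
HEADER_RE = re.compile(r"^[ \t/*#]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.MULTILINE)


def parse_plugin_header(source: str) -> dict:
    """Return the Plugin Name and Version fields from the first comment block."""
    end = source.find("*/")
    header = source if end == -1 else source[:end]
    fields = {}
    for m in HEADER_RE.finditer(header):
        fields.setdefault(m.group(1), m.group(2))
    return fields


def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def version_tuple(version: str) -> tuple:
    """Convert '1.0.9' to (1, 0, 9) so versions compare numerically, not lexically."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def record_baseline(files: dict) -> dict:
    """Snapshot name, version and content hash of each plugin main file right
    after a clean install or update from a reputable source."""
    baseline = {}
    for path, src in files.items():
        hdr = parse_plugin_header(src)
        baseline[path] = {
            "name": hdr.get("Plugin Name", "?"),
            "version": hdr.get("Version", "0"),
            "sha256": sha256_hex(src),
        }
    return baseline


def audit_plugins(files: dict, baseline: dict, latest_versions: dict) -> list:
    """Compare the current files against the baseline and the latest known
    versions. Returns (path, finding) tuples; an empty list is a clean result."""
    findings = []
    for path, rec in baseline.items():
        if path not in files:
            findings.append((path, "missing since baseline"))
            continue
        src = files[path]
        if sha256_hex(src) != rec["sha256"]:
            findings.append((path, "content changed since baseline"))
        current = parse_plugin_header(src).get("Version", "0")
        latest = latest_versions.get(rec["name"])
        if latest and version_tuple(current) < version_tuple(latest):
            findings.append((path, f"outdated: {current} < {latest}"))
    for path in files:
        if path not in baseline:
            findings.append((path, "not in baseline"))
    return findings


def run_demo() -> list:
    """Baseline the constructed plugins, then audit a later state in which one
    file was edited in place and a newer release exists for the other."""
    baseline = record_baseline(PLUGIN_FILES)
    current = dict(PLUGIN_FILES)
    current["example-forms/example-forms.php"] += "// edit not made by the vendor\n"
    # Constructed "latest release" data; in practice this comes from the
    # plugin's official distribution channel.
    latest = {"Example Forms": "2.4.1", "Example Cache": "1.1.0"}
    return audit_plugins(current, baseline, latest)


if __name__ == "__main__":
    for path, finding in run_demo():
        print(f"{path}: {finding}")
```

The hash baseline only tells you a file differs from what you installed; it cannot tell you whether the package you installed was itself genuine, which is why the source of the download matters as much as the version number. A real deployment would hash every file under each plug-in directory rather than only the main file, and would refresh the baseline as part of each sanctioned update.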
What to Keep In Mind
The factors teams should take into account regarding those plug-ins and templates include when the plug-in was last updated, comments and reviews of the plug-in from developers and users, and how many times the plug-in has been downloaded, Pate says.
It's critical for organizations to look at their WordPress environments holistically and apply rigorous security measures at every level, Pate adds.
In addition to keeping software up to date, "don't run the WordPress server's services as administrative users, default user credentials should be changed on the WordPress instance as well as the database credentials, and make sure the server only allows connections over TLSv1.2 or TLSv1.3," he advises. "The ciphers used for those connections should provide perfect forward secrecy, and the domain should participate in certificate transparency."
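The transport settings Pate lists (TLS 1.2 or 1.3 only, ciphers with perfect forward secrecy) are easy to state and easy to get wrong in a server block. The script below is an added example, written for this article rather than taken from any vendor or from WordPress, that lints an nginx TLS fragment against exactly that policy: it parses the ssl_protocols and ssl_ciphers directives and flags legacy protocol versions and any enabled cipher suite whose key exchange is not ephemeral. Both configuration fragments are constructed, with the weak one placed beside the hardened one; the directive names are real nginx directives, and forward secrecy is inferred from OpenSSL's suite naming (ECDHE-/DHE- prefixes, and all TLS 1.3 suites).

```python
import re

# Constructed nginx server-block fragments (not from any real deployment).
WEAK_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:RC4-MD5;
}
"""

HARDENED_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
}
"""

ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
# In OpenSSL naming, forward secrecy comes from an ephemeral (EC)DHE key
# exchange; TLS 1.3 suites (TLS_*) always use ephemeral key exchange.
PFS_PREFIXES = ("ECDHE-", "DHE-", "TLS_")
# Keywords that expand to many suites; a static check cannot see what they contain.
OPAQUE_KEYWORDS = {"ALL", "HIGH", "MEDIUM", "LOW", "DEFAULT", "COMPLEMENTOFDEFAULT"}

DIRECTIVE_RE = re.compile(r"^\s*(ssl_protocols|ssl_ciphers)\s+([^;]+);", re.MULTILINE)


def parse_tls_directives(conf: str) -> dict:
    """Pull ssl_protocols (space-separated) and ssl_ciphers (colon-separated)
    out of a configuration fragment."""
    out = {}
    for m in DIRECTIVE_RE.finditer(conf):
        name, value = m.group(1), m.group(2).strip()
        out[name] = value.split() if name == "ssl_protocols" else value.split(":")
    return out


def check_tls_policy(conf: str) -> list:
    """Return violations of the 'TLS 1.2/1.3 only, forward-secret ciphers only'
    policy; an empty list means the fragment complies."""
    d = parse_tls_directives(conf)
    problems = []
    if "ssl_protocols" not in d:
        problems.append("ssl_protocols not set explicitly")
    for proto in d.get("ssl_protocols", []):
        if proto not in ALLOWED_PROTOCOLS:
            problems.append(f"legacy protocol enabled: {proto}")
    for suite in d.get("ssl_ciphers", []):
        if suite.startswith(("!", "-", "@")):
            continue  # an exclusion or ordering token, not an enabled suite
        if suite in OPAQUE_KEYWORDS:
            problems.append(f"cipher keyword {suite} must be expanded to verify its contents")
            continue
        if not suite.startswith(PFS_PREFIXES):
            problems.append(f"cipher suite without forward secrecy: {suite}")
    return problems


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, check_tls_policy(conf) or "OK")
```

The check is deliberately static, so it is suited to a CI gate on the server configuration; it says nothing about what the running server actually negotiates, which a separate handshake test against the live host would confirm. The certificate transparency point in the quote is a property of the certificate itself (the signed certificate timestamps the CA embeds in it), not of these directives, and has to be checked on the certificate rather than in the server block.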
WordPress administrators in online forums write of the importance of choosing security-focused plug-ins to help defend a WordPress installation. Common choices include Sucuri and Wordfence. Sucuri, available in both free and paid versions, provides malware scanning, configuration file hardening, and core integrity checks in the free version, and integrates with DNS-level firewall and DDoS protection services in paid versions. Wordfence, also in free and paid versions, provides malware scanning, login attempt limiting, and a web-application firewall (WAF) to WordPress installations.
Many other security plug-ins are available, many of which focus on a single issue, such as protecting authentication certificates, thwarting brute-force attacks by limiting the number of login attempts, or continuously checking the version and status of other plug-ins. Unfortunately, this breadth means installing and deploying security plug-ins can be as complex in concept and practice as deploying any other WordPress plug-in.
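Limiting login attempts, named above as one of the single-purpose protections, is simple to describe but has details worth seeing in code: where the counter is keyed, when the window resets, and the fact that a locked-out client must be refused before its password is even checked. The following Python model is an added example written for this article; it is not Wordfence's or any other plug-in's implementation. It keeps a sliding window of failures per (client IP, username) pair, locks the pair out after a configurable number of failures, verifies passwords with PBKDF2 and a constant-time comparison, and checks a dummy hash for unknown usernames so response time does not reveal which accounts exist. The credential store, IP addresses and clock are all constructed for the demonstration.

```python
import hashlib
import hmac
import time
from collections import deque


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; the iteration count is kept low only so the demo runs fast."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


# Constructed credential store (not a real account): username -> (salt, hash).
DEMO_SALT = b"constructed-demo-salt"
CREDENTIALS = {"admin": (DEMO_SALT, hash_password("correct horse battery", DEMO_SALT))}
# Checked for unknown usernames so timing does not reveal which names exist.
DUMMY_CREDENTIAL = (DEMO_SALT, hash_password("dummy", DEMO_SALT))


class LoginLimiter:
    """Sliding-window failure counter keyed by (client IP, username).
    After max_attempts failures inside `window` seconds the key is locked for
    `lockout` seconds; a successful login clears the key's history."""

    def __init__(self, max_attempts=5, window=300, lockout=900, clock=time.monotonic):
        self.max_attempts, self.window, self.lockout, self.clock = max_attempts, window, lockout, clock
        self._failures = {}      # key -> deque of failure timestamps
        self._locked_until = {}  # key -> time at which the lockout expires

    @staticmethod
    def _key(ip: str, username: str) -> tuple:
        return (ip, username.lower())

    def is_locked(self, ip: str, username: str) -> bool:
        key = self._key(ip, username)
        until = self._locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:
            del self._locked_until[key]  # lockout has expired
            return False
        return True

    def record_failure(self, ip: str, username: str) -> bool:
        """Record a failed attempt; returns True if it triggered a lockout."""
        now = self.clock()
        key = self._key(ip, username)
        q = self._failures.setdefault(key, deque())
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()  # forget failures older than the window
        if len(q) >= self.max_attempts:
            self._locked_until[key] = now + self.lockout
            q.clear()
            return True
        return False

    def record_success(self, ip: str, username: str) -> None:
        key = self._key(ip, username)
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def attempt_login(limiter: LoginLimiter, ip: str, username: str, password: str) -> str:
    """Returns 'locked', 'ok' or 'fail'. The limiter is consulted before the
    password is verified, so a locked-out client learns nothing from its guess."""
    if limiter.is_locked(ip, username):
        return "locked"
    salt, stored = CREDENTIALS.get(username, DUMMY_CREDENTIAL)
    # compare_digest runs first so unknown and known users cost the same time.
    valid = hmac.compare_digest(stored, hash_password(password, salt)) and username in CREDENTIALS
    if valid:
        limiter.record_success(ip, username)
        return "ok"
    limiter.record_failure(ip, username)
    return "fail"


class FakeClock:
    """Manual clock so the lockout window can be exercised without sleeping."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


def simulate() -> list:
    """Three wrong guesses lock the (IP, user) pair; even the right password is
    then refused until the lockout expires; another IP is counted separately."""
    clock = FakeClock()
    limiter = LoginLimiter(max_attempts=3, window=60, lockout=120, clock=clock)
    results = []
    for guess in ("password", "admin123", "letmein"):
        results.append(attempt_login(limiter, "203.0.113.5", "admin", guess))
    results.append(attempt_login(limiter, "203.0.113.5", "admin", "correct horse battery"))
    results.append(attempt_login(limiter, "198.51.100.7", "admin", "qwerty"))
    clock.advance(121)
    results.append(attempt_login(limiter, "203.0.113.5", "admin", "correct horse battery"))
    return results


if __name__ == "__main__":
    print(simulate())
```

Keying on the (IP, username) pair keeps one misbehaving client from locking a legitimate user out from elsewhere, but it also means attempts spread across many source addresses are each counted separately; a production limiter normally adds a per-username ceiling and a global one on top, and feeds lockouts to the web-application firewall or log monitoring rather than keeping them only in process memory.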
Chiu stresses that basic security processes are as critical for WordPress installations as for any other piece of enterprise software.
"The simplest thing any organization can do to help reduce vulnerabilities is to keep their code up-to-date and patched," he says. "It's important to ensure you're only enabling and using the plug-ins you really need for your site, while ensuring you have full security for your site, including edge security, runtime application security, and server security."