28th May 2021
Keeping WordPress websites secure.
WordPress has historically had a somewhat bad reputation for security. However, a little context is needed to help frame the picture accurately. WordPress currently sits comfortably at the top of the CMS landscape with a market share of 64.7% during April 2021. The number two spot currently goes to Shopify with 5.4%. In fact, WordPress has almost double the market share of the 90 next popular platforms combined. There’s a lot of WordPress sites out there and this ultimately means there’s a lot of WordPress websites that “bad actors” (the cybersecurity type, not the Hollywood type) are interested in.
There’s also a large volume of WordPress sites out in the wild that rely on off-the-shelf themes or plugins to power key parts, or all of, the website. Often, this is where a problematic situation can arise. By compromising a widely-used theme or plugin, an attacker can potentially get the keys to a number of sites, which is why these themes and plugins can be an attractive target.
The other side to this story is that there is a huge number of developers in the WordPress community and with WordPress being open source software, security patches are rolled out extremely quickly on discovery of any vulnerabilities. The latest WordPress release at the time of writing had a staggering 481 individual contributors to this release alone.
The main takeaway from this, if you’re building a WordPress-based website using a bespoke front-end and keeping WordPress itself and any plugins up-to-date, you’re in safe hands. However, there are some other things to keep an eye on and so here is a list of top-tips for keeping a WordPress website secure:
1. Use a Web Application Firewall (WAF).
Just as you might have antivirus software on your computer, it’s a good idea to have some kind of firewall on your server. Most managed hosts, such as WP Engine or Kinsta have some kind of WAF offering. If you’re managing your own server(s), you can use something like Cloudflare or Sucuri to manage your firewall before requests hit your server (they both have a WordPress-specific offering) or if changing your DNS settings to run through either of these services is an issue, a server-side alternative such as WordFence can still be effective.
2. Changing default paths.
Although the general concept of security through obscurity will not make your software itself any safer, it can help to protect against automated attacks. Although we think of website hacking as someone at a computer picking out a particular website and then getting to work on compromising it, the truth is that the vast majority of attacks are automated. Tools and bots scan the internet looking for websites running software with known vulnerabilities and then once these sites are identified, automated tools can be run to compromise them.
Simple changes such as changing the default login URL, installing WordPress in a subdirectory so that the backend paths are one level deeper than a standard install or moving the main WordPress configuration file can often mean that automated tools simply either do not identify the site as running WordPress or fail to run scanning tools as they are expecting different paths.
3. Running up-to-date versions of PHP.
PHP historically had a slow release schedule. Things have changed in the last few years and now PHP releases are coming thick and fast, bring speed, stability and importantly, security improvements along the way. It’s usually a pretty simple task to make sure you’re running a recent version of PHP and it’s well worth the time investment for peace of mind.
4. Implement Two Factor Authentication (2FA).
2FA is the process of confirming a login attempt by sending a code (typically to either an email address or mobile device) or generating a code via an authentication app such as Google Authenticator when a login attempt is made. This is an additional layer of security to a username and password and ensures that even if a username and password are stolen or compromised somewhere else, an attacker will additionally need access to your email address or mobile device.
There are a number of 2FA solutions available for WordPress depending on specific requirements.
5. Limit login attempts.
By limiting the number of times a user can attempt to log in you can greatly slow down the efforts of an attacker. Limiting the number of login attempts to around 3-5 an hour is usually a good balance of security and accounting for human error.
6. Use HTTPS and enforce its use everywhere.
By having a valid SSL certificate installed on your site’s server, you can serve your site securely over an HTTPS connection. This ensures that any data sent between the website and the user is encrypted, protecting against man-in-the-middle attacks which can lead to stolen password or form data.
An added benefit of an HTTPS connection is that you can also serve the website and its assets over an HTTP/2 connection, delivering assets more quickly and efficiently to the user’s browser and in turn, improving the speed of the website.
HTTPS is also a confirmed ranking factor in Google’s page score algorithm.
It is important to make sure that an HTTPS connection is being forced across the website once you have an SSL certificate in place. This is typically configured via your web server (NGINX or Apache typically).
7. Disable the built-in File Editor available to logged-in admins.
WordPress comes with a built-in editor that lets admins edit theme files. By allowing the use of this editor, if someone gains access to an admin account, they can add their own code to the site within the WordPress admin dashboard without ever having to get access to the server itself. This should always be disabled.
Additionally, most websites should be using some kind of version control, such as Git. Allowing the editing of files directly on the web server would conflict with the version-controlled site, causing issues when deploying new versions of the site.
8. Keep WordPress and any plugins up-to-date.
It can’t be understated how important it is to keep any software running on your website up-to-date. Once a vulnerability is out in the wild it is important to ensure that you are protected. Luckily, WordPress and most reputable plugins are well maintained and patched and as long as you have a good update schedule in place, such as every two weeks, you can greatly cut the risk of being compromised.
A word on security and its impact on SEO.
A knock-on effect of a compromised site can be a big hit in search engine rankings. This can happen for a few reasons:
- A compromised server is being used to send spam emails resulting in the web server’s IP being blacklisted
- Hidden software, such as cryptocurrency miners, are running in the background, slowing down the website
- Additional scripts are being included when the website loads, affecting the website’s Core Web Vitals score
- The website is defaced or otherwise taken down leading to Google indexing incorrect content or stopping indexing the site at all
- Google’s malware detection is triggered which in turn marks the site as infected, preventing users from accessing the site. This can be a difficult and lengthy process to rectify
By taking a handful of measures, WordPress can be a very secure and reliable content management system. We’ve got a whole lot of WordPress sites under our belt and we feel extremely confident in our platform and WordPress in general.
If you’re managing a website and feel that security could be an issue, we would suggest working with an agency who can do this work on your behalf. As experts in WordPress development, we’re well-positioned to make recommendations for the most suitable environment for your project.