Security in WordPress is taken very seriously, but as with any other system there are potential security issues that may arise if some basic security precautions aren't taken. This article will introduce you to basic security concepts and serve as an introductory guide to making your WordPress website more secure.
This article is not the ultimate quick fix to your security concerns.
Security is not an absolute; it is a continuous process and should be managed as such. Security is about risk reduction, not risk elimination, and risk will never be zero. It is about employing the appropriate security controls that best address the risks and threats as they pertain to your website.
Security also transcends the WordPress application. It is as much about securing and hardening your local environment, online behaviors and internal processes as it is about tuning and configuring your installation. Security comprises three domains: People, Process, and Technology. They work in harmony with each other; without the people and their processes, the technology itself would be useless. Keep this in mind as you work through this guide: the threat landscape is constantly evolving, and so should your security posture.
If you have downloaded WordPress from WordPress.org you will need to self-host, and you will have a wide range of options: shared hosts, managed hosts and a number of other variations. Each host handles security differently, but all are consistent in that the ultimate responsibility for your installation's security falls on the website owner (not the host).
We will not dive into the hardening of your host, as it is beyond the intent of this guide - which will focus on your WordPress installation. For more information though, we encourage you to jump over to the Hosting WordPress codex page.
How you decide to host your website is important and should be done with care; the decision you make will dictate the specific security controls you will want to leverage. It also means that you, the website owner, are responsible for hardening your installation, which is why this guide is so important.
There are basic Information Security (InfoSec) concepts that you should be aware of as you embark on securing WordPress. These concepts are critical to understanding and implementing the recommendations presented in this guide.
When configuring web applications and WordPress, each application or user should only be able to access the resources that are necessary for its legitimate purpose and nothing more. In other words, don't give applications or users access beyond what they need. You can learn more about this principle on Wikipedia.
The least privilege principle builds on this idea: give people the access they require, for as long as they require it to do their job, no more and no less. When they are done with their work, reset their access to the most appropriate level. This is most applicable when thinking about users and their appropriate roles. WordPress provides a number of different roles out of the box, each designed with different permissions.
Defense in Depth subscribes to the concept that no single solution is capable of addressing all your security concerns. Instead, it promotes a layered approach of complementary security solutions, each designed to address the others' shortfalls. With multiple layers of security, if one fails you may still stop the attack, or at the very least detect it early and recover quickly.
Employing a defense in depth approach might look like this: a firewall to help mitigate external attacks, a security scanner in the event something gets through, multiple authentication controls, or even integration of a key manager. Each is a security control designed to directly address a threat.
Moving beyond the theoretical, we take the concepts presented above and provide a list of actions you can take as a website administrator to harden and improve your security posture:
Make sure your local computer, browser and routers are up to date and free of spyware, malware, and virus infections. Consider using tools like NoScript (or disabling JavaScript/Flash/Java) in your browser, and VPNs to encrypt your online communication when moving between locations and using different public WiFi hotspots.
You should also secure your mobile devices. Install any updates as soon as they are available.
WordPress is updated regularly; these updates include bug fixes and security fixes alike. When working with point releases (e.g., 4.7.1) you should consider applying them as soon as they are released. Major releases (e.g., 4.7) should be applied as soon as possible, but be sure to follow a good upgrade process to avoid any potential conflicts.
The vulnerabilities most affecting WordPress website owners stem from the platform's extensible parts, specifically plugins and themes. These are the #1 attack vector being exploited by cyber criminals to hack and otherwise misuse WordPress sites.
These vulnerabilities are not introduced intentionally; they are a normal part of software development. Developers address them by releasing updates. It is important that you take an inventory of all the plugins the website uses and subscribe to the developers' mailing lists to ensure you stay current with the latest updates.
Main article: Updating WordPress.
The latest version of WordPress is always available from the main WordPress website at https://wordpress.org. Official releases are not available from other sites -- never download or install WordPress from any website other than https://wordpress.org.
Since version 3.7, WordPress has featured automatic updates. Use this functionality to ease the process of keeping up to date. You can also use the WordPress Dashboard to keep informed about updates.
You can find the official WordPress.org blog on this page where security updates are announced.
If you think you have found a security flaw in WordPress, you can help by reporting the issue. See the Security FAQ for information on how to report security issues, and Submitting Bugs for how to do this.
The web server running WordPress, and the software on it, can have vulnerabilities. If you are managing your own server, make sure that you install security updates for your operating system, web server, PHP and any applications. If you are using managed hosting, your hosting provider will usually take care of these security updates for you.
If you're on a shared host (one that hosts other websites besides your own) and a website on the same server is compromised, you can experience cross-site contamination. Talk with your hosting provider to better understand how they handle security on shared servers.
If you are on shared hosting and one or more sites on that shared host have been hacked, you may find that your website IP address is black-listed by spam lists. If you find you are having email deliverability problems, you can use a blacklist lookup tool like mxtoolbox.com to see what is going on.
When connecting to your server you should use an SFTP connection. This ensures the communication between your machine and the server is protected. Most hosts offer SFTP; if you're not sure, ask them. Read more on the difference in this Explanation of the FTP and SFTP protocols.
If you run multiple blogs on the same server, it is wise to keep them in separate databases, each managed by a different user. This is best accomplished when performing the initial WordPress installation. This is a containment strategy: if an intruder successfully cracks one WordPress installation, this makes it that much harder to alter your other blogs. If you administer MySQL yourself, see Secure MySQL Database Design for more information.
Below we propose structural changes that provide additional security hardening for your WordPress installation. Each option comes with some disadvantages and problems which you need to be aware of.
Back up your data regularly, including your MySQL databases. See the main article: WordPress_Backups.
A sound backup strategy could include keeping a set of regularly-timed snapshots of your entire WordPress installation (including WordPress core files and your database) in a trusted location.
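The snapshot strategy described above, as an added POSIX shell example (not code from the Codex page or from the WordPress project): it archives the whole install directory together with a database dump when one can be taken, names each archive by timestamp, and keeps only the newest N archives. WP_DB_NAME and WP_DB_USER are assumed environment variable names; the password is left to mysqldump's own MYSQL_PWD or ~/.my.cnf handling so it never appears on the command line. The demo install at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not from the Codex page: take a timestamped snapshot of a
# WordPress install (files plus, when available, a database dump) into a
# destination directory and keep only the newest N archives. WP_DB_NAME and
# WP_DB_USER are assumed environment variables; the database password is read
# by mysqldump from MYSQL_PWD or ~/.my.cnf rather than passed on the command line.

# snapshot_site <wordpress-root> <destination-dir> [keep]
# Prints the path of the archive it created.
snapshot_site() {
    root=$1; dest=$2; keep=${3:-7}
    stamp=$(date +%Y%m%d-%H%M%S)
    work=$(mktemp -d)
    # Core files, plugins, themes and uploads all live under the install root.
    cp -R "$root" "$work/files"
    # Add the database when mysqldump and the assumed credentials are present.
    if command -v mysqldump >/dev/null 2>&1 && [ -n "${WP_DB_NAME:-}" ]; then
        mysqldump --single-transaction --user="${WP_DB_USER:-root}" \
            "$WP_DB_NAME" > "$work/db.sql"
    fi
    mkdir -p "$dest"
    tar -czf "$dest/wp-$stamp.tar.gz" -C "$work" .
    rm -rf "$work"
    # Retention: archive names sort chronologically, so drop all but the newest.
    ls -1 "$dest" | grep '^wp-.*\.tar\.gz$' | sort -r | tail -n "+$((keep + 1))" |
        while read -r old; do rm -f "$dest/$old"; done
    echo "$dest/wp-$stamp.tar.gz"
}

# Number of snapshot archives currently retained in $1.
count_snapshots() {
    ls -1 "$1" | grep -c '^wp-.*\.tar\.gz$'
}

# Demo on a constructed install; a real job would run this from cron and copy
# the archive off the host (the "trusted location" the text refers to).
src=$(mktemp -d); dst=$(mktemp -d)
printf '<?php\n' > "$src/wp-config.php"
echo "created: $(snapshot_site "$src" "$dst" 3)"
echo "retained: $(count_snapshots "$dst")"
rm -rf "$src" "$dst"
```

Retention is deliberately done by archive name rather than file modification time, so a restored or re-copied archive does not get treated as the newest one.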
Along with software vulnerabilities, access control is one of the top two attack vectors used by cyber criminals. To combat this you must secure every point of entry into your host, WordPress installation or server. This includes employing strong passwords and enabling some form of multi-factor authentication.
When working with any online site, consider enabling 2FA by default. Refer to Two Step Authentication for more information.
Some WordPress plugins designed to help include:
The goal with your password is to make it hard for other people to guess and hard for a brute force attack to succeed. A key to this is making it Complex, Long, and Unique. It is recommended to use a password generator for all passwords.
WordPress also features a password strength meter which is shown when changing your password in WordPress. Use this when changing your password to ensure its strength is adequate.
Services like 1Password and LastPass can help you manage and create random passwords.
The default permission scheme should be:
There are a number of ways to accomplish this change. There are also a number of variations to these permissions that make them more restrictive. These, however, are the default recommendations. Check with your host before making permission changes, as they can have adverse effects on the performance and availability of your site.
Avoid having any file or directory set to 777.
You can read more about WordPress updates and file ownership on the Updating WordPress codex page.
Changing file permissions
Via command line you can run the following commands to change permissions recursively:
For Directories:
find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;
For Files:
find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;
You can also do this via your favorite FTP/SFTP client.
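The two find commands above applied as an audit-then-fix routine, as an added POSIX shell example that is not code from the Codex page or the WordPress project. It goes one step beyond the commands in the text: it first counts world-writable entries (the 777 case the text says to avoid), then applies 755/644, and finally lists anything that still deviates so deliberate exceptions can be reviewed by hand. The install path is whatever the caller passes; the demo tree at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not from the Codex page: audit a WordPress tree for
# world-writable entries and normalise it to the recommended 755/644 scheme.
# The install path is whatever the caller passes as $1.

# Count files and directories below $1 that anyone can write to (777, 666, ...).
count_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 | wc -l | tr -d ' '
}

# Apply the defaults recommended above: 755 for directories, 644 for files.
apply_default_permissions() {
    find "$1" -type d -exec chmod 755 {} \;
    find "$1" -type f -exec chmod 644 {} \;
}

# List anything that still deviates from 755/644, so deliberate exceptions
# (for example a tighter mode on wp-config.php) can be reviewed by hand.
list_nondefault() {
    find "$1" \( -type d ! -perm 755 \) -o \( -type f ! -perm 644 \)
}

# Build a small constructed install in a temp directory with two entries
# deliberately left at 777, the mode the page says to avoid.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads" "$d/wp-includes"
    printf '<?php\n' > "$d/wp-config.php"
    printf 'jpeg\n' > "$d/wp-content/uploads/photo.jpg"
    chmod 755 "$d" "$d/wp-content" "$d/wp-includes"
    chmod 644 "$d/wp-content/uploads/photo.jpg"
    chmod 777 "$d/wp-content/uploads" "$d/wp-config.php"
    echo "$d"
}

demo=$(make_demo_tree)
echo "world-writable before: $(count_world_writable "$demo")"
apply_default_permissions "$demo"
echo "world-writable after:  $(count_world_writable "$demo")"
rm -rf "$demo"
```

Run the audit function alone first on a live site; if the count is non-zero, that is the list to discuss with your host before applying the fix, since some hosts rely on a different ownership model.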
Adding server-side password protection (such as BasicAuth) to /wp-admin/ adds a second layer of protection around your blog's admin area, the login screen, and your files.
Note: This prevents normal site visitors from accessing /wp-admin/admin-ajax.php.
See the Resources section for more documentation on how to password protect your wp-admin/ directory properly.
A second layer of protection can be added where scripts are generally not intended to be accessed by any user. One way to do that is to block those scripts using mod_rewrite in the .htaccess file. Note: to ensure the code below is not overwritten by WordPress, place it outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file. WordPress can overwrite anything between these tags.
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# BEGIN WordPress
Note: This won't work well on Multisite, as RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] would prevent the ms-files.php file from generating images. Omitting that line will allow the code to work.
The uploads directory is the one directory that will almost always need to be writable by the web server. It's where all files are uploaded remotely. You want to prevent PHP execution in this directory; you can do this by placing an .htaccess at the root of /UPLOADS containing:
# Kill PHP Execution
<Files *.php>
deny from all
</Files>
Note: This can break your theme if it requires PHP execution in UPLOADS. If you apply it and the site breaks, remove it and the site will reappear.
If you use a server with .htaccess, you can put this in that file (at the very top) to deny access to anyone surfing for it:
<files wp-config.php>
order allow,deny
deny from all
</files>
It is recommended to disable file editing within the WordPress dashboard. WordPress has a constant that disables this editing, set via the wp-config.php file. Append the following two lines to the end of your wp-config file:
## Disable Editing in Dashboard
define('DISALLOW_FILE_EDIT', true);
There are many security plugins available for WordPress that provide a wide range of security and hardening features. There are four types of security plugins; it's important to differentiate between them because each is designed to solve a different problem.
As you think through your security posture, and look to integrate a security plugin, consider what you are trying to achieve and how that plugin helps you achieve that goal.
Website firewalls allow you to proactively mitigate external attacks such as exploitation attempts that try to abuse software vulnerabilities, brute force attacks that try to break into your admin panel, or denial of service attacks that try to take down your website. All of these are real security threats.
There are two types of firewall to be mindful of: endpoint and cloud-based firewalls.
Endpoint firewalls are installed on the website itself. They may be installed as part of WordPress or as an Apache module. When an endpoint firewall is installed on the web server, this will often be handled by your host unless you are managing your own dedicated or virtual server. Within WordPress there are a number of security plugins that provide an endpoint firewall.
Deploying a website firewall is quickly becoming the best way to stay ahead of today's emerging threats. It is not, however, a cure for poor security; it is one piece of a larger framework that should be considered.
Deploy tools that allow you to maintain visibility into the overall security state of your site. There are a number of tools designed to help with this.
Remote scanners look at a website as a user or search engine would.
Examples:
These can be automated by using plugins as well, examples:
Application scanners look at the files locally on the server. For WordPress, this is achieved by security plugins.
Examples:
If you're running a server, you might consider:
Reputation monitors are services provided by established brands like Google, Bing, etc. that have a vested interest in your website displaying unaltered data.
The advantage of these tools is that they are free, they have a vested interest in your site being clean, and they will notify you 24 - 48 hours in advance before blocking your site.
Services like UptimeRobot and Pingdom monitor website availability. They send you an alert via email, SMS or mobile application if your website goes down. You can monitor your site from multiple locations.
One feature some of these services offer is the ability to monitor web page changes. Websitepulse in particular can tell you if a page has changed by a certain percentage. Using availability monitoring along with monitoring of page changes can give you an early warning if your website has been hacked. Often a hacker will change or deface your website, and catching changes early can alert you within minutes of a hack.
Monitoring filesystem changes can give you early warning of an intrusion. There are a number of WordPress plugins that will look at the application and help you identify whether the integrity of files has changed.
Example:
When you install a WordPress plugin, it has access to your WordPress files, directories and database. The level of access that the plugin has is the same access level as WordPress core. There is no separation of permissions between WordPress plugins. There is also no way to limit the amount of access a plugin has.
It is important for you to understand what a plugin does and what it will be accessing. You should read the plugin documentation, check its reputation by reading reviews and check the plugin support forums for any known problems before granting a plugin access to your system by installing it.
Security through obscurity is a complementary layer in a Defense in Depth approach to security; it should not be the strategy.
There are areas in WordPress where obscuring information might help with security.
Your hosting provider will usually provide web server logging for 24 hours. Not all hosts enable it by default; consider retaining logs for a minimum of 7 days. You may need to enable this feature or request that they enable logging for you.
There are plugins that can help you with this logging even if your host cannot. Examples:
Logs provide an audit trail of requests that occurred on your website. If your website is hacked, it allows you or a forensic analyst to determine how your website was compromised.
These recommendations are for the more advanced users that manage their own Dedicated and Virtual Private servers.
If you have SSH access to your web server, you can access a command line shell on your server and view your logs as they update in real-time with the following command:
tail -f /location/to/log/file
This gives you the ability to monitor your raw traffic in real-time at no additional cost.
If you would like to learn how to perform log file analysis to identify attacks, you can start by reading the Log Analysis for Web Attacks: A Beginner’s Guide.
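The kind of log analysis the preceding paragraphs describe, as an added POSIX shell example (not code from the Codex page or the WordPress project). It works over Apache/Nginx combined-format access logs and picks out two things a WordPress owner wants from the audit trail: clients repeatedly POSTing to wp-login.php, and requests for wp-config.php or PHP files under the uploads directory, where the response status shows whether the .htaccess protections above are in place. The log lines are constructed, using documentation IP ranges; a live variant for use with tail -f is included.

```shell
#!/bin/sh
# Added example, not from the Codex page: simple access-log analysis for two
# patterns a WordPress owner cares about. Assumes the Apache/Nginx combined log
# format; the log lines below are constructed and use documentation IP ranges.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 2375 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 2375 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 2375 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /2023/10/hello-world/ HTTP/1.1" 200 8122 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:57:10 +0000] "GET /wp-config.php HTTP/1.1" 403 199 "-" "curl/7.88"
192.0.2.9 - - [10/Oct/2023:13:57:11 +0000] "GET /wp-content/uploads/2023/10/cache.php HTTP/1.1" 403 199 "-" "curl/7.88"
EOF

# Print "count ip" for every client with at least $2 POSTs to wp-login.php in
# log file $1 (the shape of a password-guessing attempt). Field 6 is the quoted
# method, field 7 the path, field 9 the status in the combined format.
login_bruteforce_ips() {
    awk -v min="$2" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n[$1]++ }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' "$1"
}

# Print "ip path status" for requests to wp-config.php or to PHP files under
# wp-content/uploads. A 403 shows the .htaccess rules above doing their job;
# a 200 means the protection is missing and the request should be investigated.
sensitive_path_hits() {
    awk '$7 ~ /^\/wp-config\.php/ || $7 ~ /^\/wp-content\/uploads\/.*\.php/ {
             print $1, $7, $9 }' "$1"
}

# Live variant of the login check for use with tail -f, as described in the text.
follow_login_posts() {
    tail -f "$1" | awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { print $1, $4 }'
}

echo "clients with 3+ login POSTs:"; login_bruteforce_ips "$SAMPLE_LOG" 3
echo "requests for protected paths:"; sensitive_path_hits "$SAMPLE_LOG"
rm -f "$SAMPLE_LOG"
```

Point the functions at your real access log (the path your host uses for it) instead of the constructed file; the threshold for the login check should be tuned to the number of legitimate logins your site sees.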
You can also monitor your website traffic in real-time using the real-time view from Google Analytics or Piwik.
As with the file integrity monitoring recommendation above, it's recommended you take a similar approach for your web server.
A couple of systems that help streamline this process include:
A few tools that help include:
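For both the WordPress-level and the server-level file integrity monitoring recommended above, an added POSIX shell example (not code from the Codex page, the WordPress project, or any of the tools it lists) of the underlying mechanism: record a baseline of every file's SHA-256 hash, then compare a fresh manifest against it and report anything changed, added or removed. It assumes GNU coreutils (sha256sum, sort, comm); paths are whatever the caller passes, and the demo tree at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not from the Codex page: a minimal file integrity check built
# from sha256sum, find, sort and comm. It records a baseline of every file's
# hash and later reports anything changed, added or removed. Paths are whatever
# the caller passes; the demo tree at the bottom is constructed.

# Write "hash  ./relative/path" for every file below $1 into $2, sorted so the
# two manifests can be compared line by line.
fim_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort ) > "$2"
}

# Compare tree $1 against baseline $2. Prints "- hash path" for lines only in
# the baseline (removed, or the old hash of a modified file) and "+ hash path"
# for lines only in the current tree (added, or the new hash). Returns 0 when
# nothing differs, 1 otherwise, so a cron job can turn it into an alert.
fim_check() {
    current=$(mktemp)
    fim_baseline "$1" "$current"
    changes=$(LC_ALL=C comm -3 "$2" "$current" |
              awk -F '\t' 'NF == 2 { print "+ " $2; next } { print "- " $0 }')
    rm -f "$current"
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# Demo: baseline a constructed install, tamper with it, re-check.
demo=$(mktemp -d)
baseline=$(mktemp)
printf '<?php // index\n' > "$demo/index.php"
printf '<?php // config\n' > "$demo/wp-config.php"
fim_baseline "$demo" "$baseline"
fim_check "$demo" "$baseline" && echo "baseline clean"
printf '<?php // modified\n' > "$demo/index.php"
fim_check "$demo" "$baseline" || echo "changes detected (exit status 1)"
rm -rf "$demo" "$baseline"
```

Keep the baseline file outside the web root and refresh it only after a deliberate update, otherwise the check cannot tell a routine plugin upgrade from an unwanted change.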
Most WordPress security plugins and security products provide a wide array of monitoring and alerting options. These include alerts on:
When configuring alerting it is important to have a high signal-to-noise ratio. In other words, you should only get alerts that are important to you and that you will do something about.