WordPress is the most widely used CMS of all. But after the setting it up, most do not think further about security. Therefore, vulnerabilities in WordPress are particularly lucrative. Outdated versions, for which public vulnerabilities are known, are detected and attacked by so-called crawlers and bots. This usually happens fully automatically. Often the goal of these automated attacks is to abuse your WordPress blog to host phishing pages, redirect to advertisement pages and send spam mails. Without proper monitoring you don’t notice that you are being attacked.
However, it does not have to get that far. WordPress themselves recommends that a standard installation is not enough to effectively protect against attacks. Therefore, there is the so-called official “WordPress Hardening Guide“. This includes measures that the WordPress team recommends to secure. Unfortunately, exactly this important recommendation is often omitted during installation.
In organizations there are often multiple WordPress instances running somewhere, often created by marketing or external WordPress agencies. Experience has shown that even agencies specializing in WordPress have not implemented the security requirements by WordPress. The aim of this guide is therefore to ensure that externally operated WordPress installations can also be secured.
Without security monitoring, you don’t even notice these automated attacks. But with just a few plugins and steps you can improve the protection immensely and reduce the risk of compromise. The goal of this article is to give you a short checklist to improve the security of your WordPress blog.
That all these additional measures (also these from the “Hardening Guide“) are very important is also shown by this critical vulnerability, which was published in June 2020. It had taken over a year until the WordPress team finally closed it. After that, the security researcher was allowed to publish details about the vulnerability. Often not WordPress Core but some Plugins are targeted by the attackers. By finding a security vulnerability in a widely used Plugins attacker can compromise thousand of WordPress instances at the same time, as recently shown in this attack in November 2021. This shows the importance of applying security practices to your WordPress instance.
Two key takeaways are:
- You need to be aware that just because you run a WordPress blog you are already permanently exposed to automated attacks, such as brute force attacks. This happens from automated bots that scan the Internet for WordPress installations.
- If you run a WordPress blog it’s not a question of if you will be breached, rather when. To contain an attack, the following steps are necessary. You cannot 100% prevent an attack but you can make it ineffective by applying the security practices and keeping your wordpress instance up-to-date.
Below, I have provided a prioritized checklist that helps securing your WordPress.
Checklist
| Practice | Action |
|---|---|
| Is a secure hosting environment is used? | It is important that you choose a secure hosting provider for your wordpress. There should be backups so that you can restore to the last secure state in case of compromise. Especially for WordPress, there are numerous hosters that specialize only in wordpress and thus offer optimized backup and update features for their customers. Is a managed WordPress hosting provider used which allows to maintain and schedule backups and auto-updates? Is the security status is constantly checked by a tool such as Plesk WordPress Toolkit? No backups are stored on your webserver within the wordpress file tree? |
| Is your wordpress database (MariaDB/MySql) restricted to allow connections only from localhost? | |
| WordPress Core, Themes and Plugins are kept up-to-date? | Automatic scanners (like WPScan), which are used by attackers, look for vulnerable plugins. Outdated plugins may contain known vulnerabilities.The auto-update feature (available since WordPress version 5.5) is enabled for all Plugins and Themes? A WordPress management is used such as “Plesk WP Toolkit” or “WP Engine” which enforces automated security updates? |
| XML-RPC Gateway is disabled? | A Plugin such as https://wordpress.org/plugins/disable-xml-rpc/ is installed to disable the XML-RPC-Gateway? |
| Unused Plugin and Themes are disabled and removed? | Unnecessary plugins should be uninstalled. Each installed plugin increases the potential attack surface, should a vulnerability become known for this plugin. |
| Is a protection against brute force and credential stuffing attacks applied? | A plugin such as https://wordpress.org/plugins/advanced-nocaptcha-recaptcha/ is installed to enable captcha protection for all important functions (login, register, comments)? A plugin such as https://wordpress.org/plugins/google-authenticator/ is installed to enable MFA? A plugin such as https://wordpress.org/plugins/limit-login-attempts-reloaded/ is installed to enable rate limiting? |
| Is a Web-Application-Firewall (WAF) enabled? | In the past, it has already happened that so-called zero-day vulnerabilities were available, through which all installations of a certain CMS suddenly become vulnerable to an attack. Therefore, it is recommended to install a WAF, such as Cloudflare. Should such a scenario occur, i.e. that no update is yet available to protect against a new type of attack, then with the help of Cloudflare managed ruleset they might be able to protect against these attacks.A WAF such as Cloudflare or OWASP ModSecurity is enabled? Is the managed ruleset for WordPress enabled? |
| Do you have an Audit trail? | Is a Plugin such as https://wordpress.org/plugins/audit-trail/ or https://de.wordpress.org/plugins/simple-history/ used? |
| Are secure practices for user accounts followed? | The default “admin” account is renamed? Do you only have one admin account? Are wordpress account roles and permissions properly set to the “least privilege principle” and no user accounts with rights they don’t need? Are permissions of inactive accounts set to the least privileged role? Are only secure passwords used? Your user account FTP accounts The WordPress database Your hosting account Email address |
| Is the access to the admin portal access controlled? | By adding IP allowlisting you can strict the WordPress login form to be only accessed within an corporate IP-range. Is Cloudflare Zone Lockdown (Firewall->Tools) enabled for /wp-login.php and /wp-admin? If IP allowlisting is not an option you can try: https://www.wpbeginner.com/wp-tutorials/how-to-password-protect-your-wordpress-admin-wp-admin-directory/ |