WordPress Security Tips
I know quite many people who love WordPress. I'm talking the self-hosted WordPress.org website builder you have to install on a web hosting server, not WordPress.com. But I don't hear them talk much about WordPress security.
I've mentioned some of the stuff below in other blogs about my favorite WordPress plugins and unnecessary plugins. And I don't want this to be verbose. So I'll try to keep everything straight-forward for newbies.
Improve Server Security
As of 2021 you can simply subscribe to WordPress Hosting plans where you only manage the WordPress website. Those users can skip over to the next section since your hosting provider is maintaining these for you. For those with cPanel or cloud server hosting with WordPress installed, you need to make sure the server software is up-to-date too.
If you don't know how to do something mentioned below, contact your web hosting provider. Don't be ashamed to ask for help. It's better than asking for help recovering from a cyber attack.
PHP
PHP is the big one. At the time of writing, PHP 8.1 is the latest version. There's a new PHP version at least annually. And there are code PHP directives that need to be restricted, or hardened, to help mitigate performance issues. Do the internal WordPress site check and fix any security issues that show up.
Restrict Server Access
Have strong passwords for your web hosting account, email account, cPanel user, FTP, and any other users with access to the web server. Use two-factor / multi-factor authentication (TFA/MFA) wherever possible.
Server Scanning
Scheduled server security scans (with good reporting) check all files on your web server, not just WordPress. Emails and private folders are targeted with malware all the time. If you're unsure, ask your hosting provider if there's any server scanning feature in your plan.
Akismet
Akismet isn't bloatware. "Hello Dolly" is, though. Delete that one. Akismet removes spam comments. If you disabled comments, you can remove it but remember it in case you enable it again.
Security Suite Plugin
I like Wordfence and Cerber Security for their various features:
- Scan your files and database
- Change your default login page from /wp-admin or /wp-login
- Block malicious IP addresses (bots and users) and strengthen your robots.txt file
- Fight brute-force login attacks
- Enforce a strong password policy
- TFA / MFA
If you don't install a versatile WordPress security plugin like the three above, you'll need separate plugins that do everything in the above list. I say download one of the three and follow their guide on hardening WordPress.
WPScan
WPScan is a free command-line app that scans for vulnerabilities reported to the Common Vulnerabilities and Exposures (CVE) database. There's also a WordPress security plugin of the same name which does this in your dashboard. The plugin is easier for most. Python package manager (PIP) users might like droopescan if managing a Drupal site at the same time.
BBQ Firewall (Block Bad Queries)
BBQ Firewall blocks malicious URI requests that try to exploit PHP vulnerabilities. I don't know if it is necessary while using one of the security suites above, but it is small and works well alongside them.
HTTP Headers
HTTP Headers has a lot of rarely discussed headers. I recommend it for how easy it is to configure security HTTP headers:
- HTTP Strict Transport Security (HSTS)
- Content Security Policy (CSP)
- X-Content-Type-Options
- Permissions Policy
- Referrer-Policy
When I was learning how to configure them for Apache web server, I'd use the plugin to create them. Then, I'd copy the raw code in the .htaccess file from the WordPress-managed section into the bottom of the file. Then I could remove the HTTP Headers plugin and still have the HTTP header code. If that made no sense to you, just keep the plugin installed.
I like Observatory.Mozilla.org and SecurityHeaders.com for testing web app security.
Subresource Integrity (SRI) Manager
Subresource Integrity (SRI) Manager adds a sha256 hash for any third party scripts in your WordPress site for integrity. Therefore, if the browser doesn't get the same hash as what's in your code when someone visits your website, the script won't load at all.
Many WordPress sites don't need this plugin. You might need to install it and have search for scripts to find out.
Contact Form 7
I mentioned Contact Form 7 in my favorite plugins blog. It isn't pretty with a bunch of buttons like many other popular form builders. But it is flexible and secure with plenty of data validation options. Need a contact form that allows PDF uploads? Contact form 7 can ensure it is an actual PDF and within a reasonable file size. Need to stop spam and advertising requests? Block text fields from including ".com" and other top-level domains.
Backups
You need a backup or disaster recovery solution. This doesn't have to be a WordPress backup plugin. It can be from a server application (e.g. cPanel Backup Wizard), web hosting snapshots, or a cron job for scheduled zip or tar.gz archives. The best option depends on your web hosting subscription and technical expertise. Updraft is one of the best ones I can recommend.
Web Analytics
Matomo Analytics (formerly Piwik) is my favorite standalone web analytics solution. It's free open source software (FOSS), fully-featured, and easy to learn. A little over a year ago, the team created a Matomo Analytics WordPress plugin. And it is amazing seeing the analytics suite that taught me so much about web traffic converted to something that fits in the WordPress dashboard.
Analytics helps you see the results of your security settings. It shows what bots are constantly crawling your site, what black hat search engine optimization (SEO) techniques might be hurting your brand, and if you're suffering from denial of service (DOS) attacks. There are specialized Security Information and Event Management (SIEM) applications like Splunk and ELK Stack for this, but they're excessive for general users.
I recommend checking out Clicky and Google Analytics first to learn about the different options. But if you want something that is free, feature-packed, and not Google, Matomo Analytics is my suggestion.
You can hear me talk more about web application security in the two YouTube videos embedded below. To learn more about the cybersecurity industry, check out Cyber Warrior Studios.