What is WordPress security?
WordPress security is a set of measures and solutions implemented to protect a WP website from unauthorized access, use, modification, destruction, or disruption.
The procedures and protocols that protect your website from cyber criminals go beyond the website itself: they extend to the web hosting service it runs on.
Some solutions are standard (must-use), and others are more advanced. Some "advanced" solutions become must-use for websites that handle sensitive data or have to comply with particular standards (e.g. in banking).
All of these solutions are becoming more important as the security bar keeps rising. What was acceptable a decade ago may be considered bad practice, or totally unacceptable, now.
Major risk mitigations
Risk mitigation is the identification, evaluation, and prioritization of risks, followed by action to reduce them.
Around 41% of WordPress attacks are caused by vulnerabilities in the WordPress hosting platform, 52% of attacks happen because of plugins. 61% of all infected WordPress websites feature out-of-date versions of WP core. This is only the tip of the iceberg.
Although WordPress hosting companies are aware of serious security risks, it is still challenging for them to protect their clients' websites when the clients themselves keep running outdated, and therefore vulnerable, versions of WordPress core and, in particular, plugins and themes.
These risks can be removed altogether, or at least partially mitigated, with the following strategies:
- Using secure WP hosting
- Running currently supported (still security-patched) PHP and MySQL versions
- Enabling HTTPS (TLS)
- Using the latest WP core version
- Using updated, secure plugins and themes from trusted sources
- Conducting regular WordPress security scans
- Using strong logins and passwords for all accounts
- Installing a WP-specific firewall
- Logging user activity
- Backing up your WP website
WordPress security checklist
Specific measures implement the strategies above and take further action to improve your security.
Here is your WordPress security checklist (it covers the major issues but is not exhaustive). Every item on the list should be something you can check yourself, so that you are notified when a risk appears.
Are you using the latest PHP version?
Running a currently supported PHP version is the backbone not only of your website's security but of its speed, performance, and functionality. Supported PHP versions still receive security patches; a version past its end of life does not, and every vulnerability found in it afterwards stays exploitable on your server. Test the upgrade on a staging copy first, since old plugins and themes may not run on a newer PHP.
Are there specific activities that should be logged?
You should have a complete list of the people (developers, customers, website users, and devops engineers), apps, third-party services, and software that have access to the website and the hosting dashboard. Implement a logging system that tracks activity on the website, so that you know who logged in, from where, and at what time; log failed logins as well, because a brute-force attempt shows up there long before it succeeds. Web server access and error logs are also useful for monitoring and mitigating security risks. Keep the logs outside the web root, and ideally copy them off the host, so that an intruder cannot read or erase them.
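The logging described above, as an added example that is not part of the original article: a must-use plugin (mu-plugin) that records login, logout, failed-login and privilege-change events as one JSON line each. The hooks (`wp_login`, `wp_login_failed`, `wp_logout`, `set_user_role`, `user_register`, `activated_plugin`, `deactivated_plugin`) and helpers (`wp_json_encode`, `wp_unslash`) are WordPress core; the constants `AUTH_EVENT_LOG` and `AUTH_EVENT_TRUSTED_PROXIES`, the `auth_event_*` function names and the file name are assumptions of this example.

```php
<?php
/**
 * Plugin Name: Auth Event Log (example)
 * Description: Writes one JSON line per login, logout, failed login and
 * privilege change, so "who logged in, from where, and when" is answerable.
 * Install as wp-content/mu-plugins/auth-event-log.php (mu-plugins cannot be
 * deactivated from the dashboard by a compromised admin account).
 */

// Assumption: the log path is set in wp-config.php, outside the web root and
// writable only by the PHP user, e.g.
//   define( 'AUTH_EVENT_LOG', '/var/log/wordpress/auth.jsonl' );
// Without it, events go to the PHP error log via error_log().
// AUTH_EVENT_TRUSTED_PROXIES (assumption) is an optional array of reverse-proxy
// IPs whose X-Forwarded-For header may be trusted.

function auth_event_client_ip(): string {
    $remote  = $_SERVER['REMOTE_ADDR'] ?? '';
    $proxies = defined( 'AUTH_EVENT_TRUSTED_PROXIES' ) ? (array) AUTH_EVENT_TRUSTED_PROXIES : array();
    if ( in_array( $remote, $proxies, true ) && ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
        // Only the right-most entry was appended by *our* proxy; anything to its
        // left came from the client and can be forged.
        $hops = array_map( 'trim', explode( ',', wp_unslash( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) );
        $last = end( $hops );
        if ( false !== filter_var( $last, FILTER_VALIDATE_IP ) ) {
            return $last;
        }
    }
    return $remote; // not behind a trusted proxy: REMOTE_ADDR is the only reliable source
}

function auth_event_write( string $event, array $fields = array() ): void {
    $record = array_merge( array(
        'ts'       => gmdate( 'c' ),
        'event'    => $event,
        'ip'       => auth_event_client_ip(),
        'actor_id' => get_current_user_id(), // 0 when there is no session yet (failed login, the login request itself)
        'ua'       => substr( wp_unslash( $_SERVER['HTTP_USER_AGENT'] ?? '' ), 0, 200 ),
        'uri'      => substr( wp_unslash( $_SERVER['REQUEST_URI'] ?? '' ), 0, 200 ),
    ), $fields );

    // JSON encoding escapes newlines, so an attacker-chosen username from a
    // failed login cannot inject a fake line into the log.
    $line = wp_json_encode( $record ) . "\n";

    if ( defined( 'AUTH_EVENT_LOG' ) && AUTH_EVENT_LOG ) {
        file_put_contents( AUTH_EVENT_LOG, $line, FILE_APPEND | LOCK_EX ); // LOCK_EX: no interleaved lines
    } else {
        error_log( 'auth_event ' . rtrim( $line ) );
    }
}

// Authentication events. Core passes ($user_login, WP_User) to wp_login; the
// $error argument of wp_login_failed exists since WordPress 5.4, hence the default.
add_action( 'wp_login', function ( $user_login, $user ) {
    auth_event_write( 'login_success', array( 'user' => $user_login, 'user_id' => $user->ID, 'roles' => $user->roles ) );
}, 10, 2 );

add_action( 'wp_login_failed', function ( $username, $error = null ) {
    auth_event_write( 'login_failed', array(
        'user'   => $username, // never log the password
        'reason' => $error instanceof WP_Error ? $error->get_error_code() : 'unknown',
    ) );
}, 10, 2 );

add_action( 'wp_logout', function ( $user_id = 0 ) {
    auth_event_write( 'logout', array( 'user_id' => (int) $user_id ) );
}, 10, 1 );

// Privilege and account changes: these are what a successful intruder does next.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    auth_event_write( 'role_changed', array( 'target_user_id' => $user_id, 'new_role' => $role, 'old_roles' => $old_roles ) );
}, 10, 3 );

add_action( 'user_register', function ( $user_id ) {
    auth_event_write( 'user_created', array( 'target_user_id' => $user_id ) );
}, 10, 1 );

add_action( 'activated_plugin', function ( $plugin ) {
    auth_event_write( 'plugin_activated', array( 'plugin' => $plugin ) );
}, 10, 1 );

add_action( 'deactivated_plugin', function ( $plugin ) {
    auth_event_write( 'plugin_deactivated', array( 'plugin' => $plugin ) );
}, 10, 1 );
```

Each line is self-describing, so a one-liner such as `grep '"login_failed"' auth.jsonl | jq -r .ip | sort | uniq -c | sort -rn` (assuming jq is installed) shows the brute-forcing addresses at a glance. Because the plugin lives in mu-plugins, a compromised administrator account cannot switch it off from the dashboard; it would have to delete the file, which is itself an event your host-level monitoring can catch.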
Is there a way to ensure WP plugin and theme safety?
Know which functionality each plugin and theme provides, and keep all of them updated. Confirm that they are published by trusted vendors and are maintained, up to date, and secure. Use a third-party service that reports to you when a plugin with a disclosed vulnerability is running on your site, and remove (not merely deactivate) plugins you no longer need, since deactivated code still sits on disk.
Is there an unused functionality that is active?
Every active functionality that is not used should be disabled. The less unused functionality is installed and active on the website, the smaller the attack surface and the lower the risk of the website being hacked.
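A worked example of that principle, added here and not from the original article: an mu-plugin that switches off the WordPress features most sites leave enabled without using. Every filter, action and constant referenced (`xmlrpc_enabled`, `wp_headers`, `DISALLOW_FILE_EDIT`, `DISALLOW_FILE_MODS`, `wp_is_application_passwords_available`, `pre_option_users_can_register`, `rest_endpoints`, `wp_generator`, the `__return_*` helpers) is WordPress core; the plugin name and file name are assumed.

```php
<?php
/**
 * Plugin Name: Attack Surface Trim (example)
 * Description: Disables WordPress features that most sites never use but that
 * attackers probe routinely. Install as wp-content/mu-plugins/attack-surface-trim.php.
 * Every item is opt-out: delete the lines for anything your site actually needs.
 */

// 1. XML-RPC. Needed only by the mobile apps, Jetpack and similar remote clients.
//    Its system.multicall method lets one HTTP request test hundreds of passwords,
//    and pingback.ping has been used for DDoS amplification.
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'wp_headers', function ( array $headers ): array {
    unset( $headers['X-Pingback'] ); // stop advertising the endpoint
    return $headers;
} );

// 2. The theme/plugin file editor. With it, a stolen admin session (or XSS in
//    the admin) is arbitrary PHP execution. Core reads this constant at runtime,
//    so defining it here works; wp-config.php is the usual place.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}
// If deploys come from version control/CI, go further and also block dashboard
// installs and updates (you must then update via WP-CLI or your pipeline):
//   define( 'DISALLOW_FILE_MODS', true );

// 3. Application passwords (Basic-auth credentials for REST/XML-RPC), unless an
//    integration uses them.
add_filter( 'wp_is_application_passwords_available', '__return_false' );

// 4. Public self-registration. Attackers use open registration to obtain a
//    low-privilege account and then look for privilege-escalation bugs in plugins.
add_filter( 'pre_option_users_can_register', '__return_zero' );

// 5. Username enumeration via the REST API: /wp-json/wp/v2/users lists every
//    author's login name, which is exactly what a password-spraying tool needs.
//    /wp/v2/users/me is left alone because the block editor needs it for any
//    logged-in user; only those who may list users in wp-admin keep the rest.
add_filter( 'rest_endpoints', function ( array $endpoints ): array {
    if ( current_user_can( 'list_users' ) ) {
        return $endpoints;
    }
    unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
} );

// 6. Version disclosure in <head>. Hygiene rather than a fix (readme.html and
//    asset ?ver= parameters leak it too); an attacker without the version just
//    tries every exploit anyway.
remove_action( 'wp_head', 'wp_generator' );
```

Treat the list as a starting point and confirm each item against your own use: a site updated through the WordPress mobile app needs XML-RPC, a site with a membership workflow needs registration, and an integration that authenticates with application passwords needs those. Disabling something you do use only moves the problem.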
Does your staff follow security-aware practices?
Even with recent technical solutions that automate many manual security tasks and much of the monitoring, organizations always have people behind every aspect of the business, from conducting it to interacting with customers. That is precisely why people are often the weakest link in any company's security. Holding trainings that explain how an attacker would infiltrate your company increases their awareness and so minimizes the chance of them falling for common traps. Topics to cover include phishing emails, untrusted USB drives, and email attachments.
Do you perform security-oriented test sessions?
Once in a while, the technical team should sit together and target every part of the website, looking for weak spots. These test sessions are beneficial because your staff has the best understanding of your application and likely knows its weak points. We also advise inviting an external pentester to check your site security, since an outsider does not share the team's blind spots.
Are you making sure your staff are using separate accounts?
Sharing a user account makes it hard to understand who is using the service or to identify who has performed a given action. This makes it much harder to recognize when an outside party has taken over an account. It also makes it harder to remove access to an account when employees leave the company, opening that account up to potential abuse.
WordPress security scans
Before coming up with a strategy or solution to website security risks, the first and hardest step is locating every vulnerable aspect at hand.
Performing a WordPress security scan follows a set of standard procedures and processes, including:
Defining the scope of the scan
It is essential to identify all the assets that are part of your organization's information system. Use your asset registry for this, with additional columns for threats and vulnerabilities, so that it becomes a centralized repository of assets, vulnerabilities, risks, and remediation measures.
Forming standard procedure
Construct a clear and structured vulnerability scanning procedure with fixed policies and an implementation strategy. The standard procedure states how often you perform scans, the types of scan you need, the software solutions used, and the steps to take after a scan completes.
There are two types of scans that you can perform according to your WordPress Website needs.
Network vulnerability scans – scanning the hardware and software that make up the network, its communication channels, and the network equipment: hubs, switches, firewalls, routers, web servers, clusters, etc.
Application-based vulnerability scans – scanning the WordPress installation itself: core, plugins, themes, and configuration, as well as the site as it is exposed over HTTP.
Starting the scan, analyzing results, and remediating
After scanning your WP website, WordPress scanning tools automatically generate a prioritized list, but checking for false positives and false negatives is essential before remediation: a modified core file may be a legitimate hotfix, and a scanner that knows nothing about a custom or premium plugin will simply stay silent about it.
After the analysis phase, your priority is remediation: update, patch, or remove the vulnerable component, highest severity first, then re-scan to confirm the finding is gone.
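The scanning step, as an added example that is not from the original article: a read-only PHP script that performs the application-level part of the scan for one installation and emits a severity-ordered list. It relies on WordPress core functions (`get_core_checksums()`, `get_plugins()`, `is_plugin_active()`, `wp_update_plugins()`, `get_site_transient()`); the file name `wp-integrity-scan.php` and the `wis_*` function names are this example's own. WP-CLI exposes the same checks as `wp core verify-checksums` and `wp plugin list --update=available`; the script shows in code what those commands do.

```php
<?php
/**
 * wp-integrity-scan.php: read-only application-level scan of one WordPress install.
 *
 *   cd /var/www/example && php wp-integrity-scan.php      (bootstraps wp-load.php)
 *   wp eval-file wp-integrity-scan.php                     (under WP-CLI)
 *
 * Reports, highest severity first:
 *   core_modified            a core file differs from the official release checksum
 *   core_unexpected_file     a file in wp-admin/ or wp-includes/ that the release does not ship
 *   core_missing             a release file that is absent
 *   plugin_outdated          a newer version is published on wordpress.org
 *   plugin_no_update_source  wordpress.org knows nothing about the plugin, or has closed it
 * Exit status is 1 when a "high" finding exists, so cron or CI can alert on it.
 */

if ( ! defined( 'ABSPATH' ) ) {
    require_once __DIR__ . '/wp-load.php'; // assumption: the script lives in the WordPress root
}
require_once ABSPATH . 'wp-admin/includes/update.php'; // get_core_checksums()
require_once ABSPATH . 'wp-admin/includes/plugin.php'; // get_plugins(), is_plugin_active()

function wis_core_findings( array $checksums ): array {
    $findings = array();
    $shipped  = array();
    foreach ( $checksums as $file => $md5 ) {
        if ( 0 === strpos( $file, 'wp-content/' ) ) {
            continue; // bundled themes/plugins are routinely deleted or customised; not core
        }
        $shipped[ $file ] = true;
        $path             = ABSPATH . $file;
        if ( ! is_file( $path ) ) {
            $findings[] = array( 'severity' => 'medium', 'type' => 'core_missing', 'file' => $file );
        } elseif ( md5_file( $path ) !== $md5 ) {
            $findings[] = array( 'severity' => 'high', 'type' => 'core_modified', 'file' => $file );
        }
    }
    // Files present in core directories but not in the release manifest: the
    // classic place to hide a web shell, because nobody edits these by hand.
    foreach ( array( 'wp-admin', 'wp-includes' ) as $dir ) {
        $it = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator( ABSPATH . $dir, FilesystemIterator::SKIP_DOTS )
        );
        foreach ( $it as $entry ) {
            $rel = str_replace( '\\', '/', substr( $entry->getPathname(), strlen( ABSPATH ) ) );
            if ( ! isset( $shipped[ $rel ] ) ) {
                $findings[] = array( 'severity' => 'high', 'type' => 'core_unexpected_file', 'file' => $rel );
            }
        }
    }
    return $findings;
}

function wis_plugin_findings(): array {
    wp_update_plugins(); // refresh the update_plugins transient from api.wordpress.org
    $updates  = get_site_transient( 'update_plugins' );
    $findings = array();
    foreach ( get_plugins() as $file => $data ) {
        $active = is_plugin_active( $file );
        if ( isset( $updates->response[ $file ] ) ) {
            $findings[] = array(
                'severity'  => $active ? 'high' : 'medium', // inactive code is still on disk, just not loaded
                'type'      => 'plugin_outdated',
                'file'      => $file,
                'installed' => $data['Version'],
                'available' => $updates->response[ $file ]->new_version,
            );
        } elseif ( ! isset( $updates->no_update[ $file ] ) ) {
            // Neither "update available" nor "up to date": a premium/custom plugin, or one
            // wordpress.org has closed (often because of an unfixed vulnerability). No
            // automatic update will ever arrive, so track the vendor's advisories yourself.
            $findings[] = array( 'severity' => 'low', 'type' => 'plugin_no_update_source', 'file' => $file, 'installed' => $data['Version'] );
        }
    }
    return $findings;
}

$order     = array( 'high' => 0, 'medium' => 1, 'low' => 2, 'info' => 3 );
$checksums = get_core_checksums( get_bloginfo( 'version' ), get_locale() );
$findings  = $checksums ? wis_core_findings( $checksums )
    : array( array( 'severity' => 'info', 'type' => 'checksums_unavailable', 'file' => 'api.wordpress.org unreachable' ) );
$findings  = array_merge( $findings, wis_plugin_findings() );
usort( $findings, function ( $a, $b ) use ( $order ) { return $order[ $a['severity'] ] <=> $order[ $b['severity'] ]; } );

foreach ( $findings as $f ) {
    $extra = isset( $f['installed'] ) ? " {$f['installed']} -> " . ( $f['available'] ?? '?' ) : '';
    printf( "%-6s %-24s %s%s\n", $f['severity'], $f['type'], $f['file'], $extra );
}
exit( in_array( 'high', array_column( $findings, 'severity' ), true ) ? 1 : 0 );
```

Triage before remediating: `core_modified` after a manual hotfix can be legitimate; `core_unexpected_file` is often a leftover from an older version after an in-place upgrade, but a `.php` file there that you cannot explain should be treated as a backdoor until proven otherwise. `plugin_no_update_source` is the blind spot of every automatic scanner: nobody will notify you about those plugins, so they belong on your manual-review list.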
WordPress specific security aspects
When your website is your business, paying attention to WordPress security is your primary responsibility. WordPress is open source and is updated on a regular basis. Overlooking WordPress updates is a leading cause of future security issues. This includes plugins and themes (and the widgets they ship), which need individual updates to keep them from becoming outdated.
Other specific security aspects include:
A TLS certificate (still commonly called an SSL certificate, after the Secure Sockets Layer protocol that TLS replaced) allows the use of HTTPS for encryption and authentication. This is crucial if your website requires users to sign in: in that scenario you are handling credentials and personal data that must be protected, and without HTTPS they cross the network in clear text. This is a must-use solution that also instills trust in your website users.
Among security scanning tools, the leading candidates in the field are Wordfence and Sucuri.
These field leaders are WordPress security plugins that include security scanning as one of their techniques to keep your WordPress website secure and diagnose vulnerabilities.
Both also offer hardening of the WordPress installation, backup creation, firewall management, exportable reports, etc.
Other WordPress security scanning tools include WebARX, Shield Security, Tinfoil Security, sqlmap, WPScan, and Google Safe Browsing. Note that not all of these are WordPress-specific: sqlmap tests a web application for SQL injection, and Google Safe Browsing only tells you whether a site has been flagged for malware or phishing.
Though slightly different in their processes, the collective aim of every scanner is to diagnose vulnerabilities in your WordPress website.