WordPress Security

WordPress is the most popular blogging and content management tool in the world. Unfortunately, this also makes it a common target: attackers routinely scan for WordPress installs with known vulnerabilities in core, themes or plugins and exploit them to deface sites, plant malware or steal data.

There are several things that make WordPress especially vulnerable:

  • There is a relatively low barrier to entry, meaning that many sites may be set up by users with little experience in web hosting or security.
  • Many WordPress users pay a firm to design and build their site, but do not arrange for on-going maintenance and support. If end-users are hesitant to do the necessary updates themselves, sites can easily become outdated and vulnerable.
  • WordPress displays messages at the top of the backend admin pages to alert users of updates. However, some plugins and themes also include messages in this area, which can cause confusion and lead to a learned blindness of these alerts.
  • The WordPress comments system is very open by default and comment spam is common. The pingback feature, which WordPress handles as a type of comment, has also been abused to make unpatched sites unwitting participants in DDoS attacks against other websites.

NC State’s WordPress Services

If you’re using NC State’s WordPress Blogs or Hosted WordPress services, your website is part of a larger environment managed by OIT staff. Updates, security plugins, and other important security measures are provided by OIT to protect your site and your users. This is NOT true for sites hosted in cPanel web hosting. If you don’t have the expertise or the staff availability to keep your WordPress site safe, your best option is to use one of these managed environments.

Even in a managed environment, you still need to take action to protect your WordPress site. Your site is only as safe as its weakest user password, so grant login credentials only to trusted users and keep the number of users with administrative powers to a minimum.

If you are hosting your WordPress site in cPanel hosting or elsewhere, you are responsible for ensuring that your site is secure. Below are some basic guidelines to help you get started with keeping your site secure.

WordPress Updates and Security Basics

WordPress Updates

The single most important thing you can do to keep your WordPress site secure is to ensure it is up-to-date. WordPress releases updates to its “core” routinely and these, as well as your theme and plugin updates, should be applied in a timely manner.

As of version 3.7, by default WordPress is set to automatically install its own updates anytime a new “minor” or “security” version is released. For example, an update from 3.7 to 3.7.1 should auto-update; an update from 3.7.1 to 3.8 will not auto-update. Any so-called “major” release will still require administrative intervention as these tend to be much more impactful updates.

Administrators can set the WP_AUTO_UPDATE_CORE constant in the ‘wp-config’ file for their WordPress site to allow auto-updates for major as well as minor releases. WordPress can also auto-update themes and plugins, but this is enabled through filters (auto_update_plugin and auto_update_theme) that must live in a plugin, not in wp-config, and it only works for themes and plugins hosted in the central WordPress.org repository. Consider this step carefully: an unattended update may introduce conflicts between themes and plugins that the administrator is unaware of. While it is possible to disable auto-updates altogether, this should only be done in rare and exceptional cases, since it also turns off security releases.

More information on configuring automatic updates can be found in the WordPress Codex – Configuring Automatic Background Updates.

Best Practices

There are several simple things site administrators can do to avoid many of the areas targeted for attack in WordPress.

  • Do not use an “admin” login username. It is the default and extremely common, so brute-force tools try it first; if the attacker already knows the username, only the password stands between them and the account, and “admin” accounts tend to have very simple and generic passwords.
  • Make good password decisions. Whenever possible, authenticate with the Unity account on campus, both for the required complexity of the password and to help users remember their password. There are plugins available to improve password requirements if you are using WordPress for user management.
  • Make sure the file system hosting your WordPress install is sufficiently locked down. WordPress administrators can choose various levels of access for some of the directories hosting plugin and theme files, but ideally these should be writable by only one administrative account.
  • Revoke the DROP, ALTER and GRANT privileges from the database user WordPress connects with. Normal WordPress operation needs only SELECT, INSERT, UPDATE and DELETE, so removing the rest limits the damage an attacker can do through the site’s database connection. Note that core or plugin upgrades that change the database schema may need ALTER (and occasionally DROP) for the duration of the upgrade; grant them temporarily and revoke them afterwards.
  • Many published WordPress-specific SQL-injection attacks assume that the table_prefix is wp_, the default (which is how the NC State cPanel names the auto-installs of WordPress databases). Changing this prefix will defeat payloads that hard-code wp_, but it is obscurity rather than a fix: an attacker who can inject SQL can usually look the real prefix up in information_schema. Treat it as defense in depth and keep patching.
  • The wp-config file for a WordPress install can be altered to disallow any PHP file edits via the WordPress backend administration, regardless of file permissions, by adding this line:
    define('DISALLOW_FILE_EDIT', true);
  • In the case of a known hack or concerns of a breach, the eight security keys and salts (AUTH_KEY through NONCE_SALT) in the wp-config file can be replaced with fresh values, for example from the generator at https://api.wordpress.org/secret-key/1.1/salt/. This immediately invalidates all existing login cookies and all users will have to log in again. Remember to change the compromised passwords too; new salts alone do not lock out an attacker who knows a password.
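Most of the checklist above comes down to a few values you can verify by reading wp-config.php and the output of SHOW GRANTS for the site’s database user. The script below is an example added to this page (it is not NC State OIT or WordPress code) that audits both: it flags a missing DISALLOW_FILE_EDIT, a disabled WP_AUTO_UPDATE_CORE, the default wp_ table prefix, keys and salts still set to the sample placeholder, and DROP/ALTER/GRANT privileges on the database user. The wp-config and grant text it runs on are constructed samples; the ‘ncsu_x9_’ prefix and the wpdb/wpuser names are placeholders.

```python
"""Audit wp-config.php text and a SHOW GRANTS dump against the checklist above.
Added example, not NC State OIT or WordPress code. It only reads text you
pass in; it never connects to a site or a database."""
import re

# Placeholder WordPress ships for every key and salt in wp-config-sample.php.
DEFAULT_SALT = 'put your unique phrase here'
SALT_NAMES = ('AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
              'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT')
# Privileges the checklist says the site's DB user should not hold day to day.
# Schema-changing upgrades may need ALTER (sometimes DROP) temporarily.
RISKY_PRIVS = {'DROP', 'ALTER', 'GRANT OPTION', 'ALL PRIVILEGES'}

# define('NAME', value): value is a quoted PHP string (it may legitimately
# contain ')' or ';', as generated salts do) or a bare token such as true.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](\w+)['"]\s*,\s*('(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|[^\s)]+)\s*\)""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")
# One line of SHOW GRANTS output: GRANT <privs> ON <object> TO <user> [WITH GRANT OPTION]
GRANT_RE = re.compile(
    r"GRANT\s+(.+?)\s+ON\s+(\S+)\s+TO\s+(.+?)(\s+WITH\s+GRANT\s+OPTION)?\s*;?\s*$", re.I)


def parse_defines(text):
    """Map constant name -> value (surrounding quotes stripped) for each define()."""
    return {m.group(1): m.group(2).strip('\'"') for m in DEFINE_RE.finditer(text)}


def audit_wp_config(text):
    """Return a list of checklist violations found in wp-config.php text."""
    findings = []
    defines = parse_defines(text)
    if defines.get('DISALLOW_FILE_EDIT', '').lower() != 'true':
        findings.append("DISALLOW_FILE_EDIT is not true: dashboard file editor is enabled")
    # Absent means the default (minor/security auto-updates on), so only 'false' is flagged.
    if defines.get('WP_AUTO_UPDATE_CORE', '').lower() == 'false':
        findings.append("WP_AUTO_UPDATE_CORE is false: security releases will not auto-install")
    m = PREFIX_RE.search(text)
    if m is None:
        findings.append("$table_prefix not found")
    elif m.group(1) == 'wp_':
        findings.append("$table_prefix is the default 'wp_'")
    for name in SALT_NAMES:
        if defines.get(name, DEFAULT_SALT) == DEFAULT_SALT:
            findings.append(f"{name} is missing or still the sample placeholder")
    return findings


def audit_grants(show_grants_output):
    """Return 'user on object: privs' for each GRANT line carrying a risky privilege."""
    findings = []
    for line in show_grants_output.splitlines():
        m = GRANT_RE.match(line.strip())
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group(1).split(',')}
        if m.group(4):
            privs.add('GRANT OPTION')
        risky = sorted(privs & RISKY_PRIVS)  # a bare USAGE grant means "no privileges"
        if risky:
            findings.append(f"{m.group(3).strip()} on {m.group(2)}: {', '.join(risky)}")
    return findings


# Constructed samples (not from a real site): a config straight from
# wp-config-sample.php, and one that follows the checklist.
WEAK_WP_CONFIG = "<?php\n" + "".join(
    f"define('{name}', '{DEFAULT_SALT}');\n" for name in SALT_NAMES
) + "$table_prefix = 'wp_';\ndefine('WP_DEBUG', false);\n"

HARDENED_WP_CONFIG = "<?php\n" + "".join(
    f"define('{name}', 'k{i}W)q;+^L<~|Zr');\n" for i, name in enumerate(SALT_NAMES)
) + ("$table_prefix = 'ncsu_x9_';\n"
     "define('DISALLOW_FILE_EDIT', true);\n"
     "define('WP_AUTO_UPDATE_CORE', true);\n")

WEAK_GRANTS = ("GRANT USAGE ON *.* TO 'wpuser'@'localhost'\n"
               "GRANT ALL PRIVILEGES ON `wpdb`.* TO 'wpuser'@'localhost' WITH GRANT OPTION\n")
HARDENED_GRANTS = ("GRANT USAGE ON *.* TO 'wpuser'@'localhost'\n"
                   "GRANT SELECT, INSERT, UPDATE, DELETE ON `wpdb`.* TO 'wpuser'@'localhost'\n")

if __name__ == '__main__':
    for label, cfg, grants in (('weak', WEAK_WP_CONFIG, WEAK_GRANTS),
                               ('hardened', HARDENED_WP_CONFIG, HARDENED_GRANTS)):
        print(f"[{label}]")
        for finding in audit_wp_config(cfg) + audit_grants(grants):
            print("  -", finding)
```

To use it on a real site, pass the contents of wp-config.php to audit_wp_config and paste the lines that SHOW GRANTS FOR 'user'@'host' prints into audit_grants. An ALTER finding is not always a misconfiguration: a schema-changing core or plugin upgrade may need it for the duration of the upgrade, so time-box the grant rather than leaving it in place.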

More information on WordPress security can be found in the WordPress Codex.

WordPress Security Plugins

Below are a few of the most popular, highly-rated, and well-maintained security plugins available for free to WordPress users. Many also have a paid version with additional features. Please note that these are “blanket” security plugins, built to address a wide array of potential issues. Most do not include any kind of “exploit scanner.” That functionality, and other services, may require separate plugins.

It’s important to remember that these plugins alone will not secure your site. Once installed they still need to be configured. Many of these tools offer strong safeguards that help protect your site, but some settings may cause inadvertent problems and confusion if they interfere with the functionality of plugins and themes, so test them after enabling.

Finally, please understand that none of these are a guarantee of security. New vulnerabilities and attack strategies are identified every day and it is still possible that your site may come under fire. That said, a site that is up-to-date, uses well-written and supported themes and plugins, and applies extra security tools like those below should be able to withstand most attacks.

iThemes Security (formerly Better WP Security)
https://wordpress.org/plugins/better-wp-security/

Wordfence
https://wordpress.org/plugins/wordfence/

Bulletproof
https://wordpress.org/plugins/bulletproof-security/

All In One WP Security and Firewall
https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/

Sucuri Security
https://wordpress.org/plugins/sucuri-scanner/