WordPress Security Tips

A checklist of basic WordPress Security Tips. Managing a secure WordPress site does not require secret wizardry. Understanding a few simple tips will go a long way to ensuring your site is secure and available.
1. Lack of updates will get sites compromised
By far the majority of successful attacks against WordPress installations is due to automated attacks (scripts) exploiting known security vulnerabilities in themes or plugins.

The key is ensuring that security fixes for the known vulnerabilities are applied. Recent versions of WordPress have a builtin capability to automatically update the WordPress Core. Plugins and Themes will usually alert the user in the WordPress admin dashboard when updates are available.

Recommended Actions
Use automated updates, or make a regular schedule to apply updates to all components, this includes WordPress Core, all plugins and your theme.

Delete unused plugins and themes from the WordPress installation. If code is left in the /wp-content/plugins/ or /wp-content/themes/ folders on the site it can still be attacked, even if not in use.
2. Passwords really do suck
During 2013 a botnet made up of over 90'000 web servers was built by automated scripts brute forcing WordPress weak admin passwords. The password list used consisted of 1000 common passwords. In testing WordPress password brute forcing against a small VPS I was able to attack 700'000 password combinations a day without taking down the VPS or the site.

In fact without security monitoring (see number 6), I may not have even noticed the password guessing attack. These two examples highlight the fact that weak passwords can easily be attacked both by automated attackers and more focused targeted attacks.

Recommended Actions
Make your password strong and don't reuse passwords:
jfe*3fF1@5hN <- Good (just don't use the example!)
P@ssw0rd1 <- Bad (common words with simple changes can be easily guessed)
3. Secure Your Server
It is important to understand that the security of your WP site is more than just locking down the WordPress application, you must also ensure the server that the site runs on is also secure, no point locking the window if the door is wide open.

From required services such as Nginx / Apache, PHP, Mysql, to remote access services (SSH / webmin / cpanel) and components such as web server caching components it only takes a configuration error, a poor password or software vulnerability to lose everything including root access. In the past even some of the most well known shared web hosting providers have had mass compromises of WordPress sites.

Recommended Actions
Whether your hosting is VPS / Dedicated / Shared Hosting / managed or unmanaged, ensure the administrators of the servers follow basic security processes and manage the system in a proactive manner.

This could mean using a dedicated WordPress hosting solution, or in many instances you may be the administrator; in that case at a minimum keep everything updated, use strong passwords and regularly check for vulnerabilities.
4. FTP is very much a protocol from the 90's
If you transfer files to your web server using FTP is simply a bad idea. The FTP protocol sends the username and password in the clear to the server.

There is no security around the authentication, meaning anyone sniffing the traffic can easily collect your web hosting password. Most web servers will have SSH and if they do you should be able to upload your files using SFTP or SCP. Using SFTP ensures the authentication and transfer of the all occurs within an encrypted tunnel using the SSH protocol.

A client such as WinSCP can make this process very similiar to FTP for those Windows users who think bash is something you do with a club.

Recommended Actions
Whatever method you use for uploading images and other files, ensure the protocol is using encryption. Examples include SFTP over SSH, HTTPS if using a web based upload method or even a virtual private network to your server (VPN).
5. Of course you have HTTPS
Similar to Tip number 4, accessing /wp-admin/ over HTTP means your password and WordPress authentication cookie can be scooped up by anyone with access to your traffic.

In a coffee shop / library / airport with Free WiFi this means anyone could get full admin access to your site without even sending a packet to you.

Recommended Actions
Enable HTTPS on /wp-admin/ and your login page at a minimum. SSL certificates are cheap at less than $10 for a year or even Free now thanks to the letsencrypt service.
6. Who is watching your site?
Security monitoring alerts you to events on your system that are a potential threat. Tuning (customisation) of the security monitoring application or script ensures that only events (log entries) that meet a threshold are alerted upon, other events are recorded and can be compiled into a regular security report.

Recommended Actions
For those who manage the server a security monitoring tool such as the Open Source OSSEC is an excellent option. It will detect a wide variety of events on a system, will alert on or block attacks; even provide immediate alerts in the event of a compromise.
7. Test for Weak Security
Find out if your security is rubbish, so you can start to mitigate any security issues. Understand the security of both your system and your WordPress site so you can effectively evaluate the risk and make informed decisions when securing your system.

Recommended Actions
Use security vulnerability scanners to discover your points of security weakness. Test your WordPress Application (WPScan), Web Server (Nikto), System (OpenVAS) and Firewall (Nmap) for any issues.