Securing Your WordPress Website – An Overview
by Ben Gabler on
WordPress is a website building tool, known as a Content Management System (CMS), that makes creating beautiful and powerful websites easy without needing to know anything about HTML, PHP or any other web technology. This flexibility and power have made WordPress insanely popular. It is now the number one CMS, powering over 455,000,000 websites or 35% of the entire internet! If you want your website to look stylish, have all the functionality you could ever need, and utilize the most potent SEO tools available, then WordPress delivers.
The popularity of WordPress has created an incredibly rich ecosystem of themes, plugins, and tools that extend and enhance every aspect of your WordPress site with ease. Unfortunately, this popularity also makes WordPress an attractive target for hackers. This happens for a couple of related reasons. Firstly, with 455 million sites running WordPress, if a hacker can discover an exploit they can potentially break into nearly half a billion websites and take what they want.
Secondly, among the huge number of addons and plugins, some are poorly written, poorly maintained, or even abandoned by their authors. This provides hackers with a far easier entry point to a WordPress website than the hardened WordPress core. The massive number of WordPress sites means that even a relatively unpopular plugin can still be installed on a great many WordPress websites.
In this article, we will look at the basics of securing a WordPress website so you can enjoy the power of WordPress without suffering any of the downsides.
Keeping Up To Date
The world of technology advances incredibly rapidly, and this includes WordPress and the technology that supports it. When you visit a WordPress site, a vast number of software components are working in concert to produce the page you are looking at. These software packages can be grouped roughly into the following layers:
1. Operating system
2. WordPress core
3. WordPress plugins and themes
Each of these layers depends on the lower numbered layers to function correctly and securely. No software is perfectly written, which means that bugs are discovered in deployed packages all the time. Also, new and improved versions of software packages are released by their authors to add features and functionality.
All of this means that WordPress administrators must stay on top of every update that is available for their operating system and their WordPress installation. As you can imagine, this takes a great deal of time and, unfortunately, sometimes highly technical knowledge when things go wrong. There are tools that make parts of this easier, but they are not foolproof.
Take a look at our Stay Safe and Keep Your WordPress Up To Date article for lots of information on how to keep your WordPress website up to date.
Blocking hackers and bots
A website, almost by definition, has to “talk” to the internet. This means that, in an ideal world, anyone can make a polite and well-formed request for a web page and your WordPress website will answer by returning the page. You might have noticed that we don’t live in an ideal world and as a result, hackers, criminals, and script kiddies will try every technique they can think of to abuse your WordPress website to break in or deface it.
In the same way that you have a strong, locked front door on your house to stop burglars breaking in, you can create a sturdy network barrier in front of your WordPress website that will stop hackers from wrecking your site.
The advantage that you, as the administrator, have over the attackers is that you can control exactly what network traffic can reach your WordPress site. You can deploy effective tools to screen the traffic that arrives at your server and filter out and discard any malicious traffic, thereby protecting your WordPress website.
The following three traffic filtering tools will monitor different properties of the network traffic arriving at your WordPress website:
- Packet Filter Firewall.
- Web Application Firewall.
- Bruteforce and bot monitoring.
The first tool, a packet filter, is what most people think of when they hear the word “firewall”. This security tool examines the properties of network traffic at a very basic level. These properties are things like the port the packet is destined for, where it originated from, the protocol of the packet, and many more. The firewall keeps a list of allowed and blocked properties and will discard any packets that break these rules. You can fine-tune these rules to address the specific threats your server faces.
The second tool, a Web Application Firewall (WAF), works by examining the incoming web requests and ensuring that no maliciously malformed requests are allowed to reach WordPress. Many attacks rely on creating deliberately non-standard requests, or requests for sensitive WordPress files. A WAF will discard those requests and only allow through genuine and correctly formatted requests.
The final tool, a bruteforce and bot detector, will stop bruteforce attacks against your WordPress site. A bruteforce attack is when an attacker tries to log into your WordPress website by submitting thousands of username and password combinations in the hope of guessing a working pair. Bruteforce protection will notice those many failed login attempts and automatically ban the person or bot from making more attempts.
If you have a WordPress website you absolutely must install, configure, and maintain all three of these network security tools. Getting the most out of these tools and achieving the highest level of security for your site is challenging.
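The "notice many failed logins, then ban" decision described above, as an added example that is not part of the original article: it runs over constructed access-log lines and flags client IPs that exceed a failure threshold inside a sliding window. The log format, the threshold, the window and the assumption that a failed wp-login.php POST returns 200 while a success returns 302 are all assumptions of this example.

```python
"""Added example, not from the original article: flag IPs that make many
failed WordPress logins in a short window, the decision a bruteforce
protector bans on. Log format, threshold and window are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed access-log lines ("combined" format). Assumption used here:
# a failed wp-login.php POST re-renders the form with 200, success is a 302.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2021:11:50:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "python-requests/2.25"
203.0.113.7 - - [10/Mar/2021:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "python-requests/2.25"
203.0.113.7 - - [10/Mar/2021:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "python-requests/2.25"
203.0.113.7 - - [10/Mar/2021:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "python-requests/2.25"
203.0.113.7 - - [10/Mar/2021:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "python-requests/2.25"
203.0.113.7 - - [10/Mar/2021:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "python-requests/2.25"
198.51.100.4 - - [10/Mar/2021:12:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2021:12:00:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2021:12:00:40 +0000] "GET /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def failed_logins(log_text):
    """Yield (ip, timestamp) for every request that looks like a failed login."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if (m["method"] == "POST" and m["path"].split("?")[0] == "/wp-login.php"
                and m["status"] == "200"):
            yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: time the threshold was first crossed} using a sliding window,
    so a stale failure (the 11:50 line above) does not count toward a later burst."""
    recent, flagged = defaultdict(deque), {}
    for ip, ts in failed_logins(log_text):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:  # drop old failures
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged

if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ban candidate {ip}: threshold reached at {when:%H:%M:%S}")
```

Only the scripted client is flagged; the human who mistyped once and then logged in (the 302) never reaches the threshold, and the GET that merely loads the login form is not counted.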
If you want to know more about network filtering and how it protects WordPress take a look at the Protect Your WordPress Site With Effective Network Filtering article for a deep-dive on the subject.
Malware is a catchall name for any software that has malicious or criminal intent. Malware comes in many shapes and sizes and can easily end up on your WordPress website. The complexity of WordPress means that there are a variety of ways that you can end up with malware on your site. However, the most popular route among hackers is through a plugin or theme. This can be through the deliberate inclusion of malicious code by a hacker, but is more likely to be a simple coding error. A small, hard-to-find coding error can allow attackers to exploit a PHP script to place malicious code on your site.
Obviously, keeping all of your WordPress website’s code up to date is essential to blocking these attacks, as bugs get fixed and malicious code is removed once it is found. However, updates can only help with problems that have been identified. That still leaves many issues that are being actively exploited by criminals but have not been fixed yet, or for which you have not yet applied the update.
This is why effective malware scanning is essential. A good malware scan will work just like an anti-virus scanner on your laptop. It must continuously scan your WordPress website and examine every file it finds against an up-to-date malware list and quarantine any malware it finds.
Installing, configuring, and maintaining an effective malware scanner is not trivial. It is only effective if it is kept current and run frequently. If it is allowed to get out of date your WordPress website is liable to get compromised.
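The scan-compare-quarantine loop described above, as an added example that is not the article's code or any real scanner: it walks a constructed wp-content tree, checks each file against a malware list (a set of known-bad SHA-256 hashes plus one content signature) and moves hits into a quarantine directory. The list entries, the sample plugin files and the directory layout are all constructed for this example.

```python
"""Added example, not from the original article: a minimal file scanner that
hashes every file under a WordPress directory, compares against a constructed
malware list, and quarantines matches while preserving their relative path."""
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# Constructed "malware list": one known-bad file hash and one content signature.
BAD_CONTENT = b"<?php /* constructed sample, stands in for a known malicious file */ ?>\n"
KNOWN_BAD_HASHES = {hashlib.sha256(BAD_CONTENT).hexdigest()}
SIGNATURES = [re.compile(rb"eval\s*\(\s*base64_decode\s*\(")]  # common PHP obfuscation

def scan(root, quarantine):
    """Scan every regular file under root; move hits to quarantine, keeping the
    relative path so they can be inspected or restored. Returns [(relpath, reason)]."""
    root, quarantine = Path(root), Path(quarantine)
    hits = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()
        if hashlib.sha256(data).hexdigest() in KNOWN_BAD_HASHES:
            reason = "known-bad hash"
        elif any(sig.search(data) for sig in SIGNATURES):
            reason = "matched signature"
        else:
            continue
        dest = quarantine / path.relative_to(root)
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(path), str(dest))
        hits.append((path.relative_to(root).as_posix(), reason))
    return hits

def demo():
    """Build a constructed wp-content tree in a temp dir, scan it, return (hits, base)."""
    base = Path(tempfile.mkdtemp())
    plugins = base / "wp-content" / "plugins"
    (plugins / "good-plugin").mkdir(parents=True)
    (plugins / "good-plugin" / "good.php").write_bytes(b"<?php echo 'hello'; ?>\n")
    (plugins / "abandoned-plugin").mkdir()
    (plugins / "abandoned-plugin" / "dropper.php").write_bytes(BAD_CONTENT)
    (plugins / "abandoned-plugin" / "obf.php").write_bytes(
        b"<?php eval(base64_decode('Q09OU1RSVUNURUQ=')); ?>\n")  # inert, decodes to CONSTRUCTED
    return scan(base / "wp-content", base / "quarantine"), base

if __name__ == "__main__":
    for relpath, reason in demo()[0]:
        print(f"quarantined {relpath}: {reason}")
```

A real scanner also needs its hash and signature lists refreshed frequently, which is the "kept current" requirement the paragraph above makes.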
Take a look at our malware scanning article Malware and WordPress – Keeping It Clean for a comprehensive look at how malware infects WordPress and what you can do about it.
How Am I Supposed To Do All Of This?
If you’re running your WordPress website as a hobby, then installing, configuring, maintaining and fixing the tools that address these security issues can be an excellent learning experience. After all, you don’t really have much to lose if you mess up.
However, if your WordPress website is mission-critical and you don’t have the experience and domain-specific knowledge to keep everything secure, then you should look for an expert, managed WordPress hosting solution like Rocket. Rocket automatically and continuously deploys industry-leading security tools and takes over the security of your WordPress site for you on every tier of its WordPress instances.
Just sign up, spin up a WordPress website and dive right into creating a beautiful WordPress site.