WordPress.org

Codex

Interested in functions, hooks, classes, or methods? Check out the new WordPress Code Reference!

Hardening WordPress

Security in WordPress is taken very seriously, but as with any other system there are potential security issues that may arise if some basic security precautions aren't taken. This article will introduce you to basic security concepts and serve as an introductory guide to making your WordPress website more secure.

This article is not the ultimate quick fix to your security concerns.

What is Security?

Security is not an absolute, it's a continuous process and should be managed as such. Security is about risk reduction, not risk elimination, and risk will never be zero. It's about employing the appropriate security controls that best help address the risks and threats as they pertain to your website.

Security also transcends the WordPress application. It's as much about securing and hardening your local environment, online behaviors and internal processes, as it is physically tuning and configuring your installation. Security is comprised of three domains: People, Process, and Technology. Each work in a synchronous harmony with each other, without the people, and their processes, the technology itself would be useless. Keep this in mind as you work through this guide, the threat landscape is constantly evolving and as such so should your security posture.

Website Hosts

If you have downloaded WordPress from WordPress.org you will need to self-host, and you will have a wide range of options. You will need to choose from shared-hosts, managed-hosts and a number of other variations. Each host will handle security differently, but each will be consistent in that the ultimate responsibility for your installation's security will fall on the website owner (not the host).

We will not dive into the hardening of your host, as it is beyond the intent of this guide - which will focus on your WordPress installation. For more information though, we encourage you to jump over to the Hosting WordPress codex page.

How you decide to host your website is important, and should be done with care; the decision you make will dictate the specific security controls you will want to leverage. This means that you, the website owner, will be responsible for hardening your installation and why this guide is so important.

Security Concepts

There are basic Information Security (InfoSec) concepts that you should be aware of as you embark on your journey of securing WordPress. These concepts are critical to helping you understand and implement the recommendations presented in this guide.

Least Privilege Principle

When configuring web applications and WordPress, each application or user should only be able to access the resources that are necessary for its legitimate purpose and nothing more. In other words, don't give applications or users access beyond what they need. You can learn more about this principle on Wikipedia.

The least privilege principle builds on this idea, it is about giving people the access they require, for as long as they require to do their job, no more and no less. When they are done with their work, reset their access to the most appropriate level. This is most applicable when thinking about users and their appropriate roles. WordPress provides a number of different roles out-of-the-box, each designed with different permissions.

Defense in Depth

The idea of Defense of Depth subscribes to the concept that there is no single solution capable of addressing all your security concerns. Instead, it promotes the use of a layered approach to complementary security solutions each designed to address each others shortfalls. With multiple layers of security, if one fails you may still stop the attack, or at the very least be able to detect it early and recover quickly.

Employing a defense in depth approach might look like this: employing a firewall to help mitigate external attacks, employing a security scanner in the event something is successful, leveraging multiple authentication controls, or even integration of a key manager. Each are security controls designed to directly address a threat.

Security Controls

Moving beyond the theoretical, we take the concepts presented above and provide a list of actions you can take as a website administer to harden and improve your security posture:

  • Limit access: Reduce the number of people who have administrative access to your WordPress site to a minimum. You should also reduce the number of possible entry points to a minimum. You can do this by only installing web applications that you need and use. Remove any unused plugins and themes. This follows the principle of least privilege and provides administrative and logical controls to help preserve confidentiality, availability and integrity.
  • Functional Isolation: Your system should be configured to minimize the amount of damage that can be done in the event that it is compromised. Where possible, avoid having a large number of diverse web applications on a single hosting account. Logical separation of applications into separate accounts with their own access will confine a compromise to that one account and reduce damage.
  • Backups: Maintain reliable backups. You should occasionally verify the integrity of backups to make sure that you can restore your website if it is damaged. Have a plan to recover your website if it is compromised and document this plan. A good guide can be found WordPress Backups
  • Stay Up-to-Date: Do your best to stay up-to-date with your WordPress installation, including plugins and themes. You should put an administrative control in place that requires a check, with some frequency, that status of your site and it's extensible components.
  • Trusted Sources: Do not get plugins/themes from sources that are not trusted. (Trusted sources include the WordPress.org plugin directory.) Googling for a free version of a premium plugin is a recipe for disaster. Malicious people and organizations distribute what is known as 'nulled' plugins and themes which contain malicious code that will extend the premium plugin, but bundle it with malware that will allow them to hack your site. Do not use nulled plugins on your site.
  • Security Updates and News: Security vulnerabilities is something that affects all software, WordPress is no different. To stay current, we recommend subscribing to the vulnerability database maintained by WPVulnDB.com. You can also stay ahead of the latest trends following WordPress's own Security tag.

Secure your Working Environment

Make sure your local computer, browser and routers are up-to-date, free of spyware, malware, and virus infections. Consider using tools like no-script (or disabling javascript/flash/java) in your browser and VPN's to encrypt your online communication when moving between locations and using different public WiFi hotspots.

You should also secure your mobile devices. Install any updates as soon as they are available.

Vulnerabilities in WordPress

WordPress is updated regularly, these updates account for bug and security fixes alike. When working with point releases (e.g., 4.7.1) you should consider applying as soon as it is released. Major releases (e.g., 4.7) should be applied as soon as possible, but be sure to follow a good upgrade process to avoid any potential conflicts.

Themes / Plugins

The vulnerabilities most affecting WordPress website owners stem from the platform's extensible parts, specifically plugins and themes. These are the #1 attack vector being exploited by cyber criminals to hack and otherwise misuse WordPress sites.

These vulnerabilities are usually not introduced intentionally, they are a result of mistakes and oversights during development. Many plugin and theme developers are not highly versed in security, and so they are prone to inadvertently write vulnerable code. As vulnerabilities are discovered, developers usually address them by releasing updates. If a plugin is no longer being actively maintained however, it may remain vulnerable, and should no longer be used. It's important that you take an inventory of all the plugins the website uses and subscribe to the developer's mailing list to ensure you stay current with the latest updates. Avoid plugins that are not being actively maintained.

Updating WordPress

Main article: Updating WordPress.

The latest version of WordPress is always available from the main WordPress website at https://wordpress.org. Official releases are not available from other sites -- never download or install WordPress from any website other than https://wordpress.org.

Since version 3.7, WordPress has featured automatic updates. Use this functionality to ease the process of keeping up to date. You can also use the WordPress Dashboard to keep informed about updates.

You can find the official WordPress.org blog on this page where security updates are announced.

Reporting Security Issues

If you think you have found a security flaw in WordPress, you can help by reporting the issue. See the Security FAQ for information on how to report security issues.See Submitting Bugs for how to do this.

Web Server Security

The web server running WordPress, and the software on it, can have vulnerabilities. If you are managing your own server, make sure that you install security updates for your operating system, web server, PHP and any applications. If you are using managed hosting, your hosting provider will usually take care of these security updates for you.

If you're on a shared host (one that hosts other websites besides your own) and a website on the same server is compromised, you can experience cross-site contamination. Talk with your hosting provider to better understand how they handle security on shared servers.

If you are on shared hosting and one or more sites on that shared host have been hacked, you may find that your website IP address is black-listed by spam lists. If you find you are having email deliverability problems, you can use a blacklist lookup tool like mxtoolbox.com to see what is going on.

FTP / SFTP

When connecting to your server you should use an SFTP connection. This ensure the communication between your machine and the server is protected. Most hosts offer SFTP, if you're not sure, ask them. Read more on the difference with this Explanation of the FTP and SFTP protocols.

Database Security

If you run multiple blogs on the same server, it is wise to consider keeping them in separate databases each managed by a different user. This is best accomplished when performing the initial WordPress installation. This is a containment strategy: if an intruder successfully cracks one WordPress installation, this makes it that much harder to alter your other blogs. If you administer MySQL yourself, see Secure MySQL Database Design for more information.

Hardening Recommendations

Below we propose structural changes that provide additional security hardening for your WordPress installation. Each option comes with some disadvantages and problems which you need to be aware of.

Data Backups

Back up your data regularly, including your MySQL databases. See the main article: WordPress_Backups.

A sound backup strategy could include keeping a set of regularly-timed snapshots of your entire WordPress installation (including WordPress core files and your database) in a trusted location.

Access Control

One of the top two attack vectors used by cyber criminals is software vulnerabilities and access control. To combat this you must secure any point of entry into your host, WordPress installation or server. This includes employing strong passwords and enabling some form of Multi Factor authentication.

2FA Authentication

When working with any online site, consider enabling 2FA by default. Refer to Two Step Authentication for more information.

Some WordPress plugins designed to help include:

Passwords

The goal with your password is to make it hard for other people to guess and hard for a brute force attack to succeed. A key to this is making it Complex, Long, and Unique. It is recommended to use a password generator for all passwords.

WordPress also features a password strength meter which is shown when changing your password in WordPress. Use this when changing your password to ensure its strength is adequate.

Services like 1Password and LastPass can help you manage and create random passwords.

Core Directories / Files

File Permissions

The default permission scheme should be:

  • Folders - 750
  • Files - 640

There a number of ways to accomplish this change. There are also a number of variations to these permissions that include changing them to be more restrictive. These however are the default recommendations. Check with your host before making permissions changes as they can have adverse affects on the performance and availability of your site.

Avoid having any file or directory set to 777.

You can read more about WordPress updates and file ownership on the Updating WordPress codex page.

Changing file permissions

Via command line you can run the following commands to change permissions recursively:

For Directories:

find /path/to/your/wordpress/install/ -type d -exec chmod 750 {} \;

For Files:

find /path/to/your/wordpress/install/ -type f -exec chmod 640 {} \;

You can also do this via your favorite FTP/SFTP client.

For a detailed explanation of unix file permissions, see File system permissions - Wikipedia

WP-Admin

Adding server-side password protection (such as BasicAuth) to /wp-admin/ adds a second layer of protection around your blog's admin area, the login screen, and your files.

Note: This prevents normal site visitors from accessing /wp-admin/admin-ajax.php.

See the Resources section for more documentation on how to password protect your wp-admin/ directory properly.

WP-Includes

A second layer of protection can be added where scripts are generally not intended to be accessed by any user. One way to do that is to block those scripts using mod_rewrite in the .htaccess file. Note: to ensure the code below is not overwritten by WordPress, place it outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file. WordPress can overwrite anything between these tags.

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# BEGIN WordPress

Note: This won't work well on Multisite, as RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] would prevent the ms-files.php file from generating images. Omitting that line will allow the code to work.

WP-Content/Uploads

The uploads directory is the one directory that will almost need to be writable by the web server. It's where all files are uploaded remotely. You want to prevent PHP execution in this directory, you can do this by placing an .htaccess at the root of /UPLOADS using:

# Kill PHP Execution
<Files ~ "\.ph(?:p[345]?|t|tml)$">
   deny from all
</Files>

Note: This can break your theme if it requires PHP execution in UPLOADS. If you apply it and the site breaks, remove it and the site will reappear.

WP-Config.php

If you use a server with .htaccess, you can put this in that file (at the very top) to deny access to anyone surfing for it:

<files wp-config.php>
order allow,deny
deny from all
</files>

Disable File Editing

It is recommended to disable file editing within the WordPress dashboard. WordPress has a constant that disables this editing via the wp-config.php file. Append the following two lines to the middle of your wp-config file, with all the other defines. The require_once line should always remain last in the file:

## Disable Editing in Dashboard
define('DISALLOW_FILE_EDIT', true);

Security Plugins

There are many security plugins available for WordPress that provide a wide range of security and hardening features. There are four types of security plugins, it's important to differentiate between them because each are designed to solve different problems.

  • Prevention: Help protect you from hacks. They often include some form of Firewall solution.
  • Detection: Identify and notify if something is off and requires further inspection. This can come in the form of scanners and integrity checkers.
  • Auditing: Track and maintain an active log of all the activity on the site (i.e., track log ins, changes to themes and plugins, updates, etc..).
  • Utilities: Provide a suite of options designed to empower the user to make security-focused changes to their installation

As you think through your security posture, and look to integrate a security plugin, consider what you are trying to achieve and how that plugin helps you achieve that goal.

Website Firewalls

Website Firewalls allow you to proactively mitigate external attacks like exploitation attempts that try to abuse software vulnerabilities, brute force attacks that try to break into your admin panel, or denial of service attacks that try to kill the availability of your website. All real security threats.

There are two types of Firewalls to be mindful of. You have End-point and Cloud-based Firewalls.

  • End-point Firewalls are applied at the web server itself, and often managed by the host (unless you manage your own Dedicated / Virtual Server, in which case you will be responsible for your own). There are also application end-point firewalls, these are found in WordPress plugins (each using their own approach for integration).
  • Cloud-Based Firewalls reside off your web server and application. They introduce an intermediary layer off the local origin environment. Most notable cloud-based Firewalls function as a CDN and offer a globally distributed network.

Deploying a Website Firewall is quickly becoming the best way to stay ahead of today's emerging threats. It's not however a substitute for a bad security, it's one piece of a larger framework that should be considered.

Continuous Monitoring

Deploy tools that allow you to maintain visibility into the overall security state of your site. There are a number of tools designed to help with this.

Free Online Scanners

Remote scanners look at a website as a user or search engine would.

Examples:

These can be automated by using plugins as well, examples:

Application Scanners

Application scanners look at the files locally on the server. For WordPress, this is achieved by security plugins.

Examples:


If you're running a server, you might consider:

Reputation Monitors

Reputation monitors are services provided by established brands like Google, Bing, etc... that have a vested interest in your website displaying unaltered data.

These tools is that they are free, they have a vested interest in your site being clean, and will notify you 24 - 48 hours in advance before blocking your site.

Uptime / Availability Monitoring

Services like UptimeRobot and Pingdom monitor website availability. They send you an alert via email, SMS or mobile application if your website goes down. You can monitor your site from multiple locations.

One of the features of some of these services offer is the ability to monitor web page changes. Using availability monitoring along with monitoring of page changes can give you an early warning if your website has been hacked. Often a hacker will change or deface your website and catching changes early can alert you within minutes of a hack.

File Integrity Monitoring

Monitoring filesystem changes can give you early warning of an intrusion. There are a number of WordPress plugins that will look at the application and help you identify if the integrity of files have changed.

Example:

Security Considerations

What Plugins Access

When you install a WordPress plugin, it has access to your WordPress files, directories and database. The level of access that the plugin has is the same access level as WordPress core. There is no separation of permissions between WordPress plugins. There is also no way to limit the amount of access a plugin has.

It is important for you to understand what a plugin does and what it will be accessing. You should read the plugin documentation, check it's reputation by reading reviews and check the plugin support forums for any known problems before granting a plugin access to your system by installing it.

Security through Obscurity

Security through obscurity can be a valuable layer in a multi-layered Defense in Depth security strategy, but it should not be the only strategy you use to protect your site.

There are areas in WordPress where obscuring information might help with security.

Logging

Your hosting provider will usually provide web server logging for 24 hours. Not all hosts enable by default, please consider logging for a minimum of 7 days. You may need to enable this feature or request that they enable logging for you.

There are plugins that can help you with this logging even if your host cannot. Examples:

Logs provide an audit trail of requests that occurred on your website. If your website is hacked, it allows you or a forensic analyst to determine how your website was compromised.

Advanced Considerations

These recommendations are for the more advanced users that manage their own Dedicated and Virtual Private servers.

Monitoring Traffic

If you have SSH access to your web server, you can access a command line shell on your server and view your logs as they update in real-time with the following command: tail -f /location/to/log/file. This gives you the ability to monitor your raw traffic in real-time at no additional cost.

If you would like to learn how to perform log file analysis to identify attacks, you can start by reading the Log Analysis for Web Attacks: A Beginner’s Guide.

You can also monitor your website traffic in real-time using the real-time view from Google Analytics or Piwik.

Server Integrity Monitoring

Similar to the File integrity monitoring recommendation above, it's recommended you consider a similar approach for your web server.

A couple of system that helps streamline this process includes:

A few tools that help include:

Monitoring Malicious Activity

Most WordPress security plugins and security products provide a wide array of monitoring and alerting options. These include alerts on:

  • Brute force login attacks and login attempts
  • Login attempts and successful login
  • IP blocking

When configuring alerting it is important to have a high signal-to-noise ratio. In other words, you should only get alerts that are important to you and that you will do something about.

Further Reading

Codex Resources