Securing a WordPress Website

Advanced tactical tasks for securing a WordPress website.

Businesses with demanding security requirements are often worried about the use of WordPress. IT teams commonly hear about “WordPress being hacked”, and the concern is understandable because it does happen. Most often, though, a compromised site isn’t the result of using WordPress; it’s the result of poor practices or a lack of the knowledge needed to properly secure the website.

It’s also worth noting that WordPress is by far the most used content management system on the web, so you will naturally hear more about it “getting hacked” than about any other system. 10 out of 1 million is not worse than 1 in 10,000, so to speak.

So, how can you make sure your WordPress website is extremely secure? It involves a mixture of many things and is highly situational, but I’ll touch on some constructive recommendations that should definitely help you improve your site’s security. Over the years I’ve worked on securing and hardening WordPress-powered websites for companies that have strict security requirements, including banks, insurers, and even ITAR-compliant organizations.

Domain Registrar

The first step in security is making sure you have a registrar that provides solid features to protect your domain from the various types of attacks that can occur at the DNS and registration level.

ICANN recommends security processes for registrars to take that will help prevent domain hijacking:

  • Strongly encrypted AuthInfo codes — these are the randomly generated codes that play a role in the domain transfer process
  • Domain locking — systems to keep your domain from being transferred by an unauthorized party
  • Advanced identity verification for all registration processes
  • Improved record keeping for domain changes to assist in the event of a breach or takeover investigation

DNS Level Firewall

The next level down from the domain registrar is your DNS management. This can be handled by your web hosting provider, but for high security requirements it’s best to use a DNS level security platform. These systems analyze and halt malicious traffic before it reaches your web server, so you gain security layers before requests even hit the server, and most of them provide performance benefits as well. This is a great way to proactively monitor and protect your site from malware and other bad actors in real time.

Solid Providers to Explore

The following providers are all great options worth exploring:

Specific Configurations for Security

Each platform is different, and comes with its own unique strengths and specialties, but generally each one provides the following set of features to secure your website:

  • Firewall (WAF) – Detects and mitigates malicious requests across all traffic under your domain
  • Malware scanning – Scan for any active, in-use malware on your site
  • Bot protection – Identify and mitigate automated traffic to protect your domain from bad bots
  • Encryption monitoring and enforcement of minimum requirements, like only allowing TLS 1.2+ traffic
  • DDoS protection – This constantly analyzes traffic and generates real-time signatures to mitigate attacks across the network and application layers
  • HTTP Strict Transport Security (HSTS) policy to protect against man-in-the-middle (MITM) attacks and SSL-stripping attacks
  • Analytics/UI for reviewing traffic
  • Authenticated origin pulls to verify a TLS client certificate is presented for authentication between the server and client
  • Browser Integrity Checks – These evaluate HTTP headers from your visitors to verify they’re legitimate

Web Hosting

Choose a secure, reliable hosting partner that truly specializes in WordPress hosting. To name a few I’ve worked with, trust and would recommend:

Security Features

Certain companies truly provide specialized WordPress hosting, providing specific features that harden and protect against the most prevalent vulnerabilities.

These features often include:

  • Disk write protection and limitations
  • File permissions management
  • Disallowed plugins
  • Host-level firewall
  • User enumeration protection
  • Proactive monitoring for known or reported vulnerabilities
  • Plans that provide a dedicated VPC
  • Brute force protection for the login screen
  • Bot protection

Code-level WordPress Installation

Securing your WordPress website at the code level is next on the list. The following practices are general things that can be done to any installation to increase its security.

  • Always keep plugins, themes, and the core up to date
  • Use a secure database prefix
  • Add unique WordPress salts to your wp-config.php file: WordPress Salt Generator
  • Restrict login and admin area by IP address or VPN
  • Add approval steps for administrator user creation
  • Rotate passwords at set intervals (for example: every 2 months)
  • Force the use of strong passwords
  • Make your production environment read-only
  • Add multifactor / two-factor authentication (2FA) with Google Authenticator
  • Use the SHA256 algorithm for password hashing instead of the built-in MD5 algorithm
  • Use a third-party SSO provider for access control, like Okta or Auth0
  • Disable XML-RPC to avoid DDoS and brute force attacks
  • Configure a code scanning firewall plugin like Wordfence
  • Install an SSL certificate and force all traffic to use HTTPS to encrypt data in transit
  • Routinely find and replace all non-https outbound links in your site to make them use https://
  • Add noreferrer attributes to all outgoing links, which hides your referrer header from external sniffing
  • Add noopener attributes to all outgoing links, which instructs the browser to navigate to the target resource without granting the new browsing context access to the document that opened it
  • Reset and monitor all file permissions to make sure the correct file and folder permissions are always in place. This prevents unauthorized access from plugins or malicious injected code
  • For serious security concerns, configure the site to require a VPN connection for all traffic to the /wp-admin/* directory
  • Backup your database regularly and encrypt all sensitive data
  • Monitor your site regularly for signs of compromise, using tools like Google Search Console for notifications on potential security issues
  • Enable logging and auditing to track user activities and detect anomalies
  • Add a content security policy (CSP) to prevent cross-site scripting (XSS) and data injection attacks
  • Configure security headers to protect against various types of attacks. More information can be found here.
    • X-XSS-Protection
    • X-Frame-Options
    • X-Content-Type-Options
    • Referrer-Policy
    • Access-Control-Allow-Origin
    • Cross-Origin-Opener-Policy (COOP)
    • Cross-Origin-Embedder-Policy (COEP)
    • Cross-Origin-Resource-Policy (CORP)
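
As an added example (not code from the original article), here is how two of the items above, disabling XML-RPC and configuring security headers, can be implemented as a WordPress must-use plugin. The file path, function names and header values are assumptions chosen as a conservative starting point.

```php
<?php
/**
 * Plugin Name: Hardening baseline (added example, assumed names and values)
 * Assumed path: wp-content/mu-plugins/hardening-baseline.php
 */

// 'xmlrpc_enabled' only disables XML-RPC methods that require a login,
// which removes the password-guessing surface of xmlrpc.php.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Pingback methods need no login, so drop them from the method table too.
add_filter( 'xmlrpc_methods', function ( $methods ) {
	unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
	return $methods;
} );

// Single definition of the response headers named in the list above.
function hardening_baseline_headers() {
	$headers = array(
		'X-Content-Type-Options'       => 'nosniff',
		'X-Frame-Options'              => 'SAMEORIGIN',
		'Referrer-Policy'              => 'strict-origin-when-cross-origin',
		'Cross-Origin-Opener-Policy'   => 'same-origin',
		'Cross-Origin-Resource-Policy' => 'same-origin',
		// Current browsers have removed the legacy XSS filter; 0 turns it
		// off where it remains and leaves XSS defence to the CSP.
		'X-XSS-Protection'             => '0',
		// Narrow starting CSP; script-src must be tuned per site.
		'Content-Security-Policy'      => "frame-ancestors 'self'; base-uri 'self'; object-src 'none'",
	);
	if ( is_ssl() ) { // HSTS is only meaningful on an HTTPS response.
		$headers['Strict-Transport-Security'] = 'max-age=31536000';
	}
	return $headers;
}

// Front-end responses: merge into the headers WordPress already sends.
add_filter( 'wp_headers', function ( $headers ) {
	return array_merge( $headers, hardening_baseline_headers() );
} );

// wp-admin and wp-login.php are not guaranteed to run 'wp_headers'.
function hardening_baseline_send() {
	foreach ( hardening_baseline_headers() as $name => $value ) {
		header( "$name: $value" );
	}
}
add_action( 'admin_init', 'hardening_baseline_send' );
add_action( 'login_init', 'hardening_baseline_send' );
```

Cross-Origin-Embedder-Policy and Access-Control-Allow-Origin are left out because safe values depend on which third-party resources the site embeds and which origins may read its responses. Responses served from a page cache or CDN bypass PHP, so the same headers need to be set at that layer as well.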

Summary

This is meant to be a reference of tactical tasks you can perform to secure your WordPress website. There are many articles out there with the same general information, but they rarely go into the specifics of what you should do. Keep in mind that, depending on your requirements, many of these may not be needed and may be overkill. I’ve included many of the approaches I’ve used to help secure banking and financial websites, but these wouldn’t be needed for a regular business website. Use your own judgement; I provide these as methods with no guarantee that they’ll secure your website. Securing your WordPress site is ultimately up to you.

Meet the Author

Kevin Leary, WordPress Consultant

I'm a custom WordPress web developer and analytics consultant in Boston, MA with 16 years of experience building websites and applications.