I’ve written in the past about why you want your WordPress site to be secure. Today I want to share with you some security principles that will help you put that security into practice on your WordPress website.
In the Information Security (InfoSec) realm, there are several principles that, when followed, increase security. The more of these principles you can apply to your WordPress site, the more secure it will be.
In this post, I’ll use the word “hacker” to refer to any person or system that could maliciously damage your website.
Confidentiality
Confidentiality means that you “only allow access to data for which the user is permitted,” according to The Open Web Application Security Project (OWASP).
This means you need to make sure legitimate users can only access as much as they need to, and illegitimate users can’t access anything.
Make sure all users use strong passwords. The Force Strong Passwords plugin will let you enforce this.
You should also use two-factor authentication. This requires that you enter a code in addition to your username and password to log into your site. It’s the same idea behind ATM security: you need something you have (a card) and something you know (the PIN).
I recommend the Google Authenticator plugin. It works with the Google Authenticator app on your phone to add a code that must be entered in addition to your username and password. There are other two-factor authentication plugins, so check them out to see which will work best for your situation.
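As an added illustration of what “enforcing” a password policy looks like under the hood (this is example code written for this post, not the Force Strong Passwords plugin or any other plugin’s code), the must-use plugin below rejects weak passwords on the profile screen, the “Add New User” screen, and the password-reset form. The 12-character minimum, the three-character-class rule, and the `mpp_` function names are assumptions you can tune; the two hooks it attaches to are WordPress core actions.

```php
<?php
/**
 * Plugin Name: Minimum Password Policy (added example)
 *
 * Save as wp-content/mu-plugins/minimum-password-policy.php.
 * Illustrative code for this post; thresholds are assumptions.
 */

// Return a human-readable problem with the password, or '' if it passes.
function mpp_password_problem( string $password ): string {
    if ( strlen( $password ) < 12 ) {
        return 'Passwords must be at least 12 characters long.';
    }
    // Count how many character classes are present.
    $classes  = preg_match( '/[a-z]/', $password );
    $classes += preg_match( '/[A-Z]/', $password );
    $classes += preg_match( '/[0-9]/', $password );
    $classes += preg_match( '/[^a-zA-Z0-9]/', $password );
    if ( $classes < 3 ) {
        return 'Passwords must mix at least three of: lowercase, uppercase, digits, symbols.';
    }
    return '';
}

// Shared check: the profile, new-user and reset forms all submit the
// new password in the pass1 field. Adding an error to the WP_Error
// object is what makes WordPress refuse to save the password.
function mpp_add_error_if_weak( WP_Error $errors ) {
    if ( empty( $_POST['pass1'] ) ) {
        return; // No password change submitted; nothing to check.
    }
    $problem = mpp_password_problem( (string) wp_unslash( $_POST['pass1'] ) );
    if ( $problem !== '' ) {
        $errors->add( 'weak_password', '<strong>Error</strong>: ' . esc_html( $problem ) );
    }
}

// Profile screen and "Add New User" screen (wp-admin).
function mpp_check_profile_password( WP_Error $errors, bool $update, $user ) {
    mpp_add_error_if_weak( $errors );
}
add_action( 'user_profile_update_errors', 'mpp_check_profile_password', 10, 3 );

// Password-reset form (wp-login.php?action=rp). $user may be a WP_User
// or a WP_Error when the reset key is invalid, so it is left untyped.
function mpp_check_reset_password( WP_Error $errors, $user ) {
    mpp_add_error_if_weak( $errors );
}
add_action( 'validate_password_reset', 'mpp_check_reset_password', 10, 2 );
```

Because it lives in `mu-plugins`, it cannot be deactivated from the dashboard, which is the point: a policy that an Administrator can switch off with one click is a weaker layer than one that requires file access to remove.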
Cryptography is a tool to protect confidentiality. You encrypt data, and only authorized users can decrypt it.
When you add SSL/TLS to your website, that encrypts data flowing between the user’s browser and the web server. I recommend that you use SSL/TLS on your WordPress website, even if the data you transmit isn’t especially sensitive.
If you use FTP with your website, use SFTP (or FTPS) instead. Plain FTP sends your username and password in plain text (unencrypted) over the Internet, available to any eavesdropper.
Don’t save your WordPress password in an unencrypted file on your computer, where someone could find it. I recommend using a password manager such as LastPass, which will encrypt your passwords.
Access control is another way to protect confidentiality. You control the level of access each user has.
Each person who needs access to your site should have a separate WordPress account. That way, you can set granular (specific) permissions. When you share accounts, it’s harder to do that. See 3 Reasons to Never Share Your WordPress Login and What to do Instead.
Giving a person a user account on your WordPress website grants them access they didn’t have before. Beyond that, the account’s user role determines how much access it has. It’s best to follow the principle of least privilege when you choose that role; we’ll cover that next.
Least Privilege
The least privilege principle says that people should have only the level of access and capability that they truly need. When people can access more info than they need, or have abilities that they don’t need, there’s a greater potential that they’ll cause damage (accidentally or deliberately). Also, never underestimate the risk of someone’s account being hacked. If someone nefarious gets access to an account, you don’t want that account to have any more permissions than it should!
When you create an account, use the lowest possible user role. Don’t make someone an Administrator if they only need to be an Editor. For more granular control, use the User Role Editor plugin, or try the Webmaster User Role plugin.
The same principle applies to other online accounts. If you must give someone FTP access, create a new user with access restricted to the folder and permissions they truly need. Same with giving access to your host control panel (such as cPanel), if your host allows you to create separate accounts.
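To show what “the lowest possible user role” means in WordPress terms, here is an added example (written for this post; it is not code from the User Role Editor or Webmaster User Role plugins) that registers a custom role sitting between Contributor and Author: the user can draft and edit their own posts and upload images, but cannot publish, cannot edit anyone else’s content, and has no access to plugins, themes or settings. The role name `contributor_plus`, the `cpr_` function names and the exact capability set are assumptions; the capability names and the `add_role`/`get_role` calls are WordPress core APIs.

```php
<?php
/**
 * Plugin Name: Contributor Plus Role (added example)
 *
 * Install as a regular plugin (activation hooks do not fire for
 * mu-plugins). Illustrative code for this post; the capability set
 * is an assumption about what such a user needs.
 */

// Capabilities this role needs, and nothing more. Everything else
// (publish_posts, edit_others_posts, install_plugins, edit_theme_options,
// manage_options, ...) is absent, so WordPress treats it as denied.
function cpr_capabilities(): array {
    return array(
        'read'                 => true,  // View the dashboard and own profile.
        'edit_posts'           => true,  // Create drafts and edit own unpublished posts.
        'delete_posts'         => true,  // Delete own unpublished posts.
        'upload_files'         => true,  // Attach images to those drafts.
        'publish_posts'        => false, // Explicitly denied: an Editor publishes.
        'edit_published_posts' => false, // Explicitly denied: no edits after review.
    );
}

// Roles are stored in the database, so register once on activation
// rather than on every page load. add_role() returns null if the role
// already exists, which is harmless here.
function cpr_register_role() {
    add_role( 'contributor_plus', 'Contributor Plus', cpr_capabilities() );
}
register_activation_hook( __FILE__, 'cpr_register_role' );

// Remove the role on deactivation so an unused role does not linger.
// Users still assigned to it fall back to "no role" until reassigned.
function cpr_unregister_role() {
    remove_role( 'contributor_plus' );
}
register_deactivation_hook( __FILE__, 'cpr_unregister_role' );

// The same principle applied to a built-in role: Editors normally hold
// unfiltered_html, which lets them put arbitrary markup (including
// scripts) into posts. If your editors never need that, take it away.
// The has_cap() guard keeps this idempotent; the change persists in the DB.
function cpr_tighten_editor_role() {
    $editor = get_role( 'editor' );
    if ( $editor && $editor->has_cap( 'unfiltered_html' ) ) {
        $editor->remove_cap( 'unfiltered_html' );
    }
}
add_action( 'init', 'cpr_tighten_editor_role' );
```

The pattern to notice is that the role is built up from an explicit allow list rather than by starting from Administrator and trimming; a capability you forgot to remove is a permission you did not know you granted.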
Integrity
Integrity means that you “ensure data is not tampered or altered by unauthorized users,” according to OWASP.
Your host has some responsibility here, since the files and database are on their servers. Make sure you use quality, trustworthy hosting. Here’s How to Choose a WordPress Host and Plan.
Make sure you get all WordPress plugins and themes from trusted sources. The official WordPress Plugin Directory and WordPress Theme Directory are good sources. You can also look in the Commercial Theme Directory. StudioPress is our favorite theme shop; they’ve had their Genesis theme framework reviewed by security expert and core WordPress developer Mark Jaquith.
Backing up your site is one way to ensure its integrity, because if the site has a problem, you have a good copy backed up. Schofield’s Second Law of Computing states that data doesn’t exist unless there are at least two copies of it. That’s because you’re taking such a risk by having a single copy of your data that you may as well consider it nonexistent.
I highly recommend having an offsite backup (a backup in a place separate from the live website). If your web server or host has a problem that affects the live site, it could affect the backup too.
Availability
Availability means that you “ensure systems and data are available to authorized users when they need it,” according to OWASP.
One of the best ways to ensure your WordPress site is available is to use solid hosting with good uptime. We talked about hosting earlier (see above).
You also want to think about disaster recovery before disaster strikes. It’s not enough to have backups; you need the ability to restore the backups when you need them.
Part of availability is ensuring users can access what they need. This requires that the site be online, and that users have appropriate permissions. We talked about these aspects earlier (see above).
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are attacks in which your web server is inundated with traffic in an attempt to knock your site offline. Good hosts have measures in place to reduce the damage of such attacks. You can also consider Cloudflare, which adds a layer of security in front of your website. Some hosts have Cloudflare integrated and make it easy to enable. If your host doesn’t, you can still set it up directly through Cloudflare.
WordPress sites can be knocked offline by software conflicts and incompatibilities. (Within WordPress, the software is WordPress Core, plugins, and themes.) Conflicts and incompatibilities can happen if you run outdated software alongside current software. To minimize this risk, install WordPress updates regularly.
Minimize Attack Surface
The attack surface “describes all of the different points where an attacker could get into a system, and where they could get data out,” according to OWASP. For your WordPress website, that means all the software that makes up your website, the data it contains, and the ways the software and data can be accessed.
You want to minimize your attack surface; basically, to reduce the number of ways hackers could damage your site.
Remove unnecessary plugins, themes, and users from your website. Learn how to do that in our post How to Declutter Your WordPress Website. Deactivating plugins and themes isn’t enough; they can still be used by hackers to get into your site! You must also delete them to remove their code from your WordPress site.
You should also check your web server for unnecessary files, whether related to your WordPress site or not. I’ve seen old copies of websites, scripts, and other files that could be misused sitting around on web servers months or years after they were needed. Log in with your host’s file manager (usually in the host’s control panel) or SFTP and clean it out (make sure to have a backup first!).
Defense in Depth
The principle of Defense in Depth means that you have multiple layers of defense. That way, even if a hacker gets through one or more layers, there are other layers that will stop them.
Your web host should have multiple layers of security. It would be wise to learn what they have by checking the host’s website or asking support.
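Several of the principles above (SSL/TLS for confidentiality, regular updates for availability, a smaller attack surface, and layered defense) can be applied from one file you already have: `wp-config.php`. The excerpt below is an added example assembled for this post, not something a plugin or host installs for you; every constant in it is a documented WordPress core setting, and `https://example.com` is a placeholder for your own site address.

```php
<?php
// Excerpt of wp-config.php (added example for this post). Place these
// lines above "/* That's all, stop editing! Happy publishing. */".

// Confidentiality (SSL/TLS): tell WordPress the site lives at an https
// address so every generated link uses TLS, and force the login and
// admin screens to HTTPS so credentials and session cookies are never
// sent in plain text. The HTTP-to-HTTPS redirect for visitors is still
// configured at the web server or at Cloudflare, not here.
define( 'WP_HOME',    'https://example.com' ); // placeholder: your site URL
define( 'WP_SITEURL', 'https://example.com' ); // placeholder: your site URL
define( 'FORCE_SSL_ADMIN', true );

// Minimize attack surface: remove the built-in theme and plugin file
// editor from the dashboard. A hacker who gets hold of an Administrator
// login then has one fewer way to write PHP onto the server.
define( 'DISALLOW_FILE_EDIT', true );

// Availability and integrity: let WordPress apply all core updates,
// including major releases, without waiting for you.
define( 'WP_AUTO_UPDATE_CORE', true );

// Defense in depth: never show PHP errors to visitors on a live site.
// Error output can reveal file paths and plugin names that a hacker
// would otherwise have to guess; errors still go to the server log.
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_DISPLAY', false );
```

None of these settings replaces the others described in this post; each removes one more thing that has to go wrong before a hacker succeeds, which is exactly what Defense in Depth asks for.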
- Hardening WordPress: Security Concepts (WordPress Codex)
- Security by Design Principles (OWASP)
- Information security (Wikipedia)
- What is confidentiality, integrity, and availability (CIA triad)? (TechTarget)
- Ask Sucuri: What is the Principle of Least Privilege? (Sucuri)
Baffled by these Security Principles?
If you don’t work in IT, you may find your mind boggled by these security principles. Don’t despair! You don’t need to figure out WordPress security by yourself. Contact us about applying security principles to your WordPress website.