Securing WordPress

WordPress seems to be infamous for getting hacked all the time. The solution itself tends to get dismissed immediately in the eyes of an IT professional - it’s not an ‘enterprise’ solution, or even a ‘professional’ one. Yet it’s still exceptionally popular and it’s so easy to get going, even if you don’t understand the technical intricacies. It just works… until someone breaks in and ruins it. WordPress isn’t really that bad; there are just a few things people do (or don’t do) which unfortunately allow it to become pretty insecure. Hopefully you can implement some of the ideas I’ll present to help make your WordPress site more secure. This isn’t a step-by-step guide, but it will give you the concepts and information to help you out in your journey to make your WordPress site more secure.

As an aside, if you are an IT professional, you might be surprised at how many shadow IT instances of WordPress are currently operating under your business umbrella. It’s worth taking a look.

It’s also worth noting that there’s no magical vest to make WordPress secure. This applies to every solution, not just WordPress. However, we do have ideas like applying secure options where we can, and automating as much security as we can. This will help bolster the security posture of WordPress, and that’s all we’re trying to achieve. Even if you follow everything here, there’s no guarantee that your WordPress site will become hack proof, and anything saying otherwise is snake oil. In no particular order:

Backups

Taking backups won’t make you more secure, but it’s the best thing you can do for when something inevitably goes wrong. Your hosting provider might offer a backup service which you should strongly consider using. It’ll stop you having to install extra plugins (which is great!), if someone does get in they can’t delete your backups, and you can effectively just bundle your services together which will make it easier for you to manage. If you do go with a hosting provider backup, make sure that you can recover your site totally should somebody have complete control over your WordPress site - if you’re not sure then just ask your provider.

Outside of your hosting provider, there are plugins which will bundle up your site and send it somewhere (like Dropbox, for example). These are fine if you’re not able to use backups from your hosting provider, as it’s better to have backups than no backups. Make sure that the plugin doesn’t just save the site backups to the WordPress hosting, because if it does then they can just be deleted by the attacker. Additionally, if they’re going to Dropbox (or whatever cloud service), then try to make sure that the plugin doesn’t have access to delete the backups it creates. It’s also worth noting that the plugin should only be able to write to a specific directory; you shouldn’t be able to browse your cloud service from the plugin.

If you can’t do either of those, then you can look at doing a manual copy of the site via your hosting SFTP. This is more inconvenient but at the very least have one backup, or just accept that you stand to lose everything you’ve created.

HTTPS

The popular Green Padlock in your browser (By the way, it’s becoming not green in your browsers in an effort to be secure by default). You’ll find a reasonable amount of information arguing against HTTPS. There are some scenarios where you might not want HTTPS, but that’s typically only valid when an enterprise is trying to gain visibility into traffic on their network. They’ll probably have defence in depth in action, and implement this in a secure way. If you’ve just got a WordPress site on the internet, you want HTTPS. Security aside, it will help make your site faster! Seriously, check this out.

HTTPS is pretty easy to achieve now. More often than not, your hosting provider can get you a certificate (the thing that gives you HTTPS) for free! They’ll have easy-to-follow instructions where you’ll say “yes I want HTTPS”, and then you set your site to say https:// instead of http://. It’s pretty much that simple now. Of course, you can still pay for certificates, but there’s no security difference (if they say there is, you’re getting sold snake oil). There are different types of certificates, some where they ‘vet’ you more thoroughly, but from a technical perspective they’re the same - you don’t need to pay for a certificate.

If your hosting provider can’t get you a certificate, then you can look at Cloudflare, which also has its own section later on for some other stuff. There’s an easy guide by Troy Hunt to help you through that. Cloudflare basically gives you ‘flexible’ HTTPS: the connection from your customer to Cloudflare is HTTPS, but the connection from Cloudflare to your WordPress isn’t. It’s better than nothing.
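As an added illustration (not part of the original post), this is how the "say https:// instead of http://" step and the ‘flexible’ HTTPS case can look in wp-config.php. It assumes example.com as a placeholder domain and a proxy such as Cloudflare that reports the visitor's scheme in the X-Forwarded-Proto header.

```php
<?php
// Fragment for wp-config.php (added example). Place it above the
// "That's all, stop editing!" comment near the end of the file.
// example.com is a placeholder for your own domain.

// With 'flexible' HTTPS the proxy talks to WordPress over plain HTTP, so
// WordPress sees an insecure request and keeps redirecting to https://.
// The proxy reports the visitor's real scheme in X-Forwarded-Proto; honour it.
// Caveat: this header is only trustworthy when the web server accepts
// traffic from the proxy alone, because any direct client can send it.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
	&& 'https' === strtolower( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) ) {
	$_SERVER['HTTPS'] = 'on';
}

// Pin the site address to https:// in code, so it cannot be switched back
// to http:// from Settings > General.
define( 'WP_HOME', 'https://example.com' );
define( 'WP_SITEURL', 'https://example.com' );

// Never serve the login form or the dashboard over plain HTTP.
define( 'FORCE_SSL_ADMIN', true );
```

If your host issues the certificate directly on the WordPress server, the X-Forwarded-Proto block is unnecessary and can be left out.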

Passwords and MFA

A strong password in conjunction with Multi Factor Authentication (the link has a lot of information, the first few paragraphs are all you really need) will seriously help you out, a lot. MFA also goes by the name 2FA. MFA is basically something you know (like a password), something you have (like a mobile phone), and something you are (like your iris). You need two factors or more. Most likely this means you will have a password, and a mobile phone.

Alternate Factors

There’s a bunch of things that you have that you can use as a second factor. The most convenient is to use your mobile number as that factor, otherwise known as SMS MFA. You’ll find people screaming that it’s not secure, and it’s true to a degree. It is the easiest other factor to steal (it’s surprisingly easy to hijack a mobile number, now you’ve stolen the tokens). However, if SMS is your only available other factor, it’s better to use that than to not have MFA at all.

I’d recommend using an application like Google Authenticator, Authy, or something similar. There’s a whole mass of them out there. If you really want to go for it, you can look at buying a hardware token, like a YubiKey. It’s a physical item you’ll pair to your service, and have to plug in when you need your second factor.

The elephant in the room is that WordPress doesn’t natively support MFA. You’ll need to install a plugin to get this to work, and then the plugins limit what factors you can use, but it’s well worth it. I’d suggest going with WordFence, which has its own section later on. Unfortunately, you need to pay for WordFence Premium to get MFA. WordFence have a page about WordFence and MFA.

Passwords

If you know what your password is, there’s a big chance it’s not a ‘good’ password. Instead of debating what a ‘good’ password is, go sign up for and use a password manager. You’ll be good with either 1Password or LastPass. Now set a minimum password length of 64 characters and generate! You will definitely find people arguing that storing all your passwords in one place is even more risky! While it’s true that it’d be really bad if someone got into your password manager, it’s even more risky to use the same (or a similar) password you remember for all your services. As it turns out, humans all think they’re being smart by making their password look fancy with numbers and special characters. The problem is that the people trying to break in are, you know, also humans, and they’ve got stupid big and plentiful data sets to work with. They know what you’ll do, they know what words, characters, numbers, and special characters you’ll probably use. Besides, they’ll usually just break in doing something called Credential Stuffing anyway. Password Managers easily defeat this.

To quickly address your master password issue for your password manager, for starters you’re using MFA like we discussed before. And then, you’re not using a password, you’re using a passphrase. Have you ever heard anyone say correct horse battery staple?

It’s also worth just changing your administrator account username to a few random characters. People can try and break in, and they’ll basically always try ‘admin’, ‘root’, and then a password. Someone that cares more might even try and guess your name (your site probably has your name on it) as the username. It’ll never work if your username is ‘nqpyxb’.

Avoid Installing Themes and Plugins

This is the hardest one because everyone wants their site to look unique, and all that power the plugins give you is just so handy. It’s WordPress, it’s built around the concept of using plugins to expand functionality, and themes to customise the look. That in and of itself isn’t a problem, but you can’t guarantee that the extra code you’re plugging in is safe, or will be maintained safely. Compromised themes and plugins are a big reason WordPress gets hacked. The advice here is simple, but can be very difficult to follow. Don’t install plugins. Don’t install themes. It’ll also help prevent your site from being slowed down. It’s not practical to leave it at never installing anything, so install as few as you can possibly get away with.

There are also some really sketchy things that they can do, like slowing your site down if you use a competitor’s hosting platform. It doesn’t matter so much whether or not the accused in the link are actually doing that (here is their response), the concept is definitely there and I wouldn’t put it past a company to do something along these lines.

Themes

If you can live with it, use the default WordPress theme. It’s supported by the maintainers of the WordPress Core - it’s about as good as you’re going to get from a security perspective. If you really need a custom theme, it’s almost impossible to reliably figure out which ones are good and which ones aren’t. One thing that might help is to find a theme that shows a history of recent updates; this is a big one. If it looks active in development then it’s being maintained and isn’t abandoned. You can try and find a popular theme, although popularity doesn’t mean it’s secure. Fewer ‘features’ is usually better (as there’s less code performing functionality that you might not actually want). You could argue that paying for a theme is better as they’re more likely to maintain the theme, although that’s really not definitive. Unfortunately the best advice on themes is to use the default.

Plugins

Not installing plugins isn’t really practical; heck, WordPress even comes with some plugins installed by default. But you’re trying to install as little extra stuff as possible, and generally removing anything that isn’t used. Like the themes, there’s basically no reliable way to figure out which ones are good and which ones aren’t. There’s some stuff that you should just generally avoid; for example, you probably don’t really need a plugin to browse your site directory as you can hopefully do that via your hosting provider. If you really need it, then install it and uninstall it when you’re done. There’s not much to elaborate on: don’t install it, consider if you really need it, if you have to, remove it when you’re done, otherwise it’s just something that needs to be installed.

Install Updates

This is a super easy thing to do which is really really good! As soon as an update for WordPress Core, any plugins, or any themes becomes available, update! As vulnerabilities are discovered, there are exploits that get developed. Eventually they get turned into effectively point and shoot exploits which are easy for anyone to purchase (or download for free) and start breaking into outdated software. You sidestep all this by keeping everything up to date. Of course, updates have a chance to go wrong - although you’re better off running the risk of a bad update than not updating. There’s a good reason why Windows 10 forces updates down your throat. Always take a backup before you update, just in case.

Just reiterating, update all your software. In fact, set WordPress to automatically update. Now the comparison to Windows 10 updates isn’t so bad because you don’t actually have to do anything - and that includes waiting.
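One way to set WordPress to update itself, shown as an added example rather than code from the original post: a small must-use plugin that turns on unattended updates for core, plugins and themes, and warns administrators when the updater has been switched off elsewhere. The file name and location in the header comment are assumptions.

```php
<?php
/**
 * Plugin Name: Force automatic updates (added example)
 *
 * Assumed location: wp-content/mu-plugins/force-auto-updates.php
 * (hypothetical file name; WordPress loads every .php file in mu-plugins).
 */

// Core: install minor (security and maintenance) and major releases unattended.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Plugins and themes: update all of them as releases appear. These filters
// override the per-item auto-update toggles in the dashboard.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// Keep the core update result e-mail so a failed update gets noticed.
add_filter( 'auto_core_update_send_email', '__return_true' );

// The filters above do nothing if wp-config.php (or the host) switched the
// updater off, so tell administrators when that is the case.
add_action( 'admin_notices', function () {
	if ( ! current_user_can( 'update_core' ) ) {
		return;
	}
	$blockers = array( 'AUTOMATIC_UPDATER_DISABLED', 'DISALLOW_FILE_MODS' );
	foreach ( $blockers as $constant ) {
		if ( defined( $constant ) && constant( $constant ) ) {
			printf(
				'<div class="notice notice-error"><p>%s</p></div>',
				esc_html( "Automatic updates are blocked by {$constant} in wp-config.php." )
			);
		}
	}
} );
```

Automatic updates also rely on WordPress being able to write to its own files and on its scheduled tasks running, so check the update e-mails after the first few releases.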

WordFence

If you can spare the gold, purchase and install WordFence Premium. It’ll help keep your site protected by proactively blocking the bad from touching your site. It does a bunch of other stuff too. Again, installing this doesn’t make you hack proof, but it’s a solid option to help keep things secure. It’s got a Web Application Firewall which will seriously help you out - not to mention that you get to plug in to their network of ‘badness against WordPress’, so you gain the visibility that all other WordPress sites have. Besides, you already got WordFence for MFA, right?

Cloudflare

Cloudflare is a bit unique here: for free you can leverage some of their services (like the free certificates for HTTPS mentioned before, and free DDoS protection), but their paid option unlocks their WAF. This effectively does the same thing as WordFence. If you can, use Cloudflare and WordFence - WordFence Premium and free Cloudflare is likely the most realistic option. In order to use Cloudflare you’ll need to move your DNS over to them.