
WordPress Security Strategies

WordPress is pretty popular nowadays. Out of every 100 domains registered in the U.S., 22 of them run on WordPress. Just as malware is mostly written for Windows because of its popularity, new attempts to hack WordPress are very common: both have many eyeballs on them.

If you want a secure WordPress, first try not to use WordPress. I'm not saying WordPress is that evil, but if what you are building could be served as static pages, e.g., blogs or hotsites, I'd recommend Jekyll: static pages are much less likely to be hacked, and they are faster and cheaper to host.

However, in some situations you want dynamic features that only WordPress provides. If you go that way, there are two main paths: self-hosting, or delegating the hosting of your WordPress to someone else.

If you delegate the WordPress hosting, you're delegating the security as well. Aware of this responsibility, WordPress.com, for example, limits what you can do, e.g., you can only install plugins from their whitelist. The rationale is very simple: if you modify your blog too much, they can no longer guarantee that your modifications won't affect the security of the system. If you're new to system administration or development, I highly recommend evaluating a WordPress hosting provider instead of trying self-hosting first.

Take note that vulnerabilities can be introduced into your WordPress installation by 3 main paths:

On the other hand, there is self-hosting, which is more challenging, although it gives you more freedom to customize your installation. For this case I have some tips as well:

From what I've seen in companies so far, basically 20% of cyber hygiene mitigates 80% of the vulnerabilities. Keep that in mind.

So let's start with the default installation of WordPress. It isn't secure by default; basically, it isn't trustworthy. You need to go through a process we call hardening to secure it. With this magic keyword in your vocabulary, you can search for "something hardening" on Google and apply security measures to any technology that some good soul has written an article about. Always check the source, and read multiple articles as well.
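To make "hardening" concrete, here is an added example (my code, not code from the original post) of a small Python audit for a self-hosted WordPress document root. It checks a handful of well-known hardening items: wp-config.php file permissions, the WP_DEBUG and DISALLOW_FILE_EDIT settings, the version-disclosing readme.html, and PHP files under wp-content/uploads. The selection of checks is my own and is not a complete hardening checklist; the two installs it audits are constructed in a temporary directory so the script runs offline.

```python
"""Added example: a minimal hardening audit of a WordPress document root.
The set of checks is my own selection (assumption); it is not a complete
hardening checklist, just the shape such a check takes."""
from __future__ import annotations

import re
import stat
import tempfile
from pathlib import Path


def _defined_true(config_text: str, name: str) -> bool:
    """True if wp-config.php contains define('NAME', true) (case-insensitive)."""
    pattern = rf"define\(\s*['\"]{name}['\"]\s*,\s*(true|false)\s*\)"
    match = re.search(pattern, config_text, re.IGNORECASE)
    return match is not None and match.group(1).lower() == "true"


def audit_wordpress(root: Path) -> list[str]:
    """Return a list of human-readable findings for the install at `root`."""
    findings: list[str] = []
    cfg = root / "wp-config.php"
    if not cfg.is_file():
        return ["wp-config.php not found"]

    # Secrets (DB password, salts) live here: it must not be readable by "others".
    mode = stat.S_IMODE(cfg.stat().st_mode)
    if mode & stat.S_IRWXO:
        findings.append(f"wp-config.php is accessible by others (mode {mode:o})")

    text = cfg.read_text()
    if _defined_true(text, "WP_DEBUG"):
        findings.append("WP_DEBUG is enabled: errors and server paths are shown to visitors")
    if not _defined_true(text, "DISALLOW_FILE_EDIT"):
        findings.append("DISALLOW_FILE_EDIT not set: the dashboard can edit theme and plugin PHP")

    # readme.html ships with WordPress and states the installed version.
    if (root / "readme.html").is_file():
        findings.append("readme.html present: discloses the WordPress version")

    # Uploads hold user-supplied content; nothing there should be executable PHP.
    uploads = root / "wp-content" / "uploads"
    if uploads.is_dir():
        for path in sorted(uploads.rglob("*.php")):
            findings.append(f"PHP file under uploads: {path.relative_to(root)}")
    return findings


def build_sample_install(hardened: bool) -> Path:
    """Create a throwaway directory mimicking a WordPress docroot (constructed sample)."""
    root = Path(tempfile.mkdtemp(prefix="wp-sample-"))
    (root / "wp-content" / "uploads").mkdir(parents=True)
    cfg = root / "wp-config.php"
    if hardened:
        cfg.write_text("<?php\ndefine('WP_DEBUG', false);\ndefine('DISALLOW_FILE_EDIT', true);\n")
        cfg.chmod(0o640)
    else:
        cfg.write_text("<?php\ndefine('WP_DEBUG', true);\n")
        cfg.chmod(0o644)
        (root / "readme.html").write_text("<h1>WordPress</h1> Version 0.0.0 (constructed)\n")
        (root / "wp-content" / "uploads" / "stray.php").write_text("<?php // should not be here\n")
    return root


if __name__ == "__main__":
    for label, hardened in (("default-ish install", False), ("hardened install", True)):
        print(f"== {label}")
        for finding in audit_wordpress(build_sample_install(hardened)) or ["no findings"]:
            print(" -", finding)
```

Point `audit_wordpress` at a real document root and it reports the same five categories; each finding maps to one line of a hardening guide, which is the kind of checklist you end up with after reading several of those articles and comparing them.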

During the hardening process, you'll find that:

Testing

Another best practice is to hack yourself first: basically, run the tools that attackers run and fix any bug you find. The most common scanner for WordPress, if not the only one, is wpscan. Run it, check the results, and fix the findings.

However, you must remember that it is limited to your WordPress. It's important to test your whole system as well, since the weakest link breaks the chain. For that, I recommend Gauntlet.io, which runs many security scanners at once and gives you a consolidated report.

Security testing is not a one-time event. It's a process. Every change in your environment must be tested again. If you don't do this, don't worry: hackers will.
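Treating the scan as a process rather than an event means keeping the previous report and comparing each new run against it. The following is an added example (my code, not from the original post or from the wpscan project) that flattens wpscan JSON output into finding keys, classifies them as new, fixed or still open, and returns a non-zero exit code while anything is open. The two reports are constructed samples that follow the shape of `wpscan --format json` output as I know it (core `version`, `main_theme` and `plugins` entries each carrying a `vulnerabilities` list); check the layout against the output of your wpscan version, and note that the finding titles are made up.

```python
"""Added example: triage wpscan JSON output and compare it with the previous run.
The JSON layout below is a constructed sample that follows the shape of
`wpscan --format json` as I know it (assumption: verify against your wpscan
version); the finding titles are made up."""
import json
import sys

# Constructed sample: the previous scan found a core vulnerability and an outdated plugin.
SAMPLE_PREVIOUS = json.dumps({
    "target_url": "https://blog.example/",
    "version": {"number": "0.0.0", "status": "insecure",
                "vulnerabilities": [{"title": "Sample core vulnerability (constructed)",
                                     "fixed_in": "0.0.1"}]},
    "main_theme": {"slug": "sample-theme", "vulnerabilities": []},
    "plugins": {"sample-plugin": {"slug": "sample-plugin", "outdated": True,
                                  "vulnerabilities": []}},
})

# Constructed sample: core was updated, but the still-outdated plugin now has a known issue.
SAMPLE_CURRENT = json.dumps({
    "target_url": "https://blog.example/",
    "version": {"number": "0.0.1", "status": "latest", "vulnerabilities": []},
    "main_theme": {"slug": "sample-theme", "vulnerabilities": []},
    "plugins": {"sample-plugin": {"slug": "sample-plugin", "outdated": True,
                                  "vulnerabilities": [{"title": "Sample plugin vulnerability (constructed)",
                                                       "fixed_in": "0.0.2"}]}},
})


def collect_findings(report: dict) -> set:
    """Flatten one wpscan report into a set of stable finding keys."""
    found = set()
    core = report.get("version") or {}
    for vuln in core.get("vulnerabilities", []):
        found.add(f"core: {vuln['title']}")
    theme = report.get("main_theme") or {}
    for vuln in theme.get("vulnerabilities", []):
        found.add(f"theme {theme.get('slug', '?')}: {vuln['title']}")
    for slug, plugin in (report.get("plugins") or {}).items():
        # An outdated plugin is a finding on its own, even before a CVE lands.
        if plugin.get("outdated"):
            found.add(f"plugin {slug}: outdated")
        for vuln in plugin.get("vulnerabilities", []):
            found.add(f"plugin {slug}: {vuln['title']}")
    return found


def triage(current_json: str, previous_json: str = None) -> dict:
    """Classify findings as open, new since the last run, or fixed since the last run."""
    current = collect_findings(json.loads(current_json))
    previous = collect_findings(json.loads(previous_json)) if previous_json else set()
    return {
        "open": sorted(current),
        "new": sorted(current - previous),
        "fixed": sorted(previous - current),
    }


def ci_exit_code(result: dict) -> int:
    """Non-zero while anything is open, so a pipeline stays red until it is fixed."""
    return 1 if result["open"] else 0


if __name__ == "__main__":
    result = triage(SAMPLE_CURRENT, SAMPLE_PREVIOUS)
    for bucket in ("new", "fixed", "open"):
        print(f"{bucket}: {result[bucket]}")
    sys.exit(ci_exit_code(result))
```

With real reports, run `wpscan --url <your site> --format json -o current.json` after every deployment and feed `current.json` together with the previous run's file to `triage`; the "new" bucket is what the last change introduced, which is exactly what a one-off scan cannot tell you.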

PS: As Samuel Rossier pointed out, it's good to remember that you can't hack your hosting provider without authorization. Even when self-hosting, your infrastructure is probably on some cloud provider, e.g., AWS, and AWS has a penetration test form to be filled in before you scan their infrastructure. Don't expect every provider to have a nice form like that. Talk to them. Send them an email. Testing the security of vendors is a common practice among companies, but authorization is needed.

