WordPress Security Strategies
WordPress is very popular nowadays: roughly 22 of every 100 domains registered in the U.S. run on it. Just as most malware targets Windows because of its market share, new attempts to break into WordPress appear constantly. Both have many eyeballs on them.
If you want a secure WordPress site, first consider not using WordPress at all. I'm not saying WordPress is evil, but if what you're building could be served as static pages, e.g., a blog or a landing page, I'd recommend Jekyll: static pages have a far smaller attack surface (there is no server-side code to exploit), are faster and are cheaper to host.
However, in some situations you want dynamic features that only WordPress provides. If you go that way, there are two main paths: self-hosting, or delegating the hosting to someone else.
If you delegate the hosting, you're delegating the security as well. Aware of this responsibility, WordPress.com, for example, limits what you can do, e.g., you can only install plugins from their allow-list. The rationale is simple: if you modify your blog too much, they can no longer guarantee that your modifications won't affect the security of the platform. If you're new to system administration or development, I highly recommend evaluating a WordPress hosting provider rather than trying self-hosting first.
Take note that vulnerabilities can be introduced into your WordPress installation by three main paths:
- WordPress Core: WordPress itself has a vulnerability which, depending on its severity, can compromise your system
- Plugins: don't blindly install plugins. They run as PHP in the same process and with the same privileges as core, so a vulnerability in a plugin has the same destructive power as one in WordPress Core
- Themes: don't forget this one either. Themes are made of dynamic code (PHP) plus HTML, so they can carry frontend bugs such as Cross-Site Scripting, as well as bugs as dangerous as plugin or core vulnerabilities
Then there is self-hosting, which is more challenging but gives you more freedom to customize your installation. For this case I have some tips as well:
From what I've seen in companies so far, basically 20% of cyber hygiene mitigates 80% of the vulnerabilities. Keep that in mind.
So let's start with the default installation of WordPress. It is not secure by default; basically, it isn't trustworthy as shipped. You need to go through a process called hardening to secure it. With this magic keyword in your vocabulary, you can search for "something hardening" and apply security measures to any technology that some good soul has written an article about. Always check the source and read multiple articles.
During the hardening process, you'll find that:
- You should remove the readme.html and license.txt files, as they reveal the WordPress version (a.k.a. the banner), which attackers use to pick attacks tailored to your version. Note that the version also leaks through the meta generator tag in every page and the ?ver= query strings on CSS and JS assets, so treat this as a small reduction in fingerprinting rather than as hiding the version
- You need a certificate for HTTPS. There are many reasons for this, such as:
- Increasing your rank in Google search results
- Mitigating, to some degree, attempts to impersonate your website in man-in-the-middle (MITM) attacks
- Protecting your password, and the admin session cookies issued after login, while in transit to the WordPress admin
- If you have a fixed IP, you can limit access to /wp-admin and wp-login.php to your IP only. It can be accomplished by adding a few lines to your Nginx or Apache configuration (keep /wp-admin/admin-ajax.php reachable, since many plugins call it from the public site)
- It's a good idea to install the Google Authenticator plugin to add two-factor verification to your WordPress account. One of the most common attacks is to brute force all WordPress accounts (or only the admin)
- WordPress can have bugs in its core, in plugins or in themes. This means that even if the core (what you download from the WordPress site) is safe, any plugin or theme can introduce security bugs. Keep as few as possible. For those who understand WordPress plugin development, PHP and application security, reviewing the source code of each one is good practice
- Don't use passwords that are easy to guess
- Find out more in the official hardening guide http://codex.wordpress.org/Hardening_WordPress -- but don't limit yourself to this guide. Search for more, keep studying.
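Several of the hardening items above can be checked mechanically. As an added example (not from the original post and not WordPress code), the following shell script audits a WordPress document root offline: it looks for the banner files, checks whether wp-config.php is readable by other users, checks three real wp-config.php constants (DISALLOW_FILE_EDIT, FORCE_SSL_ADMIN, WP_DEBUG) and counts installed plugins. The function names wp_audit and make_fixture are my own, and make_fixture builds a constructed sample site so the script runs without a real installation.

```shell
#!/bin/sh
# Added example for this post (not WordPress code, not from the original
# article): an offline check of a WordPress document root for a few of the
# hardening items. DISALLOW_FILE_EDIT, FORCE_SSL_ADMIN and WP_DEBUG are real
# wp-config.php settings; the fixture built below is constructed data.

# wp_audit DIR: print one finding per line, then "total: N". Always returns 0.
wp_audit() {
    root="$1"
    n=0

    # 1. Banner files: readme.html states the core version, license.txt marks
    #    the install as WordPress. Attackers fingerprint on both.
    for f in readme.html license.txt; do
        if [ -f "$root/$f" ]; then
            ver=""
            if [ "$f" = readme.html ]; then
                ver=$(grep -o 'Version [0-9][0-9.]*' "$root/$f" | head -n 1)
            fi
            echo "banner: $f present${ver:+ (leaks $ver)}"
            n=$((n + 1))
        fi
    done

    cfg="$root/wp-config.php"
    if [ -f "$cfg" ]; then
        # 2. The file holds the database password; other users must not read it.
        #    Character 8 of "ls -ld" output is the "others read" bit.
        if [ "$(ls -ld "$cfg" | cut -c8)" = "r" ]; then
            echo "perms: wp-config.php is readable by other users"
            n=$((n + 1))
        fi
        # 3. Without DISALLOW_FILE_EDIT an admin session can edit theme and
        #    plugin PHP from the dashboard, turning a stolen login into code
        #    execution. Presence check only: a commented-out define also passes.
        if ! grep -q "DISALLOW_FILE_EDIT" "$cfg"; then
            echo "config: DISALLOW_FILE_EDIT not set (dashboard code editor enabled)"
            n=$((n + 1))
        fi
        # 4. FORCE_SSL_ADMIN keeps logins and admin cookies on HTTPS.
        if ! grep -q "FORCE_SSL_ADMIN" "$cfg"; then
            echo "config: FORCE_SSL_ADMIN not set (admin may be used over HTTP)"
            n=$((n + 1))
        fi
        # 5. WP_DEBUG on a live site prints PHP errors, paths and queries.
        if grep -Eq "define\([[:space:]]*['\"]WP_DEBUG['\"][[:space:]]*,[[:space:]]*true" "$cfg"; then
            echo "config: WP_DEBUG is true (error details exposed to visitors)"
            n=$((n + 1))
        fi
    else
        echo "config: wp-config.php not found under $root"
        n=$((n + 1))
    fi

    # 6. Every plugin is attack surface; count them so each one gets reviewed.
    plugins="$root/wp-content/plugins"
    if [ -d "$plugins" ]; then
        count=$(find "$plugins" -mindepth 1 -maxdepth 1 ! -name index.php | wc -l | tr -d ' ')
        echo "info: $count plugin(s) installed; review or remove each one"
    fi

    echo "total: $n"
}

# make_fixture: build a throwaway document root that trips every check and
# print its path. All content is constructed sample data, not a real site.
make_fixture() {
    d=$(mktemp -d)
    printf '<h1>WordPress</h1>\n<br /> Version 6.4\n' > "$d/readme.html"
    printf 'GNU GENERAL PUBLIC LICENSE\n' > "$d/license.txt"
    cat > "$d/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_PASSWORD', 'constructed-sample' );
define( 'WP_DEBUG', true );
EOF
    chmod 644 "$d/wp-config.php"
    mkdir -p "$d/wp-content/plugins/akismet" "$d/wp-content/plugins/some-plugin"
    : > "$d/wp-content/plugins/hello.php"
    : > "$d/wp-content/plugins/index.php"
    echo "$d"
}

root=$(make_fixture)
wp_audit "$root"
rm -rf "$root"
```

Run it as wp_audit /var/www/html (or wherever the site lives) after each hardening round; the fixture run reports six findings, and the count should drop to zero on a hardened install. The constant checks are text heuristics, not a PHP parse, so a commented-out define will satisfy them.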
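One way to implement the fixed-IP restriction on /wp-admin for Nginx, as an added example that is not part of the original post: a small shell function (wp_admin_allowlist_conf, my own name) that validates the addresses and prints the configuration snippet, so a typo cannot silently produce a config that locks everyone out or nobody. The include path snippets/fastcgi-php.conf and the socket /run/php/php-fpm.sock are assumptions matching a Debian/Ubuntu PHP-FPM layout; the addresses 203.0.113.10 and 198.51.100.0/24 are constructed samples.

```shell
#!/bin/sh
# Added example for this post (not from the original article, not WordPress or
# nginx project code): generate an nginx snippet that limits wp-login.php and
# /wp-admin/ to fixed client addresses. The PHP-FPM socket and fastcgi snippet
# paths are assumptions (Debian/Ubuntu layout); adjust them to your host.

# wp_admin_allowlist_conf IP[/CIDR] ... : print the snippet. Return 1 and print
# nothing on stdout if any argument is not an IPv4 address or CIDR block.
wp_admin_allowlist_conf() {
    [ $# -gt 0 ] || { echo "need at least one address" >&2; return 1; }
    allows=""
    for ip in "$@"; do
        # Shape check only (four dotted octets, optional /prefix); it does not
        # range-check octets, so 300.1.1.1 would still pass.
        if ! printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'; then
            echo "rejected: '$ip' is not an IPv4 address or CIDR block" >&2
            return 1
        fi
        allows="${allows}    allow $ip;
"
    done
    cat <<EOF
# Only the listed addresses may reach the login page. The PHP handler is
# repeated here: a location without fastcgi_pass would serve the .php source.
location = /wp-login.php {
${allows}    deny all;
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php-fpm.sock;
}

# Plugins call admin-ajax.php from the public site. An exact match beats the
# prefix match below, so this one stays open to everyone.
location = /wp-admin/admin-ajax.php {
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php-fpm.sock;
}

# ^~ stops nginx from handing /wp-admin/*.php to the site-wide regex PHP
# location, which has no allow/deny and would bypass this block. allow/deny
# are inherited by the nested location.
location ^~ /wp-admin/ {
${allows}    deny all;
    location ~ \.php\$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
EOF
}

wp_admin_allowlist_conf 203.0.113.10 198.51.100.0/24
```

Paste the output into the site's server block and run nginx -t before reloading. Two things to check first: if the site sits behind a CDN or load balancer, nginx sees the proxy's address, so the real_ip module must be configured or the allow list will lock you out; and on Apache 2.4 the equivalent is a Files block for wp-login.php with Require ip, plus the same directive in a Directory block for wp-admin with an exception for admin-ajax.php.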
Another best practice is to hack yourself first: run the tools attackers run and fix whatever they find. The most common WordPress-specific scanner is WPScan. Run it, check the results and fix the findings.
However, remember that it only covers WordPress itself. It's important to test your whole system as well, as the weakest link breaks the chain. For that I recommend Gauntlet.io, which runs many security scanners at once and gives you a consolidated report.
Security testing is not a one-time event. It's a process. Every change in your environment must be tested again. If you don't, don't worry: the hackers will.
PS: As Samuel Rossier pointed out, remember that you can't test your hosting provider's security without authorization. Even when self-hosting, your infrastructure is probably running on some cloud provider, e.g., AWS, and AWS has a penetration testing request form to be filled in before you scan infrastructure hosted there. Don't expect every provider to have a nice form like that. Talk to them. Send them an email. Testing the security of vendors is common practice among companies, but authorization is needed.