WordPress has become the website development platform of choice for many businesses, and for good reason. WordPress allows non-web developers to quickly create attractive and functional websites, forums, portals, blogs, and much more. The developer community has also picked up on the popularity of WordPress and created a huge array of templates and plugins allowing anyone to simply download a new look-and-feel and add new features. Adding to this incredible offering, WordPress is a free and open-source project!
Unfortunately, this nearly limitless flexibility does have a cost. When developers and designers are given the ability to create WordPress themes and plugins, they are also given a great deal of power over those who use their themes and plugins. If developers do not practice secure software development methods, they can unintentionally put the users of their plugins or themes at risk of a website compromise. At the same time, hackers are also developing plugins and themes to intentionally compromise users’ sites and their visitors.
A simple WordPress site is part of a larger system of computers and networks. This larger system is also at risk of attack and must be controlled to help ensure that hackers don’t get a foothold.
So, what are we to do?
Before we can discuss how to secure WordPress, we need to understand how WordPress works at a high level. WordPress is a series of software scripts (pieces of code) written in the PHP programming language. The software code has been written and updated by developers around the world since its initial release in 2003. This code can be downloaded by anyone and hosted (or run) on a web server. WordPress also uses a database to store content, users, configuration settings, and everything else that makes WordPress great.
To summarize, to run WordPress, we need a web server that can run PHP scripts and a database to store our data. Pretty simple, in concept.
Understanding the Risks
WordPress is usually used as the face of your company’s brand; this is obviously something worth protecting. Beyond simple reputation management, a compromised website can lead to serious damage to your own computing environment and even that of your guests and customers. Given what we know about WordPress from the previous section, we can start looking into some of the specific risks of using this, or any other, modern web publishing platform. The table below summarizes some of the key risk areas that we want to minimize by securing WordPress.
There will always be some level of residual risk in your environment, regardless of what measures are taken to reduce that risk. This series will define specific ways in which to reduce the risk areas mentioned here.
Later in this section, we’ll discuss the following WordPress security topics:
- Enabling Multi-Factor Authentication in WordPress
- Setting Permissions Correctly in WordPress
- Obscuring the Administrator Username in WordPress
- Updating WordPress to the Latest Version
- Installing Software Security Products in WordPress
- Performing Backups in WordPress
- Securing your WordPress Server Filesystem