Introduction: Managing WordPress Security
I was prompted to talk about managing WordPress security a few days back when I got an email from one of my sites saying that someone had been locked out for failing to log in using a user ID that I thought was secret.
A lot of the vulnerabilities around WordPress come from the code itself. According wpscan.rog, only 14% from the core code, 11% from themes and a whopping 75% from plugins. One of the threat areas has nothing to do with code at all - it is simple and brute force attacks on guessing admin ID and password. That is the place to start protecting your site.
Secure admin ID is the first level of site security. In the old days, WordPress sites were installed with a default user ID of admin. Of course, you could change it but many sites did not. I am pretty sure my first site hack was through admin and a weak password. So I went about recording a video about managing WordPress security. In the video I walk through a strategic approach, talk about the plugins and denial of service service I use
Check out the video.
The key to managing WordPress security is to start from the outset with security in mind. Use a unique user admin ID with strong passwords. Keep that ID a secret. Adopt a belt and braces approach to protect from brute force attacks and protect the back end using proven plugins. I will summarise the key points
Unique User ID
Step 1: When you start a new site, select a unique user ID that is hard to guess. WordPress will now generate a complex password - use that one or generate your own. Make a note of it. Immediately the user is created go to edit the user and change the nickname away from the user ID (the default). I use my name for the nickname. This is a key step to hide the user ID.
Install a Backup Tool
Step 2: Install a backup solution. Do your own research to find what fits with your needs. I use Backup Creator - mostly it works but I have seen some iffy reviews about customer service. BackupBuddy is a popular choice - it also doubles as a cloning tool (like Backup Creator)
Install Security Plugins - belt and braces
Step 3: Install security plugins. My favourite plugins are Wordfence - use for the web application firewall - and iThemes Security - use for the gory details protection. Configure Wordfence firewall - it is a one click process and it starts learning. I will cover the iThemes Security steps further down. Now my early days coach also used to add in BulletProofSecurity plugin to bolster teh back end defcnes. I found this got in the way further along the journey when I wanted to run Cron jobs to update input from RSS feeds. It stopped the cron job tool I needed. It is also very difficult to remove if you want to.
Install Spam Protection
Step 4: Add in a layer of spam protection - I use WP-SpamShield. Now it looks like this is no longer available and maybe not supported anymore. It still works for me. WordPress installs Akismet in the default installation. You do need to pay for an API key to get the best protection.
Provide SSL Protection
Step 5: Then layer in an SSL service to serve your content over https rather than http. There are plugins that do this or you can work with your hosting provider or domain registrar to see what they offer. If you are still seeking out domain registrar or hosting, lean toward one that offers at least one free SSL certificate. Then go with that. I use Cloudflare as that provides a denial of service protection and free SSL. That is working for me so far. I would recommend using Cloudflare anyway as it also speeds up delivery of static content from your website from cache.
That is a 5 step approach - now what to do if you have a user ID compromised - change it.
Changing User ID
Changing a compromised user ID has a few key steps
- Create a new user with the right roles assigned (i.e., Administrator). Give it a unique user ID which is hard to guess. I use a combination of initials that only I know the code to unravel. Use the WordPress generated password or generate your own complex one - a mix of letters and numbers and symbols works - say 18 characters long.
- Immediately edit the new user to change the nickname away from the default user ID as nickname. Save the update.
- Log out of the user you were using and log in as the new user. This is a good test of "did you get the password written down right?" Now delete the old user. WordPress will ask you what you want to do with the posts associated with the old user - copy them across to the one you just created.
Managing Passwords Properly
A few words about passwords. Password security is not hard but it is easy to get wrong. WordPress installation typically requires 3 passwords (or more). One is for cPanel access so you can get into the back end from the hosting side. One is for each user to log in to WordPress. At a minimum you will have one administrator user. Each email addresses associated with the domain on which WordPress is installed will have a password too. I maintain a discipline of making all these different and all are complex. I use LastPass password manager to manage all this. It keeps track of all the login URL's, user ID's and passwords. It will generate a password to a specified standard - say 18 characters with uppercase, lowercase, numbers and symbols. I always use copy and paste to paste these passwords in to fields (rather than autofill). That way anytime I have to paste something into a password field for the first time I can paste in two places - the password field and a notepad file. If the LastPass "auto create a new record" fails I at least have the pasted password somewhere to go back to.The best part of LastPass is all my passwords can be complex and they are all unique. I also only have to remember one password. Now this is an important one because it is the key to your password file. So I have made sure mine is memorable but hard to guess. The email I use for LastPass is also unique to that service - I do not use it for anything else
Last part about passwords, I do not save passwords in browsers or my phone - lose your laptop or phone and someone has access to your stuff using your passwords.
The Gory Details Section: Protect the Back End
In the video I used a list of ideas from a WPbeginner.com blog post as to how to protect specific things in the back end of your WordPress site. My suggestion is to use the list in the blog post as a checklist and work your way through the Settings section of iThemes Security plugin to align them. That will provide a good start. You may noit have to follow the detail actions of the WPBeginner post - just get the topics and get iThemese Security to do it for you. Find that blog post here. What you want to block are the 4 category ares of risk mentioned in the iThemes article I referred to in the video.
- Brute Force Attacks
- File Inclusion Exploits
- SQL Injections
- Cross-Site Scripting (this is the big one)
- Malware
Managing WordPress Security: Updates and Digests
Hackers are continually seeking out vulnerabilities, especially in plugins. Plugin writers are working hard (mostly) keeping ahead of the game. Being up to date on all updates is a key part of managing WordPress security. When you install Wordfence and IThemes plugins, they will ask if you want to receive security digests. Put in an email address and read those. Some require action. Wordfence will tell you about plugins and themes that have updates available. Plan to make those updates. Now if a plugin is no longer being updated it is time to start looking for another one.They will tell you about failed logins and which user was tried - I always love it when one fails when they try to log in as admin - that is an immediate lockout offence in my gory details rules. The file changed notifications are a bit harder to deal with especially if you have auto updates set up (now a key part of WordPress 5.5.1 and beyond). You need to know a bit about the file structure to know if these are a worry or not. When I see a lot of files changed that I was not expecting I dive right in to see if the site is working and if there are any extraneous things added. For quite some time I was adding locked out IP's to a blacklist - that cost me a lot of trouble at one stage when my ISP changed my own IP without me knowing and I managed to lock myself out = ouch. Let the plugins manage that is my current approach.
Last point about plugins and themes that you are not using - deactivate them and delete them. For themes, I have only two for each site - the one I am using and one for backup in case the one I am using stops working.
Progress Report: Go4YogaHealth.com
PLugins and themes are up to date. Still need to migrate to new version of PHP. That pontetially takes a few hours if things go wrong. I will find a few hours spoare and do it. Support for two of my key plugins may be a challenge. They are still working. I might be needing to look for replacements. Finding replacements is easy enough. Applying them across the 30 or so WordPress sites is a journey. Now I can relate to why I wrote a blog post not that long ago about No Technical Experience Required. It feels like a myth at junctures like this.
Resources
Key resources mentioned in the video
Checklist for the gory details action steps
Issues: Overview of security issues surrounding WordPress sites
Security Plugins: Install Wordfence and iThemes Security plugins from WordPress repository - search from your dashboard. I use WP SpamShield for spam - looks like it is now not available.
SSL and Denial of Service (DDOS): I use Cloudflare for denial of service protection and free SSL
Password Manager: I use LastPass on a paid plan. All my passwords are complex and unique. Get LastPass here
Credits
Cyber Security image from Darwin Laganzon képe a Pixabay -en.
Posted from my blog with SteemPress : https://markcarrington.com/managing-wordpress-security/