One of the reasons for the tremendous popularity of WordPress is that it is open source. As open source software, the bare bones of WordPress are free, and the huge ecosystem of themes, plugins, and other extensions that developers are able to create can be combined in countless different ways to build practically any kind of unique, high-quality website. While this ecosystem is what gives WordPress its flexibility and range of capabilities, it is also the chief source of security concerns for websites using the leading content management platform.
Of just under 4,000 known WordPress vulnerabilities, plugins make up more than half, according to a recent report by wpscan.org. More than a third are found in the WordPress core, and 11 percent are from Themes. Many of these vulnerabilities can be mitigated simply by applying the next update to your WordPress core and each of your plugins, as developers are alerted of vulnerabilities and make changes to eliminate them.
Keeping everything up to date and using a complex password are the low-hanging fruit of website security. You can set WordPress to automatically apply core updates, and you can also install a plugin to automatically update your other plugins. There are also security-specific plugins to provide functions like malware scanning and a firewall.
Beyond these basics, there are a few other simple things that WordPress website operators can do to improve the security of their sites.
Unreliable or untrustworthy sources
Plugins from even the most professional and responsible developers have vulnerabilities – it is inevitable that hackers will find new ways to compromise previously secure programs and systems, forcing the developer to react with an update. Most attacks are not new, however, but are directed at vulnerabilities that should have already been dealt with.
A developer that is slow to close vulnerabilities with updates, or that does so improperly, may leave sites exposed even if everything is up to date. Even worse, a few free or cheap alternatives to popular plugins contain malware or built in-vulnerabilities for the specific purpose of attacking every site they are used in.
File and folder permissions
It is generally not necessary or advised for WordPress users to modify permissions for who can read, write, and execute (or run) files and folders. It is important that permissions are set properly, however, and if they have been set too broadly, a malicious actor could potentially take complete control over your site. If you discover a permission has been set to 777, it means that owners, privileged users, and the general public all have permission to modify your site in any way, should they gain access to it.
To change permissions, you need to use an FTP client. Once you have connected to your site, you can right click on root directories and then edit permissions by clicking on “File permissions” in the menu. Enter the recommended setting in the “Numeric field,” which for most users is 755 for all folder and sub-folders, and make sure that “Recurse into subdirectories” is checked, and click “Apply to directories only.” After you click “OK,” it will take a few seconds to make the changes, after which you can move onto files, by highlighting everything in the sites root folder and following the same procedure to bring up the “File permissions” dialogue box. For most users the permission is set at 644, and “Recurse into subdirectories” and “Apply to files only” are checked.
Two-factor authentication, or 2FA, adds an extra layer of security to your WordPress sign-in process. You can apply it with any one of several popular plugins, some of which use the Google Authenticator app to provide the second factor (in the form of a token), often by sending you a one-time password (OTP) to enter along with your usual credentials.
The plugin may provide options to send the OTP to your email account or mobile device, so that an attacker can only gain access to your site by both knowing your password and stealing your device or hacking your email account. It may also use another factor, such as a QR code that you scan. Some plugins provide an option to use a token along with either a username and password, or just a username. Whichever you choose, select a plugin that has been tested with the current version of WordPress.
Tools and resources
There are a number of useful tools and resources that have been created specifically for improving WordPress security, due to the platform’s enormous popularity.
WPScan.org offers a free tool for scanning WordPress sites for vulnerabilities, allowing you to address them before they are exploited. Companies in the WordPress ecosystem provide useful resources, like the “Learning Center” provided by security plugin developer Wordfence, which includes a nine-part series for dealing with malware. WordPress.org also offers quality documentation and forums, like any major software provider, which contain a lot of answers to security-related questions.
A quality managed service provider like TMD can also help WordPress users harden their perimeter and protect their websites. Just by taking a step beyond updates, any kind of business can have a secure, cost-effective, beautiful website.