How to secure a WordPress site?

How to, WordPress, blog. By Z. Oualid.


Hi everyone, I hope you are doing well and staying safe. This is my first blog post and I want to dedicate it to a question that many people have asked me: how to secure a WordPress site?

Before writing this article, I looked around the internet to see what people were saying about it; maybe someone had already explained it in detail, so that I could just send the link to the people who ask.

Of course, many people were writing about it, but to be honest I was surprised by how lightly people treat WordPress security, as if installing a plugin were enough.

Sorry to say, it is not that easy, though I wish it were. Securing a WordPress website is actually harder than securing a website developed from scratch, and before I get into the steps, let me explain why.

WordPress is a CMS with a core code base that handles the basics (posts, pages, users, media) and to which you add a theme and a set of plugins for whatever else you need. The core receives a lot of security scrutiny from the community and from the core security team, and reported issues are fixed and shipped quickly, usually as automatic minor releases.

Unfortunately that is not always the case for plugins and themes. It depends entirely on the team behind each one: whether anyone is still maintaining it, whether reported vulnerabilities get fixed at all, and how long a fix takes to ship.

This is what makes WordPress harder to secure than a website you wrote yourself. You are running components from many different teams, and when one of them has a vulnerability without a patch, your own developers have to reverse engineer the plugin to understand it (harder than writing the feature from scratch), locate the flaw, patch it themselves, and then carry that patch across future releases. That is definitely not easy, and a single vulnerable component puts the whole site at risk, because every plugin runs with the same privileges as WordPress itself.

Even so, WordPress remains the best option for many sites in terms of functionality and ease of use.

In this article I will explain, step by step, what you need to do to make a WordPress website genuinely secure, even if you know nothing about coding or cyber security.

Step 1 : Choose a good hosting provider

Before we talk about anything in the application itself, look at who is guarding your back. Where you host the site matters: if the environment is not safe, everything that follows is wasted effort, because one vulnerability in the web server, the PHP runtime or the hosting control panel hands an attacker everything, including the database credentials in wp-config.php.

So before doing anything else, take a look at your hosting provider: what people report about it in forums, what protection it provides (patching of the OS and PHP, isolation between customers on shared hosts, a web application firewall, backups), and how it handled past incidents.

If you are still not confident about your server, have a system audit or a penetration test performed against it. That is only possible with a VPS or dedicated server that you control, and only with the provider's written permission for the scope. Such a test will give you a realistic picture of how exposed the server is.

Step 2 : Update your theme and all your plugins

Now that we know our environment is well secured, let's see what we can do for the WordPress website itself.

Remember the beginning of this article, where I said vulnerabilities get found and fixed by the vendors? If you do not apply those fixes, your website stays vulnerable, and the published advisories tell attackers exactly where to look. To secure a WordPress site you first need to apply your updates: core, theme and every plugin.

For developers: I know, applying patches is not painless, because sometimes they introduce bugs or break something, and I have been there. But there is no other solution: apply the patches every time they are needed, and use a staging copy of the site to catch breakage before it reaches production.

Here are some tips for those who want to automate the update process:

To update the WordPress core automatically whenever an update is available (major releases as well as the minor security releases, which are already on by default), put this in your wp-config.php file:

define( 'WP_AUTO_UPDATE_CORE', true );

To enable automatic updates of your plugins, add this line to functions.php (or, better, to a small must-use plugin under wp-content/mu-plugins/, so that a theme update cannot silently remove it):

add_filter( 'auto_update_plugin', '__return_true' );

To enable automatic updates for your theme, add this line in the same place:

add_filter( 'auto_update_theme', '__return_true' );

For those who do not want to touch the source code of their website, there is a plugin that does the job for you, called Easy Updates Manager. To be honest I have never tested it, as I do my best not to use plugins because they slow the website down, but if you do not want to make any changes to your code then this is the best solution for you.
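The three snippets above, combined into one must-use plugin that also keeps a short exclusion list for plugins you prefer to update by hand. This is an example added for this article, not code from the original post or from WordPress itself; it assumes the file is saved as wp-content/mu-plugins/auto-updates.php, and the excluded plugin basename is a hypothetical placeholder.

```php
<?php
/**
 * Added example: wp-content/mu-plugins/auto-updates.php
 * Automatic updates for core, plugins and themes, with an exclusion list.
 * Lives in mu-plugins rather than the theme's functions.php so that a
 * theme update cannot overwrite it. Nothing here is WordPress' own code.
 */

// Core: equivalent to define( 'WP_AUTO_UPDATE_CORE', true ) in wp-config.php.
// Minor (security) releases are on by default; this also opts in to major ones.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Plugin basenames ("directory/main-file.php") that must be updated manually
// because an automatic update has broken the site before. Hypothetical entry.
function example_auto_update_excluded_plugins(): array {
	return [ 'some-fragile-plugin/some-fragile-plugin.php' ];
}

// The filter receives the update item; $item->plugin is the plugin basename.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
	if ( isset( $item->plugin )
		&& in_array( $item->plugin, example_auto_update_excluded_plugins(), true ) ) {
		return false;
	}
	return true;
}, 10, 2 );

// Themes: no exclusions here, everything updates.
add_filter( 'auto_update_theme', '__return_true' );

// Make sure nothing else (a plugin, a DISALLOW_FILE_MODS constant) has
// switched the background updater off entirely.
add_filter( 'automatic_updater_disabled', '__return_false' );
```

After dropping the file in place, the cron-driven updater picks it up on its next run; check Dashboard > Updates, where WordPress 5.5 and later also show per-plugin "auto-updates enabled" status, to confirm the filters took effect.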

Step 3 : Take full and periodic backups

Now that everything is in place, take a full backup of everything you have set up (WordPress core, theme, plugins, the wp-content/uploads directory, wp-config.php and the database), and repeat it on a schedule.

You may ask why. It is simple: what if someone hacks your server, through no fault of your own (say, through a flaw on the hosting provider's side), and some piece of malware wipes or encrypts all your data? What are you going to do then?

To do that you have two choices: manually or automatically. Personally, I prefer doing it with a good plugin rather than by hand. At the beginning you may manage manual backups because you have the time, but once you have many other things to do on your website you will stop performing them regularly and start to forget about it.

You can use any plugin you want, but verify where it puts the backup. Some plugins write it into the same directory as WordPress, and that is critical: a backup archive under the web root can be downloaded by anyone who guesses its name, and it contains your database dump (with every user's password hash) and your wp-config.php (with the database credentials). Prefer a plugin that uploads the backup to Google Drive, S3 or some other place off the server, ideally encrypted, and test a restore at least once so you know the backup actually works before you need it.

Here is a list of plugins that do this:

Step 4 : Use a strong password everywhere!

The weakest link in the whole security chain is the human. You can deploy the most powerful security systems and hire the best professionals in the world to secure your website, but if you use a weak password, sooner or later you will be hacked. "Everywhere" means every account that touches the site: the WordPress administrators, the database user, FTP/SFTP and SSH, the hosting control panel, and the mailbox that receives password-reset emails.

Here is the minimum for a password to count as strong. Length is what defeats offline cracking of a leaked hash, so treat the composition rules as a floor rather than a target:

  • at least 8 characters, and preferably 12 or more (a long passphrase is better still)
  • at least 1 uppercase character
  • at least 1 special character
  • unique to this site and generated by a password manager, and not a dictionary word, your username, the site name or a password that appears in a known breach
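WordPress only checks password strength in the browser (the meter and the "confirm use of weak password" checkbox are JavaScript), so anyone posting the form directly can set any password they like. The must-use plugin below enforces the policy server-side on profile edits, user creation and password resets. It is an example added for this article, not the post's or WordPress' own code; the thresholds (12 characters, three character classes unless 16+ long) and the tiny denylist are choices made here.

```php
<?php
/**
 * Added example: wp-content/mu-plugins/password-policy.php
 * Server-side password policy for WordPress. The numbers and the denylist
 * below are this example's choices; a real deployment should check the
 * candidate against a breached-password corpus (e.g. the Have I Been Pwned
 * range API) instead of a hard-coded list.
 */

// Returns an empty array when the password is acceptable, otherwise the
// list of requirements it fails, phrased to complete "the password must be ...".
function example_password_problems( string $password, string $username = '' ): array {
	$problems = [];
	$len      = mb_strlen( $password );

	if ( $len < 12 ) {
		$problems[] = 'at least 12 characters long';
	}

	// Hypothetical denylist standing in for a breached-password lookup.
	$common = [ 'password', 'password1', 'password123', 'qwerty123456', 'admin123', 'wordpress' ];
	if ( in_array( strtolower( $password ), $common, true ) ) {
		$problems[] = 'not a commonly used password';
	}

	if ( $username !== '' && stripos( $password, $username ) !== false ) {
		$problems[] = 'free of your username';
	}

	// Composition matters less than length: a 16+ character passphrase passes as-is.
	if ( $len < 16 ) {
		$classes = (int) preg_match( '/[a-z]/', $password )
		         + (int) preg_match( '/[A-Z]/', $password )
		         + (int) preg_match( '/\d/', $password )
		         + (int) preg_match( '/[^a-zA-Z\d]/', $password );
		if ( $classes < 3 ) {
			$problems[] = 'made of at least three of: lowercase, uppercase, digits, symbols (or be 16+ characters)';
		}
	}
	return $problems;
}

function example_reject_weak_password( WP_Error $errors, string $password, string $username ): void {
	$problems = example_password_problems( $password, $username );
	if ( $problems ) {
		$errors->add(
			'weak_password',
			'<strong>Error:</strong> the password must be ' . implode( '; ', $problems ) . '.'
		);
	}
}

// Profile edit and "Add New User" in wp-admin: edit_user() sets
// $user->user_pass to the new plaintext password only when one was submitted.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
	if ( ! empty( $user->user_pass ) ) {
		example_reject_weak_password( $errors, (string) $user->user_pass, (string) ( $user->user_login ?? '' ) );
	}
}, 10, 3 );

// Password reset form (wp-login.php?action=rp): the new password arrives in $_POST['pass1'].
add_action( 'validate_password_reset', function ( $errors, $user ) {
	if ( isset( $_POST['pass1'] ) && $user instanceof WP_User ) {
		example_reject_weak_password( $errors, (string) wp_unslash( $_POST['pass1'] ), $user->user_login );
	}
}, 10, 2 );
```

Because both hooks add to the WP_Error object that WordPress already inspects, a rejected password simply shows the error on the form and the old password stays in place; no change to core files is needed.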

Step 5 : Limit the number of password attempts

This step is very important: it protects your website against brute-force attacks. What is a brute-force attack?

Well, it's simple: a brute-force attack is sending many username/password combinations in the hope of guessing the right one. Against WordPress the targets are wp-login.php and, often overlooked, xmlrpc.php, whose system.multicall method lets an attacker try hundreds of passwords inside a single HTTP request, so disable XML-RPC if nothing you use needs it.

Now, how do we limit attempts? You need a plugin for this (developers, I am not talking to you; I know you can do it yourselves). Again, there are many plugins that do this job, and here is a list of them:
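For the developers, here is what such a plugin does at its simplest: count failures per client address in a transient and refuse to check the password while a lockout is active. This is an example added for this article, not the post's code or any of the listed plugins; the limits (5 failures, 15-minute lockout) and the transient key prefix are choices made here.

```php
<?php
/**
 * Added example: wp-content/mu-plugins/login-throttle.php
 * Per-IP login throttling. The thresholds and key prefix are this
 * example's choices, not WordPress defaults.
 */

define( 'EXAMPLE_MAX_FAILURES', 5 );
define( 'EXAMPLE_LOCKOUT_SECS', 15 * MINUTE_IN_SECONDS );

function example_client_key(): string {
	// REMOTE_ADDR is only trustworthy when PHP sees the client directly.
	// Behind a proxy or CDN, configure the web server to restore the real
	// address into REMOTE_ADDR; never read X-Forwarded-For here, because the
	// attacker controls that header and would reset the counter at will.
	$ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
	return 'example_login_fail_' . hash( 'sha256', $ip );
}

// Each failed attempt bumps the counter; the transient expiry doubles as the
// lockout timer, so the counter is refreshed on every failure.
add_action( 'wp_login_failed', function ( $username ) {
	$key   = example_client_key();
	$count = (int) get_transient( $key ) + 1;
	set_transient( $key, $count, EXAMPLE_LOCKOUT_SECS );
	if ( $count >= EXAMPLE_MAX_FAILURES ) {
		error_log( sprintf(
			'login lockout for %s after %d failures (last username "%s")',
			$_SERVER['REMOTE_ADDR'] ?? '?', $count, (string) $username
		) );
	}
} );

// wp_authenticate_user runs after the user row is found but before the
// password is compared, so a locked-out client never gets to test a guess.
add_filter( 'wp_authenticate_user', function ( $user, $password ) {
	if ( (int) get_transient( example_client_key() ) >= EXAMPLE_MAX_FAILURES ) {
		return new WP_Error(
			'too_many_attempts',
			'Too many failed logins from your address. Try again in 15 minutes.'
		);
	}
	return $user;
}, 10, 2 );

// A successful login clears the counter for that client.
add_action( 'wp_login', function ( $user_login, $user ) {
	delete_transient( example_client_key() );
}, 10, 2 );
```

Two caveats a practitioner should keep in mind: transients live in the options table (or the object cache), so a botnet rotating through thousands of addresses will still create thousands of rows and will not be slowed down much, which is why per-username limits and an upstream firewall are the usual companions; and the lockout applies equally to XML-RPC logins, which go through the same `wp_authenticate_user` filter.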

Step 6 : Install a TLS (SSL) certificate to secure a WordPress site's communications

Why is a TLS certificate needed to secure a WordPress site, or any other site?

I will not go deeper into this, to keep the post short, but here are the two main reasons:

  • It encrypts and authenticates all traffic between the visitor and the site, so login credentials, session cookies and form data cannot be read or altered on the way (without it, your admin password crosses every network in between in cleartext)
  • It reinforces the visitor's confidence in your site (Chrome no longer shows "Not secure" for your site)

Obtaining the certificate has nothing to do with your website code. You configure it with the tools your hosting provider gives you, and it depends on which provider you use; sometimes it is even done automatically, and you only need to buy the certificate and the provider installs it for you. What does involve WordPress is what comes after: set both the WordPress Address and the Site Address to https://, redirect every http:// request to https://, and set the FORCE_SSL_ADMIN constant in wp-config.php so that the dashboard and the login page are never served over plain HTTP.

If you are still in development and do not want to pay for a certificate yet, there is a way to get a free one: Let's Encrypt issues certificates that are valid for 90 days and can be renewed indefinitely, and the renewal is normally automated by a client such as certbot or by the hosting panel. These certificates are perfectly suitable for production as well, not only for development.

Step 7 : Add Two Factor Authentication

One of the most powerful security mechanisms available today is two-factor authentication. For those who have never heard of it, here is a quick definition:

MFA, or multi-factor authentication, is a method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence (factors) to an authentication mechanism: typically something you know (the password) plus something you have. It can be as simple as receiving a code by email, SMS or phone call that you must type into the app to log in. Those channels can be intercepted or redirected (SIM swapping, a compromised mailbox), so an authenticator app generating time-based codes, or a hardware security key, is the stronger choice.

Here are some plugins you can use to implement this mechanism:
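To show what the authenticator-app variant actually checks, here is a minimal time-based one-time password (RFC 6238) second factor wired into the WordPress login. This is an example added for this article, not the post's code or any of the listed plugins; it assumes each enrolled user's base32 secret is stored in user meta under the hypothetical key `_totp_secret` and that the login form posts the code in a hypothetical `totp_code` field (enrolment and QR-code display are left out).

```php
<?php
/**
 * Added example: wp-content/mu-plugins/totp-second-factor.php
 * TOTP (RFC 6238, SHA-1, 30-second step, 6 digits) verification on login.
 * Meta key '_totp_secret' and form field 'totp_code' are assumptions.
 */

// RFC 4648 base32 decoder (authenticator apps exchange secrets in base32).
function example_base32_decode( string $b32 ): string {
	$alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
	$bits     = '';
	foreach ( str_split( strtoupper( rtrim( $b32, '=' ) ) ) as $c ) {
		$v = strpos( $alphabet, $c );
		if ( $v === false ) {
			return '';
		}
		$bits .= str_pad( decbin( $v ), 5, '0', STR_PAD_LEFT );
	}
	$out = '';
	foreach ( str_split( $bits, 8 ) as $byte ) {
		if ( strlen( $byte ) === 8 ) {
			$out .= chr( bindec( $byte ) );
		}
	}
	return $out;
}

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation.
function example_hotp( string $key, int $counter, int $digits = 6 ): string {
	$hash   = hash_hmac( 'sha1', pack( 'J', $counter ), $key, true );
	$offset = ord( $hash[19] ) & 0x0f;
	$code   = ( ( ord( $hash[ $offset ] ) & 0x7f ) << 24 )
	        | ( ord( $hash[ $offset + 1 ] ) << 16 )
	        | ( ord( $hash[ $offset + 2 ] ) << 8 )
	        |   ord( $hash[ $offset + 3 ] );
	return str_pad( (string) ( $code % ( 10 ** $digits ) ), $digits, '0', STR_PAD_LEFT );
}

// TOTP = HOTP with counter = floor(now / 30); accept one step of clock drift each way.
// RFC 6238 Appendix B: key "12345678901234567890", time 59 -> "287082".
function example_totp_verify( string $key, string $code, int $now, int $window = 1 ): bool {
	$step = intdiv( $now, 30 );
	for ( $i = -$window; $i <= $window; $i++ ) {
		if ( hash_equals( example_hotp( $key, $step + $i ), $code ) ) {
			return true;
		}
	}
	return false;
}

// Priority 40: after WordPress' own password handlers (20) and cookie handler (30),
// so a WP_User here means the first factor already succeeded.
add_filter( 'authenticate', function ( $user, $username, $password ) {
	if ( ! $user instanceof WP_User ) {
		return $user;
	}
	$secret = (string) get_user_meta( $user->ID, '_totp_secret', true );
	if ( $secret === '' ) {
		return $user; // not enrolled; enforce enrolment separately
	}
	$code = isset( $_POST['totp_code'] ) ? preg_replace( '/\D/', '', (string) $_POST['totp_code'] ) : '';
	if ( strlen( $code ) !== 6 || ! example_totp_verify( example_base32_decode( $secret ), $code, time() ) ) {
		return new WP_Error( 'totp_invalid', 'Invalid or missing two-factor code.' );
	}
	return $user;
}, 40, 3 );

// Add the code field to wp-login.php.
add_action( 'login_form', function () {
	echo '<p><label>Two-factor code<br>'
	   . '<input type="text" name="totp_code" autocomplete="one-time-code" inputmode="numeric"></label></p>';
} );
```

Two things this minimal version leaves to a real plugin: it does not remember the last accepted time step per user, so a code can be replayed within its 30-second window (store the step in user meta and reject anything not newer), and it rejects every authenticated request that carries no code, including XML-RPC and REST logins with application passwords, which you must either exempt explicitly or, preferably, disable.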

Step 8 : Perform periodic penetration tests

Now that you have implemented the security mechanisms explained in the previous 7 steps, you need to test their efficiency to be sure everything is correctly in place. For that you perform what is called a penetration test.

A penetration test, also known as a pen test, is a simulated cyberattack against your website to check for exploitable vulnerabilities. It means you ask a white-hat hacker to test your website's security and check whether there is any vulnerability someone could exploit to gain access and steal your data. The test needs a written scope and authorization before it starts, and if the site sits on shared hosting, the provider's rules on testing apply too.

How deep you go is up to you, but you need to know that there are three types of penetration test:

  • White box
  • Gray box
  • Black box

A white box penetration test is when you give the tester full access: in the context of a web application, that means the cPanel or server, the source code and administrator credentials.

Gray box is when you give only partial information, for example a few user accounts with different roles.

Black box is when you give no information about your website at all; all the tester gets is the URL.

Now, which one is best for you? I could say it depends on how deep you want to go, but I always recommend my clients to perform a black box penetration test for WordPress-based websites. For web applications developed from scratch, a gray box test is really encouraged.

Penetration tests are really important for your website, not because we offer this service, but because they are recommended by every security standard, and because they genuinely help you improve your website's security.

A skilled penetration tester will look beyond what you expect them to see and will use more advanced techniques to check whether your mechanisms can be bypassed. Trust me, they may use techniques you have never heard of that in the end get past your protections, which gives you an honest picture of how much your security plugins are really worth.

I am thinking about creating a series of posts about what a penetration tester should check for you; if you are interested, please let me know in a comment.

Step 9 : Install a malware scanner

Let's say that one day you run an update and one of your mechanisms stops working correctly, or you disabled it manually to perform some maintenance, and boom, a piece of malware gets uploaded to your site. What do you do then?

Well, that is why we all need a malware scanner. A website malware scanner plays the same role as a normal antivirus: it checks the files on your site (and often the database) for known malicious code and for files that should not be there. The most useful check is an integrity baseline: compare every core, plugin and theme file against its known-good hash, and treat any PHP file under wp-content/uploads as suspicious by default, because that directory should only ever hold media.

Here is a group of possible plugins you can use for this:
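The integrity check described above, reduced to a standalone command-line PHP script: it records a SHA-256 baseline of the whole WordPress tree, later reports files that were added, changed or removed, flags PHP dropped into the uploads directory, and greps new or changed PHP files for the obfuscation idioms typical of webshells. It is an example added for this article, not code from the post or from any scanner plugin; the paths in the usage line and the baseline file name are assumptions, and the patterns are illustrative rather than a real signature set.

```php
<?php
/**
 * Added example: integrity-check.php (run from the command line, outside WordPress)
 *   php integrity-check.php baseline /var/www/html > baseline.json   # after a clean install/update
 *   php integrity-check.php check    /var/www/html baseline.json     # from cron, daily
 * Store baseline.json outside the web root; an intruder who can edit it can hide.
 */

// SHA-256 of every regular file under $root, keyed by path relative to $root.
function example_hash_tree( string $root ): array {
	$root   = rtrim( $root, '/' );
	$hashes = [];
	$it     = new RecursiveIteratorIterator(
		new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
	);
	foreach ( $it as $file ) {
		if ( ! $file->isFile() ) {
			continue;
		}
		$rel            = substr( $file->getPathname(), strlen( $root ) + 1 );
		$hashes[ $rel ] = hash_file( 'sha256', $file->getPathname() );
	}
	ksort( $hashes );
	return $hashes;
}

// Three-way diff between the stored baseline and the current tree.
function example_diff_tree( array $baseline, array $current ): array {
	$report = [ 'added' => [], 'changed' => [], 'removed' => [] ];
	foreach ( $current as $path => $hash ) {
		if ( ! isset( $baseline[ $path ] ) ) {
			$report['added'][] = $path;
		} elseif ( $baseline[ $path ] !== $hash ) {
			$report['changed'][] = $path;
		}
	}
	$report['removed'] = array_keys( array_diff_key( $baseline, $current ) );
	return $report;
}

// Cheap heuristics for backdoor idioms; a hit means "look at this file", not "malware".
function example_suspicious_lines( string $path ): array {
	$patterns = [
		'/\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(/i', // packed payload
		'/\bpreg_replace\s*\(\s*[\'"][^\'"]*\/e[\'"]/i',                          // /e modifier executes
		'/\b(system|passthru|shell_exec|exec|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)/i',
		'/\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(/i',                      // input used as function name
	];
	$hits = [];
	foreach ( ( file( $path, FILE_IGNORE_NEW_LINES ) ?: [] ) as $n => $line ) {
		foreach ( $patterns as $re ) {
			if ( preg_match( $re, $line ) ) {
				$hits[] = sprintf( '%s:%d', $path, $n + 1 );
				break;
			}
		}
	}
	return $hits;
}

$mode = $argv[1] ?? '';
$root = $argv[2] ?? '';
if ( $mode === 'baseline' && is_dir( $root ) ) {
	echo json_encode( example_hash_tree( $root ), JSON_PRETTY_PRINT ), "\n";
} elseif ( $mode === 'check' && is_dir( $root ) && isset( $argv[3] ) ) {
	$baseline = json_decode( (string) file_get_contents( $argv[3] ), true ) ?: [];
	$report   = example_diff_tree( $baseline, example_hash_tree( $root ) );
	foreach ( [ 'added', 'changed', 'removed' ] as $kind ) {
		foreach ( $report[ $kind ] as $path ) {
			echo "$kind\t$path\n";
		}
	}
	foreach ( array_merge( $report['added'], $report['changed'] ) as $path ) {
		if ( ! preg_match( '/\.ph(p|tml|ar)\d?$/i', $path ) ) {
			continue;
		}
		if ( strpos( $path, 'wp-content/uploads/' ) === 0 ) {
			echo "php-in-uploads\t$path\n"; // uploads should never contain executable code
		}
		foreach ( example_suspicious_lines( rtrim( $root, '/' ) . "/$path" ) as $hit ) {
			echo "suspicious\t$hit\n";
		}
	}
	exit( ( $report['added'] || $report['changed'] || $report['removed'] ) ? 1 : 0 );
} else {
	fwrite( STDERR, "usage: php integrity-check.php baseline|check <wordpress-root> [baseline.json]\n" );
	exit( 2 );
}
```

The non-zero exit status on any difference lets a cron job turn the output into an alert. Regenerate the baseline right after each legitimate update, and remember that a malicious change can also live in the database (injected scripts in post content or in an option such as a theme's custom header), which a file-level check will not see.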

Step 10 : Use a firewall

A firewall is a really useful component to add in front of your website, for multiple reasons:

  1. it can absorb DDoS attacks, provided it sits upstream of your server (a CDN or the host's network filtering); a WordPress plugin firewall runs inside PHP and cannot stop traffic that has already saturated the server
  2. it protects you from exploitation of a zero-day vulnerability by blocking known attack patterns (so-called virtual patching) until a real fix is available
  3. and more...

A DDoS attack, or distributed denial of service, is an attack in which bad actors try to shut down your website and make it inaccessible, which can cause serious financial losses. A Corero survey found that DDoS attacks can cost enterprise organizations $50,000 in lost revenue from downtime and mitigation costs.

Over 75 percent of businesses surveyed by Corero believe a loss of customer confidence is the worst result of a DDoS attack. That loss of confidence can send customers to competitors, making the overall financial impact very difficult to determine.

Bonus : Step 11 : Perform a professional code review of all your plugins

One of the most advanced security checks we perform for our clients is code review, and this really is the top of what one can do to make a system secure: we literally look for possible zero-days in the code. Most of the time this is done for those who developed their website from scratch, but we also perform it against WordPress plugins.

This month alone I was able to find 20 zero-days in multiple plugins, and we have contacted their support to fix them before we publish on our website. Stay tuned!

And we have reached the end of the post. I hope you enjoyed reading it; if you have any questions please comment below and I will be happy to answer as soon as possible, or send me an email.

Written by: Z. Oualid



About the author

Z. Oualid

I am a cyber security expert and I have worked with many companies around the globe to secure their applications and their networks. I am certified OSCP and OSCE, which are among the most recognized and demanding technical certifications in the cyber security industry. I am also a Certified Ethical Hacker (CEH). I hope you enjoy my articles :).
