WordPress has become the preferred choice of web professionals today, whether start-ups, bloggers, agencies, designers, amateurs or many others. With this upward trend in WordPress adoption, its security needs to be considered like never before. Securing your WordPress site deserves as much attention as any other aspect of the site, be it design, development or hosting. Though WordPress itself takes security seriously, a number of precautions need to be taken to turn your WP installation into a secure fortress.
In this and the three forthcoming articles, I will discuss a few common security vulnerabilities and provide steps that you can take to keep your WordPress site secure.
1. Webserver Security
The most fundamental step in securing your site is securing your server. A secure server is one that maintains the privacy and integrity of your data. The server running WordPress, and the software on it, can have vulnerabilities, so you need to ensure that your web server and the software on it are running the latest stable, patched versions.
Securing your server is your web host’s responsibility, so you should choose a hosting provider who:
- Is able to address your security concerns by clearly stating which security processes and features they offer with their hosting plans.
- Keeps server software updated to the most recent stable version.
- Offers a proper setup for backup and recovery.
ZNetLive addresses all your WordPress-related concerns by providing a WordPress Hosting environment crafted with powerful and optimized resources, including automatic installation and updates, SSD storage, NGINX architecture, server-level protection and more.
Choose your web host wisely, and decide what security your server requires by determining up front, and discussing with your host, which data and software need to be protected.
2. WordPress Vulnerabilities
Just like any other advanced software, WordPress is updated on a regular basis to address the security issues that surface from time to time.
Update your WordPress
You should ensure that you always update your WordPress installation to the latest available version, as older WordPress versions may not have the latest security fixes. You can download it directly from the official WordPress site.
Since version 3.7, WordPress has offered an automatic update feature, which eases the process of keeping the installation current. The WordPress dashboard also keeps you informed about the latest updates, and the WordPress Developer Blog describes the steps that should be taken to update and remain secure.
If you are maintaining a number of WordPress installations, you can also use Subversion to manage them easily.
Report Security Issues
If you find a bug in WordPress, you should report it. It may be a vulnerability, or a bug that might lead to one.
If you have uncovered a security flaw, you can report it; for information on how, visit the Security FAQ.
3. Network Vulnerabilities
It is imperative that the network on both the server side and the client side be trustworthy. If you are using an Internet cafe where your passwords are sent over an unencrypted connection, that network does not qualify as a trusted network. Sensitive and personal information such as passwords is prone to interception if the network is vulnerable.
You should be careful about the networks that you work from. You should also keep the firewall rules on your home router up to date to protect yourself from network vulnerabilities.
Your web host also needs to take proper measures to ensure that their network does not get compromised.
4. Database Security
If many blogs are being run on a single server, the best strategy to keep them safe is to keep each in a different database, with a different administrator managing each blog. This is best done at the beginning of the WordPress installation. It helps secure your WP blogs because even if an attacker gains access to one blog, they will not be able to reach all of them.
If you are administering MySQL yourself, make sure that it is properly configured and that any unnecessary features, such as accepting remote TCP connections, are disabled.
Limiting User Privileges
A MySQL database user requires only data read and write permissions (INSERT, DELETE, SELECT and UPDATE) for regular WordPress operations, such as publishing posts, posting comments, adding media files, creating new users and installing plugins.
Thus permissions related to database administration and structure, such as GRANT, ALTER and DROP, can be revoked. Granting only these selective privileges improves containment: a compromised database account can do less damage.
Note: The majority of WordPress updates, a few themes and some plugins may need to make structural modifications to the database, such as adding new tables or changing the schema. In those cases, the database user needs to be granted the required permissions before the software update or plugin installation.
WARNING: If a database update is attempted without the requisite permissions, problems may surface when the database schema changes. So revoking these privileges is NOT recommended. If you have to do it for security reasons, first ensure that a strong backup plan exists, complete with full database backups that have been tested to be valid and are easily restorable.
If a database upgrade fails, the database needs to be restored to the older version, the proper permissions granted, and WordPress then allowed to update the database again. Restoring the database returns it to its older version; the WP administration screens will detect the older version and let you run the required SQL commands on it. Many WordPress upgrades do not alter the schema, but a number of them do.
The schema is altered only by some major point upgrades, such as 3.7 to 3.8, and not by minor upgrades, such as 3.8 to 3.8.1. Keeping a regular backup is nonetheless essential.
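As an added example (not from the original article), the MySQL statements below put into practice the two points made above: one database and one least-privilege user per site, and the temporary grant-then-revoke cycle for an update that changes the schema. The database names, user names and passwords are placeholders and must be replaced.

```sql
-- Added example, not from the original article. MySQL syntax.
-- wp_site_a / wp_site_b and the passwords are placeholders.

-- Site A gets its own database ...
CREATE DATABASE wp_site_a CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
-- ... and its own user, allowed to connect only from the local host,
-- so the credentials are useless from any other machine.
CREATE USER 'wp_site_a'@'localhost' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD';

-- Day-to-day WordPress operation needs only data read/write privileges.
GRANT SELECT, INSERT, UPDATE, DELETE ON wp_site_a.* TO 'wp_site_a'@'localhost';

-- Site B is set up the same way with separate credentials, so a leaked
-- wp-config.php from site A does not expose site B's tables.
CREATE DATABASE wp_site_b CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER 'wp_site_b'@'localhost' IDENTIFIED BY 'REPLACE_WITH_DIFFERENT_PASSWORD';
GRANT SELECT, INSERT, UPDATE, DELETE ON wp_site_b.* TO 'wp_site_b'@'localhost';

-- For a site whose user was originally created with ALL PRIVILEGES,
-- strip everything and re-grant only the four data privileges.
REVOKE ALL PRIVILEGES ON wp_site_a.* FROM 'wp_site_a'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE ON wp_site_a.* TO 'wp_site_a'@'localhost';

-- Verify what each user can actually do before pointing WordPress at it.
SHOW GRANTS FOR 'wp_site_a'@'localhost';

-- Maintenance window: a core update, theme or plugin that adds tables or
-- changes the schema needs structural privileges (CREATE for new tables,
-- ALTER/INDEX for schema changes, DROP for removals). Take and verify a
-- backup first, then grant them temporarily ...
GRANT CREATE, ALTER, DROP, INDEX ON wp_site_a.* TO 'wp_site_a'@'localhost';
-- ... run the update from the WordPress dashboard, then take them away again.
REVOKE CREATE, ALTER, DROP, INDEX ON wp_site_a.* FROM 'wp_site_a'@'localhost';
SHOW GRANTS FOR 'wp_site_a'@'localhost';
```

Disabling remote TCP connections, as recommended earlier in this section, is a server setting (bind-address = 127.0.0.1 or skip_networking in the MySQL configuration file) rather than a GRANT; restricting each user's host to 'localhost' in the statements above adds a second layer on top of that setting.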
NOTE: This blog is the first part of a four-part series on WordPress hardening. Parts 2, 3 and 4 will be published soon and will deal with 11 more steps for WordPress hardening, including passwords, FTP, file permissions, securing wp-admin and wp-includes, securing wp-config.php, plug-ins, file editing, data backups, logging and monitoring.
Update: Part 2 is now live.
Update: Part 3 is now live.
Update: Part 4 is now live.
Jyotsana Gupta, the content and communication head, is an engineer by education and a writer at heart. In technical writing for 6 years, she makes complex topics interesting to a general audience. She loves going on long drives in her spare time.