WordPress is the most widely used CMS platform in the world right now.
WordPress is designed, developed and updated with the ‘easy to use’ mantra in mind, and this, together with features like quick installation, has helped it to ascend to new heights.
However, this simplicity, combined with WordPress being open source, brings many challenges, and one of the major challenges WordPress faces is security.
In our previous blog post on WordPress security, we discussed web server and database security, network- and WordPress-related vulnerabilities, and the steps you should take for WordPress hardening.
In this blog post, we discuss some other security-related issues that need to be addressed and the steps you can put into effect to harden your WordPress installation.
#5 Security with Strong Password
It is possible to avoid the majority of prospective vulnerabilities by following some basic security precautions, like maintaining a strong password.
Password strength matters because the stronger the password, the harder it is for people to guess it and the longer a brute force attack takes to succeed.
A strong password also protects the content of your blog and prevents an attacker from gaining access to your admin account; an attacker with admin access can deploy malicious content that can jeopardize your complete server.
To prevent all this, generate strong passwords with one of the readily available automatic password generators.
You can also add two-step authentication as an added security precaution.
Also, when you change your password in WordPress, there is a ‘password strength meter’ feature that you can use to check whether your password is of adequate strength.
Some things should be avoided when you choose a password: using your own name, your family members’ names, your company name or your website name; choosing any word directly from the dictionary; or choosing a short password. Ideally, your password should be a long combination of alphanumeric characters.
#6 Protected File Transfer
When you connect to your server, use SFTP instead of regular FTP. SFTP, though functionally similar to FTP, uses SSH for managing, accessing and transferring files between your local machine and the remote server.
SFTP is therefore more secure: your credentials and other data are encrypted while they travel between your machine and the server, so an attacker on the network path cannot read them or pick up your password.
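As an added example (not code from the original post), the following shell script uploads a theme directory over SFTP non-interactively. It uses an sftp batch file, key-based authentication only, and strict host key checking, so a plain-text FTP login never leaves your machine. The names REMOTE_HOST, DEPLOY_USER, KEY_FILE and the remote path are placeholders for your own values.

```shell
#!/bin/sh
# Added example: deploy files with SFTP (SSH) instead of plain FTP.
# Placeholders (assumptions, not values from the original post):
REMOTE_HOST=${REMOTE_HOST:-example.invalid}
DEPLOY_USER=${DEPLOY_USER:-deployuser}
KEY_FILE=${KEY_FILE:-$HOME/.ssh/id_ed25519}

# build_sftp_batch LOCAL_DIR REMOTE_DIR
#   Print sftp batch commands that mirror LOCAL_DIR into REMOTE_DIR:
#   one "-mkdir" per sub-directory (the leading "-" tells sftp to keep
#   going if the directory already exists) and one "put" per file.
build_sftp_batch() {
    local_dir=$1; remote_dir=$2
    ( cd "$local_dir" && find . -type d ! -name . | sort ) | while read -r d; do
        printf -- '-mkdir %s/%s\n' "$remote_dir" "${d#./}"
    done
    ( cd "$local_dir" && find . -type f | sort ) | while read -r f; do
        printf 'put %s/%s %s/%s\n' "$local_dir" "${f#./}" "$remote_dir" "${f#./}"
    done
}

# sftp_deploy LOCAL_DIR REMOTE_DIR
#   Run the batch over SSH. Password auth is disabled, only KEY_FILE is
#   offered, and an unknown or changed host key aborts the transfer so a
#   spoofed server cannot collect your files or credentials.
sftp_deploy() {
    batch=$(mktemp)
    build_sftp_batch "$1" "$2" > "$batch"
    sftp -b "$batch" \
        -i "$KEY_FILE" \
        -o IdentitiesOnly=yes \
        -o PasswordAuthentication=no \
        -o StrictHostKeyChecking=yes \
        "$DEPLOY_USER@$REMOTE_HOST"
    status=$?
    rm -f "$batch"
    return $status
}

# Usage: sh sftp-deploy.sh ./mytheme /var/www/html/wp-content/themes/mytheme
if [ $# -eq 2 ]; then
    sftp_deploy "$1" "$2"
fi
```

The remote host key must already be in your known_hosts file (add it once, out of band, from your hosting control panel or a first trusted connection); with StrictHostKeyChecking=yes the script refuses to proceed otherwise, which is the behaviour you want for an automated deploy.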
#7 Restricted File Permissions
Several important WordPress features depend on the web server being able to write to certain files. Yet granting write permission on your files can create many security-related issues, especially on shared hosting.
File permissions should be restricted as much as possible. Relax them only where you have no option but to grant write permission, or by creating specific, less restricted folders for particular jobs such as file uploads.
A viable permission scheme that you can use is given below:
Your user account should own all the files and should have write permission on them.
If WordPress needs to write to a file, the web server must be able to write to it. Where your hosting set-up requires this, it means those files are group-owned by the user account under which the web server runs.
/
The root directory: Only your user account should be able to write to all the files, barring .htaccess in case you would like WordPress to create rewrite rules automatically for you.
/wp-admin/
The administration area: Only your user account should be able to write to all the files.
/wp-includes/
The bulk of WordPress application logic: Only your user account should be able to write to all the files.
/wp-content/
Content supplied by the user: Your user account as well as the web server process should be able to write to it.
In /wp-content/, you will also get:
/wp-content/themes/
Theme files: If you intend to use the built-in theme editor, the web server process needs write permission on all the files. If you do not intend to use the built-in theme editor, only your user account should be able to write to all the files.
/wp-content/plugins/
Plugin files: Only your user account should be able to write to all the files.
Any additional directories under /wp-content/ should be documented by the theme or plugin that requires them. Their permissions may differ.
Modifying file permissions
If you have shell access to your server, you can reset file permissions recursively with the commands given below (the semicolon that terminates -exec must be escaped from the shell):
For Files:
find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;
For Directories:
find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;
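The scheme above and the two find commands fit together into one script. The following is an added example (not code from the original post) that applies the permission scheme to an install directory and then audits it for anything left world-writable. It assumes the install lives in the directory given as the first argument, your shell account is the second argument, and the web server runs under the group given as the third (www-data on Debian/Ubuntu; adjust for your host). It also assumes the built-in theme editor is not used, so themes stay writable by your account only.

```shell
#!/bin/sh
# Added example: apply and audit the WordPress permission scheme.
# Assumptions: DIR is the install root, USER your shell account, GROUP the
# web server's group. Ownership is only changed when running as root.

# harden_wp_perms DIR USER GROUP
#   Directories 755, files 644, everything owned by USER. wp-content gets
#   775/664 so the web server (which shares GROUP) can write uploads and
#   cache, while plugins and themes stay writable by USER only. .htaccess
#   becomes group-writable so WordPress can manage rewrite rules.
harden_wp_perms() {
    dir=$1; user=$2; group=$3

    # chown needs root (or the current owner); skip it on a shared host
    # where you have no sudo, and let the hosting panel set ownership.
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$user:$group" "$dir"
    fi

    find "$dir" -type d -exec chmod 755 {} \;
    find "$dir" -type f -exec chmod 644 {} \;

    if [ -d "$dir/wp-content" ]; then
        find "$dir/wp-content" -type d -exec chmod 775 {} \;
        find "$dir/wp-content" -type f -exec chmod 664 {} \;
        # Plugins and themes: back to user-only writable.
        for sub in plugins themes; do
            if [ -d "$dir/wp-content/$sub" ]; then
                find "$dir/wp-content/$sub" -type d -exec chmod 755 {} \;
                find "$dir/wp-content/$sub" -type f -exec chmod 644 {} \;
            fi
        done
    fi

    if [ -f "$dir/.htaccess" ]; then
        chmod 664 "$dir/.htaccess"
    fi
    return 0
}

# audit_world_writable DIR
#   Print the number of regular files and directories that anyone on the
#   machine can write to. The scheme above never grants that, so anything
#   other than 0 means a file was left (or later made) 666/777.
audit_world_writable() {
    find "$1" ! -type l -perm -002 | wc -l | tr -d ' '
}

# list_unexpected_modes DIR
#   List entries whose mode is outside the scheme (files not 644/664,
#   directories not 755/775), for a quick manual review.
list_unexpected_modes() {
    find "$1" -type f ! -perm 644 ! -perm 664
    find "$1" -type d ! -perm 755 ! -perm 775
}

# Usage: sh harden-wp.sh /var/www/html/wordpress deployuser www-data
if [ $# -eq 3 ]; then
    harden_wp_perms "$1" "$2" "$3"
    echo "world-writable entries left: $(audit_world_writable "$1")"
    list_unexpected_modes "$1"
fi
```

Run the audit function on its own from time to time (or from cron): a plugin or a careless upload that turns a file 777 shows up immediately, which is cheaper than discovering it after a compromise.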
Regarding Automatic Updates
When WordPress performs an automatic update, it carries out the file operations as the user who owns the files, not as the web server user.
All directories are set to 0755 and all files to 0644, writable only by the owning user; everyone else, including the web server, gets read permission only.
NOTE: This blog post is the second part of a four-part series on WordPress hardening. Part 1 is already live. Parts 3 and 4 will be published soon and will cover 8 more steps for WordPress hardening, including securing wp-admin, wp-includes and wp-config.php, plug-ins, file editing, data backups, logging and monitoring.
Update: Part 3 is now live.
Update: Part 4 is now live.