WordPress is widely used software for websites, blogs and landing pages. Setting up WordPress is easy and straightforward even for non-technical users, and they can host their website either on the WordPress service itself or on their own server. Most shared hosting providers will install it for you, and once it is set up you can start creating content right away.
But, as you are reading a security blog, you might know that WordPress is not the safest software out there, and has many pitfalls that can lead to vulnerabilities and problems. In the past, people have taken control of WordPress blogs through vulnerabilities in plugins (add-ons, comparable to apps, that enable new functions), misconfigured user accounts (the infamous admin accounts with easy-to-guess passwords) and insecure settings of the web server running underneath the WordPress installation.
With a small series of posts on this topic, I want to talk about the different problems that can occur and how you can harden your website as an administrator or owner of a WordPress installation.
A configuration for small and simple websites
If you are only using WordPress for small projects, such as a personal website, a landing page for your product or similar, you often do not need much configuration.
The most important step towards WordPress security is updates. Fortunately, the WordPress developers react quickly to vulnerabilities and bug reports. This applies only to the core files, though; plugins and themes are maintained by other people. Since WordPress 3.7, updates are automatic, meaning minor bug and security fixes are applied without requiring user input. So, in most cases, you want to keep your installation up to date at all times. There are exceptions if your website depends on specific themes or plugins to function correctly, but this should really be an edge case.
In the past, there were one or two plugins that sent email notifications when plugins or themes had updates. Unfortunately, they are outdated and you need to log in from time to time to check for updates.
Similar to Microsoft Windows, WordPress creates a default administrator account during setup, and, just as on Windows, this is horrible for security: if that account is compromised, your whole website is. It is therefore better to have one admin account for administrative matters (updates, installing plugins and themes, settings) and a separate user account with limited privileges for publishing content.
Create a user account
In the WordPress Users menu, click Add New and you are presented with the new-user form.
Fill out the form and set the Role to Author. You can read about roles here. The author role is allowed to publish and modify posts, and this should be enough for creating content. Choose a secure password (WordPress shows the password strength, make sure it is at least Strong). Do not choose the same password for user and admin account!
If your current administrator account is named admin or root or something equally obvious, you can select Your Profile in the Users menu to change it to something that is not easily guessed, like TheAlmightyAdministrator4050. This helps mitigate simple automated brute-force attacks. Also, if you only use the Author account for publishing, only the Author username is shown in the posts, and the administrator account name remains hidden.
A short, insecure password is often the reason an attacker can successfully take over a website. It is therefore crucial to use a secure password. What does secure mean? The password should be:
- difficult to guess
- too long to brute-force
- safely stored (WordPress does that for you)
The best password is one you do not know. How does this even work, you might ask? Password managers are the answer. I always recommend the use of password managers for every password you use. See my other posts for how to set up one.
Again: Use different passwords for different accounts!
Finally, the tips above are the bare minimum required for a secure website. Most attacks on the Internet are automated scans and exploitation attempts (e.g. brute-forcing), and the settings suggested here do prevent them.
Once your website starts attracting more visitors and more popularity, you can think about adding more security, as a website with more traffic is always more interesting to potential attackers, competitors or vandals. Part 2 of this series on WordPress security describes techniques to further secure your website with access to the server.