WordPress: 10 good practices in terms of security for websites

WordPress (WP) is known as the most popular CMS, among many things, having been designed with emphasis on accessibility, performance, and ease of use, be in continuous development (current version 5.2), have a huge community of users in many languages ​​and have a huge capacity for personalization through the use of themes (themes) and complements (plugins) own or third parties.

Also because it is very safe, but for that, as in any application or system, good practices must be followed to achieve a long-term safe implementation. And in this publication we want to provide some basic recommendations in this regard.

WordPress: 10 good practices in terms of security for websites

Introduction

WP, being the most popular CMS to build websites, is also often a frequent target of computer attacks, so apart from its constant updating, it requires frequent maintenance, updating, and securization procedures to avoid weaknesses due to vulnerabilities. in add-ons, weak passwords, obsolete software, among many other reasons, that is, to greatly reduce their vulnerability to any planned or unforeseen attack.

In addition, WP like any other Content Management System (CMS) allows you to quickly and efficiently build a website and then put it online. Their high capacity for work and growth, via modules, supplementary subjects, makes it easier than ever to achieve this task but without the need for the long years of learning that are usually required for this.

However, an unpleasant side effect that may arise from this, it may be that some managers of this tool, usually ignore, the necessary measures to ensure that the website created or maintained is safe. For this, it is important to keep in mind some general and specific measures (good practices), about WP or any other CMS and website to keep it safe.

Good practices

1.- Strengthen your security in general

WP surely surpasses today easily 30% of the base of active websites on the Internet, which makes it a favorite target for invaders and / or attackers (hackers / crackers) with good or bad intentions. Therefore, a vulnerability known and already exploited successfully in a similar site with WP will be attempted in other similar sites with WP.

Strengthen your security in general

So if you manage and / or use one or several web site (s) with WP, be sure to be more careful, thorough and aware of their online security. Keep in mind that the majority of security breaches analyzed and reported on websites with WP were had little or nothing to do with the core of the application itself, but much to do with everything related to its implementation, configuration and general maintenance, carried out incorrectly by developers or administrators.

WordPress Security

2.- Know your vulnerabilities

WordPress has about 4,000 known security vulnerabilities, distributed as follows: WP Core (37%), Add-ons (52%) and Themes (11%), according to a recent report from the WPScans website, now called WPSec ( since 01-05-2019). Investigate the security vulnerabilities that your website faces and look for a solution to solve those problems. Avoid running unsafe versions of the WP Core, or its add-ons and themes.

Focus on the following security issues in your WP or website, that is, in the different types of Attacks:

• Brute Force: Reinforcing security on your login page.
• File inclusion: Reinforcing the security of your wp-config.php configuration file.
• SQL injection: Reinforcing the security of your MySQL database associated with WP.
• Cross-site scripts: Reinforcing the security of used WP plugins.
• Malware infection: Reinforcing the general security of your website to prevent unauthorized access, the insertion of malware and the subsequent collection of confidential data by these malicious codes. Malware or most frequent attacks are usually of the type: Backdoor, Spam SEO, HackTool, Mailer, Defacement and Phishing. Seek to protect your site against each of these types of malware or attack.

Remember that once any website is compromised, your SEO ranking may be affected. Since the search engines usually register quickly the violated websites so that, consequently, the navigators indicate to the visitors warning signs or completely block the ability to navigate said sites.

Know your vulnerabilities

3.- Know the infrastructure of your hosting provider

If your website uses external hosting, that is, hired outside of your infrastructure, do not skimp on costs to ensure the quality of service of your hosting provider. Above all, if it hosts your site under the scheme of "shared hosting".

Because if the "shared hosting" is of low quality you can make your site more vulnerable by being compromised one of the several websites stored on the same server. That is, if a website is hacked into a server with "shared hosting", attackers can also gain access to other websites and their data.

Know the infrastructure of your hosting provider

4.- Know the web technical specifications of your hosting provider

When evaluating a hosting provider, your infrastructure is not everything. The technical web specifications used by your hosting provider to achieve better security of the hosted websites is also important. Make sure that it follows the recommended security guidelines for hosting your website:

• Easy installation of SSL certificates
• Active management of software versions of the web server.
• Firewall protection
• Register of access to the website
• Routine security audits
• Malicious activity detection
• Support for SFTP (not only FTP), TLS 1.2 and 1.3, and for PHP 5.6, at least although it is recommended from 7.0 onwards.

All this is necessary, at least to increase the security of your website with or without WP as CMS used.

Know the web technical specifications of your hosting provider

5.- Beware of the Topics and Complements used

The plugins and themes that are installed matter a lot at the security level. Try to use only official WP themes or add-ons or certified by the Community, from well-known commercial repositories or directly from accredited developers. Since many of them (not certified) may contain malicious code.

It does not matter how much your WP website protects if you are the one installing the malware. Investigate before downloading and installing any theme and add-on, or your developer or promoter website, and have your reservations with free or discounted ones.

6.- Try to update your CMS frequently

Updates to your web platform are very important for your security. Whether WP your CMS or not, obsolete versions of your Core, Theme or add-ons can lead you to harbor known vulnerabilities on your website. In the case of WP that is open source there is a team specifically dedicated to that matter within the Core of the application.

Each security vulnerability discovered in WP is corrected and eliminated immediately in order to solve each new security problem discovered in WP. Because of that, updating WP and all its themes and complements to the latest version is a vital component of a successful security strategy.

7.- I got an adequate password

The quality or strength of our passwords on websites is very important. The login of our websites is a favorite target for exploiting vulnerabilities, because it provides easier access to the administration page of your website.

Brute force attacks are the most common method to exploit your login, discovering the username and password combinations to gain access to the website. In the specific case of WP, by default it is not limited to the number of unsuccessful login attempts that someone can make, therefore, the most advisable is the use of a complex password for the login of your WP administrator.

When choosing a password take into account these 3 fundamental requirements based on the CLU format (Complex, Long, Unique):

• COMPLEX: The passwords must be as random as possible and least related to the Web Administrator or the Website.
• LENGTH: Passwords must be 12 or more characters long. And strengthened with restrictions or limitations on the number of failed connection attempts.
• UNIQUE: Do not reuse passwords. Each password must be unique in time. This simple rule drastically limits the impact of any password that is compromised.

Recommendation: Use a password manager such as "LastPass" (online) and "KeePass 2" (offline) to generate and store all your passwords in an encrypted format.

I got an adequate password

8.- Always have prepared your anti-disaster plan

If you use WP, remember that it does not have a built-in backup system. Include one as a priority, so you always have an up-to-date backup of your website. Backup copies are critical and a general security strategy to be implemented.

Do not forget that you should not only support your websites and databases used, but all configurations of the entire server through automated tasks with scripts or cloned image systems, to facilitate the necessary restoration and re-installations in the shortest possible time.

Always have prepared your anti-disaster plan

9.- Increase your security using 2FA

Strengthen your login as a WP administrator or your website through the two-factor authentication mechanism (2FA), which is one of the best ways to secure your website today. Two-factor authentication adds an additional layer of protection to your website login, by requiring that the use of your password requires additional code sensitive to the time of another device, such as your smartphone, to log in correctly. .

In the case of WP that does not offer by default this functionality incorporates the same through the use of an add-on, such as iThemes Security to add it.

10.- Use any necessary security add-on

Most CMS like WP use add-ons to increase their own security potential. In the specific case of WP, it is recommended to use the security plug-in called iThemes Security to add even more protection to your website. This add-on locks WP, repairs known holes, stops automated attacks and strengthens users' credentials.

It has a free version (iThemes Security) and a payment (iThemes Security Pro) that evidently provides more security features such as 2FA, scheduled malware analysis, user registration, among other things.

Conclusion

Whether it's about WP or another CMS, you can avoid most of the security problems of your website simply by following these best or best security practices. Your website deserves and must have implemented the necessary security measures that guarantee or minimize their inviolability in these times so convulsed by the activity of hackers and crackers.

Finally and as an addition, we recommend reading this other article of our blog on the subject to strengthen the security of your website, called: Linux Permissions for Administrators and Systems Developers.