WordPress security is not just about installing a WordPress security plugin and configuring a WordPress firewall. And even if you have installed a WordPress audit trail plugin to keep a record of every change that takes place on WordPress, that might not be enough.
In all fairness, if your WordPress website is running on a shared or managed hosting service there is not much more you can do, because the hosting provider controls the server. But if your WordPress website runs on a dedicated server, you need to take a more holistic approach towards the security of your WordPress website. WordPress is just the tip of the iceberg. It is a web application that is hosted on and runs on a web server, and that server is made up of several other software components. Like WordPress, all of them need to be secured and kept up to date, because all software has vulnerabilities.
Read this article for more information on the common components that make up a web server and your WordPress installation. If your WordPress runs on a hosting service I would still recommend reading it, to get a good idea of what makes it possible to run WordPress.
Below is a list of components that are typically running on a server (called a web server since it hosts a web application) that hosts your WordPress website or blog.
Web Server Service
The web server service is the actual service (software / process) that handles the incoming and outgoing communication between the web application, in this case WordPress, and the visitors’ web browsers. WordPress is typically hosted on either Apache or NginX web servers. WordPress can also be hosted on Microsoft IIS, though such a setup is less common.
Both Apache and NginX typically run on Linux or Unix-like operating systems, and both need to be secured and kept up to date. There are several techniques you can apply to harden a web server service; the basic tips below will help you get started:
- Only enable the web server modules that you need (use a whitelisting approach: disable everything and enable only the modules you need).
- Always use the latest version of the web server software and its modules.
- Configure the correct file, directory and process permissions.
- Only allow access to the directories where the WordPress website is running, and deny access to everything else on the file system.
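The permissions point deserves a concrete layout. The script below is an added example (not code from the article): it applies a least-privilege ownership and permission scheme to a WordPress document root and then checks for anything that violates it. The deploy account name, the `www-data` group (the Debian/Ubuntu default for the web server) and the rule that only `wp-content/uploads` is writable by the web server are assumptions; adjust them to your server.

```shell
#!/bin/sh
# Added example, not code from the article: apply and verify a least-privilege
# ownership and permission layout for a WordPress document root.
# Assumptions (hypothetical, adjust to your server): files are owned by a
# non-root deploy account (default "deploy"), the web server runs as group
# "www-data" (Debian/Ubuntu default), and only wp-content/uploads has to be
# writable by the web server.
set -eu

harden_wp_perms() {
    root=$1
    owner=${2:-deploy}
    web_group=${3:-www-data}

    # chown needs root and existing accounts; skip it otherwise so the
    # permission part can still be tried as an unprivileged user.
    if [ "$(id -u)" -eq 0 ] && id "$owner" >/dev/null 2>&1 \
        && getent group "$web_group" >/dev/null 2>&1; then
        chown -R "$owner:$web_group" "$root"
    else
        echo "note: not changing ownership (needs root, user $owner, group $web_group)" >&2
    fi

    # Directories 750: the owner can write, the web server group can traverse
    # and list, everyone else is locked out.
    find "$root" -type d -exec chmod 750 {} +
    # Files 640: PHP source does not need the execute bit (the interpreter
    # reads it); the web server only needs read access.
    find "$root" -type f -exec chmod 640 {} +
    # Only the uploads tree is writable by the web server (770/660), so a
    # compromised PHP process cannot rewrite wp-config.php or plugin code.
    if [ -d "$root/wp-content/uploads" ]; then
        find "$root/wp-content/uploads" -type d -exec chmod 770 {} +
        find "$root/wp-content/uploads" -type f -exec chmod 660 {} +
    fi
}

# Report anything world-accessible, or writable by the web server group
# outside the uploads tree. Prints the offenders and returns 1 if any.
check_wp_perms() {
    root=$1
    world=$(find "$root" \( -perm -001 -o -perm -002 -o -perm -004 \) -print)
    groupw=$(find "$root" -path "$root/wp-content/uploads" -prune \
                -o -perm -020 -print)
    if [ -n "$world$groupw" ]; then
        printf 'world-accessible:\n%s\nweb-server-writable outside uploads:\n%s\n' \
            "$world" "$groupw"
        return 1
    fi
    return 0
}

# Usage: sh wp-perms.sh /var/www/example.com [owner] [web_group]
if [ $# -gt 0 ]; then
    harden_wp_perms "$@"
    check_wp_perms "$1"
fi
```

Run `check_wp_perms` on its own from time to time (or from cron): a plugin update or a hurried `chmod 777` during troubleshooting is the usual way the layout quietly degrades. If you use WordPress' built-in updater rather than a deploy account, the web server needs write access to more than uploads, and you are trading this protection for convenience.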
Web Technology / Scripting Language
WordPress is written in PHP, a server-side scripting language. For the web server to execute WordPress’ PHP code you need to install PHP on your server and hook it up to the web server service, either as a web server module (mod_php on Apache) or as a separate PHP-FPM process that the web server talks to over FastCGI (the usual setup with NginX). PHP has a configuration file (php.ini) from where you can configure it, and you can refer to a PHP configuration file cheat sheet to ensure the configuration is secure. PHP itself has to be kept up to date: only currently supported versions receive security fixes. Refer to the PHP versions section for more information on which versions are still supported and which version you should be running.
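To make the php.ini point concrete, here is an added example (not from the article or from a cheat sheet): a shell script that writes a hardening drop-in and audits a php.ini for the directives that most often leak information or widen the attack surface on a WordPress host. The conf.d layout, the site path and the list of disabled functions are assumptions; note that the PHP CLI and PHP-FPM read different php.ini files, so audit the one the web server actually loads.

```shell
#!/bin/sh
# Added example, not code from the article: write a php.ini hardening drop-in
# and audit a php.ini for weak settings.
# Assumptions (placeholders): PHP loads extra .ini files from a conf.d
# directory (Debian/Ubuntu: /etc/php/<version>/fpm/conf.d/) and the site
# lives under /var/www/example.com.
set -eu

# $1 = file to write, $2 = WordPress document root (fenced via open_basedir)
write_php_hardening() {
    out=$1
    wp_root=$2
    cat > "$out" <<EOF
; Hardening drop-in (example); loaded after the main php.ini
; Do not advertise the PHP version in the X-Powered-By header
expose_php = Off
; Never show errors (paths, SQL, stack traces) to visitors; log them instead
display_errors = Off
log_errors = On
; include()/require() of remote URLs is remote file inclusion waiting to happen
allow_url_include = Off
; PHP may only open files below the site and /tmp
open_basedir = $wp_root:/tmp
; Session cookies unreadable from JavaScript and sent over HTTPS only
session.cookie_httponly = 1
session.cookie_secure = 1
; Shell-spawning functions WordPress core does not use. Some plugins do:
; watch the PHP error log after enabling this.
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
EOF
}

# Map PHP's boolean spellings (1/On/True/Yes, 0/Off/False/No) to on/off
norm_bool() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        1|on|true|yes)   echo on ;;
        0|off|false|no)  echo off ;;
        *)               printf '%s\n' "$1" ;;
    esac
}

# Effective value of directive $2 in file $1: the last uncommented
# assignment wins, as in PHP; surrounding quotes and whitespace are stripped.
ini_get() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -iE "^[[:space:]]*${key_re}[[:space:]]*=" "$1" | tail -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' \
              -e 's/^"\(.*\)"$/\1/'
}

# Print every weak directive; return 1 if there is at least one.
audit_php_ini() {
    ini=$1
    rc=0
    for rule in expose_php=off display_errors=off log_errors=on \
                allow_url_include=off session.cookie_httponly=on \
                session.cookie_secure=on; do
        key=${rule%%=*}
        want=${rule#*=}
        have=$(norm_bool "$(ini_get "$ini" "$key")")
        if [ "$have" != "$want" ]; then
            printf 'WEAK  %s = %s (want %s)\n' "$key" "${have:-<unset>}" "$want"
            rc=1
        fi
    done
    if [ -z "$(ini_get "$ini" open_basedir)" ]; then
        echo 'WEAK  open_basedir is not set'
        rc=1
    fi
    disabled=$(ini_get "$ini" disable_functions | tr ',' ' ')
    for fn in exec passthru shell_exec system proc_open popen; do
        case " $disabled " in
            *" $fn "*) ;;
            *) printf 'WEAK  %s is not in disable_functions\n' "$fn"; rc=1 ;;
        esac
    done
    return $rc
}

# Usage: sh php-hardening.sh audit /etc/php/8.2/fpm/php.ini
#        sh php-hardening.sh write /etc/php/8.2/fpm/conf.d/99-hardening.ini /var/www/example.com
case ${1:-} in
    audit) audit_php_ini "$2" ;;
    write) write_php_hardening "$2" "$3" ;;
esac
```

Restart PHP-FPM (or Apache with mod_php) after adding the drop-in, then re-run the audit against the file the web server reads rather than the CLI one. `open_basedir` and `disable_functions` are the two settings most likely to break a plugin, so introduce them on a staging copy first.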
Database Server
A database server is the service that hosts the WordPress database. If you have multiple web applications running on your web server, the database server will host more databases, apart from the default ones and the WordPress one. The most common database server used for the WordPress database is MySQL, though there are implementations on MariaDB, Microsoft SQL Server and other database servers. Below are a few basic tips to help you maintain a more secure database server.
- Always use the latest version of the database server software and its modules.
- Restrict the privileges of the WordPress database user to reading, inserting, updating and deleting data only (SELECT, INSERT, UPDATE and DELETE on the WordPress database). In day-to-day operation it does not need to modify the database structure, as explained in Implementing secure WordPress database privileges. Keep in mind that WordPress core updates and plugins that create their own tables do need CREATE, ALTER, INDEX and DROP; grant those temporarily for the update and revoke them afterwards.
- Use strong credentials for the database users.
- Use a different user for every web application and database you have running on the server.
- Never use the MySQL root user in web applications; use it only to administer the database server, and only when a task actually requires it.
- Disable remote access to the database server. If WordPress and the database run on the same host, bind the database server to localhost only.
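The following is an added example, not code from the article or from the linked database privileges post: a shell script that emits the least-privilege grants for the WordPress account and audits the output of `SHOW GRANTS` for anything beyond what WordPress needs day to day. The database name `wordpress`, the account `wpuser`, the `localhost` host and the sample grant lines in the demo are assumptions.

```shell
#!/bin/sh
# Added example, not code from the article: least-privilege grants for the
# WordPress database account, and an audit of SHOW GRANTS output.
# Assumptions (placeholders): MySQL 5.7+ or MariaDB 10.1+ (for CREATE USER IF
# NOT EXISTS), WordPress and the database on the same host, database
# "wordpress", account "wpuser". The password comes from the environment so
# it never lands in shell history; it must not contain a single quote.
set -eu

# Print the SQL; pipe it into an administrative session, e.g.
#   WP_DB_PASSWORD="$(openssl rand -base64 24)" \
#     wp_db_grants_sql wordpress wpuser | mysql -u root -p
wp_db_grants_sql() {
    db=$1
    user=$2
    host=${3:-localhost}
    pass=${WP_DB_PASSWORD:?set WP_DB_PASSWORD to a long random password}
    cat <<EOF
CREATE USER IF NOT EXISTS '$user'@'$host' IDENTIFIED BY '$pass';
-- Data access on this one database only: no CREATE/ALTER/DROP/INDEX,
-- nothing on *.*, no GRANT OPTION. Grant the schema privileges
-- temporarily for core updates or plugins that create tables, then revoke.
GRANT SELECT, INSERT, UPDATE, DELETE ON \`$db\`.* TO '$user'@'$host';
EOF
}

# Read SHOW GRANTS output on stdin. Allowed: USAGE (MySQL's "no privileges"
# placeholder) plus the four data privileges, on one database, without
# GRANT OPTION. Prints each offending line with the reason; returns 1 if any.
check_grants() {
    rc=0
    while IFS= read -r line; do
        case $line in GRANT\ *) ;; *) continue ;; esac
        privs=$(printf '%s' "$line" | sed -E 's/^GRANT (.*) ON .*$/\1/')
        scope=$(printf '%s' "$line" | sed -E 's/^GRANT .* ON ([^ ]+) TO .*$/\1/')
        extra=$(printf '%s\n' "$privs" | tr ',' '\n' | sed 's/^ *//; s/ *$//' \
                | grep -vxiE 'USAGE|SELECT|INSERT|UPDATE|DELETE' || true)
        reason=''
        if [ -n "$extra" ]; then
            reason="; privileges WordPress does not need: $(printf '%s' "$extra" | tr '\n' ' ')"
        fi
        case $line in *'WITH GRANT OPTION'*) reason="$reason; can grant privileges to others" ;; esac
        if [ "$scope" = '*.*' ] && [ "$privs" != 'USAGE' ]; then
            reason="$reason; global scope *.* instead of one database"
        fi
        if [ -n "$reason" ]; then
            printf 'BAD  %s\n     %s\n' "$line" "${reason#; }"
            rc=1
        fi
    done
    return $rc
}

# Demo: constructed SHOW GRANTS output for an over-privileged account (not
# captured from a real server). Exit status 1 is the point.
if [ "${1:-}" = demo ]; then
    printf '%s\n' \
        "GRANT USAGE ON *.* TO 'wpuser'@'localhost'" \
        "GRANT ALL PRIVILEGES ON \`wordpress\`.* TO 'wpuser'@'localhost'" \
        | check_grants
fi
```

On a live server feed it the real thing: `mysql -u root -p -N -e "SHOW GRANTS FOR 'wpuser'@'localhost'" | check_grants`. Anything it prints is a privilege an attacker inherits the moment a plugin hands them SQL injection.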
SMTP Server
The Simple Mail Transfer Protocol (SMTP) server is the service that is used to send emails, for example WordPress' password reset and notification emails. The most common SMTP server software used on Linux/Unix servers are Postfix and Sendmail. Below are a few basic tips which you can follow to ensure the SMTP server is secure and that it cannot be used by malicious users to relay spam through it.
- Always use the latest version of the SMTP Server software available.
- Only allow the server itself (its loopback address) to relay emails through the SMTP server.
- Enable authentication and only allow authenticated hosts to relay emails through the SMTP server.
- If it won’t be used from remote hosts to relay emails, configure it to listen only on 127.0.0.1.
- Configure the server's own hostname and domain (the home domain), so that outgoing mail is sent from a valid domain and HELO announces a real hostname.
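The tips above map directly onto a handful of Postfix parameters. Here is an added example (not from the article): a send-only `main.cf` for a web server whose only mail is what WordPress generates, plus a check that an existing `main.cf` cannot be used as an open relay. The hostname `www.example.com`, the domain `example.com` and the path you write to are placeholders; it assumes Postfix 2.10 or newer.

```shell
#!/bin/sh
# Added example, not code from the article: a send-only Postfix main.cf and
# an open-relay check for an existing one.
# Assumptions: Postfix 2.10+; www.example.com / example.com are placeholders;
# the live file is /etc/postfix/main.cf (pass a temp path to preview).
set -eu

write_postfix_sendonly() {
    out=$1
    host=${2:-www.example.com}
    domain=${3:-example.com}
    cat > "$out" <<EOF
# Send-only Postfix configuration (example)
# Home domain: what outgoing mail and HELO announce
myhostname = $host
mydomain = $domain
myorigin = \$mydomain
# Listen on loopback only: no host on the network can even reach the SMTP port
inet_interfaces = loopback-only
# Only this machine is a trusted client for relaying
mynetworks = 127.0.0.0/8 [::1]/128
# Relay for trusted networks or authenticated clients, reject the rest
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
# If remote hosts ever must relay through this server, keep the line above,
# set smtpd_sasl_auth_enable = yes with a SASL backend, and only then widen
# inet_interfaces and open the firewall port.
EOF
}

# Effective value of a main.cf parameter (last assignment wins)
cf_get() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//'
}

# Return 1 if the file would let other hosts relay mail through this server:
# reachable from the network while trusting non-loopback networks, or relay
# restrictions that never reject unauthorised destinations.
audit_postfix_relay() {
    cf=$1
    rc=0
    ifaces=$(cf_get "$cf" inet_interfaces)
    case $ifaces in
        loopback-only|127.0.0.1|localhost|'[::1]') return 0 ;;  # unreachable remotely
    esac
    nets=$(cf_get "$cf" mynetworks | tr ',' ' ')
    if [ -z "$nets" ]; then
        # Unset mynetworks falls back to mynetworks_style, which before
        # Postfix 3.0 meant the whole local subnet: set it explicitly.
        echo "mynetworks is not set; set it explicitly"
        rc=1
    fi
    for n in $nets; do
        case $n in
            127.*|'[::1]'*|localhost|'hash:'*|'cidr:'*) ;;  # loopback, or a table not inspected here
            *) echo "mynetworks trusts $n: every host in it may relay through you"; rc=1 ;;
        esac
    done
    relay=$(cf_get "$cf" smtpd_relay_restrictions)
    if [ -n "$relay" ]; then
        case $relay in
            *reject_unauth_destination*|*defer_unauth_destination*) ;;
            *) echo "smtpd_relay_restrictions never rejects unauthorised destinations"; rc=1 ;;
        esac
    fi
    return $rc
}

# Usage: sh postfix-check.sh /etc/postfix/main.cf
if [ $# -gt 0 ]; then
    audit_postfix_relay "$1"
fi
```

After changing `main.cf`, run `postfix check` and `postconf -n` to see the effective values, then `systemctl reload postfix`. The audit is deliberately conservative: it reads the file only, so a `mynetworks` that points at a lookup table is reported as uninspected rather than safe.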
FTP / SFTP / FTPS Server
The FTP server (FTP stands for File Transfer Protocol) is the service you connect to in order to access the WordPress website’s files and directories. FTP is frequently used to transfer files to and from your website, such as when installing a new theme or WordPress plugin, or when troubleshooting an issue. Below are a few beginners’ tips which you can follow to ensure the security of your FTP server and all of its operations.
- Always run the latest version of the FTP server software.
- Use strong credentials.
- Disable anonymous access unless it is specifically needed.
- Restrict the access of FTP users to the directories they should have access to.
- Do not allow the users to navigate out of their home FTP directory.
- Always use SFTP or FTPS to encrypt the communication channel. Plain FTP sends your username, your password and the files themselves in clear text.
- FTP users should not get a login shell on the server’s operating system. Better still, use the FTP server’s own (virtual) user accounts rather than operating system accounts.
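One way to get all of the above at once is to drop the FTP daemon entirely and use OpenSSH's built-in SFTP server, chrooted to the site, for an account with no shell. The script below is an added example (not from the article): it appends the required `Match` block to `sshd_config`, checks the chroot path against sshd's ownership rules, and shows the account creation. The group name `sftponly`, the path `/var/www/example.com` and the user `wpdeploy` are placeholders.

```shell
#!/bin/sh
# Added example, not code from the article: SFTP-only access for a WordPress
# deploy account via OpenSSH's internal-sftp, chrooted and shell-less.
# Assumptions (placeholders): OpenSSH sshd reading /etc/ssh/sshd_config, a
# group "sftponly", the site under /var/www/example.com, the web server
# group "www-data". Pass a temp path to preview the generated block.
set -eu

# Append a Match block. Match blocks must be the last thing in sshd_config,
# which is why this appends rather than inserts.
write_sftp_match_block() {
    cfg=$1
    group=${2:-sftponly}
    chroot=${3:-/var/www/example.com}
    cat >> "$cfg" <<EOF

# SFTP-only accounts: chrooted, no shell, no forwarding (example block)
Match Group $group
    ChrootDirectory $chroot
    ForceCommand internal-sftp -u 0027
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
    PasswordAuthentication no
EOF
}

# sshd refuses to chroot unless the directory and every directory above it
# is owned by root and writable by nobody but root. Walk up and return 1 at
# the first violation. The account's writable area (wp-content/uploads,
# say) must therefore be a subdirectory, never the chroot itself.
chroot_path_ok() {
    p=$1
    while :; do
        owner=$(ls -ld "$p" | awk '{print $3}')
        if [ "$owner" != root ]; then
            echo "$p is owned by $owner; every ChrootDirectory component must be root-owned"
            return 1
        fi
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "$p is group- or world-writable; sshd will refuse the chroot"
            return 1
        fi
        if [ "$p" = / ]; then
            return 0
        fi
        p=$(dirname "$p")
    done
}

# Create the account (root only). The chroot stays root-owned; the user
# writes into the uploads tree through the web server's group.
add_sftp_user() {
    user=$1
    site=${2:-/var/www/example.com}
    group=${3:-sftponly}
    getent group "$group" >/dev/null 2>&1 || groupadd "$group"
    useradd -M -d "$site" -g "$group" -G www-data -s /usr/sbin/nologin "$user"
    chown root:root "$site"
    chmod 755 "$site"
}

# Usage (as root): sh sftp-only.sh /var/www/example.com wpdeploy
if [ $# -ge 2 ]; then
    chroot_path_ok "$1"
    write_sftp_match_block /etc/ssh/sshd_config sftponly "$1"
    add_sftp_user "$2" "$1"
    sshd -t && systemctl reload ssh
fi
```

`sshd -t` validates the configuration before the reload; do it from a session you keep open, because a broken `sshd_config` locks you out of the server. Key-based login is the intent of `PasswordAuthentication no` in the block, so put the deploy key in the user's `authorized_keys` (via `AuthorizedKeysFile` outside the chroot if the default path is not readable there) before you test.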
cPanel, phpMyAdmin, Webmin and Other Administrative Web Interfaces
Web based administrative interfaces have become really popular because they simplify the management of the web server and its software. They are also a favourite target, since one login gives full control of the server. If you are using any of them, below are a few tips which you can follow to make sure such interfaces are secure:
- Always run the latest version available.
- Even though such interfaces have their own login page, add HTTP authentication as an extra layer of security.
- Make them available over HTTPS only.
- Use very strong credentials.
- If possible, restrict access to your own IP address(es) only, either in the web server configuration or at the firewall.
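For Apache, the three tips about HTTP authentication, HTTPS only and IP restriction fit in one `<Directory>` block. The script below is an added example (not from the article or from any of the named products): it writes that block for phpMyAdmin and audits the htpasswd file behind it, because basic authentication is only as strong as the hash format the file uses. The phpMyAdmin path, the administrator IP `203.0.113.10` and the htpasswd path are placeholders; it assumes Apache 2.4 with mod_ssl.

```shell
#!/bin/sh
# Added example, not code from the article: Apache 2.4 protection for an
# administrative web interface, plus an audit of the htpasswd file it uses.
# Assumptions (placeholders): phpMyAdmin at /usr/share/phpmyadmin, admin IP
# 203.0.113.10, htpasswd file /etc/apache2/.admin-htpasswd created with
#   htpasswd -B -c /etc/apache2/.admin-htpasswd admin
set -eu

write_admin_ui_protection() {
    out=$1
    dir=${2:-/usr/share/phpmyadmin}
    admin_ip=${3:-203.0.113.10}
    htpasswd=${4:-/etc/apache2/.admin-htpasswd}
    cat > "$out" <<EOF
# Protection for the admin interface under $dir (example)
<Directory "$dir">
    # Refuse requests that did not arrive over TLS (mod_ssl)
    SSLRequireSSL
    # Basic auth is a second, independent login in front of the app's own
    AuthType Basic
    AuthName "Administration"
    AuthUserFile $htpasswd
    # Both conditions must hold: right source address AND valid credentials
    <RequireAll>
        Require ip $admin_ip
        Require valid-user
    </RequireAll>
</Directory>
EOF
}

# htpasswd entries are "user:hash". Only bcrypt ($2y$, what htpasswd -B
# writes) is acceptable; apr1-MD5, unsalted SHA-1, crypt(3) and plaintext
# are all cheap to crack if the file leaks. Returns 1 if any weak entry.
audit_htpasswd() {
    f=$1
    rc=0
    while IFS=: read -r user hash; do
        case $user in ''|'#'*) continue ;; esac
        case $hash in
            '$2y$'*)   ;;
            '$apr1$'*) echo "$user: apr1 (MD5) hash, re-create with htpasswd -B"; rc=1 ;;
            '{SHA}'*)  echo "$user: unsalted SHA-1 hash, re-create with htpasswd -B"; rc=1 ;;
            *)         echo "$user: crypt(3) or plaintext entry, re-create with htpasswd -B"; rc=1 ;;
        esac
    done < "$f"
    return $rc
}

# Usage: sh admin-ui.sh /etc/apache2/conf-available/phpmyadmin-protect.conf
#        sh admin-ui.sh audit /etc/apache2/.admin-htpasswd
case ${1:-} in
    '')    ;;
    audit) audit_htpasswd "$2" ;;
    *)     write_admin_ui_protection "$@" ;;
esac
```

Enable the snippet with `a2enconf` and `apachectl configtest` before reloading. Keep the htpasswd file outside the document root and readable only by the Apache user; `Require ip` also takes CIDR ranges and several addresses if you administer from more than one place.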
Server Operating System and Other Generic Security Tips
The most common operating system used on servers that host WordPress is Linux, though a few prefer to run a web server on Microsoft Windows Server or a Unix variant. The list of security hardening tips and best practices for an operating system (and any other software) can be endless, and it all depends on the services and software components you have installed on it. The following beginners’ hardening tips should be enough to help you get started and stay one step ahead of the bad guys:
- Always install the vendor released security patches.
- Use strong credentials.
- Use a whitelisting approach when it comes to software and services. Only install the software that you need.
- Never log in or work as root. Use accounts with normal privileges and sudo for the tasks that need elevated privileges.
- Create a different username for every person accessing the server.
- Every user should have the least possible permissions / privileges.
- Always use an encrypted channel, such as SSH, to access the server remotely, and prefer key-based authentication over passwords.
- Use a firewall such as IPTables and only open the ports that are needed. In most cases you only need to allow access to the following ports:
- TCP port 22 for SSH and SFTP (SFTP runs inside SSH). FTPS is a different protocol: it needs TCP port 21 plus its passive data port range, so open those only if you actually run an FTPS server.
- TCP port 25 for SMTP (this is only needed if you are receiving incoming emails through your SMTP server or you need remote hosts to relay emails through it)
- UDP /TCP port 53 for DNS queries and Zone Transfers (if you are running your own DNS server)
- TCP port 80 for HTTP
- TCP port 443 for HTTPS
- Where possible, restrict access to network services such as SSH and FTPS to a specific set of IP addresses.
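The port list above translates into a short iptables rule set. The script below is an added example (not from the article): it allows only loopback, established connections, SSH from an administrative network, HTTP and HTTPS, with SMTP and DNS as opt-in, and drops everything else. `DRY_RUN=1` prints the commands instead of executing them, which is how you should review the rules before applying them over SSH. The admin network `203.0.113.0/24` is a placeholder; it assumes IPv4 iptables with the conntrack match, and persistence (`iptables-save` and its distro wrappers) is left to you.

```shell
#!/bin/sh
# Added example, not code from the article: iptables rules for a WordPress web
# server exposing only SSH (from an admin network), HTTP and HTTPS.
# Assumptions: IPv4 iptables with the conntrack match; 203.0.113.0/24 is a
# placeholder admin network; rules are not persisted by this script.
set -eu

# Run iptables, or with DRY_RUN=1 just print what would run
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_firewall() {
    admin_net=${1:-}     # CIDR allowed to reach SSH; empty = from anywhere
    with_smtp=${2:-no}   # "yes" only if remote hosts must deliver or relay mail
    with_dns=${3:-no}    # "yes" only if this box is an authoritative DNS server

    # Start from a clean INPUT chain but leave the policy at ACCEPT until the
    # allow rules are in place, so an interrupted run does not lock you out.
    ipt -P INPUT ACCEPT
    ipt -F INPUT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

    # SSH (and SFTP, which runs inside SSH): TCP 22, ideally from one network
    if [ -n "$admin_net" ]; then
        ipt -A INPUT -p tcp --dport 22 -s "$admin_net" -j ACCEPT
    else
        ipt -A INPUT -p tcp --dport 22 -j ACCEPT
    fi
    # The website itself
    ipt -A INPUT -p tcp --dport 80 -j ACCEPT
    ipt -A INPUT -p tcp --dport 443 -j ACCEPT
    # Optional services; a send-only mail server needs no inbound port 25
    if [ "$with_smtp" = yes ]; then
        ipt -A INPUT -p tcp --dport 25 -j ACCEPT
    fi
    if [ "$with_dns" = yes ]; then
        ipt -A INPUT -p udp --dport 53 -j ACCEPT   # queries
        ipt -A INPUT -p tcp --dport 53 -j ACCEPT   # zone transfers, large answers
    fi

    # Everything else is dropped; outbound traffic stays open, forwarding off
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
}

# Usage: DRY_RUN=1 sh firewall.sh 203.0.113.0/24        (review)
#        sh firewall.sh 203.0.113.0/24 no no             (apply, as root)
if [ $# -gt 0 ]; then
    apply_firewall "$@"
fi
```

Apply it from a console session, or with a fallback such as `sleep 120 && iptables -P INPUT ACCEPT` running in the background until you have confirmed SSH still works. The database server is deliberately absent from the list: if it is bound to localhost as recommended above, no firewall rule for it is needed, and if it ever is exposed, the rule should name the one host allowed to reach it.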
Your Own Computer
The computer or laptop that you use to access, manage and maintain your WordPress websites, blogs and web servers should also be secure. More often than not we focus on the server and on WordPress security and forget about the computer we use, which turns it into an easy to exploit attack surface: whoever controls it has direct access to the server and the WordPress website through your saved sessions, keys and credentials.
Similar to a server operating system, there are several hardening tips you can follow to ensure the operating system and software that you use are secure. Below are just a few basic ones:
- Use strong credentials.
- Always use the latest version of all the software that you use.
- Avoid saving credentials (including passwords) in the browser for the WordPress admin pages, the web server’s CPanel and other similar sensitive websites.
- Use a good password manager.
Ensuring the Security of All the Components of Your WordPress Ecosystem
The above are just a few tips to help you get started. There is much more to security, and if you are responsible for the security of your WordPress website and web server you should definitely read more about it. Don’t forget that the security of your WordPress website is only as strong as the weakest link in the chain, so all the components should be given the same importance. It does not make sense to beef up the security of your server alone: if your personal computer is hacked, the attacker has just gained direct and easy access to your WordPress website through it.
Don’t beat yourself up over it. It all boils down to the way of doing things. Once you apply the concept of the WordPress security wheel and the principle of least privilege to all your security processes, you should be fine. Last but not least, keep yourself informed. Subscribe to WP Security Bloggers, an aggregate of the most popular WordPress security news websites, to keep yourself up to date with what is new in the world of WordPress security. As for the rest, there is Google.