WordPress is one of the most popular content management systems in the world today. I believe it is about 35% of the market share globally. That is a lot of sites.
I have been using WordPress for years myself; some people give it some stick for being vulnerable but that is usually them referring to third party plugins. I like it because you can build a site easily, without having to spend ages and you can deploy it and migrate etc. without having a huge headache.
Some Key Capabilities
Backup
Always have a backup of the site, and ensure it is transmitted and stored securely in another location that cannot be altered from the site itself (if the site is compromised, the attacker should not be able to delete or tamper with the backups). You can back up using a cloud provider, a plugin, or by doing some wizardry with database dumps and WordPress file backups.
Audit Logs
By default WordPress does not keep much in the way of logs (beyond the web server's HTTP access logs), so what we are going to want is an audit log capability that records logins, failed logins, plugin and user changes and the like.
Securing XML-RPC & REST API
WordPress has an XML-RPC API if it is running a version later than 3.5, so make sure you review its configuration. In later versions of WordPress (5.6 and above) the XML-RPC API has been replaced with a REST API.
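Until an audit-log plugin is in place, the web server's access log is what you have, and it is worth knowing what to look for in it. The following is an added example (not code from the post or from WordPress): a small detector run over constructed Apache/nginx "combined" format log lines that flags bursts of POSTs to wp-login.php from a single IP and any request to xmlrpc.php, which is the usual sign that XML-RPC is still reachable. The thresholds, log lines and IP addresses are all made up for the example.

```python
# Added example (not from the post): a minimal audit-style detector over
# constructed web-server access-log lines. It flags bursts of POSTs to
# wp-login.php from one IP (password guessing) and any hit on xmlrpc.php.
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: one noisy client, one legitimate login, one xmlrpc probe.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.10 - - [10/Oct/2023:13:56:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:57:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
203.0.113.10 - - [10/Oct/2023:13:58:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict of fields for one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def detect(log_text, login_threshold=5, window_seconds=60):
    """Return a list of (rule, ip, detail) findings for the given log text."""
    findings = []
    login_times = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # unparseable line; a real tool would count these too
        if rec["path"].startswith("/xmlrpc.php"):
            findings.append(("xmlrpc_request", rec["ip"], rec["method"]))
        if rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            login_times[rec["ip"]].append(rec["ts"])
    for ip, times in login_times.items():
        times.sort()
        # Sliding window: flag the IP once if any window_seconds span holds >= threshold POSTs.
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= login_threshold:
                findings.append(("login_burst", ip, f"{end - start + 1} POSTs within {window_seconds}s"))
                break
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Running it against the sample prints one xmlrpc finding for 192.0.2.44 and one login burst for 198.51.100.7; the single successful login from 203.0.113.10 is left alone. The same two rules are a reasonable starting point for whatever audit log or SIEM you end up shipping the logs to.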
Remove Unused Content
Unused themes, readme.txt, license.txt, unused plugins etc. can all be removed. You do not want to leave junk lying about that may aid enumeration or expose a vulnerability.
Web Application Firewall
Deploy a WAF, go do it now. Remember it is not a one hit and done job, you can enable learning mode and the configuration will need tuning.
Content Delivery Network
It is generally a good idea to use a CDN, which means your real server IP should not be exposed (go check that now if this is your deployment model). Remember that if you use a CDN you will probably need to update your host's logging configuration to record the real client IP addresses rather than the CDN's.
https://support.cloudflare.com/hc/en-us/articles/360029696071
Firewall Rules
You should generally not expose any administrative interfaces to the open internet where possible; use VPNs or allow lists etc. to secure SSH access.
Strong Authentication
Ensure you don’t use generic/shared accounts and ensure there are strong passwords at a minimum.
Multi-Factor Authentication
Deploy MFA if you can. I personally use DUO because it is simple to configure, easy to set up and takes minutes to roll out to WordPress. However you do this, adding MFA is a great idea.
Ensure you limit privileges
Using role-based permissions will help you ensure that not everyone can administer all the things. There is a range of built-in roles to help manage permissions.
Updates
Ensure your WordPress site and plugins are up to date, but also, if you are running your own web server on a VPC etc., don't forget to secure and update the host itself.
SMTP / Email Security
It’s important as well to understand your mail flow. You also will want to ensure your mail DNS configuration is right, so get your SPF, DMARC and DKIM records sorted.
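Getting the records "sorted" means more than just publishing them; a permissive SPF or a monitor-only DMARC policy looks fine on paper and still lets someone spoof your domain. As an added example (not from the post), here is a small linter for SPF and DMARC TXT records that flags the weak settings you most often find. The records are constructed; in practice you would look up the TXT records for your domain and for _dmarc.yourdomain. DKIM is left out because checking it needs the selector name, which varies per mail provider.

```python
# Added example (not from the post): lint SPF and DMARC TXT records for
# common weaknesses. The sample records below are constructed.
import re

# RFC 7208 limits the terms that trigger DNS lookups to 10 per evaluation.
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def _term_name(term):
    """Strip the qualifier (+ - ~ ?) and return the mechanism/modifier name."""
    return re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]


def lint_spf(record):
    """Return a list of issues found in an SPF record string (empty list = looks OK)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    issues = []
    mechanisms = terms[1:]
    last = mechanisms[-1].lower() if mechanisms else ""
    if last in ("+all", "all"):
        issues.append("'+all' lets any host on the internet send as this domain")
    elif last == "?all":
        issues.append("'?all' is neutral; end with '-all' (or '~all' while testing)")
    elif last not in ("-all", "~all") and not last.startswith("redirect="):
        issues.append("record does not end with an 'all' mechanism or a redirect")
    if any(_term_name(t) == "ptr" for t in mechanisms):
        issues.append("'ptr' mechanism is deprecated by RFC 7208 and slow to evaluate")
    lookups = sum(1 for t in mechanisms if _term_name(t) in SPF_LOOKUP_TERMS)
    if lookups > 10:
        issues.append(f"{lookups} DNS-querying terms exceed the limit of 10; SPF will permerror")
    return issues


def lint_dmarc(record):
    """Return a list of issues found in a DMARC record string (empty list = looks OK)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    issues = []
    policy = tags.get("p")
    if policy is None:
        issues.append("missing required 'p' tag")
    elif policy.lower() == "none":
        issues.append("p=none only monitors; move to quarantine or reject once reports are clean")
    if "rua" not in tags:
        issues.append("no 'rua' aggregate report address, so you will never see spoofing attempts")
    pct = tags.get("pct")
    if pct is not None and pct != "100":
        issues.append(f"pct={pct} applies the policy to only part of the mail flow")
    return issues


# Constructed sample records for example.com (placeholder domain).
GOOD_SPF = "v=spf1 include:_spf.example.net mx -all"
BAD_SPF = "v=spf1 ptr a mx +all"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"
BAD_DMARC = "v=DMARC1; p=none"

if __name__ == "__main__":
    for label, fn, rec in (("SPF", lint_spf, BAD_SPF), ("DMARC", lint_dmarc, BAD_DMARC)):
        print(label, rec, "->", fn(rec) or "OK")
```

The good records come back clean; the bad SPF is called out for `+all` and the deprecated `ptr`, and the bad DMARC for `p=none` and the missing report address. Point it at your own records once you have pulled them from DNS.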
Transport Layer Security
This is generic to any web application, but make sure you review your TLS configuration and disable any weak ciphers and protocols (including legacy/deprecated ones like TLS 1.0 and 1.1).
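What a reviewed TLS configuration actually looks like, as an added example (not from the post): a Python `ssl` server context pinned to TLS 1.2 and above with a modern cipher list, plus a helper that flags known-weak cipher names from a scanner's output. The scanner output list is constructed; the same cipher string and minimum version translate directly into the equivalent nginx or Apache directives.

```python
# Added example (not from the post): a hardened TLS server context and a
# checker for weak cipher names. The scan output below is constructed.
import ssl

# Substrings that identify ciphers you should not be offering in 2020+.
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ADH", "AECDH")


def is_weak_cipher(name):
    """True if the OpenSSL-style cipher name carries a marker of a weak construction."""
    upper = name.upper()
    return any(marker in upper for marker in WEAK_MARKERS)


def weak_ciphers_in(names):
    """Filter a list of cipher names (e.g. from a scanner) down to the weak ones."""
    return [n for n in names if is_weak_cipher(n)]


def hardened_server_context():
    """Build a server-side context that refuses legacy protocols and weak ciphers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # drops SSLv3, TLS 1.0 and TLS 1.1
    # Forward-secret AEAD suites only; the ! terms exclude anonymous, NULL and legacy ciphers.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!3DES:!RC4")
    ctx.options |= ssl.OP_NO_COMPRESSION  # TLS compression enables the CRIME attack
    return ctx


def offered_ciphers(ctx):
    """Names of the ciphers a context would offer, for review."""
    return [c["name"] for c in ctx.get_ciphers()]


# Constructed example of what an old server might advertise.
SCAN_OUTPUT = ["ECDHE-RSA-AES256-GCM-SHA384", "DES-CBC3-SHA", "RC4-SHA", "AES128-SHA"]

if __name__ == "__main__":
    print("weak in scan:", weak_ciphers_in(SCAN_OUTPUT))
    print("hardened context offers:", offered_ciphers(hardened_server_context()))
```

The scan sample gets `DES-CBC3-SHA` and `RC4-SHA` flagged, and the hardened context offers no cipher that trips the same check. Note that a plain `AES128-SHA` passes the name check despite lacking forward secrecy, which is why the context restricts itself to ECDHE suites rather than relying on a deny list alone.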
Admin Interfaces
OK so /wp-admin is the default path and you need this for your site editors, mods and admins to use the site. You can however change this path (there's a risk of breaking some things). You can also restrict access to it using network or host-based security tools.
Other interfaces to be mindful of are:
- cPanel
- phpMyAdmin
- FTP/FTPS
- SSH
Ideally you don't want any way for someone to reach these directly from the internet. Use additional controls such as allow lists etc. to harden them.
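The allow-list advice in the Firewall Rules section and here, and the CDN point about recording real client addresses, are the same problem seen from two sides: an allow list on /wp-admin is only as good as your idea of who the client really is. Behind a CDN the TCP peer is the CDN, so you take the client address from a header, but if you trust that header from anyone, a direct connection to the origin can forge it and walk straight past the allow list. The following is an added example (not code from the post, Cloudflare or WordPress) that resolves the client IP only when the peer is one of the CDN's ranges and then gates the admin paths. The CDN ranges, the allowed operator network and the sample requests are all constructed placeholders; use the ranges your CDN actually publishes.

```python
# Added example (not from the post): resolve the real client IP behind a CDN
# and gate admin interfaces behind an IP allow list. All ranges and requests
# below are constructed placeholders, not a CDN's real published ranges.
import ipaddress

# Placeholder CDN egress ranges: replace with the list your CDN publishes.
CDN_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:c0::/48")]
# Placeholder operator network (e.g. VPN egress) allowed to reach admin paths.
ADMIN_ALLOW = [ipaddress.ip_network(n) for n in ("203.0.113.0/28",)]
# Paths that should never be reachable from arbitrary internet clients.
ADMIN_PREFIXES = ("/wp-admin", "/wp-login.php", "/xmlrpc.php", "/phpmyadmin")


def in_any(ip, networks):
    return any(ip in net for net in networks)


def client_ip(peer_ip, headers):
    """Return the address to treat as the client.

    The CDN-supplied header is trusted only when the TCP peer is the CDN itself;
    otherwise a direct connection to the origin could forge it and bypass the
    allow list. Header names are assumed to be passed in canonical case.
    """
    peer = ipaddress.ip_address(peer_ip)
    forwarded = headers.get("CF-Connecting-IP") or headers.get("X-Forwarded-For")
    if forwarded and in_any(peer, CDN_RANGES):
        # X-Forwarded-For may be a comma list; the left-most entry is the original client.
        return ipaddress.ip_address(forwarded.split(",")[0].strip())
    return peer


def admin_allowed(peer_ip, headers, path):
    """True if the request may proceed; non-admin paths are always allowed here."""
    if not path.lower().startswith(ADMIN_PREFIXES):
        return True
    return in_any(client_ip(peer_ip, headers), ADMIN_ALLOW)


if __name__ == "__main__":
    # Constructed requests: via CDN from the VPN, via CDN from elsewhere, and a
    # direct-to-origin connection carrying a forged X-Forwarded-For.
    for peer, hdrs, path in (
        ("198.51.100.20", {"CF-Connecting-IP": "203.0.113.5"}, "/wp-admin/"),
        ("198.51.100.20", {"CF-Connecting-IP": "198.18.0.1"}, "/wp-admin/"),
        ("192.0.2.9", {"X-Forwarded-For": "203.0.113.5"}, "/wp-login.php"),
    ):
        print(peer, path, "->", "allow" if admin_allowed(peer, hdrs, path) else "deny")
```

The third request is the one that matters: the forged header names an allowed address, but because the peer is not the CDN it is ignored and the request is denied. In a real deployment the origin firewall should refuse non-CDN peers outright as well; this check is the belt to that braces.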
Defender Plugin List
There is a ton of plugins and options, and I am sure the community can add more (please feel free to drop a comment on the post with recommendations).
- Wordfence
- Audit Log Pro
- DUO Multi-Factor Authentication
- Google Authenticator
- Security Ninja
- WP Fail2Ban
Think about the differences between free versions and paid-for plugins. Take a business risk-based decision on that; the tools are not very expensive and could save you a ton of headache, reputation damage and ICO reporting grief in the long run.
Summary
Running a web service means more than just getting the content out; you need to ensure you identify, protect, detect, and respond to security threats. Simply by having a site on the internet you will be hit with random noise and specific scans, and if you have an e-commerce element you will likely be targeted to some degree (even if it is just by semi-automated methods).
Everyone has something of value, whether that's time, data or simply brand, so you want to ensure your internet-facing web services are in good shape. I hate to say it, but a lot of web services' security postures are frankly quite poor, so get thinking about how you ensure you're not leaving yourself and your organisation exposed to risk. Be safe and may the force be with you.