WordPress Security Overview

WordPress itself is a well-organized, free-to-use content management system (CMS).

A wide range of plugins makes it possible to extend and modify the default functionality and interface.

Installing a plugin is easy and requires no technical skills; however, as soon as a plugin is installed, its PHP code becomes part of the WordPress application and runs with exactly the same privileges as WordPress core (the same database user, the same file system access).

It follows that not only the WordPress source code is open: a plugin's code can be studied by anyone who installs the same plugin on their own WordPress instance, including an attacker looking for a flaw to use against every site that runs it.

As a result, each new plugin is a potential WordPress security issue and needs to be evaluated on its own.

Of course, this does not mean there are no safe WordPress plugins at all, but plugins are only one side of WordPress security.

You cannot guarantee WordPress security with plugins alone: a plugin runs only inside the web server's PHP process, after a request has already reached WordPress, and so covers only one layer of the website's security.

WordPress security consists of:

Secure WordPress Hosting

Restrict Connection

WordPress Database Security [if required]

WordPress Login Protection

Software/Plugins Update

Remove WordPress unused files

Restrict WordPress work files

WordPress SSL [if required]

WordPress Firewall [if required]

Backup WordPress

Privacy Policy

Secure WordPress Hosting

1. The website should have a dedicated IP address.
This also has a positive influence on search ranking: when many websites share one IP address, a search engine bot may measure your website while taking the neighbouring websites' statistics into account.

From a security point of view a shared IP also means shared reputation: if a neighbouring site sends spam or hosts malware, the IP address can end up on blocklists that affect your site as well.

2. The website should run on its own virtual server.

In this case no other customer shares the operating system, file system or web server with you, so a compromised neighbouring account or a weak shared control panel cannot become a path to your files. Note that the hosting provider's administrators still have access to the virtual machine through the hypervisor (console, disk images, snapshots), so a virtual server protects you from other tenants, not from the provider itself.

3. Secure WordPress hosting is best implemented on a virtual server from a reliable hosting provider. We recommend DigitalOcean, but many other companies have a good reputation.

Restrict Connection

Non-trivial usernames (do not use admin)
Long passwords that include special characters (for example, a 24-character password), ideally generated and stored by a password manager
Restrict access to the web server via SSH: use a non-trivial login username, allow connections only from your own IP address(es), and log in with SSH keys while password authentication and direct root login are disabled
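The following shell functions are an added example, not code from the original page: they write an sshd drop-in that implements the checklist above (one named user, one allowed source IP, keys only, no root login) and audit a config file for those settings. The user name deploy, the address 203.0.113.10 and the drop-in path are placeholders; the drop-in requires an OpenSSH that includes /etc/ssh/sshd_config.d/*.conf (8.2 or newer).

```shell
# Added example (not from the original page): sshd hardening drop-in for the
# "Restrict Connection" checklist, plus an audit function.
# Assumptions: OpenSSH 8.2+ with "Include /etc/ssh/sshd_config.d/*.conf";
# ADMIN_USER, ALLOWED_IP and OUTPUT_FILE are placeholders you must replace.

# harden_sshd OUTPUT_FILE ADMIN_USER ALLOWED_IP
harden_sshd() {
    out="$1"; user="$2"; ip="$3"
    cat > "$out" <<EOF
# Only this non-trivial user may log in, and only from this address
# (AllowUsers accepts user@host, where host may be an IP or CIDR range)
AllowUsers ${user}@${ip}
# Keys only: no password guessing, no direct root login
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
# Make brute forcing of the remaining surface slow
MaxAuthTries 3
LoginGraceTime 20
EOF
    chmod 600 "$out"
}

# audit_sshd CONFIG_FILE -> 0 if every required directive is present with the
# expected value, 1 otherwise (each missing directive is reported on stderr)
audit_sshd() {
    cfg="$1"; rc=0
    for want in "PasswordAuthentication no" "PermitRootLogin no" "PubkeyAuthentication yes"; do
        if ! grep -Eq "^[[:space:]]*${want}[[:space:]]*$" "$cfg"; then
            echo "missing: $want" >&2; rc=1
        fi
    done
    if ! grep -Eq '^[[:space:]]*AllowUsers[[:space:]]+[^[:space:]]+@[0-9./]+' "$cfg"; then
        echo "missing: AllowUsers user@ip" >&2; rc=1
    fi
    return $rc
}

# Usage on the server (keep your current session open until you have verified
# a new login works; "sshd -t" validates the configuration before reloading):
#   harden_sshd /etc/ssh/sshd_config.d/99-hardening.conf deploy 203.0.113.10
#   audit_sshd  /etc/ssh/sshd_config.d/99-hardening.conf && sshd -t && systemctl reload ssh
```

The AllowUsers line is what enforces the "by IP" part of the rule inside sshd itself; a host firewall rule that only opens port 22 to the same address is a second, independent layer and is worth adding as well.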

WordPress Database Security

If this level of prevention is required, the WordPress database credentials can be stored outside the /www/ directory in an .ini file, so that a misconfiguration that serves PHP files as plain text, a backup copy left in the web root, or a path traversal bug in a plugin does not expose them.

wp-config.php

$config = parse_ini_file( '/outwwwdirectory/wp.ini' );

/** Fail closed: never continue with missing or empty credentials */
if ( false === $config || ! isset( $config['db'], $config['username'], $config['password'] ) ) {
	http_response_code( 500 );
	exit( 'Database configuration is unavailable.' );
}

/** MySQL database name */
define( 'DB_NAME', $config['db'] );

/** MySQL database username */
define( 'DB_USER', $config['username'] );

/** MySQL database password */
define( 'DB_PASSWORD', $config['password'] );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Do not leave the credentials lying around in a global for later code */
unset( $config );

Then create the wp.ini file in the /outwwwdirectory/ directory with the following content (quote the password, because characters such as ; = and # have a special meaning in .ini files):

db = YOUR DATABASE NAME
username = DATABASE USER NAME
password = "DATABASE USER PASSWORD"

The file must be readable by the user the PHP process runs as and by nobody else (for example mode 640, owned by root and the web server's group); storing it outside the document root achieves nothing if every local account can read it.

Also, because PHP may only open files under the paths listed in open_basedir, the directory /outwwwdirectory/ must be added to the open_basedir value in the website's Apache httpd configuration:

php_admin_value open_basedir /home/web/website.com/public_html:/home/web/outwwwdirectory

Here :/home/web/outwwwdirectory was appended to the existing value. Note that php_admin_value only applies when PHP runs as an Apache module; with PHP-FPM the same setting belongs in the pool configuration as php_admin_value[open_basedir].
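The steps above (create the file outside the web root, restrict its permissions, extend open_basedir) are easy to get subtly wrong, so here is an added example, not code from the original page, that deploys the wp.ini file and checks the result. The document root, the ini path, the vhost file and the group www-data are placeholders; the group must be whichever group the PHP worker runs as.

```shell
# Added example (not from the original page): deploy wp.ini outside the
# document root with owner/group-only permissions and verify the setup.
# Assumptions: paths and the web server group are placeholders; the vhost
# file uses the "php_admin_value open_basedir ..." form shown on the page.

# install_wp_ini INI_PATH DOCROOT DB_NAME DB_USER DB_PASSWORD WEB_GROUP
install_wp_ini() {
    ini="$1"; docroot="$2"; db="$3"; user="$4"; pass="$5"; grp="$6"
    case "$ini" in
        "$docroot"/*) echo "refusing: $ini is inside the document root $docroot" >&2; return 1 ;;
    esac
    mkdir -p "$(dirname "$ini")"
    # umask 027 so the file is never world-readable, not even for an instant;
    # the password is quoted because ; = # are special in .ini syntax
    # (a password containing a double quote must be escaped separately)
    ( umask 027
      printf 'db = %s\nusername = %s\npassword = "%s"\n' "$db" "$user" "$pass" > "$ini" )
    chgrp "$grp" "$ini"
    chmod 640 "$ini"
}

# check_wp_ini INI_PATH DOCROOT VHOST_CONF -> 0 if the file is outside the
# web root, not readable by others, and its directory is in open_basedir
check_wp_ini() {
    ini="$1"; docroot="$2"; vhost="$3"; rc=0
    case "$ini" in
        "$docroot"/*) echo "ini file is inside the document root" >&2; rc=1 ;;
    esac
    mode=$(stat -c %a "$ini")
    [ "$mode" = "640" ] || [ "$mode" = "600" ] || { echo "ini mode is $mode, want 640 or 600" >&2; rc=1; }
    dir=$(dirname "$ini")
    # substring check of the open_basedir value against the ini directory
    grep -E '^[[:space:]]*php_admin_value[[:space:]]+open_basedir[[:space:]]' "$vhost" | grep -qF -- "$dir" \
        || { echo "open_basedir in $vhost does not include $dir" >&2; rc=1; }
    return $rc
}

# Usage on the server:
#   install_wp_ini /home/web/outwwwdirectory/wp.ini /home/web/website.com/public_html wpdb wpuser 'DB PASSWORD' www-data
#   check_wp_ini   /home/web/outwwwdirectory/wp.ini /home/web/website.com/public_html /etc/apache2/sites-enabled/website.com.conf
```

Run check_wp_ini again after any hosting or PHP change: a vhost rewritten by a control panel silently drops the extra open_basedir entry, and WordPress then fails with the 500 error from wp-config.php rather than with a usable hint.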

Encryption of the WordPress database is also possible; however, if such measures become a requirement, it is time to consider another CMS or solution for the website.

WordPress Login Protection

If additional scripts such as phpMyAdmin are available on the server, make sure these tools are reachable only from allowed IP addresses.

Restrict access to /wp-admin/ via .htaccess (placed in wp-admin). The exception for admin-ajax.php is needed because themes and plugins call that file for anonymous visitors too; without it, front-end features that use AJAX break for everyone outside the allowed IPs.

Order Deny,Allow
Deny from all
Allow from YourIP_1
Allow from YourIP_2
<Files "admin-ajax.php">
        Order Allow,Deny
        Allow from all
</Files>

On Apache 2.4 the Order/Deny/Allow directives only work with mod_access_compat loaded; the native equivalent is a single Require ip line listing the allowed addresses.

Restrict access to /wp-login.php via .htaccess (placed in www):

<Files "wp-login.php">
        Order Deny,Allow
        Deny from all
        Allow from YourIP_1
        Allow from YourIP_2
</Files>

If access from a dynamic IP address is required, Apache basic authentication (an .htpasswd file, with password hashes generated by Apache's htpasswd utility using bcrypt) can replace the IP restriction rule. This puts a second, independent password in front of wp-login.php, so a leaked WordPress password alone is not enough. Basic authentication sends the credentials with every request, only base64-encoded, so it is only acceptable over HTTPS.

For a higher level of security, a two-step (two-factor) authentication plugin may be installed in addition; however, the .htaccess restriction by IP, or .htpasswd with its own username and password, is still required, because a plugin only takes effect after the request has already reached WordPress and its PHP code.

Software/Plugins Update

– Install only verified plugins with a good rating and history
– Download plugins only from reliable websites (the official WordPress.org directory or the vendor's own site), never from third-party "nulled" copies
– Install as few plugins as possible
– Check all plugins; disable and remove those not in use (a deactivated plugin's files are still on disk and can still be requested over HTTP, so deactivating is not enough)

The web server software, WordPress core, and all plugins and themes should always be up to date; this is the basic WordPress security requirement.

Remove WordPress unused files

Check which files in the /www/ directory are not used by WordPress and the installed plugins, and remove the files that are not needed for the website to work.

Usually these are:

wp-activate.php (multisite account activation)
wp-comments-post.php (comment form handler; needed if comments are enabled)
wp-config-sample.php (template only, never used at run time)
wp-signup.php (multisite registration)
wp-trackback.php (trackback receiver)
xmlrpc.php (XML-RPC API used by Jetpack and the mobile apps; a common target for password brute forcing and pingback abuse)

However, do not delete files outright: move them one at a time to another folder and check the website's functionality after each move. Before moving a file, read about the functions it provides and decide whether to remove it. Keep in mind that a WordPress core update puts these files back, so either repeat the check after every update or block them at the web server level in addition.
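The move-one-file-and-check procedure above, as an added example that is not code from the original page: the functions move a single file from the document root into a quarantine directory, record it in a manifest, and can put it back if the site check fails. The document root, the quarantine directory and the site URL in the usage comment are placeholders; the file list is the one given on this page.

```shell
# Added example (not from the original page): quarantine the usually unneeded
# WordPress entry points one at a time, with a manifest for reversal.
# Assumptions: DOCROOT / QUARANTINE are placeholders; the list below is the
# page's own list of candidate files.

WP_OPTIONAL_FILES="wp-activate.php wp-comments-post.php wp-config-sample.php wp-signup.php wp-trackback.php xmlrpc.php"

# quarantine_wp_file DOCROOT QUARANTINE FILE -> moves one file out of the
# web root and appends its name to QUARANTINE/MANIFEST
quarantine_wp_file() {
    docroot="$1"; q="$2"; f="$3"
    [ -f "$docroot/$f" ] || { echo "skip: $f not present in $docroot" >&2; return 1; }
    mkdir -p "$q"
    mv "$docroot/$f" "$q/$f" && printf '%s\n' "$f" >> "$q/MANIFEST"
}

# restore_wp_file DOCROOT QUARANTINE FILE -> puts one file back (used when
# the functionality check after a move fails) and drops it from the manifest
restore_wp_file() {
    docroot="$1"; q="$2"; f="$3"
    [ -f "$q/$f" ] || { echo "skip: $f is not quarantined" >&2; return 1; }
    mv "$q/$f" "$docroot/$f"
    grep -vx "$f" "$q/MANIFEST" > "$q/MANIFEST.tmp" || true
    mv "$q/MANIFEST.tmp" "$q/MANIFEST"
}

# list_present DOCROOT -> prints the optional files that are still reachable;
# run it after every core update, since updates restore these files
list_present() {
    docroot="$1"
    for f in $WP_OPTIONAL_FILES; do
        [ -f "$docroot/$f" ] && echo "$f"
    done
    return 0
}

# Usage on the server: move one file, check the site, undo on failure
#   for f in $WP_OPTIONAL_FILES; do
#       quarantine_wp_file /home/web/website.com/public_html /home/web/quarantine "$f" || continue
#       curl -fsS -o /dev/null https://website.com/ \
#           || restore_wp_file /home/web/website.com/public_html /home/web/quarantine "$f"
#   done
```

The curl check in the usage comment only proves the front page still renders; for wp-comments-post.php and xmlrpc.php the real test is posting a comment or using the feature (Jetpack, mobile app) that depends on the file.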

Restrict WordPress work files

The remaining files available in /www/ (except index.php) should be closed to web requests via .htaccess (placed in www). wp-config.php, wp-settings.php and wp-load.php are only ever included by PHP and are never legitimately requested by a browser; wp-cron.php is requested by WordPress from itself to run scheduled tasks, and wp-mail.php by the post-by-email feature, so the server's own IP address must stay allowed for those, or the line can be removed if scheduled tasks are run from system cron instead (define DISABLE_WP_CRON in wp-config.php and call wp-cron.php from crontab). The wp-login.php rule is the same one as in the login protection section. After applying the rules, confirm that scheduled posts and plugin cron jobs still run; a few older plugins also request wp-load.php directly and will need an exception.

<FilesMatch "^(wp-config|wp-settings|wp-load|wp-cron|wp-mail)\.php$">
        Order Deny,Allow
        Deny from all
        Allow from SERVER IP
</FilesMatch>

<Files "wp-login.php">
        Order Deny,Allow
        Deny from all
        Allow from YourIP_1
        Allow from YourIP_2
</Files>

As with the wp-admin rules, this is the Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use Require ip SERVER_IP and Require ip YourIP_1 YourIP_2 inside the same containers. Blocking HTTP access to wp-config.php is a second line of defence; the file should in any case not be readable by other local users (mode 640 or 600).

WordPress SSL

TLS (the certificate is still commonly called an "SSL certificate") is strictly required whenever the website processes payments or users can send or receive confidential data. In practice every WordPress site falls into that category, because the administrator's password and the session cookie are confidential data: without HTTPS they travel in cleartext on every login and every /wp-admin/ request, and the IP and .htpasswd restrictions above can be bypassed by anyone who captures that cookie on the way. A website served over HTTPS also gets a positive ranking influence.

We are ready to set up SSL for your website for an affordable $72
$22 – COMODO Essential Certificate included

Order now -> WordPress SSL Setup

If you already have an SSL certificate, just uncheck the SSL Registration Provisioning service and pay $25 for the SSL setup only.

WordPress Firewall

Use a firewall (a cloud web application firewall such as Cloudflare) when it is really required, either as a web cache solution or as an attack prevention tool. The basic free plan may have a negative influence on search engine ranking, because other free-plan users who set up Cloudflare share the same nameservers. So it is strongly recommended to understand the firewall's features before setting it up. Note also that a cloud firewall only protects requests that pass through it: if the server's own IP address stays reachable, an attacker who finds it (for example through DNS history or an e-mail header) bypasses the firewall entirely, so the web server should accept HTTP(S) connections only from the firewall provider's published IP ranges.

https://www.cloudflare.com/plans/#compare-features

We provide the basic Cloudflare firewall setup for a one-time payment of just $50

Order Now -> WordPress Base Firewall Setup

WordPress Backup

Back up WordPress on a regular basis. The backup process can be implemented at different levels. For example, DigitalOcean provides automatic weekly image-level backups of the virtual server (in the example here, copies 20, 13 and 6 days old were available). Website backup files should also be downloaded regularly to a location outside the hosting account, because a backup that lives only on the same server or in the same provider account disappears together with the site if that account is compromised. If you do not want to store a snapshot (image) of the whole virtual server as in the example, you can set up your own automatic backup process for free by saving a copy of the www directory and a mysqldump file of the database. Either way, a backup contains wp-config.php and the database credentials, so protect the copies as carefully as the server, and test a restore from time to time.
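The "copy of the www directory plus a mysqldump" approach above, as an added example that is not code from the original page. It archives the document root and the database dump together, writes a SHA-256 checksum so a damaged copy is detected before it is needed, restricts the archive's permissions (it contains wp-config.php), and prunes old copies. Paths and the database name are placeholders; mysqldump is expected to find its credentials in a MySQL option file (for example ~/.my.cnf with mode 600) rather than on the command line, and DUMP_CMD can be overridden to test the script without a database.

```shell
# Added example (not from the original page): file + database backup with
# integrity checksum and retention.
# Assumptions: DOCROOT, BACKUP_DIR, DB_NAME are placeholders; mysqldump reads
# its credentials from an option file; GNU tar/find/sha256sum are available.

: "${DUMP_CMD:=mysqldump --single-transaction --routines}"

# backup_wp DOCROOT BACKUP_DIR DB_NAME KEEP_DAYS -> prints the new archive path
backup_wp() {
    docroot="$1"; dest="$2"; db="$3"; keep="$4"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    work=$(mktemp -d)
    mkdir -p "$dest"
    # Database first; if the dump fails there is no point in keeping the files
    $DUMP_CMD "$db" > "$work/db.sql" || { rm -rf "$work"; echo "database dump failed" >&2; return 1; }
    tar -C "$(dirname "$docroot")" -czf "$work/www.tar.gz" "$(basename "$docroot")"
    name="wp-backup-$stamp.tar"
    archive="$dest/$name"
    tar -C "$work" -cf "$archive" db.sql www.tar.gz
    ( cd "$dest" && sha256sum "$name" > "$name.sha256" )
    # The archive holds wp-config.php and the dump: owner-only access
    chmod 600 "$archive" "$archive.sha256"
    rm -rf "$work"
    # Retention: drop copies older than KEEP_DAYS
    find "$dest" -maxdepth 1 -name 'wp-backup-*' -mtime +"$keep" -delete
    echo "$archive"
}

# verify_backup ARCHIVE -> 0 if the checksum matches and both members exist
verify_backup() {
    archive="$1"
    ( cd "$(dirname "$archive")" && sha256sum -c --quiet "$(basename "$archive").sha256" ) >/dev/null 2>&1 || return 1
    tar -tf "$archive" | grep -qx db.sql || return 1
    tar -tf "$archive" | grep -qx www.tar.gz
}

# Usage (daily from cron), then copy the archive off the server, e.g. with
# rsync or scp to a machine that the web server cannot log in to:
#   a=$(backup_wp /home/web/website.com/public_html /home/web/backups wpdb 14) && verify_backup "$a"
```

Restoring is the reverse: extract db.sql and www.tar.gz from the archive, load the dump with the mysql client into an empty database, and unpack the www tree over a fresh WordPress install. Doing this once on a spare virtual server is the only way to know the backup is usable.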

Privacy Policy

Create a document that gives detailed information about the data the server receives when web users interact with the website. Specify which data is stored and for what exact purposes it may be used.

That’s all.

In other words, WordPress security requires as few plugins as possible, a safe environment, and some time spent on maintenance.