WordPress is a well-organized, free-to-use content management system.
A wide range of plugins makes it possible to extend and modify the default interface.
Installing a plugin is easy and requires no technical skills; however, as soon as a plugin is installed, its PHP code runs as part of the WordPress installation, with the same privileges as WordPress core.
The consequence: not only is the WordPress source code open, the code of any plugin can be studied by anyone who installs the same plugin on their own WordPress, attackers included.
As a result, each new plugin is a potential WordPress security issue and deserves attention in each case.
Of course this does not mean there are no safe WordPress plugins at all, but plugins are just one side of WordPress security.
You cannot guarantee WordPress security in general using plugins alone: a plugin runs inside the web server's PHP process, with the limits that implies, and covers only one part of the website's security.
WordPress security consists of:
WordPress Database Security [if required]
WordPress Firewall [if required]
Secure WordPress Hosting
1. The website should be on a dedicated IP address.
This also has a positive influence on website ranking.
When many websites share one IP, a search engine bot may measure your website's metrics while taking the stats of the neighbouring websites into account.
2. The website should be on its own virtual server.
On a shared host every other customer's code runs on the same machine as your site; on your own virtual server only your own accounts can log in. Note that the hosting provider still has hypervisor-level access to a virtual server, so this isolates you from other tenants, not from the provider itself.
3. Secure WordPress hosting can be implemented only on a virtual server from a reliable hosting provider. We recommend Digital Ocean, but there are many other companies with a good reputation.
Restrict Connection
Non-trivial usernames (do not use admin)
Long passwords that include special symbols (for example, a 24-character password)
Restrict access to the web server via SSH: a non-trivial login username, key-based authentication instead of passwords, no direct root login, and SSH reachable only from your own IP address (AllowUsers in sshd_config and/or a firewall rule on port 22)
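The SSH part of the "Restrict Connection" list, as an added example that is not code from the original page: a small POSIX shell script that applies the settings to an sshd_config file idempotently. The login name wpadmin, the management address 203.0.113.10 and the config path are placeholders (assumptions), and the script assumes the file has no Match blocks; try it on a copy before touching /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not code from the original page: apply the "Restrict Connection" settings
# to an sshd_config file idempotently. The login name "wpadmin", the management address
# 203.0.113.10 and the config path are placeholders (assumptions); no Match blocks assumed.
set -eu

# set_sshd_option FILE KEY VALUE
# Rewrites an existing "KEY value" line (active or commented out), or appends one, so that
# running the script twice does not add duplicate lines.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
        sed -i -E "s|^[#[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# harden_sshd FILE ADMIN_USER ALLOWED_IP
# Key-only login, no root login, no password guessing, and the one admin user accepted only
# from the management address (AllowUsers user@host is matched by sshd against the client IP).
harden_sshd() {
    file=$1; admin_user=$2; allowed_ip=$3
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" PasswordAuthentication no
    set_sshd_option "$file" PubkeyAuthentication yes
    set_sshd_option "$file" MaxAuthTries 3
    set_sshd_option "$file" AllowUsers "${admin_user}@${allowed_ip}"
}

# sshd_option FILE KEY: effective value (first active line wins, as sshd itself reads it)
sshd_option() {
    grep -E "^${2}[[:space:]]" "$1" | head -n1 | awk '{print $2}'
}

# Constructed sample resembling a stock sshd_config (placeholder content, not a real host)
demo_config=$(mktemp)
cat > "$demo_config" <<'EOF'
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
#PubkeyAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
harden_sshd "$demo_config" wpadmin 203.0.113.10
cat "$demo_config"
# On the real host: harden_sshd /etc/ssh/sshd_config wpadmin <your IP>, check with "sshd -t",
# and restart sshd only while a second session is open and key login has been confirmed.
```

Install your public key in the admin user's authorized_keys before running this, and keep the current session open while you test a fresh login: with PasswordAuthentication off and AllowUsers set, a typo in the IP locks you out.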
WordPress Database Security
If such a prevention step is required, the WordPress database credentials can be stored outside the /www/ directory in an .ini file, so that the web root itself contains no password (a misconfigured PHP handler serving wp-config.php as text, or a copy of the web root ending up somewhere public, then no longer exposes it).
wp-config.php
// Inside wp-config.php, in place of the usual DB_* defines: read the credentials
// from an .ini file that lives outside the web root
$config = parse_ini_file('/outwwwdirectory/wp.ini');
// Fail closed if the file is missing, unreadable or incomplete: never continue with
// empty credentials, and do not echo the path to the visitor
if ($config === false || !isset($config['db'], $config['username'], $config['password'])) {
    http_response_code(500);
    exit('Database configuration unavailable');
}
define( 'DB_NAME', $config['db'] );
/** MySQL database username */
define( 'DB_USER', $config['username'] );
/** MySQL database password */
define( 'DB_PASSWORD', $config['password'] );
/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
For this, a wp.ini file has to be created in the /outwwwdirectory/ directory with the content:
db = YOUR DATABASE NAME
username = DATABASE USER NAME
password = "DATABASE USER PASSWORD"
Put the password in double quotes: unquoted, characters such as ?{}|&~![()^" have a special meaning to parse_ini_file(). Make the file readable only by the user PHP runs as (for example chown root:www-data and chmod 640), and keep it out of any directory that is served by the web server or copied to a public location.
Also, in this case the directory /outwwwdirectory/ has to be listed in open_basedir in the Apache httpd configuration of the website, otherwise PHP refuses to open a file outside the web root:
php_admin_value open_basedir /home/web/website.com/public_html:/home/web/outwwwdirectory
Here :/home/web/outwwwdirectory was added. Note what this does and does not protect: the credentials are no longer exposed through the web root, but code that already runs inside PHP (a malicious or vulnerable plugin, for example) can read the .ini file just as easily as it could read wp-config.php.
Encryption of the WordPress database can also be implemented; however, if such a security step becomes required, it is time to look for another CMS engine or solution to run the website.
WordPress Login Protection
If additional scripts, for example phpMyAdmin, are available on the server, make sure these tools are reachable only from allowed IP addresses.
Restrict access to /wp-admin/ via .htaccess (in wp-admin):
Order Deny,Allow
Deny from all
Allow from YourIP_1
Allow from YourIP_2
Restrict access to /wp-login.php via .htaccess (in www):
<Files "wp-login.php">
Order Deny,Allow
Deny from all
Allow from YourIP_1
Allow from YourIP_2
</Files>
If access from a dynamic IP address is required, Apache .htpasswd basic authentication may replace the IP address restriction rule.
Two caveats. First, these rules use the Apache 2.2 access-control syntax (Order/Deny/Allow); on Apache 2.4 they only work while mod_access_compat is loaded, and the native equivalent is Require ip YourIP_1 YourIP_2 (or Require valid-user together with .htpasswd). Second, /wp-admin/admin-ajax.php is called by many plugins and themes for anonymous visitors too, so after restricting /wp-admin/ check the site as a logged-out user and, if something breaks, add a Files section for admin-ajax.php that allows everyone.
For a high level of security a two-step authentication plugin can be installed in addition; however, the .htaccess rule with the restriction by IP, or .htpasswd with access only by username and password, is still required: a plugin can be switched off by anything that already executes code on the site, while the .htaccess rule is enforced by the web server before WordPress runs at all.
Software/Plugins Update
– Install only verified plugins with a good rating and history
– Download plugins only from reliable websites (the official wordpress.org directory, or the vendor's own site for paid plugins; never "nulled" copies, which are a common carrier of backdoors)
– Install as few plugins as possible
– Check all plugins; disable and remove those not in use (the files of a deactivated plugin are still on disk and still reachable over HTTP, so deactivating alone is not enough)
Web server software, WordPress and WordPress plugins should always be up to date; it is the basic WordPress security requirement.
Remove WordPress unused files
Check which files in the /www/ directory are not used by WordPress and the plugins, and remove the files that are not needed for the stable operation of the WordPress website.
Usually these are:
wp-activate.php
wp-comments-post.php
wp-config-sample.php
wp-signup.php
wp-trackback.php
xmlrpc.php
However, do not delete the files: move them one by one to another folder and check the website's functionality after each move. Before moving a file, read about the functions it provides and decide whether to remove it or not. For example, xmlrpc.php is used by the WordPress mobile apps, Jetpack and remote publishing clients, but it also accepts system.multicall requests that let an attacker try many passwords in a single HTTP request, and pingback requests that can be abused to make your server send traffic to third parties; wp-trackback.php and wp-comments-post.php are only needed while trackbacks and comments are enabled; wp-signup.php and wp-activate.php are only needed while user registration or multisite sign-up is enabled.
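The "move, do not delete" procedure above, as an added example that is not code from the original page: a POSIX shell script that lists which plugin or theme files mention an entry point (so you know what to read before moving it), moves the file into a quarantine folder outside the web root with a log entry, and puts a single file back when a functionality check fails. The document root, the quarantine path and the plugin contents in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original page: take the listed entry points out of the
# web root one at a time, keep them in a quarantine folder outside it, and put one back when
# a functionality check fails. WWW and QUARANTINE are placeholder paths (assumptions).
set -eu

# The files the page lists as usually unneeded.
CANDIDATES="wp-activate.php wp-comments-post.php wp-config-sample.php wp-signup.php wp-trackback.php xmlrpc.php"

# referenced_by WWW NAME: plugin and theme files that mention NAME, to read before moving it.
referenced_by() {
    grep -rl --include='*.php' -- "$2" "$1/wp-content" 2>/dev/null || true
}

# quarantine_file WWW QUARANTINE NAME: move one file out of the document root and log the move.
quarantine_file() {
    www=$1; q=$2; name=$3
    [ -f "$www/$name" ] || { echo "skip: $name not present" >&2; return 0; }
    mkdir -p "$q"
    mv -- "$www/$name" "$q/$name"
    printf '%s\t%s\n' "$name" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$q/moved.log"
    echo "moved: $name -> $q/$name"
}

# restore_file WWW QUARANTINE NAME: undo one move after the site check failed.
restore_file() {
    www=$1; q=$2; name=$3
    [ -f "$q/$name" ] || { echo "nothing to restore for $name" >&2; return 1; }
    mv -- "$q/$name" "$www/$name"
    echo "restored: $name"
}

# Demo on a constructed fake document root (no real WordPress install needed).
demo_www=$(mktemp -d); demo_q="$demo_www.quarantine"
mkdir -p "$demo_www/wp-content/plugins/legacy"
for f in index.php wp-login.php $CANDIDATES; do : > "$demo_www/$f"; done
printf '<?php // talks to xmlrpc.php\n' > "$demo_www/wp-content/plugins/legacy/legacy.php"

echo "xmlrpc.php is referenced by:"; referenced_by "$demo_www" xmlrpc.php
for f in $CANDIDATES; do
    quarantine_file "$demo_www" "$demo_q" "$f"
    # Real workflow: test the site here (registration, comments, Jetpack/app access) before the next move.
done
restore_file "$demo_www" "$demo_q" wp-comments-post.php   # comments turned out to be in use
ls "$demo_www"
```

The quarantine folder must itself be outside the web root, otherwise the moved file is still reachable by URL; moved.log records the order of moves so a later "site is broken" report can be traced to a specific file.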
Restrict WordPress work files
The remaining files available in /www/ (except for index.php) should be closed to web requests via .htaccess (in www). Put the server IP where a file is requested by the server itself (wp-cron.php is triggered by WordPress through a loopback request to its own address), or remove that line if the file is never requested directly. After adding the rules, check the site once more: some badly written plugins and themes load wp-load.php directly from the browser and will stop working. These directives are Apache 2.2 syntax; on Apache 2.4 they require mod_access_compat, or should be written as Require all denied and Require ip SERVER_IP instead.
<Files "wp-load.php">
Order Deny,Allow
Deny from all
Allow from SERVER IP
</Files>
<Files "wp-login.php">
Order Deny,Allow
Deny from all
Allow from YourIP_1
Allow from YourIP_2
</Files>
<Files "wp-config.php">
Order Deny,Allow
Deny from all
Allow from SERVER IP
</Files>
<Files "wp-cron.php">
Order Deny,Allow
Deny from all
Allow from SERVER IP
</Files>
<Files "wp-mail.php">
Order Deny,Allow
Deny from all
Allow from SERVER IP
</Files>
<Files "wp-settings.php">
Order Deny,Allow
Deny from all
Allow from SERVER IP
</Files>
WordPress SSL
In fact, SSL is necessary whenever the website sends or receives confidential data, and a WordPress website always does: the password typed into wp-login.php and the admin session cookies are confidential data, and over plain http they travel in clear text. A website served over https also gets a positive ranking influence. If the website processes payments or lets users send or receive any other confidential data, SSL is strictly required. After the certificate is installed, set the site address to https and redirect http to https, so that no login or cookie is ever sent unencrypted.
We are ready to set up SSL for your website for an affordable $72
$22 – COMODO Essential Certificate included
Order now -> WordPress SSL Setup
If you already have an SSL certificate, just uncheck the SSL Registration Provisioning service and pay $25 for the SSL Setup only.
WordPress Firewall
Use a firewall where it is really required, as a web cache solution or as an attack prevention tool. A service of the Cloudflare type filters HTTP traffic in front of the site; it does not replace the server's own packet firewall or the .htaccess rules. Two things to know before switching it on: behind Cloudflare, Apache sees Cloudflare's addresses as the client IP, so IP-based .htaccess rules stop working until the real client address is restored (mod_remoteip with the CF-Connecting-IP header), and the origin server should accept HTTP only from Cloudflare's published IP ranges, otherwise the firewall is bypassed by connecting to the server's IP directly. The basic free plan can also have a negative influence on website ranking in search engines, because other free-plan users who set up Cloudflare share the same NS servers. So it is strongly recommended to understand the firewall features before setting it up.
https://www.cloudflare.com/plans/#compare-features
We provide the basic Cloudflare firewall setup for just a $50 one-time payment
Order Now -> WordPress Base Firewall Setup
WordPress Backup
Back up WordPress on a regular basis. The backup process can be implemented at different levels. For example, Digital Ocean provides automatic snapshot backups of the whole virtual server (in the example, snapshots 20, 13 and 6 days old). Backup files should also be downloaded regularly to a location outside the server: a backup that exists only on the failed or compromised machine is lost with it. If you prefer not to store a snapshot (image) of the virtual server, as in the example, you can set up any other automatic backup process for free, for example saving a copy of the www directory and a mysqldump file of the database. In either case, restore a backup on a test system from time to time to prove it works, and protect the backup files as carefully as the site itself, since they contain wp-config.php with the database credentials and the full user table.
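The "copy of the www directory and a mysqldump file" option, as an added example that is not code from the original page: a POSIX shell backup script with retention, meant to run from cron. It reads the database credentials from a wp.ini file with the db, username and password keys of the database section and hands them to mysqldump through a temporary --defaults-extra-file, so the password never appears on the command line or in ps. All paths are placeholders (assumptions), and mysqldump is assumed to be installed on the host; the demo at the bottom exercises only the file half on a constructed fake site.

```shell
#!/bin/sh
# Added example, not code from the original page: file + database backup with retention,
# meant to run from cron. Database credentials come from the wp.ini file of the database
# section (db=, username=, password=), passed to mysqldump through a temporary
# --defaults-extra-file so the password never appears on the command line or in "ps".
# All paths are placeholders (assumptions); mysqldump is assumed to be installed on the host.
set -eu

# ini_get FILE KEY: value of a "KEY = value" line, trailing blanks and surrounding quotes removed.
ini_get() {
    sed -n -E "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1" | head -n1 \
        | sed -E 's/[[:space:]]+$//; s/^"(.*)"$/\1/'
}

# backup_files WWW OUTDIR STAMP: archive the whole document root; prints the archive path.
backup_files() {
    tar -czf "$2/www-$3.tar.gz" -C "$(dirname "$1")" "$(basename "$1")"
    echo "$2/www-$3.tar.gz"
}

# backup_db INI OUTDIR STAMP: consistent dump of the WordPress database; prints the dump path.
# Not piped into gzip, so a failing mysqldump aborts the run (set -e) instead of leaving an
# empty archive behind.
backup_db() {
    ini=$1; out=$2; stamp=$3
    cnf=$(mktemp)                      # mktemp creates the file with mode 0600
    printf '[client]\nuser=%s\npassword="%s"\n' \
        "$(ini_get "$ini" username)" "$(ini_get "$ini" password)" > "$cnf"
    mysqldump --defaults-extra-file="$cnf" --single-transaction \
        "$(ini_get "$ini" db)" > "$out/db-$stamp.sql"
    rm -f "$cnf"
    gzip -f "$out/db-$stamp.sql"
    echo "$out/db-$stamp.sql.gz"
}

# prune_backups OUTDIR KEEP_DAYS: delete archives older than KEEP_DAYS; prints how many remain.
prune_backups() {
    find "$1" -maxdepth 1 -type f \( -name 'www-*.tar.gz' -o -name 'db-*.sql.gz' \) \
        -mtime +"$2" -delete
    find "$1" -maxdepth 1 -type f \( -name 'www-*.tar.gz' -o -name 'db-*.sql.gz' \) | wc -l | tr -d ' '
}

# run_backup WWW INI OUTDIR KEEP_DAYS: the cron entry point. The archives contain wp-config.php
# and the users table, so they are created owner-readable only (umask 077); OUTDIR should be
# outside the web root and copied off the server afterwards.
run_backup() {
    umask 077
    mkdir -p "$3"
    stamp=$(date -u +%Y%m%d-%H%M%S)
    backup_files "$1" "$3" "$stamp"
    backup_db "$2" "$3" "$stamp"
    prune_backups "$3" "$4" >/dev/null
}

# Demo of the file half on a constructed fake site (mysqldump is not called here).
demo_www=$(mktemp -d)/public_html
mkdir -p "$demo_www/wp-content/uploads"
echo '<?php // placeholder wp-config' > "$demo_www/wp-config.php"
demo_out=$(mktemp -d)
backup_files "$demo_www" "$demo_out" demo
echo "archives kept: $(prune_backups "$demo_out" 30)"
# Real use from cron, e.g. at 03:17 every night:
#   17 3 * * * /usr/local/sbin/wp-backup.sh
# where the script ends with:
#   run_backup /home/web/website.com/public_html /home/web/outwwwdirectory/wp.ini /home/web/backups 30
```

The cron job should run as a user that can read the web root and the wp.ini file but is not the web server user, so that a compromised PHP process cannot read or delete the archives; copying the backups off the server (scp, rclone, object storage) is a separate step that the script deliberately leaves to the host's tooling.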
Privacy Policy
Create a document that gives detailed information about the data the server receives when web users interact with the website. Specify which data is stored and for what exact purposes it may be used.
That’s all.
In other words, WordPress security requires fewer plugins, a safe environment, and some time spent on maintenance.