In recent years, open-source content management systems (CMS) have gained popularity because the software is freely available and backed by large, active communities. However, because the source code is public, anyone, including attackers, can study it for weaknesses. Security should therefore be a top priority for anyone choosing an open-source solution.
According to WordPress.org, 28% of the web currently uses WordPress, making it a big target for hackers. Since WordPress is one of the most popular content management systems and is known for having one of the most supportive coding communities out there, things are usually well coded, and security precautions are taken very seriously. As long as you’re taking all of the proper precautions while coding your website, using as much core WordPress functionality as possible, and staying up-to-date, then you’re going to be in a pretty safe place.
Hosting Environment
Choosing a hosting service that has appropriate security protocols is incredibly important to securing an open-source site. A few rules of thumb in choosing a hosting service are:
- Set up each website in its own FTP user environment. If one website is infected or hacked, this isolation limits the damage and keeps the other websites from being exposed.
- Use SFTP. SFTP is file transfer over Secure Shell (SSH). SFTP provides an encrypted connection to and from your server for transferring files.
- Use different passwords throughout your hosting account. Using different passwords for your hosting account and each FTP user within the account adds multiple layers of security throughout your hosting environment.
- Never share your primary hosting account details. Most hosting providers will allow you to invite users to your accounts as administrators under their own user accounts. This helps prevent someone from stealing your account down the road.
- Set up HTTPS/SSL. We’re at a point where SSL certificates are free (thanks to Let’s Encrypt) unless you need a fancy extended validation certificate. There’s no reason you shouldn’t be taking advantage of the extra layer of security that an encrypted connection to and from your website provides. This will also promote your ranking on Google.
Here are some additional useful configurations for your .htaccess configuration file: https://gist.github.com/stesab92/daf8a710c69fa7dec40996c5d83f285c
File Permissions
Your file permissions should be set up as follows:
- Folders should be set to 755.
- Files should be set to 644.
- Avoid setting any folders or files to 777.
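As an added example (not code from the original article), here is a small PHP audit that walks a site tree, reports every entry whose mode differs from the 755/644 baseline, and flags world-writable (777-style) entries; the path in the usage comment is an assumption.

```php
<?php
// Added example, not from the original article. Audits a directory tree
// against the 755 (directories) / 644 (files) baseline described above.

/**
 * Return one [path, actual_mode, expected_mode, world_writable] row for every
 * entry under $root whose mode differs from the baseline. World-writable
 * entries are called out because any local user could alter site code.
 */
function audit_permissions(string $root): array {
    $findings = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iter as $path => $info) {
        $mode     = fileperms($path) & 0777;      // drop file-type bits
        $expected = $info->isDir() ? 0755 : 0644;
        if ($mode !== $expected) {
            $findings[] = [$path, decoct($mode), decoct($expected), (bool) ($mode & 0002)];
        }
    }
    return $findings;
}

/** chmod every deviating entry back to the baseline; returns the count changed. */
function apply_baseline(string $root): int {
    $changed = 0;
    foreach (audit_permissions($root) as [$path, $actual, $expected]) {
        if (chmod($path, octdec($expected))) {
            $changed++;
        }
    }
    return $changed;
}

// Usage (assumes the site lives at /var/www/example; adjust to your host):
// foreach (audit_permissions('/var/www/example') as [$p, $a, $e, $ww]) {
//     printf("%s is %s, expected %s%s\n", $p, $a, $e, $ww ? ' (WORLD-WRITABLE)' : '');
// }
```

Run the audit first and review the list before calling apply_baseline(), since some hosts require a different mode for cache or upload directories.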
Coding Securely
When you are working with a CMS, things need to be tailored to that system’s best coding practices to ensure long term support and a secure website.
Use Core Functionality
You should use officially supported WordPress functions wherever possible. This ensures that you’re always utilizing the latest technology, security implementations, and bug fixes deployed by the WordPress community. It also helps to ensure that things will not break when you update your website.
Prevent Direct Access to Includes
You can prevent direct access to includes by adding the code below to the top of your PHP file. This code isn’t required for every file, but some scripts are a security hazard if they can be requested directly. For example, say the script makes a medium-large call to the database; if someone figures out where this file is located, they can spam requests to that script to mount a DoS/DDoS attack.
<?php
// If WordPress isn't loaded (wp-load.php defines ABSPATH), kill the script
// before it does any work.
if (!defined('ABSPATH')) {
    exit;
}
?>
Restrict Cron Script Execution
A script that is meant to be run from the server’s crontab should refuse to run when it is requested over the web. Add this check to the top of the script:
<?php
// If the script is being run in any way other than from the command line
// (for example over HTTP), kill the script.
if (php_sapi_name() !== 'cli') {
    exit;
}
?>
Other Priorities
Remember to always sanitize request data on the way in and escape it on the way out, using the appropriate WordPress methods, to prevent injection attacks. Also, make sure all database queries are properly cleaned and prepared before execution.
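To make this concrete, here is an added example (not from the article) showing the same post search written unsafely and then with WordPress core helpers; it assumes WordPress is loaded so $wpdb, sanitize_text_field(), wp_unslash() and esc_html() are available.

```php
<?php
// Added example, not from the original article. Same feature, two versions.

// UNSAFE: raw request data goes straight into SQL and straight into HTML.
function search_posts_unsafe(): void {
    global $wpdb;
    $term = $_GET['q'];                                      // untrusted input
    $rows = $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_title LIKE '%$term%'"
    );                                                       // SQL injection
    foreach ($rows as $row) {
        echo "<li>{$row->post_title}</li>";                  // XSS on output
    }
}

// HARDENED: sanitize on input, bind values with prepare(), escape on output.
function search_posts_safe(): void {
    global $wpdb;
    // wp_unslash() undoes WordPress's magic-quotes-style slashing;
    // sanitize_text_field() strips tags, octets and control characters.
    $term = sanitize_text_field(wp_unslash($_GET['q'] ?? ''));
    if ($term === '') {
        return;
    }
    // prepare() binds %s/%d placeholders; esc_like() neutralizes % and _
    // so the user cannot widen the LIKE pattern.
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_status = 'publish' AND post_title LIKE %s LIMIT %d",
        '%' . $wpdb->esc_like($term) . '%',
        20
    );
    foreach ($wpdb->get_results($sql) as $row) {
        // Escape for the HTML context at the moment of output, not earlier.
        echo '<li>' . esc_html($row->post_title) . '</li>';
    }
}
```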
Security Software/Plugins
It is important to have some sort of security implementation in place to prevent the following issues:
- Brute Force Attacks. This occurs when someone issues login attempts (often from an automated script) until they find the password that works. Proper brute force protection only allows a certain number of login attempts every “so many” seconds. It should also ban the IP if there are a certain number of failed login attempts within a specific amount of time.
- DoS/DDoS Attacks. This is when someone sends more requests than your server can handle, causing it to run out of memory and go down. A powerful server helps, but a smart attacker will target pages that make large database calls or use large amounts of memory, since those aid the attack and bring your website down faster. You can prevent this by only allowing a certain number of requests to these areas within a specific amount of time. If appropriate, you can restrict direct access to these areas as well.
- Form Spam. We all know how annoying spam can be. This is usually a simple fix and just a matter of adding Google reCAPTCHA to your forms to eliminate the spam problems you are having.
There are great tools available to protect you from the issues listed above. A couple of the more popular tools are Wordfence and Sucuri. Look into solutions to these problems on a per-project basis to suit your security needs.
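As an added example of the brute force protection described above (my own code, not the article’s and not any plugin’s), this mu-plugin counts failed logins per IP with WordPress transients and refuses authentication while an IP is banned; the thresholds and the REMOTE_ADDR assumption are illustrative and should be adjusted for sites behind a proxy.

```php
<?php
// Added example, not from the original article. Drop into wp-content/mu-plugins/.
// Thresholds are assumptions: 5 failures within 15 minutes earns a 1 hour ban.

const BF_MAX_FAILURES = 5;
const BF_WINDOW       = 15 * MINUTE_IN_SECONDS;
const BF_BAN          = HOUR_IN_SECONDS;

function bf_client_ip(): string {
    // REMOTE_ADDR cannot be forged by the client. If the site sits behind a
    // trusted reverse proxy, map the proxy's forwarded-for header here instead.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

// Count each failed login per IP; the counter's expiry is renewed on every
// failure, so the window rolls forward while attempts keep coming.
add_action('wp_login_failed', function (string $username): void {
    $ip  = bf_client_ip();
    $key = 'bf_fail_' . md5($ip);
    $n   = (int) get_transient($key) + 1;
    set_transient($key, $n, BF_WINDOW);
    if ($n >= BF_MAX_FAILURES) {
        set_transient('bf_ban_' . md5($ip), time(), BF_BAN);
        error_log(sprintf('brute-force: banned %s after %d failures (last user %s)',
            $ip, $n, $username));
    }
});

// Refuse authentication while the IP is banned. Priority 30 runs after
// WordPress's own username/password handlers (priority 20).
add_filter('authenticate', function ($user, string $username, string $password) {
    if (get_transient('bf_ban_' . md5(bf_client_ip()))) {
        return new WP_Error('too_many_attempts',
            __('Too many failed login attempts. Please try again later.'));
    }
    return $user;
}, 30, 3);

// Clear the counter on success so legitimate users who mistype are not penalized.
add_action('wp_login', function (string $login, WP_User $user): void {
    delete_transient('bf_fail_' . md5(bf_client_ip()));
}, 10, 2);
```

Transients stored in the database are per-site, so for a multi-server setup use an object cache (or your hosting provider’s firewall) to make the ban consistent across nodes.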
Maintenance
The maintenance of your website is key to keeping it secure and performing at its best. The most important maintenance tasks are to:
- Keep up-to-date. The more frequently you update WordPress, the higher the probability nothing will break and everything will run smoothly during and after the update. Updates also keep your website secure and running at its best. One tool I use to manage multiple websites under a maintenance plan is ManageWP.
- Set up Backups. You should have backups set up for your individual needs. We recommend a 3-2-1 backup strategy as a start. This means you keep one backup on your local machine, one on an external storage device locally, and one remotely (preferably in the cloud). Not only does this give you multiple backups, but the local copies let you restore data in a time of need at much faster transfer rates.
WordPress is a great content management system when properly implemented and secured. Once set up correctly it’s typically just a matter of staying up-to-date and updating deprecated code as WordPress advances. Think I’m missing anything from this article? Feel free to leave comments below.