Follow the guidelines in here to make your WP site more secure. Some of what is in here will be redundant if you’ve already read the Best Practices article. Big whoop…wanna fight about it?
Ok here is the list with links to resources with more info. Go through this when you make your site, and life will be rosier for everyone.
- Keep the WordPress Core and Plugins Up-to-Date

Pretty self-explanatory. WordPress releases security and maintenance updates pretty often and so do responsible plugin developers. Keep that shit updated. WP has auto-updates built in and turned on by default. Do not disable that unless you absolutely have to for some reason. Also never alter the WP core code directly.

- Delete Shit You Aren’t Using

WordPress comes pre-packaged with themes and plugins, and WP sites have a tendency to rack up plugins over time. If they aren’t being used, remove them.

- Push Uploads (Especially User-Submitted Content) to S3

If you have file uploads for users, with a Gravity Form, for example, make sure those files are pushed to S3 and removed from the WP server.

- Plugins and Themes

If you are using plugins and/or themes that you did not build, review them thoroughly: read reviews, scan through the code, and check Google to see if there is anything out there about a security risk related to the theme or plugin. I have a list of plugins I’ve reviewed and use all the time, so check that out. WPE also has a banned plugin list that’s worth reading.

- Sanitize All User Inputs

WP has a bunch of great functions for sanitizing user-submitted data.

- Enqueue Your Scripts and Style Sheets

Rather than hard-coding them into the theme header and footer, scripts and stylesheets should pass through the WP enqueue functions. This prevents collisions with other scripts and allows you to load them only when and where you need to. Ref: https://developer.wordpress.org/reference/functions/wp_enqueue_script/

- Use WordPress Functions to Accomplish the Tasks You Need Accomplished in Your Site

WordPress bakes a lot of security into its functions, and as core updates roll out, using WP functions helps ensure site stability. For 99% of the work you do in WordPress, you should be able to use WP functions, along with your custom filters, to accomplish your goals.

- Custom Database Prefix

It’s debatable how much this helps in terms of security, but it’s easy to do (defined in the wp-config.php file), so you might as well.

- Always Use the wpdb Class for Custom Interactions with the Database

If you find yourself in a situation where WordPress just doesn’t have a method for you to access your data the way you want, use the wpdb class to interact with the database. And remember our mention of the database prefix above? Always reference this prefix using $wpdb->prefix. This will keep any custom tables inside the WordPress ecosystem, and they will subsequently benefit from WP’s baked-in security. Ref: https://codex.wordpress.org/Class_Reference/wpdb

- Lock Down the Admin

Don’t let people in who shouldn’t be, and don’t give people more permissions than they need. Most clients never need higher than “Editor” level permissions. For sites that have public sign-up, make sure those people are only granted “Subscriber” level and that (unless specifically required by the site) Subscribers cannot access the WP-Admin. Disable signups on sites that don’t need them. Ref: https://codex.wordpress.org/Roles_and_Capabilities

- Change/Remove the Default Admin Account

No one needs a user named “admin”. Come on. Low-hanging fruit.

- Lock Down Discussion Settings

Check out my discussion settings guide for more info.

- Define the SALT in the wp-config.php

Get those security keys defined.

- Use SSL Whenever You Possibly Can

There’s lots of ways to set this up, but letsencrypt.com is free and easy.

- Disable the Plugin/Theme Editor

Throw this in the wp-config.php to prevent the editing of plugins and themes from the wp-admin:

define( 'DISALLOW_FILE_EDIT', true );

- Secure the WP REST API

If you are using the WP REST API for anything more than getting a feed of already public data, such as writing/updating/getting secure data/etc., make sure to secure your endpoints with authentication.
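Here is how the sanitizing, wpdb and REST authentication items fit together in one custom endpoint. This is an added example, not code from the original post; the `mysite/v1` namespace, the `site_notes` table and the `edit_posts` capability are assumptions.

```php
<?php
// Added example (not from the original post): one custom REST endpoint that
// ties three items together: it requires authentication (permission_callback),
// it sanitizes the caller's input, and it reads a custom table through $wpdb
// using $wpdb->prefix and $wpdb->prepare(). The namespace 'mysite/v1', the
// table 'site_notes' and the 'edit_posts' capability are assumptions.

add_action( 'rest_api_init', function () {
    register_rest_route( 'mysite/v1', '/notes', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'mysite_get_notes',
        // Without this callback anyone on the internet could read the table.
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },
        'args' => array(
            'author' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
                'validate_callback' => function ( $value ) {
                    return is_string( $value ) && strlen( $value ) <= 60;
                },
            ),
        ),
    ) );
} );

function mysite_get_notes( WP_REST_Request $request ) {
    global $wpdb;
    // $wpdb->prefix picks up whatever prefix wp-config.php defines, so the
    // custom table stays inside the WordPress namespace.
    $table  = $wpdb->prefix . 'site_notes';
    $author = $request->get_param( 'author' ); // already run through sanitize_text_field

    // Never build the query by concatenating user input into the SQL string;
    // prepare() binds $author as a value, so quotes in it cannot alter the query.
    $rows = $wpdb->get_results(
        $wpdb->prepare( "SELECT id, title FROM {$table} WHERE author = %s LIMIT 50", $author ),
        ARRAY_A
    );
    // Escape on output as well; the data may end up rendered in a page.
    $notes = array_map( function ( $row ) {
        return array( 'id' => (int) $row['id'], 'title' => esc_html( $row['title'] ) );
    }, $rows ? $rows : array() );

    return rest_ensure_response( $notes );
}
```

A request that carries no WordPress credentials (logged-in cookie plus REST nonce, or an application password) is seen by `current_user_can()` as an anonymous user, so the permission callback returns false and WordPress rejects the call before `mysite_get_notes()` ever runs.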
OWASP has a comprehensive guide that is broader than what I have covered here. It includes a lot of stuff that we don’t really have control over in managed hosting environments, but it’s not a bad idea to give it a glance if you feel so inclined.