WordPress Security Solutions
A website is often the front door to a business, yet if it is not kept under control it is easily compromised. WordPress is the most popular CMS (Content Management System) for websites. It is estimated to be in use on 75% of CMS sites and to have twice the total installations of its closest rival, Drupal. That is hardly surprising, and neither is the fact that, with such a large installed base, WordPress sites are a magnet for hackers.
Restricting account access and passwords is a good place to start. WordPress accounts do not usually allow access to all files on the server, although some plugins can override this (and ought to be avoided). Some of the built-in roles are so restrictive as to be close to useless. ‘Administrator’ allows full access, but ‘Editor’ is sufficient for content creation without the ability to alter the functionality of the site. On the dashboard the ‘Media’ option does allow files to be uploaded and modified. This should be restricted to true ‘read only’ media files: images, video, perhaps PDF documents. Some plugins allow other file types to be uploaded; again, these should be avoided (there is a pattern emerging here). Access to the host will of course allow any files to be uploaded and modified. WordPress administration will only occasionally need access to the site host, so that access should be restricted. Another part of the WordPress puzzle is the MySQL database that holds the site content. This is protected by a username and password. Unfortunately these are stored in clear text within the wp-config.php file, so access to the hosted web files also gives access to the database.
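The three points above (keep Media uploads to read-only types, keep administrators out of the site's files, and protect the clear-text credentials in wp-config.php) can be enforced from inside WordPress with a must-use plugin. The following is an added example written for this article, not code from WordPress or from the author; the allow-list of file types, the function names and the plugin file name are its own assumptions.

```php
<?php
/**
 * Plugin Name: Upload and file-edit hardening (added example)
 * Description: Added example, not code from the article. Restricts Media uploads
 *              to read-only media types, turns off the dashboard file editor and
 *              warns if wp-config.php is readable by every account on the host.
 *
 * Install as wp-content/mu-plugins/upload-hardening.php so it loads before any
 * ordinary plugin can widen the upload allow-list. The allow-list below and the
 * function names are this example's own choices (assumptions), not WordPress defaults.
 */

if ( ! defined( 'ABSPATH' ) ) {
    return; // Loaded outside WordPress: nothing to do.
}

/**
 * Replace WordPress's default extension => MIME-type map with a short allow-list.
 * Anything absent from the returned array is rejected by the Media uploader, so
 * PHP, HTML, SVG and other scriptable types never reach wp-content/uploads that way.
 * PHP_INT_MAX priority makes this run after plugins that try to add types.
 */
function example_hardening_upload_mimes( array $mimes ): array {
    return array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
        'webp'         => 'image/webp',
        'mp4|m4v'      => 'video/mp4',
        'webm'         => 'video/webm',
        'pdf'          => 'application/pdf',
    );
}
add_filter( 'upload_mimes', 'example_hardening_upload_mimes', PHP_INT_MAX );

/**
 * Remove the Appearance > Theme File Editor and Plugins > Plugin File Editor
 * screens, so an Administrator login alone cannot rewrite PHP on the server.
 * wp-config.php is the documented place for this constant; defining it here
 * also works because WordPress reads it when it checks the edit_files,
 * edit_plugins and edit_themes capabilities.
 */
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}

/** Locate wp-config.php: WordPress accepts it in ABSPATH or one directory up. */
function example_hardening_config_path(): ?string {
    foreach ( array( ABSPATH . 'wp-config.php', dirname( ABSPATH ) . '/wp-config.php' ) as $path ) {
        if ( is_file( $path ) ) {
            return $path;
        }
    }
    return null;
}

/**
 * The database username and password sit in wp-config.php in clear text, so the
 * file mode is what keeps other accounts on the host away from them. True when
 * the "other" read bit (0004) is set.
 */
function example_hardening_config_world_readable(): bool {
    $path = example_hardening_config_path();
    if ( null === $path ) {
        return false;
    }
    return (bool) ( fileperms( $path ) & 0004 );
}

/** Dashboard notice for administrators while the file stays world-readable. */
function example_hardening_admin_notice(): void {
    if ( ! current_user_can( 'manage_options' ) || ! example_hardening_config_world_readable() ) {
        return;
    }
    echo '<div class="notice notice-error"><p>'
        . esc_html__( 'wp-config.php is readable by every account on this host and it holds the database password in clear text. Tighten its permissions (for example chmod 440).', 'example-hardening' )
        . '</p></div>';
}
add_action( 'admin_notices', 'example_hardening_admin_notice' );
```

A must-use plugin cannot be deactivated from the dashboard, which is the point: an ordinary plugin that widened the upload list would load after this one and lose. Note that DISALLOW_FILE_EDIT only removes the in-dashboard editors; it does not stop plugin or theme installation, and it does nothing about an account that already has host access, which the article rightly says should be limited to the few occasions it is needed.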
WordPress does its best to keep itself secure, and the first line of defence for any WordPress user is to keep to the most up-to-date version. Updates will either auto-install or WordPress will warn that a new version is available and suggest that it be applied. WordPress runs on PHP, which is in turn regularly updated, but applying PHP updates usually has to be done manually. Not keeping PHP up to date is another security vulnerability, but it is not as easy to fix as updating WordPress: the process requires direct access to the host rather than the WordPress dashboard. Some WordPress plans only allow access to the WordPress dashboard and not the underlying site, with the plan provider looking after all hosting duties. This can be a good solution for a simple, low-maintenance site. Some hosting plans limit the ability to upgrade PHP. If a plan will not allow PHP to be upgraded to the minimum recommended by WordPress, the site should be moved to another host at the first opportunity, as the solution is insecure and not fit for purpose.
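Because a PHP upgrade happens on the host and not in the dashboard, the dashboard is a good place to be told that one is due. The following is an added example, not code from the article or from WordPress: a must-use plugin that compares the interpreter serving the site with the floor that WordPress core declares for itself and with a recommended version the administrator sets. The recommended version is a placeholder (the article gives no number), and the constant, function and file names are this example's own assumptions.

```php
<?php
/**
 * Plugin Name: PHP version notice (added example)
 * Description: Added example, not code from the article. Compares the PHP
 *              interpreter serving the site with the minimum WordPress core
 *              declares and with a recommended version the administrator sets,
 *              and shows a dashboard notice when the host falls behind either.
 *
 * Install as wp-content/mu-plugins/php-version-notice.php.
 */

if ( ! defined( 'ABSPATH' ) ) {
    return;
}

// PLACEHOLDER (assumption): set this to the PHP version WordPress currently
// recommends. The article gives no number and this example does not hard-code one.
if ( ! defined( 'EXAMPLE_RECOMMENDED_PHP' ) ) {
    define( 'EXAMPLE_RECOMMENDED_PHP', '0.0' );
}

/**
 * Work out where the running PHP stands. $required_php_version is set by
 * wp-includes/version.php and is the oldest PHP the installed core will run on.
 * Falling below it breaks the site; falling below the recommended version is
 * the condition the article says should prompt an upgrade or a change of host.
 */
function example_php_version_status( string $running = PHP_VERSION ): array {
    $required = isset( $GLOBALS['required_php_version'] ) ? $GLOBALS['required_php_version'] : '0.0';
    return array(
        'running'           => $running,
        'required'          => $required,
        'recommended'       => EXAMPLE_RECOMMENDED_PHP,
        'below_required'    => version_compare( $running, $required, '<' ),
        'below_recommended' => version_compare( $running, EXAMPLE_RECOMMENDED_PHP, '<' ),
    );
}

/** Red notice when core's own floor is missed, amber when only the recommendation is. */
function example_php_version_notice(): void {
    if ( ! current_user_can( 'update_core' ) ) {
        return;
    }
    $s = example_php_version_status();
    if ( ! $s['below_required'] && ! $s['below_recommended'] ) {
        return;
    }
    $class = $s['below_required'] ? 'notice-error' : 'notice-warning';
    $text  = sprintf(
        /* translators: 1: running PHP, 2: required PHP, 3: recommended PHP */
        __( 'This site runs on PHP %1$s. WordPress requires at least %2$s and the recommended version is %3$s. Upgrading PHP needs host access; if the hosting plan does not allow it, move the site to a host that does.', 'example-php-notice' ),
        $s['running'],
        $s['required'],
        $s['recommended']
    );
    printf( '<div class="notice %s"><p>%s</p></div>', esc_attr( $class ), esc_html( $text ) );
}
add_action( 'admin_notices', 'example_php_version_notice' );
```

PHP_VERSION here is the interpreter the web server hands WordPress requests to, which on many hosts differs from what `php -v` prints in a shell; checking from inside WordPress avoids being reassured by the wrong binary.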
An inherent problem with WordPress is that sites tend to look the same and that customisation options are limited. The original purpose of WordPress was to host blog posts. Many users now want a lot more content and functionality than a repository for short stories can offer.
This is where themes and plugins come in, adding much to WordPress but opening up possible security holes. Themes are displayed on the ‘Appearance’ menu. A theme will be one of three kinds: a stock theme available to any WordPress user, a child theme that indicates some customisation of a more general theme, or a bespoke coded solution. A theme includes PHP and JavaScript code, so it is more dangerous than the CSS and HTML markup used in simpler web pages. Themes that are no longer in use can be deleted from the system within the WordPress dashboard.
Plugins could prove a bigger security issue. When choosing a new plugin, look at the user rating and version compatibility. If a plugin has been in use for a while, check these details as well as when it was last updated. WordPress continues to evolve, but plugin designers are under no obligation to keep their creations in line with it. The older a plugin, the more time the hacker community has had to develop and distribute attacks through it. Some plugins obviously interact directly with the WordPress database; forms, for example, as they use it to store user data. Many others also interact with the WordPress file system or database but are not obviously doing so. If something needs to interact with WordPress in any way other than a simple web read, then it must have been granted access, and a hacker will exploit that access to cause harm to the system. Deleting files, adding SPAM posts and setting redirects to malicious sites are popular starting points. In addition to any direct harm, Google will detect malicious elements, restrict the site’s search results and warn users not to visit it.
Some plugins are so obviously beneficial that they will be deployed. Site administrators need to consider whether a plugin is really necessary and not flood the dashboard with plugins that are not contributing to the site or are obviously breaking WordPress’ rules (such as uploading exe files). Plugins can be deactivated to see what effect this has and, if not in use, should be deleted. This removes any risk from residual code left on the server.
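The checks the last two paragraphs ask for (when a plugin was last updated, whether it is tested against the current WordPress, and which plugins are sitting deactivated on disk) can be automated. The following is an added example written for this article, not code from WordPress or from the author. It uses get_plugins() and is_plugin_active() from wp-admin and plugins_api() to ask wordpress.org for each plugin's directory record; the 365-day staleness threshold, the WP-CLI command name and the function names are its own assumptions.

```php
<?php
/**
 * Plugin Name: Plugin inventory audit (added example)
 * Description: Added example, not code from the article. Counts inactive
 *              plugins (deletion candidates) for a dashboard notice and, under
 *              WP-CLI, lists every plugin with its last update date on
 *              wordpress.org and whether it is tested against the running core.
 *
 * Install as wp-content/mu-plugins/plugin-audit.php. The 365-day threshold,
 * the command name and the function names are this example's own assumptions.
 */

if ( ! defined( 'ABSPATH' ) ) {
    return;
}

const EXAMPLE_STALE_DAYS = 365; // Assumption: a year without an update counts as stale.

/** Load the admin-side helpers that front-end and CLI requests do not include. */
function example_audit_load_helpers(): void {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    if ( ! function_exists( 'plugins_api' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    }
}

/** Plugins present on disk but switched off: residual code with no benefit. */
function example_audit_inactive_plugins(): array {
    example_audit_load_helpers();
    $inactive = array();
    foreach ( get_plugins() as $file => $header ) {
        if ( ! is_plugin_active( $file ) ) {
            $inactive[ $file ] = $header['Name'];
        }
    }
    return $inactive;
}

/**
 * Full inventory with directory data. Plugins not hosted on wordpress.org
 * (bespoke or commercial) make plugins_api() return WP_Error; their directory
 * columns stay "unknown" rather than being guessed.
 */
function example_audit_plugins(): array {
    example_audit_load_helpers();
    $rows = array();
    foreach ( get_plugins() as $file => $header ) {
        $slug = dirname( $file );                // "akismet/akismet.php" -> "akismet"
        if ( '.' === $slug ) {
            $slug = basename( $file, '.php' );   // single-file plugin in the plugins root
        }
        $row = array(
            'name'         => $header['Name'],
            'version'      => $header['Version'],
            'active'       => is_plugin_active( $file ) ? 'yes' : 'no',
            'last_updated' => 'unknown',
            'stale'        => 'unknown',
            'tested_wp'    => 'unknown',
        );
        $info = plugins_api( 'plugin_information', array(
            'slug'   => $slug,
            'fields' => array( 'last_updated' => true, 'tested' => true, 'sections' => false ),
        ) );
        if ( ! is_wp_error( $info ) && ! empty( $info->last_updated ) ) {
            $updated             = strtotime( $info->last_updated );
            $row['last_updated'] = gmdate( 'Y-m-d', $updated );
            $row['stale']        = ( time() - $updated ) > EXAMPLE_STALE_DAYS * DAY_IN_SECONDS ? 'yes' : 'no';
            $row['tested_wp']    = version_compare( (string) $info->tested, $GLOBALS['wp_version'], '>=' ) ? 'yes' : 'no';
        }
        $rows[] = $row;
    }
    return $rows;
}

/** Cheap notice on every admin page: no network calls, just the inactive list. */
function example_audit_admin_notice(): void {
    if ( ! current_user_can( 'delete_plugins' ) ) {
        return;
    }
    $inactive = example_audit_inactive_plugins();
    if ( empty( $inactive ) ) {
        return;
    }
    printf(
        '<div class="notice notice-warning"><p>%s</p></div>',
        esc_html( sprintf(
            '%d inactive plugin(s) still on disk: %s. Delete them if they are not coming back.',
            count( $inactive ),
            implode( ', ', $inactive )
        ) )
    );
}
add_action( 'admin_notices', 'example_audit_admin_notice' );

/** The slow full audit (one API call per plugin) sits behind: wp example-audit */
if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::add_command( 'example-audit', function () {
        WP_CLI\Utils\format_items( 'table', example_audit_plugins(),
            array( 'name', 'version', 'active', 'last_updated', 'stale', 'tested_wp' ) );
    } );
}
```

The two halves are deliberately split: the admin notice costs one directory read and runs on every dashboard page, while the full audit makes a remote call per plugin and so only runs when asked for from WP-CLI. A plugin that shows "unknown" in every directory column is not necessarily bad, but it is one whose update history has to be checked by hand, which is exactly the case the article says needs the most attention.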