WordPress Application Security

WordPress user management

Requires proofreading - Requires Peer Review

Generic

A key component to keeping your site safe is to audit who you are granting access to and what frequently privileges you grant them, using the principle of 'least privilege'.

WordPress has default roles and capabilities, but these can also be extended by a theme or plugin, so it's good to check what your application can do in this regard. Reducing the number of users on your site can reduce the risk of privilege escalation. Reducing the privileges reduces the risk of users having unintended access. You could also consider the following:

• Automatically remove, deactivate or de-privilege users based on conditions
• Authenticate with a corporate identity linked to corporate emails
• Remove access when a user has left the organisation
• Do not use admin accounts to publish content
• Do not use usernames as display names
• Reduce users
• Reduce privileges
• Change the default administrator's username

WordPress media management

Requires proofreading - Requires Peer Review

Generic

A key component to keeping your site safe is to frequently audit what you are uploading to your server, as If not blocked, files can be found via the WP Rest API or indexing.

• Is any of the media sensitive or private?
• Does any of the media contain PII?
• Are you uploading any other non-standard file formats, like SVG?

User audit logging

Requires proofreading - Requires Peer Review

Generic

Logging user activity helps with nonrepudiation, i.e. proving a user has done something that they claim not to have. It can also help with debugging issues, compliance and testing. There are also server logs, so checking what can be done at the OS or host level is worthwhile.

Plugins

WordPress has plugins that can help.

Multi/two-factor authentication

Requires proofreading - Requires Peer Review

Generic

Multi or two-factor authentication adds an extra step to the login process so that it requires something the user knows (the password), as well as something the user has (the second factor). This makes it harder for someone to login that only knows the password and username.

Plugins

WordPress has many plugins that offer this functionality.

Limit login attempts

Requires proofreading - Requires Peer Review

Generic

Limiting login attempts helps to prevent brute force attacks, where bad actors try things like numerous combinations of credentials to guess passwords programmatically. This can be mitigated with a WAF (Web Application Firewall), with software on the server, with CAPTCHA and/or a WordPress plugin. It's a good idea to find out what your host and server are doing in this space, too.

Plugins

Some WordPress plugins offer this functionality.

Password policies and password managers

Requires proofreading - Requires Peer Review

Generic

Having a password policy makes guessing passwords or using passwords obtained from data dumps harder for both humans and computers. You might want a password that is easy to remember but difficult to guess or just difficult to guess.

Plugins

You can set password policies in some WordPress plugins.

"I change ALL 300+ passwords twice a year"

"Every password I have is at least 128 characters long with the usual numbers, symbols etc. Not all sites and systems allow this, though, so there are some tweaks. I don't allow simple passwords and will check passwords against known breaches via Wordfence/other plugins."

"Have used Wordfence for some time, and even its default defences are robust"

Password manager

You may need a password manager, too, and you may or may not want it backed up and synced in the cloud.

"If 'the cloud' is a worry for some reason with bitwarden, you can self-host it officially - not to be confused with vaultwarden"

Penetration testing, bounties and audits

Requires proofreading - Requires Peer Review

Generic

This area covers a wider range of overlapping work, check the section on scanning too as many aspects there also overlap.

Penetration testing

You can attempt to find vulnerabilities in your application through penetration testing. This varies in scope and method and can be as little as an automated scanner with an automated report right though to full time teams continually trying to gain access both with and without information or access on your systems and code. It is wise to consider who will do the work and how this will be done. You might want to consider using themes and plugins that have had this work done.

Bug bounty

There are bug bounty programs for both the WordPress CMS and Automattic plugins. Some other plugins and themes may also have bug bounty programs too. These programmes encourage people to find and, in turn, fix vulnerabilities in software. It might be worth considering if such a programme would be beneficial to your application, or if you should use themes and plugins that participate in such programmes.

Theme and plugin reviews

Similar to bug bounties and pen tests, code can be reviewed and audited by individuals, companies or software to help identify issues or vulnerabilities in your theme, plugins or integrations.

Malware and vulnerability scanning

Requires proofreading - Requires Peer Review

Generic

It is a good idea to scan your application to check for malware and known vulnerabilities, this can be done with plugins, applications and online web scanners. Your host may already be doing this for you so it's a good idea to look into that first.

Plugins

Malware scanning is a process that detects malicious software on a system, there are various WordPress plugins that can help do this.

Network or external scan

An external scan such as the WPScan CLI tool or Imunify360 could be run from a computer or server. This could be helpful as some malware can stop a plugin or application working effectively.

"If you have multiple sites I think it can get very expensive easily, I decided to get immunify 360 and has been good so far it will try to patch the sites also clean the sites if infected I really like it"

Web scan

An external scan run from a third party online web site.

Malware removal

Requires proofreading - Requires Peer Review

Generic

If you find malware you will need to remove it and then fix the root cause. You might be able to do this with a plugin or two as well as some help from your host. You may need expert help from a sysadmin or a WordPress security expert. How you fix the issue will depend on your set up, access and skill set as well as the root cause and remediation required. You may need to set up a new or clean server and re-build everything from clean sources.

Plugins

Some WordPress plugins can check the integrity of core and plugin files, as well as look for unscrupulous or modified files. Some users like to run multiple tools as some tools can find issues others can't.

Service

Some companies offer services to scan and remove malware on your behalf, some hosts will do this for you too.

Salts, keys and hashes

Requires proofreading - Requires Peer Review

Generic

When you generate a password or log into WordPress your password is mixed with a salt to generate a hash. This hash is then stored in the database meaning WordPress never has your plain text password. This means that if the database is obtained by a bad actor they do not have access to the plain text version of your users passwords.

Spam

Requires proofreading - Requires Peer Review

Generic

WordPress was originally built as a blogging platform so comes built in with commenting functionality, however many WordPress website are not blogs and do not use comments so you may wish to disable these functions.

If you are running a blog you may wish to review the settings to make sure they work for your site. Spam can be relentless if not effectively managed and unnecessary accounts pose the risk of account escalation. Consider the following...

System Emails

Requires proofreading - Requires Peer Review

Generic

WordPress can send emails but reliably sending emails is a complicated matter. You might want to consider how emails are sent to improve the chances of delivery and to avoid block lists. There are also many security protocols around email sending so there is a lot to read.

• Do your emails contain sensitive data?
• Do your emails contain crucial updates?
• Is a form plugin emailing you a customers PII?

Coding best practices

Requires proofreading - Requires Peer Review

Generic

Standards help to avoid common errors, improve readability and make modification easier. It makes the codebase look like it was written by a single person making modification easier.

WordPress APIs

Requires proofreading - Requires Peer Review

Generic

WordPress has many public rest API endpoints, you should check you are happy with their default configuration.

Media API

When an image is uploaded to the WordPress media library that information can often be accessible by the public using the WordPress media API. You should consider reviewing your media or disabling access to help ensure no data is unintentionally exposed.

Users API

The WordPress API allows for username enumeration, WordPress considers the username as public, but many user may wish to hide this information from the public.

XMLRPC API

This core API was introduced to enable 3rd party apps to integrate with WordPress. Unless required it is recommended by many to disable access.

Admin URL

Requires proofreading - Requires Peer Review

Generic

Changing the admin URL can break your sites functionality and this is consider by many as security through obscurity, WordFence advise against this, but many WordPress users do change the admin URL.

De bugging

Requires proofreading - Requires Peer Review

Generic

De bugging tools can be used to show detailed information about errors. But you will want to make sure debugging is not available to the public on a production environment.

Forms

Requires proofreading - Requires Peer Review

Generic

Many WordPress sits add form plugins, forms can be a fantastic tool but they can also be used to send malicious content or files to a server so extra care must be taken.

• Is the input data sanitized?
• Is the input data sensitive or PII?
• Is the user uploading files?
• ... if so where, what type of files, how big, and are they secure file types?
• Is the data being send in plain text via email?
• Is the data being stored in your database?
• Can anyone fill out the form or should the user be logged in?
• Do you need a CAPATCHA?
• Do you need a honeypot?
• Can this be a 3rd party tool embeded?

File editing

Requires proofreading - Requires Peer Review

Generic

Some users like to be able to edit files via WordPress, however this can lead to your site being broken. WordPress advises against enabling file editing.

Theme and plugin updates

Requires proofreading - Requires Peer Review

Generic

The core CMS, themes and plugins in the WordPress repository can be set to auto update, this is a hot topic. Some perfere to autoupdate as many plugin related security fixes are automatically applied without the need to log in. Some think the risk of an updated plugin breaking your site is a bigger risk. Either way you will want to decided whats best for you and your situation. Many people like to take backups and test any changes on a test environment before they are released to production.

Unused themes and plugins

Requires proofreading - Requires Peer Review

Generic

Consider deactivating and removing all unused themes and plugins.

Web application firewalls

Requires proofreading - Requires Peer Review

Generic

Firewalls can monitor, filter and block traffic traffic between end users and your application, these can be added at the network, host or application level. You may already be using a solution that provides some protection so consider what you already have in place. There are pros and cons to each combination so think about what is right for you and your users.

"If you don't use a waf you're doing it wrong"

Domain Name System WAF

A DNS level firewall will help stop malicious activity getting to your server in the first place, potentially taking some of the pressure off your host and application.

"The benefit of using cloudflare is that their WAF doesn't use your servers resources. A simple way to take down a web server is to flood it with traffic."

A popular DNS WAF solution is CloudFlare, they are widely used and have a free plan. Some managed hosts also offer a DNS WAF as part of their product offering, so it would be wise to see if your host is helping too.

"I'm using Cloudflare for many sites, and am a fan of the service. It's nice that it blocks so many bots and other nasty crap before it even touches the web server. Unfortunately, not everyone wants to, or can give up control of their DNS to Cloudflare. We have a lot of banks and hospitals as clients who it's not a good fit for."

Host or operating system WAF

A WAF can be installed on the operating system or server, many hosts will have a WAF running on their servers, you should ask your host to see how they are helping. Using a WAF at the network VS the application or host will have pros and cons to consider.

"Any decent host has DDOS protection and Firewall Tool. If you are at some of EIG hosts or at shared plan, it's hard to be isolated from overflow attacks, no WAF can help you there."

"Sysadmins hosting WordPress should run modsecurity."

Application WAF

Plugins

WordFence have a huge number of downloads in the WordPress repository, and on those numbers it's the most used plugin based WAF. PatchStack is also a wildly discussed and praised plugin in the Redit foum. WordPress plugins often come bundled with has many features, so you might already be using a plugin that has a WAF and not even know it! It's a good idea to audit your plugins to see where your features overlap or have gaps.

"Wordfence. It's the best out of the box solution and even the free tier offers excellent protection. Spend some time reading the documentation then some more time setting it up as you require."

"a shared host running, say, ten wp instances, each with its own instance of wordfence is wasting resources." "WordFence is an example of how messy things get when WordPress Administrator gets blurred with the sysadmin role."

"I like patchstack because it's really simple to set up and understand."

Security headers

Requires proofreading - Requires Peer Review

Generic

Security headers can be modified to control things like what iframes can do with your users data

• Can an iframe access the microphone or camera or other data from the device?
• Do you mind if the user clicks a link that website knows the user came from your website?
• Do you mind which scripts can be embeded in the CMS?
• Do you mind what domains can be iframed into your site?
• Do you mind which domains can iframe your site?
• Do you want to force HTTPS connections?

This is quite complex, so it is best to consult an expert.

Back ups

Requires proofreading - Requires Peer Review

Generic

Many hosting companies also provide services, so consider that when making a plan.

Consider having a tested disaster recovery or business continuity plan.

"Schedule daily, weekly or monthly backups. Send backups to remote servers (AWS S3, Dropbox, Google Drive) or your local machine."

Plugins

If you do not have a host or server set up that provides adequate back ups then you may wish to use a backup plugin to provide automated backs ups.

"I don't like AIO because it uses a proprietary zip format. I've used Updraft for over 10 years, on hundreds of sites, its never failed me."

Certifications and bodies

Requires proofreading - Requires Peer Review

Generic

When working with suppliers it’s a good idea to understand the certifications and governing bodies they may belong to, this can but is not always be a good barometer to their understanding of security. You can also understand take a vendor security assessment using a framework to ascertain a suppliers security maturity.

HTTPS TLS SSL

Requires proofreading - Requires Peer Review

Generic

This is something that cannot be done in the application and has to be done on the host or server. However this is worth a mention as it will be important for many to secure.

Setting up an SSL certificate is now pretty standard for most websites. With Let’sEncrypt it’s often very easy and free, many hosting companies will offer free SSL certificates from Let’sEncrypt. It’s a good idea to check you SSL certificates is valid and to make sure you are using modern TLS versions.

Domain names

Requires proofreading - Requires Peer Review

Generic

This is something that cannot be done in the application and has to be done on the host or server. However this is worth a mention as it will be important for many to secure.

Securing access to your domain registrar, Name Server and domain name system records is good idea. Unauthorised access to these systems can lead to traffic and data being diverted or domains being transferred. It might be useful to monitor domain squatting to potentially reduce fishing. Audits should be carried out on all systems.

Version control

Requires proofreading - Requires Peer Review

Generic

This is something that cannot be done in the application and has to be done on the version control system. However this is worth a mention as it will be important for many to secure.

When managing code in a version control system, care must be taken to manage what is and is not tracked in such a system. Having secretes, passwords, credentials or keys tracked can provide a bad actor with access if they gain control of such a system and care should be taken if they are in the code of commit history. Some hosted version control system offer additional features such as code scanning and commit scanning to help reduce this type of data entering the system. Some systems also help with managing issues and vulnerabilities reported in any software your code is dependent on. As with managing user access to the CMS access to version control systems should also be audited.

Server user management

Requires proofreading - Requires Peer Review

Generic

This is something that cannot be done in the application and has to be done on the host or server. However this is worth a mention as it will be important for many to secure.

You should speak with your host or sysadmin to make sure this is secure. You might want to check the following

• Who has access?
• How do they have access? SSH SFTP
• Is the access audited?
• What ports are open?
• Are there any access rules?
• How and when are things patched and updated?
• Is directory browsing blocked?
• is access to files and directories restricted?
• Is PHP script execution forbidden in non essential directories (uploads, includes, cache etc)?

In short it’s best to speak to an expert here.

Or outsource to a very good managed host, take a look at the hosting guides on the right hand side of this page.