The good stuff...
WordPress user management
Requires proofreading - Requires Peer Review
Generic
A key component to keeping your site safe is to frequently audit who you are granting access to and what
privileges you grant them, using the principle of least privilege.
WordPress has default roles and capabilities, but these can also be extended by a theme or plugin, so it's
good to check what your application can do in this regard. Reducing the number of users on your site can
reduce the risk of privilege escalation. Reducing the privileges reduces the risk of users having unintended
access. You could also consider the following:
- Automatically remove, deactivate or de-privilege users based on conditions
- Authenticate with a corporate identity linked to corporate emails
- Remove access when a user has left the organisation
- Do not use admin accounts to publish content
- Do not use usernames as display names
- Reduce users
- Reduce privileges
- Change the default administrator's username
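As an added example (not from the original page), the checklist above turned into a small audit script. The input records are a constructed sample shaped like the JSON that `wp user list --format=json` prints; the `last_login` and `published_posts` fields, the corporate mail domain and the inactivity threshold are assumptions, since WordPress core does not record login or publishing activity itself and you would get those from a plugin or your own query.

```python
from datetime import date

# Assumptions for this example: your organisation's mail domain and how long an
# account may go unused before it should be deactivated or de-privileged.
CORPORATE_DOMAIN = "example.org"
INACTIVE_DAYS = 90

# Constructed sample, shaped like `wp user list --format=json` output plus two
# fields (last_login, published_posts) that a plugin or your own query would add.
SAMPLE_USERS = [
    {"user_login": "admin", "display_name": "admin", "roles": "administrator",
     "user_email": "it@example.org", "last_login": "2024-03-01", "published_posts": 12},
    {"user_login": "jdoe", "display_name": "Jane Doe", "roles": "editor",
     "user_email": "jdoe@example.org", "last_login": "2024-03-09", "published_posts": 40},
    {"user_login": "contractor1", "display_name": "Contractor", "roles": "administrator",
     "user_email": "dev@freelance.test", "last_login": "2023-06-15", "published_posts": 0},
    {"user_login": "guest_author", "display_name": "Guest Author", "roles": "author",
     "user_email": "guest@example.org", "last_login": "2024-02-20", "published_posts": 3},
]


def audit_users(users, today_iso, corporate_domain=CORPORATE_DOMAIN, inactive_days=INACTIVE_DAYS):
    """Return (user_login, finding) pairs; an empty list means nothing to review.

    Each check maps to one item of the checklist: default admin username,
    username used as display name, admins publishing content, non-corporate
    identities, stale accounts, and the overall number of administrators.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    admins = 0
    for u in users:
        login = u["user_login"]
        is_admin = "administrator" in u["roles"].split(",")
        admins += is_admin
        if login == "admin":
            findings.append((login, "default administrator username; rename it"))
        if u["display_name"] == login:
            findings.append((login, "display name equals username; set a different display name"))
        if is_admin and u["published_posts"] > 0:
            findings.append((login, "administrator account publishes content; use an editor/author account"))
        if not u["user_email"].endswith("@" + corporate_domain):
            findings.append((login, "non-corporate email; confirm the person is still with the organisation"))
        idle = (today - date.fromisoformat(u["last_login"])).days
        if idle > inactive_days:
            findings.append((login, f"no login for {idle} days; deactivate, remove or de-privilege"))
    if admins > 1:
        findings.append(("*", f"{admins} administrators; reduce to the minimum needed"))
    return findings
```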
WordPress User Management
WordPress User Capabilities
MelaPress
Key Takeaway: Consider reviewing your CMS users
WordPress media management
A key component to keeping your site safe is to frequently audit what you are uploading to your server: if
not blocked, uploaded files can be found via the WP REST API or indexing.
- Is any of the media sensitive or private?
- Does any of the media contain PII?
- Are you uploading any other non-standard file formats, like SVG?
WordPress File Uploader
WordPress Media Guide
Key Takeaway: Consider if you need to remove any media from your library
User audit logging
Logging user activity helps with non-repudiation, i.e. proving a user has done something that they claim
not to have. It can also help with debugging issues, compliance and testing. There are also server logs,
so checking what can be done at the OS or host level is worthwhile.
See the conversation
Plugins
WordPress has plugins that can help.
WP Stream
WP Admin Audit
WP Activity Log
Log Dash
Key Takeaway: Consider if you need to know more about what your users are doing in your CMS
Multi/two-factor authentication
Multi- or two-factor authentication adds an extra step to the login process so that it requires something
the user knows (the password) as well as something the user has (the second factor). This makes it harder
for someone who only knows the username and password to log in.
WordPress
Plugins
WordPress has many plugins that offer this functionality.
WordFence
WordPress MFA Plugin
SolidWP
AIOS Plugin
WPMU Defender MFA
Key Takeaway: Consider if and how you are using multi-factor authentication
Limit login attempts
Limiting login attempts helps to prevent brute force attacks, where bad actors try things like numerous
combinations of credentials to guess passwords programmatically. This can be mitigated with a WAF (Web Application Firewall), with
software on the server, with CAPTCHA and/or a WordPress plugin. It's a good idea to find out what your
host and server are doing in this space, too.
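To show what rate limiting actually keys on, here is an added example (not from the original page) that finds bursts of failed logins in a web server access log, much as Fail2Ban's maxretry/findtime or a login-limiting plugin would. The log lines are constructed; it assumes the default /wp-login.php endpoint and that a failed login re-renders the form with HTTP 200 while a successful one redirects with 302, the usual WordPress behaviour.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in Apache/nginx "combined" log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2024:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2024:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2024:12:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2024:12:00:14 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2024:12:00:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2024:12:00:27 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:12:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:12:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:12:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:12:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.77 - - [10/Mar/2024:12:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.77 - - [10/Mar/2024:12:16:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.77 - - [10/Mar/2024:12:22:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.77 - - [10/Mar/2024:12:28:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.77 - - [10/Mar/2024:12:34:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
"""

# Groups: client IP, timestamp, method, request path, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, datetime, method, path, status) or None if the line is not a request log."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    path = m.group("path").split("?")[0]
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def failed_login_bursts(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: peak_count} for IPs with >= threshold failed logins inside `window`.

    A per-IP sliding window: timestamps older than `window` are dropped before
    counting, so a slow trickle of failures is not flagged but a burst is.
    Assumption: POST /wp-login.php answered with 200 is a failed attempt,
    302 a successful one.
    """
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if method != "POST" or path != "/wp-login.php" or status != 200:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged
```

The output is the set of addresses a plugin, WAF or Fail2Ban jail would block; the third client shows why a successful 302 must not be counted, and the last one why a window matters.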
PatchStack Guide
Fail2Ban
Turnstile
Plugins
Some WordPress plugins offer this functionality.
Limit Login Attempts
WordFence
Solid WP
Loginizer
Key Takeaway: Consider limiting the rate at which people can unsuccessfully log in
Password policies and password managers
Having a password policy makes guessing passwords, or using passwords obtained from data dumps, harder for
both humans and computers. You might want passwords that are easy to remember but difficult to guess, or
just difficult to guess.
WordPress.org Guide
WordPress.org Advanced Guide
See the conversation
Plugins
You can set password policies in some WordPress plugins.
"I change ALL 300+ passwords twice a year"
"Every password I have is at least 128 characters long with the usual numbers,
symbols etc. Not all sites and systems allow this, though, so there are some tweaks. I don't allow simple
passwords and will check passwords against known breaches via Wordfence/other plugins."
"Have used Wordfence for some time, and even its default defences are robust"
Solid WP
Mini Orange
WordFence
Password manager
You may need a password manager, too, and you may or may not want it backed up and synced in the cloud.
"If 'the cloud' is a worry for some reason with bitwarden, you can self-host it
officially - not to be confused with vaultwarden"
KeePass
1Password
EnPass
BitWarden
BitWarden Self Hosted
Key Takeaway: Consider creating a password policy
Penetration testing, bounties and audits
This area covers a wide range of overlapping work; check the section on scanning too, as many aspects
there also overlap.
Penetration testing
You can attempt to find vulnerabilities in your application through penetration testing. This varies in
scope and method, from as little as an automated scanner with an automated report right through to full-time
teams continually trying to gain access, both with and without information about or access to your systems
and code. It is wise to consider who will do the work and how it will be done. You might also want to
consider using themes and plugins that have had this work done.
Crest
WordFence
NCSC
Bug bounty
There are bug bounty programmes for both the WordPress CMS and Automattic plugins. Some other plugins and
themes may also have bug bounty programmes. These programmes encourage people to find and, in turn, fix
vulnerabilities in software. It might be worth considering whether such a programme would be beneficial to
your application, or whether you should use themes and plugins that participate in such programmes.
Make WordPress
WordFence
PatchStack
HackerOne
Theme and plugin reviews
Similar to bug bounties and pen tests, code can be reviewed and audited by individuals, companies or
software to help identify issues or vulnerabilities in your theme, plugins or integrations.
WordPress Plugin Checker
PatchStack Audit
Key Takeaway: Consider what checks, audits or reviews you should perform on your codebase
Malware and vulnerability scanning
It is a good idea to scan your application to check for malware and known vulnerabilities. This can be done
with plugins, applications and online web scanners. Your host may already be doing this for you, so it's a
good idea to look into that first.
Plugins
Malware scanning is a process that detects malicious software on a system; there are various WordPress
plugins that can help do this.
MalCare
JetPack Scan
AIOS
WordFence
CleanTalk
Ninja
Quttera
Network or external scan
An external scan, such as the WPScan CLI tool or Imunify360, could be run from a computer or server. This
could be helpful, as some malware can stop a plugin or application working effectively.
"If you have multiple sites I think it can get very expensive easily. I decided
to get Imunify360 and it has been good so far; it will try to patch the sites and also clean the sites if
infected. I really like it"
WPScan
Qualys
ClamAV
Imunify360
Quttera
Google Search Console
Web scan
An external scan run from a third-party online website.
Hacker Target
Sucuri
isitWP
Key Takeaway: Consider scanning your website for vulnerabilities
Malware removal
If you find malware you will need to remove it and then fix the root cause. You might be able to do this
with a plugin or two as well as some help from your host, or you may need expert help from a sysadmin or a
WordPress security expert. How you fix the issue will depend on your setup, access and skill set, as well as
the root cause and the remediation required. You may need to set up a new, clean server and rebuild
everything from clean sources.
See the conversation
WordPress Guide: Remove the Malware
WordPress Guide: Fix the root cause
Plugins
Some WordPress plugins can check the integrity of core and plugin files, as well as look for suspicious or
modified files. Some users like to run multiple tools, as some tools can find issues others can't.
WordFence
GOT MLS
JetPack
Service
Some companies offer services to scan and remove malware on your behalf; some hosts will do this for you
too.
MalCare
Sucuri
Key Takeaway: Consider how you would remove malware should you become infected
Salts, keys and hashes
When you set a password or log into WordPress, your password is mixed with a salt to generate a hash. This
hash is then stored in the database, meaning WordPress never stores your plain-text password. So if the
database is obtained by a bad actor, they do not have access to the plain-text version of your users'
passwords.
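An added example (not WordPress's own code, which hashes passwords in PHP with its own phpass-derived scheme) showing why a dumped user table does not hand over passwords: the salt is stored beside the digest, verification recomputes the digest, and two users with the same password still get different rows. PBKDF2-HMAC-SHA256 stands in for WordPress's algorithm, and the user rows are constructed.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000  # work factor for this example; raise it for real use


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt$digest', using a fresh random salt by default."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "$".join(("pbkdf2_sha256", str(ITERATIONS),
                     base64.b64encode(salt).decode(), base64.b64encode(digest).decode()))


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    _algo, iters, salt_b64, digest_b64 = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 base64.b64decode(salt_b64), int(iters))
    return hmac.compare_digest(digest, base64.b64decode(digest_b64))


def shared_passwords_visible(rows):
    """True if a leaked table shows that two users share a password.

    With a per-user salt the digests differ even for identical passwords, so
    the table reveals neither the password nor who shares one. Without a salt
    (or with one salt for everyone) equal passwords produce equal digests.
    """
    digests = [row["user_pass"].rsplit("$", 1)[-1] for row in rows]
    return len(digests) != len(set(digests))


def build_rows():
    """Constructed wp_users-style rows: two accounts that happen to share a password."""
    return [{"user_login": "alice", "user_pass": hash_password("correct horse battery")},
            {"user_login": "bob", "user_pass": hash_password("correct horse battery")}]
```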
Key Generator
SaltShaker
Wiki Salt
Wiki Hash
Wiki Key
Mela
Key Takeaway: Consider if you should rotate your keys and salts
Spam
WordPress was originally built as a blogging platform, so it comes with commenting functionality built in.
However, many WordPress websites are not blogs and do not use comments, so you may wish to disable these
functions.
If you are running a blog you may wish to review the settings to make sure they work for your site. Spam
can be relentless if not effectively managed, and unnecessary accounts pose the risk of account escalation.
Consider the following:
- block comments containing certain keywords
- queue comments containing links
- verify email addresses before allowing comments
- require commenters to have an account
- close comments on old posts
- approve all comments before publishing
- disable pingbacks
WordPress Settings
AntiSpam Bee
Honeypot
Akismet
Oopspam
Key Takeaway - Consider steps that can be taken to reduce spam.
System Emails
WordPress can send emails, but reliably sending emails is a complicated matter. You might want to consider
how emails are sent to improve the chances of delivery and to avoid block lists. There are also many
security protocols around email sending, so there is a lot to read.
- Do your emails contain sensitive data?
- Do your emails contain crucial updates?
- Is a form plugin emailing you a customer's PII?
See the conversation
PHP Mail in WordPress
WP Mail SMTP
Wiki SPF
Wiki DMARC
Wiki DKIM
MX Tool Box
Debouncer
Key Takeaway - Consider how important deliverability is to your application and if sensitive data is being
sent via email in clear text.
Coding best practices
Coding standards help to avoid common errors, improve readability and make modification easier. They make
the codebase look like it was written by a single person, which makes it easier to change.
WordPress Coding Standards
More WordPress Coding Standards
Plugin Checker Plugin
WPVIP standards
10Up Standards
Key Takeaway - Consider what standards you should have for your application.
WordPress APIs
WordPress has many public REST API endpoints; you should check you are happy with their default
configuration.
WordPress REST API Handbook
Media API
When an image is uploaded to the WordPress media library, that information is often accessible to the
public via the WordPress media API. You should consider reviewing your media or disabling access to help
ensure no data is unintentionally exposed.
WordPress Media Rest API
Users API
The WordPress API allows for username enumeration. WordPress considers the username public, but many
users may wish to hide this information from the public.
See the conversation
WordPress Users Rest API
XML-RPC API
This core API was introduced to enable third-party apps to integrate with WordPress. Unless it is required,
many recommend disabling access.
WordPress XML-RPC
XML-RPC Guide - WP Beginner
Key Takeaway - Consider if your WordPress API endpoints work as you expect.
Admin URL
Changing the admin URL can break your site's functionality, and this is considered by many to be security
through obscurity. Wordfence advises against it, but many WordPress users do change the admin URL.
See the conversation
AUTO PLAYS - Video from WordFence
Wiki - Security through obscurity
Key Takeaway - Consider if you really need to do this.
Debugging
Debugging tools can be used to show detailed information about errors, but you will want to make sure
debugging is not available to the public on a production environment.
WordPress Debugging
Query Monitor
Key Takeaway - Consider making sure diagnostics are not visible to users.
Forms
Many WordPress sites add form plugins. Forms can be a fantastic tool, but they can also be used to send
malicious content or files to a server, so extra care must be taken.
- Is the input data sanitized?
- Is the input data sensitive or PII?
- Is the user uploading files?
- ... if so, where, what type of files, how big, and are they secure file types?
- Is the data being sent in plain text via email?
- Is the data being stored in your database?
- Can anyone fill out the form, or should the user be logged in?
- Do you need a CAPTCHA?
- Do you need a honeypot?
- Can this be an embedded third-party tool?
Honey Pot
Gravity Forms
WPForms
Contact Form 7
Key Takeaway - Consider the extra risks forms add to your site.
File editing
Some users like to be able to edit files via WordPress, however this can lead to your site being broken.
WordPress advises against enabling file editing.
WordPress File Editing
Key Takeaway - Consider if you are happy with users editing files directly on the server.
Theme and plugin updates
The core CMS, themes and plugins in the WordPress repository can be set to auto-update; this is a hot
topic. Some prefer to auto-update, as many plugin-related security fixes are then applied automatically
without the need to log in. Others think the risk of an updated plugin breaking your site is the bigger risk.
Either way, you will want to decide what's best for you and your situation. Many people like to take backups
and test any changes in a test environment before they are released to production.
See the conversation
See the conversation
WordPress Updates
Key Takeaway - Consider how you will keep your CMS, themes and plugins up to date.
Unused themes and plugins
Consider deactivating and removing all unused themes and plugins.
See the conversation
Key Takeaway - Consider deactivating and removing all unused themes and plugins.
Web application firewalls
Firewalls can monitor, filter and block traffic between end users and your application; these can be
added at the network, host or application level. You may already be using a solution that provides some
protection, so consider what you already have in place. There are pros and cons to each combination, so
think about what is right for you and your users.
"If you don't use a waf you're doing it wrong"
See the conversation
Wikipedia - WAF
Domain Name System WAF
A DNS level firewall will help stop malicious activity getting to your server in the first place,
potentially taking some of the pressure off your host and application.
"The benefit of using cloudflare is that their WAF doesn't use your server's
resources. A simple way to take down a web server is to flood it with traffic."
A popular DNS WAF solution is Cloudflare; it is widely used and has a free plan. Some managed hosts also
offer a DNS WAF as part of their product offering, so it would be wise to see if your host is helping too.
"I'm using Cloudflare for many sites, and am a fan of the service. It's nice that
it blocks so many bots and other nasty crap before it even touches the web server. Unfortunately, not
everyone wants to, or can give up control of their DNS to Cloudflare. We have a lot of banks and hospitals
as clients who it's not a good fit for."
Cloudflare
Sucuri
Akamai
Fastly
CloudFront
Barracuda
Quic Cloud
Protect Origin Servers
Host or operating system WAF
A WAF can be installed on the operating system or server. Many hosts will have a WAF running on their
servers, so ask your host how they are helping. Using a WAF at the network level versus the application
or host level has pros and cons to consider.
"Any decent host has DDOS protection and Firewall Tool. If you are at some of EIG
hosts or at shared plan, it's hard to be isolated from overflow attacks, no WAF can help you there."
"Sysadmins hosting WordPress should run modsecurity."
Ninja PHP app
Perishable Press
Fail2ban
OWASP
modsecurity CRS
Application WAF
Plugins
Wordfence has a huge number of downloads in the WordPress repository and, on those numbers, is the most
used plugin-based WAF. Patchstack is also a widely discussed and praised plugin in the Reddit forum. WordPress
plugins often come bundled with many features, so you might already be using a plugin that has a WAF and
not even know it! It's a good idea to audit your plugins to see where your features overlap or have gaps.
"Wordfence. It's the best out of the box solution and even the free tier offers
excellent protection. Spend some time reading the documentation then some more time setting it up as you
require."
"a shared host running, say, ten wp instances, each with its own instance of
wordfence is wasting resources."
"WordFence is an example of how messy things get when WordPress Administrator gets blurred with the
sysadmin role."
"I like patchstack because it's really simple to set up and understand."
WordFence
WPMU Defender WAF
PatchStack
Ninja WP Plugin
BBQ
BlueSix WF Settings
Key Takeaway - Consider where you should use web application firewalls.
Security headers
Security headers can be modified to control things like what iframes can do with your users' data.
- Can an iframe access the microphone, camera or other data from the device?
- Do you mind if, when the user clicks a link, that website knows the user came from your website?
- Do you mind which scripts can be embedded in the CMS?
- Do you mind what domains can be iframed into your site?
- Do you mind which domains can iframe your site?
- Do you want to force HTTPS connections?
This is quite complex, so it is best to consult an expert.
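As an added example (not from the original page), a checker that maps each question above to the header that answers it and reports what is missing or weak, which is what the header-checking services linked below do for you. The two header sets are constructed: one like a default WordPress response, one hardened; the hostnames are placeholders.

```python
def _csp_directives(csp):
    """Parse 'a b c; d e' into {'a': ['b', 'c'], 'd': ['e']} (names and values lower-cased)."""
    out = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out


def audit_security_headers(headers):
    """Return a list of findings for a dict of response headers (names matched case-insensitively)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    csp = _csp_directives(h.get("content-security-policy", ""))
    findings = []

    # Which domains may iframe your site? (clickjacking)
    if "frame-ancestors" not in csp and "x-frame-options" not in h:
        findings.append("no frame-ancestors / X-Frame-Options: any site can iframe yours")

    # Which domains may be iframed into your site?
    if not any(d in csp for d in ("frame-src", "child-src", "default-src")):
        findings.append("no frame-src (or default-src) in CSP: embedded iframes unrestricted")

    # Which scripts may be embedded?
    script_src = csp.get("script-src", csp.get("default-src"))
    if script_src is None:
        findings.append("no script-src (or default-src) in CSP: any script origin allowed")
    elif "'unsafe-inline'" in script_src:
        findings.append("script-src allows 'unsafe-inline': injected inline scripts would run")

    # Can an iframe use the camera or microphone?
    policy = h.get("permissions-policy", "").replace(" ", "")
    for feature in ("camera", "microphone"):
        if f"{feature}=" not in policy:
            findings.append(f"Permissions-Policy does not restrict {feature}")

    # Does the linked site learn the user came from yours?
    if h.get("referrer-policy", "").lower() in ("", "unsafe-url", "no-referrer-when-downgrade"):
        findings.append("Referrer-Policy missing or leaks the full URL to other sites")

    # Are HTTPS connections forced for returning visitors?
    max_age = 0
    for part in h.get("strict-transport-security", "").lower().replace(" ", "").split(";"):
        if part.startswith("max-age=") and part[8:].isdigit():
            max_age = int(part[8:])
    if max_age < 31536000:
        findings.append("Strict-Transport-Security missing or max-age under one year")

    # Can the browser sniff a served file into a different type?
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    return findings


# Constructed: what a default WordPress install tends to send (no security headers).
DEFAULT_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "Link": '<https://example.com/wp-json/>; rel="https://api.w.org/"',
}

# Constructed: one hardened set; tighten or loosen to match what your plugins need.
HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com; "
                               "frame-src 'none'; frame-ancestors 'none'",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}
```

Run it against headers you capture from your own site; a real WordPress install usually needs some inline script, so expect the 'unsafe-inline' finding until nonces or hashes are in place.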
Security header plugin
Security header checking
Report URI
Moz - CSP
Moz - CSP 2
Moz - Xframe
Moz - STS
Moz - Permissions
Moz - X content
Key Takeaway - Consider if security headers could protect your users from things like rogue iframes or
embeds.
Backups
Many hosting companies provide backup services, so consider that when making a plan.
- Can you recover your site from the backup?
- What would happen if your server is no longer available?
- Will you need snapshots or full backups?
- What will be in the backup?
- How long will you keep the backups?
- How frequently will you take them?
- If your backup is corrupt, will the other backups also be corrupt?
- Can your backups be found with scanning tools?
- Do non-logged-in users have access to the backup via a URL?
Consider having a tested disaster recovery or business continuity plan.
"Schedule daily, weekly or monthly backups. Send backups to remote servers (AWS
S3, Dropbox, Google Drive) or your local machine."
WordPress Guide
WP (back up) Config Finder
WPScan (back ups)
See the conversation
Plugins
If you do not have a host or server setup that provides adequate backups, then you may wish to use a
backup plugin to provide automated backups.
"I don't like AIO because it uses a proprietary zip format. I've used Updraft for
over 10 years, on hundreds of sites, it's never failed me."
Updraft
SolidWP
JetPack
BlogVault
WPVivid
WP Time Capsule
Duplicator
Manage WP
Back Up WP
AIO
Key Takeaway - Consider having business continuity and disaster recovery plan.
Certifications and bodies
When working with suppliers it's a good idea to understand the certifications and governing bodies they may
belong to; this can be, but is not always, a good barometer of their understanding of security. You can also
carry out a vendor security assessment using a framework to ascertain a supplier's security maturity.
OWASP
NIST
Cyber Essentials
SOC2
ISO 27001
Vendor Security Alliance
NCSC
PCI Standards
Key Takeaway - Consider if your suppliers should hold certifications or be members of trade organisations.
HTTPS TLS SSL
This is something that cannot be done in the application and has to be done on the host or server. However,
it is worth a mention as it will be important for many to secure.
Setting up an SSL certificate is now pretty standard for most websites. With Let's Encrypt it's often very
easy and free, and many hosting companies will offer free SSL certificates from Let's Encrypt. It's a good
idea to check your SSL certificate is valid and to make sure you are using modern TLS versions.
See the conversation
WordPress HTTPS
Let's Encrypt
SSL Labs Cert Checker
How's my SSL - Browser
Cloudflare Check - Browser
Key Takeaway - Consider checking your SSL certificates.
Domain names
This is something that cannot be done in the application and has to be done on the host or server. However,
it is worth a mention as it will be important for many to secure.
Securing access to your domain registrar, name servers and domain name system records is a good idea.
Unauthorised access to these systems can lead to traffic and data being diverted or domains being
transferred. It might be useful to monitor domain squatting to potentially reduce phishing. Audits should be
carried out on all systems.
Domain Squatting
Key Takeaway - Consider if your domains, NS and DNS records are secure.
Version control
This is something that cannot be done in the application and has to be done in the version control system.
However, it is worth a mention as it will be important for many to secure.
When managing code in a version control system, care must be taken to manage what is and is not tracked in
such a system. Having secrets, passwords, credentials or keys tracked can provide a bad actor with access if
they gain control of such a system, and care should be taken if they are in the code or commit history.
Some hosted version control systems offer additional features such as code scanning and commit scanning to
help reduce this type of data entering the system. Some systems also help with managing issues and
vulnerabilities reported in any software your code is dependent on. As with managing user access to the CMS,
access to version control systems should also be audited.
GitHub Security
Key Takeaway - Consider how to secure the code stored in your version control system.
Server user management
This is something that cannot be done in the application and has to be done on the host or server. However,
it is worth a mention as it will be important for many to secure.
You should speak with your host or sysadmin to make sure this is secure.
You might want to check the following:
- Who has access?
- How do they have access? SSH, SFTP?
- Is the access audited?
- What ports are open?
- Are there any access rules?
- How and when are things patched and updated?
- Is directory browsing blocked?
- Is access to files and directories restricted?
- Is PHP script execution forbidden in non-essential directories (uploads, includes, cache etc.)?
In short, it's best to speak to an expert here, or outsource to a very good managed host; take a look at the
hosting guides on the right-hand side of this page.
WordPress File Permissions
Key Takeaway - Consider working with your host or sysadmin to make sure your host and server are secure.