Securing WordPress

There’s a 62.8% chance your organization is using WordPress to manage its website if using a CMS (according to

This dominant market share is one reason it is so heavily targeted by attackers.

Another reason WordPress is targeted and compromised so often is its relatively weak default security.

Here are some tips to secure the default weaknesses in your corporate WordPress site:

  • Contractually obligate your marketing vendor to keep it secure, if applicable.
  • Ensure automatic updates are working for the framework, plugins, and themes.
  • Install Wordfence Security or Sucuri Security plugins for hardening, basic firewall, malware protection, login security & notifications, MFA, common secure configurations, etc.
  • Install Jetpack Protect plugin to monitor for vulnerable versions of WordPress, plugins, and themes.
  • Disable plugins, services, XML-RPC, etc. that are not needed, to minimize the attack surface.
  • Get the underlying server updated and secure, or it won’t matter how secure WordPress is.
  • Disable PHP debug output and version information, both of which aid an attacker.
  • Install fail2ban and mod_evasive to block various automated attacks.
  • Secure SSH configuration - e.g. certificate-based auth only.
  • Whitelisted access control and notifications for SSH and WordPress admin portal - e.g. only allow your corporate IP range through the firewall/WAF.
  • Securely configure the HTTP response headers - HSTS, X-Frame-Options, Cache-Control, Referrer-Policy, and so on.
  • Cache locally and in the cloud to help absorb basic DoS attacks.
  • Ensure automated offline backups are in place and that you have the ability to recover.
  • Log terminal/backend commands - something as simple as “script”, or various FOSS and COTS solutions.
  • Monitor performance, which can also indicate a security issue.
  • Monitor SSL certificates, and don’t let your certs expire.
  • Create a vulnerability disclosure policy and add security.txt to your website.
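A few of the items above (debug output, version disclosure, and the response headers) can be checked mechanically. The script below is an added example written for this post, not something the post or WordPress ships: it writes a constructed weak wp-config.php and a constructed set of response headers (as `curl -sI` would print them) into a temporary directory, then audits both. The file names, the sample contents, and the list of headers it expects are the example's own assumptions; run `check_headers` on the real output of `curl -sI https://your-site` and `check_wp_config` on your real wp-config.php to audit a live site.

```shell
#!/bin/sh
# Added example (not from the original post): a small audit for some of the
# WordPress hardening items listed above. All sample inputs are constructed.

# write_samples DIR: write a constructed weak wp-config.php and a constructed
# capture of HTTP response headers into DIR.
write_samples() {
  dir="$1"
  cat > "$dir/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
define( 'WP_DEBUG', true );            // debug output left on
define( 'WP_DEBUG_DISPLAY', true );
/* no DISALLOW_FILE_EDIT and no WP_AUTO_UPDATE_CORE defined */
EOF
  cat > "$dir/headers.txt" <<'EOF'
HTTP/1.1 200 OK
Server: Apache/2.4.58 (Ubuntu)
X-Powered-By: PHP/8.2.12
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=0
EOF
}

# check_wp_config FILE: report weak wp-config.php settings on stderr and
# print the number of findings on stdout.
check_wp_config() {
  file="$1"; findings=0
  # WP_DEBUG=true prints PHP errors (with file paths) to every visitor.
  if grep -Eq "define[[:space:]]*\([[:space:]]*'WP_DEBUG'[[:space:]]*,[[:space:]]*true" "$file"; then
    echo "FAIL: WP_DEBUG is true in $file (errors and paths are shown to visitors)" >&2
    findings=$((findings + 1))
  fi
  # Core auto-updates keep the framework patched; DISALLOW_FILE_EDIT removes the
  # in-browser theme/plugin editor that turns a stolen admin login into code execution.
  for const in WP_AUTO_UPDATE_CORE DISALLOW_FILE_EDIT; do
    if ! grep -Eq "define[[:space:]]*\([[:space:]]*'$const'[[:space:]]*,[[:space:]]*true" "$file"; then
      echo "WARN: $const is not set to true in $file" >&2
      findings=$((findings + 1))
    fi
  done
  echo "$findings"
}

# check_headers FILE: FILE holds raw HTTP response headers. Report missing
# hardening headers and version-disclosing headers on stderr; print the count.
check_headers() {
  file="$1"; findings=0
  for hdr in Strict-Transport-Security X-Frame-Options X-Content-Type-Options Referrer-Policy; do
    if ! grep -iq "^$hdr:" "$file"; then
      echo "WARN: missing response header $hdr" >&2
      findings=$((findings + 1))
    fi
  done
  # A Server or X-Powered-By value with a version number is the "version
  # information" the list above says to disable.
  if grep -Eiq "^(Server|X-Powered-By):.*[0-9]+\.[0-9]+" "$file"; then
    echo "FAIL: a response header discloses a software version" >&2
    findings=$((findings + 1))
  fi
  echo "$findings"
}

# Run the audit against the constructed samples.
workdir=$(mktemp -d)
write_samples "$workdir"
echo "wp-config.php findings: $(check_wp_config "$workdir/wp-config.php")"
echo "HTTP header findings:   $(check_headers "$workdir/headers.txt")"
rm -r "$workdir"
```

The weak sample yields three wp-config.php findings (debug on, and the two constants missing) and five header findings (four hardening headers absent plus the version in the Server line); a hardened configuration yields zero of each. The checks are deliberately simple pattern matches on files, so they can run from a cron job or CI step without touching the live site beyond one HEAD request.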

