Welcome to the next post in the securing WordPress series. We’ll continue where we left off in part I.
Secure WordPress Components (Contd)
II. Secure Important Components
6. Control the Content Published on Your Site
When you create a page or post in WordPress, you have the option to embed content such as YouTube videos, JavaScript or external URLs.
Be careful with that, because malicious code gives hackers a backdoor into your web application or web server.
The same applies to comments. WordPress has an option to auto-approve comments from visitors who have had at least one comment approved previously; don’t enable it, as this is one of the ways many WordPress sites got hacked in the past. It’s better to moderate all comments manually.
7. New Users
If you allow visitors to register as users, please follow the principle of least privilege, meaning you give visitors only the permissions they need to function and nothing more.
8. Credentials (Usernames & Passwords)
If you decide to allow users to register, you need to make sure they all use very secure usernames and passwords.
Although WordPress automatically generates a secure password for each new user, they can still edit their profile. That means they can also change their credentials. Don’t ever let them change their password from a secure one to an insecure one.
9. Widgets & Code
- Only put code into your posts, pages and widgets from trusted sources.
- Only install widgets or plugins from trusted and highly rated sources.
- Always research and evaluate third-party themes or plugins before using them on your site officially.
10. Plugins
- Only install plugins from trusted sources; the WordPress plugin repository is one example.
- Always keep plugins up-to-date.
- If you deactivate a plugin, don’t forget to remove it as well, because even an inactive plugin can be taken advantage of to exploit your site if it is vulnerable.
11. Themes
- If possible, always choose themes from the WordPress theme repository. If you decide to use themes from outside the repository, make sure you research and evaluate them first.
- Keep themes up-to-date and install updates as soon as they’re available.
12. Limit Login Attempts
- If the login form is not protected, your site is vulnerable to an endless brute-force attack.
- You can write your own code or use a well-known plugin to protect your site.
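As an added example (not code from the original post), here is a minimal must-use plugin that implements the first option: it throttles failed logins per client address using WordPress transients and the core `wp_login_failed`, `authenticate` and `wp_login` hooks. The plugin name, the `xlt_` prefix and the limit of 5 failures per 15 minutes are my own assumptions.

```php
<?php
/**
 * Plugin Name: Example Login Throttle (added illustration, not from the article)
 * Description: Blocks further login attempts from a client address after
 *              repeated failures, using WordPress transients.
 *              Drop into wp-content/mu-plugins/ to activate.
 */

// Hypothetical tuning values: 5 failures within 15 minutes locks the
// source address out until the window expires.
const XLT_MAX_ATTEMPTS = 5;
const XLT_WINDOW       = 15 * MINUTE_IN_SECONDS;

// Key the counter on the client address. Behind a reverse proxy or CDN,
// REMOTE_ADDR is the proxy itself, so substitute the forwarded-address
// header your proxy is verified to set; never trust X-Forwarded-For blindly.
function xlt_transient_key() {
    return 'xlt_fail_' . md5( $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0' );
}

// Count every failed login. Each failure refreshes the expiry, so a
// client that keeps hammering the form stays locked out.
add_action( 'wp_login_failed', function () {
    $key   = xlt_transient_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, XLT_WINDOW );
} );

// Refuse the attempt once the limit is reached. Priority 30 runs after
// core's username/password check (priority 20), so the lockout error
// replaces the result even when the submitted password was correct.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( xlt_transient_key() ) >= XLT_MAX_ATTEMPTS ) {
        return new WP_Error(
            'xlt_locked_out',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( xlt_transient_key() );
} );
```

Transients live in the options table (or the object cache when one is configured), so the counter is shared across all PHP workers. Treat this as one layer alongside the CAPTCHA and multi-factor measures discussed in this post, not as the only protection.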
13. Multi Factor Authentication
Multi-factor authentication is based on the following three factors:
- Something you know (your password)
- Something you have (your phone)
- Something you are (retina, fingerprint)
You should enable 2FA for admin or editor accounts, which acts as a defence-in-depth measure.
14. Login Page Protection
You should enable CAPTCHA protection in your login form.
15. Database Table Prefix
By default, WordPress creates its database tables with the prefix “wp_”. Because this prefix is well known, it increases the success rate of database enumeration, so make sure to change it to something else before the installation process.
That’s it for part II; we’ll continue our discussion in part III. Thank you and have a wonderful day.