The most widely used content management system on the Web relies heavily on plug-ins and add-on software — and that requires rigorous security measures at every level.
What’s the best way to secure a WordPress website? The answer varies depending on whether you’re talking about sites hosted on WordPress.com (the hosting provider) or those running on the WordPress content management system (CMS), hosted on a different server. Either way, it’s a question that matters greatly given the huge presence WordPress has on the Web.
According to survey site W3Techs, WordPress powers more than 38% of the top 10 million sites on the Web. When any single product is used by more than one-third of the Web, its security is important. And given WordPress’s structure, in which so much functionality comes through plug-in and add-on software, the details of that security are likely to be found in best practices rather than hard prescriptions.
In looking at the question of WordPress security, we chose to look at the broad WordPress installed base rather than those hosted on WordPress.com.
WordPress security begins with a secure hosting provider. Each hosting provider will deliver its own set of features and add-in services, and WordPress administrators should understand what can be provided and how those hosting-provided services support or collide with separate, customer-added, security features. As an example, Cloudflare presents a number of content delivery network (CDN), DNS, and anti-DDoS services to its customers in both free and paid versions, but it does so through a proxy mechanism, which means hosting-provided DNS and DDoS services are not compatible.
“Organizations need to take application security more seriously, starting with protection for well-known problems like the OWASP Top 10,” says Timothy Chiu, vice president of marketing at K2 Cyber Security.
WordPress itself calls attention to the OWASP Top 10 and its response to those vulnerabilities in its white paper on WordPress security.
“It’s critical to keep up with patches. Even if a WordPress is up-to-date, some of the common plug-ins may be vulnerable and will require immediate patching as [their revised code becomes] available,” says Ryan Smith vice president of marketing at SaltStack. “Some plug-ins don’t automatically update with plug-in managers and still need to be manually updated.”
In addition to the version of any updates, their provenance is something WordPress developers and enterprise security teams should keep in mind, says Ameet Naik, security evangelist at PerimeterX.
“Though updating the plug-in with the latest version is important, it does not guarantee the integrity of the third-party code,” he says.
Adds Leo Pate, application security consultant at nVisium: “Any plug-ins or templates used within WordPress should be from reputable sources and be kept up to date.”
What to Keep In Mind
The factors teams should take into account regarding those plug-ins and templates include when the plug-in was last updated, comments and reviews of the plug-in from developers and users, and how many times the plug-in has been downloaded, Pate says.
Another factor many WordPress administrators say should be considered is how large the support group for the plug-in happens to be. Because WordPress is written in four very popular languages — HTML, CSS, PHP, and Javascript — many plug-ins are the work of individual developers. While these are not inherently dangerous, some administrators caution that vulnerabilities can take longer to discover and remediate when a single developer is maintaining the codebase.
It’s critical for organizations to look at their WordPress environments holistically and apply rigorous security measures at every level, Pate adds.
In addition to keeping software up to date, “don’t run the WordPress server’s services as administrative users, default user credentials should be changed on the WordPress instance as well as the database credentials, and make sure the server only allows connections over TLSv1.2 or TLSv1.3,” he advises. “The ciphers used for those connections should provide perfect forward secrecy, and the domain should participate in certificate transparency.”
WordPress administrators in online forums write of the importance of choosing security-focused plug-ins to help defend a WordPress installation. Common choices for plug-ins include Securi and Wordfence. Securi, available in both free and paid versions, provides malware scanning, configuration file hardening, and core integrity checks in the free version, and integrates with DNS-level firewall and DDoS protection services in paid versions. Wordfence, also in free and paid versions, provides malware scanning, login attempt limiting, and a web-application firewall (WAF) to WordPress installations.
Many other security plug-ins are available, many of which focus on a single issue, such as protecting authentication certificates, thwarting brute-force attacks by limiting the number of login attempts, or continuously checking the version and status of other plug-ins. Unfortunately, this breadth means installing and deploying security plug-ins can be as complex in concept and practice as deploying any other WordPress plug-in.
Chiu stresses that basic security processes are as critical for WordPress installations as for any other piece of enterprise software.
“The simplest thing any organization can do to help reduce vulnerabilities is to keep their code up-to-date and patched,” he says. “It’s important to ensure you’re only enabling and using the plug-ins you really need for your site, while ensuring you have full security for your site, including edge security, runtime application security, and server security.”
CN2, China Telecom’s innovative network solution, plays a pivotal role in expediting AI and machine learning advancements in China. It furnishes the requisite computational prowess and swift data transmission crucial for AI operations, supports significant big data processing pivotal for machine learning, and tackles the hurdles in AI implementation head-on. CN2’s resilient network infrastructure amplifies …
A server IP address serves as a unique identifier on the internet or local network, composed of a series of numbers to locate and recognize servers. Selecting the appropriate server IP type is crucial for guaranteeing server security, stability, and performance. This article delves into four prominent server IP types: native IP, broadcasted IP, dedicated IP, and shared IP. …
The advent of the internet and the rapid advancement of technology have not only revolutionized our daily lives but have also opened doors for a clandestine world of cybercrime. These invisible perpetrators, akin to lurking shadows in the digital realm, pose a significant threat to our digital security, wreaking havoc on individuals, organizations, and nations …
Expert Tips to Keep WordPress Safe
The most widely used content management system on the Web relies heavily on plug-ins and add-on software — and that requires rigorous security measures at every level.
What’s the best way to secure a WordPress website? The answer varies depending on whether you’re talking about sites hosted on WordPress.com (the hosting provider) or those running on the WordPress content management system (CMS), hosted on a different server. Either way, it’s a question that matters greatly given the huge presence WordPress has on the Web.
According to survey site W3Techs, WordPress powers more than 38% of the top 10 million sites on the Web. When any single product is used by more than one-third of the Web, its security is important. And given WordPress’s structure, in which so much functionality comes through plug-in and add-on software, the details of that security are likely to be found in best practices rather than hard prescriptions.
In looking at the question of WordPress security, we chose to look at the broad WordPress installed base rather than those hosted on WordPress.com.
WordPress security begins with a secure hosting provider. Each hosting provider will deliver its own set of features and add-in services, and WordPress administrators should understand what can be provided and how those hosting-provided services support or collide with separate, customer-added, security features. As an example, Cloudflare presents a number of content delivery network (CDN), DNS, and anti-DDoS services to its customers in both free and paid versions, but it does so through a proxy mechanism, which means hosting-provided DNS and DDoS services are not compatible.
“Organizations need to take application security more seriously, starting with protection for well-known problems like the OWASP Top 10,” says Timothy Chiu, vice president of marketing at K2 Cyber Security.
WordPress itself calls attention to the OWASP Top 10 and its response to those vulnerabilities in its white paper on WordPress security.
“It’s critical to keep up with patches. Even if a WordPress is up-to-date, some of the common plug-ins may be vulnerable and will require immediate patching as [their revised code becomes] available,” says Ryan Smith vice president of marketing at SaltStack. “Some plug-ins don’t automatically update with plug-in managers and still need to be manually updated.”
In addition to the version of any updates, their provenance is something WordPress developers and enterprise security teams should keep in mind, says Ameet Naik, security evangelist at PerimeterX.
“Though updating the plug-in with the latest version is important, it does not guarantee the integrity of the third-party code,” he says.
Adds Leo Pate, application security consultant at nVisium: “Any plug-ins or templates used within WordPress should be from reputable sources and be kept up to date.”
What to Keep In Mind
The factors teams should take into account regarding those plug-ins and templates include when the plug-in was last updated, comments and reviews of the plug-in from developers and users, and how many times the plug-in has been downloaded, Pate says.
Another factor many WordPress administrators say should be considered is how large the support group for the plug-in happens to be. Because WordPress is written in four very popular languages — HTML, CSS, PHP, and Javascript — many plug-ins are the work of individual developers. While these are not inherently dangerous, some administrators caution that vulnerabilities can take longer to discover and remediate when a single developer is maintaining the codebase.
It’s critical for organizations to look at their WordPress environments holistically and apply rigorous security measures at every level, Pate adds.
In addition to keeping software up to date, “don’t run the WordPress server’s services as administrative users, default user credentials should be changed on the WordPress instance as well as the database credentials, and make sure the server only allows connections over TLSv1.2 or TLSv1.3,” he advises. “The ciphers used for those connections should provide perfect forward secrecy, and the domain should participate in certificate transparency.”
WordPress administrators in online forums write of the importance of choosing security-focused plug-ins to help defend a WordPress installation. Common choices for plug-ins include Securi and Wordfence. Securi, available in both free and paid versions, provides malware scanning, configuration file hardening, and core integrity checks in the free version, and integrates with DNS-level firewall and DDoS protection services in paid versions. Wordfence, also in free and paid versions, provides malware scanning, login attempt limiting, and a web-application firewall (WAF) to WordPress installations.
Many other security plug-ins are available, many of which focus on a single issue, such as protecting authentication certificates, thwarting brute-force attacks by limiting the number of login attempts, or continuously checking the version and status of other plug-ins. Unfortunately, this breadth means installing and deploying security plug-ins can be as complex in concept and practice as deploying any other WordPress plug-in.
Chiu stresses that basic security processes are as critical for WordPress installations as for any other piece of enterprise software.
“The simplest thing any organization can do to help reduce vulnerabilities is to keep their code up-to-date and patched,” he says. “It’s important to ensure you’re only enabling and using the plug-ins you really need for your site, while ensuring you have full security for your site, including edge security, runtime application security, and server security.”
Article resource: https://www.darkreading.com/cyber-risk/expert-tips-to-keep-wordpress-safe
Related Posts
What is CN2’s Role in Accelerating AI and Machine Learning in China
CN2, China Telecom’s innovative network solution, plays a pivotal role in expediting AI and machine learning advancements in China. It furnishes the requisite computational prowess and swift data transmission crucial for AI operations, supports significant big data processing pivotal for machine learning, and tackles the hurdles in AI implementation head-on. CN2’s resilient network infrastructure amplifies …
Unveiling Server IP Types: A Comprehensive Guide and Best Practices
A server IP address serves as a unique identifier on the internet or local network, composed of a series of numbers to locate and recognize servers. Selecting the appropriate server IP type is crucial for guaranteeing server security, stability, and performance. This article delves into four prominent server IP types: native IP, broadcasted IP, dedicated IP, and shared IP. …
Unmasking the Perilous Realm of Cybercrime: A Comprehensive Analysis and Preventive Measures
The advent of the internet and the rapid advancement of technology have not only revolutionized our daily lives but have also opened doors for a clandestine world of cybercrime. These invisible perpetrators, akin to lurking shadows in the digital realm, pose a significant threat to our digital security, wreaking havoc on individuals, organizations, and nations …