Often you hear the question, “What plugins should I use for WordPress Security?” It’s a valid question, but I don’t think it’s the best approach if it’s the only question you’re asking, or the only action you’re taking. If you’re leaving the security of your blog to a plugin from a 3rd party alone, you’re doing it wrong!
It’s Everyone’s Responsibility!
It starts with you. Follow these steps and you lower your risk floor significantly (without the use of a lot of plugins!):
1. Keep software updated
Has your site died on upgrade? Has your plugin author or developer told you not to upgrade because the site will break? These may be signs that a theme or plugin enabled on the site was not developed with the WordPress Coding Standards in mind. It could be a theme or plugin that is deprecated and not compatible with the upgraded version of WordPress. Whatever the case may be, this is not ideal and it may be time to find a suitable replacement. Just be sure to research and review the replacement, and confirm that the theme or plugin is being actively updated and supported by its author.
2. No Soup Kitchen Servers
Ever install a dummy WordPress instance for testing? Then you leave it there and it sits for a couple years? Ya, don’t do that. You end up putting every website on the server at risk of cross-contamination.
Attackers will find a weakness and continue to exploit it, and they will then infect everything in your shared space. If you don’t fix the vulnerability, you can clean until your fingertips fall off; they will infect it again. This happens because shared servers often allow the same root account owner to add multiple websites in their hosting area. Infect one, and you infect them all! If a site is not in use, remove it. At minimum, refer back to step one above.
3. Reduce access
Give folks enough access to do their job, nothing more; remove it when they are done! This is the practice of least privilege, and you should be practicing it across any type of information system. This means WordPress, FTP, even your databases, and any other logins. It comes down to proper management and use of roles and capabilities. If the user’s responsibility is to edit content, why would they need administrative rights? Use an administrator account only when performing administrative tasks like upgrading WordPress, or adding/removing a plugin, a theme or widgets.
Another access control risk website owners face is brute force attacks on their WordPress login page – /wp-admin or /wp-login.php. Check out the Google Authenticator Plugin if you haven’t already. It works great and if you’re already using Google Authenticator you know it works across a lot of your existing tools and devices.
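As an added example (not from the original post), a small Python script that spots the brute-force pattern described above in web server access logs: it flags any source address that POSTs to /wp-login.php more than five times within a minute. It assumes the Apache/nginx combined log format, a constructed sample log embedded below, and that threshold; tune both to your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" access-log format (assumed for this example).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one address hammering the login page, one normal user.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.7 - - [10/Mar/2024:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.7 - - [10/Mar/2024:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.20 - - [10/Mar/2024:12:00:30 +0000] "GET /wp-login.php HTTP/1.1" 200 3421
198.51.100.20 - - [10/Mar/2024:12:00:45 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.20 - - [10/Mar/2024:12:01:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 9876
"""

def login_attempts(log_text):
    """Return {ip: [timestamps]} for every POST to the login page."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?")[0] != "/wp-login.php":  # ignore query strings
            continue
        attempts[m["ip"]].append(datetime.strptime(m["ts"], TS_FMT))
    return attempts

def brute_force_sources(log_text, max_attempts=5, window_seconds=60):
    """IPs with more than max_attempts login POSTs inside any sliding window."""
    flagged = set()
    for ip, times in login_attempts(log_text).items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1  # slide the window forward
            if end - start + 1 > max_attempts:
                flagged.add(ip)
                break
    return flagged
```

Feed it your real access log and the flagged addresses are candidates for rate limiting or blocking at the web server or firewall, alongside the two-factor login the post recommends.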
4. Pass-phrases over Passwords
Did you know that “password” is still one of the most widely used and active passwords across the internet? If that’s public knowledge, don’t you think attackers know this? They do! Attackers looking to brute force your WordPress admin access, or even your SSH credentials will enumerate using known passwords like this. The most important thing I want you to take away from the password discussion is to be unique!!!
Instead of short passwords, use long pass-phrases like the lyrics to your favorite Notorious BIG song. Use different pass-phrases across your different logins. Another great approach is to not know your passwords at all and let a password management tool like LastPass do the heavy lifting. It stores them securely and can even generate them for you, so you never need to know them.
5. Institute a Backup Schedule
If you don’t have an active backup schedule and solution in place, you’re not right! Countless times we have been approached to clean a site and quickly determined that the attacker had wiped out crucial data components or a ton of theme files. When we then ask for a backup of the data or files, it turns out they don’t have one, and neither does their host. It’s as if the site never existed.
The Quick Close
Sometimes less is more, and with a lot of the plugins out there today, there is a considerable amount of overlap. I do like taking a defense-in-depth approach, so overlap can be a good thing; just don’t go crazy installing everything under the sun. It’s valuable to understand that the more you add, the more you have to maintain, and the more potential vulnerabilities can arise. Keep it simple, kill the noise, and think risk reduction!