WordPress Security Hardening – without throwing the baby out with the bathwater

If, like us, you manage WordPress installs where many thousands of users with high-level permissions (super-admins, admins, editors) can log in to the backend, you will want to consider hardening security on the wp-admin side. There is, however, a delicate balance to strike: every extra hurdle frustrates legitimate users and increases support costs for simple access requests.

In addition to the Web Application Firewall (Incapsula) that sits in front of our systems, at the WordPress level we have chosen two key ways of making the backend hard to break into without making it hard to use…

Wordfence – is rapidly becoming the de facto standard security plugin for WordPress and contains many options for actively scanning and protecting your sites. Its scope can be a bit wide (it recently added caching features, which in this writer's opinion do not belong in a security plugin), but it also has some very low-level firewall features that are genuinely useful for stopping things like the Russian hacking attempts we see. For us, two of its basics are fundamental:

1) ensure passwords are not weak

2) lockout protection for repeated password attempts

The importance of point 1 cannot be overstated! The annual SplashData report on the most common passwords shows that the perennial favourites “123456” and “password” still top the list – so it is still very important to protect users from themselves. Note that a minimum length alone is not enough: people bolt a digit or a “!” onto a dictionary word to get past naive checks, so a useful check also compares the password against a list of common passwords and rejects anything containing the username.
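The following is an added example of the kind of password check described above, written as a WordPress must-use plugin; it is not Wordfence's code or code from the original post. It hooks the two places WordPress accepts a new password for an existing account (the profile screen and the password-reset form) and rejects the save when the password is short, on a common-password list, or contains the username. The minimum length, the `wpsh_` function names and the ten-entry common-password list are this example's assumptions; a real deployment would load a much larger list from a file.

```php
<?php
/**
 * Plugin Name: Reject weak passwords (added example, not Wordfence code)
 *
 * Drop this file into wp-content/mu-plugins/ so it loads on every request.
 * Policy values below are assumptions for the example, not WordPress defaults.
 */

const WPSH_MIN_LENGTH = 12;

// Constructed sample of the most common passwords; in practice load a
// larger list (e.g. the SplashData "worst passwords" list) from a file.
const WPSH_COMMON_PASSWORDS = [
    '123456', 'password', '12345678', 'qwerty', '123456789',
    'letmein', 'football', 'iloveyou', 'admin', 'welcome',
];

/**
 * Return a list of policy violations; an empty array means the password passes.
 */
function wpsh_password_problems( string $password, string $username = '' ): array {
    $problems = [];
    $lower    = strtolower( $password );

    if ( strlen( $password ) < WPSH_MIN_LENGTH ) {
        $problems[] = sprintf( 'must be at least %d characters long', WPSH_MIN_LENGTH );
    }

    // Compare case-insensitively, and also after stripping the "password1!"
    // style suffix people add to get past a naive length/character check.
    $stripped = rtrim( $lower, '0123456789!@#$%^&*.' );
    if ( in_array( $lower, WPSH_COMMON_PASSWORDS, true )
        || in_array( $stripped, WPSH_COMMON_PASSWORDS, true ) ) {
        $problems[] = 'is one of the most common passwords';
    }

    if ( $username !== '' && strpos( $lower, strtolower( $username ) ) !== false ) {
        $problems[] = 'contains the username';
    }

    // Require at least three of the four character classes.
    $classes = (int) preg_match( '/[a-z]/', $password )
             + (int) preg_match( '/[A-Z]/', $password )
             + (int) preg_match( '/[0-9]/', $password )
             + (int) preg_match( '/[^a-zA-Z0-9]/', $password );
    if ( $classes < 3 ) {
        $problems[] = 'must mix at least three of: lower case, upper case, digits, symbols';
    }

    return $problems;
}

/**
 * Attach the violations to the WP_Error object WordPress passes through these
 * hooks; any error present makes WordPress abort the profile save / reset.
 */
function wpsh_add_errors( WP_Error $errors, string $password, string $username ): void {
    foreach ( wpsh_password_problems( $password, $username ) as $problem ) {
        $errors->add( 'wpsh_weak_password', '<strong>Error:</strong> The password ' . $problem . '.' );
    }
}

// Profile and "Add New User" screens: $user is a stdClass carrying the new
// password in user_pass (only set when a password was actually entered).
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( ! empty( $user->user_pass ) ) {
        $login = isset( $user->user_login ) ? (string) $user->user_login : '';
        wpsh_add_errors( $errors, (string) $user->user_pass, $login );
    }
}, 10, 3 );

// Password-reset form: the new password arrives as $_POST['pass1'].
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( isset( $_POST['pass1'] ) && $_POST['pass1'] !== '' ) {
        $login = $user instanceof WP_User ? $user->user_login : '';
        wpsh_add_errors( $errors, (string) wp_unslash( $_POST['pass1'] ), $login );
    }
}, 10, 2 );
```

Because `wpsh_password_problems()` is a plain function, it can be unit-tested outside WordPress; for instance “password1!” is rejected as a common password after the suffix is stripped, while a twelve-character mixed-class passphrase that does not contain the username passes.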

Point 2 is getting increasingly important – we see thousands of brute-force password attempts per day…

[Screenshot: Wordfence Realtime Protection]

The vast majority are probing for the password of the “admin” user – so you will always want to avoid using that username. Older WordPress installers suggested it by default, but the installer lets you pick any username, so choose something else at install time; we heartily recommend doing so. For an existing site, create a new administrator with a different login, then delete the old “admin” account and reassign its content to the new user when WordPress prompts you. Lockout protection still matters for the renamed account: a lockout keyed on the source IP stops the bulk of the automated attempts, while a lockout keyed on the username protects a specific account at the cost of letting an attacker who knows that username lock it out.
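As an added example of the lockout protection discussed above, here is a minimal must-use plugin that counts failed logins per client IP and per username in WordPress transients and refuses further attempts once either counter reaches a threshold. It is not Wordfence's implementation or code from the original post; the threshold of five attempts, the fifteen-minute window and the `wpsh_` names are this example's assumptions. One caveat it makes explicit: behind a WAF such as Incapsula, `REMOTE_ADDR` is the proxy's address, so the IP counter would lock out everyone at once unless you substitute the client address from the proxy's forwarded-IP header, and you must only trust that header on requests that demonstrably arrived via the proxy.

```php
<?php
/**
 * Plugin Name: Login lockout (added example, not Wordfence code)
 *
 * Drop into wp-content/mu-plugins/. Thresholds are this example's choice.
 */

const WPSH_MAX_FAILURES = 5;                       // failures before lockout
const WPSH_WINDOW       = 15 * MINUTE_IN_SECONDS;  // counting window and lockout length

/**
 * Client address as seen by PHP. Behind a WAF/CDN this is the proxy, so a
 * real deployment replaces it with the proxy's forwarded-IP header, but
 * only after verifying the request came from the proxy's own address range;
 * otherwise the header is attacker controlled.
 */
function wpsh_client_ip(): string {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Transient names must stay short, so hash the user-controlled part.
function wpsh_key( string $kind, string $value ): string {
    return 'wpsh_' . $kind . '_' . md5( strtolower( $value ) );
}

function wpsh_failures( string $kind, string $value ): int {
    return (int) get_transient( wpsh_key( $kind, $value ) );
}

function wpsh_record_failure( string $kind, string $value ): void {
    $key = wpsh_key( $kind, $value );
    $n   = (int) get_transient( $key ) + 1;
    // Re-setting the transient resets its expiry, so the window slides
    // while attempts continue and the lockout only lifts after a quiet spell.
    set_transient( $key, $n, WPSH_WINDOW );
}

function wpsh_is_locked( string $ip, string $username ): bool {
    return wpsh_failures( 'ip', $ip ) >= WPSH_MAX_FAILURES
        || ( $username !== '' && wpsh_failures( 'user', $username ) >= WPSH_MAX_FAILURES );
}

// Core's own username/password check runs on 'authenticate' at priority 20
// and does not short-circuit on an incoming WP_Error, so this veto must run
// after it (priority 30) or a correct password would override the lockout.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( wpsh_is_locked( wpsh_client_ip(), (string) $username ) ) {
        return new WP_Error( 'wpsh_locked_out', 'Too many failed login attempts. Please try again later.' );
    }
    return $user;
}, 30, 3 );

// Count each genuine failure. Attempts rejected by the lockout itself also
// fire wp_login_failed (with our WP_Error as $error since WP 5.4); skip those
// so a blocked attacker cannot keep extending the window indefinitely.
add_action( 'wp_login_failed', function ( $username, $error = null ) {
    if ( $error instanceof WP_Error && $error->get_error_code() === 'wpsh_locked_out' ) {
        return;
    }
    wpsh_record_failure( 'ip', wpsh_client_ip() );
    if ( (string) $username !== '' ) {
        wpsh_record_failure( 'user', (string) $username );
    }
}, 10, 2 );

// A successful login clears the counters for that IP and user.
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( wpsh_key( 'ip', wpsh_client_ip() ) );
    delete_transient( wpsh_key( 'user', (string) $user_login ) );
}, 10, 1 );
```

Transients live in the options table (or the object cache if one is configured), so the counters are shared across all web nodes of a multi-server install, unlike a per-process in-memory counter. The per-username counter is the friction trade-off the post is about: it shields a known account such as a renamed “admin” from a distributed attack, but it also means a legitimate user who mistypes five times waits out the window, so keep the window short and make the lockout message explain when to retry.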

Our last line of defence is to limit the damage should the WordPress backend ever be compromised. By default WordPress lets administrators edit theme and plugin files directly from inside the backend – which means an attacker who gets hold of an admin account can drop PHP onto the server and execute it. We have the file editor turned off on all our installs by adding one simple line to wp-config.php… Be aware of what this does and does not cover: it removes the editor screens, but an admin can still upload a plugin or theme zip, so an attacker with an admin login retains that route. The stricter DISALLOW_FILE_MODS constant closes that too, at the cost of also disabling plugin, theme and core updates from the dashboard, which only suits installs updated by other means.

define('DISALLOW_FILE_EDIT', true);

That's it – a few simple changes that significantly harden your WordPress backend without adding friction for the users.
