WordPress security posts often focus on a few magic plugins that you can install to get and stay secure. I use many of these plugins myself, but they are not a silver bullet for keeping your site secure. WordPress, like most other technologies considered from an information security perspective, requires defense in depth to do the job right. For those not familiar with the defense in depth strategy, it means that there is no one magic bullet to get and stay secure. An effective information security program requires a layered approach of multiple techniques, so that the failure of any one control does not by itself compromise the site.
What are the different layers of WordPress Security?
Client Security – If the PC you administer your WordPress site from becomes infected with a keylogger, your site is likely to be compromised. An attacker can use a keylogger to capture your WordPress, web hosting account, FTP, or database credentials, any of which will cause major security headaches.
Network Security – If you administer your WordPress site or access your web hosting administrative login page on an insecure network, your login credentials can be intercepted with a network sniffer. Unless you have taken additional measures such as encrypting your login sessions with SSL, your passwords will be captured in clear text, making it easy for an attacker to log in with your credentials. That is reason enough never to log in to your administrative accounts on a network that may not be secure.
Webserver Security – Most of you host your WordPress site on a shared service and are therefore very reliant on your service provider to take the steps needed to secure their DNS and web servers. The main way you can influence security in this space is with your dollars and via the hosting company's help desk. If you experience or read about serious security incidents affecting your site, you have the option to leave when your hosting contract ends and get your web hosting from a more secure provider.
Database Security – When you first install WordPress, a MySQL database is created. This database is the backbone of your site, containing the structure and table entries that make your site work, so it is essential that its integrity be protected. The primary areas of concern here are the database administrator password, managing database versions, and SQL manipulation attacks that could lead to unintended data disclosure.
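The SQL manipulation attacks mentioned above usually enter through plugin or theme code that builds a query from request input. The following is an added example, not code from the original post, showing a WordPress query written unsafely and then rewritten with WordPress's own $wpdb->prepare(); the demo_ function names and the demo_events table are hypothetical.

```php
<?php
// Added example (not from the original post). $wpdb, $wpdb->prefix,
// $wpdb->prepare() and $wpdb->get_results() are WordPress's real API;
// the demo_events table and demo_ function names are hypothetical.

// VULNERABLE: the raw request value is concatenated into the SQL string, so
// a crafted value can alter the query's meaning and disclose rows that the
// page was never meant to return.
function demo_events_by_city_unsafe() {
    global $wpdb;
    $city = $_GET['city'];  // untrusted input used verbatim
    $sql  = "SELECT id, title FROM {$wpdb->prefix}demo_events WHERE city = '$city'";
    return $wpdb->get_results( $sql );
}

// HARDENED: the input is unslashed and sanitized, then bound through
// $wpdb->prepare(), which treats %s and %d values strictly as data, never
// as SQL syntax. The row count is also capped so a single request cannot
// pull the whole table.
function demo_events_by_city_safe() {
    global $wpdb;
    $city  = sanitize_text_field( wp_unslash( $_GET['city'] ?? '' ) );
    $limit = min( absint( $_GET['limit'] ?? 20 ), 100 );  // hard upper bound
    $sql   = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}demo_events WHERE city = %s LIMIT %d",
        $city,
        $limit
    );
    return $wpdb->get_results( $sql );
}
```

The same rule applies to the database account itself: the MySQL user in wp-config.php should have rights only on the WordPress database, so a query bug in one plugin cannot read or alter other databases on a shared host.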
WordPress Application Security – When you first configure your WordPress site you must select an administrative password to protect your account. It is essential that you follow good password practices when setting this password, and be sure to change it promptly if you ever suspect it has been compromised or if your client PC becomes infected with malware. WordPress updates should also be applied promptly to ensure your site is protected against known vulnerabilities. If you run a WordPress site with multiple contributors, delegate access using role-based security to limit their privileges to only what is necessary to perform their function.
WordPress Plugin Security – A WordPress plugin should be treated as an application, and standard application security best practices should be followed. Refer to these WordPress plugin security tips when you are installing a new plugin.
Now that you are more aware of the components that must be taken into account to have a secure WordPress site, in the next article I will provide detailed recommendations on how to secure each of these layers.