PACS WordPress SIG

A Special Interest Group of the Philadelphia Area Computer Society


WordPress Website Security

October 22, 2022 by Matt

WPSIG October 2022 Website Security

Layers of an onion with labels 'WordPress Core', 'Security Plugins', 'Server / Host' and 'CDN / Cloudflare' indicating layers of security.

This Month’s WordPress SIG Topics

  • What’s new in WordPress since we last met.
  • Our featured area is a discussion on WordPress website security.
  • But first, our Topics from the Trenches segment.

Topics from the Trenches

Anyone, anyone? Yes, in the back!

Nothing this month. This ad hoc section of our SIG permits time for us to take questions from online participants, or respond to inquiries submitted via our website or sent in by email.

Nothing came in early this month so we are doing a deeper dive into the latest updates in WordPress core.

What’s new with WordPress?

  • The Month in WordPress – September 2022 – Detailed blog post on what’s going on. Lots of details about the upcoming WordPress 6.1 release, scheduled for Nov 1. This includes a new default block theme, Twenty Twenty-Three, with its very cool style options. Promising news about more and more WordPress meetups going back to in-person events.
  • We discussed briefly sources of good, pertinent WordPress news. I noted that I subscribe to several regular newsletters which feature excellent content dispensed in a thoughtful and readable format. The specific newsletters mentioned were:
    • WP-Content – weekly
    • The WP Weekly
    • SRH Design – Email marketing & WooCommerce focused
    • The WP Minute
    • Master WP

Featured Topic: Layers of Website Security

You have your SSL certificate and the green padlock in the address bar. You’re done. Your website is secure. Right? Not so fast.

Let’s take a walk past the ‘Let’s Encrypt’ cloak of security and see what you really need to do to help secure your website from the dangers of the public interwebs. No programming is needed. A little common sense, a plugin or two and a few lines in your server configuration are all it takes to close off the easy targets in a default WordPress install. That will not make the site invulnerable, but it removes most of the weaknesses that automated scanners and bots are looking for.

Server/Hosting

(Image: Supported versions of PHP and their lifecycle)
  1. SSL/TLS certificate – Start here. Let’s Encrypt certificates are free, and most hosts issue and renew them automatically. Once you have one, redirect all HTTP requests to HTTPS so that every visitor gets the encrypted connection, not just those who type https://.
  2. Secure version of PHP – the software running your website. Secure means supported: a PHP branch that still receives security fixes. The PHP project website lists the current branches and their end-of-life dates; run the newest branch your theme and plugins support.
  3. Secure usernames and passwords by default – no account named admin, a unique, strong password for every WordPress user, and separate, equally strong credentials for the database, SFTP and the hosting control panel.
  4. Disable directory browsing / System file protection
    • Prevent anyone from listing the contents of your WordPress directories, and block direct requests to readme.html and readme.txt (both reveal the installed version), wp-admin/install.php, and the PHP files under wp-includes, which WordPress loads internally and a browser never needs to request.
  5. Disable PHP execution in the uploads and themes directories.
    Automatically block requests to maliciously uploaded PHP files in your WordPress directories. A web shell dropped into wp-content/uploads through an upload form or a vulnerable plugin is useless to the attacker if the server refuses to execute it. WordPress includes theme files through index.php rather than serving them directly, so legitimate traffic is unaffected; check first that nothing you run depends on directly requested PHP files in those directories.
  6. Web Application Firewall (WAF) options.
    • Web Application Firewall – WAF – at the server level to protect your websites against a variety of malicious URI requests, bad bots, spam referrers, and more.
    • It not only protects your website, but it will help reduce your server’s resource consumption.
  7. Disable XML-RPC.
    – XML-RPC is a WordPress feature that enables the transfer of data between WordPress and other systems. It has now been largely replaced by the REST API but is still included in installations for backward compatibility.
    – XML-RPC allows third-party apps to publish content on your WordPress website. For instance, if you use the WordPress mobile app to publish a post from your smartphone, XML-RPC allows you to do that. Jetpack also talks to your site through it, so blocking it breaks those two unless you allow their addresses.
    – Left open, xmlrpc.php is a favourite target: its system.multicall method lets an attacker try hundreds of passwords in a single request, sidestepping login-attempt limits that only watch wp-login.php, and its pingback method can be abused to make your server send requests to other sites.
    – Disable WordPress XML-RPC Using .htaccess
    – Paste this code snippet into the .htaccess file in your WordPress root. Keep the Require ip line (with your own address) only if you publish from the mobile app or another fixed location; otherwise replace it with Require all denied. If you would rather not edit .htaccess, iThemes Security, listed below, has a setting that turns XML-RPC off inside WordPress.
# Block WordPress xmlrpc.php requests (Apache 2.4 syntax)
<Files "xmlrpc.php">
    # Only the listed address may reach xmlrpc.php; everyone else gets a 403.
    # To block it for everyone, replace the line below with: Require all denied
    # Apache 2.2 equivalent: Order Deny,Allow / Deny from all / Allow from xxx.xxx.xxx.xxx
    Require ip xxx.xxx.xxx.xxx
</Files>
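As an added example, not code from the original post or the SIG’s notes, here are steps 4 and 5 written out as one block for the .htaccess file in the WordPress root, in Apache 2.4 syntax. The directory and file names are the standard WordPress ones; the file extensions beyond .php are an assumption (extra names some hosts map to the PHP handler), included so an upload renamed to dodge a .php check is blocked too. Put it above the # BEGIN WordPress block, because WordPress regenerates that block and would discard anything inside it.

```apache
# Added hardening rules for the WordPress root .htaccess (Apache 2.4).
# Needs mod_rewrite and mod_authz_core, which almost every host provides.
# Place this ABOVE the "# BEGIN WordPress" block: WordPress rewrites that
# block when permalinks change and would throw away anything inside it.

# Step 4: no directory listings anywhere under the site. If the site
# returns a 500 after adding this line, the host does not allow Options
# in .htaccess; remove it and turn listings off in the control panel.
Options -Indexes

# Step 4: files that reveal the installed version or are only needed
# during installation. FilesMatch checks the file name in any directory,
# so this also covers wp-admin/install.php.
<FilesMatch "^(readme\.html|readme\.txt|install\.php)$">
    Require all denied
</FilesMatch>

RewriteEngine On

# Step 4: wp-includes is loaded by WordPress itself; a browser never needs
# to request its PHP files directly, so any direct request gets a 403.
# (Not suitable for old Multisite installs that still serve files through
# wp-includes/ms-files.php.)
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php$ - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

# Step 5: refuse to serve PHP from uploads and themes. A web shell dropped
# there by a vulnerable upload form now returns 403 instead of running.
# Extension list is an assumption: .php is what WordPress uses; the others
# are extra names some hosts map to the PHP handler. NC = case-insensitive.
RewriteRule ^wp-content/(uploads|themes)/.*\.(php|php[0-9]|phtml|phar)$ - [NC,F,L]
```

To check it, request /readme.html, /wp-includes/version.php and /wp-content/uploads/test.php (create an empty test.php for the check, then delete it) in a browser or with curl: each should return 403 while the rest of the site keeps working. For the uploads directory a second layer is a separate .htaccess inside wp-content/uploads that denies the same PHP extensions with a FilesMatch block, so the protection survives if the root file is ever replaced.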

Benefits of a security plugin.

The additional benefits that a plugin can offer outside of your host’s feature set are generally related to keeping you informed about the status of your websites.

  • Malware scanning and core file monitoring (comparing your WordPress files against the official checksums and flagging anything changed or added)
  • Vulnerability patching (in practice virtual patching: firewall rules that block known exploit requests until you update the vulnerable plugin)
  • Email alerts
  • Ban login attempts that use the username admin or your site’s name
  • Set login limits
  • 404 detection (a burst of 404s from one address usually means a scanner probing for plugins and files you don’t have)

Plugin Recommendations

  • Wordfence
  • iThemes Security
  • Sucuri Security

Privilege Escalation

  • Don’t give your users more power than they need.
  • Learn about WP roles and capabilities — WP Beginner: User Roles & Responsibilities
  • Don’t share your admin account — Create a new one for them
  • Use Password Reset — Don’t email passwords. Use a secure note-sending service such as 1Tyme.

Lock Down Your Login Page

  • Two-factor authentication – 2FA
    — Works with authenticator apps such as Authy and Google Authenticator
  • Limiting login attempts
  • Local Brute Force Protection
  • Banned Users
  • 404 Detection
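Added example, not from the original post: the same root .htaccess can put a second gate in front of wp-login.php that works independently of any plugin. Requests from an allowlisted address pass straight through; everyone else must first clear HTTP basic authentication before WordPress even sees a username and password, so automated guessing never reaches the login form. The address 203.0.113.10 (an RFC 5737 documentation address) and the path /home/example/.htpasswd are placeholders, and the block assumes the host allows AuthConfig and Limit overrides in .htaccess, which shared hosts normally do.

```apache
# Added example: gate wp-login.php with an IP allowlist OR HTTP basic auth
# (Apache 2.4). Goes in the WordPress root .htaccess.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Site staff only"
    # Placeholder path. Create the file with:  htpasswd -c /home/example/.htpasswd alice
    # Keep it outside the document root so it can never be downloaded.
    AuthUserFile /home/example/.htpasswd

    <RequireAny>
        # Placeholder address (RFC 5737 documentation range). List each
        # office or home address, or a CIDR range, on its own Require ip line.
        Require ip 203.0.113.10
        # Anyone else gets a 401 challenge before the WordPress form loads.
        Require valid-user
    </RequireAny>
</Files>
```

Restrict only wp-login.php, not the whole wp-admin directory: wp-admin/admin-ajax.php is called by many plugins for logged-out visitors and would break. The basic-auth password is a separate secret from the WordPress one, but it is still a single static secret, so keep 2FA turned on as well. The gate does not cover xmlrpc.php, which is why step 7 above still matters. One more caveat: Require ip sees the address that connected to Apache, so behind a CDN such as Cloudflare it will see the CDN’s address unless the server restores the real client address with mod_remoteip.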

GoDaddy’s Garage blog is a wealth of useful information regarding website security.

Resources:

  • https://www.malcare.com/blog/wordpress-disable-xmlrpc/
  • https://gridpane.com/kb/secure-your-wordpress-websites-an-overview-of-the-security-tab/
  • https://capwebsolutions.com/presentations/wordpress-security-wclv18.html#/

Articles

  • https://www.wpbeginner.com/wordpress-security/
  • https://premium.wpmudev.org/blog/a-complete-guide-to-wordpress-password-security/
  • https://en.support.wordpress.com/selecting-a-strong-password/
  • https://www.wpbeginner.com/beginners-guide/wordpress-user-roles-and-permissions/
  • https://www.godaddy.com/garage/website-terminology-glossary-website-security-vol-1/

Plugin

  • iThemes Security https://wordpress.org/plugins/better-wp-security/
  • Wordfence https://wordpress.org/plugins/wordfence/
  • Sucuri https://wordpress.org/plugins/sucuri-scanner/
  • iThemes Security Pro https://ithemes.com/security/
  • UpdraftPlus: https://wordpress.org/plugins/updraftplus/
  • Two Factor Authentication https://wordpress.org/plugins/two-factor-authentication/

Photo Credits

  • Photo Credit: Padlocks on red by Jon Moore on Unsplash
  • Photo Attribution – “Red Onion Slice” by photobunny is licensed under CC BY-NC-ND 2.0.

Here is the Screencast-O-Matic recording of the session.


About Matt

Web developer and designer. Learning all the time. Founder & CEO - Cap Web Solutions
