WPSIG October 2022 Website Security

This Month’s WordPress SIG Topics

• What’s new in WordPress since we last met.
• Our featured area is a discussion on WordPress website security.
• But first, our Topics from the Trenches segment.

---

Anyone, anyone? Yes, in the back!

Nothing this month. This ad hoc section of our SIG permits time for us to take questions from online participants, or respond to inquiries submitted via our website or sent in by email.

Nothing came in early this month so we are doing a deeper dive into the latest updates in WordPress core.

What’s new with WordPress?

• The Month in WordPress – September 2022 – Detailed blog post on what’s going on. Lots of details about the upcoming WordPress 6.1 release, scheduled for Nov 1. This includes a new default block theme, Twenty Twenty-Three with it very cool style options. Promising news about more and more WordPress meetups going back to in-person events.
• We discussed briefly sources of good, pertinent WordPress news. I noted that I subscribe to several regular newsletters which feature excellent content dispensed in a thoughtful and readable format. The specific newsletters mentioned were:
  • WP-Content – weekly
  • The WP Weekly
  • SRH Design – Email marketing & WooCommerce focused
  • The WP Minute
  • Master WP

Featured Topic: Layers of Website Security

You have your SSL certificate and the green padlock in the address bar. You’re done. Your website is secure. Right? Not so fast.

Let’s take a walk past the ‘Let’s Encrypt’ cloak of security and see what you really need to do to help secure your website from the dangers of the public interwebs. No programming is needed. A little common sense, a plugin or two and you are well on your way to securing your site. All it takes is a few straightforward steps to eliminate almost all of the security vulnerabilities in the basic setup of your WordPress website.

Server/Hosting

1. SSL certificate – Start here. Let’s Encrypt is free with most hosts. Get an SSL certificate.
2. Secure version of PHP – the software running your website. Secure means supported. The PHP project website shows a list of the currently available PHP versions.
3. Secure usernames and passwords by default.
4. Disable directory browsing / System file protection
   • Prevent anyone from seeing your WordPress files and prevent access to readme.html, readme.txt, install.php, and wp-includes.
5. Disable PHP execution in the uploads and themes directories.
   Automatically block requests to maliciously uploaded PHP files in your WordPress directories.
6. Web Application Firewall (WAF) options.
   • Web Application Firewall – WAF – at the server level to protect your websites against a variety of malicious URI requests, bad bots, spam referrers, and more.
   • It not only protects your website, but it will help reduce your server’s resource consumption.
7. Disable XML RPC.
   – XML-RPC is a WordPress feature that enables the transfer of data between WordPress and other systems. It has now been largely replaced by REST API but is still included in installations for backward compatibility.
   – XML-RPC allows third-party apps to publish content on your WordPress website. For instance, if you use the WordPress mobile app to publish a post from your smartphone, XML-RPC allows you to do that.
   – Disable WordPress XML-RPC Using .htaccess
   – Paste this code snippet into your .htaccess file:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx
</Files>

Benefits of a security plugin.

The additional benefits that a plugin can offer outside of your host’s feature set are generally related to keeping you informed about the status of your websites.

• Malware scanning and core file monitoring
• Vulnerability patching
• Email alerts
• Ban Admin & sitename login attempts
• Set Login Limits
• 404 Detection

Plugin Recommendations

• Wordfence
• iThemes Security
• Sucuri Security

Privilege Escalation

• Don’t give your users more power than they need.
• Learn about WP roles and capabilities — WP Beginner: User Roles & Responsibilities
• Don’t share your admin account — Create a new one for them
• Use Password Reset — Don’t email passwords. Use a secure note-sending service such as 1Tyme.

Lock Down Your Login Page

• Two-factor authentication – 2FA
  —Works with Authy, Google Authenticator
• Limiting login attempts
• Local Brute Force Protection
• Banned Users
• 404 Detection

GoDaddy’s Garage blog is a wealth of useful information regarding website security.

Resources:

• https://www.malcare.com/blog/wordpress-disable-xmlrpc/
• https://gridpane.com/kb/secure-your-wordpress-websites-an-overview-of-the-security-tab/
• https://capwebsolutions.com/presentations/wordpress-security-wclv18.html#/

Articles

• https://www.wpbeginner.com/wordpress-security/
• https://premium.wpmudev.org/blog/a-complete-guide-to-wordpress-password-security/
• https://en.support.wordpress.com/selecting-a-strong-password/
• https://www.wpbeginner.com/beginners-guide/wordpress-user-roles-and-permissions/
• https://www.godaddy.com/garage/website-terminology-glossary-website-security-vol-1/

Plugin

• iThemes Security https://wordpress.org/plugins/better-wp-security/
• Wordfence https://wordpress.org/plugins/wordfence/
• Sucuri https://wordpress.org/plugins/sucuri-scanner/
• iThemes Security Pro https://ithemes.com/security/
• UpdraftPlus: https://wordpress.org/plugins/updraftplus/
• Two Factor Authentication https://wordpress.org/plugins/two-factor-authentication/

Photo Credits

• Photo Credit: Padlocks on red by Jon Moore on Unsplash
• Photo Attribution – “Red Onion Slice” by photobunny is licensed under CC BY-NC-ND 2.0.

Here is the Screencast-O-Matic recording of the session.