Security Practice Guidelines for OWASP WordPress – Part 2


The previous article, ‘Security Practice Guidelines for OWASP WordPress’, covered WordPress security design and implementation and introduced some of the security features that help in securing WordPress. This article continues the checklist with further effective methods of securing WordPress.

Update Notifications – Your WordPress site needs to be kept up to date at all times. The Update Notifications plugin sends you an email when updates are available for WordPress core, your themes or your plugins. These notifications matter because, as soon as an update is released, anyone can read what it fixes, and attackers use that information to go after sites that have not yet applied it. Core, themes and plugins all need to be covered. In testing, the Update Notifications plugin gave the best results.

WordPress Firewall 2 – Your WordPress site needs to be protected from malicious requests, and WordPress Firewall 2 helps with this. The plugin inspects incoming requests and blocks those that try to inject malicious code into your site. If you are attacked repeatedly from a specific IP address, access from that IP address can be blocked; bear in mind that attackers can switch addresses, so IP blocking is a stopgap rather than a fix.

Block Bad Queries – This plugin protects your WordPress site from malicious requests. A common way for attackers to try to gain entry is to send malicious code as part of a request to your website. The plugin checks for extremely long request strings (longer than 255 characters) and for the presence of ‘eval’ or ‘base64’ in the requested URL. Simple pattern matching of this kind is a useful layer but not a complete defence: encoded payloads can slip past it, and legitimate URLs that happen to contain one of the tokens will be blocked.
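The following is an added example, not the plugin's own code, showing the two checks the text describes (URI longer than 255 characters, ‘eval’ or ‘base64’ in the URL) run over a handful of constructed request lines. It goes one step beyond the text by percent-decoding the URI before matching, which is an assumption of this example; the sample addresses and URLs are constructed, and the last sample is a legitimate URL that trips the ‘eval’ rule, to make the false-positive caveat concrete.

```python
"""Request filtering in the spirit of Block Bad Queries.

Added example, not the plugin's own code.  Flags request URIs that are
longer than 255 characters or that contain 'eval' or 'base64', as the
text describes.  The sample request lines are constructed, not real traffic.
"""
from __future__ import annotations

from urllib.parse import unquote

MAX_URI_LEN = 255                  # length threshold from the text
BAD_TOKENS = ("eval", "base64")    # URL tokens from the text

# Constructed sample in the form "CLIENT_IP METHOD URI" (RFC 5737 test addresses).
SAMPLE_REQUESTS = [
    "203.0.113.7 GET /",
    "203.0.113.7 GET /wp-login.php",
    "198.51.100.9 GET /?cmd=eval(base64_decode(%27aGVsbG8=%27))",
    "198.51.100.9 GET /index.php?x=" + "A" * 300,
    "192.0.2.4 GET /?q=ev%61l(1)",       # percent-encoded 'eval'
    "192.0.2.4 GET /wp-content/uploads/2019/05/evaluation-report.pdf",  # legitimate, trips 'eval'
]


def check_uri(uri: str) -> list[str]:
    """Return the names of the rules the URI trips; an empty list means allowed.

    Assumption beyond the text: the URI is percent-decoded and lower-cased
    before matching, so 'ev%61l' is caught as well as 'eval'.
    """
    reasons = []
    if len(uri) > MAX_URI_LEN:
        reasons.append("length")
    decoded = unquote(uri).lower()
    reasons.extend(token for token in BAD_TOKENS if token in decoded)
    return reasons


def filter_requests(lines: list[str]) -> tuple[list, list]:
    """Split 'IP METHOD URI' lines into (blocked, allowed) lists."""
    blocked, allowed = [], []
    for line in lines:
        ip, _method, uri = line.split(" ", 2)
        reasons = check_uri(uri)
        if reasons:
            blocked.append((ip, uri, reasons))
        else:
            allowed.append((ip, uri))
    return blocked, allowed


if __name__ == "__main__":
    blocked, allowed = filter_requests(SAMPLE_REQUESTS)
    for ip, uri, reasons in blocked:
        print(f"BLOCK {ip} {uri[:60]} {reasons}")
    print(f"{len(blocked)} blocked, {len(allowed)} allowed")
```

Running it blocks four of the six constructed requests, including the PDF whose filename merely contains ‘eval’; in production a rule like this needs an allow-list for known-good paths, and it should sit behind the web server's own limits rather than replace them.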

Wordfence – This plugin checks the integrity of your WordPress core files and themes, and scans your site for phishing and malware URLs, viruses and backdoors. What you need to do on your side is keep the WordPress site updated at all times, verify the integrity of your WordPress core files, themes and plugins, and scan your site regularly for malware, backdoors and phishing.

Sucuri WordPress Security Plugin – This plugin lets you take preventive action to protect your website, and it also scans your website for signs of intrusion. It improves your security by adding a web application firewall, activity reporting and audit logging, integrity monitoring, server-side scanning and one-click hardening.
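Both the Wordfence and the Sucuri entries above rest on file-integrity monitoring: record known-good digests of the site's files, then detect anything added, removed or changed. The block below is an added example of that mechanism and is not code from either plugin; it constructs a small WordPress-like tree in a temporary directory, takes a baseline, simulates a compromise (a backdoor appended to a theme file, a dropper added, a core file removed) and reports the drift. File names and contents are constructed for the example.

```python
"""File-integrity baseline and comparison.

Added example in the spirit of the integrity monitoring that Wordfence and
Sucuri perform; it is not either plugin's code.  A small WordPress-like tree
is constructed in a temporary directory, snapshotted, then tampered with.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every regular file (path relative to root) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences as added, removed or modified relative paths."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo() -> dict[str, list[str]]:
    """Snapshot a constructed tree, simulate a compromise, and report the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        theme = root / "wp-content" / "themes" / "twentynineteen"
        theme.mkdir(parents=True)
        (root / "wp-includes").mkdir()
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (root / "wp-includes" / "version.php").write_text("<?php $wp_version = '5.2';\n")
        (theme / "functions.php").write_text("<?php // theme helpers\n")
        baseline = build_baseline(root)   # in practice: stored off-host or signed

        # Constructed compromise: backdoor appended to the theme, a dropper added, a core file removed.
        with (theme / "functions.php").open("a") as fh:
            fh.write("eval(base64_decode($_POST['c']));\n")
        (root / "wp-content" / "wp-cache.php").write_text("<?php // constructed dropper\n")
        (root / "wp-includes" / "version.php").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline is only worth what its storage is worth: if an attacker who can edit your theme can also rewrite the digest list, the comparison proves nothing, so keep the baseline off the host (or signed) and refresh it only right after a trusted update.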

WordPress Backup – Back up the complete website (files and database) on a regular basis, and store the backups safely outside your hosting account: if the account is compromised, backups kept inside it can be deleted or tampered with along with the site. Backups matter because, if your website is compromised, you need to be able to restore it quickly. The safest and quickest way to recover is to rebuild from a known-good backup, so test that your backups actually restore before you need them.
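As an added example (not the page's or any plugin's code) of the "known-good backup" point, the block below archives a constructed site tree, records a SHA-256 digest of the archive, and refuses to restore an archive whose digest no longer matches. The database dump is a constructed placeholder file because no MySQL is available offline; in practice it would come from mysqldump, and the archive plus its digest would be copied off the hosting account.

```python
"""Backup with an integrity digest and a verified restore.

Added example, not the page's or any plugin's code.  The site tree and the
database dump are constructed in a temporary directory, since no live
WordPress or MySQL is available offline.
"""
from __future__ import annotations

import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def make_backup(site_dir: Path, dest_dir: Path) -> tuple[Path, str]:
    """Archive site_dir into dest_dir/site-backup.tar.gz and write a .sha256 sidecar."""
    archive = dest_dir / "site-backup.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname="site")
    digest = sha256_of(archive)
    (dest_dir / "site-backup.tar.gz.sha256").write_text(digest + "\n")
    return archive, digest


def restore_backup(archive: Path, expected_digest: str, target: Path) -> list[str]:
    """Extract the archive into target only if its digest matches; return restored files.

    Member names are checked so a tampered archive cannot write outside target.
    """
    if sha256_of(archive) != expected_digest:
        raise ValueError("backup digest mismatch: refusing to restore")
    with tarfile.open(archive, "r:gz") as tar:
        members = tar.getmembers()
        for m in members:
            if m.name.startswith("/") or ".." in Path(m.name).parts or m.issym() or m.islnk():
                raise ValueError(f"unsafe archive member: {m.name}")
        tar.extractall(target, members=members)
    return sorted(m.name for m in members if m.isfile())


def demo() -> tuple[bool, list[str]]:
    """Build a site, back it up, reject a tampered copy, restore from the good one."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        site = tmp / "public_html"
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (site / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n")
        (site / "db-dump.sql").write_text("-- constructed stand-in for mysqldump output\n")

        offsite = tmp / "offsite"          # stands in for storage outside the hosting account
        offsite.mkdir()
        archive, digest = make_backup(site, offsite)

        # A corrupted or tampered archive must be rejected before anything is written back.
        bad = offsite / "tampered.tar.gz"
        bad.write_bytes(archive.read_bytes() + b"\x00")
        try:
            restore_backup(bad, digest, tmp / "restore-bad")
            tamper_rejected = False
        except ValueError:
            tamper_rejected = True

        restored = restore_backup(archive, digest, tmp / "restore")
        return tamper_rejected, restored


if __name__ == "__main__":
    rejected, files = demo()
    print(f"tampered archive rejected: {rejected}; restored: {files}")
```

The digest sidecar must travel with the archive to the off-site location; a digest left next to the site on the same account can be rewritten by whoever compromised the site.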

Delete Unused Themes and Plugins – Remove anything from WordPress that you are not using; disabling unused themes and plugins is not enough, they should be deleted. All files under your WordPress root are reachable over the Internet whether or not they are in use, so the PHP files of a deactivated plugin can still be requested directly, and any vulnerability in them can still be exploited.

WordPress User Roles – If you give people accounts on your WordPress website, grant them only the permissions they actually need and nothing more. Granting excess access is a serious security risk. Restricting access rights is not only good for security, it also limits the damage a person can do by accident.

Removing Default Admin User In WordPress – Most WordPress sites use wp_ as the database table prefix and admin as the administrator username. Both are well known, so an attacker does not have to discover them: with the username already in hand, they only have to guess the password. Create a new administrator account with a different name, reassign the default admin user’s content to it, and delete the default admin user. Note that WordPress can still reveal usernames in other ways (author archives, for example), so treat this as one layer alongside strong passwords and login rate limiting, not as a substitute for them.

Disable User Registration If It’s Not Being Used – Do not allow users to register on your website unless you absolutely need them to. If registration is required, give new users the minimum role necessary (Subscriber is the default). Any way in which your website grants access to people on the Internet is a potential security risk, so disable registration whenever you do not need it.

File Permissions – Make sure that your directory and file permissions are as restrictive as possible, especially for important files such as wp-config.php. These permissions determine who on the hosting account may read, write or execute each file. If they are too open, other users on a shared host, and in the worst case visitors from the Internet, may be able to read files containing sensitive information such as database credentials, or write to files that the web server executes. A commonly recommended baseline is 755 for directories, 644 for files, and 600 or 640 for wp-config.php.
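The block below is an added example, not the page's code, of auditing and then correcting those permissions. It constructs a badly-permissioned WordPress-like tree in a temporary directory (as if uploaded over FTP with sloppy modes), reports every entry that is world-writable or a wp-config.php that other users can read, and then applies the baseline given above (755 directories, 644 files, 640 for wp-config.php), which is assumed here as the target rather than taken from any tool. It requires a POSIX filesystem.

```python
"""Permission audit and hardening for a WordPress tree.

Added example, not the page's code.  Flags world-writable files and
directories and a wp-config.php that other users can read, then applies the
commonly recommended baseline (755 directories, 644 files, 640 for
wp-config.php), which is assumed here rather than taken from the text.  The
tree is constructed in a temporary directory and requires a POSIX filesystem.
"""
from __future__ import annotations

import os
import stat
import tempfile
from pathlib import Path

DIR_MODE, FILE_MODE, CONFIG_MODE = 0o755, 0o644, 0o640


def audit_permissions(root: Path) -> list[tuple[str, str]]:
    """Return (relative path, problem) pairs for every entry that is too open."""
    findings = []
    for p in sorted(root.rglob("*")):
        mode = stat.S_IMODE(p.lstat().st_mode)
        rel = str(p.relative_to(root)).replace(os.sep, "/")
        if mode & stat.S_IWOTH:
            findings.append((rel, f"world-writable ({mode:04o})"))
        if p.name == "wp-config.php" and mode & stat.S_IRWXO:
            findings.append((rel, f"readable by others ({mode:04o})"))
    return findings


def harden_permissions(root: Path) -> int:
    """Apply the baseline modes; return the number of entries changed."""
    changed = 0
    for p in root.rglob("*"):
        if p.is_symlink():
            continue                      # never follow links planted in the tree
        if p.is_dir():
            want = DIR_MODE
        elif p.name == "wp-config.php":
            want = CONFIG_MODE
        else:
            want = FILE_MODE
        if stat.S_IMODE(p.stat().st_mode) != want:
            p.chmod(want)
            changed += 1
    return changed


def demo() -> tuple[list[tuple[str, str]], list[tuple[str, str]]]:
    """Construct a badly-permissioned tree, audit it, harden it, audit again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content" / "uploads").mkdir(parents=True)
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (root / "wp-config.php").write_text("<?php define('DB_PASSWORD', 'constructed');\n")
        (root / "wp-content" / "uploads" / "image.jpg").write_bytes(b"\xff\xd8\xff")
        # Sloppy modes typical of a rushed FTP upload (set explicitly, ignoring umask).
        for d in (root / "wp-content", root / "wp-content" / "uploads"):
            d.chmod(0o777)
        (root / "index.php").chmod(0o666)
        (root / "wp-content" / "uploads" / "image.jpg").chmod(0o666)
        (root / "wp-config.php").chmod(0o644)

        before = audit_permissions(root)
        harden_permissions(root)
        after = audit_permissions(root)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    for rel, problem in before:
        print(f"{rel}: {problem}")
    print(f"after hardening: {len(after)} findings")
```

On a real host the uploads directory must stay writable by the web server's own user (so the owner, not the world), and a wp-config.php at 640 only helps if the file is owned by you and group-readable by the web server user alone; on shared hosting check which user PHP actually runs as before tightening further.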

Those are some of the important security measures and implementation guidelines that can help in securing WordPress.
