Security Practice Guidelines for OWASP Wordpress

Security Practice Guidelines for OWASP WordPress-Part 1

This article aims at a unified approach towards WordPress security implementation and design. This is more than a checklist, it is a security implementation guideline and invitation towards considering and analyzing every individual case.

There is a long list of resources for procuring facets of the WordPress implementation. The project aims at offering free resources or open source rather than commercial ones. There are free versions for some plugins and some extra functionality for the paid ones. In these cases, the focus is more on projects which are on the free version.

General Security

All hard measures, towards WordPress security design, becomes useless if the attacker gets access to the users’ computer. Instead of spending a whole amount of time and effort by going into details, we list the good practices that every user should follow in order to improve security. There are a number of good resources available for anyone to accomplish the basics of security.

Security of Devices

While talking about devices that are capable of having access to the WordPress administration interface, we talk about not only the computers but mobile devices too. The following list of elements need to be taken into consideration while securing the devices accessing WordPress. Some of them mention PCs and mobile devices, others cite one of the devices.

  • Protect the device with a password
  • Use complicated and strong passwords
  • Keep your OS updated
  • Storage should be encrypted
  • Get an anti-virus installed and updated
  • Have a spyware/malware scanner installed and execute regular updates and scans
  • Get a firewall installed

WordPress Security
While implementing web security solutions there are three WordPress components that have to be considered.
Core – the key default installation files that offer most functionality
Plugins – special codes which improve and prolong the main functionality
Theme – the presentation layer that comes with few limited extended functionality

It is crucially important to keep WordPress core, themes and plugins updated. Once an update is discharged, the same needs to be enforced as soon as possible in order to close all security holes.
Practical problems with updates have to be studied. Its possible for an update to break some functionality, so it is advised to have a backup before updating the core.

WordPress Core

    There are three kinds of updates in the WordPress Core:

  • ‘Bleeding edge’ or the core development updates
  • Minor updates, such as security and maintenance releases
  • Major core updates

With the offset of version 3.7, automatic updates were introduced for minor core updates. This default behavior can be altered by editing the wp-config.php file with the following statement:

define( ‘WP_AUTO_UPDATE_CORE’, true );

All updates can be enabled when set to true. Through minor core updates translations can be updated by default.

Check list for Securing WordPress:

WordPress Update Notifications – This requires subscribing to the official WordPress notifications. These notifications are for the WordPress core updates and not plugins. WordPress update notifications are important for keeping your site updated. After the release of your update, it has to to applied to your site as soon as possible, in order to close any security holes recognized during the release.

Login Security Solution – Login security solution looks out for failed login attempts. If there is an attempt to log in too many times with an incorrect user name/password mix, the response time will be slowed down by this plugin. This makes the brute force attack futile. Other security functions added are – Enforcing password strength, enabling password aging, logging out idle sessions after a definite period of time and forcing users to change their passwords.

WP Login Security 2 – This process adds another layer of security to the process of login. IP addresses are tracked with the help of these plugins. If an administrator tries logging in from an anonymous IP address, a link gets activated and is emailed to the administrator’s registered email address. The administration panel will be blocked till the activation link is clicked.

AntiVirus – Through this security plugins, your theme files are scanned for viruses and malware, and it notifies you of any issues it may find. This security checkpoint is completed by manual scanning of the themes. It is suggested that you do not use themes, which contain encoded code – base64. This plugin is important for a basic security check of fresh themes or if your theme files have not been scanned before.

WP Security Scan – An initial WordPress security scan has to be run and your database prefix can be changed if required. Various checks are performed on your WordPress site to see if you have – the current version of WordPress, the WordPress version hidden, database error reporting can be turned off, the WP ID META tag can be removed and the default admin user can be removed.

WordPress File Monitor Plus – All the files in your WordPress site are monitored with the WordPress File Monitor Plus. If files are changed, removed and added you will get an email providing all the details of the changes. The importance of WordPress File Monitor Plus is that you are notified in case your file system changes. This allows quick cleaning of hacking attempts, as you will be aware of exactly what files have been altered and the exact time the hacking occurred.

Let us know what you think