Ask Wordfence Episode 1: Setting Up Minimum Viable WordPress Security
Last week we emailed a small group of our customers asking them to contribute questions for a series of videos we will be running. We received questions from many of you, so thank you very much for participating!
Today we are publishing Episode 1 of “Ask Wordfence,” where we discuss one of the questions we received: how to set up minimum viable security for WordPress.
You can watch the episode here on the blog, or find it on YouTube.com. Remember to hit “subscribe” on the video on YouTube if you would like to view the rest of the videos in the series.
As always, I welcome your comments below.
Video Transcription
Hi there, my name is Mark Maunder I’m the founder and CEO of Wordfence and today we’re starting something a little different. Last week we sent out a survey to see some of our customers asking them to send us questions that they’d like us to answer on video. So this week we’re starting off with episode 1 where I’m going to answer one of the questions we received and we’re gonna start up today with a question from Victor in New York who asks:
“What would you consider minimum viable security for a wordpress website?”
Thanks Victor that’s a really great question and it’s going to take me a few minutes to answer it because there are a few steps in the process of securing your WordPress website. So without further ado let’s just dive straight in.
Step 1: Choose a good WordPress hosting provider to ensure that you have good account isolation.
The first thing I do is I’d make sure that I’m using a reputable host because it’s very important that you have isolation between accounts on a shared hosting provider. If a host doesn’t provide good isolation between accounts, what that means is if an attacker compromises one account on a shared server they can also access other accounts on that same server and you get the kind of cross contamination. So it’s very important that you choose a hosting provider that knows how to correctly configure their permissions on their servers so that you don’t have cross-contamination if one of the accounts is hacked on that server.
It’s very rare to see a hosting provider that does not have good account isolation but we do see it about every month or two. It’s usually newer hosting providers and smaller hosting providers as well. That doesn’t mean you shouldn’t choose a small host. There a lot of really really great small hosting providers out there. Just make sure that they’ve been in business for a little while so they’ve ironed out all the bugs and of course that they have a good reputation.
Step 2: Install the newest versions of WordPress core and the theme and plugins you need. Only install what you need and use a reliable source.
The next thing one needs to do is of course install WordPress core. And you always want to choose the newest version of WordPress core when you’re installing WordPress because the older versions have no known vulnerabilities. And if you install an older version it’ll almost certainly get hacked because attackers will exploit those vulnerabilities. So always install the newest version of core available at wordpress.org.
Of course then you need to install your plugins and your themes. You’ll usually just have one theme and you’ll have multiple plugins, let’s say 5 plugins. Always get those plugins and that theme from a reputable source. Get them from wordpress.org or your plugins and your themes from a good reputable commercial provider because there’s something called a nulled plugin or a nulled theme. What that is is an attacker downloads a reputable plug-in and they put their own malicious code in it and then they throw it up on their own website which looks like a legitimate site but actually it’s not. When you download the plug-in from there you’re getting code that’s already been hacked and your system is then compromised and you’ve got a real mess on your hands. So make sure you get your plugins and your themes from a reputable source.
Step 3: Keep everything updated. That includes WordPress core, your plugins and your themes.
Then of course you have to keep everything up to date. Security is not a single event you don’t go in and just secure a website or a system you actually have to have a routine, let’s say a weekly routine. So every few days or every week go in and make sure that everything is up-to-date that everything’s secure if you’ve got Wordfence installed it of course it’ll send you emails letting you know you’ve got a theme or a plugin that’s out of date or if core needs to be updated and all. It’ll send you all sorts of other helpful alerts related to security so make sure you keep an eye on those alerts and actually respond to them.
Step 4: Use strong passwords and don’t reuse them. Use a password manager like 1Password if you need to.
The next thing that one should do if you’re setting up minimum viable security is you need strong passwords. That means that your passwords need to be complex. If you’re setting up an administrator account on WordPress we recommend that you have a password length of at least 12 characters and that you choose from lowercase letters uppercase letters numbers and symbols. That way you’ll have a password that’s complex enough so it’s very difficult for an attacker to crack your password if they happen to download the hash of your password.
Also use unique passwords across all of the services that you use. The reason you should do this is because if one of those systems is compromised, the first thing the attacker does is download the user accounts database and try to use those accounts to log into other services and compromise those too. So use unique passwords across all of the services that you use. I know that’s a lot to ask and it’s a real pain and it’s very very easy to remember one short password and use that same password across all of the systems. But this is really important. One of the tricks you can use is use a password manager, like one password, to manage your passwords. The password manager will generate a password for you that’s very complex, long and has multiple characters in it. And then of course it’ll store it in a very easy-to-use database that you can then access at some point.
If you really really don’t want to use a password manager you can also use a formula that you memorize and use to uniquely generate a complex password in your head for each service that you use. That’s one of the systems that I’ve used in the past and it gives you a way to have unique passwords across all systems. If your passwords complex enough then you’re in pretty good shape
Step 5: Enable two-factor authentication. Wordfence provides this to our Premium customers.
The other thing you want to set up for minimum viable security on WordPress is two-factor authentication. Two-factor authentication is a way to ensure that if your password is compromised there’s a kind of a another layer of defense that that prevents the attacker from getting into the system if they don’t have your cell phone. You have two factors set up with your cell phone then they can’t access the system even though they’ve got your password. This is one of the things in information security that we refer to as a layered approach to security. So you don’t just have a really strong password that’s unique across all systems. You also have two factor authentication setup so that there’s kind of multiple layers of defense that you have to help you stay secure.
One of the other things you want to do is delete unused accounts. And before I forget Wordfence actually provides two-factor authentication, so you can use Wordfence for two-factor authentication.
Step 6: Delete Unused Accounts. Enforce the “Principle of Least Privilege”. Only grant the minimum access required.
The other thing you want to do is delete your unused accounts so don’t have a whole bunch of accounts lying around on your your WordPress website. Only have the accounts that you’re actually going to use. So only administrator accounts that you’re actually going to use and the other all the other accounts should be used. If you have old accounts on the system that aren’t used anymore make sure you delete them or disable them.
This is part of something in information security we call the principle of least privilege. You only provide access to people who actually need access to a system and when you do provide access you want to give them the the minimum access level that you can get away with that still allows them to do their job.
So don’t, for example, create a bunch of administrator accounts for people who are just contributing content to your website. Instead create a lower level account so that they’ve only got the access that they need. That way you don’t have all these other administrator accounts that you then need to secure. So again that’s called the principle of least privilege and it’s a really effective strategy that’s used within information security outside of the WordPress space.
Step 7: Don’t use default account names. Rename the ‘admin’ account to something else.
Don’t use default account names. Rename your admin account to something else and if you have any other obvious account names that have administrator privileges you might want to consider renaming them. This is something else as well that just gives you another one of those layers that I mentioned where if an attacker is trying to guess the password for a particular account they have a hard time time figuring out what the username is because it’s no longer just admin.
Step 8: Configure backups for your WordPress site. Use backups that are ‘rolling’ and ‘segregated’.
Now another thing that’s critically important when you’re securing your WordPress site is backups. If your site is badly hacked and damaged beyond repair you’re going to want to be able to restore it somehow. So either get backups from your hosting provider or use a service like UpdraftPlus. Full backups now the kind of backups e1 are what we call rolling segregated backups. That means that the backups are rolling so you get a backup every day or every few days and you can actually go back in time to a point in time and restore your site when it was still in working order.
So for example if your site is hacked on a Monday and you only discover it on a Thursday if you only have a backup from Wednesday because every day your backups are overwritten well that’s the site was hacked at that point already so you’re up the creek and you can’t repair your site. So you need to have backups that go further back in time that you can use to restore your site.
Now I said rolling segregated backups. Segregated means that your backups are also separate from your website if you have your back if your site’s backed up and the backup file is actually on your site the hacker can come in and hack your site and destroy the backup as well so you no longer have a backup so the backup needs to be segregated so that’s why we say you need rolling segregated backups for your WordPress website
Step 9: Leave automatic updates enabled.
For WordPress automatic updates should be enabled for core. They’re enabled by default and what that means is that for minor versions of WordPress, which often includes security releases, your site will be automatically upgraded to that security release. That’s enabled by default so you shouldn’t have to do anything to enable that, just don’t go and disable it. It’s very very important that you you leave that enabled.
Step 10: Install a WordPress Firewall like Wordfence, for protection against emerging threats.
One of the most important things when it comes to securing your site and having minimum viable security is to have a firewall installed. There’s a very specific reason you have to have a firewall. You can take all of the other steps that I’ve mentioned where you’re keeping everything up-to-date and so on, but sometimes what happens is a vulnerability gets out into the wild that is exploitable that means that a hacker out there knows of a way to exploit a plug-in or a theme or even WordPress core that allows them to gain access. Sometimes it takes developers some time to fix that vulnerability and actually release the the fix to their customers. And during that time you’re vulnerable and you don’t have anything that you can upgrade to to protect yourself and so that’s where the firewall comes in.
Wordfence is an excellent firewall. It’s the most popular firewall for WordPress and it has generic protection in there against cross-site scripting, against sql injection and a variety of other attacks. That will protect against certain zero-day attacks and protect you during that window while a developer is working hopefully as quickly as they can to get a security fix out and when the fix is actually released so it’s critically important that you have a firewall installed.
Of course Wordfence Premium gets real-time updates so as soon as we hear about a new vulnerability or one gets reported to us or our researchers discover one we immediately release a fire will rule in real-time and protect you during that time that the developer is working very quickly to get that patch out there.
Step 11: Install a malware scan Wordfence includes the most popular malware scan for WordPress. Free!
The other thing you need of course is a malware scan. The malware scan is your last line of defense if your site is somehow hacked even though you’ve been keeping everything up to date and it somehow manages to get past your firewall. The malware scan will detect that there’s malware on your system or that something’s gone wrong and will let you know so you can come in and very very quickly react and use one of those rolling segregated backups that I mentioned to restore your site and get back into good shape.
Well that’s about it we have a really helpful checklist yet in our learning Center that you can use and it has many of the items that I’ve mentioned on there. I’ll include that URL in the notes that go with the video and if you want to learn more about WordPress security just visit wordfence.com/blog for our blog and or /learn for our learning center which includes a lot of a really great content on WordPress security both advanced and beginner topics.
Thanks very much, I hope you enjoyed episode 1. Have a wonderful day. Bye.
Comments
10:05 am
For some reason, I keep getting these files uploaded onto my site:
/wp-cli.yml
/uploads/wp-content/mu-plugins (as a folder with the following file)
/uploads/wp-content/mu-plugins/sso.php
Both these are installed at the same time. Here's a snippet for the wp-cli.yml file:
"
apache_modules:
- mod_rewrite
"
It'd be nice if you guys could also recognize this type of site invasion, in your next update.
Thanks!
10:31 am
Hello Paul! We'd love to help you with this issue, but we're unable to offer support via blog comments. If you're a Premium customer, please do send in a support ticket by logging in to your Wordfence.com account and clicking "SUPPORT" in the main menu. If you use the free version of the plugin, our support team is ready to help and discuss this with you in the WordPress support forums, as well. Thanks!
10:14 am
Thanks so much for your helping me understand these issues to keep my clients' WordPress sites safe! Love your product and use it for all our clients.
10:25 am
Hi Mark
THANK YOU - as always - stellar information!
One minor omission: you said you would include checklist link in the notes - I don't see it in the notes and it is an excellent checklist:
https://www.wordfence.com/learn/wordpress-security-checklist/
10:28 am
Mark...enjoyed putting a name with a face in this new video series. Well done. While some of your blog topics covered in the recent past would be hard to explain in a video, I do like the idea of WordFence creating "Security U" (Security University), in which you create a series of higher-level instructional videos on website security. Google has done a pretty good job with video instruction on Tag Manager, Data Studio, etc. With WordFence being the expert on website security, a video series on these cyber-threats would be really beneficial to those of us who want to dive deeper into security-related issues.
Thanks again for all your efforts in both words and video. I'm sure all of us in the WordPress/WordFence community appreciate it.
10:34 am
Great video! This helps confirm that we offer the best strategy to our clients.
10:39 am
Thank you. Nice and concise. Great info.
10:46 am
Thanks so much. This is great information and I will be using it right away.
11:01 am
Very informative thank you. I would also change the author slug for all accounts as it seems to created with the same name as the account login and this is publicly visible information
11:08 am
I'm going to share this as it's really easy for beginners to grasp and hits all the main important points. Love how you guys do great investigative reporting and helpful tutorials like this, in addition to your great free plugin. Sign of good company culture.
Thanks.
11:18 am
Mandatory viewing this for all WordPress users. Great presentation Mark. Well noted on the fact some hosting companies do not offer good insulation between accounts on shared packages.
11:45 am
Video #1 great -underlines what we or rather I need to do across my sites on Shared Hosting
Although only one is SSL - which you didn't mention on the next #Video perhaps
11:55 am
Nice work! I'd like to add one comment/question. Being that NIST no longer recommends SMS based auth for MFA because of many known SMS issues--- is there a plan for Wordfence to support Google Authenticator, Authly/Duo or any physical token options like YubiKey or others?
TIA
12:04 pm
Hi Joseph, we do support Google Authenticator for 2FA. Check out this help article for details.
2:07 pm
Great response!
3:52 pm
Great video and congrats on the launch of this series! This is definitely another useful way for us all to absorb the ongoing information that is needed to ensure the utmost security with WordPress and in general. Thank you and your team as always for your valuable tips and insight!
8:42 pm
Is there a transcript?
I have no doubt that there is some great and vital information here that I want to see. I'm not interested in watching a video - I want to see a transcript or read the info in a blog post.
5:01 pm
Hi Jim, a video transcription has been added to the post.
9:15 pm
Stuff you guys publish keeps getting better and better. Very useful, and I really appreciate the effort you deposit in publishing these articles and videos.
All hats off :)
10:11 pm
To: Jim Martin, I do support the idea of a regular security video series by wordfence. There is already a great resource, though. It‘s a podcast named „Security Now“, available for free on iTunes, and on twit.tv. I recommend it to everyone I know.
1:11 am
Please consider making it an audio podcast as well, so that we can subscribe and auto-download new episodes from now on!
6:59 am
Great info! Thank you so much for taking the time share this important information!
7:20 am
Great start to a new series.
7:36 am
That was great thank you very much. The video is a great way of sharing information. Keep up the good work :)
9:10 am
Great info, thanks!
4:10 pm
Thank you for this video!
These are the good practices that every WordPress user should to know, because the safety and integrity of a website depends primarily on these fundamental recommendations.
10:45 am
Great info - thanks!
7:16 am
Excellent video. Thanks so much for making such a complex topic clear.