What is required to build secure WordPress websites and how to ensure they stay secure.
There are a number of considerations that need to be taken into account when first developing a secure WordPress site, however a good starting point is deciding which themes and plugins to use. When doing so it is important to consider the following:
- Is it the right tool for the job?
- Is it high quality?
- Is it actively being developed and is it likely to continue to be actively developed in the future?
- Is it safe?
We have previously discussed supply chain attacks and specifically the examples of “Pipdig” and the various plugins controlled by Mason Soiza. These are just two examples however there are many other similar examples that have not been made public as widely. In both cases, the plugins were seemingly owned and developed by legitimate, ethical organisations. This highlights the difficulty in choosing safe and secure components. More obviously risky are “nulled” plugins and themes discussed previously, where paid-for components are pirated and provided for free on malicious sites.
There are three main categories of plugins – Open-Source, Freemium and Premium
Open-Source – As mentioned previously, there are over 54,000 Open-Source plugins available in the WordPress repository. The advantage of using these plugins is they come with the support of the WordPress community. There are teams of people confirming that the plugins and themes in the repository are maintained and secure. Should there be any issues with any of these components they can be removed from the repository either temporarily or permanently.
Freemium – This class of plugin offers basic services for free while charging a fee for advanced or special features. They can also be included within the WordPress repository providing that additional support and safeguards. Examples of this kind of plugin include Yoast SEO, Smush, Updraft Plus and Wordfence.
Premium – This type of plugin is not available in the WordPress repository and only available after being purchased from the author, often on services like ThemeForest.net and CodeCanyon.com. Whilst they can often be marketed professionally, as they are not Open-Source with the backing of a large community, they are sometimes problematic. There is also less scrutiny over the quality and security of the code. As such, not all paid plugins are bad but the due diligence is on the administrator of the site, no help from the community.
Of course, there are also nulled plugins and themes discussed previously, which are premium components, pirated with malware, backdoors or spam links often added in.
Researching Plugins and Themes for secure WordPress Sites
There are a number of different ways in which components can be researched to determine whether they might be a safe and secure choice for a WordPress site. These would include:
Google – The following are useful search phrases to help ascertain whether a component might be secure:
- [component name] hacked or vulnerability
- [component name] broke, broken
- [component name] slow site, performance
- [component name] support
WordPress.org support forums – Salient questions to ask would be whether it has been updated, has it been tested and is it actively supported – for example, are support questions being responded to in a timely manner.
Reviews can be helpful, although it is important to look at this in context. The component may have 5-star reviews, but how many reviews does it have overall? If it has 5 stars from only one review then this is less helpful. It is important to read a range of reviews from 1 star to 5 stars to gain a better picture on the quality of the plugin.
The Changelog – Read through the changelog for the component to get a better idea on whether vulnerabilities are being disclosed and fixed and a general picture on how actively the component is being maintained. If there is no changelog to analyse, this should be a warning to potential users.
WPVulnDB is also a useful resource to provide a picture of whether there have been issues with components in the past and whether they have been resolved successfully. If the component is listed, this does not necessarily mean it should be discounted, so long as it can be confirmed that the latest versions are no longer vulnerable.
Best Practices when Implementing a WordPress site
Create a replica of the site to implement any changes on first – a development or staging site. There are various plugins that can help with this process and duplicate the site very easily. New components should not be tested on production websites as there can be unforeseen side-effects that can be difficult to resolve.
Components that are not being used should be removed from a site. Even if those components are not active, their presence on a site can still introduce vulnerabilities to a system.
Components should be kept updated. Again, this should be carried out on a development / test site first before being moved to production, as software updates can sometimes have unintended consequences.
Component use should be reviewed periodically to determine whether they are still required and that they are still being actively maintained and are secure.
Logging – It is particularly important to ensure that logging is enabled and that log rotation is implemented for a secure WordPress implementation. This can help resolve development or functionality issues with the site, but is also crucial in helping determine how a site has been compromised in the event of an attack. There should be at least 30 days of logs available, ideally considerably more depending on the disk space available.
Backups – On-site and off-site backups are essential in helping maintain the availability of any website. On-site backups located in the hosting account can allow for rapid recovery of a website in the event of an attack or an accidental deletion of data or alteration of code. Backups should also be taken to a separate location from the hosting account so in the event of a catastrophic failure on the server, there is still a good backup to restore back to. These backups should include a copy of the site files as well as a database dump. There are various plugins available to help with this, and many hosting providers will offer some form of backup system.
Security plugins – It goes without saying that this report highlights the importance of using some sort of security plugin, ideally with some sort of Web Application Firewall in place to help protect the site from attack.