SOP For WordPress Security

The goal of the page is to inform users who manage a WordPress site about general security best practices both in terms of environment-level items, such as file permissions, as well as application-level items, such as setting up proper user roles, so they have a better foundation for security than setting up WordPress somewhere with no additional configuration.

The most important thing to do for WordPress security is to keep WordPress itself and all installed plugins and themes up to date. It is also encouraged for users to choose themes and plugins that are actively receiving updates.

Security for WordPress websites is necessary to:

  • Protect sensitive data.
  • Prevent hacking and malware.

Hardening WordPress - Staging and Production

  • Disable File Editing
  • Rename the administrative account – When creating an administrative account, avoid easily guessed terms such as admin or webmaster as usernames because they are typically subject to attacks first.
  • Change the table_prefix.
  • Pattern needs to be defined
  • Limit Login Attempts
  • PHP Hardening ( Sucuri Plugin )
  • Custom wp-admin URL
  • Remove WordPress Version

Implement Git Process

Branches

  • Staging 
  • Production

Need to check Paid user plans

  • GitHub Desktop
  • SourceTreee
  • Smartgit

Git folder security via disabling path access and etc

Regular Software Updates

  • Update WordPress core, themes, and plugins regularly to patch vulnerabilities.
  • Enable automatic updates whenever possible for critical security patches.
  • PHP update 
  • Server related updates

Strong Password Policies

  • Enforce the use of unique strong passwords for all accounts.
  • Enable two-factor authentication (2FA) for an added layer of security.
    • Staging 
    • Production 
    • Email Forwarder

Secure Hosting Environment

  • Choose a reputable hosting provider with robust security measures.
  • Use HTTPS protocol to encrypt data transmission.
  • Implement a Web Application Firewall (WAF) to filter malicious traffic.
    • Standard needs to be prepared with System Admin

Limit Access Controls

  • Assign appropriate user roles with minimal privileges.
  • Remove inactive users and regularly review user permissions.
  • Change default usernames (e.g., ‘admin’) to prevent brute force attacks.

File and Directory Permissions

  • Set proper file permissions to restrict unauthorized access.
    • Directories – 755
    • Files – 644
  • Disable directory listing to prevent sensitive information exposure.
  • Regularly audit file permissions and ownership.

Backup Procedures

  • Perform regular backups of the WordPress database and files.
  • Store backups securely offsite or in a separate server.
  • Test backup restoration procedures periodically.

Security Plugins and Tools

  • Install reputable security plugins to enhance website security.
    •  Wordfence security plugin
  • Utilize malware scanning tools to detect and remove malicious code.
  • Implement security headers to protect against common attacks like XSS and CSRF.

Monitoring and Logging

  • Monitor website activity for suspicious behavior or anomalies.
  • Enable logging and review logs for signs of security incidents.
  • Set up alerts for unauthorized access attempts or unusual activities.

Secure Authentication

Server Related

  • External Database
  • Secure Hosting

Checklist

Environment-Level Security

Secure Hosting Environment

  • Choose a reputable hosting provider with robust security measures.
  • Use HTTPS protocol to encrypt data transmission.
  • Implement a Web Application Firewall (WAF) to filter malicious traffic.
  • Regularly update the PHP version and server-related software.
  • Implement Git process:
    • Create branches for staging and production.
    • Use GitHub Desktop, SourceTree, or SmartGit.
    • Secure Git folders by disabling path access.

Backup Procedures

  • Perform regular backups of the WordPress database and files(Updraft)
  • Store backups securely offsite or on a separate server for shared hosting, for managed wordpress, they are managing the backup by their own.
  • Test backup restoration procedures.

File and Directory Permissions

  • Set proper file permissions:
    • Directories: 755
    • Files: 644
  • Disable directory listing to prevent sensitive information exposure.
  • Audit file permissions and ownership.

Software Updates

  • Update WordPress core, themes, and plugins to patch vulnerabilities.
  • Enable automatic updates whenever possible for critical security patches*

Application-Level Security

Hardening WordPress

  • Disable file editing in the WordPress dashboard.
  • Rename the administrative account to something less predictable than “admin” or “webmaster.”
  • Change the table_prefix in the database.
  • Database Security: Secure the database by restricting access only to trusted IPs.
  • Enforce Auto Logout: Automatically log out inactive users to reduce session hijacking risks.
  • Implement a custom wp-admin URL.
  • Remove WordPress version information from the site.
  • Limit login attempts.
  • Implement PHP hardening using plugins like Wordfence.

Strong Password Policies

  • Enforce the use of unique, strong passwords for all accounts.
  • Enable two-factor authentication (2FA) for an added layer of security.

Limit Access Controls

  • Assign appropriate user roles with minimal privileges.
  • Remove inactive users and regularly review user permissions.
  • Change default usernames (e.g., ‘admin’) to prevent brute force attacks.

Secure Authentication

  • Implement SSL/TLS certificates for secure authentication.
  • Use secure authentication keys and salts in wp-config.php.

Security Plugins and Tools

  • Install the reputable security plugin Wordfence to enhance website security.
  • Utilize malware scanning tools to detect and remove malicious code.
  • Implement security headers to protect against common attacks like XSS and CSRF.

Monitoring and Logging

  • Monitor website activity for suspicious behavior or anomalies.
  • Enable logging and review logs for signs of security incidents.
  • Set up alerts for unauthorized access attempts or unusual activities.

Access Control

  • Restrict Access by IP: Limit wp-admin access by IP.
  • Disable WordPress REST API for Unauthorized Users: Limit REST API access to authenticated users only.