I find it easy to obsess over WP security practices, and to get lost in minutiae – things like changing database table prefixes and obfuscating my admin user name – good practices, but with little practical security value. Here is my list of the top seven eight essential WP security measures, in rough order of importance. All of these measures can be implemented free of charge.
WordPress uses a cookie to keep track of my login state. While the technical details are a bit out of my comfort zone, if an attacker gets his or her hands on or forges my admin authentication cookie, he or she could take over my admin role and cause a great deal of mischief.
The importance of a strong admin password seems well known – if not universally practiced – by most WP users. It seems less well known that the strong password rule applies equally to every account associated with administering my WP site. This includes my cPanel account, SFTP, Cloudflare, email, web host, and domain registrar. If I lock down my WP admin account but someone hacks into my cPanel, for example – game over.
There are various methods of generating a strong password, including …
In another post I cover Cloudflare page rules for login security. This post discusses miscellaneous Cloudflare security settings. Cloudflare, even at the free tier, offers a plethora of speed and security settings that seem daunting at first. Most of them work fine using the default setting, and I can adjust settings at my own pace as I am able to make time to learn and optimize.
My #1 most important WP security and maintenance practice: Always have an up-to-date backup, stored off my site. If I irreparably mess up my site, or it gets hacked in spite of my precautions, I can delete everything and restore from backup. If my host provider doesn’t love me anymore and locks me out, or goes bankrupt and disappears, I can restore to a new host provider.
As I said in another post, I believe the very popular Wordfence Security plugin to be an excellent security solution for most WP users. Even if Wordfence isn’t the right solution for you, I recommend subscribing to their excellent email list, for timely and informative updates on WP security issues.
My Wordfence quibble: I installed it and tried it out for a while, decided in spite of its ample merits that it is not for me, and deactivated it. I promptly received an email from the Wordfence mother ship, alerting me in somewhat inflammatory language that Wordfence had been deactivated from my site by – my secret admin user name! I keep my admin user name private, and use a public nickname – a minor but sensible security precaution, I think. Wordfence not only harvested my secret admin user name, it reported my admin name to the mother ship, presumably stored it, shared it with – who knows? – and sent it to me in a plain text email. I have no way to know what other private information, if any, Wordfence stole.
When researching WP security, I come across a number of suggested additions to my child theme’s functions.php file. Examples include code to disable login hints, and to remove WordPress version information from metadata. These are helpful suggestions, but … is the functions.php file really the best place for these changes? My child theme should address theme-related changes, not general security issues. If I put these changes into functions.php and then at some point switch to a new theme, the changes would be lost.
Better to implement these changes in a custom WP security plugin, which survives a theme switch.
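As an added example (not code from the original post), here is what such a minimal custom plugin looks like, carrying the two changes mentioned above: a generic login error message and removal of the WordPress version from metadata. The plugin name and the wording of the message are my own choices; the hooks used (`login_errors`, `wp_generator`, `the_generator`) are standard WordPress APIs.

```php
<?php
/**
 * Plugin Name: Site Hardening (example)
 * Description: Theme-independent security tweaks, kept out of the child theme's functions.php.
 */

// Refuse to run if the file is requested directly instead of being loaded by WordPress.
if (!defined('ABSPATH')) {
    exit;
}

// 1. Disable login hints.
//    By default wp-login.php tells the visitor whether the username or the password
//    was wrong, which lets an attacker confirm valid usernames. Replace every login
//    error with one generic message so a failed attempt reveals nothing.
add_filter('login_errors', function ($error) {
    // The same filter fires for lost-password errors ("Enter a username or email
    // address"); those are left untouched, only the login form is made generic.
    $action = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'login';
    if ($action !== 'login') {
        return $error;
    }
    return 'Login failed. Please check your credentials and try again.';
});

// 2. Remove the WordPress version from page metadata.
//    wp_generator() prints <meta name="generator" content="WordPress x.y"> in <head>;
//    the_generator filter covers the same tag in RSS/Atom feeds and other contexts.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');
```

Save it as wp-content/plugins/site-hardening/site-hardening.php and activate it like any other plugin, or drop the file directly into wp-content/mu-plugins/ so WordPress loads it automatically and it cannot be deactivated from the admin screen.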
There are a number of comprehensive security solutions available for WP, notably including the very popular Wordfence Security plugin. I have a Wordfence quibble, which I whine about in another post, but to the best of my knowledge, Wordfence is an excellent choice for most WP users. My preference though is for light, fast, specific solutions as opposed to a single, relatively heavy, Swiss-army-knife style tool.
One such light, fast, specific solution is the 6G Firewall from Perishable Press.
If my site gets attacked, it could serve up a lot of 403-Forbidden error pages, which would use a lot of resources, slowing my site or even bringing it down. For 404-Not Found errors, I want to serve a friendly helpful page that fits in with the look and feel of my site. Legitimate visitors should rarely if ever encounter a 403-Forbidden error though, so I prefer to politely limit resource use to the extent practical. My solution is a custom 403 text string, using the following line at the beginning of my .htaccess file:
Cloudflare page rules deserve to be much more widely known and used as a highly effective component of a layered brute force login defense. The Cloudflare free tier gives me three page rules, which is enough – just barely – for both login security and blazing site speed. Login security takes up two of the three rules, but does double duty by also bypassing the Cloudflare cache for the admin area. My Cloudflare page rules for login security block bad bots at the Cloudflare level, so they never even get to my site’s server, login screen, or admin area. A storm of brute force login bots – even if unsuccessful at logging in – could slow my site or bring down my site by tying up resources. These rules move all that resource burden off my site and onto Cloudflare.