Given the number of breaches in the news and the hype around them, we feel it is time to talk about security and WordPress. Securing your website is a big responsibility, and it is not that easy if you are new to WordPress.
In this article, we will discuss security in WordPress as a whole, and then narrow it down to Woffice, our Intranet/Extranet theme, to explain how we handle security in our own development.
Security basics in WordPress
WordPress is a huge and very popular open-source CMS (Content Management System), so we can rely on a large community and trustworthy people to maintain, patch and update it.
However, there are a few things to be aware of, and a few steps to follow, in order to secure your WordPress website. Please note that these are basic recommendations only; we do not claim to provide the perfect configuration for your specific website.
We recommend the following:
- Ensure that all your users have long and complex passwords (WordPress suggests a strong password whenever one is set).
- Install a security plugin such as Wordfence or iThemes Security, which will let you:
- Change your WordPress admin/login URL.
- Block brute-force login attempts.
- Limit the number of login attempts and block spam (note that this is more effective than a CAPTCHA).
- And much more.
- Discourage your users from saving passwords on their computer or in the browser; have them use a password manager (a vault such as LastPass, for instance) instead.
- Use only trusted plugins that are actively maintained and updated.
- Get an SSL/TLS certificate (free ones are widely available) and serve the whole site over https://, including wp-login.php and wp-admin, so that credentials and session cookies never travel in clear text.
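To make the "limit login attempts" recommendation concrete, here is an added example (not code from the original article, nor from any plugin) of what a login limiter or a fail2ban rule actually does: it reads the web server access log, counts failed POSTs to wp-login.php and xmlrpc.php per client IP, and emits a deny list. The log lines are constructed for the example and are not real traffic; the IPs are documentation addresses. It relies on the fact that a failed wp-login.php attempt re-renders the form with HTTP 200 while a successful one redirects with 302.

```shell
#!/usr/bin/env bash
# Constructed sample of an Apache/nginx access log in common log format.
# In production you would read /var/log/apache2/access.log (or the nginx equivalent).
SAMPLE_LOG='203.0.113.7 - - [10/Apr/2018:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.7 - - [10/Apr/2018:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.7 - - [10/Apr/2018:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.7 - - [10/Apr/2018:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.7 - - [10/Apr/2018:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.7 - - [10/Apr/2018:10:01:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403
198.51.100.22 - - [10/Apr/2018:10:02:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
198.51.100.22 - - [10/Apr/2018:10:02:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
198.51.100.22 - - [10/Apr/2018:10:02:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
198.51.100.22 - - [10/Apr/2018:10:02:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.22 - - [10/Apr/2018:10:02:31 +0000] "GET /wp-admin/ HTTP/1.1" 200 18234
192.0.2.10 - - [10/Apr/2018:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2890
192.0.2.10 - - [10/Apr/2018:10:03:05 +0000] "GET /index.php HTTP/1.1" 200 9120'

# Print "<failures> <ip>" for every client with more than $2 failed logins in the
# log text $1 (default threshold: 5), most aggressive client first.
login_abusers() {
  local log="$1" threshold="${2:-5}"
  printf '%s\n' "$log" \
    | awk -v max="$threshold" '
        # Fields: $1 client IP, $6 method (with the opening quote), $7 path, $9 status.
        # wp-login.php: a failed attempt answers 200 (form shown again), a success 302.
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { fail[$1]++ }
        # xmlrpc.php answers 200 whether or not the credentials were right,
        # so every POST to it is counted; WordPress admins rarely use it.
        $6 == "\"POST" && $7 ~ /^\/xmlrpc\.php/ { fail[$1]++ }
        END { for (ip in fail) if (fail[ip] > max) print fail[ip], ip }
      ' \
    | sort -rn
}

# Turn the offenders into "deny from" lines that can be appended to the
# site's .htaccess (Apache 2.2 syntax, which the hardening section below also uses).
deny_lines() {
  login_abusers "$1" "${2:-5}" | awk '{ print "deny from " $2 }'
}

# Stand-alone run: report every client with more than 3 failures.
login_abusers "$SAMPLE_LOG" 3
deny_lines "$SAMPLE_LOG" 3
```

On the constructed log, 203.0.113.7 is flagged (five wp-login.php failures plus one xmlrpc.php POST) while 198.51.100.22 is not at a threshold of 3: it failed three times and then logged in. Behind a CDN or reverse proxy the first field is the proxy's address, so switch to the X-Forwarded-For value (or Apache's mod_remoteip) before counting, or you will ban your own proxy.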
Advanced security tips
Besides those basic settings, we are now going to dive a little deeper into the configuration by editing WordPress files, nothing too fussy though.
Keeping the core, the theme and all plugins up to date is the most important habit of all: a known vulnerability in an outdated plugin or theme is one of the most common ways a WordPress site gets compromised. Turn on WordPress automatic core updates in the wp-config.php file (there are plugins to achieve that, but it is more straightforward in code):
// Automatic core updates: true = all core releases, 'minor' = security and maintenance releases only (the default), false = disabled
define( 'WP_AUTO_UPDATE_CORE', true );
Note that this constant only covers the core. Plugins and themes are not updated by it; they need the auto_update_plugin and auto_update_theme filters, a plugin that does the same, or a regular manual update routine.
One example worth noting is the "Panama Papers" breach, which was most likely caused by a vulnerability in an outdated plugin. More details can be found in this article.
Database table prefix
Make sure that your WordPress database tables do not use the default wp_ prefix. The prefix is chosen during installation (the "Table Prefix" field of the setup screen) and stored in wp-config.php as $table_prefix = 'wp_';
Changing it after the installation is more than editing that one line: every table has to be renamed, and the prefix also appears inside the data, in the option named wp_user_roles and in the user meta keys wp_capabilities and wp_user_level. Miss those rows and every account loses its role and gets locked out of wp-admin. Take a database backup first. Be clear about what this buys you: a non-default prefix defeats automated SQL injection payloads that hard-code the wp_ table names, but it does nothing against an attacker who can enumerate the schema, so treat it as a small obfuscation, not a security control.
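As an added example (not part of the original article), the following script generates the SQL needed to move an existing single-site install from one prefix to another, covering the three data rows that are easy to forget, and rewrites the $table_prefix line in wp-config.php. The prefixes wp_ and x9k_ are assumed for illustration, and the table list is the core set of a single-site WordPress 4.x install; plugin tables are not known in advance and must be added after checking SHOW TABLES.

```shell
#!/usr/bin/env bash
# Core tables of a single-site WordPress 4.x install, without their prefix.
# Plugin tables (list them with: SHOW TABLES LIKE 'wp\_%') must be appended here.
CORE_TABLES="commentmeta comments links options postmeta posts termmeta terms term_relationships term_taxonomy usermeta users"

# Emit the SQL that renames every core table from prefix $1 to prefix $2 and then
# fixes the rows where the prefix is stored as data rather than as a table name:
# the <prefix>user_roles option and the <prefix>capabilities / <prefix>user_level
# user meta keys. Without these UPDATEs every user loses their role after the rename.
prefix_migration_sql() {
  local old="$1" new="$2" t
  # Only letters, digits and underscores are safe in a prefix (it ends up in identifiers).
  case "$new" in
    *[!A-Za-z0-9_]*|"") echo "invalid prefix: '$new'" >&2; return 1 ;;
  esac
  for t in $CORE_TABLES; do
    printf 'RENAME TABLE `%s%s` TO `%s%s`;\n' "$old" "$t" "$new" "$t"
  done
  printf "UPDATE \`%soptions\` SET option_name = '%suser_roles' WHERE option_name = '%suser_roles';\n" "$new" "$new" "$old"
  printf "UPDATE \`%susermeta\` SET meta_key = '%scapabilities' WHERE meta_key = '%scapabilities';\n" "$new" "$new" "$old"
  printf "UPDATE \`%susermeta\` SET meta_key = '%suser_level' WHERE meta_key = '%suser_level';\n" "$new" "$new" "$old"
}

# Rewrite the $table_prefix line of the wp-config.php given as $1 to use prefix $2.
# Written through a temp file so a failed sed never truncates the real config.
set_config_prefix() {
  local file="$1" new="$2" tmp
  tmp="$(mktemp)" || return 1
  sed "s/^\([$]table_prefix *= *\)'[^']*';/\1'${new}';/" "$file" > "$tmp" && mv "$tmp" "$file"
}

# Stand-alone run: print the migration for an assumed wp_ -> x9k_ change.
prefix_migration_sql wp_ x9k_
```

Typical use is prefix_migration_sql wp_ x9k_ > migrate.sql, review the file, run it against the database with the site in maintenance mode, then set_config_prefix /path/to/wp-config.php x9k_. Do the SQL and the config change together: a site whose config names tables that do not exist will show the installation screen, which is itself a security problem.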
Advanced restrictions in your .htaccess file
In the .htaccess file at the root of your WordPress install, add the following above the # BEGIN WordPress block (WordPress rewrites that block and would otherwise discard your rules). Order/deny is the Apache 2.2 syntax; on Apache 2.4 it still works through mod_access_compat, the native form being Require all denied.
# Block access to the wp-config.php file
<files wp-config.php>
order allow,deny
deny from all
</files>
# Block access to the .htaccess file itself
<files .htaccess>
order allow,deny
deny from all
</files>
# Block the include-only files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
Skip the wp-includes/[^/]+\.php rule on a Multisite network: it would block ms-files.php, which serves the uploaded media.
Besides this, we urge you to prevent uploaded files from ever being executed: wp-content/uploads should serve static files only, so block .php, .py, .exe and similar files there, both in the web server configuration and by restricting which file types WordPress accepts.
We also encourage you to set up automatic backups of both the files and the database, run them on a regular schedule, and keep copies off the server so a compromise of the host does not take the backups with it.
A complete list can be found on the codex: https://codex.wordpress.org/Hardening_WordPress
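The following added example (not from the article or the codex) does two things for the uploads directory: it writes an .htaccess that refuses to serve script files from it, in both Apache 2.2 and 2.4 syntax, and it lists script files that are already there, since a web shell dropped before the rule existed should be found and removed, not merely hidden. The extension list extends the article's .php, .py, .exe with other extensions commonly mapped to interpreters; it is an assumption about your server, so adapt it to the handlers you actually have configured.

```shell
#!/usr/bin/env bash
# Write an .htaccess into the uploads directory $1 that stops Apache from serving
# (and therefore executing) script files there. Images, PDFs and other static
# files are unaffected. The pattern ends in (\.|$) so that a double extension
# such as shell.php.jpg, which mod_mime may still hand to PHP, is blocked as well.
harden_uploads_dir() {
  local dir="$1"
  [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
  cat > "$dir/.htaccess" <<'EOF'
# Nothing in wp-content/uploads should ever be executed server-side.
<FilesMatch "\.(php|php[0-9]|phtml|phar|pl|py|cgi|sh|exe)(\.|$)">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>
EOF
}

# List the files under $1 whose name marks them as code (including double
# extensions like x.php.jpg), one path per line, so an administrator can review
# them. A clean uploads directory prints nothing.
find_executable_uploads() {
  find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' \
      -o -iname '*.phar' -o -iname '*.pl' -o -iname '*.py' -o -iname '*.cgi' \
      -o -iname '*.sh' -o -iname '*.exe' -o -iname '*.php.*' \) | sort
}

# Stand-alone run: audit and then harden a constructed uploads tree.
demo_dir="$(mktemp -d)"
mkdir -p "$demo_dir/2018/04"
: > "$demo_dir/2018/04/photo.jpg"   # legitimate upload
: > "$demo_dir/2018/04/shell.php"   # constructed example of a dropped web shell
find_executable_uploads "$demo_dir"
harden_uploads_dir "$demo_dir"
rm -rf "$demo_dir"
```

Point both functions at the real directory, for instance find_executable_uploads /var/www/html/wp-content/uploads, and review every hit before deleting it. The .htaccess only helps when Apache is configured to honour it (AllowOverride) and does nothing on nginx or behind PHP-FPM setups that bypass it; on nginx the equivalent is a location block for ^/wp-content/uploads/.*\.php$ that returns 403.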
Security and Woffice
We will now detail the security of Woffice and how we, as its developers, strive to provide the most secure theme possible.
While building this theme, we followed these best practices:
- Commented and clean code
- Escaped values (using the WordPress escaping functions)
- Nonces (tokens) on every asynchronous (AJAX) request
- REST API restrictions
We also provide the following settings to help you secure your site:
- Role permissions
- An auto-update feature for theme updates, including security patches: we are currently at Woffice 2.5.3, which represents 88 releases so far
- A bundled Manual User Approval plugin
- reCAPTCHA on registration
- A private website mode, in which all pages are protected and restricted by default, with the ability to open only specific pages
I hope this article has been helpful and that you will get the most out of it. WordPress is a wonderful open-source project used on a substantial share of websites (30% of the web); that popularity also brings a lot of attention from attackers, which is why we need to be so careful with our configuration.
If you have any recommendation or comment, feel free to reach out using the comment form below, or our email address contact[at]alka-web.com.
If you enjoy hearing from us and learning about web-related content, please feel free to subscribe to our newsletter: http://eepurl.com/cTQ5gP
It is your call; we can only encourage you to join and stress that we will not spam you, we hate spammers.