11 Top WordPress Security Concerns & How WP Engine Takes Care of Them For You
Security is a major concern for sites of all shapes and sizes. According to Google’s 2016 research, the number of hacked sites rose over 30% in 2016 compared to 2015. Ensuring your site is protected from attackers is paramount to your site’s uptime and your brand’s integrity. At WP Engine we do a lot behind the scenes to ensure your site is safe and secure!
VULNERABLE SITE CODE
Between WordPress core, plugins, and themes, there’s a lot of site code to keep track of. What happens when a vulnerability is discovered? How do you know if sites are affected and how do you update them? Easy.
WP Engine does automatic WordPress updates. When WordPress publishes a security release, we automatically update sites to the patched version of the branch they are on. WP Engine also monitors public and private vulnerability feeds to ensure the platform is hardened against new vulnerabilities.
UNAUTHORIZED DISK WRITES
What if a plugin with vulnerable code is installed? A plugin that can be tricked into writing files wherever it likes hands that ability to whoever exploits it: an attacker can drop their own PHP files (a backdoor or web shell) onto the server and keep extending their foothold until your site is completely unusable. Not with WP Engine.
WP Engine limits disk write capabilities. That means only authorized users can write files to the server, limiting the extent of the damage.
XMLRPC ATTACKS
Some users may be aware that the xmlrpc.php file on your WordPress site exists so that remote apps can publish posts. Unfortunately, attackers know about this file too and send crafted POST requests to it. The endpoint accepts a username and password with many of its methods, and its system.multicall method lets a single request carry dozens of password guesses, which makes it a favorite for brute-force attacks that never touch the login form. That means attackers could be trying to hack into your site through this file. We’ve got you covered.
WP Engine blocks XMLRPC attacks. WP Engine automatically detects malicious requests trying to take advantage of XMLRPC misconfigurations.
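What request-level detection of this kind looks like, as an added example written for this page (it is not WP Engine’s detection code): the function below classifies a POST body aimed at xmlrpc.php, blocking system.multicall bundles that carry more than a handful of credential-bearing calls and pingback.ping calls whose target is not this site. The method list, threshold, hostname and the sample requests are assumptions constructed for the illustration.

```python
"""Added example (not WP Engine's detection code): classify a POST body sent to
xmlrpc.php. Two abuse patterns are checked: system.multicall bundles used to test
many passwords in one request, and pingback.ping calls aimed at a site that is
not ours. Thresholds, hostnames and sample requests are assumptions."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# XML-RPC methods that take username/password and so get used for password guessing
AUTH_METHODS = {"wp.getUsersBlogs", "wp.getProfile", "wp.getPosts", "wp.getOptions",
                "metaWeblog.getUsersBlogs", "blogger.getUsersBlogs"}
MULTICALL_AUTH_LIMIT = 5      # assumed: more than this many in one request is hostile
OUR_HOSTS = {"example.com"}   # assumed: hostnames this site answers to


def _text(value):
    """Text of an XML-RPC <value>, whether typed (<string>, <int>, ...) or bare."""
    if value is None:
        return ""
    typed = next(iter(value), None)
    return ((typed.text if typed is not None else value.text) or "").strip()


def _member(struct, name):
    """The <value> of a named <member> inside an XML-RPC <struct>."""
    for m in struct.findall("member"):
        n = m.find("name")
        if n is not None and n.text == name:
            return m.find("value")
    return None


def inspect_xmlrpc(body: bytes) -> dict:
    """Return {"method": ..., "verdict": "allow" | "block", "reason": ...}."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return {"method": "", "verdict": "block", "reason": "malformed XML"}
    if root.tag != "methodCall":
        return {"method": root.tag, "verdict": "block", "reason": "not a methodCall"}
    method = _text(root.find("methodName"))
    if method == "system.multicall":
        calls = root.findall("params/param/value/array/data/value/struct")
        names = [_text(_member(s, "methodName")) for s in calls]
        auth_calls = sum(1 for n in names if n in AUTH_METHODS)
        if auth_calls > MULTICALL_AUTH_LIMIT:
            return {"method": method, "verdict": "block",
                    "reason": f"{auth_calls} credential-bearing calls in one multicall"}
    elif method == "pingback.ping":
        params = root.findall("params/param/value")            # (sourceURI, targetURI)
        target = urlparse(_text(params[1])).hostname if len(params) == 2 else None
        if target not in OUR_HOSTS:
            return {"method": method, "verdict": "block",
                    "reason": f"pingback target {target!r} is not this site"}
    return {"method": method, "verdict": "allow", "reason": ""}


def sample_multicall(attempts: int) -> bytes:
    """Constructed request: a system.multicall carrying `attempts` wp.getUsersBlogs
    login attempts, the shape credential-stuffing tools send."""
    call = ("<value><struct>"
            "<member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>"
            "<member><name>params</name><value><array><data>"
            "<value><string>admin</string></value><value><string>{pw}</string></value>"
            "</data></array></value></member></struct></value>")
    calls = "".join(call.format(pw=f"guess{i}") for i in range(attempts))
    return ("<?xml version='1.0'?><methodCall><methodName>system.multicall</methodName>"
            f"<params><param><value><array><data>{calls}</data></array></value></param>"
            "</params></methodCall>").encode()


# Constructed: one ordinary login by a remote app, and a bogus pingback
SINGLE_LOGIN = b"""<?xml version="1.0"?><methodCall><methodName>wp.getUsersBlogs</methodName>
<params><param><value><string>editor</string></value></param>
<param><value><string>correct horse battery staple</string></value></param></params></methodCall>"""

BOGUS_PINGBACK = b"""<?xml version="1.0"?><methodCall><methodName>pingback.ping</methodName>
<params><param><value><string>http://victim.example/</string></value></param>
<param><value><string>http://not-this-site.example/post/1</string></value></param></params></methodCall>"""

if __name__ == "__main__":
    for body in (sample_multicall(50), SINGLE_LOGIN, BOGUS_PINGBACK, b"<nope"):
        print(inspect_xmlrpc(body))
```

A single legitimate login still passes, so this complements rather than replaces a rate limit on failed credentials; a pingback with a valid target is only abusable as a reflector, which is better handled by disabling pingbacks or rate-limiting by source host than by body inspection.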
SHARED DATABASES
Best practice is to give each WordPress site its own database and its own database user. This is a “containment” strategy: should one database or its credentials be compromised, the others are not at risk. But managing many usernames, passwords, and authentication keys and salts can be confusing and frustrating! We take care of it.
WP Engine maintains separate databases and users for all sites. We maintain all the security aspects of users, passwords, and salts to make it easy for you. Your WP Engine site is automatically connected to the correct database, as is your WP Engine User Portal.
UNAUTHORIZED CONFIGURATION CHANGES
Some of the most important settings on your site live in a handful of configuration files, wp-config.php above all. Those files should never be readable from the outside world, let alone editable. Working out how to control who can reach these sensitive files may be a worry. With us, there’s no need to worry.
WP Engine protects your site’s configuration files and uploads. We automatically put server-level protections in place for your WordPress configuration files and the server’s own configuration, as well as your site’s uploads folder.
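What server-level protection of this kind looks like on an nginx front end, as an added example written for this page rather than WP Engine’s actual configuration; the hostname, paths, certificate locations and PHP-FPM socket are assumptions. The weak setting is a bare PHP handler with no exceptions; the corrected version below denies the configuration file, dotfiles and any PHP under uploads before the general handler, because nginx uses the first regex location that matches:

```nginx
# Added example, not WP Engine's configuration. Hostname, paths and socket are assumed.
server {
    listen 443 ssl;
    server_name example.com;
    root /var/www/example.com/public;
    index index.php;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;   # assumed
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;     # assumed

    # Let's Encrypt HTTP-01 validation must stay reachable even though dotfiles
    # are denied below; "^~" stops regex evaluation for this prefix.
    location ^~ /.well-known/acme-challenge/ { allow all; }

    # Weak: a bare "location ~ \.php$" handler with no exceptions would execute
    # any PHP file an attacker manages to drop under wp-content/uploads.
    # Corrected: nginx takes the FIRST matching regex location, so every deny
    # rule is listed before the general PHP handler.

    # wp-config.php and editor/backup copies of it (wp-config.php~, .bak, .save, ...)
    location ~* /wp-config\.php { deny all; }

    # Dotfiles: .htaccess, .env, .git/ and friends
    location ~ /\. { deny all; }

    # Uploads are data, not code: never hand anything under uploads/ to PHP
    location ~* ^/wp-content/uploads/.*\.(php|phtml|phar)$ { deny all; }

    # xmlrpc.php is only needed by remote publishing apps; deny it if you use none
    location = /xmlrpc.php { deny all; }

    # Everything else ending in .php goes to PHP-FPM
    location ~ \.php$ {
        try_files $uri =404;                      # no PHP execution for paths that do not exist
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;  # assumed socket path
    }

    location / { try_files $uri $uri/ /index.php?$args; }
}
```

Check the result with `nginx -t` and then with real requests: `curl -sI https://example.com/wp-config.php.bak` and `curl -sI https://example.com/wp-content/uploads/x.php` should both return 403, while `/.well-known/acme-challenge/test` still reaches the document root.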
WEAK PASSWORDS
Site managers often have the headache of ensuring every user on their site uses a secure password. Making sure users choose unique usernames and strong passwords can be a chore in and of itself. We make it easy.
WP Engine requires all Administrators, Editors, and Authors to use strong passwords. Subscribers and Contributors are exempt, so the requirement covers everyone who can publish content on your site.
ENCRYPTION OF USER DATA
You might also be concerned about the data users enter when they’re on your site. Whether your users are filling out a form, building a profile, commenting, or entering their personal details in checkout, you have to be sure that data is secure. We’re here for you.
WP Engine offers free Let’s Encrypt SSL certificates. SSL (strictly, its successor TLS) encrypts the connection between a visitor’s browser and your site, so the data entered on your pages cannot be read or altered by anyone listening in on the network. Note what this does and does not cover: it protects data in transit, not data once it is stored on the server, so form submissions, profiles and order details still need careful handling after they arrive.
FILE TRANSFER ENCRYPTION
You may also wonder what protection is in place when transferring files to and from the server. If those files are not encrypted, it could allow anyone “listening” on your network access to those private site files. Your files are safe with us.
WP Engine forces secure file transfers. We use SFTP (file transfer over SSH) rather than plain FTP for every connection to your site’s files. That means your data is encrypted both when uploading and downloading content to and from your site.
BRUTE FORCE LOGIN ATTEMPTS
When an attacker tries to “brute force” your site, this means they repeatedly try username and password combinations until they find one that works. You may think that this method would take ages to break into your site, but you’d be wrong. A bot using brute force methods can try thousands of combinations in a matter of seconds. That prospect can be pretty scary to consider, but don’t stress.
WP Engine blocks brute force login attempts. Our system identifies when a login attempt is not coming from a real user and returns an empty response.
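How a simple version of that detection can be done from your own access logs, as an added example written for this page (it is not WP Engine’s system): a per-source sliding window over failed POSTs to wp-login.php. The log lines are constructed, and the threshold and window are assumptions to tune to your traffic.

```python
"""Added example (not WP Engine's detection system): pick brute-force sources out
of web-server access logs. The log lines below are constructed, and the threshold
and window are assumptions; tune them to your traffic."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" format: ip ident user [time] "method path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

FAIL_THRESHOLD = 5              # assumed: failures tolerated per source ...
WINDOW = timedelta(minutes=10)  # ... inside this sliding window


def is_failed_login(rec):
    """A failed POST to wp-login.php comes back as 200 (the form is re-rendered);
    a successful one redirects (302). Logins via xmlrpc.php also return 200 and
    need body inspection, so they are deliberately not counted here."""
    path = rec["path"].split("?", 1)[0]
    return rec["method"] == "POST" and path.endswith("/wp-login.php") and rec["status"] == "200"


def find_brute_forcers(lines, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {ip: time_first_exceeded} for every source with more than `threshold`
    failed logins inside any `window`-long span (per-IP sliding window)."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # unparseable line: skip, do not crash
        rec = m.groupdict()
        if not is_failed_login(rec):
            continue
        ts = datetime.strptime(rec["ts"], TS_FMT)
        q = recent[rec["ip"]]
        q.append(ts)
        while q and ts - q[0] > window:   # drop attempts that have aged out
            q.popleft()
        if len(q) > threshold and rec["ip"] not in flagged:
            flagged[rec["ip"]] = ts
    return flagged


def _line(ip, ts, method, path, status):
    """Constructed combined-format log line for the sample below."""
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# Constructed sample: one source hammering the login form, one real user who
# mistypes once and then logs in (302), some unrelated traffic, and a junk line.
SAMPLE_LOG = (
    [_line("203.0.113.7", "10/Mar/2017:08:00:00 +0000", "POST", "/wp-login.php", 200)]  # aged out
    + [_line("203.0.113.7", f"10/Mar/2017:09:00:{s:02d} +0000", "POST", "/wp-login.php", 200)
       for s in range(0, 40, 5)]                                                         # 8 in 40 s
    + [_line("198.51.100.23", "10/Mar/2017:09:00:10 +0000", "POST", "/wp-login.php", 200),
       _line("198.51.100.23", "10/Mar/2017:09:00:30 +0000", "POST", "/wp-login.php", 302),
       _line("203.0.113.7", "10/Mar/2017:09:01:00 +0000", "GET", "/", 200),
       "this line is garbage and must not break the parser"]
)

if __name__ == "__main__":
    for ip, when in find_brute_forcers(SAMPLE_LOG).items():
        print(f"block {ip}: threshold exceeded at {when:%H:%M:%S}")
```

Feeding the result to a firewall or to the web server’s deny list is the part that differs per host; note that an attacker spread across many addresses will stay under a per-IP threshold, which is why counting failures per target username as well is worthwhile.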
MISBEHAVING BOTS
WP Engine blocks misbehaving bots. We identify and block bad behavior so you don’t have to.
HACKED OR DEFACED SITES
What if your site contained a vulnerability in its code and was hacked, defaced, or worse? In the event of the unthinkable, it’s good to know what your options are. If you haven’t been making regular backups of your site, by then it’s too late. So we do it for you.
WP Engine makes nightly backups of your site. You can restore part or all of your site with a single click in your User Portal. Not only is this good in case of security issues, it’s good practice in general. If an update or a code mistake leaves your site down, restoring to a backup is quick and easy.
BEST PRACTICES FOR SECURITY
Knowing what WP Engine does to keep your site secure is a huge relief for users. But there is no single, simple answer for security. With the freedom to use your own plugins and themes also comes a great responsibility when it comes to security. Security is a partnership WP Engine shares with our customers.
ALWAYS BE UPDATING
By a wide margin, most security vulnerabilities come from poorly written code or outdated plugins and themes. As of Q3 2016, Sucuri reported that 18% of all hacked WordPress sites were compromised through three outdated plugins: Gravity Forms, TimThumb, and RevSlider. Each of them had shipped a fixed version at least a year earlier, which would have prevented infection. It is important to keep on top of all WordPress plugin and theme updates to ensure your site is secure. Additionally, WordPress has a thorough hardening guide with great information spanning security concepts as well as methods to keep your site protected.
ADHERE TO THE “LEAST PRIVILEGE” PRINCIPLE
The principle of least privilege states that users, and code as well, should be given access only to the assets they need to perform their core function, and nothing more. As a WordPress Administrator, your role is to grant other users only the role their job requires: a writer who needs an Author or Contributor account should not hold an Administrator account. As a WordPress Developer, your role is to ensure your code follows the WordPress Coding Standards and works within the security boundaries WordPress provides (capability checks, nonces, and its escaping and sanitization functions) rather than around them.
COVER ALL YOUR BASES
The principle of defense in depth states that the best strategy is protection from as many angles as possible: a layered approach to security rather than a one-dimensional one, so that a failure of one layer is caught by the next. Securing your site on multiple layers is key. A multi-layered defense could look like: securing your logins, staying on top of updates, coding according to best practices, using trusted plugins, and using monitoring, all in combination.
GET YOUR CODE FROM TRUSTED SOURCES
Don’t download plugins or themes from unknown sources. Downloading from the WordPress Plugin Repository or other reputable sources that vet the integrity and security of the code they distribute is extremely important; “nulled” copies of paid plugins and themes from third-party sites are a classic carrier of backdoors. When you download a plugin or theme, also check how often it is updated. Choose plugins that are regularly maintained by their author; they are more likely to release a timely fix should a vulnerability be discovered.
DOUBLE DOWN ON AUTHENTICATION
Securing entry to your site is important. A strong username and password combination is certainly a great step, but you can take it one step further with Two-Factor Authentication. Two-Factor Authentication means that, besides the traditional username and password, a login must be confirmed by a second method: for example, a plugin can ask the user for a temporary code generated by, or sent to, a device they have verified. Plugins such as Duo and miniOrange’s Google Authenticator integration add this second layer to your login page.
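The check behind the “temporary code” that authenticator apps and these plugins use is TOTP (RFC 6238, built on HOTP, RFC 4226). The following is an added example written for this page, not the code of Duo, miniOrange or any other plugin: it generates codes, verifies them with a one-step clock tolerance, and refuses to accept a step twice. The secret is the RFC test-vector secret, and the tolerance and replay rule are design choices made here.

```python
"""Added example of the time-based one-time password (TOTP, RFC 6238) check that
authenticator apps and WordPress 2FA plugins implement. It is not the code of Duo,
miniOrange or any other plugin; the secret is the RFC test-vector secret, and the
one-step clock tolerance and replay rejection are design choices made here."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server-side check: accept the current step plus `skew_steps` on either side
    (phone clocks drift), but never accept a step at or before the last one consumed,
    so a sniffed or shoulder-surfed code cannot be replayed."""

    def __init__(self, secret_b32: str, skew_steps: int = 1, step: int = 30):
        padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)  # apps often strip '='
        self.secret = base64.b32decode(padded)
        self.skew = skew_steps
        self.step = step
        self.last_used_step = -1

    def verify(self, code: str, now=None) -> bool:
        now = int(time.time()) if now is None else int(now)
        current = now // self.step
        for candidate in range(current - self.skew, current + self.skew + 1):
            if candidate <= self.last_used_step:
                continue                                   # replay or stale step
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_used_step = candidate
                return True
        return False


# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890")
RFC_SECRET = b"12345678901234567890"
RFC_SECRET_B32 = base64.b32encode(RFC_SECRET).decode()   # the form that goes into the QR code

if __name__ == "__main__":
    print("current code for the RFC secret:", totp(RFC_SECRET, int(time.time())))
```

In a real deployment `last_used_step` lives in the user record, the per-user secret is generated with `secrets.token_bytes(20)` and stored encrypted, and failed code attempts are rate-limited just like passwords, since a six-digit code is only a million possibilities.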
MONITOR YOUR SITE
Uptime monitoring and integrity monitoring are key ways to ensure that if your site is ever compromised, the effects are as minimal as possible. Knowing there is an issue right away lets your team act as quickly as possible. Uptime monitoring services like Pingdom and UptimeRobot check at all times that your site is responding properly. But you will also want integrity monitoring. Plugins like Stream and Sucuri Security track file changes and/or WordPress Admin Dashboard activity. Last, external tools like Google Search Console help with reputation and health monitoring, so you learn quickly if your site lands on a blacklist. And remember that you can restore your site to a healthy state in one click from the backups in the User Portal.
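What file-integrity monitoring boils down to, as an added example written for this page (not Stream’s or Sucuri’s code): hash every file once to make a baseline, hash again later, and report what was added, removed or modified, with the two findings an admin should look at first (new PHP under uploads, and changed core or configuration files) pulled out. The site tree is constructed in a temporary directory, and the list of sensitive paths is an assumption.

```python
"""Added example (not Stream's or Sucuri's code): baseline/compare file integrity
monitoring for a WordPress tree. The sample tree is constructed in a temp dir and
the list of sensitive paths is an assumption."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map relative path -> sha256 hex digest for every regular file under root."""
    root = Path(root)
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            h = hashlib.sha256()
            with p.open("rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            result[p.relative_to(root).as_posix()] = h.hexdigest()
    return result


def diff_snapshots(baseline, current):
    """Paths added, removed, or whose content hash changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def suspicious(findings):
    """Findings to look at first: executable code appearing under uploads, and
    changes to core or configuration files that updates you did not run cannot explain."""
    hits = []
    for p in findings["added"]:
        if p.startswith("wp-content/uploads/") and p.endswith((".php", ".phtml", ".phar")):
            hits.append(("php in uploads", p))
    for p in findings["modified"]:
        if p in ("wp-config.php", "index.php", ".htaccess") or p.startswith(("wp-admin/", "wp-includes/")):
            hits.append(("core/config change", p))
    return hits


def demo():
    """Build a tiny constructed site tree, baseline it, tamper with it, and report."""
    with tempfile.TemporaryDirectory() as d:
        site = Path(d)
        files = {  # constructed stand-ins for real WordPress files
            "index.php": "<?php require 'wp-blog-header.php';",
            "wp-config.php": "<?php define('DB_NAME', 'wp');",
            "wp-includes/functions.php": "<?php // core",
            "wp-content/uploads/2017/03/photo.jpg": "\xff\xd8 not really a jpeg",
        }
        for rel, body in files.items():
            (site / rel).parent.mkdir(parents=True, exist_ok=True)
            (site / rel).write_text(body)
        baseline = snapshot(site)
        # Simulated compromise: a PHP file dropped in uploads, a core file edited
        (site / "wp-content/uploads/2017/03/photo.jpg.php").write_text(
            "<?php /* constructed: stands in for a dropped web shell */")
        (site / "wp-includes/functions.php").write_text("<?php // core\n// injected line")
        findings = diff_snapshots(baseline, snapshot(site))
        return findings, suspicious(findings)


if __name__ == "__main__":
    findings, hits = demo()
    print(findings)
    for kind, path in hits:
        print(f"ALERT {kind}: {path}")
```

Keep the baseline off the web server (an attacker who can edit files can edit a baseline stored beside them), refresh it deliberately after each update you run, and treat a core-file change you did not schedule as a reason to restore from backup rather than to patch by hand.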
There are 2 comments
Can/should Let’s Encrypt certificates be used on staging/development sites? And is that cert transferable to a production site?
Thanks for your question.
By default, the staging and development sites will have a WP Engine temporary URL such as sitename.wpengine.com. These domains will already be covered by WP Engine’s SSL/TLS. If these temporary URLs are used, then Let’s Encrypt will not be needed as these subdomains are already secure over HTTPS.