WordPress Security

If you’ve been paying attention to recent tech news, you’re well aware of the security attacks over the past few weeks. Most notably, there was the massive botnet with over 90,000 IP addresses running systemized attacks on WordPress sites across all hosts. Basically, the botnet is brute-forcing its way into WordPress sites with common usernames (like “admin”).

The botnet is not set up to exploit a vulnerability inherent to WordPress Core (those are hard to find these days). It’s exploiting weak username and password combinations. WordPress Core is remarkably secure, particularly for an application with more than 70 million installations. With that volume of installations, it makes sense that some of the user-selected usernames and passwords might be a weak link.

With all these issues going on, we think now is a great time to do a series of blog posts on security. We’ll cover some of the foundations of good security, and illustrate how they apply to the end user and to developers. We’ll also hear from some noted WordPress security experts to learn how they approach securing WordPress.

The goal is to educate and have a dialogue about security best practices that are applicable, regardless of whether you are hosted with WP Engine or another provider.

Some of the best practices we’ll cover include the following topics:

  • Staying on top of core updates (using this plugin can help)
  • Being proactive about plugin and theme updates
  • Knowing the code that’s running on your site
  • Enforcing strong passwords – WP Engine does this for our customers
  • Blocking and logging pending attacks – Also done by our systems
  • Separating customer sites via filesystem roots – Shared hosting companies often do not do this
  • Isolating database access – They also may not do this either
  • In-house vulnerability scanning performed quarterly
  • Contracting with third-party providers for remediation as well as auditing

On the topic of recent security attacks, it’s worth noting that WP Engine has seen very little impact from the botnet due to the additional security measures we apply to all accounts.

Security Measures WP Engine Employs Include:

  • Forcing of strong and secure passwords (this plugin works on the admin and password reset fields)
  • Limiting login attempts (plugin)
  • By default, we don’t create “admin” usernames on our installs
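
A botnet like the one described above spreads its guesses over tens of thousands of IP addresses, so a login-attempt limit that counts failures per client IP alone never trips. As an added example (not WP Engine’s code and not the plugin linked above), the limiter below keeps a sliding window of failures per IP and per target username, so repeated guesses against “admin” from many different addresses still lock that account; the thresholds, timestamps and 203.0.113.0/24 addresses are constructed for the illustration.

```python
import time
from collections import defaultdict, deque


class LoginAttemptLimiter:
    """Sliding-window failed-login counter keyed by client IP *and* by
    username (case-insensitive), so a distributed brute-force attack that
    rotates IPs still trips the per-username lockout. Thresholds below are
    illustrative, not WordPress or WP Engine defaults."""

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> unix time the lockout expires

    @staticmethod
    def _keys(ip, username):
        return (("ip", ip), ("user", username.lower()))

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()

    def is_locked(self, ip, username, now=None):
        now = time.time() if now is None else now
        return any(self._locked_until.get(k, 0) > now for k in self._keys(ip, username))

    def record_failure(self, ip, username, now=None):
        now = time.time() if now is None else now
        for key in self._keys(ip, username):
            self._prune(key, now)
            self._failures[key].append(now)
            if len(self._failures[key]) >= self.max_failures:
                self._locked_until[key] = now + self.lockout   # lock IP or username
                self._failures[key].clear()

    def record_success(self, ip, username):
        for key in self._keys(ip, username):   # a real login resets the counters
            self._failures.pop(key, None)


def simulate_distributed_attack(attempts=8, username="admin"):
    """Constructed scenario: every guess at one username comes from a new IP.
    Returns the number of failures seen before the lockout took effect."""
    limiter = LoginAttemptLimiter()
    t0 = 1_700_000_000
    for i in range(attempts):
        ip = f"203.0.113.{i}"  # TEST-NET-3 documentation range, constructed
        if limiter.is_locked(ip, username, now=t0 + i):
            return i
        limiter.record_failure(ip, username, now=t0 + i)
    return None
```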

What else goes into maintaining high security for WordPress?

Well, a lot of things. There’s never any one step to setting up a secure system.

Managed WordPress hosts like WP Engine have been able to learn from hosting demanding, large-scale websites. We’ve been able to pass this experience down to our customers at all account sizes and types. In the coming posts, we’ll share many of these security best practices with you all.