The WordPress Codex states:
Security in WordPress is taken very seriously
This may be the case, but in reality, you yourself have to take some additional measures so that you won’t have a false sense of security.
With the default settings of WordPress and PHP, the minute you host Wordpress and give access to one single non-security-conscientious administrative user, your entire hosting environment should be considered as compromised.
The general problem with WordPress and PHP is that rather than thinking about which few essential features to turn on (whitelisting), you have to think about dozens of insecure features to turn off (blacklisting).
This excellent article (“Common WordPress Malware Infections”) gives you an overview what you’re up against when it comes to protecting WordPress from Malware.
Below are a couple of suggestions that should be undertaken, starting with the most important ones.
Disable WordPress File Editing
WordPress comes with the PHP file editor enabled by default. One of the most important rules of server security is that you never, ever, allow users to execute arbitrary program code. This is just inviting desaster. All it takes is the admin password to be stolen/sniffed/guessed to allow the WordPress PHP code to be injected with PHP malware. Then, if you haven’t taken other restricting measures in PHP.ini (see section below), PHP may now
- Read all readable files on your entire server
- Include /etc/passwd and expose the names of all user accounts publicly
- Read database passwords from wp-config.php of all other WordPress installations and modify or even delete database records
- Read source code of other web applications
- etc.
- Modify writable files
- Inject more malware
- etc.
- Use PHP’s curl functions to make remote requests
- Turns your server into part of a botnet
So amongst the first things to do when hosting WordPress, is to disable file editing capabilities:
define('DISALLOW_FILE_EDIT', true);But that measure assumes that WordPress plus third-party Plugins are secure enough to improve their own security, which one cannot assume, so it is better to…
The “Big Stick”: Remove Write File Permissions
I’ll posit here something that I believe to be self-evident:
It is safer to make WordPress files read-only and thus disallow frequent WordPress (and third-party Plugin) upgrades than it is to allow Wordpress (and third-party Plugins) to self-modify.
Until I learn that this postulate is incorrect, I’ll propose that you make all WordPress files (with the obvious exception of the uploads directory) owned by root, and writable only to root, interpreted by a non-root user. This will leverage the security inherent in the Linux Kernel:
find . -type d -exec chmod 755 {} \;
find . -type f -exec chmod 644 {} \;
chown -R root:root .
chown -R www-data:www-data wp-content/uploadsNote that you still can upgrade WordPress from time to time manually. You could even write a shell script for it.
Restrict serving of files
Disable direct access to wp-config.php which contains very sensitive information which would be revealed should the PHP not be processed correctly. In Nginx:
location = /wp-config.php {
deny all;
}
Disable PHP execution in the uploads directory. In Nginx:
location ~* /(?:uploads|files)/.*.php$ {
deny all;
}
Restrict PHP
I’ll refer the reader to already written excellent external articles – please do implement the suggestions therein:
25 PHP Security Best Practices
Host WordPress in a Virualization Environment
In addition to all of the above, any kind of publicly exposed web application (not just WordPress) should really be hosted in an isolated environment. Docker seems promising for this purpose. I found the following great external tutorial about generating a LAMP Docker image:
https://codeable.io/wordpress-developers-intro-docker/
https://codeable.io/wordpress-developers-intro-to-docker-part-two/