A definitive checklist for secure WordPress hosting for your customers
WordPress takes security very seriously. It releases “minor” revisions regularly, addressing even vulnerabilities reported just hours before. Recent WordPress versions also apply background updates automatically, to prevent exploitation of known vulnerabilities.
Even with such a proactive approach to security, news feeds are full of reports of WordPress sites affected by one vulnerability or another. So what is going on here, and how can you ensure secure WordPress hosting for your customers?
In our role as outsourced hosting support specialists for web hosts, our key priority is to help them provide a secure hosting environment for WordPress sites, which in turn helps them retain their customers.
Checklist for a secure WordPress hosting
Listed here are the common ways in which WordPress sites are hacked.
- Exploiting unpatched WordPress vulnerabilities
- Exploiting unaddressed vulnerabilities in themes and plugins
- Exploiting undetected vulnerabilities in hosting environment
- Using stolen login credentials
Now let’s address each of these issues one by one and look at the solutions available to mitigate them. I’m going to avoid plugins as much as possible, because even security plugins are known to have had vulnerabilities.
We’ll employ defense in depth (or multi-layered defense), security by obscurity (denying target information), access restriction and penetration testing in this checklist.
1. Securing WordPress core
As mentioned earlier, WordPress is serious about security and comes bundled with many security options that work out of the box. On top of those, we add a few hosting-level security measures to make your WordPress extra secure.
Use non-standard table prefix
By default WordPress uses “wp_” as the prefix for all of its tables, and mass SQL injection exploits rely on that prefix being in place. So we change it at installation time to something else, such as “mysite_”, as a cheap hedge against undisclosed exploits.
Put wp-config.php outside document root
Due to vulnerabilities in the hosting environment, hackers might be able to download wp-config.php, thereby disclosing the database login details. WordPress by default also looks in the parent directory for wp-config.php. So we move it one level up, out of the document root, for an additional layer of security.
Remove “admin” user
Most brute force attacks simply try to guess the password of the “admin” user. We close off this angle of attack by creating another user with administrative privileges, re-assigning all posts of “admin” to the new user, and then deleting the “admin” user.
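The three steps just described (create a replacement administrator, re-assign the posts, delete “admin”), as an added example written for this page with WP-CLI rather than the WordPress dashboard; it is not the original post's own procedure. It assumes WP-CLI is installed and the script is run from the site's document root; the login name and e-mail address are placeholders chosen by the operator. The wrapper refuses to delete “admin” when the replacement account does not exist or is “admin” itself, so a typo cannot leave the site without an administrator.

```shell
#!/bin/sh
# Added example, not from the original post: retire the default "admin"
# account with WP-CLI. Assumes WP-CLI (the `wp` command) is available and
# the working directory is the WordPress document root.

# Print the numeric ID of a user (login, e-mail or ID), or nothing if absent.
wp_user_id() {
  wp user get "$1" --field=ID 2>/dev/null || true
}

# Replace "admin" with another administrator account.
#   $1 = login of the replacement administrator (must not be "admin")
#   $2 = e-mail for the replacement, used only if it has to be created;
#        WordPress rejects an address already used by "admin".
# When the account is created without --user_pass, WP-CLI generates a
# strong random password and prints it once; --porcelain makes it print
# only the new user ID, which is what we capture here.
replace_admin_user() {
  old_id=$(wp_user_id admin)
  [ -n "$old_id" ] || { echo "no 'admin' user present, nothing to do" >&2; return 0; }
  new_id=$(wp_user_id "$1")
  if [ -z "$new_id" ]; then
    new_id=$(wp user create "$1" "$2" --role=administrator --porcelain) || return 1
  fi
  [ "$new_id" != "$old_id" ] || { echo "refusing to delete the replacement user" >&2; return 1; }
  # Re-assign every post and page owned by "admin" to the new ID, then
  # delete the account; --yes suppresses the interactive confirmation.
  wp user delete admin --reassign="$new_id" --yes
}

# Usage (placeholder values):
#   replace_admin_user siteowner owner@example.com
```

The new login is still published as the author slug and in post bylines unless the nicename and display name differ from it; `wp user update <id> --user_nicename=... --display_name=...` sets both. Rotating the password of the new account is part of the same change.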
[ You don’t have to lose your sleep over hosting security. Our expert hosting support specialists are online 24/7/365 to help you provide secure services. ]
Password protect “wp-admin” directory
Most brute force attacks depend on the “wp-admin” folder being readily accessible. We password protect the “wp-admin” directory using an .htaccess file to blunt those attacks, which gives the admin interface a second, independent layer of authentication.
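One way to set up that second layer, as an added example for this page rather than the post's own configuration: an .htaccess with HTTP Basic authentication on wp-admin, with the credential file kept above the document root. It assumes Apache 2.4 with `AllowOverride AuthConfig` enabled for the site and an `openssl` binary on the server; the document root, user name and password are placeholders. The exception for admin-ajax.php matters in practice, because themes and plugins call it for anonymous visitors and would break behind the extra password.

```shell
#!/bin/sh
# Added example, not from the original post: protect /wp-admin with Basic
# auth. Assumes Apache 2.4 (Require syntax) with AllowOverride AuthConfig.

# Hash a password in Apache's MD5-crypt ("$apr1$") format, which every
# Apache build accepts; `htpasswd -B` (bcrypt) is preferable where available.
htpasswd_entry() {  # $1 = user, $2 = password
  hash=$(printf '%s\n' "$2" | openssl passwd -apr1 -stdin) || return 1
  printf '%s:%s\n' "$1" "$hash"
}

# Write the credential file and the .htaccess for wp-admin.
#   $1 = document root, $2 = user, $3 = password
protect_wp_admin() {
  admin_dir="$1/wp-admin"
  [ -d "$admin_dir" ] || { echo "no wp-admin under $1" >&2; return 1; }
  # The credential file lives one level above the document root, so the
  # web server can never serve it; 640 leaves it readable by the server's
  # group (adjust ownership to your PHP/Apache user model).
  passfile="$(dirname "$1")/.htpasswd-wp-admin"
  htpasswd_entry "$2" "$3" > "$passfile" || return 1
  chmod 640 "$passfile"
  cat > "$admin_dir/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted"
AuthUserFile $passfile
Require valid-user

# admin-ajax.php is called by front-end code for anonymous visitors, so it
# must stay reachable without the second password.
<Files admin-ajax.php>
    Require all granted
</Files>
EOF
}

# Usage (placeholder values):
#   protect_wp_admin /var/www/example.com/public_html editor 'a long passphrase'
```

Apache re-reads .htaccess on every request, so the change is live immediately. On nginx, which ignores .htaccess, the equivalent is an `auth_basic` block on `location /wp-admin/` with the same credential file. Apache 2.2 needs the older `Order allow,deny` / `Satisfy any` form inside the `<Files>` block instead of `Require all granted`.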
Lock down files and directories
We conduct a detailed inspection of the server for insecure files and folders. Permissions of all files and directories are limited to 644 and 755 respectively, which stops many malware upload attempts.
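The 644/755 baseline applied and then audited, as an added example written for this page (not the post's own script). It assumes the site files are owned by the hosting account and that PHP runs as that same account (suPHP or a per-user PHP-FPM pool), which is what makes 644/755 workable for uploads; where PHP runs as a separate web server user, writable directories such as wp-content/uploads need group access instead. The document root path is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: apply the 755/644 baseline and
# report anything that still deviates. Assumes files are owned by the
# hosting account and PHP runs as that account.

# Directories to 755, files to 644, and wp-config.php (database
# credentials) to 600 so that no other account on the server can read it.
lock_down_permissions() {  # $1 = document root
  [ -d "$1" ] || { echo "not a directory: $1" >&2; return 1; }
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
  if [ -f "$1/wp-config.php" ]; then
    chmod 600 "$1/wp-config.php"
  fi
}

# List files that are group/world writable or carry an execute bit (PHP
# files never need one), and directories that are group/world writable.
# Returns 1 when anything is found, so it can gate a deployment.
audit_permissions() {  # $1 = document root
  offenders=$(find "$1" \
    \( -type f \( -perm -o+w -o -perm -g+w -o -perm -u+x \) \) -o \
    \( -type d \( -perm -o+w -o -perm -g+w \) \))
  [ -z "$offenders" ] && return 0
  printf 'Deviating permissions under %s:\n%s\n' "$1" "$offenders" >&2
  return 1
}

# Usage (placeholder path):
#   lock_down_permissions /var/www/example.com/public_html
#   audit_permissions     /var/www/example.com/public_html
```

Run the audit on its own from cron; a new world-writable file or an executable appearing under wp-content/uploads is worth an alert, since that is where dropped web shells tend to land.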
Replace default WordPress security keys
WordPress uses secret keys and “salts” to protect the login cookies it sets in visitors’ browsers. The default keys shipped with each version are public, so it is trivial for hackers to determine them. We therefore generate a different set of keys and replace the old ones in wp-config.php as a security measure.
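The three wp-config.php changes on this checklist (the non-default table prefix, fresh secret keys and salts, and moving the file above the document root) done from the shell, as an added example for this page rather than the post's own tooling. It assumes a wp-config.php copied from wp-config-sample.php, a layout such as /var/www/example.com/public_html (placeholder), and that PHP runs as the account that owns the file. The prefix step is only safe on a fresh install, as the text says: changing it later means renaming every table and the prefixed rows in the options and usermeta tables as well.

```shell
#!/bin/sh
# Added example, not from the original post: harden wp-config.php.
# Assumes a standard layout; paths below are placeholders.

# Rewrite a file through sed without `sed -i`, which differs between GNU
# and BSD implementations.
sed_in_place() {  # $1 = file, $2 = sed expression
  sed "$2" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Set $table_prefix. WordPress only allows letters, digits and underscores.
set_table_prefix() {  # $1 = wp-config.php, $2 = new prefix
  case "$2" in
    ''|*[!A-Za-z0-9_]*) echo "invalid prefix: '$2'" >&2; return 1 ;;
  esac
  sed_in_place "$1" "s|^[\$]table_prefix *= *'[^']*';|\$table_prefix = '$2';|"
}

# One 64-character random value per key, the length WordPress's own
# secret-key service hands out; alphanumerics only, so nothing needs
# escaping inside the PHP string or the sed expression.
gen_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 64
}

WP_SECRET_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# Replace all eight define( 'KEY', '...' ) lines and fail if any of the
# sample placeholders survived.
replace_secret_keys() {  # $1 = wp-config.php
  for key in $WP_SECRET_KEYS; do
    sed_in_place "$1" "s|define( *'$key', *'[^']*' *);|define( '$key', '$(gen_secret)' );|" || return 1
  done
  ! grep -q 'put your unique phrase here' "$1"
}

# Move wp-config.php one directory up. WordPress (wp-load.php) looks there
# on its own, but only if that directory holds no wp-settings.php, i.e. is
# not itself a WordPress install. The parent must also lie outside every
# virtual host's document root, otherwise nothing is gained.
relocate_wp_config() {  # $1 = document root
  docroot=$(cd "$1" && pwd) || return 1
  parent=$(dirname "$docroot")
  [ -f "$docroot/wp-config.php" ] || { echo "no wp-config.php in $docroot" >&2; return 1; }
  if [ -f "$parent/wp-settings.php" ]; then
    echo "$parent contains a WordPress install; WordPress would not read from it" >&2
    return 1
  fi
  # 600 suits PHP running as the file owner; use 640 plus the server's
  # group where PHP runs as a different user.
  mv "$docroot/wp-config.php" "$parent/wp-config.php" && chmod 600 "$parent/wp-config.php"
}

# Usage (placeholder values), on a fresh install before the first login:
#   set_table_prefix    /var/www/example.com/public_html/wp-config.php mysite_
#   replace_secret_keys /var/www/example.com/public_html/wp-config.php
#   relocate_wp_config  /var/www/example.com/public_html
```

Replacing the keys on a live site invalidates every existing login cookie, which is exactly what you want after a suspected credential leak but worth scheduling otherwise. Rotating the table prefix is not part of that routine; it is an install-time choice only.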
Update WordPress on the release date
Do not wait till later. We upgrade WordPress as soon as we see the message “WordPress XX.YY is available! Please update now” in the admin panel. Custom themes and plugins on some sites can break under auto-update settings, so to ensure zero-downtime upgrades we first test the upgrade on our staging server before rolling it out to the live site.