WordPress is the most popular and open-source content management system (CMS) for building your websites. Since it’s open-source, anyone can contribute to it and there are many themes and plugins available that make it important to know the common security issues around it.
A WordPress site can be vulnerable to exploits due to many reasons. In the following article, we list some of the most common WordPress security issues with solutions and tips on how to address them.
1. Disable Directory Browsing
Directory browsing allows anyone to browse the content of the directories that may be important and can be vulnerable to attacks. If your site is running on a web server like Apache that enables directory browsing by default, then you should disable it.
To disable the directory browsing, you can add the following code in the .htaccess file:
Options -Indexes
WordPress already comes with the .htaccess file. You can find this file in the root of the installation files of WordPress where your domain is mapped to.
After adding the above line, the content of the .htaccess file for a WordPress site will look something like this:
...
</IfModule>
# END WordPress
Options -Indexes
After, the users can no longer browse the directories of your WordPress website.
2. WordPress File Permissions for Better Security
Setting up appropriate file permissions is very crucial for the security of your website.
Your web server may allow writing permission to various files. But, allowing write access to your files can become dangerous, especially in a shared hosting environment. So, this is very important that you set up the correct permissions depending on the platform your website is running on.
In WordPress, only the files and directories except “wp-content” and the .htaccess file should be owned by the user account.
If you do not want to allow direct installation of themes and plugins from your WordPress admin, then you may also change the ownership of “wp-content” to your user account except for the “wp-content/uploads” that should be writable by the webserver for uploading the media files in WordPress.
Files / Directories Permissions
If you have shell access to your server, then you may use the following commands to set up the file permissions for WordPress:
For the directories:
> sudo find /path/to/your/wordpress/ -type d -exec chmod 755 {} \;
For the files:
> sudo find /path/to/your/wordpress/ -type f -exec chmod 644 {} \;
Files / Directories Ownership
Changing the ownership to your user account:
> sudo chown exampleuser:exampleuser -R /path/to/your/wordpress
Changing the ownership to the “www-data” user which is your web server:
> sudo chown www-data:www-data -R /path/to/your/wordpress/wp-content
> sudo chown www-data:www-data /path/to/your/wordpress/.htaccess
3. Spam Protection and Login Security Issues
After you publish a post, you may notice that there are many spam comments on that post. Most of these spam comments may come from automated bots crawling websites on the internet. In order to prevent this kind of spam, you should use the captcha validation plugin on the comment form.
One plugin to add captcha validation on comment form is Login Security Captcha which is a free plugin to add reCAPTCHA or Cloudflare Turnstile to WordPress standard forms like login form, register form, comment form, and forget password form.
Also, you should limit the number of failed login attempts on the WordPress standard login form. For this, you can check the Login Security Pro plugin that allows configuring the number of failed login attempts and locking out the IP address for a certain duration as set by the administrators.
4. Harden the Security with WordPress Plugins
There are many security plugins for monitoring like a firewall and preventing different kinds of attacks on a website. However, you should only install the necessary plugins for security that have some specific purpose, not all of them at once.
Besides security plugins, you should make sure to install SSL on your WordPress website.
5. Secure Forms with Proper Validation
Any form on your website with input fields can invite attackers if there is no proper validation and sanitization of each input field in the form.
The file input field that allows uploading files should be thoroughly validated and properly sanitized. This is a critical input field that is responsible for many websites being hacked.
Therefore, for any plugin that you use or any custom code that you write for building forms on your website, you should always consider the sanitization and validation of all the input fields that are present in each of those forms.
6. Issues with the WordPress Themes and Plugins
One of the reasons for vulnerabilities in WordPress is due to poorly coded themes and plugins. Some badly coded themes or plugins can cause serious damage to your WordPress site and make it vulnerable to attacks. Therefore, you should carefully select which theme or plugin to install and activate.
Also, you should make sure that the themes or plugins are tested with the latest version of WordPress and PHP.
7. Regular Updates and Backups
Besides taking care of the common WordPress security issues, it is a good practice to regularly update your WordPress to the latest version along with the plugins and themes.
If the update is a major release, then it is also recommended to create a backup of your website before updating. Also, it is a great practice to create regular backups of your WordPress website manually or automatically.