The main concern (as unfounded and misguided as it may be) with adopting WordPress in larger organizations is typically security. Security being a concern is not the problem though. Security should be a concern for any and all web properties. The issue is that there seems to be a disconnect that exists between the knowledge and management of CMS’ and those very security concerns.
Typically, a CTO / tech director is going to believe that they can create a more secure system than an open source CMS. And though this may very well be true, it is not only improbable, but the sheer amount of tech debt that your organization would have to take on to overcome such a monumental task is simply not worth it.
So the question shouldn’t be: “should we do this on our own?”. Rather, the question should be: “if we take on an open-source CMS, how do we manage it to be successful to meet our enterprise security needs?”. In this post, we’ll tackle just this question!
In no particular order, below we’ll list out some of the ways you can use WordPress’ extensibility to harden and secure your web property.
Limit Login Attempts
One of the many, many ways a hacker may try to gain unauthorized access to your web property is through what’s called a brute-force login attempt. To achieve this, a hacker will either run a program allowing them to attempt a large combination of passwords or make educated guesses as to what your password may be.
A great way to slow them down and shut them out is to limit login attempts. Unfortunately, by default WordPress allows users to attempt to login as many times as they would like. This is what we are going to put a stop to by limiting how many attempts each person gets.
There are several ways in which to achieve this and it would be worthy of its own article. Luckily, WPSolver did just that with this helpful article that outlines 5 different ways you can limit login attempts. Take a look through that handy post and try moving forward with the solution that works best for you!
Hyper Text Transfer Protocol (Secure). HTTPS is the successor to plain old HTTP. This one is an easy one to understand. HTTP is the protocol upon which data is sent from a server to your browser. When data is transferred over HTTP it is not encrypted. When data is transferred over HTTPS, it means that all of that website data in encrypted so anyone “listening in” can’t tell which data or datatype is being moved around.
To learn more about SSL and HTTPS and how to set them up on your own web property, take a look at this nifty writeup by wpbeginner.
2 Factor Authentication
2 Factor Authentication is another method of login protection that requires something extra. Simply put, you’ll need not only a username/email and a password, but you’ll also need another “token”. This token could be delivered to your mobile phone via SMS, through a third party app, or even a physical token (in extremely sensitive scenarios).
Some modern multi-factor authentication services also allow for extremely complex, encrypted passwords that have to be accessed through a separate webapp such as 1Password.
There are many “2FA” services out there and a simple Google search for “two factor authentication” will yield tons of information about this very useful security feature.
Alternate login URL
Why spend so much time on password protections when we can make the actual login area more difficult to find?
By moving your login away from the default /wp-admin/ to something like /ourbiz_login_2373882y327747/ and hiding this page from search engines, you can make sure that most login attempts are from people inside your business.
Mediate internal threats
To be blunt, there a only a few types of “hacks” that you can really focus on:
- Social engineering
- Mass attacks
- Targeted logins
- Internal breach
Social engineering is by far the most common. This typically involves a phone call or some type of manual communications with your company. Social engineering involves gaining trust of an employee to receive very specific information for a very specific purpose.
Mass attacks, such as the all-famous DDos (distributed denial of service) attack is a difficult one to stop. A DDos occurs when an individual or a group of individuals use software to make thousands of requests per second to your URL. Doing this will crash your site.
We spoke briefly about targeted logins already so let’s get to internal breaches. An internal breach occurs when someone inside your business works alone or with collaborators to steal important information from your company. When it comes to internal breaches, unfortunately there isn’t too much you can do. Some things that will help are:
- Keeping an in-depth activity log for all of your employees (check out WP Audit Log
- Extensively train yourself on user roles and permissions to ONLY allow the proper level of access for each and every single person that needs access to your CMS
- Delegate ownership and governance over your CMS Security to a specific team within your business.
While we don’t have time to cover all of the threats to your web property, this article’s’ recommendations will give you a very solid foundation in which you can grow and add more protocols over time.
Whenever you’re in doubt about the security of your software, data, CMS, etc. be sure to contact a professional. Putting these types of things off simply aren’t worth it in the enterprise.