[Blog] WordPress Security Report

WordPress has been the Small Business web platform of choice for many years now. It has a rather simple user interface, along with tons of free themes and modules to do pretty much anything your SMB website could ever need to do. I’ve set up my fair share of WordPress sites…and a few others’ shares as well!

Of course, my interest here is in securing WordPress! I was unable to find any real comprehensive guide on how to secure a WordPress site. So, when I’m asked about securing WordPress, I usually do a good search or just recommend a module or two. Unfortunately, that’s really not the full story. WordPress is a web application. And, while modern web applications may seem simple, they’re actually quite complex. There’s an entire “stack” of hardware and software that you need to secure…not just a simple web application.

So, I decided that I would take the time and write up a comprehensive technical guide on Securing WordPress. This document will continue to evolve over time as technologies evolve. If you have any feedback on this report (updates, suggestions, etc.), I’d love to hear it.

Report Contents

  • WordPress technical description
  • Understanding the Risks
  • Website Hosting
  • Local Hosting
  • Remote Hosting
  • Infrastructure as a Service (IaaS)
  • Platform as a Service (PaaS)
  • Hosting Recommendation
  • Web Application Architecture
  • Three-Tiered Architecture
  • Web Proxy Server
  • Resolving Proxied IP Addresses
  • Web Application Firewall
  • Plugins and Themes
  • User Management
  • Least Privilege Model
  • Rename Administrator User
  • Password Complexity
  • Two-Factor Authentication (2FA)
  • WordPress Software Security
  • Software Updates
  • File Security
  • File Permissions
  • Securing wp-admin
  • Securing wp-includes
  • Securing wp-config
  • Disallow File Editing
  • Security Software Products
  • Backups
  • Logging & Monitoring
  • A Quick Recipe
  • A Compliance Control Framework