At IU, what are best practices for maintaining a secure WordPress site?

On Webserve, PHP 7.1 will become the default version in spring 2018; however, PHP 5.6 will still be available until it is retired at the end of December 2018. As of Jan 18, Webtest servers are already using PHP 7.1. For help specifying which version of PHP to use, see PHP server-side scripting language.

If you are running a WordPress installation at Indiana University, the following guidelines can help you substantially improve the security of your site, especially if you are setting up a fresh installation:

  • Keep your WordPress installation and plug-ins updated: It is critical to apply all core, plug-in, and theme updates issued by WordPress. Many of them include important security improvements. You'll see a message at the top of your Dashboard whenever a new update is available. If you seldom log into your WordPress administrator account, consider installing the WP Updates Notifier plug-in, which monitors your installation for updates, and emails you when they are available. For tips about the update process, see Updating WordPress in the WordPress Codex.
  • Use the IU CAS plug-in for authentication: Use the IU Central Authentication Service (CAS) plug-in developed by UITS Enterprise Web Tech Services to handle authentication to your WordPress site. Unlike the standard WordPress password protection, the IU CAS plug-in helps ensure that only users affiliated with IU can log into your site. For directions, see On Webserve, how do I use CAS for my WordPress blog?
  • Perform regular backups of your database: If you are a user of the Legacy MySQL for Webserve service, you are responsible for performing and maintaining your own backups. You should perform and maintain regular database backups so you can restore your site's data if something happens to your WordPress site. You can set up a MySQL backup script with a scheduled crontab to automatically back up your database and save it to a folder on your Webserve account; see Backing up your Legacy MySQL for Webserve database.
  • Be careful which database user your WordPress site connects as: Connecting WordPress to MySQL as "root", or as any user with administrative privileges on the server, is a security risk: a compromised site would then have full control of every database on that server. Create a dedicated MySQL user for the site with privileges only on its own database, and let only that reduced-privilege user connect from WordPress. For day-to-day operation WordPress needs only SELECT, INSERT, UPDATE, and DELETE; CREATE, ALTER, DROP, and INDEX are needed during installation and some upgrades. For more, see Legacy MySQL for Webserve privileges.
  • Request frequent vulnerability scans from UISO: The University Information Security Office (UISO) provides a Web Application Vulnerability Scanner to help you discover any vulnerabilities affecting your site. How often you request scans depends on several factors, such as site traffic and the sensitivity of your data. For more, see Vulnerability Scanners.
  • Give users only the Capabilities they need: WordPress has multiple user Roles, each with its own set of Capabilities. To keep user accounts from making unwanted changes to your site's content and settings, you should be careful to assign Roles that grant only the Capabilities users need to do their jobs. Before assigning Roles, see In WordPress, what are Roles and Capabilities?
  • Use your administrator account only when you need to perform administrative tasks: When you create a new WordPress site, an Administrator account with all Capabilities is automatically generated. Using this account for common, non-administrative tasks exposes it to every risk that comes with everyday browsing and editing. Practice the principle of least privilege by creating and using an alternate account with a Role, such as Editor, that has fewer Capabilities. If a hacker ever cracks that account, the damage is limited: an Editor can change posts and pages, but cannot change settings, install plug-ins or themes, or create users. For more, see Roles and Capabilities in the WordPress Codex.
  • Move your configuration settings file: The configuration settings file (wp-config.php) contains the information WordPress needs to access your database, including the database password; it is stored by default in your site's root directory. WordPress also looks for it one directory above the site root (as long as that directory is not itself another WordPress installation, that is, it contains no wp-settings.php), so you can move the file up one level and WordPress will still find it. This helps only if the parent directory is outside the web server's document root; if the parent is also served over the web, moving the file gains nothing.
  • Change the WordPress table prefix: By default, WordPress adds the wp_ prefix to all of your database table names when you set up your site. Changing this prefix makes table names harder to guess, which can blunt automated SQL injection tools that hard-code names such as wp_users and wp_options. It is obscurity only, however: an attacker who can run arbitrary SQL can still list your tables from information_schema, so treat it as a supplement to patching and least privilege, not a substitute. Change the prefix on a fresh installation; on an existing site the tables and several option and usermeta keys would also have to be renamed. To change the table prefix during setup, in your wp-config.php file, below the database information, change the $table_prefix variable. For example:
    $table_prefix = 'iub_'; // Only numbers, letters, and underscores please!
  • Use secret keys: WordPress uses a set of secret keys and salts (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY, and their matching salts) to sign its authentication cookies and nonces. They do not strengthen user passwords; their job is to keep login cookies and nonces from being forged, which is why they must be long, random, unique to your site, and kept out of source control. To set them up, go to the WordPress secret key generator, copy the resulting eight define() lines, and paste them into your wp-config.php file below the database information, replacing any lines that still read 'put your unique phrase here'. Changing these keys invalidates all current WordPress cookies, so any users on your site will need to log in again afterward.
  • Lock down your Dashboard: You can use a .htaccess file to create a "whitelist" that specifies which IP addresses are allowed to reach your Administration Dashboard. Save the file in your site's wp-admin directory, not the site root (a deny-all rule in the root would block the public site as well). Use the following code (replace xx.xx.xx.xx with a trusted IP address):
    # Place this file at wp-admin/.htaccess
    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName "Access Control"
    AuthType Basic
    Order deny,allow
    Deny from all
    # IP address to whitelist
    Allow from xx.xx.xx.xx
    # Plug-ins and themes call admin-ajax.php from the public site, so leave it reachable
    <Files admin-ajax.php>
        Order allow,deny
        Allow from all
    </Files>

    You can add multiple Allow from lines to accommodate additional trusted IP addresses. Order, Deny, and Allow are Apache 2.2 directives; on Apache 2.4 they work only when mod_access_compat is loaded, and the native equivalent is Require all denied followed by one Require ip line per trusted address. Note that this protects only the wp-admin directory: wp-login.php sits in the site root and is not covered by this rule.
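The wp-config.php items above (moving the file, changing the table prefix, setting secret keys) and the wp-admin allow-list can be checked mechanically. The following shell script is an added example, not IU or WordPress code: it locates wp-config.php the way WordPress does, flags the default wp_ prefix and placeholder or short secret keys, and checks for a deny-by-default wp-admin/.htaccess. The web-root path, the constructed sample sites, and their made-up key values are assumptions for the dry run.

```shell
#!/usr/bin/env bash
# Added example (not IU or WordPress code): audit a WordPress install against the
# wp-config.php and Dashboard hardening points described above.
set -u

SECRET_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# Locate wp-config.php the way WordPress does: the web root first, then one level up.
find_wp_config() {  # $1 = web root
    if [ -f "$1/wp-config.php" ]; then printf '%s\n' "$1/wp-config.php"
    elif [ -f "$1/../wp-config.php" ]; then printf '%s\n' "$1/../wp-config.php"
    else return 1
    fi
}

# Print the value of define('NAME', 'value'); for one constant (empty if absent).
wp_define() {  # $1 = config file, $2 = constant name
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\(.*\)['\"][[:space:]]*);.*/\1/p" "$1" | head -n 1
}

# Print one finding per line; the exit status is the number of findings (0 = clean).
audit_wp_site() {  # $1 = web root (the directory holding wp-admin/)
    local root=$1 cfg prefix key val n=0
    if [ -f "$root/wp-config.php" ]; then
        echo "wp-config.php is still in the web root; move it one level up"; n=$((n + 1))
    fi
    cfg=$(find_wp_config "$root") || { echo "wp-config.php not found"; return 1; }

    prefix=$(sed -n "s/^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$cfg" | head -n 1)
    if [ "${prefix:-wp_}" = "wp_" ]; then
        echo "table prefix is the default wp_"; n=$((n + 1))
    fi

    for key in $SECRET_KEYS; do
        val=$(wp_define "$cfg" "$key")
        # wp-config-sample.php ships every key as 'put your unique phrase here'.
        if [ -z "$val" ] || [ "$val" = "put your unique phrase here" ] || [ "${#val}" -lt 32 ]; then
            echo "$key is missing, still the placeholder, or too short"; n=$((n + 1))
        fi
    done

    # The Dashboard allow-list lives in wp-admin/.htaccess: Apache 2.2 "Deny from all" or 2.4 "Require ip".
    if ! grep -qiE '^(Deny from all|Require ip)' "$root/wp-admin/.htaccess" 2>/dev/null; then
        echo "wp-admin/.htaccess does not restrict the Dashboard by IP"; n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample sites for a dry run. The "hardened" key values below are made-up
# placeholders for the test only; real keys come from the WordPress secret key generator.
make_weak_site() {  # $1 = web root to create (fresh install left at its defaults)
    mkdir -p "$1/wp-admin"
    cat > "$1/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
EOF
}

make_hardened_site() {  # $1 = web root to create; wp-config.php goes in its parent directory
    local key val
    mkdir -p "$1/wp-admin"
    {
        echo "<?php"
        echo "define('DB_NAME', 'wordpress');"
        for key in $SECRET_KEYS; do
            val=$(printf '%s' "$key-$key-$key-$key-$key-$key-$key-$key" | cut -c1-64)
            echo "define('$key', '$val');"
        done
        echo "\$table_prefix = 'iub_';"
    } > "$1/../wp-config.php"
    printf 'Order deny,allow\nDeny from all\nAllow from 192.0.2.10\n' > "$1/wp-admin/.htaccess"
}

# Stand-alone use: audit_wp_site /path/to/htdocs
if [ -n "${1:-}" ]; then audit_wp_site "$1"; fi
```

Run it as `audit_wp_site /path/to/htdocs`; because the exit status is the number of findings, it can sit in the same crontab as your database backup and alert you when an update or a restored backup quietly puts a default back.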

Following these recommendations should substantially improve the security of your WordPress site. Additionally, make sure your users know not to share their usernames and passwords, and encourage them to use strong, unique passwords and to change them promptly if they suspect a compromise.

For more about securing your WordPress site, see Hardening WordPress on the WordPress Codex. For more about computer security in general, see Tips for staying safe online.

Some of these tips were derived from Top 5 WordPress Security Tips You Most Likely Don't Follow.

This is document bdbb in the Knowledge Base.
Last modified on 2017-07-26 13:26:17.
