Keeping WordPress secure

RimuWordpressAccording to Wikipedia, "WordPress is the most popular blogging system in use on the Web, at more than 60 million websites."  It's also the most commonly installed blogging system on our customers' servers, and we use it to run the blog you're reading right now.

One factor that has contributed to WordPress 's popularity is its ease of installation.  And because it is so popular many themes, extensions and other add-ons are available, documentation and help resources abound, and an ecosystem of support companies has grown up around it.  These provide a positive feedback loop, helping to reinforce its popularity.

But as well as being easy to install and popular, it is also the most commonly exploited system we host.  That's because its popularity has led to increased interest from hackers, and also because the install defaults are not as secure as they could be.  If a hacker can leverage these weaknesses to crack a password for your site, they will often use it to send spam or distribute exploits designed to hack into other computers.  Even without cracking a password, many wordpress sites can be used to attack other sites.  If your WordPress system gets exploited you'll have the unenviable task of cleaning that up, made a bit easier thanks to Liz's restore wordpress script.

Secure WordPress in 5 easy steps

So if you're thinking of hosting a WordPress site, or you already do, how can you reduce your chances of getting hacked?  WordPress's official advice is at, (which I found on their main page hidden under a "Contribute to Development" heading.)  Here, I list what we have found to be some of the key steps to reduce your risk.

  1. Use strong passwords for WordPress accounts, particularly for the admin account.  From our Preventing Brute Force SSH Attacks page, "Strong passwords generally use a combination of upper and lower-case characters, numbers, and non-alphanumeric characters."
  2. Keeping up with the Joneses. The most important thing is to make sure you're on the latest version and that automatic updates of minor versions are enabled.  Use Liz's upgrade script for the upgrade, and minor version updates will be enabled by default after that unless you've deliberately disabled it.  You still need to check from time to time in case a new major version has come out.
  3. Protect wp-login.php against brute force attacks. Attackers scan WordPress sites, sending hundreds of login request, probing for common username/password combinations.  While good passwords on all your WordPress accounts will likely prevent them from breaking in, these attacks can overload your site and degrade performance for your users.  You can drastically reduce the drain on resources by putting wp-login.php behind Apache's Basic Auth.
  4. Protect xmlrpc.php from attack.  Recently we've seen customers overloaded by a flood of requests to xmlrpc.php.  This is a more recent trend, with more sites and administrators becoming wise to attacks against login.php and putting in place protections against it, attackers are switching to xmlrpc.php instead. Xmlrpc.php also offers several advantages to attackers, and it's becoming just as important for administrators to protect as wp-login.php was.  To do that, you need to either disable it completely or protect it with a firewall.  Read more below.
  5. Install a Web Application Firewall (WAF). A WAF is a system that inspects requests coming in to your website and blocks requests that it thinks are malicious.

What's up with xmlrpc.php?

Xmlrpc.php is a way for other sites or other programs such as apps on your smartphone to interact with your wordpress site.  They still need the appropriate password, but once they have that, they can administer and post to your site automatically without going through the regular web pages.

As well as avoiding the restrictions that might be in place for wp-login.php, xmlrpc.php allows attackers to amplify their brute force attacks.  They can check hundreds of passwords in a single attempt, compared with login.php, which only checks one at a time. xmlrpc.php also enables attackers to user your website to attack other websites.

Disable xmlrpc.php...

If you're not using a mobile app to manage your site, or integration with other sites, or plugins like Jetpack, you can disable xmlrpc.php altogether.  Do that by installing a plugin.  You should check whether the plugin disables xmlrpc completely (which is the safest bet,) or just some functions (like the pingback function which is sometimes used to attack other sites), and install whichever one you prefer.  It's likely some plugins might not work correctly after that, but plain wordpress sites should be fine.

...and/or install a WAF

If you can't, or don't want to disable xmlrpc, you should make sure it is protected by a firewall (a.k.a. web application firewall, or WAF).  A WAF will look at the traffic coming into your website, and try to identify and block malicious requests.  Like most security measures, it's not a panacea because it won't always get it right, but a good WAF will foil most attempts to compromise your site so it's worthwhile.  It is a good idea to use a WAF regardless of whether you disable xmlrpc.

I'm going to mention four popular WAF products with different approaches.  Each has it's strengths and weaknesses.  It's also possible to use more than one of these approaches at the same time.  Although I'm mentioning these four products, many others are also available and might meet your needs better.

  1. Wordfence.  A free plugin that blocks attacks against WordPress.  Easy to install.  Being specific to WordPress means it won't protect non-wordpress sites on your server, but it does cover some attacks that other approaches won't.  It includes networking features that share information between sites; so it can learn from and protect against new attacks that first appear on other sites.   Those features come at a cost though - the extra work will put more load on your server and may even slow your site down.
  2. Jetpack. A free plugin from automatic, the makers of WordPress.  Jetpack does a ton of stuff including stats, social media integration and additional appearance features.  It also includes similar security features to Wordfence, and importantly it will automatically update your plugins.  It requires a free account on; in turn this allows you to manage multiple wordpress installs on different servers from your account at
  3. ModSecurity.  A free module for your web server application, that blocks common attacks against all websites on your server, not just WordPress ones.  It checks a static list of attack patterns that you configure.  It won't be aware of attacks against other websites, and may miss some wordpress-specific attacks.  It can be set up to automatically update its rules.  A big downside is that it needs to be configured before it can be used, and the configuration is complex.
  4. An outsourced solution, such as Cloudflare Pro.  Cloudflare is a pay per month service that filters website traffic before it reaches your server.  It uses its large customer base to detect new forms of attack and attackers, and prevents these attacks from affecting other customers.  It is simple to configure and takes load off your server by deflecting attacks and caching content.

WordPress provides a great platform for publishing on the web.  By following the security advice on this page, you can be ahead of most wordpress users in security terms, and drastically reduce the chances of your site getting compromised; something we commonly see.  A small amount of preventative maintenance could end up saving you hours of work and pain from a compromise of your site.

As always, if you need assistance with any of this, or if you just prefer to have someone else take care of it, we can help you out.  Just put in a ticket at

This entry was posted in HOWTO, Rimuhosting, Security and tagged , , , , . Bookmark the permalink.

Comments are closed.