Skip to main content

WordPress Security Best Practices

· 4 min read
Mahmudur Rahman
Mahmudur Rahman
Founder of EpicLabs23

WordPress sites are often targeted by attackers, especially on shared hosting environments. To ensure the security of the WordPress managed hosting offering in your shared hosting solution, here are best practices and recommendations for protecting the hosted WordPress sites:

1. Server-Level Security

a. Isolated Hosting Environment

  • Use Docker containers or similar virtualization techniques to isolate each WordPress site, ensuring that a compromised site cannot affect others.
  • Set up container-level resource limits to prevent abuse.

b. Web Application Firewall (WAF)

  • Deploy a WAF like Cloudflare, ModSecurity, or a similar solution at the server level to block common WordPress threats (e.g., SQL injection, XSS, brute force).
  • Ensure the WAF is configured with WordPress-specific rules.

c. Regular OS and Software Updates

  • Keep the hosting environment (e.g., OS, PHP, MySQL/PostgreSQL, web servers like Nginx/Apache) up to date with the latest security patches.

d. Secure PHP Configuration

  • Disable dangerous PHP functions like exec, system, shell_exec, and passthru.
  • Restrict PHP scripts to specific directories using open_basedir.

e. Malware Scanning

  • Integrate malware scanning tools (e.g., Imunify360, ClamAV, or custom scripts) to scan WordPress files and detect malicious code.

2. WordPress-Level Security

a. Core, Plugin, and Theme Updates

  • Enforce automatic updates for WordPress core, plugins, and themes.
  • Offer managed updates to ensure compatibility testing before pushing updates.

b. Use Secure Plugins and Themes

  • Allow only pre-approved and reputable plugins and themes in the hosting environment.
  • Conduct vulnerability scanning on plugins and themes.

c. Login Protection

  • Enforce strong passwords and implement two-factor authentication (2FA).
  • Limit login attempts to mitigate brute force attacks.
  • Use CAPTCHA on the login page.

d. Disable XML-RPC

  • Disable xmlrpc.php if not needed (used by older APIs and some mobile apps), as it's a common attack vector.

e. File and Directory Permissions

  • Set proper file permissions (e.g., 755 for directories, 644 for files) and disable editing files from the WordPress admin dashboard.

f. Disable Unused Features

  • Disable WordPress REST API endpoints not in use.
  • Restrict directory browsing.

3. Security Plugins

Provide a pre-installed set of trusted WordPress security plugins to customers, such as:

  • Wordfence: Real-time threat protection, firewall, and malware scanner.
  • Sucuri: Provides auditing, malware scanning, and security hardening.
  • iThemes Security: Offers multiple hardening features and 2FA.

4. Backups

  • Automated Backups: Offer daily automated backups for files and databases with offsite storage options.
  • Retention Policies: Allow customers to retain backups for a configurable number of days.
  • Enable one-click restore functionality for users to quickly recover from a compromise.

5. SSL/TLS Enforcement

  • Provide free SSL certificates through Let’s Encrypt and enforce HTTPS for all WordPress sites.
  • Implement HTTP/2 or HTTP/3 for better performance and security.

6. Monitoring and Alerts

  • Monitor traffic patterns and detect anomalies (e.g., DDoS or brute force attacks).
  • Send security alerts to customers when unusual activities are detected (e.g., multiple failed logins, file changes).

7. User Education

Educate your customers on best practices, such as:

  • Avoiding nulled (pirated) plugins or themes.
  • Regularly changing passwords.
  • Recognizing phishing attempts.

8. Account-Level Security

  • Use isolated databases and FTP accounts for each WordPress site.
  • Disable password-based SSH and require SSH key-based authentication for account access.

9. Advanced Features

a. Application Sandboxing

  • Deploy WordPress sandboxes for testing updates or plugins before they are applied to the live environment.

b. Intrusion Detection System (IDS)

  • Implement an IDS to detect suspicious activities like unauthorized file modifications.

c. DDoS Protection

  • Use anti-DDoS services like Cloudflare or AWS Shield to prevent downtime caused by volumetric attacks.

d. Vulnerability Patching

  • Scan the environment regularly with tools like WPScan for known vulnerabilities in WordPress installations and plugins.

10. Managed Service Features

Offer managed services as part of the hosting plan:

  • Proactive Security Monitoring: Include scanning and hardening services.
  • Manual Malware Removal: Provide cleanup services in case of a compromise.
  • 24/7 Support: Offer expert support for security incidents.

By implementing these measures, you can significantly reduce the chances of hosted WordPress sites being compromised and provide a secure managed hosting experience to your customers.