Best Practices for WordPress Site Security on Linux Webservers

At last count, W3Techs reported that 43.1% of all websites operating on the Internet today rely on the WordPress CMS. And of those, an overwhelming majority run on Linux servers. That immense popularity makes Linux servers running WordPress a prime target of hackers and other bad actors. As a result, such servers face an estimated 90,000 attacks every minute, every day.

For that reason, owners and operators of WordPress-powered websites have plenty to worry about when it comes to maintaining security. They must guard against known and unknown vulnerabilities in WordPress, manage a host of third-party plugins, and remain vigilant against configuration errors that hackers could use against them. The good news is that some well-established best practices can help them do that, which we'll discuss in depth here.

Why Is WordPress Security Critically Important?

WordPress security is critical for any individual or business relying on a WordPress website. However, most beginners only prioritize security sometimes when they start a WordPress blog. This is a big problem because a hacked website can harm the reputation of its owner, not to mention interfere with the site's intended purpose. For businesses using WordPress to sell their products, this can even lead to severe revenue losses, too.

Worse still, ransomware is a persistent threat to WordPress websites. Once an attacker infects a targeted site, they can encrypt its files and demand payment to return control of them to the site's owner. And in some cases, the attacker won't even have a decryption key to turn over at all, instead absconding with the site owner's money and leaving the site crippled.

What Are Common WordPress Vulnerabilities?

Protecting a WordPress site from the most common threats must begin by understanding some common WordPress vulnerabilities that hackers exploit. The following are the most common WordPress vulnerabilities that may lurk within a typical WordPress installation.

Outdated Software

The most common vulnerability you'll find in WordPress websites is outdated software. This may include the use of an outdated WordPress version, as well as the use of outdated plugins inside the CMS. You need to update a WordPress installation and its plugins to ensure your site is secure from software flaws that newer versions don't have. Worse still, many of those flaws become common knowledge to hackers once developers issue a software update, placing outdated sites at even greater risk. Despite the risk, over 21% of known WordPress websites still use older, unsupported versions of the CMS.

Weak Passwords

Weak passwords are also a persistent vulnerability for WordPress websites. Hackers exploit weak passwords by targeting administrator accounts that can grant them complete control of a WordPress site. From there, nothing stops them from wreaking havoc and making whatever changes they wish.

Shared Hosting

Although shared hosting is popular for WordPress website owners, it has significant security vulnerabilities. If an attacker manages to execute a privilege escalation attack on the underlying server, they gain unfettered access to every WordPress website it hosts, too.

Lack of Server Hardening

Another common vulnerability present in WordPress websites is a lack of server hardening. The default installation of the WordPress CMS leaves various features turned on for the convenience of the site's owner. However, some of those features, such as the built-in file editor, the hotlinking function, PHP execution, and directory browsing, can be powerful weapons in the hands of an attacker. Using those functions, an attacker could execute malicious code, conduct a cross-site scripting attack, or enable a denial-of-service attack.

Incorrect File Permissions

Misconfigured file permissions are another common vulnerability found in WordPress websites. Generally speaking, the underlying wp-content and wp-admin folders that house most of a WordPress site's files should have restricted file permissions, including a restriction on who can write to them. However, plenty of novice admins change those default permissions while trying to troubleshoot configuration issues and fail to change them back, creating a major vulnerability.

Essential WordPress Security Tips & Best Practices for Linux Users

To combat the vulnerabilities enumerated above, owners and operators of WordPress Websites need to follow the established WordPress security best practices to the letter. Here's what they are and some other tips on keeping WordPress sites secure.

Regular Software Updates & Patch Management

The most important way to keep a WordPress website secure is to update the CMS to the latest version and enable auto-updates for the future. Plus, it's equally important to keep all installed plugins up to date, too. This means checking with plugin developers regularly or installing software that can check for new plugin versions and make the necessary updates for you.

Install & Configure a Firewall

Installing a firewall is another excellent way to keep a WordPress website secure. WordPress-specific firewall software can monitor incoming and outgoing data for signs of malicious activity. Plus, many can halt DDoS attacks in progress and block vulnerability scans that alert hackers to exploitable site vulnerabilities.

We recommend focusing on WordPress plugins to keep the process of adding a firewall as simple as possible. Using add-ons will be the most straightforward option.

WordPress Firewall Rules to adhere to when configuring your firewall can be found here.

Scan for Malware & Security Threats

It's also good to perform periodic scans of your WordPress website to detect any malware or security threats that may have slipped by your site's defenses. Various tools can scan WordPress sites for such things, and many of the best ones are totally free, too.

Secure WordPress Usernames & Passwords

Defining and enforcing a secure password policy is another best practice for securing a WordPress website. At a minimum, the policy should insist on passwords of at least 20 characters, which include letters, numbers, symbols, and a mix of capital and lowercase letters. Installing a two-factor security plugin that adds a time-limited one-time password to every login into the WordPress front-end or back-end is also advisable.

Set Up Off-Site Backups

Maintaining complete and current offsite backups of a WordPress website is a critical bulwark against malware intrusions and ransomware attacks. Having multiple backup versions of a WordPress website spanning a reasonable amount of time is important. This allows you to restore a version of your WordPress website before malware or ransomware infiltration. Plus, having the backup copies offsite eliminates any chance that a successful server-side attack will compromise them, too.

Limit Login Attempts

Limiting login attempts is another best practice for guarding a WordPress website against brute-force password attacks. To do it, you can configure your website to lock a user account after a reasonable number of login attempts. You can also set it to ban connections from the IP address associated with the failed login attempts. While these measures alone won't stop a hacker in their tracks, they will significantly slow their efforts to harm your site.

Secure File Permissions & Ownership

As previously mentioned, it's important to set the proper file permissions and ownership for the files associated with a WordPress website. Most WordPress folders should be 755, and most individual files should be 644. Of course, there are always exceptions to those generalities, so it's important to follow all relevant WordPress and plugin documentation and to check trustworthy guides on the subject.

Use an Uptime Monitor

Uptime monitors can be a useful security tool because they can alert you to a problem with your WordPress site as soon as it happens. When there's any possibility of a malicious intrusion, every second counts. An uptime monitor could warn to block an attack in progress or at least blunt its damage.

Add ReCAPTCHA in WordPress Login

In addition to the aforementioned two-factor authentication, it's also advisable to add ReCAPTCHA functionality to your WordPress site's login pages and user forms. Various plugins make this easy, and installing one can safeguard your site against botnets, spam, and attacks from sketchy shared IP addresses.

Conduct Security Audits & Penetration Testing

Since no WordPress security scheme will ever be perfect, conducting regular security audits is an excellent way to ensure your site complies with the previously covered security best practices. It is also good to perform penetration testing to ensure your security measures work as intended.

Implement Robust Monitoring & Logging Practices

Finally, every WordPress website should include robust monitoring and logging. The logs generated by the WordPress installation and any plugins can be treasure troves of useful data. For example, your site logs may reveal intrusion attempts by hackers and even clue you into specific vulnerabilities they may be looking to exploit. Various plugins will aggregate your logs into a single interface and even send you alerts based on predefined preferences.

Final Thoughts on WordPress Security on Linux Servers

At the end of the day, WordPress, running on one Linux variant or another, is and will continue to be the backbone of the Internet. However, it's incumbent upon every WordPress website owner to do their part to keep their sites safe from exploitation. Armed with knowledge of the most common vulnerabilities and the best practices to mitigate them, it is easier than you may think. With a bit of effort and vigilance, running a secure WordPress website is well within reach of even a beginner web admin.