How we approach security on our own WordPress website

Security is a fundamental part of web development and is always a key consideration in our approach to developing and maintaining sites at ClarityDX. It’s near the top of the list for most of our enterprise clients.

Our own site is a great example of the numerous different security features that can be implemented on a website. This article will look at how we approached different areas of security and what actions have been taken to ensure the site is secure.

WP Engine

The site is hosted with our hosting partner WP Engine, who offer a number of useful security measures for any site hosted with them. These measures include:

• A proprietary firewall which helps direct good, bad and malicious traffic
• Blocking user enumeration
• Brute force login attack prevention
• Forcing all WordPress users to set a secure password

Hosting with WP Engine also has the added benefit of automatic daily backups for all site environments such as production and staging. Any site can be reverted to one of these daily backups at the single click of a button.

Cloudflare

The site utilises the Cloudflare CDN to improve site performance for users around the globe. Using the Cloudflare CDN also offers security benefits such as safeguarding against DDoS attacks and improving security certification. We also implement a number of firewall rules through Cloudflare.

User account management

Diligent user account management has ensured that only active users on the site have access to the CMS, and those active users have their minimum required permissions.

Users with administrator permissions have total control over everything in the CMS so it is advisable that only users who need this control are granted it. Having a higher number of administrators can increase site vulnerabilities. For instance, a user who is unfamiliar with the inner workings of WordPress should not have access to site configuration and settings as this poses the risk that they may unknowingly alter something critical to the running of the site.

REST API disabled

A lot of content set in WordPress is publicly available by default via WordPress’ REST API. While the majority of this may be intended for the public domain, it is always a good idea to prevent public access to this if it is not required

By default, user data – such as WordPress usernames – are available via the API, this is a slight vulnerability as it can allow attackers to easily discover all usernames and use them to try brute force attacks on the WordPress login page.

We use the Disable REST API plugin to disable API access to non-logged in users.

Security headers

A number of useful HTTP security headers are used on the site to remove various miscellaneous vulnerabilities. These have been built into the theme by our development team. The security headers used on the site include:

• X-Frame-Options
• X-XSS-Protection
• X-Content-Type-Options
• Referrer-Policy
• Permissions-Policy
• Content-Security-Policy & X-Content-Security-Policy

The Content-Security-Policy & X-Content-Security-Policy headers require some continuous  management as they block unrecognised sources for images, stylesheets, JavaScript files and iframes so need to be updated whenever a new addition is made to the website.

You can see how your site currently performs in terms of security headers using this tool.

Plugins

We’re very selective about the types of plugins we use on our site, making sure we limit the number where possible. We also have criteria we look for such as code quality, reviews, last updated etc before we will utilise a new WordPress plugin. This is important when delivering WordPress into the enterprise safely and securely.

HTTPS

The site uses HTTPS, as do most sites on the web in 2021. HyperText Transfer Protocol Secure is an updated version of the plain HTTP and offers encrypted communication of data between a web server and a browser. This makes it possible to safely transfer sensitive data such as login credentials or credit card information back and forth between a browser and server.

HTTPS is very much the de facto transfer protocol for all sites on the web now, with Google marking sites in their search results which do not use HTTPS.

In order to set up HTTPS an SSL certificate needs to be obtained and placed on the server alongside the site.