WordPress is one of the most popular content management systems (CMS) in the world. It is used by millions of websites, from small blogs to large corporate sites.

Such a large footprint makes WordPress a favorite target of attackers. That is why it is important to take the necessary steps to secure and harden a WordPress site, and to ensure that it remains compliant with industry regulations and standards.

Governments and enterprise alike are increasingly turning to WordPress to power their websites. As such, it is important to ensure that these sites are properly secured. This guide will provide an overview of the steps you need to take to deploy a secure WordPress site.

Hackers can exploit vulnerabilities in WordPress to gain access to sensitive data, such as customer information or financial records. They can also use WordPress to launch malicious attacks, such as distributed denial of service (DDoS) attacks, or to spread malware.

WordPress is an open source content management system (CMS), which means anyone can download and use it for free. The core code is maintained by a volunteer community, but it also has thousands of plugins and themes that are developed by third parties who may or may not prioritize security.

For all of its strengths, the WordPress software supply chain is a major vulnerability. Hackers can embed malicious code in WordPress themes, plugins, and other third-party code to gain access to sites. To mitigate this risk, it is important to have a defined process for checking and validating code before it is installed on a production site.

This guide will walk you through the steps necessary to deploy WordPress sites to the cloud leveraging best practices and meeting compliance and security requirements. It includes recommendations for authentication and authorization, access control, logging and auditing, patch management, and more.

Luckily, NIST has compiled a comprehensive set of security and compliance recommendations for web applications. Following these guidelines can help ensure your WordPress sites are as secure as possible and free from malicious code or attacks.

By following NIST's recommendations, you'll be able to create a secure environment for your WordPress site that prioritizes security.

What Are NIST's Security Rules?

These rules cover a range of resources and systems ranging from the WordPress plugins you use to the user management and branching policies of GitHub repositories related to the site.

The National Institute of Standards and Technology (NIST) has established a set of security rules for securing applications. The term application refers to any software or system used to store, process, or transmit data. In case of a WordPress site, this includes:

  • Web Server. This is the server hosting your site, typically Nginx and PHP-FPM.
  • Database Server. Configuration of MySQL, backup policy and TLS/SSL connectivity requirements.
  • Operating System. From the server OS to the Docker image dependency layers.
  • Cloud Infrastructure. This includes firewalls, load balancers, VPNs, and CDNs.
  • WordPress Theme and Plugins. Analysis of the security features and best practices within the WordPress theme and plugins used on your site.
  • WordPress Core. Verify security patches and configuration settings are properly applied to the WordPress core files.
  • Third-Party APIs. Any third-party APIs used by your site must be properly configured and secured.
  • Networking. SSL/TLS certificates and firewalls are all important elements of network security that should receive attention when securing any WordPress site.

The good news is that by following the NIST rules you really do secure your systems and organization. This can help protect against data breaches, ransomware attacks, and other malicious activities. It also ensures that customer and employee data is kept safe.

NIST Crashcourse

NIST is a non-regulatory agency of the US Department of Commerce. It promotes innovation and industrial competitiveness by creating standards, guidelines, and tools to help organizations protect their information systems and the data they contain.

  • A control is any security measure or countermeasure taken to protect an information system.
  • Implementation is your use of the control to protect the system.
  • A requirement is an item that must be implemented in order to meet a security standard.

NIST 800-53 is one of the many standards it provides. It contains a set of security and privacy controls that organizations can use to help protect their information systems and the data they contain. These controls are divided into 18 distinct pillars, which are further subdivided into categories and subcategories to help organizations better manage the security of their information systems.

To make life easier, we've grouped them into four sections so you can easily find the controls that apply to your organization:

  1. Access and Authentication: Users have the right access levels and authentication methods to access WordPress, GitHub, AWS and other systems.
  2. Monitoring and Auditing: Logs of user activities are regularly reviewed to identify any suspicious
  3. System and Software Acquisition: Systems and software required to run WordPress are sourced and configured correctly.
  4. Security and Configuration Management: Ensuring WordPress is configured with the right security settings, plugins are kept up to date, and backups are regularly taken.
  5. Incident Response and Protection: Developing processes and plans to respond to security threats and incidents, as well as developing strategies to protect the WordPress environment.

By following these best practices, organizations can ensure their information systems are secure and compliant with security regulations.

1. Access and Authentication

This control requires organizations to implement security measures to protect remote access to information systems. In the context of WordPress in the cloud, this control is relevant because remote access to the WordPress instance should be secured to prevent unauthorized access.

This section provides guidance on authentication, authorization, and access control in order to properly protect data.

Authentication is the process of verifying that a user or system is who they claim to be. Authorization is the process of determining if an authenticated user has permission to access specific resources or perform certain actions. Access control is the process of enforcing policies and procedures which control which users or systems have access to certain data or resources.

  • Use strong passwords that are difficult for attackers to guess or crack and 2FA when possible.
  • Automatically terminate non-privileged user sessions after 15 minutes of idle time and privileged sessions after 30 minutes.
  • Use SSH keys and VPNs to secure remote access to the WordPress instance and take care of where keys are stored.
  • Utilize a web application firewall to protect against malicious traffic and suspicious activity.
  • Monitor authentication attempts to detect suspicious behavior.
  • Audit user access periodically to ensure only authorized personnel can access the system.

WordPress natively handles user groups, password resets and many other security aspects. Take advantage of this and configure the system to use secure settings for all users, groups and roles.

It is worth noting that DNS is not explicitly mentioned in the 800-53 catalog of security controls. However, DNS is an important component of many information systems, and it is often necessary to secure DNS to ensure the confidentiality, integrity, and availability of information systems.

Example Implementation Statement

  • Access control is set up to restrict access to trusted IP addresses only.
  • GitHub repository controls govern changes to code and configuration, and access to runtime environments.
  • WordPress uses SSL/TLS to connect to the MySQL resource on GCP.
  • MySQL is set up with strict access controls and regular audits to detect any unauthorized changes.
  • Access to the GitHub repository is secured with 2FA.

This covers: AC-17, AC-19, CA-8

2. System and Software Acquisition (Software Supply Chain)

Software security is the process of protecting software from potential threats. To ensure proper software security, consider implementing the following measures:

  • Implement a secure patch management process to ensure all WordPress core files and plugins are kept up to date. Use the NVD (National Vulnerability Database) to check for published vulnerabilities that require an update.
  • Use secure coding practices when developing custom plugins or themes for your site, and require Pull Requests for changes.
  • If using Docker Images, verify that the images are from a trusted source, and scan them for vulnerabilities.
  • Monitor third-party APIs/libraries and update your applications regularly with the latest versions.
  • Ensure that any 3rd-party code repositories are secure and regularly monitored for any malicious activity.

When it comes to Docker images, while they are not explicitly mentioned in the 800-53 security controls catalog, several controls are relevant. For instance, the "Transmission Confidentiality and Integrity" control (SC-8) requires that sensitive data, including container images, be protected by using TLS version 1.2 or newer.

This underscores the importance of protecting container images during transmission. Additionally, the "Least Privilege" control (AC-6) requires that users be granted only the minimum access necessary to perform their assigned tasks, in order to limit access to container images only to those who need it.

Finally, the "Least Functionality" control (CM-7) requires that information systems be configured to provide only essential capabilities, emphasizing the importance of minimizing the attack surface of container images by removing unnecessary software and functionality.

Example Implementation Statement

  • Uses WordPress 5.9 with whitelisted plugins or custom-developed plugins written according to best practices.
  • Uses Docker to run the application on Google Cloud Platform in a Kubernetes pod with a hardened image.
  • AWS WAF and CloudFront are used for DDoS protection.
  • New Relic APM logs all request headers to ensure no unauthorized URL requests are made.
  • TLS 1.2 and HTTP Strict Transport Security (HSTS) are enabled on all web servers and load balancers.

See best practices for minimizing the attack surface of container images

This covers: MD-6
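The "whitelisted plugins" practice in the implementation statement above, and the earlier point about validating third-party code before it reaches production, can be enforced inside WordPress itself. The following must-use plugin is an added example written for this article, not code from the article or from WordPress; the plugin paths in the allowlist are placeholders, and the optional pinned hash is whatever your review process recorded for the reviewed release. It uses the real `pre_update_option_active_plugins` filter, which WordPress applies whenever the list of active plugins is saved.

```php
<?php
/**
 * Plugin Name: Plugin Allowlist
 *
 * Added example (not from the article): drop into wp-content/mu-plugins/.
 * Only plugins on the reviewed allowlist may stay active, and a plugin whose
 * files differ from the reviewed release (when a hash is pinned) is refused.
 */

/**
 * Plugin main file => sha256 of the reviewed plugin directory, or null if
 * the release has not been pinned yet. PLACEHOLDER entries; replace with
 * the plugins your review process approved.
 */
function pa_allowlist() {
    return array(
        'example-plugin/example-plugin.php' => null,
        'another-plugin/another-plugin.php' => null,
    );
}

/** Deterministic sha256 over every file under $dir: sorted relative path, NUL, file bytes. */
function pa_tree_hash( $dir ) {
    $files = array();
    $iter  = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $file ) {
        if ( $file->isFile() ) {
            $files[] = $file->getPathname();
        }
    }
    sort( $files ); // order must not depend on the filesystem
    $ctx = hash_init( 'sha256' );
    foreach ( $files as $path ) {
        hash_update( $ctx, substr( $path, strlen( $dir ) ) . "\0" );
        hash_update_file( $ctx, $path );
    }
    return hash_final( $ctx );
}

/** Hash for one allowlist entry: single-file plugins hash the file, directory plugins hash the tree. */
function pa_plugin_hash( $plugin ) {
    $target = WP_PLUGIN_DIR . '/' . ( dirname( $plugin ) === '.' ? $plugin : dirname( $plugin ) );
    return is_file( $target ) ? hash_file( 'sha256', $target ) : pa_tree_hash( $target );
}

/** Returns only the entries of $plugins that are allowlisted and, if pinned, unmodified. */
function pa_filter_active( $plugins ) {
    $allow = pa_allowlist();
    $kept  = array();
    foreach ( (array) $plugins as $plugin ) {
        if ( ! array_key_exists( $plugin, $allow ) ) {
            error_log( "plugin-allowlist: refused {$plugin} (not on the reviewed list)" );
            continue;
        }
        $pinned = $allow[ $plugin ];
        if ( $pinned !== null && pa_plugin_hash( $plugin ) !== $pinned ) {
            error_log( "plugin-allowlist: refused {$plugin} (files differ from the reviewed release)" );
            continue;
        }
        $kept[] = $plugin;
    }
    return $kept;
}
add_filter( 'pre_update_option_active_plugins', 'pa_filter_active' );
```

This is a last line of defence, not a substitute for review: by the time the filter runs, the plugin file has already been uploaded and included once, so pair it with the Pull Request gate described above and with `DISALLOW_FILE_MODS` in `wp-config.php`, which stops plugin and theme installs and updates from the dashboard altogether. Multisite stores network-activated plugins separately (`active_sitewide_plugins`) and is not covered by this example.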

3. Security and Configuration Management

Ensuring WordPress is configured with the right security settings, plugins are kept up to date, and backups are regularly taken. This control requires organizations to protect the confidentiality, integrity, and availability of systems and data through secure configuration management.

In the context of WordPress in the cloud, this control is relevant because it is important to ensure the WordPress environment is securely configured.

To meet this control, organizations should consider the following steps:

  • Ensure WordPress is updated to the latest version.
  • Use strong passwords and two-factor authentication whenever possible.
  • Configure plugins and themes to use the latest security features available.
  • Regularly review access permissions and user roles to ensure only authorized users have access to sensitive data.
  • Use a web application firewall to protect against malicious requests and attacks.
  • Monitor server logs and other system logs to detect suspicious activity.
  • Use secure coding practices when developing plugins and themes.
  • Implement monitoring and alerting for security events.
  • Use GitHub and Terraform to secure your code and settings.

Example Implementation Statement

  • WordPress admin activity is logged using Simple History, with alerts and notifications sent to sysadmins.
  • Automated deployment scripts are triggered from Concourse CI jobs for quick rollouts and rollbacks.
  • WordPress is configured using the `auth_cookie_expiration` filter, setting admin cookie expiration to 8 minutes.
  • WordPress sites have automated mechanisms for managing user accounts, including user registration, user roles, and password reset.
  • GCP uses Google Workspace for access control, and all user activity is monitored.
  • SSL certificates are configured for all hosted web services to ensure data integrity and security.

This covers: CM-3, CM-7, CA-2, CA-7, SI-4, SI-7, IR-4, IR-8, PM-7.
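The session limits from the Access and Authentication section (15 minutes for non-privileged users, 30 minutes for privileged ones) and the `auth_cookie_expiration` setting in the implementation statement above are the same control, applied through one WordPress filter. The must-use plugin below is an added example written for this article, not code from the article or from WordPress; the capability used to decide who is "privileged" and the two lifetimes are assumptions you can change to match your policy (the 8-minute admin figure in the statement is the same constant). One caveat worth knowing: `auth_cookie_expiration` sets the absolute lifetime of the login cookie, so a user is signed out after that long whether or not they were active; WordPress has no built-in idle timer.

```php
<?php
/**
 * Plugin Name: Session Lifetime Policy
 *
 * Added example (not from the article): drop into wp-content/mu-plugins/.
 * Applies a short, role-dependent login lifetime through WordPress's
 * auth_cookie_expiration filter. The filter runs inside
 * wp_set_auth_cookie(), which WordPress calls on every successful login.
 */

// Lifetimes in seconds (assumed values mirroring the 15/30 minute bullets).
define( 'SLP_NON_PRIVILEGED_SECONDS', 15 * 60 );
define( 'SLP_PRIVILEGED_SECONDS', 30 * 60 );

/**
 * Pure policy decision, kept separate from WordPress so it is easy to test:
 * given whether the account is privileged and the lifetime WordPress would
 * have used by default (2 days, or 14 days with "Remember Me"), return the
 * lifetime to grant. The policy limit is a ceiling; "Remember Me" can never
 * extend a session past it.
 */
function slp_lifetime_for( $privileged, $default_seconds ) {
    $limit = $privileged ? SLP_PRIVILEGED_SECONDS : SLP_NON_PRIVILEGED_SECONDS;
    return min( (int) $default_seconds, $limit );
}

/**
 * Filter callback. "Privileged" means any account that can change site
 * options, which by default is the administrator role (assumed capability;
 * adjust if your site defines custom roles). $remember is deliberately
 * ignored so the checkbox cannot lengthen the session.
 */
function slp_auth_cookie_expiration( $default_seconds, $user_id, $remember ) {
    $privileged = user_can( $user_id, 'manage_options' );
    return slp_lifetime_for( $privileged, $default_seconds );
}
add_filter( 'auth_cookie_expiration', 'slp_auth_cookie_expiration', 10, 3 );
```

The cut-off is enforced server side: the expiry is signed into the cookie value and `wp_validate_auth_cookie()` rejects an expired one, so a browser keeping the cookie alive does not help. If you later want an idle timeout rather than a fixed lifetime, it has to be built on top of this (for example by re-issuing the cookie on activity), because the filter alone only sets the ceiling.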

4. Incident Response and Protection

This control requires organizations to protect audit information from unauthorized access, modification, and deletion. In the context of WordPress in the cloud, this control is relevant because audit logs generated by WordPress should be protected to ensure their integrity and availability.

  • Enable audit logging for all user activities on your site, including login attempts and changes to settings.
  • Monitor audit logs regularly to detect any suspicious activity.
  • Ensure only authorised personnel have access to audit logs.
  • Ensure that backups are regularly taken and stored in an encrypted format.
  • Use a log analysis tool to detect any suspicious activity and respond quickly to any threats.

Use a third-party provider such as New Relic to prevent and monitor unauthorised access to your WordPress site, or use a security plugin such as Wordfence to scan your site for malicious code and block potential threats.

If deploying a highly-available cluster of stateless WordPress sites, check out Fairwinds Insights for monitoring your application and infrastructure health.
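The bullets above ask for audit logging of login attempts and settings changes, protected log storage, and analysis that surfaces suspicious activity. The must-use plugin below is an added example written for this article, not code from the article, from Simple History, or from any of the products named; it records each event as one JSON line in a file outside the document root and raises a burst alert when one address fails to log in repeatedly, so the alert lands in the same log your analysis tool already ingests. The log path, the failure threshold and the window are assumptions.

```php
<?php
/**
 * Plugin Name: Audit Trail
 *
 * Added example (not from the article): drop into wp-content/mu-plugins/.
 * Every hook used here is a standard WordPress action; the constants are
 * assumptions to adjust per environment.
 */

define( 'AT_LOG_FILE', dirname( ABSPATH ) . '/wp-audit.log' ); // assumed: one level above the web root, never served
define( 'AT_FAILURE_THRESHOLD', 5 );   // assumed: failed logins from one IP that trigger an alert
define( 'AT_WINDOW_SECONDS', 300 );    // assumed: counting window, five minutes

function at_client_ip() {
    // REMOTE_ADDR is set by the web server, not the client. If a trusted
    // proxy or load balancer fronts PHP-FPM, have it rewrite REMOTE_ADDR
    // (e.g. the nginx real_ip module) instead of trusting X-Forwarded-For here.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
}

/** Append one JSON object per event; LOCK_EX keeps concurrent PHP-FPM workers from interleaving lines. */
function at_record( $event, array $details = array() ) {
    $entry = array_merge( array(
        'ts'    => gmdate( 'c' ),
        'event' => $event,
        'ip'    => at_client_ip(),
        'actor' => get_current_user_id(),
    ), $details );
    return file_put_contents( AT_LOG_FILE, wp_json_encode( $entry ) . "\n", FILE_APPEND | LOCK_EX ) !== false;
}

/**
 * Count failures per IP in a transient that expires with the window, and
 * return true exactly when the threshold is reached, so a burst produces
 * one alert rather than one per attempt.
 */
function at_note_failure( $ip ) {
    $key   = 'at_fail_' . md5( $ip );
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, AT_WINDOW_SECONDS );
    return $count === AT_FAILURE_THRESHOLD;
}

add_action( 'wp_login', function ( $user_login, $user ) {
    at_record( 'login_success', array( 'user' => $user_login, 'actor' => $user->ID ) );
}, 10, 2 );

add_action( 'wp_login_failed', function ( $username ) {
    // Record the attempted username, never the submitted password.
    at_record( 'login_failed', array( 'user' => $username ) );
    if ( at_note_failure( at_client_ip() ) ) {
        at_record( 'login_failure_burst', array(
            'threshold' => AT_FAILURE_THRESHOLD,
            'window'    => AT_WINDOW_SECONDS,
        ) );
    }
} );

add_action( 'updated_option', function ( $option, $old_value, $value ) {
    // Transients are stored as options too; skip them so the counter above
    // does not spam the log. Record which option changed, not its value, so
    // secrets (API keys, SMTP passwords) never reach the audit file.
    if ( strpos( $option, '_transient_' ) === 0 || strpos( $option, '_site_transient_' ) === 0 ) {
        return;
    }
    at_record( 'option_updated', array( 'option' => $option ) );
}, 10, 3 );

add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    at_record( 'role_changed', array( 'user_id' => $user_id, 'role' => $role, 'old' => $old_roles ) );
}, 10, 3 );
```

The log file must be writable by the PHP-FPM user and readable by nobody else on the host, which together with its location outside the document root is what satisfies the "only authorised personnel" bullet; ship it off the box (to New Relic, a SIEM, or object storage) so a compromise of the web server cannot erase the trail, and rotate it like any other application log.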

Example Implementation Statement

  • GitHub is used for source control, with Pull Request approvals required for all changes.
  • No updates are allowed to the production environment without going through the Pull Request process.
  • Infrastructure is built using Terraform and monitored, and changes require Pull Request approval.
  • The GitHub dependency graph is used to monitor project dependencies for vulnerable libraries.
  • All web traffic is securely routed through a network of virtual private clouds (VPCs).

This covers: SC-7, SI-4, SI-7, CA-7, CA-9, IR-4, IR-8, PM-7

Balancing Scope and Security

For instance, if a WordPress site is hosted on AWS, then all cloud infrastructure should be part of the scope such as EC2 instances, S3 buckets, and databases. Security measures then need to be implemented within these boundaries as well; they include server hardening (patching OS and applications, turning off unnecessary services, setting up access control policies), scanning for any security vulnerabilities/misconfigurations, implementing DDoS protection, etc.

This does not mean that you are responsible for securing the entirety of the internet that inadvertently interacts with your WordPress deployments, but it does mean that you and your team must stay vigilant to any new threats that may arise from third-party services you are using as well as changes in your software supply chain.

Ultimately, security must be treated as an ongoing process rather than just a one-time event. Organizations should continually review their systems and processes to ensure they are following the latest security standards.

What Are the Benefits of Securing Your WordPress Site?

Securing your WordPress site has a number of benefits, including:

  • Improved security. By following security best practices, you can rest assured that your site will be protected from potential threats.
  • Increased trust. If your site is properly secured, users will feel more confident in sharing their information with you. This can lead to increased sales and revenue for your business.
  • Enhanced reputation. When users can trust that their data is safe on your site, they are more likely to recommend your business to others.

Finally, adhering to these standards can also protect you from legal risks, since many laws require companies and organizations to maintain secure systems. If your application serves the government, compliance with FedRAMP or StateRAMP is mandatory, and both are based on NIST.

Takeaways

For all the above, NIST ultimately wants you to develop security incident plans including reporting requirements, establish a secure supply-chain process and to have highly automated systems with minimal attack surfaces.

  • Follow NIST rules to ensure WordPress site is secure, such as web server and database configuration, SSL/TLS certificates, firewalls, and user management.
  • Benefits of securing the website include improved security, increased trust and enhanced reputation.
  • Controlling access and authentication by using strong passwords, automatically terminating sessions after a set idle time, SSH keys and VPNs, a web application firewall, monitoring authentication attempts and auditing user access.
  • System and Software Acquisition by implementing a secure patch management process for WordPress core files & plugins; using secure coding practices when developing custom plugins/themes; verifying trusted sources for Docker Images; monitoring 3rd-party API/library updates.
  • Security & configuration management for ensuring WordPress is configured with right settings; plugins are kept up-to-date; backups are taken.
  • Incident response & protection by enabling audit logging for user activities; monitoring log; taking encrypted backups; using log analysis tool & third-party services like New Relic to prevent unauthorized access.
  • DNS security must also be considered when securing information systems.
  • All components should be acknowledged as part of an ongoing security process rather than just a one-time event.

The key takeaway is that security should be built into the DevSecOps pipeline from the very beginning of the project. This will give you a greater chance at success in terms of building robust applications and reducing risk.