The Complete Checklist for WordPress Security Leaders

Automattic, the parent company to WPScan, hosts many of the biggest websites on the web, and security is one of our highest priorities. What follows is our checklist for security leaders. 

Best Practices for Your WordPress Website

• Remember to keep plugins and themes up to date. 
• Keep plugins and themes to a minimum.
• Keep privileged access to a minimum.
• Install a reputable security plugin.
• Use encrypted communications with encrypted HTTPS and a trusted TLS certificate.
• Disallow file editing with the disallow_file_edit constant.
• Keep informed about the latest security issues affecting WordPress.
• Keep backups and test that they are working.
• Scan your sites’ plugins and themes for vulnerabilities with WPScan or Jetpack Protect. 
• Be aware of two-factor authorization (2FA) security risks. 

Essential Tips for WordPress Plugin Security

• Validate and sanitize user input with sanitize_*() functions.
• Escape data before being output with esc_*() functions.
• Always use $WPDb->Prepare() for SQL queries.
• Check user capabilities with current_user_can().
• Add CSRF nonces to forms and validate them server-side.
• Use HTTPS links when hard-coding URLs.
• Validate data before passing it to update_option[] or do_action[].
• Regularly test your plugin for security issues.
• Ensure that security researchers are able to contact you. 

General Password Hygiene

• Never give your password, passphrase, or passcode to anyone else, no matter how nicely they ask or their familial or romantic status.
• No two passwords should ever be the same – even if they are “throwaway” passwords.
• To manage most passwords, you should use a password manager. 1Password and LastPass are two we recommend. LastPass has some cool features, but 1Password has an infinitely better design.
• For the few passwords that you need to remember (OS X, your password manager, etc.), use long passphrases: at least four words (chosen randomly), with a few special characters, spaces, uppercase/lowercase, etc. One example: Copy indicate 48 Trap bright. If you want to be extra safe, increase the number of symbols, numbers, and capital letters: Copy indicate 48 Trap (#) bright. Just don’t make it so inconvenient that you’ll later get frustrated and change it to something that’s too simple.
• For passwords stored in a password manager, generate them with the maximum length, and include numbers/symbols. For example, =pXFR>9qEzP%7PaQR6r9Z)R76LcWKztAa3;pD9BRpmB6sXu8,pWT=sy%b&pbV]xe. Since the password manager fills them in for you, it’s just as convenient as a shorter, less-random password, but exponentially stronger.
• Passwords and passphrases should not be constructed from known phrases. For example, Ph’nglui mglw’nafh Cthulhu R’lyeh wgah’nagl fhtagn1. is a bad password even though it has varying capitalization, punctuation, spaces, and excellent length. That password was cracked in minutes because it was a known fictional phrase from the H.P. Lovecraft short story The Call of Cthulhu. Avoid all known phrases, as these are likely to be on or will be on a password-cracking word list.
• Do not store the 1Password file in Dropbox or any other online service unless you have enabled two-step authentication for that service and your 1Password file has a very strong master password. The safest thing to do is to make a local backup in case your computer is damaged or lost, but we understand that syncing to multiple devices is very handy.
• Do not store any passwords in a Google Doc or other online service, even if you have enabled two-step authentication. Again, use a password manager to secure your passwords.

Web Security Guidelines

• Enable two-factor authentication (2FA) in every place that supports it.
  • Never use SMS-based 2FA, unless it’s the only option. Whenever possible, use an app to generate one-time passwords.
  • Here are some setup guides for a few sites: Apple, Facebook, Twitter, Dropbox, GitHub, LastPass, Box, Gmail, Yahoo, GoDaddy, LinkedIn, Dreamhost, Namecheap, and Microsoft/Live.com.
  • For a more comprehensive list of sites supporting two-factor authentication, see Two-Factor Auth List, and enable two-factor authentication on every single one that you use.
• For a self-hosted WordPress site, you can use the Google Authenticator or Duo Security plugin.
• Do not store your two-factor recovery codes online or in your password manager. Print them and put them in a safe place in your house instead.
• Review your Gmail filters and application passwords for anything you don’t recognize. Now is a good time to remove any of these you aren’t actively using and configure suspicious login activity notifications to be sent to you via SMS.

Computer Security Recommendations

• Set a system passphrase (at least four random words, and a few numbers/symbols) on your computer — even if it is a desktop, and you live by yourself. Make sure the password is required to wake from sleep or from the screensaver.
• Never leave your laptop unlocked and unattended. Always lock the screen before you walk away. Have the screensaver turn on in 15 minutes or less. You can configure a shortcut to enable the screensaver, which you should do whenever you walk away from your computer.
• Encrypt your hard drive. You can use FileVault on OS X, and BitLocker or VeraCrypt on Windows. VeraCrypt could show an error – Windows not installed on the drive from which it boots, in which case you could follow this tutorial – How to Remove the Windows “System Reserved” Partition. The easier route would be to buy Windows 10 Pro, if you do not have it already, and use BitLocker. Microsoft Surface devices and some other brands are also encrypted by default. On Linux systems, encryption is usually offered when you install your system, but if you’ve already installed then you will probably need to re-install it.
• Make sure your backups are encrypted. Here’s how on OS X Time Machine.
• Install and run antivirus software with the latest virus definitions. Microsoft Security Essentials is good for Windows 7 (it’s built into Windows 8 and up under the name Windows Defender) and for OS X we recommend Avira, ClamXAV, or Sophos (in that order). All are free!
  • While you should run antivirus software, we recommend you don’t use their browser extensions due to concerns raised about these extensions compromising browser security and some privacy implications.
• Turn on your firewall.

• Consider running a “reverse firewall” like Little Snitch; it’s noisy at first, but then gets quieter as you set up your rules.
• After you have set up two-factor for your Apple account, you should turn on Find My Mac to allow your device to be remotely locked and wiped if the need ever arises.
• Make sure your home router firmware is current, and you aren’t using the default password. Also, review any port forwarding settings to make sure they are all needed and expected. Remove anything you aren’t currently using. Upgrading your router firmware may delete your connection setting, so have those settings ready to avoid downtime. (We have seen hacked routers, which means they can capture your traffic.)
• Be careful when using wireless keyboards and mice, because they have a history of being vulnerable to various attacks. Check to make sure your devices are using strong encryption (like Bluetooth or AES), and don’t have any known vulnerabilities. To be extra safe, it’s probably best to avoid using them in any environment where an attacker could potentially intercept the wireless signals, like a coffee shop, co-working space, or conference.
• If you plan to co-work or work in public spaces, we recommend a privacy screen as a best practice to prevent others from seeing sensitive information on your screen.

Guidelines for Phones and Tablets

• For unlocking your device, either use a fingerprint login, an 8-digit PIN, or a strong password. Don’t use a pattern.
• If on Android, encrypt your device. iOS turns on “Data Protection” automatically when you set a passcode, which isn’t great but it’s better than nothing.
• You can use Google Authenticator, Duo Security, Authy, or FreeOTP (which is FOSS) to scan your two-factor codes.
• SMS is very insecure, so use a messaging app with end-to-end encryption instead, and encourage your contacts to as well.
  • Signal is the gold standard and can replace the default SMS app. Wire and Threema are also good.
  • WhatsApp and FB Messenger are problematic, but still much better than SMS.
  • If you want to dig deep, or secure messaging is critical for you, be aware that there’s a lot of complexity.
• Add a PIN to your cell carrier account to protect against SIM swapping.
• Use iCloud’s Find My Phone on iOS. On Android use Google’s Android Device Manager and its app, Cerberus anti theft or Lookout.
• Consider scanning your two-factor codes into two devices, like a phone and a tablet.
• iOS: Having it erase your device after 10 passcode fails is up to you, but we generally don’t recommend it as sometimes pockets or kids can set this off.
• iOS: Encrypt your to-computer backups.

Phew. That’s it. Did we miss anything? Please leave a comment with any other WordPress security advice.