WordPress security best practices for enterprise

A secure website builds trust with users and protects your brand reputation and sensitive data. In this guide, we share security practices for engineering and publishing teams, ensuring your WordPress site stays robust against both known and emerging threats.

Security best practices for engineering teams

Engineering teams are the backbone of a secure WordPress environment. Integrating essential security measures into your development workflow and infrastructure ensures your website remains robust and protected against threats.

1.1 Infrastructure and hosting security

In this section, we will discuss the Infrastructure and hosting security checklist, including Enterprise-grade hosting selection, Server hardening, and Network security.

Enterprise-grade hosting selection

• Dedicated environment: Implement isolated hosting environments for production, staging, and development environments. This will allow you to test the changes and catch any issues before pushing them to the production environment. 
• Managed security services: If you are hosting the website on your server or going with a managed hosting provider, consider having these features as a foundation for a secure server:
  • Web Application Firewalls (WAF)
  • DDoS protection
  • Intrusion detection systems
  • Regular server hardening

Server hardening

• Operating system security: Keep updating the server with security patches at regular intervals.
• PHP configuration: Configure your server with these PHP settings for additional security.
  • Restrict the use of dangerous functions that can execute external commands (e.g., exec, shell_exec, system).
  • Set appropriate memory limits and execution times.
  • If required, enable open_basedir restrictions to prevent PHP scripts from accessing files outside the allowed directories.
• Web server configuration:
  • Implement proper HTTP security headers to send specific headers to enhance security by preventing attacks like cross-site scripting (XSS), clickjacking, and data injection.
  • Disable directory listing and enforce a 403 forbidden error by configuring Apache or Nginx servers. 
  • Prevent information disclosure in error messages, but make sure to log them for retrieval when debugging.

Network security

• Implement network segmentation by isolating your database servers from your web servers—an industry-recognized best practice for enhancing security.
• For accounts with administrative rights, implement IP-based restrictions or keep rotating the passwords at regular intervals.
• Configure advanced firewall configurations for known malicious patterns and keep refining them when new patterns are noticed.
• Implement rate limiting to prevent brute force or DDoS attacks.

1.2 Secure development practices

In this section, we will cover Secure development practices, including Code security standards, Secure data handling, and other best practices.

Code security standards

• When developing something, make sure to adhere to WordPress coding standards for consistent and secure code.
• While writing code and collecting data, follow the security standards and compliance requirements depending on the audience your website targets and the data it collects.
• Add peer code reviews in the development workflow to prevent any vulnerabilities going to production by having a fresh set of eyes take a look at the code. 

Secure data handling

• Input validation and sanitization:
  • Use WordPress sanitization functions to sanitize any content before putting it into the database. (sanitize_text_field, sanitize_email, etc.)
  • Use context-specific validation rules.
  • Example:

// Sanitize and validate user input.

$user_email = sanitize_email( $_POST['email'] );

if ( ! is_email( $user_email ) ) {
    return new WP_Error( 'invalid_email', 'Invalid email address' );
} 

• Escaping output:
  • Always escape data before output to prevent XSS attacks.
  • Use context-specific escaping functions like (esc_html, esc_url, esc_attr, etc.)
  • Example:

<a 
    href="<?php echo esc_url( $url ); ?>"
    title="<?php echo esc_attr( $title ); ?>"
>
    <?php echo esc_html( $link_text ); ?>
</a>

• Database queries:
  • To do the direct database queries, use the $wpdb object with the prepared statements.
  • Use proper capability checks before performing the database operations.
  • Example:

global $wpdb;

$results = $wpdb->get_results(
    $wpdb->prepare(
        "SELECT * FROM $wpdb->posts WHERE post_author = %d AND post_status = %s",
        $user_id,
        'publish'
    )
);

Authentication and authorization

• Do capability checks
  • Always check the user permissions before performing any actions.
  • Example:

if ( ! current_user_can('edit_posts') ) {
    return new WP_Error(
        'forbidden',
        'You do not have permission to edit posts'
    );
} 

• Use Nonces to secure from submissions
  • Generate and verify nonces for all form submissions.
  • Example:

// Generate nonce field.
wp_nonce_field( 'save_post_data', 'post_security' );

// Verify nonce.
if (
    ! isset( $_POST['post_security'] ) ||
    ! wp_verify_nonce( $_POST['post_security'], 'save_post_data' )
) {
    die( 'Security check failed' );
}

• API authentication security:
  • Implement proper authentication for REST API endpoints
  • Apply rate limiting to API endpoints

Custom plugin and theme development

• Security-first architecture:
  • Apply the principle of least privilege to your classes and methods, restricting access instead of exposing everything publicly.
  • Use the WordPress hooks system effectively, ensuring the functionality can be extended when required.
  • Minimize usage of global variables unless specifically required.
• Third-party integration security:
  • Audit external API dependencies and packages.
  • Store the API tokens securely in wp-config.php or use environment variables to prevent exposure in the database or codebase.
  • Validate all data received from external services.

1.3 WordPress core and extensibility security

In this section, we will discuss WordPress core security, covering Configuration best practices, Plugin and theme management, and Security constants.

WordPress configuration security

• Secure wp-config.php:
  • Update salts in `wp-config.php` with newly generated salts rather than the default ones provided by your hosting or fresh WordPress installation. Use WordPress’s Salt Generator to generate fresh salts.
  • Set appropriate file permissions (preferably 400 or 440)
  • Move file outside web root when possible
• Security-focused constants:

// Disable file editing in admin
define('DISALLOW_FILE_EDIT', true);

// Disable plugin/theme installation
define('DISALLOW_FILE_MODS', true);

// Force SSL in admin.
define('FORCE_SSL_ADMIN', true);

// Disable WordPress auto-updates.
define('AUTOMATIC_UPDATER_DISABLED', true);

// Custom database prefix (for new installations).
$table_prefix = 'custom_prefix_'; 

Third-party plugin and theme management

• Establish a formal review process for all third-party plugins and themes.
• Keep your WordPress core, themes, and plugins up to date to take advantage of the latest features and security enhancements.
• Test the themes and plugins on the staging or development environments before deploying to production. Follow the same process when updating them as well.
• Keep track of recent vulnerabilities reported by users from sources like Patchstack and WPScan.

1.4 Incident Response

In this section, we will focus on Incident Response, covering Threat detection, Isolation, and Recovery strategies.

Identify, isolate, and exterminate

• Identify the nature of the incident, like unauthorized access, file changes, or traffic spikes on the server.
• Based on the nature of the incident Isolate or pinpoint the issue and take actions accordingly like these.
  • File changes to core, plugins, or the theme: Revert to the original version with file backups or update to the latest version.
  • Unauthorized access: Change the passwords to all user accounts and servers.
  • Traffic spikes: If you see sudden spikes in traffic coming from specific IP addresses, block them.
  • Database: If the database is compromised, restore it from the latest clean backup.
• Set up real-time monitoring tools to detect repeated threats and errors on the website.
• Utilize CloudFlare’s Always Online feature (Free Tier) to serve cached versions of static pages during incidents.
• Implement failover systems and redundancy
  • Secondary DNS servers
  • Backup hosting environments
  • Alternative domain access points

1.5 Backup and disaster recovery

Here, we will discuss Backup and disaster recovery strategies, including Automated backups and secure storage.

• Automate your database backups to suit your site’s activity. For an ecommerce site with continuous updates, use incremental backups to capture changes efficiently. For blogs or less-active sites, regular scheduled backups will do the job.
• Encrypt and store backups in a different, secure location. This makes it easy to retrieve the backup in case the server is compromised and prevents unauthorized access.
• To ensure complete recovery, include full backups of both the database and files. And regularly check whether the backup automation setup is working as expected.
• Take backups before any major changes to ensure a smooth recovery if something goes wrong.

Security best practices for publishing teams and users

While engineering teams lay the security groundwork, everyday actions by WordPress users can either reinforce or undermine these measures. Content teams, editors, and administrators must adopt essential security practices to safeguard your site.

2.1 User account security

In this section, we will discuss User account security, including Authentication, Session management, and Role-based access controls.

Strong authentication practices

• Password management:
  • Require complex passwords.
  • Implement password expiration policies that are appropriate for your organization and motivate users to change their passwords regularly.
  • Consider implementing a password manager solution.
  • Consider multi-factor authentication (MFA) or IP-based access for administrative accounts.
• User session management:
  • Implement automatic logout after periods of inactivity
  • Limit concurrent sessions per user

Access control best practices

• Role-based access control:
  • For each role, assign the minimum necessary privileges.
  • Consider implementing custom roles to tailor publishing workflows and enforce granular user access control.
  • Limit vendor access to necessary systems only.
• User provisioning and de-provisioning:
  • Establish formal processes for account creation.
  • Regularly remove accounts that are no longer needed or when team members no longer require access.
  • Ensure each user has a unique account, so issues can be traced back to the individual responsible. Avoid shared accounts to maintain clear accountability.

2.2 Content security

In this section, we will cover Content security best practices, including Publishing workflows, Media upload security, and Data protection.

Secure publishing workflows

• Content validation:
  • Implement content review processes before publication.
  • Validate external links and embedded content.
• Media upload security:
  • Restrict allowed file types and appropriate size limits for uploads.

Data protection

• Sensitive content handling:
  • Establish clear guidelines for handling sensitive information.
  • Train users and authors to recognize and properly classify data, ensuring that sensitive information is never published.
• Form and user data:
  • Use secure forms with proper validation on the fields.
  • Ensure compliance with relevant privacy regulations.

Conclusion

In an enterprise environment, WordPress security is both a technical and human endeavor. By adopting these best practices, you can significantly reduce security risks while keeping your publishing workflow efficient.

Remember, security isn’t a one-off task—it’s an ongoing commitment. Regular scans, policy updates, and continuous training are essential to safeguarding your WordPress environment.

Additional Resources

• WordPress Security Team Documentation
• OWASP Top Ten Project
• WPScan Vulnerability Database
• Security recommendations for all users