WordPress is one of the most popular Content Management Systems (CMSs) globally, powering more than half of websites that use CMSs we know. Unfortunately, being an incredibly convenient, user-friendly, and robust solution doesn’t automatically translate to being completely secure.
With cybercrime on the rise, it’s more important than ever to take careful, proactive, and preventative measures to protect our websites. To do that, it helps to understand which security features are absent from WordPress by default and what we can do to substitute alternatives.
In this post, we’ll discuss some of the security features that aren’t built into WordPress, and the options for adding them to your site. Let’s get started!
An Overview of WordPress Security
WordPress is one of the most widely-used CMSs on the planet, and with good reason. However, with so many websites using the software, it also becomes a common target for hackers.
Cybercriminals can use many different types of attacks to infiltrate your site. For example, some of the most popular include:
- Cross-Site Scripting (XSS)
- Structured Query Language (SQL) Injection
This is just to name a few. What’s more, a wide variety of factors can make a WordPress website insecure.
WordPress is generally proactive about identifying and addressing security issues. However, the developers can’t safeguard every site, especially when it comes to third-party tools and user behavior. For example, outdated themes and plugins often introduce security vulnerabilities, as can using old versions of PHP.
5 Security Features We Wish Were Included in WordPress
As we continue to identify and implement the best ways to minimize threats, it’s essential to acknowledge that WordPress doesn’t come with everything to keep us safe. Learning which security features it currently lacks, such as the following five examples, is the first step toward finding alternate solutions.
1. Built-In Audit Logs
When you’re running a WordPress site, a lot is going on at once. Audit logs (also known as ‘activity logs’ or ‘activity trails’) help you identify who makes changes to your site and when.
You can use this type of log to keep a record of activity on your website. Having this information helps you keep an eye on your site and makes it easier to identify when something goes awry.
Unfortunately, WordPress does not currently offer a feature for this purpose. Instead, you can use a plugin such as WP Activity Log from WP White Security:
An audit plugin can help you keep a record of events on your website, including all user changes. This can be particularly useful when multiple users contribute to your site.
2. Two-Factor Authentication (2FA)
Two-Factor Authentication (2FA) is one of the best ways to prevent brute-force attacks. It adds an additional layer of protection to your WordPress login screen by requiring two identity verification methods.
However, WordPress has not yet built this security feature into its platform. Part of the reason is that achieving it with the core platform alone is difficult because, as George Stephanis pointed out, methods such as verification via text messages would require external Application Programming Interfaces (APIs).
One solution you can use in the absence of a built-in WordPress 2FA is the Two-Factor plugin Stephanis developed:
This will enable 2FA using time-based, one-time passwords, which are accessed using Google Authenticator. It also enables email and backup verification codes.
3. Cryptographic Signed Plugins
Starting with WordPress 5.2, WordPress began using signature verifications for Core updates. This involves checking your header and files for signing keys (developed by the WordPress.org team) that verify that the site is valid.
WordPress will soft-fail if the signature isn’t valid, although future releases will include a hard fail. Ultimately, the purpose of this check is to prevent hackers from interfering with the update server by tricking the automatic update system into downloading invalid code.
This is a lot more difficult to do now than it once was. That’s because hackers now would need to steal the signing keys from WordPress’ Core developers.
However, this cryptographic signing currently only applies to Core updates. Moving forwards, we would like to see the plugin ecosystem also have signed packages and updates, as they’re a major source of security vulnerabilities.
In the meantime, it’s essential to be vigilant about vetting the plugins you use before installing them, and making sure to consistently update them. If you need a proactive reminder, WPSec can help; we’ll send you push notifications any time an update is needed.
4. Brute Force Protection and CAPTCHAs
Brute-force attacks are a significant threat to WordPress sites. This is when a hacker repeatedly tries to crack your password through excessive attempts at different letter and number combinations.
There are a couple ways to prevent this, though not all are built-in WordPress security features. One is to make sure you’re using strong passwords. This means making them as complex as possible, which you can do using the WordPress Generate Password tool on your User page.
Another is to limit login attempts. Implementing 2FA is a solid start. However, it’s also a smart idea to use Completely Automated Turing test to tell Computers and Humans Apart (CAPTCHAS) to add an additional layer of security to your login and registration forms:
The easiest option is to use a plugin such as Advanced noCaptcha & invisible Captcha. It will enable you to choose any type of CAPTCHA to add to your WordPress forms, including your login page.
5. An SSL Certificate Helper
Secure Sockets Layer (SSL) certificates are necessary for establishing an encrypted connection between your site’s server and the user’s browser. Failing to install one on your site can not only put your data at risk, but can also hurt your Search Engine Optimization (SEO) since Google penalizes sites without one.
Obtaining and installing an SSL certificate is not overly complicated. Most site owners can download one through their hosting provider, usually with a one-click setup.
However, to make this process even easier (and, in turn, prevalent), we think it would help if WordPress included a feature to help users install a free SSL certificate if their sites currently lack one. Let’s Encrypt already offers free certificates, but reducing the number of steps required to acquire and activate one could help many people, especially those who are not tech-savvy or are pressed for time.
With so many security threats plaguing the internet today, it’s never been so important to protect our websites. Unfortunately, although WordPress is a reliable and powerful CMS, it’s never completely safe. This is why it’s essential to identify which protections it lacks and seek ways to make up for them.
As we discussed in this article, there are five security features we wish WordPress had:
- Built-in audit logs for tracking user activity.
- Two-Factor Authentication (2FA) to add a layer of security to logins.
- Cryptographic signed plugins, similar to what’s been introduced for Core updates.
- Brute force protection and CAPTCHAS for further limiting login attempts.
- An SSL certificate helper that would make it easy for WordPress users to install a certificate with one click.
Do you have any questions about adding alternative solutions to secure your WordPress site? Let us know in the comments section below!