The Principle Of ‘Least Privileges’ on WordPress | Three Ways to Implement

According to Wikipedia:

“WordPress is used by around 64.8% of websites globally, which makes up around 41.4% of 10 million websites.”

WordPress is a hugely popular CMS, but it is also highly vulnerable. Realistically, hackers exploit those vulnerabilities to manipulate WordPress websites. Generally, a website’s security gets compromised when you fall into one of these traps:

  1. Free Plugins or Themes
  2. Blind Trust
  3. Improper Internet Security Initiatives
  4. Organized Cyber Crime

In this post we discuss a quick and direct path to WordPress security: implementing the principle of least privilege. It is the simplest way to weed out users who should not have credentials for your WordPress site and to trim the access of those who remain. So, let’s take a look at the principle of least privilege on a WordPress site.

What Are the Three Best Ways to Use the Principle of Least Privilege on WordPress Websites?

Using the principle of least privilege on your WordPress website is easy. There are three methods you can use:

  1. Disable The File Editor
  2. Limit WordPress Files Write Access only to YOU
  3. Manage your Access Levels

All three methods are quite easy to apply, though a bit tedious. So let’s get into it:

1. Disable The File Editor

You can start implementing the principle of least privilege on a WordPress site from wp-admin. But before moving on to disable the file editor, we should understand a few essential things:

  • You should not keep the file editor active all the time
  • The file editor lets WordPress developers customize a site’s theme and plugin code from the dashboard
  • Disabling it protects your site from harm, because major changes to themes and code are irreversible
  • Hackers can destroy your digital reputation by using it to install malware into your site’s plugins and themes.

To disable the file editor and apply the principle of least privilege, follow these steps:

  • Ensure that you have a handy text editor at your disposal, such as Visual Studio Code or Notepad++
  • Find the location of the wp-config.php file
  • Click download to edit wp-config.php locally in your text editor; when you are done, upload it again and replace the original. Alternatively, click edit and use the built-in editor.
  • Look in wp-config.php for the line define('DISALLOW_FILE_EDIT', ...); and set its value to true
  • If you cannot find that line, add define('DISALLOW_FILE_EDIT', true); at the bottom of the file and click Save
  • Now check the results. In particular, look under Appearance and Plugins and make sure the editor links are no longer clickable.
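The same change done from a shell, as an added example that is not code from the original post: it sets the define, verifies it, and places it before the line that loads wp-settings.php, because a define that sits after that require (for instance at the very bottom of the file) never takes effect. The config path is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original post: set DISALLOW_FILE_EDIT in a
# wp-config.php from the command line and verify it. The define is inserted
# *before* the line that requires wp-settings.php; a define placed after that
# require is read too late and has no effect.
# Assumes a POSIX sh with awk, grep and mktemp; the config path is an assumption.

# Succeed only if the config contains define('DISALLOW_FILE_EDIT', true).
# (Does not try to tell a commented-out line from a live one.)
file_editor_disabled() {
    grep -Eq "define[[:space:]]*\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# Rewrite $1 so the file editor is disabled, then re-check the result.
disable_file_editor() {
    cfg="$1"
    tmp=$(mktemp) || return 1
    awk -v line="define( 'DISALLOW_FILE_EDIT', true );" '
        # Drop any existing DISALLOW_FILE_EDIT define: PHP keeps the first
        # define() it sees, so a stale "false" must not stay above the new one.
        /define[[:space:]]*\(.*DISALLOW_FILE_EDIT/ { next }
        # Insert the hardened define just before wp-settings.php is required.
        /wp-settings\.php/ && !inserted { print line; inserted = 1 }
        { print }
        # Unusual config with no wp-settings.php line: append at the end.
        END { if (!inserted) print line }
    ' "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$cfg"      # cat, not mv: keeps the file's owner and mode
    rm -f "$tmp"
    file_editor_disabled "$cfg"
}

# Usage: sh disable-file-editor.sh /path/to/wp-config.php
if [ "$#" -gt 0 ]; then
    disable_file_editor "$1" && echo "file editor disabled in $1"
fi
```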

2. Limit WordPress Files Write Access only to YOU

If you want POLP (the Principle of Least Privilege) to succeed on your WordPress site, cut the number of people with access by a large margin. As the rule of minimalism puts it, “Clutter is the enemy of clarity” (Julia Cameron). Therefore, restrict privileged access to WordPress files to yourself, the website owner or WordPress developer. To do so, you need to change the WordPress file permissions.

How to Change WordPress File Permissions

  • Go to the root folder, called public_html, through cPanel or FTP. There, right-click each file or folder and select Change Permissions.
  • You will see three identities: (a) user (you), (b) group (coworkers on your site) and (c) the world (public access), along with three permissions: (i) Read, (ii) Write and (iii) Execute.
    • Each permission has an assigned point value, and the digit shown for each identity is the sum of the permissions it has been granted:
        • Read = 4
        • Write = 2
        • Execute = 1

Look below for a couple of examples to better understand how to change the WordPress file permissions:

  • In the FTP or cPanel interface the permissions dialog looks like this (the original post shows a screenshot here):

Did you notice something? 777 is the number that adds up to complete public access: 4 + 2 + 1 = 7 for the user, the group and the world alike.

Important Note: never leave any file at 777. Don’t leave settings open, and no setting should be higher than 767.

From a technical standpoint, leaving confidential files and folders at 777 is fraught with danger, especially critical folders such as wp-content, wp-admin and wp-includes, and the .htaccess file. Say you attempt to assign 777 to a child folder while the parent is set to something like 666; Boom!! It will not work at all.

Quick fix: update the parent folder to 777 so that you can change the child folder. Once you’ve made the change, set the parent back from 777.

And if an attacker on the same shared server tries to reach your WordPress files, your restricted public (world) permissions are already in place, so he cannot infiltrate your WordPress site through them.
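The audit and fix described in this section, as an added example that is not code from the original post: it counts everything under the document root that the world identity can write to, then applies the layout WordPress’ own hardening guidance uses (directories 755, files 644, wp-config.php 600). The path, and the assumption that you run it as the files’ owner, are the example’s own.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a WordPress document
# root (the public_html folder from the post) for anything the "world" identity
# may write to, then apply the layout WordPress' own hardening guidance uses:
# directories 755, files 644, wp-config.php 600. Assumes a POSIX sh with
# find, chmod, wc and stat; run it as the owner of the files.

# Number of files/directories under $1 with the world-write bit (002) set,
# i.e. a last octal digit of 2, 3, 6 or 7 (777 and 666 both count).
count_world_writable() {
    find "$1" ! -type l -perm -002 | wc -l | tr -d ' '
}

# Apply the least-privilege layout to the whole tree rooted at $1.
fix_wp_permissions() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +   # rwxr-xr-x: 4+2+1, 4+1, 4+1
    find "$root" -type f -exec chmod 644 {} +   # rw-r--r--: 4+2, 4, 4
    # wp-config.php holds the database credentials: only the owner needs it.
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
    # .htaccess stays 644: the web server must read it but never write it.
}

# Permission bits of $1 as three octal digits, e.g. 755 (GNU stat, then BSD).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage: sh wp-perms.sh /path/to/public_html
if [ "$#" -gt 0 ]; then
    echo "world-writable before: $(count_world_writable "$1")"
    fix_wp_permissions "$1"
    echo "world-writable after:  $(count_world_writable "$1")"
fi
```

Run the count alone first; a non-zero number on a site you believed was locked down is the finding, and the fix can then be applied deliberately rather than blindly.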

3. Manage your Access Levels

Organizing access levels should be a high priority for WordPress website managers, WordPress developers and enterprises. Managing access levels well offers many benefits: business agility, smoother collaboration, better storage use, automation and improved data security.

Generally, a company with little or no management of access levels falls victim to privilege creep. TechTarget (an American company offering data-driven marketing services to B2B technology vendors) describes privilege creep as the “slow but steady piling of access rights beyond the need of website manager(s).” Consequently, privilege creep poses a security risk.

Therefore, managing access levels is indispensable for strengthening the security and confidentiality of a WordPress site. So, don’t forget to apply the following tips to keep your site safe and secure:

Deactivate unnecessary accounts

When an employee leaves, or someone is no longer part of your WordPress site, deactivate their account right away. This not only curbs privilege creep but also frees up storage space.

Audit existing users

Treat your list of WordPress accounts like a profit-and-loss statement and review it regularly. If you find inactive users, delete them right away. And if a particular user only publishes a post sporadically, assign her a generic ‘Staff’ profile for her publication-related work.

Make and maintain an access-level spreadsheet for employees

This is the right way to keep a record of access. With employees’ names and designations in one place, you can easily filter who uses a particular account frequently and who doesn’t. For example, when a temporary WordPress developer stops working for you because her project has ended, delete her account to avoid unnecessary access permissions.
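The user audit and the spreadsheet check from the last two tips, combined into one added example that is not code from the original post: it reconciles the accounts that actually exist on the site against the approved access list and flags accounts nobody approved and accounts whose role has drifted. Both inputs are assumed to be CSV files with the columns user_login,roles (the live one as WP-CLI’s wp user list writes it), and the demo data is constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: reconcile the accounts that
# actually exist on the site against the access-level spreadsheet the post
# recommends. Assumes two CSV files with the columns user_login,roles:
#   the live list, e.g. from WP-CLI: wp user list --fields=user_login,roles --format=csv
#   the approved list exported from the spreadsheet.
# Assumes one role per user (multi-role users appear quoted in WP-CLI's CSV).

# Print one finding per live account that the spreadsheet does not sanction:
#   NOT_IN_SPREADSHEET  nobody approved this account (deactivate or delete it)
#   ROLE_MISMATCH       the live role differs from the approved one (privilege creep)
audit_access() {
    approved="$1"
    live="$2"
    awk -F, '
        { sub(/\r$/, "") }                 # tolerate CRLF spreadsheet exports
        FNR == 1 { next }                  # skip the header row of each file
        FILENAME == ARGV[1] { want[$1] = $2; next }   # approved role per login
        !($1 in want) { print $1 ",NOT_IN_SPREADSHEET,has=" $2; next }
        want[$1] != $2 { print $1 ",ROLE_MISMATCH,has=" $2 ",approved=" want[$1] }
    ' "$approved" "$live"
}

# Constructed demo data (not from a real site) showing both kinds of finding.
demo_audit() {
    sheet=$(mktemp) || return 1
    list=$(mktemp) || return 1
    printf '%s\n' 'user_login,roles' 'owner,administrator' 'jane,author' > "$sheet"
    printf '%s\n' 'user_login,roles' 'owner,administrator' 'jane,editor' \
        'old_contractor,administrator' > "$list"
    audit_access "$sheet" "$list"
    rm -f "$sheet" "$list"
}

demo_audit
```

Each finding maps to one follow-up: wp user set-role for a ROLE_MISMATCH, and deactivation or wp user delete (with --reassign for the user’s content) for NOT_IN_SPREADSHEET.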

Ending It - Implementing the Principle of Least Privilege on WordPress

In this post we have looked at the principle of least privilege from different angles, and we emphasized the following three practical tips for implementing it to maximum benefit:

  1. Disable The File Editor
  2. Limit WordPress Files Write Access only to YOU
  3. Manage your Access Levels

But don’t stop here. Keep working and keep securing your site. And if you are looking for a more professional way to beef up your WordPress site security, reach out to us at WP-Bridge for quick solutions to keep your WordPress site healthy and safe.
