WordPress Application Security – Part 2

wpsec2This is the second article on WordPress application security.  In Part 1, we explained the three legs of the classic security triad: Confidentiality, Integrity and Availability.  We looked at addressing Confidentiality while using WordPress as your application framework. In this article, we will continue our discussion with the other two legs, Integrity and Availability in the same context.


Integrity means that the data and application stay “intact” – no malware, no data corruption, no accidental loss of data.

WordPress site integrity is typically compromised in one of two ways: 1) A “brute force” administrative login or 2) An injection attack.  The WordPress core is solid, with a lot of eyeballs on it. All the plugins, themes and even your own code add  potential injection attack vectors.

Generally Hardening Your Site

Before building a WordPress based app, you should be familiar with the canonical information from WordPress about web site hardening. Generally it covers the areas that are the most vulnerable, including servers, your databases, your computer and WordPress itself.   It also explains how to set up your site to mitigate the impact of a successful attack.

Defending Against Brute Force Attacks

The vast majority of brute force attacks, originate with bots using the username “Admin” or “Administrator”  and a dictionary based set of passwords [reference].  By choosing a unique username and requiring users with Administrator access to have strong passwords, you’ll defend against most brute force attacks.  Many security plugins will enforce strong passwords.

Using Plugins

There are several “all-in-one solutions” that perform a lot of security tasks. Most of them have specific strategies to defend against brute force attacks.  None of them are “the best” because all security plugins need to interact with all the other code and plugins on your site, and there will inevitably be conflicts.   If you Google “Top WordPress Security Plugins”,you’re going to get a lot of the same “Top 10”. I recommend that during application development, you try several different plugins and use the one that works best for you with the rest of your application. WordFence and All In One  will be on nearly every top ten list.

One of the more popular security plugins is “iThemes Security”, which was previously known “Better WP Security”.  There have been substantial changes since the plugin was acquired by iThemes. Before counting on the plugin’s previous reputation, you might want to read this security blog before installing it.

Rather than using a broad-based security solution, you may want to use something like Login Security Solution which defends specifically against brute force attacks and nothing else. In application development, this may be better because it does exactly one thing – defends against the most common type of attack.  That may leave more resources available to you for your application.

There are various plugins to protect your login and registration screens, including various captcha systems, many of which are quite good.  One of my favorites is Anti-Captcha . It works by using JavaScript to insert a custom “nonce” (number used once). Very simple, very clever, very un-intrusive.

 Your Own  Application Integrity

As you are designing your web app, remember that web input doesn’t necessarily come from the screens and query strings you intend.  Malicious ‘bots will put odd things in the query strings, and try to fake input for injection or cross site scripting attacks.

One of the things that makes WordPress a good candidate for building secure web applications is its built in data validation and sanitation functions. These provide you with a consistent, effective and well tested library of routines to mitigate these types of attacks. They also help you keep your application safe from user errors.  The codex explains about validating, sanitizing and escaping user data as well as validating and sanitizing output to keep your application data intact.


Often, when speaking of web application availability the onus is put on the server and network team. Obviously, if you can’t get to the server, then you can’t get to the program. However, once the user has access to the server, the onus is back on the application developer to design for availability.

 Database and Application Backup

If the application or server fails catastrophically, or a privileged user destroys (intentionally, or unintentionally) application data,  the only way to assure availability is to recover from backup.  Which means you need to make a backup in the first place.

There are three major factors you want to consider, when backing up your data:

  1. Backup Frequency.  How often do you want to back up your data?  Depending on the nature of your application, you may want to back it up every day or even every hour.  If you data doesn’t change much, once a week may be more than enough.
  2. Backup Location.  Where does the back up go?  Many of these backup plugins will email them to you for storage on your local hard drive.  Others will back your data up to a cloud storage provider like Google Drive or Amazon S3.
  3. Retention Policy.  How long do you plan to keep the backup?  Working backups need not be kept a long time, as “old” data may be nearly useless.  However, historical or archived data may need to be kept indefinitely .

There are hundreds  of WordPress plugins that will automatically backup your data.  Once you know your data backup plans, you can choose an appropriate backup plugin.

Asset Management

By “asset” I am referring to non-textual content (video, audio, graphics).  Program assets such as audio, video and graphics can be large. If there are very many of them, they can seriously slow down an application to the point where it is inaccessible.   One way to mitigate this is to use “Lazy Loading”.  Lazy Loading is software design technique to defer initialization of an object until is needed. Used properly, it can significantly increase the speed of a program.  Sometimes this is called “background” loading.

If your application is media rich, I recommend that you familiarize yourself with the Codex media function references . These functions provide a standard method of Asset Management to allow you to defer initialization of your rich media until it is needed.

Again, an advantage of using WordPress for application development is that there are over a hundred plugins for the lazy loading of your rich media assets.


Caching refers to storing frequently used information someplace you can get to it more quickly.  Generally, it takes more time to look something up on another web server than it does to look it up in your local database. It’s generally quicker to access something from the local file system than it is to access it from the database, and it’s quicker still to access something from memory than from the local file system.

The WordPress Cache Object provides a standard caching mechanism you can use to enhance the availability of your application’s data. Depending on the nature of your application, you may be able to use one of the hundreds of caching plugins available at WordPress.org.

Competing Requirements

When evaluating techniques, libraries and plugins you will need to balance competing requirements. In Part 1, we talked about Confidentiality as the first leg of the CIA security triad.  This can be in direct competition with Availability.  If something is “perfectly” confidential, it’s available to nobody, and if it’s available to everybody, it’s not confidential.

When designing for availability be sure to keep confidentiality in mind.  Database backups will have confidential data in them, so they need to be stored with the same concern for confidentiality as the actual database.  Confidential assets need to be staged in secure locations so they are not accessed through “side channels” .  Caching needs to not leave confidential information “lying around” in readily accessible temporary files.

Helping you balance these competing needs is where the open source nature of the WordPress community shines.  You and others can examine any plugins you are considering using and see exactly what is in them and discuss it openly with the rest of the community to help you make the right decisions for your application.

Security is, of course, an integral part of modern software design. In the next article we will examine an overall software design strategy using WordPress as the application framework.

Leave A Comment?

You must be logged in to post a comment.