CIS benchmarks for WordPress: What it means and where to start

7 CIS-based security practices to apply to WordPress

Here’s how to use CIS guidance to harden the server stack that powers your WordPress site. We’ll go layer by layer, starting with the operating system.

1. Harden your Linux server

Most WordPress hosting is built on a Linux-based operating system like Ubuntu, CentOS, or Debian. You can apply these Linux-focused security practices:

• Disable unused services: Turn off anything your server doesn’t need—like FTP, Bluetooth, or SNMP—to reduce your attack surface.
• Set up a firewall: Use ufw (Uncomplicated Firewall) to only allow traffic on ports you need—usually 80 (HTTP), 443 (HTTPS), and 22 (SSH).
• Enable automatic security updates: Keeps your system patched against known vulnerabilities. On Ubuntu, this can be done with unattended-upgrades.
• Install Fail2Ban: Protects against brute-force login attempts by banning IPs that fail too many times.

2. Secure your PHP settings

PHP is the programming language WordPress runs on. Improper PHP configuration can leave you vulnerable.

• Disable dangerous functions: Edit php.ini and disable risky commands like exec, shell_exec, system, and passthru.
• Hide PHP version info: Set expose_php = Off so attackers don’t see which PHP version you’re running.
• Limit file access: Use the open_basedir directive to restrict what folders PHP can read or write to.

To apply these changes:

1. Open your php.ini file (location varies by OS).
2. Make edits as needed.
3. Restart your web server to apply the changes.

3. Lock down MySQL or MariaDB

Your WordPress site stores all its content in a MySQL-compatible database. Here’s how to make that safer:

• Remove anonymous users: Run mysql_secure_installation to delete default users and set a root password.
• Disallow remote root login: Only allow root access from localhost.
• Use strong passwords: For the WordPress database user, always use a long, random password.
• Limit user privileges: The WordPress database user should only have permissions it absolutely needs (usually SELECT, INSERT, UPDATE, DELETE).

4. Harden Apache or NGINX

Your web server software (Apache or NGINX) controls how traffic reaches your WordPress site. Harden it by:

• Disabling directory listing: Prevents visitors from seeing the contents of folders without index files.
• Restricting HTTP methods: Limit allowed methods to GET, POST, and maybe HEAD—deny things like TRACE, PUT, and DELETE.
• Adding a Web Application Firewall (WAF): Use mod_security for Apache or NAXSI for NGINX to block malicious requests.

Most of these can be set in your web server’s main config file or in .htaccess.

5. Configure strong file permissions

CIS recommends minimizing file access wherever possible.

• Set folders to 755 and files to 644: This gives the server the access it needs without overexposing anything.
• Lock down wp-config.php: This file contains your database credentials. Use chmod 600 wp-config.php to limit access.
• Deny write access to .htaccess and .htpasswd if you use them.

You can set permissions from your terminal or via an FTP client.

6. Enforce HTTPS and use secure headers

Encrypting traffic and securing browser behavior helps protect users.

• Install an SSL certificate: Let’s Encrypt is free and widely supported.
• Redirect HTTP to HTTPS: Force all traffic to use encryption.
• Add headers for extra security:
  
  • Strict-Transport-Security (HSTS): Tells browsers to only use HTTPS.
  • X-Frame-Options: Prevents clickjacking.
  • X-Content-Type-Options: Stops MIME-sniffing.

You can add these headers in your .htaccess file (Apache) or nginx.conf (NGINX).

7. Monitor and log everything

Logging helps you detect and respond to suspicious activity.

• Enable access and error logs: On Apache or NGINX, logs are usually in /var/log/apache2/ or /var/log/nginx/.
• Use WordPress activity log plugins:
  • WP Activity Log
  • Stream
• Watch for file changes: Tools like Wordfence can alert you when files are altered.