Approaching a web application’s security is as much about mindset as it is about the tools and configurations you deploy. It’s why security professionals always talk about people → process → technology. Unfortunately, in many incident response cases the former components are often nonexistent.
Let’s get focused using WordPress—the world’s most popular CMS and a frequent target. This is our approach to securing WordPress for enterprise. You’ll notice it isn’t “enable everything”; it’s about the three key things most compromises rely on.
Simplifying Security with Focus
Scope drives success. Our strategy uses a simple framework:
| Tenet | Description |
|---|---|
| Access | Limit access across the stack to known, trusted sources. |
| Files | Control what files exist, what’s modified, and what’s introduced. |
| Movement | Limit blast radius; prevent lateral movement after a breach. |
Focusing here dramatically reduces noise and aligns defenses with real attacker requirements.
Step 1. Access
Access is >50% of the battle. Educate users that not everyone needs access—and definitely not admin access. Think in two planes:
| Focus Area | Description |
|---|---|
| Application |
WordPress admin lives at /wp-admin and /wp-login.php.Defenses:
|
| Server |
Ditch FTP/Telnet; use SSH/SFTP only. Defenses:
|
Strong, unique passwords with a manager are a must—but assume some users will still choose “password”. The controls above offset that risk. We also like IP allowlisting for its impact-to-effort ratio. Try visiting noc.org/wp-admin to see our browser authentication.
Example (restrict admin/login by IP in .htaccess):
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteCond %{REMOTE_ADDR} !^234\.234\.234\.234$
RewriteRule ^(.*)$ - [R=403,L]Step 2. Files
Attackers add or change files to persist or monetize access. We treat files as three buckets: new, manipulated, executed.
| Type | Goal |
|---|---|
| New | No new files without explicit approval. |
| Manipulated | No core/theme/plugin edits without approval. |
| Executed | Block unnecessary execution paths. |
We remove writability to core by using a dedicated owner (not the web user) and only flipping write during updates:
# add a dedicated user for the site
adduser noc
chown noc:noc /var/www/noc.org
chown -R noc:noc /var/www/noc.org/*
Keep only /wp-content/uploads/ writable by the web user:
chown www-data:www-data /var/www/noc.org/wp-content/uploads/And disable PHP execution in uploads:
<Files *.php>
Deny from all
</Files>Step 3. Movement
Limit lateral movement. Even if a foothold is achieved, functional isolation prevents spreading. Where feasible, prefer 1:1 app-to-server (modern infra makes this attainable). Chroot/FPM isolation helps but still requires diligence against privilege escalation.
WordPress Security, Simplified
Most successful attacks trace to access control or vulnerable software—both addressed here. Add a WAF to filter malicious requests at the edge and buy patching time without production risk.
NOC — Authoritative DNS, CDN & WAF
Accelerate and protect your sites with global DNS, edge caching, and an always-on web application firewall.
See Plans