3 Ways To Implement The Principle Of Least Privilege On Your WordPress Site

The principle of least privilege (POLP) states that a subject should be given only those privileges needed for it to complete its task. Because people are prone to error and vulnerable to manipulation, the fewer people with access, the better.

The majority of hacks use the vulnerabilities of human nature as their crowbar into websites.

Examples of these scenarios:

  1. Trust: Trusting a social engineering scheme via phone and revealing credentials, or falling for a targeted phishing email and downloading its attachment that is infected with malware
  2. Deal Seeker: Downloading a free premium theme or plugin that is injected with malware to avoid paying the full price.
  3. Laziness: People look for the path of least resistance. This means it is against our nature to create strong passwords, and a 2020 PCMag survey found that 35% of people never change their passwords at all.
  4. Revenge: According to the 2020 Verizon Data Breach Investigations Report (VDBR), 30% of all data breaches involved internal actors and 55% involved organized crime.

There are so many possible permutations of risk and motivation that lead to security compromise. The shortest path to a secure WordPress site is simply through removing as many users as possible and being privilege-picky with the ones you keep.

This article will take a look at three ways to put the Principle of Least Privilege into action on your WordPress site. So what can you do?

1 – Set WordPress file write access to only you!

In accordance with POLP, cut back on access wherever possible. As Napoléon Bonaparte once said, “If you want something done, do it yourself.” We agree. Restrict the write privilege access level of the WordPress files to just yourself, the site owner.

Here’s how to change the WordPress file permissions:

  1. Navigate through cPanel or FTP to the root-level folder called public_html
  2. Right-click on each folder and file and select Change Permissions

You will see three types of identities: user (you), group (coworkers on your website) and world (public access), and three permissions: read, write and execute. Each permission is assigned a point value, and the values granted to one identity are added together to give that identity's digit:

Read = 4
Write = 2
Execute = 1

Here is an example from WordPress of a 755 and a 666. In 755 the owner has read, write and execute (4 + 2 + 1 = 7) while group and world have read and execute (4 + 1 = 5); in 666 all three identities have read and write (4 + 2 = 6) but not execute:

WordPress File Permissions Example

In the FTP or cPanel interface it will look a little more like this :

Change File Attributes

Note that the number that adds up to complete public access is 777. We do not recommend leaving any file at 777. In fact, there are some files the owner should not have write access to except at the moment a change is needed; the setting should not stay open, and even then it should never be higher than 767. Folders are especially dangerous to leave at 777. Critical paths to pay special attention to include the wp-content, wp-includes and wp-admin folders and the .htaccess file.

If you try to give 777 to a child folder while the parent is set to something less permissive, such as 666, the change will not work. First update the parent folder to 777, then make the change to the child folder. Once you are done with the change you needed, remember to set the access back from 777.
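The cPanel and FTP dialogs show one path at a time, which makes it easy to miss a stray 777 folder or 666 file. The script below is an added example (not from the article or from ManageWP or Sucuri) that does the same review from a shell: it turns the rwx triples that `ls -ld` prints into the 4/2/1 digits described above, reports the modes of the critical paths named above, and lists everything under the WordPress root that the world identity can write to. It assumes a POSIX shell with `ls`, `find`, `cut` and `mktemp`; when run without a path it audits a small sample tree that it constructs for illustration.

```shell
#!/bin/sh
# Added example (not from the article): audit a WordPress tree for over-permissive
# modes using the read=4 / write=2 / execute=1 arithmetic. Assumes POSIX sh with
# ls, find, cut and mktemp. The sample tree built when no path is given is
# constructed for illustration only.

# Convert one symbolic triple from ls (e.g. "rwx", "r-x", "r--") to its octal digit.
perm_digit() {
  n=0
  case $1 in r??) n=$((n + 4)) ;; esac
  case $1 in ?w?) n=$((n + 2)) ;; esac
  case $1 in ??[xst]) n=$((n + 1)) ;; esac   # s/t: execute plus setuid/setgid/sticky
  echo "$n"
}

# Three-digit octal mode of a path, derived from `ls -ld` so the same code works
# on GNU and BSD systems (their `stat` flags differ).
mode_of() {
  perms=$(ls -ld "$1" | cut -c2-10)
  u=$(echo "$perms" | cut -c1-3)
  g=$(echo "$perms" | cut -c4-6)
  o=$(echo "$perms" | cut -c7-9)
  echo "$(perm_digit "$u")$(perm_digit "$g")$(perm_digit "$o")"
}

# Every file or directory under $1 that the world identity can write to
# (last digit 2, 3, 6 or 7, which covers 666 and 777).
world_writable() {
  find "$1" -perm -002 \( -type f -o -type d \) | sort
}

world_writable_count() {
  world_writable "$1" | wc -l | tr -d ' '
}

# Print the modes of the paths the article calls critical, then what is world-writable.
wp_report() {
  root=$1
  echo "Modes of critical paths under $root:"
  for p in wp-admin wp-includes wp-content .htaccess wp-config.php; do
    if [ -e "$root/$p" ]; then
      echo "  $(mode_of "$root/$p")  $p"
    fi
  done
  echo "World-writable paths (there should be none):"
  world_writable "$root" | sed 's/^/  /'
}

# Stand-alone demo: audit the given WordPress root, or a constructed sample tree.
if [ -n "$1" ]; then
  wp_report "$1"
else
  demo=$(mktemp -d)
  mkdir -p "$demo/wp-admin" "$demo/wp-content/plugins"
  : > "$demo/wp-config.php"
  : > "$demo/.htaccess"
  chmod 777 "$demo/wp-admin"                             # constructed: the mistake the article warns about
  chmod 755 "$demo/wp-content" "$demo/wp-content/plugins"
  chmod 644 "$demo/wp-config.php"
  chmod 666 "$demo/.htaccess"                            # constructed: world-writable file
  wp_report "$demo"
  rm -rf "$demo"
fi
```

Run it as `sh wp_perm_audit.sh /path/to/public_html` after a change to confirm nothing was left at 777; on a shared host, every path it lists is writable by any other account on the same server.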

If a hacker can reach your WordPress files through a shared server, and your permissions grant write access to the world (public) identity, then there is nothing left to do but pray they are white hat!

2 – Disable the file editor

The file editor in the wp-admin dashboard is the perfect place to know just enough to be dangerous. The editor is so powerful, it can be a liability to keep active. While developers may use this when building customizations to the site, it’s not something that website owners need to keep active.

You can always turn it back on if there is a reason to use it, but it’s easy to overshoot and make major changes to a website’s code and themes that are hard to reverse. Not only can you accidentally break your site, but leaving this tool active makes it easy for hackers to install malware into plugins and themes and ruin your site. WordPress will also try to warn you the first time you click on it, and even suggest alternatives:

For the Plugin Editor:

WordPress Warning

For the Appearance Editor:


WordPress warning

How to disable the file editor:

  1. First, make sure you have a text editor handy. There are great free and open-source options like Visual Studio Code, Notepad ++, Atom, Bluefish, and Brackets.
  2. Navigate to the wp-config.php file location
  3. Select download so you can edit the wp-config.php file locally with your text editor and when done, reupload and replace, OR select edit and use the built-in editor.
  4. Search the wp-config.php file for define('DISALLOW_FILE_EDIT', and set its value to true
  5. If you can’t find the line, copy it from here: define('DISALLOW_FILE_EDIT', true); and paste it in towards the bottom
  6. Click Save
  7. Check the results. The editor links should no longer be clickable under appearance and plugins
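For sites you manage from a terminal rather than cPanel, the same change can be checked and applied with the script below. It is an added example, not code from the article, ManageWP or Sucuri, and assumes POSIX sh, grep and awk. It covers two things the seven steps leave to the reader: an existing define('DISALLOW_FILE_EDIT', false); is rewritten rather than duplicated, and a new line is inserted above the "That's all, stop editing!" marker that stock wp-config.php files carry, because a constant defined after wp-settings.php has been loaded has no effect. The wp-config.php contents in the demo are constructed, not a real site's file.

```shell
#!/bin/sh
# Added example (not from the article): check for, and enforce, DISALLOW_FILE_EDIT
# in a wp-config.php. Assumes POSIX sh, grep and awk. Sample wp-config.php
# contents used for testing are constructed, not from a real site.

# Succeeds (exit 0) only if the file has an active, uncommented
# define('DISALLOW_FILE_EDIT', true); in either quote style.
file_edit_disabled() {
  grep -Eq "^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)[[:space:]]*;" "$1"
}

# Make DISALLOW_FILE_EDIT true. An existing define line (true or false) is
# rewritten in place; otherwise the define is inserted above the stock
# "That's all, stop editing!" marker so it runs before wp-settings.php; if
# there is no marker either, the line is appended. Running it twice leaves
# exactly one define. The file is overwritten with cat rather than mv so its
# owner and mode (see the permissions section) are preserved.
disable_file_edit() {
  cfg=$1
  line="define( 'DISALLOW_FILE_EDIT', true );"
  tmp="$cfg.tmp"
  awk -v l="$line" -v q="'" '
    BEGIN { re = "^[ \t]*define[ \t]*\\([ \t]*[" q "\"]DISALLOW_FILE_EDIT[" q "\"]" }
    $0 ~ re {                        # existing define: replace it (keep only one)
      if (!done) { print l; done = 1 }
      next
    }
    /stop editing/ && !done {        # stock marker: insert the define above it
      print l; done = 1
    }
    { print }
    END { if (!done) print l }       # no define and no marker: append
  ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg" && rm -f "$tmp"
  file_edit_disabled "$cfg"
}

# Stand-alone usage: sh disable_file_edit.sh /path/to/wp-config.php
if [ -n "$1" ]; then
  if disable_file_edit "$1"; then
    echo "DISALLOW_FILE_EDIT is now true in $1"
  else
    echo "could not set DISALLOW_FILE_EDIT in $1" >&2
    exit 1
  fi
fi
```

After running it, step 7 above still applies: log in and confirm the editor links under Appearance and Plugins are gone, which proves the constant took effect where WordPress reads it.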

3 – Organize your access levels

Conclusion

The principle of least privilege makes sense. It makes employees more productive and more focused by only giving them access to what they need to do their jobs. It reduces the threat surface for cybersecurity attacks and hacks, and it makes data access easier to track in case of audits. Start with these three principles for your WordPress site but don’t let it end there. Contemplate how to expand the POLP philosophy into other areas of your company’s operations to improve security and integrity organization-wide.

Remember, less is always more!

We’d love to hear from you. What are your top tips for using the Principle of Least Privilege on WordPress or otherwise?

Allison Bondi

Allison Bondi is a marketing specialist for Sucuri. She joined the company in 2021. Allison's professional experience includes 10 years working for SaaS and Telecom companies on content strategy and development, customer experience, and thought leadership. When Allison isn't writing you can find her in her garden or brewing kombucha.

1 Comment

  1. Aarush

    Hey thank you for these tips! Do share more of such related content.


Over 65,000 WordPress professionals are already using ManageWP

Add as many websites as you want for free, no credit card required. Sign up and start saving time!

Have questions? Get in touch!
