Adds Leo Pate, application security consultant at nVisium: “Any plug-ins or templates used within WordPress should be from reputable sources and be kept up to date.”
What to Keep In Mind
The factors teams should take into account regarding those plug-ins and templates include when the plug-in was last updated, comments and reviews of the plug-in from developers and users, and how many times the plug-in has been downloaded, Pate says.
It’s critical for organizations to look at their WordPress environments holistically and apply rigorous security measures at every level, Pate adds.
In addition to keeping software up to date, “don’t run the WordPress server’s services as administrative users, default user credentials should be changed on the WordPress instance as well as the database credentials, and make sure the server only allows connections over TLSv1.2 or TLSv1.3,” he advises. “The ciphers used for those connections should provide perfect forward secrecy, and the domain should participate in certificate transparency.”
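The server-side measures in that quote map directly onto a handful of web-server directives. The following is an added example, not configuration from the article or from nVisium: two nginx server blocks for a WordPress site, the first (commented out) showing the legacy protocol and cipher settings the advice warns against, the second the hardened form. The hostname `wp.example.test`, the certificate paths, the document root and the php-fpm socket path are assumptions.

```nginx
# Added example (not from the article). Hostname, paths and socket are assumptions.

# Worker processes run as an unprivileged account, never root.
user www-data;

http {
    # --- Weak: legacy protocols and non-PFS key exchange allowed -------------
    # server {
    #     listen 443 ssl;
    #     server_name wp.example.test;
    #     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # TLS 1.0/1.1 still accepted
    #     ssl_ciphers HIGH:!aNULL:!MD5;          # admits static RSA key exchange, no PFS
    # }

    # --- Hardened: TLS 1.2/1.3 only, ephemeral key exchange only --------------
    server {
        listen 443 ssl;
        server_name wp.example.test;

        ssl_certificate     /etc/ssl/wp.example.test/fullchain.pem;
        ssl_certificate_key /etc/ssl/wp.example.test/privkey.pem;

        ssl_protocols TLSv1.2 TLSv1.3;
        # Every TLS 1.2 suite listed uses ECDHE, so a later compromise of the
        # server key does not expose recorded sessions (perfect forward secrecy).
        # TLS 1.3 suites are not configurable here and are all forward secret.
        ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
        ssl_prefer_server_ciphers off;
        ssl_ecdh_curve X25519:secp384r1;

        ssl_session_timeout 1d;
        ssl_session_cache shared:WPSSL:10m;
        ssl_session_tickets off;   # long-lived ticket keys would weaken forward secrecy

        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;

        root /var/www/wordpress;
        index index.php;

        location / {
            try_files $uri $uri/ /index.php?$args;
        }

        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            # The php-fpm pool behind this socket should likewise run as an
            # unprivileged user (user = www-data in the pool configuration).
            fastcgi_pass unix:/run/php/php-fpm.sock;
        }
    }

    # Plaintext requests are redirected to TLS rather than served.
    server {
        listen 80;
        server_name wp.example.test;
        return 301 https://$host$request_uri;
    }
}
```

Certificate transparency is not an nginx setting: the domain participates when its CA logs the certificate and embeds the resulting SCTs, which is standard practice for publicly trusted CAs today, and the logged certificates for a domain can be reviewed in a CT log search such as crt.sh. The database credentials the quote refers to live in the `DB_USER` and `DB_PASSWORD` constants of `wp-config.php` and should be a dedicated, least-privilege account rather than the database root user.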