The principle of least privilege (POLP) states that a subject should be given only those privileges needed for it to complete its task. Because people are prone to error and vulnerable to manipulation, the fewer people with access, the better.
The majority of hacks use the vulnerabilities of human nature as their crowbar into websites.
Examples of these scenarios:
- Trust: Trusting a social engineering scheme via phone and revealing credentials, or falling for a targeted phishing email and downloading its attachment that is infected with malware
- Deal Seeker: Downloading a free premium theme or plugin that is injected with malware to avoid paying the full price.
- Laziness: People look for the path of least resistance. This means it is against our nature to create strong passwords, and a 2020 PCMag survey found that 35% of people never change their passwords at all.
- Revenge: According to the 2020 Verizon Data Breach Investigations Report (VDBR), 30% of all data breaches involved internal actors and 55% involved organized crime.
There are so many possible permutations of risk and motivation that lead to security compromise. The shortest path to a secure WordPress site is simply through removing as many users as possible and being privilege-picky with the ones you keep.
This article will take a look at three ways to put the Principle of Least Privilege into action on your WordPress site. So what can you do?
1 – Set WordPress file write access to only you!
In accordance with POLP, cut back on access wherever possible. As Napoléon Bonaparte once said, “If you want something done, do it yourself.” We agree. Restrict the write privilege access level of the WordPress files to just yourself, the site owner.
Here’s how to change the WordPress file permissions:
Navigate through cPanel or FTP to a root-level folder called public_html
Right-click on each folder and file and select change permissions
You will see three types of identities – user (you), group (coworkers on your website) and the world (public access), and 3 permissions, read, write and execute.
Each action is assigned a point value.
Read = 4
Write = 2
Execute = 1
Here is an example from WordPress of a 755 and a 666:
In the FTP or cPanel interface it will look a little more like this :
Note that the number that adds up to complete public access is 777. We do not recommend that you leave any file in a 777. In fact, there are some files that the owner should not have write access to other than the moment they need to make a change, but the setting should not stay open and even that setting would never be higher than a 767. It’s dangerous folders to leave in 777. Critical folders to
[…]
This article was written by Allison Bondi and originally published on ManageWP.