WordPress Security
Protecting WordPress from Insider Threats
Not all threats come from outside. Learn how to protect your WordPress site from internal risks including disgruntled employees, accidental data exposure, and privilege abuse.
S
Sarah Chen
8 min read
1,369 views
While external attacks get the most attention, insider threats—whether malicious or accidental—pose significant risks to WordPress sites. Employees, contractors, and former staff with access can cause serious damage. Building defenses against internal risks is essential.
Types of Insider Threats
- Malicious insiders - Intentional harm by current staff
- Accidental exposure - Unintentional data leaks
- Departed employees - Former staff with lingering access
- Compromised credentials - Staff accounts taken over
- Third-party access - Contractors and vendors
Principle of Least Privilege
Role-Based Access Control
// Create minimal custom roles
function create_minimal_roles() {
// Content writer - can only draft posts
add_role('content_writer', 'Content Writer', array(
'read' => true,
'edit_posts' => true,
'delete_posts' => false,
'publish_posts' => false
));
// Social media manager - limited to specific areas
add_role('social_manager', 'Social Media Manager', array(
'read' => true,
'edit_posts' => false,
'manage_social_posts' => true
));
// Customer support - no admin access
add_role('support_agent', 'Support Agent', array(
'read' => true,
'view_tickets' => true,
'respond_tickets' => true,
'access_admin' => false
));
}
// Remove unnecessary capabilities from default roles
function restrict_default_roles() {
$editor = get_role('editor');
$editor->remove_cap('unfiltered_html');
$editor->remove_cap('manage_categories');
$author = get_role('author');
$author->remove_cap('publish_posts');
}Restrict Admin Access
// Limit who can access wp-admin
function restrict_admin_access() {
if (is_admin() && !current_user_can('access_admin') && !wp_doing_ajax()) {
wp_redirect(home_url());
exit;
}
}
add_action('admin_init', 'restrict_admin_access');
// Hide admin bar for non-privileged users
function hide_admin_bar_for_users() {
if (!current_user_can('edit_posts')) {
show_admin_bar(false);
}
}
add_action('after_setup_theme', 'hide_admin_bar_for_users');Activity Monitoring
// Log all user actions
function log_user_activity($action, $details = array()) {
global $wpdb;
$log = array(
'user_id' => get_current_user_id(),
'action' => sanitize_text_field($action),
'object_type' => $details['object_type'] ?? '',
'object_id' => $details['object_id'] ?? 0,
'ip_address' => wpfs_get_client_ip(),
'timestamp' => current_time('mysql'),
'details' => wp_json_encode($details)
);
$wpdb->insert($wpdb->prefix . 'user_activity_log', $log);
}
// Track sensitive actions
add_action('profile_update', function($user_id) {
log_user_activity('user_profile_updated', array(
'object_type' => 'user',
'object_id' => $user_id
));
});
add_action('delete_user', function($user_id) {
log_user_activity('user_deleted', array(
'object_type' => 'user',
'object_id' => $user_id
));
});
add_action('added_option', function($option_name) {
if (strpos($option_name, 'password') === false) {
log_user_activity('option_added', array(
'option' => $option_name
));
}
});
// Alert on suspicious patterns
function detect_suspicious_behavior() {
global $wpdb;
// Check for unusual export activity
$exports = $wpdb->get_var($wpdb->prepare(
"SELECT COUNT(*) FROM {$wpdb->prefix}user_activity_log
WHERE action = 'data_export'
AND user_id = %d
AND timestamp > DATE_SUB(NOW(), INTERVAL 1 HOUR)",
get_current_user_id()
));
if ($exports > 5) {
alert_admin('Unusual export activity detected');
}
}Offboarding Procedures
// Immediate access revocation for departing employees
function revoke_user_access($user_id, $reason = 'departed') {
// Change password immediately
wp_set_password(wp_generate_password(32), $user_id);
// Destroy all sessions
$sessions = WP_Session_Tokens::get_instance($user_id);
$sessions->destroy_all();
// Remove all capabilities
$user = new WP_User($user_id);
$user->set_role('subscriber');
$user->remove_all_caps();
// Disable the account
update_user_meta($user_id, 'account_disabled', true);
update_user_meta($user_id, 'disabled_reason', $reason);
update_user_meta($user_id, 'disabled_date', current_time('mysql'));
// Log the action
log_user_activity('account_disabled', array(
'object_type' => 'user',
'object_id' => $user_id,
'reason' => $reason
));
// Notify admins
wp_mail(
get_option('admin_email'),
'User Access Revoked',
'Access has been revoked for user ID: ' . $user_id
);
}
// Prevent disabled accounts from logging in
function prevent_disabled_login($user, $username, $password) {
if (is_wp_error($user)) {
return $user;
}
if (get_user_meta($user->ID, 'account_disabled', true)) {
return new WP_Error(
'account_disabled',
'This account has been disabled.'
);
}
return $user;
}
add_filter('authenticate', 'prevent_disabled_login', 30, 3);Data Loss Prevention
// Prevent bulk data exports without approval
function restrict_data_exports($can_export, $post_type) {
// Only admins can export
if (!current_user_can('manage_options')) {
return false;
}
// Log the export
log_user_activity('data_export', array(
'post_type' => $post_type
));
return $can_export;
}
add_filter('export_args', 'restrict_data_exports', 10, 2);
// Alert on large downloads
function monitor_large_downloads($attachment_id) {
$file_size = filesize(get_attached_file($attachment_id));
if ($file_size > 10 * 1024 * 1024) { // 10MB
log_user_activity('large_file_download', array(
'file_id' => $attachment_id,
'file_size' => $file_size
));
}
}Best Practices
- Regular access reviews
- Immediate offboarding procedures
- Separation of duties
- Activity monitoring and alerting
- Background checks for sensitive roles
- Security awareness training
Conclusion
Insider threats require proactive controls—least privilege access, comprehensive monitoring, and clear offboarding procedures. Build security culture alongside technical controls to minimize internal risks.
S
Written by Sarah Chen
WP Folder Shield Team
