Wordpress 800-53 Control Compliance

Wordpress and Enterprise Security Risk

Posted by ESR on Aug 19, 2019

Wordpress Security Control Analysis

The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, hereafter known as NIST SP 800-53, establishes information security standards and guidelines for federal information systems. NIST SP 800-53 guides federal agencies in documenting and implementing controls for information technology systems that support their operations and assets. These published guidelines cover many areas surrounding the following:

  • Access Control
  • Audit
  • Accountability
  • Incident Response and
  • System and Information Integrity

Each Agency is responsible for implementing the minimum-security requirements as outlined by NIST. Agencies are periodically scored to determine their compliance level. Results are presented to Congress. Poor performance can result in penalties of the financial and behavioral nature.

The use of WordPress.org as a web site builder has grown exponentially for small and medium sized companies. This open source software evolved from Automatic’s .com hosted blog build platform into a self-host website platform for creating visually appealing websites or apps. Could WordPress be modified to enfold an enterprise security risk management scheme?

In the initial installation, WordPress offers a base of security features; however, security capabilities can be expanded with the use of Plugins.  We include a common logging to make our results more interesting.  One concern is the Configuration Management controls supplied in the current WordPress CMS

Any other common useful plugins folks are using to address this security family or any others?  Send them to Ronathan (ronathan@esr-inc.com or Contact), ESR’s Security Analysis Bot. We would love to check them out.



AC-11, AC-7



SC-7 (8)






IA-4, IA-5 (1)




WP Security Audit Log



The information system:

a. Prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and

b. Retains the session lock until the user reestablishes access using established identification and authentication procedures.


A preventive measure WordPress offers is the account lock-out after a series of failed attempts. This sends a password reset to the email attached to the login name.


Presently, there is no plugin to block a user after several failed attempts for a period of time. There are plugins blocking IP addresses that are brute forcing the login mechanism. This approach is not the best when dealing with distributed attacks.


The information system:

a. Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and

b. Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded.


SC-7 (8)

The information system routes [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces.

Supplemental Guidance: External networks are networks outside of organizational control. A proxy server is a server (i.e., information system or application) that acts as an intermediary for clients requesting information system resources (e.g., files, connections, web pages, or services) from other organizational servers. Client requests established through an initial connection to the proxy server are evaluated to manage complexity and to provide additional protection by limiting direct connectivity. Web content filtering devices are one of the most common proxy servers providing access to the Internet. Proxy servers support logging individual Transmission Control Protocol (TCP) sessions and blocking specific Uniform Resource Locators (URLs), domain names, and Internet Protocol (IP) addresses. Web proxies can be configured with organization-defined lists of authorized and unauthorized websites.
Related to:
AC-3 AU-2


An available DNS Level Website Firewall:  This firewall will route your website traffic through their cloud proxy servers. This allows them to only send genuine traffic to your web server.


The organization:

a. Obtains administrator documentation for the information system, system component, or information system service that describes:

1. Secure configuration, installation, and operation of the system, component, or service;

2. Effective use and maintenance of security functions/mechanisms; and

3. Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;

b. Obtains user documentation for the information system, system component, or information system service that describes:

1. User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;

2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and

3. User responsibilities in maintaining the security of the system, component, or service;

c. Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and takes [Assignment: organization-defined actions] in response;

d. Protects documentation as required, in accordance with the risk management strategy; and

e. Distributes documentation to [Assignment: organization-defined personnel or roles].


The majority of the WordPress security configuration operations are limited to a single authorized administrator. Default settings for WordPress are continually evaluated at the core team level, and the WordPress core team provides documentation and best practices to tighten security for server configuration for running a WordPress site.


The organization manages information system identifiers by:

a. Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, or device identifier;

b. Selecting an identifier that identifies an individual, group, role, or device;

c. Assigning the identifier to the intended individual, group, role, or device;

d. Preventing reuse of identifiers for [Assignment: organization-defined time period]; and

e. Disabling the identifier after [Assignment: organization-defined time period of inactivity].


WordPress often provides direct object reference, such as unique numeric identifiers of user accounts or content available in the URL or form fields. While these identifiers disclose direct system information, WordPress rich permissions and access control system prevent unauthorized requests.

IA-5 (1)

The information system, for password-based authentication:

IA-5 (1)(a)

Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];

IA-5 (1)(b)

Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];

IA-5 (1)(c)

Stores and transmits only cryptographically-protected passwords;

IA-5 (1)(d)

Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];

IA-5 (1)(e)

Prohibits password reuse for [Assignment: organization-defined number] generations; and

IA-5 (1)(f)

Allows the use of a temporary password for system logons with an immediate change to a permanent password.

WordPress user account passwords are based on the Portable PHP Password Hashing Framework12. WordPress permission system is used to control access to private information such as a registered users PII, commenters email addresses, privately published content, etc. In WordPress 3.7, a password strength meter was included in the core software providing additional information to users setting their passwords and hints on increasing strength. WordPress also has an optional configuration setting for requiring HTTPS.


The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.

As a comprehensive, complete, and capable WordPress system wide activity audit event log solution, the WordPress Audit Event Log tells organizations that a post, a user profile, or an object was updated. This Log keeps a note of what was changed within the post, profile or object.