Five Steps to WordPress Security (with a Sixth Thrown in for Good Luck)

Editor’s note: This post was written by Andrew May, the owner of Mays Digital, a well-established web design agency in London, England. He has many years’ experience in website design and development and a passion for writing articles and tutorials related to this industry.

Being an incredibly popular content management system, WordPress is one of the main platforms designers and developers have to work on. It is way ahead of other CMSs such as Joomla and Drupal: W3Techs, who survey the technologies used across the web, have found that more than 60% of the websites whose CMS is known use WordPress as the underlying technology.

WordPress is also one of the technologies most targeted by hackers, often because poorly written plug-ins give them software vulnerabilities to exploit. For example, the 2014 SoakSoak attack, which used the RevSlider plug-in as its vector, resulted in well over 100,000 websites being compromised.

Hackers are really going for it at the moment and the number of cyber threats in general is increasing massively, so we need to be aware of the steps we can take to make sure our WordPress websites are protected.

The following areas show where you should concentrate your efforts in protecting your site. These are the places that are most vulnerable and most often used to exploit WordPress, either to compromise data or to carry out a denial of service (DoS) attack.

Here are five steps to WordPress security (and then some).

Area 1: Your admin and other user sign in security

This is a fundamental box to tick in terms of security. The WordPress login page is a well-known attack vector and brute force attacks are often used against this point of entry. A brute force attack is a remote, automated attack in which (usually) the wp-login.php file is targeted and many attempts at entering a username and password are made until, hey bingo, entry is gained.


There are a number of ways you can prevent this happening:

  1. Don’t use obvious usernames, such as ‘admin’.
  2. Use a strong password that has special characters and is a reasonable length (this adds ‘entropy’ to the password, making it harder to guess). However, hackers are really on the ball when it comes to passwords, and people tend to use common patterns when creating even seemingly strong passwords. Security specialists KoreLogic have an interesting article on this issue.
  3. Use 2nd-factor authentication: a credential entered after you’ve also entered your username and password. 2nd-factor authentication is great for preventing brute force and other authentication-based attacks. There are a number of plug-ins that let you use various forms of 2nd-factor authentication. For example, the DUO plug-in lets you set up a number of mobile-based authentication methods, such as SMS text codes and passcodes from the DUO mobile app.
  4. If you don’t like to use 2nd-factor authentication (and I admit, it can be a pain), then you could use a plug-in that applies a Captcha. An example of a Captcha that is fairly simple to use is a maths-based Captcha plug-in such as Math Captcha. A Captcha also helps to prevent brute force attacks, but it doesn’t prevent more individually targeted attacks.
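Whichever of the above you choose, it helps to know when the login page is being hammered. The following is an added example, not code from the original post: a small PHP script that counts failed wp-login.php POSTs per client address in a web server access log. The log lines are constructed, and the threshold of five is an assumption you would tune to your own traffic.

```php
<?php
// Added example (not from the original post): spot brute-force attempts on
// wp-login.php in a web server access log. A failed WordPress login re-renders
// the form with HTTP 200; a successful one redirects (302) to wp-admin, so
// repeated "POST /wp-login.php" + 200 from one address is the signature to count.
declare(strict_types=1);

// Constructed sample log lines in Apache "combined" format (not real traffic).
$sample_log = <<<'LOG'
203.0.113.7 - - [11/May/2015:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1432 "-" "curl/7.38"
203.0.113.7 - - [11/May/2015:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1432 "-" "curl/7.38"
203.0.113.7 - - [11/May/2015:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1432 "-" "curl/7.38"
203.0.113.7 - - [11/May/2015:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1432 "-" "curl/7.38"
203.0.113.7 - - [11/May/2015:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1432 "-" "curl/7.38"
198.51.100.20 - - [11/May/2015:10:05:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.20 - - [11/May/2015:10:05:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [11/May/2015:10:05:31 +0000] "GET /wp-admin/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
LOG;

// Count failed login POSTs (status 200) per client IP.
function count_failed_logins(string $log): array
{
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "POST \/wp-login\.php[^"]*" (\d{3}) /';
    $failed = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (preg_match($re, $line, $m) && $m[2] === '200') {
            $failed[$m[1]] = ($failed[$m[1]] ?? 0) + 1;
        }
    }
    return $failed;
}

// Return the IPs at or above the threshold (assumed value), worst offender first.
function flag_brute_force(array $failed, int $threshold = 5): array
{
    $hits = array_filter($failed, fn (int $n): bool => $n >= $threshold);
    arsort($hits);
    return $hits;
}

foreach (flag_brute_force(count_failed_logins($sample_log)) as $ip => $n) {
    printf("%s: %d failed wp-login.php POSTs - candidate for blocking\n", $ip, $n);
}
```

Run against a real log, only 203.0.113.7 would be reported here; the legitimate user at 198.51.100.20 logged in once and is ignored.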

Area 2: Keeping your plug-ins and WordPress patched

Hackers use vulnerabilities in software to carry out intrusions on WordPress sites. Plug-ins have the same sorts of vulnerabilities, so being aware of issues and making sure that you promptly patch your plug-ins is a crucial part of your WordPress security housekeeping.

WordPress is very susceptible to cross-site scripting (XSS) attacks, and many WordPress plug-ins have made WordPress susceptible to this type of attack. A recent analysis (April 2015) by security researchers Sucuri found that many of the most popular WordPress plug-ins are vulnerable to XSS. The list of those affected can be found here.

XSS attacks can also be carried out using WordPress comments. As well as exploiting vulnerabilities in plug-ins, a hacker can mount an XSS attack on a WordPress site by putting executable JavaScript in a comment. This JavaScript then gets executed when it is sent back to the browser, i.e. when the comment is subsequently displayed.

There are two ways this can be prevented. The first and least effective is to filter the comment so that the JavaScript is never sent to the browser. However, this can fail if a hacker encodes or obfuscates the JavaScript so that the filter doesn’t recognise it, and some of these filters are so badly written that they simply don’t work. The second and more effective way is to encode (escape) the output to the browser so that it goes out in a form the browser won’t execute. The only issue here is that even escaping can be problematic if you allow HTML in comments, since you then have to decide which markup to let through. An excellent post by the WordPress team on ‘output escaping’ can be read here.
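The two approaches just described, side by side, as an added example that is not from the original post: a naive blacklist filter beside output escaping with PHP’s htmlspecialchars() (in WordPress, esc_html() does the same job). The comments are constructed test data.

```php
<?php
// Added example (not from the original post): the two approaches described above
// side by side. Plain PHP only; in WordPress esc_html() performs the same job as
// escape_output() below.
declare(strict_types=1);

// Approach 1 (least effective): a blacklist filter applied on the way in.
// It only knows about one spelling of one tag.
function naive_filter(string $comment): string
{
    return str_replace('<script>', '', $comment);
}

// Approach 2 (more effective): escape on the way out so the browser treats the
// whole comment as text. <, >, &, " and ' all become entities.
function escape_output(string $comment): string
{
    return htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Would the browser still see an HTML tag in what we are about to send?
function still_has_tag(string $rendered): bool
{
    return preg_match('/<[a-z\/]/i', $rendered) === 1;
}

// Constructed comments. Only the first matches the filter's blacklist exactly;
// a different case or an extra attribute is enough to slip past it.
$comments = [
    'Great post! <script>alert(1)</script>',
    'Great post! <SCRIPT>alert(1)</SCRIPT>',
    'Great post! <script type="text/javascript">alert(1)</script>',
];

foreach ($comments as $c) {
    $filtered = naive_filter($c);
    $escaped  = escape_output($c);
    printf("filter : %s -> %s\n", $filtered, still_has_tag($filtered) ? 'TAG LEFT IN' : 'clean');
    printf("escape : %s -> %s\n\n", $escaped, still_has_tag($escaped) ? 'TAG LEFT IN' : 'clean');
}
```

Every escaped line comes out clean because no raw `<` survives, while the filtered lines still carry markup the browser would parse.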

WordPress itself has recently been found to be vulnerable to XSS, with a zero-day vulnerability in WordPress 4.2, 4.1.2, 4.1.1 and 3.9.3. Again this attack centred on using comment fields to inject JavaScript. WordPress has released a patch for this in version 4.2.1, so make sure you’ve got that version.

As well as patching plug-ins and WordPress itself, make sure you’re running the latest versions of PHP and any database software, such as MySQL; if in doubt, patch.

Area 3: Themes and keeping them secure

Themes are another way attacks can come in, so always be careful where you get your WordPress theme. Free themes are abundant, but they are also a great way for hackers to get malicious code into your site. Beware of the origins of a theme: you are best off sticking to the WordPress recommended themes or creating one yourself.

Another way hackers can gain control of your site is by using the built-in plug-in and theme editor to upload malicious code or their own malware-ridden theme. WordPress has some good advice on how to disable this feature and so remove it as an attack vector.

You can also get plug-ins that check themes for security robustness, an example being Theme Check.

When coding you really must practise secure coding techniques; SpyreStudios has an excellent article on secure coding techniques for PHP that help minimise security vulnerabilities from the outset.

Area 4: Preventing Denial of Service Attacks

Denial of service (DoS) attacks result in a website being crashed by a hacker. In 2014, Sucuri found that 162,000 legitimate WordPress sites had been used in a botnet-based distributed DoS (DDoS) attack. The attack utilised the Pingback function in WordPress via the XML-RPC API. However, it has proven tricky to disable XML-RPC altogether without severely affecting many plug-ins, such as Jetpack, that depend on it.

You can disable pingback requests specifically by adding the line shown below to your functions.php file, inside the callback you register with add_filter:

unset( $methods['pingback.ping'] );
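The same idea as a complete functions.php snippet, as an added example that is not from the original post. It hooks the WordPress filters xmlrpc_methods, wp_headers and pings_open to switch off pingbacks while leaving the rest of XML-RPC (which Jetpack relies on) working.

```php
<?php
// Added example (not from the original post): a functions.php snippet that removes
// the pingback handlers from the XML-RPC server while leaving the rest of XML-RPC
// (which plug-ins such as Jetpack rely on) in place.

// 1. Drop the pingback methods from the XML-RPC method table, so a request for
//    pingback.ping gets a "method not found" response instead of being served.
add_filter( 'xmlrpc_methods', function ( array $methods ): array {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 2. Stop advertising the XML-RPC endpoint in the X-Pingback response header,
//    which is how clients discover it in the first place.
add_filter( 'wp_headers', function ( array $headers ): array {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 3. Tell WordPress that no post accepts pings, so a pingback would be refused
//    even if the method were somehow reached.
add_filter( 'pings_open', '__return_false' );
```

After adding this, a test XML-RPC call to pingback.ping should be rejected while other methods (and Jetpack) continue to work, which you can confirm from your access log.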

Alternatively, you can use a Web Application Firewall (WAF), which can prevent this type of attack as well as others; I’d recommend using one as a fundamental of WordPress security. You can also get plug-ins that specifically disable the pingback method in XML-RPC, an example being XML-RPC Pingback.

As an aside, you can find out whether your website was part of the DDoS attack using this DDoS scanner.

Area 5: Specific Security Plug-ins and Coding

As we’ve discussed, there are many attack vectors within the WordPress platform that can be exploited by hackers. One way you can help mitigate this is to use a security plug-in. As mentioned previously, a WAF is a good starting point for security; an example is Ninja Firewall.

And Finally: Audit, back up and back up again

Getting security completely right is something that even the experts can’t manage. It’s realistic, not fatalistic, to assume that you may at some point be hacked, so back up your data and files regularly. In addition, you should have good auditing in place, so that if things do go badly you can at least work out what went wrong and stop it happening again.

There are many good security audit plug-ins that will monitor your site and alert you to any security issues; an example is WP Security Audit Log.

There are also many backup plug-ins that can be used for WordPress website backups. You’ll need to research which one is right for you, but whichever you choose, do the backups regularly, so that if you do get hacked you at least have all of your files and data to rebuild from.


The post Five Steps to WordPress Security (with a Sixth Thrown in for Good Luck) appeared first on SpyreStudios.