Securing WordPress

Securing WordPress has never been more important. Almost everybody assumes their site is too small to be worth attacking and therefore not vulnerable, but websites are attacked all the time, regardless of size. WordPress core is well maintained and promptly patched; your WordPress site may still be exposed, because weaknesses usually come from what you add to it (plugins, themes, widgets and so on) and from how it is configured. In this article we'll cover several ways websites are attacked and what you can do to secure your site. Fortunately, securing WordPress has never been easier.

Common Types of WordPress Attacks

1. Brute force attack

Unlike attacks that exploit a vulnerability in software, a brute force attack is the simplest way to gain access to a site: it tries username and password combinations over and over until one works. On the sites we manage we see this constantly. It is a very common type of attack, and attackers don't seem to care about the size or scope of the site.

2. SQL or PHP injection

SQL injection is a code injection technique that works when user input is placed into an SQL statement without proper escaping or parameter binding, so that characters such as quotes in the input are interpreted as part of the query rather than as data. It lives in the database layer of an application: wherever a query is assembled from unvalidated input, an attacker can change the queries sent to the back-end database and read, modify or delete data the query was never meant to touch. PHP injection is the same idea applied to code rather than queries: input that reaches eval() or an include path is executed as PHP.
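To make the difference concrete, here is an added example (not code from the article) of a WordPress username lookup written the unsafe way and the safe way. It assumes WordPress is loaded so that the global $wpdb object exists; the function names are hypothetical.

```php
<?php
// Added example: the same lookup with and without parameter binding.
// Assumes WordPress is loaded (global $wpdb). Function names are hypothetical.

// VULNERABLE: the username is interpolated straight into the SQL string.
// A login of   x' OR '1'='1   becomes part of the query and matches every user.
function find_user_unsafe( string $login ) {
    global $wpdb;
    $sql = "SELECT ID, user_login FROM {$wpdb->users} WHERE user_login = '$login'";
    return $wpdb->get_results( $sql );
}

// HARDENED: $wpdb->prepare() escapes the value and binds it as a string literal,
// so the same input is compared as plain text and matches no user.
function find_user_safe( string $login ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT ID, user_login FROM {$wpdb->users} WHERE user_login = %s",
        $login
    );
    return $wpdb->get_results( $sql );
}

// The same rule applies to numbers: bind with %d rather than interpolating,
// even when the value "should" already be an integer.
function find_post_safe( int $post_id ) {
    global $wpdb;
    return $wpdb->get_row(
        $wpdb->prepare(
            "SELECT ID, post_title FROM {$wpdb->posts} WHERE ID = %d",
            $post_id
        )
    );
}
```

Table names come from $wpdb (they are not user input), while every value that originates from a request goes through prepare(). When auditing a plugin, grep for $wpdb->query, get_results, get_row and get_var calls whose SQL is built with string concatenation or double-quoted variables; those are the places to check.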

3. Link Injection

One of the most common ways spammers obtain back links is to inject them into a forum post signature. Using known vulnerabilities in web sites, such as cross-site scripting and SQL injection, links can be injected into other sites' pages and hidden with CSS. Link injection is hard to notice because the injected links are often encoded or buried inside the software's legitimate output, and invisible to a visitor looking at the rendered page.
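Because the injected links are hidden from visitors, the practical check is to inspect the HTML rather than the rendered page. The following added example (not part of the article) scans a block of post HTML for anchors that are hidden by inline CSS, which is the usual tell. It is plain PHP with no WordPress dependency; the function name and the sample markup are constructed for the example.

```php
<?php
// Added example: find anchors hidden with inline CSS, a common sign of injected
// SEO links. Plain PHP (DOMDocument); no WordPress needed. Hypothetical helper name.

function find_hidden_links( string $html ): array {
    $doc = new DOMDocument();
    // Post content is rarely well-formed; suppress parser warnings and force UTF-8.
    @$doc->loadHTML( '<?xml encoding="UTF-8">' . $html );

    $hiding = '/display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?![.\d])|left\s*:\s*-\d{3,}px/';
    $found  = [];

    foreach ( $doc->getElementsByTagName( 'a' ) as $a ) {
        // The anchor itself or any ancestor may carry the hiding style, so walk up.
        for ( $node = $a; $node instanceof DOMElement; $node = $node->parentNode ) {
            $style = strtolower( $node->getAttribute( 'style' ) );
            if ( $style !== '' && preg_match( $hiding, $style ) ) {
                $found[] = $a->getAttribute( 'href' );
                break;
            }
        }
    }
    return $found;
}

// Constructed sample: one legitimate link and two injected ones.
$sample = '<p>Read our <a href="https://example.com/about">about page</a>.</p>'
        . '<div style="display:none"><a href="http://spam.example/pills">cheap pills</a></div>'
        . '<a style="position:absolute;left:-9999px" href="http://spam.example/casino">casino</a>';

print_r( find_hidden_links( $sample ) );
```

To run it over a real site, feed it the post_content of each row in the posts table (and the content of active theme and plugin files, where injected links also hide). It will not catch links written with JavaScript or placed in template files the parser never sees, so treat a clean result as one signal, not proof.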

Securing WordPress

Fortunately there are several free and paid plugins to help you secure WordPress. We use iThemes Security Pro in our maintenance plans and configure it to mitigate these and several other attacks. Here are a few things you can do to secure your site.

1. Keep WordPress core, themes and plugins up to date.

This is the most important thing you can do, and it is what many sites we see fail to do. Many updates to WordPress core, themes and plugins are security fixes, so it is really important to keep your site current.

2. Run full site backups regularly.

Regular backups are a must, and they should be stored on a remote server. If your site isn't too big you can use Dropbox for remote storage. Be sure to back up your entire site, including all themes, plugins, directories and databases. There are several backup plugins and services that will do this for you. It is also very advisable to ask your host about disk-based backups, and remember to read the fine print. We use BackupBuddy from iThemes. WordPress has its own backup feature in Jetpack that works well too. If you are running WordPress Multisite, Snapshot Pro from WPMU works pretty well as well.

3. Don't use "admin" as a username.

The majority of automated attacks assume the username 'admin', because early versions of WordPress defaulted to it. If you are still using this username, create a new administrator account, transfer all posts to that account, and demote 'admin' to subscriber (or delete it entirely). Bear in mind that usernames can often be discovered anyway, for example through author archive pages, so this cuts down the noise from automated tools rather than replacing a strong, unique password.

4. Hide your login page.

Hiding the login page (wp-login.php, wp-admin, and the /admin and /login redirects) makes it harder for automated attacks to find and lets you give users unfamiliar with the WordPress platform a friendlier address. It is obscurity rather than protection, so pair it with the other measures here. We do this with the iThemes Security Pro plugin. There are free plugins that do this; we just haven't used any closely enough to recommend one.

5. Limit the number of sign-in attempts.

Relying on a plugin to protect a site that is otherwise insecure is bad practice; plugins should complement the basics above, not replace them. That said, the Limit Login Attempts plugin is very useful: it blocks further login attempts from an address after too many failures, which stops brute force attacks in their tracks, and it can log the IPs that are failing to get in.
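The mechanism is simple enough to see in a few lines. The following added example (not the article's code and not the Limit Login Attempts plugin's code) is a must-use plugin that counts failed logins per client address in WordPress transients and refuses authentication for that address after a threshold. It assumes WordPress is loaded and that the server sees the client's real address; the thresholds and the elt_ names are assumptions for the example.

```php
<?php
/*
Plugin Name: Example Login Throttle
Description: Added example, not the article's or any plugin's code. Locks out a
client address after too many failed logins using transients. Drop into
wp-content/mu-plugins/ to load it automatically.
*/

const ELT_MAX_ATTEMPTS = 5;        // failures allowed before lockout (assumed)
const ELT_WINDOW       = 15 * 60;  // seconds the failure counter lives (assumed)
const ELT_LOCKOUT      = 30 * 60;  // seconds an address stays locked out (assumed)

// Assumption: the web server sees the client directly. Behind a proxy or CDN,
// read the address from the forwarding header your edge sets, never blindly.
function elt_client_ip(): string {
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function elt_key( string $prefix ): string {
    return $prefix . md5( elt_client_ip() );
}

// Count a failure; once the threshold is reached, start the lockout.
function elt_on_login_failed( string $username ): void {
    $attempts = (int) get_transient( elt_key( 'elt_fail_' ) ) + 1;
    set_transient( elt_key( 'elt_fail_' ), $attempts, ELT_WINDOW );

    if ( $attempts >= ELT_MAX_ATTEMPTS ) {
        set_transient( elt_key( 'elt_lock_' ), time(), ELT_LOCKOUT );
        delete_transient( elt_key( 'elt_fail_' ) );
        // Write the event where your log collection will see it.
        error_log( sprintf( 'login lockout: ip=%s user=%s', elt_client_ip(), $username ) );
    }
}
add_action( 'wp_login_failed', 'elt_on_login_failed' );

// Refuse authentication while locked out. Priority 30 runs after WordPress's own
// credential checks (priority 20), so a correct password cannot override the lock.
function elt_check_lockout( $user, string $username, string $password ) {
    if ( get_transient( elt_key( 'elt_lock_' ) ) !== false ) {
        return new WP_Error(
            'elt_locked_out',
            __( 'Too many failed login attempts from your address. Try again later.' )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'elt_check_lockout', 30, 3 );

// A successful login clears the counter for that address.
function elt_on_login_success( string $user_login, WP_User $user ): void {
    delete_transient( elt_key( 'elt_fail_' ) );
}
add_action( 'wp_login', 'elt_on_login_success', 10, 2 );
```

Because the check sits on the authenticate filter rather than on the login form, it also covers XML-RPC and REST logins, which brute force tools frequently use instead of wp-login.php. Attackers who rotate through many addresses will slip under a per-address counter; that is where the site-wide limits and IP logging of a dedicated plugin, or rate limiting at the web server or CDN, earn their keep.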

6. Hide your directories

Prevent public access to readme.html, readme.txt, wp-config.php, install.php, wp-includes and .htaccess, and turn off directory listings. These files reveal version and configuration details about your site and serve no purpose to the public once WordPress has been successfully installed.

7. Disable PHP execution in the uploads directory

Disable PHP execution in wp-content/uploads. Even if an attacker manages to get a PHP script into that directory, for instance through a vulnerable upload form, the web server will refuse to run it, which turns a shell upload into a harmless file. We do this with iThemes Security Pro, alongside the system file protection described in the previous step.
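For sites on Apache, steps 6 and 7 can be done without a plugin. The configuration below is an added example, not the article's or any plugin's output; it uses Apache 2.4 syntax (on 2.2, replace "Require all denied" with "Deny from all") and assumes mod_rewrite is enabled and that WordPress lives at the site root.

```apache
# --- /.htaccess (site root), Apache 2.4 syntax ---

# Refuse direct requests for files that leak version or configuration details.
<FilesMatch "^(wp-config\.php|readme\.html|readme\.txt|license\.txt|install\.php|\.htaccess)$">
    Require all denied
</FilesMatch>

# No directory listings anywhere under the site.
Options -Indexes

# Block direct requests for PHP files inside wp-includes. This is the ruleset from
# the WordPress "Hardening WordPress" guide; the [S=3] skips the three rules that
# follow when the request is not under wp-includes/.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

# --- /wp-content/uploads/.htaccess ---

# Refuse to serve (and therefore to execute) any PHP variant that lands in uploads.
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    Require all denied
</FilesMatch>
```

Place the root fragment above the block WordPress itself manages (between "# BEGIN WordPress" and "# END WordPress"), since WordPress rewrites that block on permalink changes. The wp-includes rules interfere with ms-files.php on older Multisite installs, so test media delivery after adding them. On nginx the equivalent is a location block that returns 403 for the same paths and a "location ~* /uploads/.*\.php$ { deny all; }" rule placed before the PHP handler.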

Of course this is only a partial list of things to do when securing WordPress. If you'd like to see a great presentation on WordPress security by Jesse Friedman at the Boston WordPress Meetup, it is available online.
