WordPress is a dynamic open-source content management system which is used to power millions of websites, web applications, and blogs. It currently powers more than 23% of the top 10 million websites on the Internet.
Is WordPress an insecure platform?
WordPress is a secure platform, but can be made insecure by user activities.
The main things that cause security problems are:
1. Weak usernames and passwords.
2. Plugins and themes with vulnerabilities.
3. Not keeping the software up to date. This includes the WordPress core files, plugins and themes.
Why hackers hack.
1. To deface or break a site they disagree with.
2. To steal data.
3. To insert malware.
4. To send spam email from your domain.
5. For SEO purposes (hidden links and redirects that boost another site).
Common types of vulnerability
1. Injection – an attacker injects code (SQL, PHP or shell commands) into the system, which lets them run commands or read data without proper authorisation.
2. Authentication issues – weaknesses that let attackers obtain passwords, keys or session tokens, and so assume a user's identity.
3. Cross-site scripting – untrusted input is sent to a browser without validation or escaping, which lets an attacker hijack a user's session, deface the website or redirect visitors to malicious websites.
Backups
A WordPress site consists of two main parts:
1. The Database, which stores the website content.
2. The Files, which include WordPress itself, plugins, themes and settings.
Backups can be:
1. Partial Backup – a backup of the database only. A plugin such as WP-DBManager backs up the database automatically on a schedule and can email the dump to you.
2. Complete Backup – a backup of the database together with the files (WordPress itself, themes, plugins and settings). Commercial tools like WP-Twin create and restore exact mirror images of the website, but are expensive. Cheaper and free alternatives exist, but test that a backup actually restores before relying on it.
There are a lot of WordPress security plugins, for example:
1. All in One WP Security & Firewall
2. Shield WordPress Security
3. Sucuri Security
Use strong passwords
* WordPress has a password strength indicator to help you gauge how strong a password is.
* Don’t use real words, names, birthdates, etc. Passwords should be totally random.
* Never use the same password for more than one login or site.
* Use at least 12 characters, mixing upper and lower case letters, numbers and symbols.
* Use a password manager such as RoboForm or 1Password, so that every password can be long and random without having to remember it.
Do not use the default username "admin". It hands an attacker half of what they need to log in, so brute-force tools try it first. Pick something less obvious, but note that WordPress only allows letters, numbers and a few punctuation characters (space, _ . - * @) in usernames, so a username cannot be made as random as a password, and that usernames are not secret anyway: author archive URLs and the REST API user listing reveal them. Treat a non-default username as a small hurdle, not as a control in itself.
Check the URL
Make sure you are signing in at your own URL. Attackers can copy the WordPress login page onto a look-alike domain, or redirect your domain to one they control, and if you enter your username and password there they have them. Check the address bar and the certificate before you log in, and use a bookmark rather than a link from an email.
Disable PHP error reporting
WordPress runs a lot of PHP code, and plugins and themes add more. When some of that code is incompatible with your web server or PHP version, PHP generates an error, and if error display is turned on that error is printed on the page for every visitor to see.
These messages include information that is useful to an attacker, such as the full server path of the failing file and the names of the plugins in use. Turning error display off keeps that information from outside eyes; keep logging on so you can still read the errors yourself in the server's error log.
Error display is turned off with a few settings in the wp-config.php file (WP_DEBUG and the display_errors PHP setting).
Disable file editor
The file editor (Appearance > Theme File Editor and Plugins > Plugin File Editor) lets anyone with administrator access edit the PHP files of themes and plugins from the dashboard. If an attacker gets into the dashboard, it gives them a ready-made way to write PHP to the server, turning a stolen admin password into code execution and a persistent backdoor.
The editor is disabled with a single constant (DISALLOW_FILE_EDIT) in the wp-config.php file.
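The wp-config.php settings that implement the two points above (error display off, file editor off) are shown here as an added example; this is not code from the original page. The constant names are WordPress's own; the placement advice assumes the standard wp-config.php layout.

```php
<?php
// wp-config.php hardening excerpt. Added example, not code from the original
// page. Place these lines above the "That's all, stop editing!" comment in
// wp-config.php; the constant names are WordPress's own.

// --- Disable PHP error reporting on screen -------------------------------
// WP_DEBUG off: WordPress lowers error_reporting() and plugin/theme notices
// are not raised at all.
define( 'WP_DEBUG', false );
// Even if WP_DEBUG is ever switched on, never print errors into the page.
define( 'WP_DEBUG_DISPLAY', false );
// WordPress only touches display_errors when WP_DEBUG is on, so with
// WP_DEBUG off the php.ini value rules. Set it explicitly rather than hope.
@ini_set( 'display_errors', '0' );
// Keep errors in the server's PHP error log so you can still read them.
@ini_set( 'log_errors', '1' );

// --- Disable the theme and plugin file editor ---------------------------
// Removes the editor pages from the dashboard and makes the underlying
// capability checks fail, so a stolen administrator login cannot write PHP
// through the browser.
define( 'DISALLOW_FILE_EDIT', true );
```

After saving, load a page that previously showed a warning and confirm it is now blank there and present in the PHP error log; then check that the Appearance and Plugins menus no longer offer an Editor item.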
Be careful with the content of posts and pages.
Adding new users
* In the general settings, make sure “Anyone can register” is turned OFF unless you need this feature. By default it is OFF.
* When adding a new user, assign the lowest role that gives them what they need (Subscriber, Contributor, Author, Editor, Administrator, in increasing order of power). Only someone who has to install plugins or change settings needs to be an Administrator.
* Only allow strong passwords, with upper and lower case characters, numbers and symbols.
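WordPress only shows a strength meter; it does not refuse weak passwords by itself. The must-use plugin below is an added example, not code from the page, that enforces the password rules given above (at least 12 characters, mixed case, digits, symbols, and not containing the username) wherever a password is set: the profile screen, the add-user screen and the reset-password form. The `wpx_` names, the 12-character minimum and the file name are assumptions of this example; the hooks `user_profile_update_errors` and `validate_password_reset` and the `pass1` form field are WordPress's own.

```php
<?php
/**
 * Plugin Name: Password Policy (added example)
 * Description: Rejects weak passwords on profile updates, new-user creation
 *              and password resets. Save as wp-content/mu-plugins/password-policy.php.
 */

// Assumed policy value, not from the original page.
const WPX_MIN_LENGTH = 12;

/**
 * Returns a human-readable problem with the password, or '' if it passes.
 * Rules: >= WPX_MIN_LENGTH characters, upper + lower case, a digit, a symbol,
 * and the username must not appear inside it.
 */
function wpx_password_problem( string $password, string $username = '' ): string {
    if ( strlen( $password ) < WPX_MIN_LENGTH ) {
        return 'Password must be at least ' . WPX_MIN_LENGTH . ' characters.';
    }
    if ( ! preg_match( '/[a-z]/', $password ) || ! preg_match( '/[A-Z]/', $password ) ) {
        return 'Password must contain both upper and lower case letters.';
    }
    if ( ! preg_match( '/[0-9]/', $password ) ) {
        return 'Password must contain a number.';
    }
    if ( ! preg_match( '/[^a-zA-Z0-9]/', $password ) ) {
        return 'Password must contain a symbol.';
    }
    if ( $username !== '' && stripos( $password, $username ) !== false ) {
        return 'Password must not contain the username.';
    }
    return '';
}

// Profile edits and admin-created users post the new password as "pass1".
// $errors is the WP_Error that the screen displays; adding to it aborts the save.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( empty( $_POST['pass1'] ) ) {
        return; // no password change in this submission
    }
    $problem = wpx_password_problem( (string) $_POST['pass1'], (string) ( $user->user_login ?? '' ) );
    if ( $problem !== '' ) {
        $errors->add( 'weak_password', $problem );
    }
}, 10, 3 );

// The reset form (wp-login.php?action=rp) also posts "pass1"; $user may be a
// WP_Error when the reset key is invalid, so only read the login from a WP_User.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( empty( $_POST['pass1'] ) ) {
        return;
    }
    $login   = ( $user instanceof WP_User ) ? $user->user_login : '';
    $problem = wpx_password_problem( (string) $_POST['pass1'], $login );
    if ( $problem !== '' ) {
        $errors->add( 'weak_password', $problem );
    }
}, 10, 2 );
```

Because the check runs server-side in the save path, it also catches passwords set through the REST API users endpoint only if that path goes through these hooks; it does not, so combine this with a strong policy for anyone who has REST or application-password access.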
Plugins and themes
* Only use trusted sources. The most trusted source is the WordPress plugin repository.
* Never use a plugin that redirects you to another website.
* Use as few plugins as possible and keep them up to date.
* If you deactivate a plugin, delete it; a deactivated plugin's files stay on disk and can still be requested directly and exploited.
* Only use themes from trusted sites such as the WordPress theme repository.
* Don't use themes that add a footer link to some other website; such links are often obfuscated and used for spam SEO.
* Always keep plugins and themes up to date and install upgrades as soon as possible.
Comments
* Moderate comments manually and approve only genuine ones.
* Use a spam filter.
* Don't approve comments with keyword-rich text in the name field.
* Don't approve comments with links in the body unless the links are useful.
Limit login attempts
* One technique attackers use against a website is the "brute force" attack: software tries thousands of username and password combinations against the login form (and against xmlrpc.php, which accepts the same credentials).
* Limit login attempts to a reasonable number and lock out the source (IP address, username or both) after that many wrong credentials, for a period that grows with repeated failures.
* Plugins like All in One WP Security & Firewall can limit login attempts for you.
Two-factor authentication
Two-factor authentication adds a good level of security to the website. After the username and password are accepted (first factor), the user must also enter a one-time code (second factor), typically generated by an authenticator app on their phone (TOTP) or sent to their registered mobile number by SMS. A stolen password alone is then not enough to log in.
There is a WordPress plugin called "google-authenticator" that implements TOTP-based two-factor authentication. Check that whichever plugin you use also covers XML-RPC logins, which cannot prompt for a second factor and are otherwise left as a way around it.
Protect the login page
* The login page is the gateway to the WordPress dashboard.
* There are many ways to protect the login page: allowing access only from your own IP address, moving or renaming the login page, putting HTTP basic authentication in front of it, and so on. Renaming the page only hides it from untargeted scanners; an IP restriction is only practical with a fixed IP address or a VPN, otherwise you will lock yourself out.
* The All in One WP Security & Firewall plugin can do this for you.
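The must-use plugin below is an added example covering both sections above (limiting login attempts, and restricting the login page to known IP addresses); it is not code from the page or from the All in One plugin. The thresholds, the `wpx_` names and the empty allow-list are assumptions of this example. It stores its counters in WordPress transients, which expire on their own, and hooks `wp_login_failed`, `authenticate`, `wp_login` and `login_init`, all of which are WordPress's own.

```php
<?php
/**
 * Plugin Name: Login Hardening (added example)
 * Description: Locks an IP out after repeated failed logins and optionally
 *              restricts wp-login.php to an allow-list of IP addresses.
 *              Save as wp-content/mu-plugins/login-hardening.php.
 */

// Policy values: assumptions of this example, tune them for your site.
const WPX_MAX_ATTEMPTS    = 5;     // failures allowed inside the window
const WPX_WINDOW_SECONDS  = 900;   // failures are counted over 15 minutes
const WPX_LOCKOUT_SECONDS = 3600;  // lockout lasts 1 hour
const WPX_LOGIN_ALLOWLIST = [];    // e.g. [ '203.0.113.10' ]; empty = no IP restriction

/** Client address. Only REMOTE_ADDR is trusted: X-Forwarded-For is caller-controlled
 *  unless a reverse proxy in front of PHP overwrites it (handle that at the proxy). */
function wpx_client_ip(): string {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

/** Transient names are hashed so any IP format fits the option-name length limit. */
function wpx_transient_key( string $what, string $ip ): string {
    return 'wpx_' . $what . '_' . md5( $ip );
}

/** Record one failure; returns the new count and starts a lockout at the threshold. */
function wpx_record_failure( string $ip ): int {
    $count = (int) get_transient( wpx_transient_key( 'fail', $ip ) ) + 1;
    set_transient( wpx_transient_key( 'fail', $ip ), $count, WPX_WINDOW_SECONDS );
    if ( $count >= WPX_MAX_ATTEMPTS ) {
        set_transient( wpx_transient_key( 'lock', $ip ), time(), WPX_LOCKOUT_SECONDS );
    }
    return $count;
}

function wpx_is_locked( string $ip ): bool {
    return false !== get_transient( wpx_transient_key( 'lock', $ip ) );
}

// 1. Count failures. Both wp-login.php and XML-RPC logins go through
//    wp_authenticate(), which fires this hook, so they share one counter.
add_action( 'wp_login_failed', function ( $username ) {
    wpx_record_failure( wpx_client_ip() );
} );

// 2. Refuse authentication while locked. Priority 30 runs after core's own
//    username/password check (priority 20); at a lower priority core would
//    overwrite this error when the credentials are correct. Empty usernames are
//    skipped so merely loading the login form is not counted as an attempt.
//    Each attempt while locked fails, fires wp_login_failed and extends the lock.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( $username && wpx_is_locked( wpx_client_ip() ) ) {
        return new WP_Error( 'wpx_locked', 'Too many failed logins. Try again later.' );
    }
    return $user;
}, 30, 3 );

// 3. A successful login clears the failure counter for that address.
add_action( 'wp_login', function () {
    delete_transient( wpx_transient_key( 'fail', wpx_client_ip() ) );
} );

// 4. Optional allow-list: refuse to serve the login page to other addresses.
add_action( 'login_init', function () {
    if ( WPX_LOGIN_ALLOWLIST && ! in_array( wpx_client_ip(), WPX_LOGIN_ALLOWLIST, true ) ) {
        wp_die( 'Login is not available from your network.', 'Forbidden', [ 'response' => 403 ] );
    }
} );
```

Keying the lockout on the IP address is deliberate: keying on the username would let an attacker lock the real administrator out at will. Behind a CDN or load balancer every visitor shares a few addresses, so configure the proxy to pass the real client address to PHP before enabling this.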
Database table prefix
* WordPress stores the site content, user data and settings in a MySQL (or MariaDB) database. On every install the table names are the same, because they all start with the same prefix.
* By default WordPress uses the prefix "wp_", so the tables are called wp_users, wp_options and so on.
* Automated SQL injection tools and mass-exploitation scripts assume the "wp_" prefix. A custom prefix defeats those, but only those: an attacker who already has a working injection can read the real table names from information_schema, so treat the prefix as obscurity rather than a control.
* The prefix is the $table_prefix variable in wp-config.php and is best chosen at install time; many one-click installers expose it under their advanced options, for example:
Advanced options ==> Table prefix ==> Change prefix
Changing the prefix on an existing site means renaming every table and updating the prefixed option and user meta keys (wp_user_roles, wp_capabilities, wp_user_level), which security plugins such as All in One WP Security & Firewall automate.
WordPress security keys
Security keys are used to sign the authentication cookies stored in a visitor's browser (and the nonces in forms and URLs), so that cookies cannot be forged or tampered with. There are eight of them (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and the four matching salts), stored in the wp-config.php file. Automated installers generate random keys when WordPress is installed; if you install by hand, fetch fresh values from https://api.wordpress.org/secret-key/1.1/salt/ and never leave the "put your unique phrase here" placeholders in place (WordPress then falls back to salts stored in the database, so a database dump leaks them as well). The keys do not encrypt passwords, which are stored as salted hashes; changing the keys invalidates every existing login cookie, which is a quick way to log all users out after a suspected compromise.
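As an added example (not code from the page), the script below generates a fresh set of the eight keys offline, as an alternative to the wordpress.org salt service, and checks an existing wp-config.php for keys still set to the placeholder. The file name, the `wpx_` names and the 32-character "too short" threshold are assumptions; the regular expression assumes the single-quoted `define( 'NAME', 'value' );` form used by wp-config-sample.php.

```php
<?php
// Added example, not code from the original page: generate security keys
// offline (alternative to https://api.wordpress.org/secret-key/1.1/salt/) and
// check an existing wp-config.php for keys left at the sample placeholder.
// Usage (assumed file name): php wp-keys.php [path/to/wp-config.php]

const WPX_KEY_NAMES = [
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];
const WPX_PLACEHOLDER = 'put your unique phrase here';

/** 64 characters from a CSPRNG. The alphabet excludes the quote and backslash
 *  so the value can be dropped into a single-quoted PHP string unchanged. */
function wpx_random_key( int $length = 64 ): string {
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
              . '!@#$%^&*()-_=+[]{};:,.<>?/|~';
    $key = '';
    $max = strlen( $alphabet ) - 1;
    for ( $i = 0; $i < $length; $i++ ) {
        $key .= $alphabet[ random_int( 0, $max ) ];
    }
    return $key;
}

/** The eight define() lines, ready to replace the block in wp-config.php. */
function wpx_key_block(): string {
    $lines = '';
    foreach ( WPX_KEY_NAMES as $name ) {
        $lines .= sprintf( "define( '%s', '%s' );\n", $name, wpx_random_key() );
    }
    return $lines;
}

/** Names of keys that are missing, still the placeholder, or suspiciously short.
 *  Only the single-quoted define() form from wp-config-sample.php is recognised. */
function wpx_weak_keys( string $config_source ): array {
    $weak = [];
    foreach ( WPX_KEY_NAMES as $name ) {
        $pattern = "/define\(\s*'" . $name . "'\s*,\s*'([^']*)'\s*\)/";
        if ( ! preg_match( $pattern, $config_source, $m )
             || $m[1] === WPX_PLACEHOLDER
             || strlen( $m[1] ) < 32 ) {
            $weak[] = $name;
        }
    }
    return $weak;
}

if ( PHP_SAPI === 'cli' ) {
    if ( isset( $argv[1] ) ) {
        $weak = wpx_weak_keys( (string) file_get_contents( $argv[1] ) );
        echo $weak
            ? 'Weak or missing keys: ' . implode( ', ', $weak ) . "\n"
            : "All eight keys are set to non-placeholder values.\n";
    }
    echo "\n" . wpx_key_block();
}
```

Run it against the live wp-config.php after every migration or restore, since copying a site from a staging template is the usual way placeholder keys end up in production.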
XML-RPC
* XML-RPC is an API (a programming interface, served by xmlrpc.php) that lets applications interact with WordPress remotely: publish posts, list users, accept pingbacks.
* Since WordPress 3.5 XML-RPC has been enabled by default, and disabling it prevents applications from using the API to interact with WordPress.
* Disabling it can break things: Jetpack, some mobile and desktop publishing clients and a few plugins rely on XML-RPC. It is also a favourite brute-force target, because it accepts a username and password on every call and its system.multicall method lets one request carry hundreds of login attempts.
* Security plugins such as All in One WP Security & Firewall offer an option to disable it (Akismet is a spam filter and does not). Alternatively, block xmlrpc.php at the web server, or keep the API and disable only the dangerous methods.
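The must-use plugin below is an added example, not code from the page or from any of the plugins it names, showing both options: switching XML-RPC off completely, or keeping it for Jetpack and publishing clients while removing the methods most abused for brute force and pingback attacks. The `WPX_DISABLE_XMLRPC` switch and the file name are assumptions; the `xmlrpc_enabled`, `xmlrpc_methods` and `wp_headers` filters and the `rsd_link` action are WordPress's own.

```php
<?php
/**
 * Plugin Name: XML-RPC Control (added example)
 * Description: Either switches XML-RPC off completely or keeps it for Jetpack
 *              and publishing clients while removing the methods most abused
 *              for brute force. Save as wp-content/mu-plugins/xmlrpc-control.php.
 */

// Assumed switch for this example: true = no XML-RPC at all.
const WPX_DISABLE_XMLRPC = false;

if ( WPX_DISABLE_XMLRPC ) {
    // 'xmlrpc_enabled' is only consulted by the server's login() routine, so on
    // its own it blocks the methods that need a username and password but
    // leaves unauthenticated ones such as pingback.ping reachable. Emptying the
    // method table as well makes every call fail with "method not found".
    add_filter( 'xmlrpc_enabled', '__return_false' );
    add_filter( 'xmlrpc_methods', '__return_empty_array' );
} else {
    // Keep the API but remove:
    //  - system.multicall: packs many wp.getUsersBlogs login attempts into one
    //    HTTP request, so per-request limits see one attempt instead of hundreds;
    //  - pingback.ping and its extension: make the server fetch a URL chosen by
    //    the caller, which is abused for reflected DDoS and internal scanning.
    add_filter( 'xmlrpc_methods', function ( array $methods ): array {
        unset(
            $methods['system.multicall'],
            $methods['pingback.ping'],
            $methods['pingback.extensions.getPingbacks']
        );
        return $methods;
    } );
}

// Stop advertising the endpoint: drop the X-Pingback response header and the
// RSD discovery <link> that point clients (and scanners) at xmlrpc.php.
add_filter( 'wp_headers', function ( array $headers ): array {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );
```

To verify, POST a `system.listMethods` call to xmlrpc.php: with the switch off, the response should no longer list system.multicall or pingback.ping; with it on, every call should return a fault. Hiding the discovery header does not remove the file, so scanners that guess the path still find it; the method filters are the control, the header removal only reduces noise.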
Check out web host
* Check that the web host runs supported, current versions of PHP and MySQL. Updates usually include security fixes, and end-of-life PHP versions receive none.
* Make sure backups are taken and the server is maintained properly. A well-maintained server is far more likely to resist attacks.
Protect wp-config.php
This file contains sensitive information, including the credentials for your WordPress database and the security keys. To protect it you can move it one directory above the WordPress install directory; WordPress looks for it there automatically (exactly one level up, and only when that directory does not contain a wp-settings.php of its own), which helps only if that directory is outside the web root.
An alternative is to deny web access to the file from the .htaccess file in the WordPress directory (Apache 2.2 syntax; on Apache 2.4 use "Require all denied" inside the same <Files> block):
<Files wp-config.php>
    Order allow,deny
    Deny from all
</Files>
This denies HTTP access to the file for everyone, while PHP can still read it from disk. Note that nginx ignores .htaccess files; use an equivalent location block in the server configuration there.
File permissions
The files and folders on the web server should have the following permissions:
* All directories should be 755 (or 750).
* All files should be 644 (or 640).
* wp-config.php should be 644 (or 600).
The stricter values (750, 640, 600) only work when PHP runs as the owner of the files or as a member of their group, as it does with a PHP-FPM pool or suEXEC configured per site; on shared hosts where PHP runs as a generic web user they will break the site. The web server user still needs write access to wp-content/uploads (and to wp-content/upgrade if you update from the dashboard). Nothing under the WordPress directory should ever be 777.