WordPress Security
There are many different steps we can take as preventive measures to protect a website, online store or simply a blog.
Is WordPress secure by default?
The first question you might be wondering is, is WordPress itself secure? In general, yes. However, WordPress website owners often experience hacks, crashes, and data leaks. Most often this happens due to the fact that users do not monitor security.
Using an outdated WordPress core, hacked plugins, poor system administration, poor credential management and lack of necessary knowledge – all this reduces the security of a WordPress site.
WordPress, as a CMS, is used by over 35% of all websites and it is no wonder that there are hundreds of thousands of combinations of different, both free and premium themes and plugins, and that vulnerabilities exist and are constantly being discovered.
Vulnerabilities in WordPress
Here is a list of the most common types of vulnerabilities/methods used by attackers targeting WordPress:
Backdoors.
Pharma Hacks.
Brute-force.
Malicious redirects.
Cross-site scripting (XSS).
Denial of service (DoS).
1.Backdoors
Backdoor is a vulnerability that provides attackers with hidden passages that bypass security protocols to gain access to WordPress websites using a non-standard method – wp-admin, SFTP, FTP, and so on. Exploitation of this vulnerability allows hackers to cause damage to hosting servers with subsequent “cross-site” infection – the compromise of several sites hosted on the same server.
Backdoors are often disguised as legitimate WordPress core or theme/plugin files, giving access to both the file system and the database, using weaknesses and errors in outdated (not updated in time) versions.
Prevention and treatment of this type of vulnerability is quite simple. You can check your WordPress site using SiteCheck, which will easily detect this and other backdoors.
2. Pharma Hacks
The “Pharma Hack” exploit is used as a method to insert malicious code into outdated versions of sites and plugins for WordPress, and as a result, meta tags are replaced. In SERP (search engine results) instead of your website, users see advertisements for pharmaceutical companies. The vulnerability is more of a spam threat than traditional malware, but gives search engines enough reason to block a site.
3. Brute-force
Brute-force is, first of all, an attempt at authorization using a brute force method. Scripts are used to try passwords, and if successful, attackers gain access to your site. Limiting the number of possible authorization attempts, two-step authentication, logging, using white and black lists of IP addresses, as well as strong passwords are some of the simplest and most effective ways to prevent this type of attack.
4. Redirect
Redirects are created thanks to backdoors and inject code into site files. On infected entities, the redirect scripts are often located in the .htaccess file, but can also often be found in both WordPress core and theme files (such as index.php). Acting stealthily and directing your traffic to malicious or advertising sites. We’ll cover some ways to prevent them in our WordPress security steps below.
5. Cross-site scripting (XSS)
XSS is a technique in which a script is injected into the body of a website or application. Usually these are JS scripts that work on the side of the end user’s browser without his knowledge and without the knowledge of the site owner. The goal is usually to retrieve cookies or session data, or perhaps even rewrite the HTML on the page.
6. Denial of Service (DoS)
One of the most dangerous vulnerabilities that causes denial of service (Denial of Service or simply DoS) uses errors in the code, simply eating up the RAM of the OS on which the site is running. Millions of websites are attacked day after day, causing a complete server shutdown. In a wide circle, this method is called DDos (Distributed Denial-of-Service).
Even current versions of WordPress cannot fully protect against large DDoS attacks. But at least they will help you avoid getting caught in the crossfire of financial institutions and botnet owners.
How to keep your WordPress site secure.
According to internet statistics, more than 100,000 websites are hacked every day. That’s why it’s important to take some time to familiarize yourself with the following tips on how to best strengthen your WordPress site’s security.
1. Secure hosting for a WordPress site
When it comes to general network security or, as in our case, organizing the protection of a WordPress site, it is important to understand that one of the key factors here is security at the server level.
2. Use PHP 7.4+
PHP is the basis of any WordPress website. It is difficult to overestimate the importance of using the current version! Each major release of PHP is fully supported by the language developers for the next 2 years.
3. Usernames and passwords
One of the best and easiest ways to strengthen the security of your WordPress site is to use a non-standard approach to choosing a username and password.
4. Use the latest version of WordPress core, plugins and your theme
Another way to strengthen the security of your WordPress site is to keep it updated. This includes WordPress core, plugins and themes (both from the WordPress repository and premium). The authors update their creations for a reason, there is a reason for everything. Often updates go hand in hand with bug fixes and general security improvements.
5. Protect your WordPress admin panel
Often, security in WordPress as a “stealth” strategy is suitable for both an online store and a regular website or blog. If you make it harder for hackers to find certain backdoors, you’ll be less likely to be attacked. Locking your WordPress admin panel from logins is a good way to increase your security.
Two ways to do this are to change the default wp-admin login URL and then limit the number of possible login attempts.
6. Take advantage of two-factor authentication
No matter how strong your password is, there is always a risk that someone will discover it. Two-factor authentication is a kind of two-step process in which you need not only a login/password combination, but also something additional. This is usually an SMS, phone call, or time-based one-time password (TOTP). In most cases, this is 100% effective in preventing brute force attacks on your WordPress site because it is almost impossible for an attacker to have both your password and your smartphone at the same time.
7. Using HTTPS for encrypted connections - SSL certificate
Perhaps one of the most underrated methods to increase the security of your WordPress site is to install an SSL certificate and run the site over HTTPS. HTTPS (Hyper Text Transfer Protocol Secure) is a protocol that allows your browser or web application to connect to a website securely.
8. Protect the wp-config.php file
wp-config.php is the heart and soul of WordPress and is also the most important file on your site when it comes to WordPress security. It contains the database login information and, so punishable, the security keys that provide encryption in the cookies.
9. Hiding the WordPress version
Hiding the WordPress version of your site also covers the topic of WordPress security. The fewer other people who know about your site’s configuration, the better. If they see that you are using an outdated version, then this can be a great signal for attackers. By default, the WordPress version appears in the header of your site’s source code.
10. Using plugins to improve the security of a WordPress site
Of course we have to mention some WordPress security plugins. There are many great developers and companies that offer great solutions to help you better secure your WordPress site.
WordFence
All In One WP Security & Firewall
iThemes Security
Sucuri Security
11. WordPress Database Security
There are several ways to improve the security of your WordPress database. The first is to use a clever database name. Changing your database name to something more obscure helps protect your site by making it more difficult for hackers to identify and access your database details.
The second recommendation is to use a database table prefix other than the default one WordPress recommends. By default, WordPress uses wp_. Changing the prefix to something like m09_xp_ will help significantly secure the WordPress database.
12. Secure connection to the server
Make sure your host takes precautions such as SFTP or SSH. SFTP or Secure File Transfer Protocol (also known as SSH File Transfer Protocol) is a network protocol used to transfer files. This is a more secure method compared to standard FTP.
13. Disable the ability to edit files from the WordPress admin panel
Many WordPress sites have multiple users and administrators at the same time, which can complicate WordPress security. It’s bad practice to give authors or editors admin access, but unfortunately this happens all the time. It’s important to give users the correct roles so they don’t break anything. Therefore, it may be useful to simply disable the “Theme Editor” in WordPress.
Additionally, if your site is compromised, the very first thing attackers can do is try to edit the PHP files or theme using this editor. This is a quick way for them to inject malicious code. Place the following code in your wp-config.php file to enable Front-End editing of files:
define('DISALLOW_FILE_EDIT', true); 14. Backup
Backups are something everyone should do without fail. Most of the recommendations above are safety measures you can take to better protect yourself. But no matter how secure your site is, it can still be hacked, or simply break down.
Conclusion
As you can see, there are many ways to improve WordPress security. Using smart passwords, keeping your core and plugins up to date, and choosing a reliable hosting are just a few that will ensure your WordPress site runs securely. For many of you, your WordPress site is both your business and your income, so it’s important to take some time and implement some of the security best practices mentioned above sooner rather than later.