WordPress Security Fundamentals: Ultimate Guide 2021
The WordPress content management system or (CMS) is one of the most popular web applications on the market. It’s estimated that WordPress powers almost 40% of the internet, up from 30% just a few years ago. The foundation for the content management system’s success is its convenience, simple installation, and vast theme and plugin community. WordPress can be used by someone who has very little knowledge of the ways a web application functions, but it comes at the expense of security. The article covers the following topics:
Ten Easy Steps to WordPress Security
- Recommended Articles
Can WordPress Be Hacked?
Any web application could potentially be hacked, but WordPress is a primary target due to its popularity. The core of WordPress code is generally secure, but vulnerabilities usually stem from third-party themes or plugins. Themes and plugins add code to the WordPress core to provide additional functionality, but it’s precisely this code that could introduce vulnerabilities. Since site owners are usually not security experts, they don’t know how to review code and test third-party plugins for vulnerabilities. Even plugins with millions of downloads can have unknown vulnerabilities, so using only popular plugins and themes does not guarantee security.
Third-party code isn’t the only risk to a WordPress site. If the server or application is misconfigured (e.g., permissive access to critical files or directories), it could lead to a data breach, or an attacker could upload malicious code on the WordPress server to compromise the targeted website or the server itself. Any misconfiguration or vulnerable code leaves WordPress open to compromise, so even with its secure code, WordPress can be hacked.
Because WordPress is such a popular software, it’s common for attackers to use script scanning functions to find and (sometimes) automatically exploit vulnerabilities. Anyone who monitors a WordPress site will report numerous scans from bots and other malicious threats on a daily basis. Here is a list of common threats that could compromise a WordPress site that you should consider when securing your site.
Brute-force attacks on the WordPress blog’s administrator account are very common. If you use a monitoring application that blocks and logs these brute-force authentication bots, you can see that the username “admin” and “administrator” are constantly attacked. You can take precautions and protect from brute-force authentication by using an alternative administrator username. This does not protect from brute-force attacks entirely, but it will block scripts coded to scan for the two most common administrator usernames.
Outdated Core Software
The core code in WordPress is secure until a vulnerability is found. The vulnerability could be introduced in new code added to the WordPress core codebase, or it could be from an unknown vulnerability that existed for a while and was recently discovered.
WordPress developers release new versions all year around. To combat vulnerabilities from outdated core software, update your WordPress software when a new release is available. WordPress also has an automatic update feature that will update the core software whenever a new version is deployed.
Outdated PHP Versions
The PHP programming language has gone through multiple changes since it’s release, and older versions are no longer supported. The official PHP website lists the latest version as 8.0 with security updates supported until 2023, but 7.3 will not receive security updates after December 2021. If you run older versions of PHP, you risk leaving vulnerabilities in the WordPress site with no option to patch them.
Hosting an outdated PHP version is common because whenever the new software is introduced to the site - the new configuration should be tested before it’s installed. Some small changes are made between versions, so installing without testing first could break the site. This complication leads to a delay, which opens a window of opportunity for attackers. When a PHP version is officially deprecated and no longer supported, the WordPress site should be tested and upgraded to the latest supported version as quickly as possible.
Undefined User Roles
When you first set up the WordPress software, you create an administrator account during installation. This account has full control over the application. WordPress has several other roles such as Editor, Writer, and Subscriber. Each role has its own core permissions added to a user account when it’s created.
User permissions should be heavily monitored, and anyone in charge of adding users should use proper directions to assign the right roles to every new account. A role is also given to new users by default. This role should be the one with the most limited permissions and additional permissions added later.
WordPress Outdated Themes and Plugins
Just like the core WordPress codebase must be updated, themes and plugins should also be updated when vulnerabilities are discovered. This requirement puts pressure on developers to patch their software, so the WordPress site owner should only install themes and plugins with an active developer who has not quit supporting the plugin code.
Even popular plugins have vulnerabilities, but most of the developers will continue patching support to attract users. As you search for a plugin or theme, always choose software that has an active developer and frequent updates, especially security updates.
When code passes SQL queries to the backend database, it must be validated to avoid SQL injection. SQL injection attacks take advantage of poorly coded plugins and themes and send malicious statements to the database. These statements allow the attacker to execute queries, delete data, and potentially elevate privileges. The most serious security issue is that attackers can hide malware within the database for reinfection and to maintain a persistent threat.
WordPress site owners rely heavily on developers to validate SQL statements before sending them to the database. For example, developers should use prepared statements rather than building queries using strings and user input. Any user input should be treated as “unsafe” and validated before sending it to the database.
Attackers will write scripts to identify opportunities to upload malicious applications. Successful malware installation can allow an attacker to deface the site, download ransomware to the server, or inject code into WordPress files. Any WordPress site owner unfamiliar with monitoring and detecting malware could leave malicious code running unknowingly and continue to allow the attacker to steal data. A site compromise is stressful for the site owner and requires an expert to find the vulnerability and remediate the issue.
Malware can be uploaded due to various reasons. Permissive access on directories, vulnerabilities in plugin and theme code, or incorrect site configurations are a few examples of security issues that could lead to malware being installed on a WordPress site. Keeping your site updated and covered with activity monitoringcan help stop and detect malware uploads.
Cross-site scripting (XSS) attacks occur when attackers take advantage of poorly designed plugin code that allows attackers to inject their own malicious content into the information exchange between client and server. There are two types of XSS attacks: reflected and persistent. With reflected XSS, an attacker will send malicious code to user input that’s subsequently shown in the user’s browser. For example, if you retrieve input in a text box and send it to the server in a GET query, this input must be validated before displaying it in a browser. If not, an attacker could inject malicious scripts that will run in a user’s browser, which can lead to cookie or access token theft.
Persistent XSS happens when the attacker sends malicious content to a web server, and the application then stores it in the database. The stored malicious content then renders later in a user's browser. This malicious content could also steal cookies or access tokens, redirect users to a malicious site, or steal user data.
Distributed Denial-of-Service (DDoS)
A DDoS does not stem from poor code, but it happens when attackers flood the site with too much traffic, exhausting resources. If a DDoS is not detected quickly, the attack could render the site unusable. A DDoS uses several devices in different geolocations to send a flood of traffic to the server, which can happen seemingly without any warning. The site should be monitored for such an attack so that administrators can act quickly.
A DDoS is distinct from a denial-of-service (DoS). A DoS is also a potential vulnerability in poorly engineered code. Any malicious activity that blocks users from using site functionality is a DoS. Monitoring site activity, errors, and server resources will help detect and quickly stop a DoS.
Some attacks inject keywords, links, and redirects. The goal is to take advantage of site pages ranked highly in search engines and leverage them to boost ranking for an attacker’s site. The “pharma hacks” hide hidden keywords and links for pharmaceutical products in victim pages. Search engines detect the content and rank pages for the keywords and links, but the site owner does not see them.
Conditional redirects take users from pages ranked in search engines and send them to an attacker-controlled site. Users are unaware of the redirect and could entrust the attacker-controlled site with credentials or sensitive information. Conditional redirects will also affect search engine ranking, so site owners might see their pages rank for strange phrases or lose ranking suddenly.
The administrator account is always a target for brute-force attacks. Attackers use common passwords, load them into scripts, and automatically attempt authentication across thousands of WordPress sites. You can stop brute-force attacks by using two-factor authentication (2FA) and assigning cryptographically secure passwords to all accounts, most importantly the administrator. A cryptographically secure password is at least twelve characters, contains uppercase and lowercase letters, and contains at least one number and special character. Read our brute force WordPress article to learn more about the rise of brute force attacks.
How Do I Make My WordPress Site Secure?
As a WordPress site owner, you rely heavily on developers to produce secure code, but you can also take steps to ensure the security of your site. Aside from always keeping your code secure by updating the core WordPress application and your plugins, you can take several additional steps that will lower the risk.
Find a Reliable WordPress Host Provider
Your website should be hosted on a server with hardened security. The host provider’s administrators are responsible for server security, so you can rely on them to configure WordPress properly. Read reviews, search for user feedback, and ask questions to find secure WordPress hosting. Host providers will list several security features afforded to WordPress site owners when they sign up for service, so find a provider that offers security features with hosting.
Be In Control of WordPress Access
Attackers target specific pages that store sensitive information, including site credentials. These pages are: wp-admin, wp-login.php, and xmlrpc.php. Assigning the wrong permissions to these files could allow attackers to steal credentials or inject their own credentials, giving them access to the database and site content.
Even with these files protected, attackers can still obtain credentials leveraging a phishing email, social engineering, or malware. To protect your account credentials, you can take additional measures to ensure that attackers cannot authenticate even if they are able to obtain your WordPress admin
- Use cryptographically strong passwords to avoid brute-force attacks. Passwords should be at least 10 characters and contain numbers, uppercase letters, and special characters. You can use a password vault to store WordPress credentials so that you do not forget them.
- Use two-factor authentication. To authenticate into the WordPress admin panel, an attacker will still need the auth code sent to your smartphone. Two-factor authentication is a strategy to stop unauthenticated access after a phishing attack.
- Limit authentication attempts. You can’t stop bots from attempting authentication, but you can limit the number of attempts to block brute-force attacks. WordPress has plugins that will limit authentication attempts. After the defined number of attempts, the account is locked for a set amount of time.
- Deauthenticate inactive accounts. Leaving idle users active opens the window of opportunity for attackers either from token theft or physical access on the user’s device. If the user authenticates from a public device and forgets to logout, you can use a WordPress plugin to ensure that anyone with physical access or from session hijacking cannot access the admin dashboard.
- Change the default administrator account name or create an alternative administrator account. When WordPress is installed, the administrator account is created. One strategy is to rename this account to an alternative, or you can create an alternative account and disable the main administrator account.
Keep WordPress Up-to-Date
The WordPress developers release updates every year. These updates address various bugs and security issues. You should always back up your WordPress site before updating, but you should update the software as soon as possible, especially if the update secures a known vulnerability.
Don’t forget to update plugins and themes when they become available. Usually, vulnerabilities stem from plugin and theme code, so quickly patching will stop attackers from exploiting issues. The WordPress dashboard displays an alert whenever a plugin or theme has a released update.
Managing updates requires you to review the WordPress dashboard every day, but you can eliminate this overhead by installing Imunify360. Imunify360 will perform a Real-time Virtual Patching so that you never have a data breach due to outdated plugins or core code. It also hardens PHP, includes a web application firewall (WAF), and proactive defense modules that stop and alert you to suspicious behavior.
Ten Easy Steps to WordPress Security
Before you deploy a WordPress site to production, you should follow an action checklist that ensures the security of your site. We put together a checklist to help you get started with your WordPress security.
Backups are a key component in disaster recovery. If you cannot recover from downtime using other methods, backups will recover the system to a previous point in time. Backups are also necessary if your WordPress site falls victim to a ransomware attack. They should be stored in a safe location and tested to ensure that they are not corrupted.
Install Security Plugins
Several types of security plugins could help to stop attacks. These plugins will stop XSS, brute-force attacks on passwords, file traversal, and malicious uploads. Even with these security plugins, it’s still important to monitor your WordPress set to identify attacks.
Use a Web Application Firewall (WAF)
A WAF can stop many of the attacks that leverage vulnerabilities in plugin and theme code. Imunify360’s WAF will stop XSS, malicious PHP scripts, brute-force password attacks, and SQL injection. To combat outdated software vulnerabilities, Imunify360 will also patch your WordPress software and monitor for unauthorized activities.
Install an SSL/HTTPS Certificate
An SSL/TLS certificate will add security to your user connections to stop data eavesdropping. An SSL/TLS certificate is also crucial for search engine ranking, so it should be a priority before you deploy the WordPress set to a production server.
Disable File Editing
The WordPress application has a file editing option that will allow users to change content, including theme items. If an attacker can exploit any vulnerabilities, the content within your site could be compromised with hidden malware, redirects, or third-party links. You should lock down editing so that only the administrator can edit files and theme configurations.
Disable PHP Script Execution
By default, WordPress configures specific directories with write permissions so that users can upload images, plugins, and themes. If an attacker exploits any vulnerabilities in this functionality, the site could be leveraged to host malware or PHP scripts injected into the codebase. To avoid becoming a host for malicious scripts and code, the WordPress site should be configured to disable PHP script execution.
Modify the WordPress Database Table Prefix
When attackers craft their SQL injection scripts, they mostly assume that the targeted site owner uses the default wp_ prefix on all WordPress tables. This prefix can be changed during the installation process. It does not eliminate all SQL injection vulnerabilities, but it stops any script where an attacker assumes that WordPress tables have the default prefix.
Disable Directory Indexing and Browsing
When directories can be browsed, search engines can index the list of readable files, and attackers can view any readable file to gain insight into the way the site is configured and set up. Directory browsing should be disabled, which can be done in the .htaccess file using the following option:
Disable XML-RPC in WordPress
The XML-RPC functionality in WordPress allows you to upload content remotely using a third-party client. Unless you absolutely need to remotely upload content, this functionality should be disabled to reduce the risk of compromise. You can easily disable XML-RPC by using a plugin that allows you to control remote access.
chmod 000 xmlrpc.php
Scan WordPress for Malware Frequently
Although the above steps reduce risk, they don’t completely eliminate it. To keep your website safe, you must scan it for any threats and monitor activity. A monitoring system will detect unusual traffic patterns and activity so that you can detect and eliminate malware. When malware or malicious code is introduced to the system, a good monitoring system will detect and remediate it automatically.
WordPress security is critical for your data protection and website reputation. Because WordPress is so popular, attackers focus their efforts on sites that host the content management system. Imunify360 can simplify the security of your site and let you take a proactive approach to the security of your website and server.
Take your web hosting security to the next level with Imunify360 security suite. Imunify360 is a complete security suite with all components working together to keep your servers safe and running while you could focus on other business tasks. Imunify360 is a synergy of Antivirus for Linux Server, Firewall, WAF, PHP Security Layer, Patch Management, Domain Reputation with easy UI and advanced automation. Try Imunify360 free for 14 days and see results in just one week.
- 17 ways to improve your cPanel security
- Proactive vs. Reactive Security: 5 Tips for Proactive Cyber Security
- 15 security tips for Linux VPS Hosting
- Top 15 Plesk Server Security Best Practices to Protect Your Website
- Top 10 Web Hosting Security Best Practices
- What Are Your First Three Steps When Securing a Linux Server?
- What are steps to secure a Linux server?
- How to keep your website secure in 2021
- Shared Hosting Security Guide for 2021
- Ultimate Guide for DirectAdmin Security from Security Experts
- Security made easy with Imunify360
- ModSecurity Rules: How to Guide
- What are Antivirus False Positives and What to do about them?