The WordPress content management system or (CMS) is one of the most popular web applications on the market. It’s estimated that WordPress powers almost 43% of the internet, up from 30% just a few years ago. The foundation for the content management system’s success is its convenience, simple installation, and vast theme and plugin community. WordPress can be used by someone who has very little knowledge of the ways a web application functions, but it comes at the expense of security. The article covers the following topics:
Third-party code isn’t the only risk to a WordPress site. If the server or application is misconfigured (e.g., permissive access to critical files or directories), it could lead to a data breach, or an attacker could upload malicious code on the WordPress server to compromise the targeted website or the server itself. Any misconfiguration or vulnerable code leaves WordPress open to compromise, so even with its secure code, WordPress can be hacked.
Because WordPress is such a popular software, it’s common for attackers to use script scanning functions to find and (sometimes) automatically exploit vulnerabilities. Anyone who monitors a WordPress site will report numerous scans from bots and other malicious threats on a daily basis. Here is a list of common threats that could compromise a WordPress site that you should consider when securing your site.
The core code in WordPress is secure until a vulnerability is found. The vulnerability could be introduced in new code added to the WordPress core codebase, or it could be from an unknown vulnerability that existed for a while and was recently discovered.
WordPress developers release new versions all year round. To combat vulnerabilities from outdated core software, update your WordPress software when a new release is available. WordPress also has an automatic update feature to update the core software whenever a new version is deployed.
The PHP programming language has gone through multiple changes since its release, and older versions are no longer supported. The official PHP website lists the latest version as 8.2 with security updates supported until 2025, but 8.0 will not receive security updates after December 2023. If you run older versions of PHP, you risk leaving vulnerabilities in the WordPress site with no option to patch them.
Hosting an outdated PHP version is common because whenever a new software is introduced to the site, the new configuration should be tested before it’s installed. Some small changes are made between versions, so installing without testing first could break the site. This complication leads to a delay, which opens a window of opportunity for attackers. When a PHP version is officially deprecated and no longer supported, the WordPress site should be tested and upgraded to the latest supported version as quickly as possible.
User permissions should be heavily monitored, and anyone in charge of adding users should use proper directions to assign the right roles to every new account. A role is also given to new users by default. This role should have the most limited permissions and additional permissions added later.
Even popular plugins have vulnerabilities, but most developers will continue patching support to attract users. As you search for a plugin or theme, always choose software that has an active developer and frequent updates, especially security updates. It is also crucial that you use reputable sources to download these themes and plugins.
WordPress site owners rely heavily on developers to validate SQL statements before sending them to the database. For example, developers should use prepared statements rather than building queries using strings and user input. Any user input should be treated as “unsafe” and validated before sending it to the database.
Attackers will write scripts to identify opportunities to upload malicious applications. Successful malware installation can allow an attacker to deface the site, download ransomware to the server, or inject code into WordPress files. Any WordPress site owner unfamiliar with monitoring and detecting malware could leave malicious code running unknowingly and continue to allow the attacker to steal data. A site compromise is stressful for the site owner and requires an expert to find the vulnerability and remediate the issue.
Malware can be uploaded due to various reasons. Permissive access on directories, vulnerabilities in a plugin and theme code, or incorrect site configurations are a few examples of security issues that could lead to malware being installed on a WordPress site. Keeping your site updated and covered with activity monitoring can help stop and detect malware uploads.
Persistent XSS happens when the attacker sends malicious content to a web server, and the application then stores it in the database. The stored malicious content then renders later in a user's browser. This malicious content could also steal cookies or access tokens, redirect users to a malicious site, or steal user data.
A DDoS does not stem from poor code, but it happens when attackers flood the site with too much traffic, exhausting resources. If a DDoS is not detected quickly, the attack could render the site unusable. A DDoS uses several devices in different geolocations to send a flood of traffic to the server, which can happen seemingly without any warning. The site should be monitored for such an attack so administrators can act quickly.
A DDoS is distinct from a denial-of-service (DoS). A DoS is also a potential vulnerability in poorly engineered code. Any malicious activity that blocks users from using site functionality is a DoS. Monitoring site activity, errors, and server resources will help detect and quickly stop a DoS.
Conditional redirects take users from pages ranked in search engines and send them to an attacker-controlled site. Users are unaware of the redirect and could entrust the attacker-controlled site with credentials or sensitive information. Conditional redirects will also affect search engine ranking, so site owners might see their pages rank for strange phrases or lose ranking suddenly.
The administrator account is always a target for brute-force attacks. Attackers use common passwords, load them into scripts, and automatically attempt authentication across thousands of WordPress sites. You can stop brute-force attacks by using two-factor authentication (2FA) and assigning cryptographically secure passwords to all accounts, most importantly the administrator. A cryptographically secure password is at least twelve characters, contains uppercase and lowercase letters, and contains at least one number and special character. Read our brute force WordPress article to learn more about the rise of brute force attacks.
Your website should be hosted on a server with hardened security. The host provider’s administrators are responsible for server security, so you can rely on them to configure WordPress properly. Read reviews, search for user feedback, and ask questions to find secure WordPress hosting. Host providers will list several security features afforded to WordPress site owners when they sign up for service, so find a provider that offers security features with hosting.
Attackers target specific pages that store sensitive information, including site credentials. These pages are: wp-admin, wp-login.php, and xmlrpc.php. Assigning the wrong permissions to these files could allow attackers to steal credentials or inject their own credentials, giving them access to the database and site content.
Even with these files protected, attackers can still obtain credentials by leveraging a phishing email, social engineering, or malware. To protect your account credentials, you can take additional measures to ensure that attackers cannot authenticate even if they are able to obtain your WordPress admin
WordPress developers release updates every year. These updates address various bugs and security issues. You should always back up your WordPress site before updating, but you should update the software as soon as possible, especially if the update secures a known vulnerability.
Don’t forget to update plugins and themes when they become available. Usually, vulnerabilities stem from plugin and theme code, so quickly patching will stop attackers from exploiting issues. The WordPress dashboard displays an alert whenever a plugin or theme has a released update.
Managing updates requires you to review the WordPress dashboard every day, but you can eliminate this overhead by installing Imunify360. Imunify360 will perform a Real-time Virtual Patching so that you never have a data breach due to outdated plugins or core code. It also hardens PHP, includes a web application firewall (WAF), and proactive defense modules that stop and alert you to suspicious behavior.
Before you deploy a WordPress site to production, you should follow an action checklist that ensures the security of your site. We put together a checklist to help you get started with your WordPress security.
Backups are a key component in disaster recovery. If you cannot recover from downtime using other methods, backups will recover the system to a previous point in time. Backups are also necessary if your WordPress site falls victim to a ransomware attack. They should be stored in a safe location and tested to ensure that they are not corrupted.
Several types of security plugins could help to stop attacks. These plugins will stop XSS, brute-force attacks on passwords, file traversal, and malicious uploads. Even with these security plugins, it’s still important to monitor your WordPress set to identify attacks.
A WAF can stop many of the attacks that leverage vulnerabilities in plugin and theme code. Imunify360’s WAF will stop XSS, malicious PHP scripts, brute-force password attacks, and SQL injection. To combat outdated software vulnerabilities, Imunify360 will also patch your WordPress software and monitor for unauthorized activities.
4 - Install an SSL/HTTPS Certificate
An SSL/TLS certificate will add security to your user connections to stop data eavesdropping. An SSL/TLS certificate is also crucial for search engine ranking, so it should be a priority before you deploy the WordPress set to a production server.
The WordPress application has a file editing option that will allow users to change content, including theme items. If an attacker can exploit any vulnerabilities, the content within your site could be compromised with hidden malware, redirects, or third-party links. You should lock down editing so that only the administrator can edit files and theme configurations.
By default, WordPress configures specific directories with write permissions so that users can upload images, plugins, and themes. If an attacker exploits any vulnerabilities in this functionality, the site could be leveraged to host malware or PHP scripts injected into the codebase. To avoid becoming a host for malicious scripts and code, the WordPress site should be configured to disable PHP script execution.
Options -Indexes
chmod 000 xmlrpc.php
Take your web hosting security to the next level with Imunify360, a complete security suite with all components working together to keep your servers safe and running while you could focus on other business tasks. Imunify360 is a synergy of Antivirus for Linux Server, Firewall, WAF, PHP Security Layer, Patch Management, Domain Reputation with easy UI and advanced automation. Try Imunify360 free for 14 days and see results in just one week.