
Keeping WordPress Website Secure. Personal, Server issues and WordPress configuration techniques.

Hi guys.

This time in English; it is the first post that I'm going to write in this foreign language. Yes, I know that I'm a Spaniard and I like writing in Spanish, but I will do it for two main reasons.

The first one is that I promised my American friends (Boyhood, Peter54) that I would do it. They work with the WordPress CMS and suggested that I could write about security and how they can apply it to their personal blogs.

Nowadays these kinds of questions are common. Peter and Boyhood were worried about what they can do to protect their WordPress installation; they aren't experts. They contacted me through the web form of my personal blog (remember that you can do the same if you want) and suggested that I write about this kind of issue. I was thinking about it and about why WP security is so important. Although it sounds incredible, WordPress is used by more than 26.4% of the top 10 million websites as of April 2016. WordPress is reportedly the easiest and most popular blogging system in use on the Web, supporting more than 60 million websites. Security is an essential aspect and it deserves to be treated with special interest.

The second one is even more important for me. I can practice my written English, and I am sure that they will correct a lot of mistakes, but I promise that I will try to express myself in the best way possible, Peter (please don't smile so much). 🙂

So, I would like to classify the security of a WordPress website taking into consideration three factors that I think are essential.


Let’s go, it could be very long, but it’s worth it…

Personal, Server issues, and WordPress configuration techniques.

Because a lot of Internet websites have talked so much about different hints, I think that the best way to classify security is to think about these 3 main factors.

1. Personal.

A WordPress installation has different passwords for different purposes, and it is vital to set up a complex password not only for the WP backend panel, but also for the MySQL database, the FTP (better SFTP) server and the web admin panel of the server or VPS.

I know that it's hard to get you to listen to this basic trick, but it's critical that you realize that the easier it is for you to remember a password, the easier it will be for the attackers' automated brute-force systems to get it.

WordPress, in its latest versions, incorporates a secure password generator and «suggests» that you use it. This will always be the best option. You can, however, skip this recommendation and set a simple, insecure password, but you would be making the main and most important security mistake of all.

Currently it is unnecessary to use easy passwords, since all browsers offer the possibility to remember them for you in your computer. So always use strong passwords, which contain lowercase letters, uppercase letters, numbers, and special characters.

If you have many registered users you can even force a change of passwords so that they are all safe, including those of the administrators.

Make sure that you don't have any kind of virus on your personal computer.
Try to install antimalware software and a complete antivirus suite. This is essential.

Your operating system also needs to be updated, because some kind of access to the system by intruders may allow them to intercept communications between your computer and the hosting provider.

2. Server issues.

The SFTP protocol instead of FTP.

It is better that the connections to your server for file updates are made through the SFTP protocol instead of FTP, assuming your hosting allows it. If they don't have it, consider moving to a host that does. The extra encryption is a valuable safeguard against your login details being intercepted by hackers.

File permissions.

The WordPress configuration file, the wp-config.php file, contains very sensitive information about your server:

Database name, user of the database, password for the database, prefix of database tables.

For this reason it is vital to protect it from outside eyes and, of course, from unwanted modifications.

You can do the following actions:

Move it to the folder above, so if it is located in the path … / public_html / / move it to the folder … / public_html /.

Protect it from writing by changing the permissions to 444.

Add the following rules to the Apache .htaccess file to avoid unwanted access:

# Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied"
<Files wp-config.php>
Order allow,deny
Deny from all
</Files>

About updates of your server.

It's very important to keep your server software patched: your version of the MySQL database, Apache and PHP all receive bug fixes.
If you are using a server administration panel, keep it updated too, with the correct configuration options. There are many security holes in the panels and you will need to be aware of them.

Use secure file and folder permissions

By default, WordPress applies read and write permissions to files and folders that can sometimes be modified, either automatically by some plugins, or manually by uploading files yourself from cPanel utilities or even FTP clients.

The default permissions that files and folders must have in WordPress are the following:

Files must be 644
Folders must be 755

A file or folder with more permissions than these is a potential source of vulnerabilities. You will need to change it back to the default permissions from cPanel, Plesk, … or another file manager or your favorite FTP client.
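
The permissions above can be checked from a shell on the server. The following script is an added example, not part of the original post; the function names `audit_wp_perms` and `make_demo_tree` and the demo tree they build are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Checks a WordPress tree against the modes given in the post:
# 644 for files, 755 for folders and 444 for wp-config.php.

# audit_wp_perms ROOT
# Prints one line per deviation. Returns 0 if clean, 1 if not, 2 on bad input.
audit_wp_perms() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    report=$(
        find "$root" -type d ! -perm 755 -print |
            sed 's/^/folder is not 755: /'
        find "$root" -type f ! -name wp-config.php ! -perm 644 -print |
            sed 's/^/file is not 644: /'
        find "$root" -type f -name wp-config.php ! -perm 444 -print |
            sed 's/^/wp-config.php is not 444: /'
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# make_demo_tree: builds a constructed tree with three deliberate deviations
# and prints its path (hypothetical helper, only for this demonstration).
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads"
    : > "$d/index.php"
    : > "$d/wp-config.php"
    : > "$d/wp-content/uploads/photo.jpg"
    chmod 755 "$d" "$d/wp-content"
    chmod 644 "$d/index.php"
    chmod 777 "$d/wp-content/uploads"            # deviation: folder too open
    chmod 666 "$d/wp-content/uploads/photo.jpg"  # deviation: world-writable
    chmod 644 "$d/wp-config.php"                 # deviation: should be 444
    echo "$d"
}

demo=$(make_demo_tree)
audit_wp_perms "$demo" || echo "fix the items listed above"
rm -rf "$demo"
```

On a real site, call `audit_wp_perms` with the folder where WordPress is installed and correct each reported item with `chmod`.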

3. WordPress configuration techniques.

Change your default user login. Be careful, because this is very important.

By default we use the admin user to enter the WP backend. It is important to change the username of the admin user. One of the first things that attackers will try with their exploits and bots is a brute-force attack using the default user name.

Update your WordPress installation and plugins too.

It is very important to keep your WordPress installation updated (mainly the core files), and even more so your plugins. But remember that you will need to create a backup before doing it. It could happen that some themes don't work well after updating your site. But keep in mind that it is more secure to keep everything updated. Many vulnerabilities in your WordPress will appear if it isn't updated properly.

Although there are very good free themes and of course paid themes too (templatemonster, themeforest, and so on…), it is very advisable that your theme has a child theme, which allows you to update only the main or parent theme files. This is because our theme might otherwise not work properly with the WP theme. Future security fixes are likely, and it is better to update only your parent theme. Summarizing, I will give you an important piece of advice: always try to use child themes to improve your WP security.

Try to use only what you need; I've felt it on my own skin.

If you are tempted to use many plugins, it is better for your security to have only the necessary ones. Try to delete as many inactive plugins, files and themes as you can, including readme files too.
Always remember this basic principle: the fewer plugins, the fewer vulnerabilities you will have.

The importance of having backup and security plugins working properly.

I recommend using good plugins to back up the WordPress database and files. Although your hosting provider may make backups, it is better for you to have a plugin for database and file backups.

Many of them work by saving the data to the cloud.

With this other link we can install plugins related to security

You can order the search by popularity.

Prevent directory browsing

To prevent anybody from accessing files in your WP directory by typing the directory path into the browser, place the lines below into the .htaccess file, above # BEGIN WordPress.

Placing a blank index.html file into every directory will have the same effect. However, this is quicker and simpler.

# prevent directory browsing
Options -Indexes

Limit login attempts

By default, WordPress allows users to enter passwords as many times as they want. Hackers may try to exploit this by using scripts that enter different combinations until your website cracks.

To prevent this, you can limit the number of failed login attempts per user.

For example, you can say after 5 failed attempts, lock the user out temporarily.

If someone has more than 5 failed attempts, then your site blocks their IP for a temporary period of time based on your settings. You can make it 5 minutes, 15 minutes, 24 hours, and even longer.

Two common plugins for limiting login attempts are the eponymous Limit Login Attempts plugin and Login Lockdown.
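
The same threshold can be used to spot brute-force attempts in the web server log. This is an added example, not part of the original post or of either plugin; it assumes the Apache combined log format and that a failed WordPress login appears as a POST to /wp-login.php answered with status 200, and the function names and log lines are constructed.

```shell
#!/bin/sh
# Added example. Lists clients that exceed a failed-login threshold within one
# clock hour, reading an access log on standard input.
# Assumptions: Apache combined log format; a failed WordPress login is a POST
# to /wp-login.php answered with 200 (a successful login redirects with 302).

# count_failed_logins LIMIT
# Prints "IP DAY:HOUR COUNT" for every client with more than LIMIT failures.
count_failed_logins() {
    awk -v limit="$1" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 {
            # $4 looks like [10/Oct/2016:13:55:01, keep the day and the hour
            fails[$1 " " substr($4, 2, 14)]++
        }
        END {
            for (k in fails)
                if (fails[k] > limit) print k, fails[k]
        }
    ' | sort
}

# sample_log: constructed log lines (documentation addresses, not real data)
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [10/Oct/2016:13:55:01 +0200] "POST /wp-login.php HTTP/1.1" 200 3520 "-" "-"
203.0.113.7 - - [10/Oct/2016:13:55:02 +0200] "POST /wp-login.php HTTP/1.1" 200 3520 "-" "-"
203.0.113.7 - - [10/Oct/2016:13:55:03 +0200] "POST /wp-login.php HTTP/1.1" 200 3520 "-" "-"
203.0.113.7 - - [10/Oct/2016:13:55:04 +0200] "POST /wp-login.php HTTP/1.1" 200 3520 "-" "-"
203.0.113.7 - - [10/Oct/2016:13:55:05 +0200] "POST /wp-login.php HTTP/1.1" 200 3520 "-" "-"
203.0.113.7 - - [10/Oct/2016:13:55:06 +0200] "POST /wp-login.php HTTP/1.1" 200 3520 "-" "-"
198.51.100.4 - - [10/Oct/2016:13:40:10 +0200] "POST /wp-login.php HTTP/1.1" 200 3520 "-" "-"
198.51.100.4 - - [10/Oct/2016:13:40:31 +0200] "POST /wp-login.php HTTP/1.1" 200 3520 "-" "-"
198.51.100.4 - - [10/Oct/2016:13:40:52 +0200] "POST /wp-login.php HTTP/1.1" 302 - "-" "-"
192.0.2.9 - - [10/Oct/2016:13:41:00 +0200] "GET /wp-login.php HTTP/1.1" 200 2811 "-" "-"
EOF
}

sample_log | count_failed_logins 5
```

The client that mistyped a password twice and then logged in stays below the limit of 5; only the address with six failures in the same hour is listed.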

You can find more information on

Avoid brute force attacks


Change the prefix of your WordPress database tables.

Please, try to change the wp_ prefix for database tables on a fresh install. The method for existing sites is a little more involved. You will need access to your database through phpMyAdmin, or you can use a plugin that does it for you.

Protect the uploaded files folder

The uploads folder, located in the path where you upload the images and documents that you attach to your publications in WordPress, is the most susceptible to attacks. So it is very important to protect it against the execution of viruses or malicious scripts.

WordPress does not allow uploading executable files to this folder by default, but there are techniques that hackers use to bypass this rule. So we must apply extra protection, expressly defining which file extensions can be uploaded to it.

To do this, we will add the following lines of code to the hidden Apache configuration file .htaccess, located in the folder where you installed WordPress:

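# These rules apply to the folder that holds this .htaccess and to its subfolders
# Deny access to every file that has an extension...
<Files ~ ".*\..*">
        Order Allow,Deny
        Deny from all
</Files>
# ...except the file types that are allowed as uploads
<FilesMatch "\.(jpg|jpeg|jpe|gif|png|bmp|tif|tiff|doc|pdf|rtf|xls|numbers|odt|pages|key|zip|rar)$">
        Order Deny,Allow
        Allow from all
</FilesMatch>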

Here is an example .htaccess configuration file for your WP:


# This is an example of a HTACCESS File. It has a lot of features for securing your wordpress installation
# Let's go

# prevent directory browsing
Options -Indexes

# protect the htaccess file
<files .htaccess>
order allow,deny
deny from all
</files>

# don't allow wp-config.php to be loaded. It contains the configuration options for WordPress.
<Files wp-config.php>
order allow,deny
deny from all
</Files>

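# IP address restrictions: only the authorised address below can reach this folder
# (in the site root these lines apply to the whole website)
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all

# authorised IP address, put your address here
allow from ??.???.???.???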

# These 3 lines disable HTTP TRACE to avoid XST and XSS attack methods.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

# Remember that WordPress is able to edit any code between the BEGIN and END WordPress tags
# BEGIN WordPress

<IfModule mod_rewrite.c>

RewriteEngine On
RewriteBase /

# This section protects WordPress against some injection attempts made through the URL (see the BEGIN tag above)
# return 403 Forbidden when somebody puts script tags or GLOBALS or _REQUEST stuff in the URL

RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
RewriteRule ^index\.php$ - [L]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

</IfModule>

# END WordPress

Prevent sploggers from accessing

If for some reason you allow user registration in your WordPress, you must protect yourself against those known as sploggers, users who register on a massive number of websites to try to access their settings, add spam comments or even inject malware.

The definitive solution for this type of user is, of course, not to activate user registration (the default behavior of WordPress). But if, for reasons of loyalty or marketing, you have registration enabled, you should install the best plugin that exists to detect and eliminate this threat: WangGuard.

Use a reverse proxy like CloudFlare

One measure for securing WordPress is using a CDN service, or Content Delivery Network like CloudFlare, with a very complete free plan and plugins that facilitate its integration with WordPress.

In addition to offering a very powerful cache system, it also incorporates protection measures such as the following:

Obfuscation of emails, avoiding the capture of email addresses displayed on your website.
IP blocking of visitors with behavior suspected of being attackers.
Always online, to display a cached version of your web even when you are suffering an attack.

Other related issues about vulnerabilities (wikipedia)

Many security issues have been uncovered in the software, particularly in 2007, 2008, and 2015. According to Secunia, WordPress in April 2009 had 7 unpatched security advisories (out of 32 total), with a maximum rating of «Less Critical».

In January 2007, many high-profile search engine optimization (SEO) blogs, as well as many low-profile commercial blogs featuring AdSense, were targeted and attacked with a WordPress exploit. A separate vulnerability on one of the project site’s web servers allowed an attacker to introduce exploitable code in the form of a back door to some downloads of WordPress 2.1.1. The 2.1.2 release addressed this issue; an advisory released at the time advised all users to upgrade immediately.

In May 2007, a study revealed that 98% of WordPress blogs being run were exploitable because they were running outdated and unsupported versions of the software. In part to mitigate this problem, WordPress made updating the software a much easier, «one click» automated process in version 2.7 (released in December 2008). However, the filesystem security settings required to enable the update process can be an additional risk.

In a June 2007 interview, Stefan Esser, the founder of the PHP Security Response Team, spoke critically of WordPress’ security track record, citing problems with the application’s architecture that made it unnecessarily difficult to write code that is secure from SQL injection vulnerabilities, as well as some other problems.

In June 2013, it was found that some of the 50 most downloaded WordPress plugins were vulnerable to common Web attacks such as SQL injection and XSS. A separate inspection of the top-10 e-commerce plugins showed that 7 of them were vulnerable.

In an effort to promote better security, and to streamline the update experience overall, automatic background updates were introduced in WordPress 3.7.

Individual installations of WordPress can be protected with security plugins that prevent user enumeration, hide resources and thwart probes.

Users can also protect their WordPress installations by taking steps such as keeping all WordPress installation, themes, and plugins updated, using only trusted themes and plugins, editing the site’s .htaccess file to prevent many types of SQL injection attacks and block unauthorized access to sensitive files. It is especially important to keep WordPress plugins updated because would-be hackers can easily list all the plugins a site uses, and then run scans searching for any vulnerabilities against those plugins. If vulnerabilities are found, they may be exploited to allow hackers to upload their own files (such as a PHP Shell script) that collect sensitive information.

Developers can also use tools to analyze potential vulnerabilities, including WPScan, WordPress Auditor and WordPress Sploit Framework developed by 0pc0deFR. These types of tools research known vulnerabilities, such as CSRF, LFI, RFI, XSS, SQL injection and user enumeration. However, not all vulnerabilities can be detected by tools, so it is advisable to check the code of plugins, themes and other add-ins from other developers.

In March 2015, it was reported by many security experts and SEOs including Search Engine Land that a SEO plugin for WordPress called Yoast which is used by more than 14 million users worldwide has a vulnerability which can lead to an exploit where hackers can do a Blind SQL injection.

To fix that issue they immediately introduced a newer version 1.7.4 of the same plugin to avoid any disturbance on web because of the security lapse that the plugin had.

WordPress’ minimum PHP version requirement is PHP 5.2, which was released on January 6, 2006, 10 years ago, and which has been unsupported by the PHP Group and not received any security patches since January 6, 2011, 5 years ago.

