Here we go, we’ve set up our WordPress website from scratch and we are live! Users are interacting with the website, signing up for accounts and everything is good! Then that little voice in the back of your mind says those four words –
What about website security?
Side Note: If you haven’t actually set up your WordPress site yet, have no fear, DigiF9 are here! Check out digif9.co.uk/how-to-build-your-new-wordpress-website/ for a detailed guide on getting set up.
Security 101
WordPress is one of the most commonly used platforms for freelancers, start-ups, SMEs and even Enterprise level organisations for a good reason. It is an open-source Content Management System (CMS), built on the PHP programming language and allows you to connect to a backend database with relative ease. With WordPress, you can create a cost effective and powerful website and transform your digital presence. You’ve made the sale, stop selling!
Unfortunately, we don’t live in a perfect world and there are several colourful individuals out there seeking to disrupt, deface or access sensitive information within websites, and as one of the most used tools on the internet, WordPress sites are often targeted by attackers.
With open-source software, the most popular benefit comes from the large community of developers, who regularly provide functionality updates, themes and plugins for users to enjoy. However, on the flip side there is a large community of attackers developing and sharing different methods of exploiting WordPress websites.
Early on, the most common areas exploited within WordPress were related to insecure plugins, as well as in the principal website itself (wordpress.org). Since then, WordPress has rigorously worked on improving its security for known vulnerabilities. However, there are still a number of areas that WordPress consumers can focus on, to minimise the risk of their website being compromised.
According to WordFence, there are almost 90,000 attacks launched per minute on WordPress websites, with around 3,972 known WordPress vulnerabilities. Out of this set, 52% are linked to WordPress plugins, 37% due to core WordPress files and 11% down to WordPress themes.
Updates
Don’t lie to me.
We’ve all been there right, we are right in the middle of an important task, game or movie on our device and that annoying message pops up.
YOU NEED TO UPDATE YOUR SOFTWARE.
And rather than stopping what we are doing and following the advice from our device we ignore it and skip the update. Who needs them anyway?
Software updates are a mixture of two common areas – functionality and security. By not updating your software you are potentially missing out on the latest feature release but most importantly the security fixes.
These security fixes are developed in response to vulnerabilities being discovered in that particular version of the software, and the update (patch) prevents an attacker from exploiting that vulnerability. By not updating your software you are leaving your system open to attackers and essentially leaving an open goal for them. Come on guys, at least put a goalkeeper in there, give your team a chance!
Ensuring that your WordPress site is regularly kept up to date with the latest patches, as well as updating any devices that you use to access your account, such as your mobile device or laptop, is the first step to securing your website that you have worked so hard to get set up.
Zero-Days
Let’s count to 5.
1, 2, 3, 4, 5.
Wait we forgot 0!
Zero-days in essence are software vulnerabilities that are currently unknown to the developer, and as such a patch to prevent the vulnerability from being exploited has not yet been created.
As one of the most widely used pieces of open-source software on the market, WordPress has a large community of researchers and bug bounty hunters aiming to identify these zero-days before an attacker does, in order to help develop a patch to prevent them being exploited. This further reinforces how essential updates are in keeping your site secure.
For curious users who want to know exactly what exploits they are preventing through their updates, check out the Common Vulnerabilities and Exposures (CVE) administered by the MITRE Corporation. These CVEs are widely used by Cyber Security Professionals to prioritise and fix vulnerabilities, identifying what an attacker could accomplish and assigning a severity score to them.
Plugins
Plug and pla… wait a second!
With such a vast community of developers producing plugins for WordPress, it should come as no surprise that the total number of plugins available exceeds 50,000! This is fantastic from a functionality perspective, providing users with many different options for customisation to personalise and enhance their website.
However, from a security perspective it creates an additional layer to your site that needs to be secured. When visiting the plugin page, next to the download button you can identify the plugin version, and the WordPress version that it is compatible with. When selecting a plugin for your website you should always take the following steps to reduce the level of risk associated with them;
- Use plugins that are regularly updated
- Use plugins developed by verified / recommended users
- Ensure that the plugin is essential to what you are trying to achieve
- Check the specific plugin within the CVE database to search for vulnerabilities
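The checklist above can be run against an existing site as well as applied when choosing a plugin. The following is an added example written for this post, not code from WordPress or any plugin; it assumes it is executed inside WordPress (for instance as a must-use plugin, or with `wp eval-file` if WP-CLI is installed) and reports, for every installed plugin, whether an update is pending, whether it is installed but inactive (a candidate for removal), and whether it declares a minimum WordPress version the site does not meet. The plugin name and slug in the report are what you would search for in the CVE list by hand; the function and constant names are this example’s own.

```php
<?php
/**
 * Plugin Name: Example Plugin Audit
 * Description: Added example (not WordPress core or any plugin's own code) that applies the
 *              plugin-selection checklist to what is already installed and writes a report
 *              to the PHP error log.
 */

require_once ABSPATH . 'wp-admin/includes/plugin.php';   // get_plugins() lives in wp-admin

/**
 * Build the audit report. Returns one entry per installed plugin, keyed by plugin file
 * (e.g. "akismet/akismet.php"), each with a list of human-readable findings.
 */
function ex_audit_plugins(): array {
    wp_update_plugins();                                   // refresh the update check against wordpress.org
    $updates = get_site_transient( 'update_plugins' );     // ->response holds plugins with a newer version
    $pending = isset( $updates->response ) ? $updates->response : array();
    $active  = (array) get_option( 'active_plugins', array() ); // network-activated plugins are stored elsewhere on multisite
    $wp_ver  = get_bloginfo( 'version' );
    $report  = array();

    foreach ( get_plugins() as $file => $data ) {
        $findings = array();

        // Checklist item 1: is it regularly updated? At least, is there an update we have not applied?
        if ( isset( $pending[ $file ] ) ) {
            $findings[] = sprintf( 'update available: %s -> %s', $data['Version'], $pending[ $file ]->new_version );
        }

        // Checklist item 3: is it essential? Inactive code is still reachable on disk, so remove it.
        if ( ! in_array( $file, $active, true ) ) {
            $findings[] = 'installed but inactive: delete it if it is not essential';
        }

        // Compatibility: the plugin header's "Requires at least" value versus the running core version.
        if ( ! empty( $data['RequiresWP'] ) && version_compare( $wp_ver, $data['RequiresWP'], '<' ) ) {
            $findings[] = sprintf( 'declares it needs WordPress %s, this site runs %s', $data['RequiresWP'], $wp_ver );
        }

        $report[ $file ] = array(
            'name'     => $data['Name'],
            'slug'     => dirname( $file ),        // checklist item 4: the term to search for in the CVE list
            'version'  => $data['Version'],
            'findings' => $findings,
        );
    }
    return $report;
}

/** Write the report to the error log once the site has loaded. */
add_action( 'init', function () {
    foreach ( ex_audit_plugins() as $file => $entry ) {
        if ( $entry['findings'] ) {
            error_log( sprintf( 'plugin audit: %s (%s %s): %s',
                $file, $entry['name'], $entry['version'], implode( '; ', $entry['findings'] ) ) );
        }
    }
} );
```

Checklist item 2 (the developer's reputation) and item 4 (known CVEs) cannot be automated from the plugin header alone, so the report only hands you the name and slug to look up; treat an inactive plugin with a pending update as the first thing to remove.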
Account Security
But that takes too long!
This is often the phrase people come out with when you advise them to secure their accounts with a strong password and a second level of authentication. But guess what – if it’s harder for you to login, it’s harder for an attacker to break in!
A common method of attack used is referred to as brute forcing – which does exactly what it says on the tin. An attacker attempts to break into an account by repeatedly guessing passwords, commonly using software to continually guess different iterations of commonly used passwords. You should also make sure that you do not use the default username of ‘admin’ as this is the most commonly used component of a brute force attack.
By using a strong and hard to guess password you are making this process far more difficult and time consuming for an attacker, which also highlights why it is important to regularly update your password. If someone can crack the Enigma Code, then someone can crack your login password!
You can also utilise plugins, such as Login Lockdown https://wordpress.org/plugins/login-lockdown/. This allows you to limit the number of login attempts that can be made before the account gets locked, preventing brute forcing from taking place.
Which leads us on nicely to the second item – multi-factor authentication or MFA for short. Again, the term accurately sums up what it does (we security folk are simple beings after all), it provides an additional layer of authentication for your account. This could be a text message, a phone call or the recommended option – an authentication code from a mobile application, such as Microsoft or Google Authenticator.
After correctly inputting your password, you will be asked for this second level of authentication, which means in the event that an attacker compromises your password, they are still unable to access your account.
Despite the plugin bashing in the previous section, there are a number of highly useful plugins on WordPress from a security perspective, another of which is All in One WP Security & Firewall, which provides protection against brute force attacks.
The plugin https://wordpress.org/plugins/wp-2fa/ will also add multi-factor authentication to your account.
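To make the brute-force discussion concrete, here is an added example of the attempt-limiting behaviour described above, written for this post rather than taken from Login Lockdown or any other plugin. It is a small must-use plugin that counts failed logins per client address in a WordPress transient, refuses authentication once the limit is reached, resets the counter on a successful login, and shows a dashboard warning if the default ‘admin’ account still exists. The limit, window and function names are assumptions of the example.

```php
<?php
/**
 * Plugin Name: Example Login Attempt Limiter
 * Description: Added example (not the Login Lockdown plugin's code). Locks out a client
 *              address after too many failed logins, using transients for the counters.
 */

// Hypothetical tuning values chosen for this example.
const EX_MAX_ATTEMPTS = 5;     // failed attempts allowed per window
const EX_LOCKOUT_SECS = 900;   // counting window and lockout length: 15 minutes

/** Derive the transient key for the current client address. */
function ex_login_key(): string {
    // REMOTE_ADDR is the direct peer. Behind a reverse proxy or CDN this is the proxy's
    // address, so all visitors would share one counter; adjust for your hosting first.
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    return 'ex_login_fail_' . md5( $ip );
}

/** Count a failed login (WordPress fires wp_login_failed on every wrong password). */
function ex_record_failed_login( $username ): void {
    $key      = ex_login_key();
    $attempts = (int) get_transient( $key ) + 1;
    // Each failure re-arms the expiry, so attempts made during a lockout extend it.
    set_transient( $key, $attempts, EX_LOCKOUT_SECS );
    error_log( sprintf( 'login failed for "%s" (%d/%d from this address)', $username, $attempts, EX_MAX_ATTEMPTS ) );
}
add_action( 'wp_login_failed', 'ex_record_failed_login' );

/** Refuse authentication while the address is locked out, even if the password is right. */
function ex_block_locked_out( $user, $username, $password ) {
    if ( (int) get_transient( ex_login_key() ) >= EX_MAX_ATTEMPTS ) {
        return new WP_Error(
            'ex_locked_out',
            sprintf( 'Too many failed logins. Try again in %d minutes.', EX_LOCKOUT_SECS / 60 )
        );
    }
    return $user;
}
// Priority 30 runs after WordPress's own username/password checks (priority 20), so the
// lockout error replaces whatever result those checks produced.
add_filter( 'authenticate', 'ex_block_locked_out', 30, 3 );

/** A successful login clears the counter for that address. */
function ex_clear_on_success( $user_login, $user ): void {
    delete_transient( ex_login_key() );
}
add_action( 'wp_login', 'ex_clear_on_success', 10, 2 );

/** Dashboard reminder if the default "admin" username is still in use. */
function ex_warn_default_admin(): void {
    if ( current_user_can( 'manage_options' ) && username_exists( 'admin' ) ) {
        echo '<div class="notice notice-warning"><p>A user named "admin" exists; rename it, since it is the username brute-force tools try first.</p></div>';
    }
}
add_action( 'admin_notices', 'ex_warn_default_admin' );
```

Locking by client address rather than by account is a deliberate choice: locking the account itself would let an attacker lock you out of your own site just by guessing wrong five times. Transients are used because they expire on their own, so no cleanup job is needed.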
Manage Or Disable The Register Page
I want users to register right?
Well yes, but this is a common area that attackers aim to exploit, and so careful attention must be placed on the configuration settings. You can determine default settings for users who register on your website, or indeed deactivate registration entirely if you do not need users to register for accounts.
Within the settings you can choose the level of access a newly registered user receives, from the following six available roles.
- Super Admin
- Administrator
- Editor
- Author
- Contributor
- Subscriber
Whilst not defining these roles here, you can straight away see that the first five will allow the user some ability to control, change or delete content on your site. So, you want to ensure that the default role is subscriber, to prevent users receiving these privileges by default.
Elevated access rights should only be granted to individuals that you name directly, not as a default setting. You can also choose to disable the functionality completely if you do not require it for your site.
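The two settings this section talks about, “Anyone can register” and “New User Default Role”, live in the database and can be flipped back by anyone with access to the settings screen. The following added example (written for this post, not WordPress code) pins them in a must-use plugin so the database value is ignored, and as a second line of defence demotes any self-registered account that somehow arrives with a role other than subscriber. `EX_ALLOW_REGISTRATION` and the function names are this example’s own.

```php
<?php
/**
 * Plugin Name: Example Registration Hardening
 * Description: Added example. Pins "Anyone can register" and "New User Default Role" in code
 *              and demotes self-registered users that end up with an elevated role.
 */

// Hypothetical policy for this example: set to true only if the site really needs self-registration.
const EX_ALLOW_REGISTRATION = false;

// 'pre_option_{name}' short-circuits get_option(), so the stored value is never consulted.
// Returning PHP false would mean "no override", so the flag is returned as the strings
// WordPress itself stores ('1' / '0').
add_filter( 'pre_option_users_can_register', function () {
    return EX_ALLOW_REGISTRATION ? '1' : '0';
} );

add_filter( 'pre_option_default_role', function () {
    return 'subscriber';   // never editor, author or contributor by default
} );

/**
 * Defence in depth: if a plugin creates users itself, make sure a newly registered
 * account that no administrator created is not handed an elevated role.
 */
add_action( 'user_register', function ( $user_id ) {
    $user = get_userdata( (int) $user_id );
    if ( ! $user ) {
        return;
    }
    $elevated = array_diff( $user->roles, array( 'subscriber' ) );
    // An admin creating a user in the dashboard has promote_users; a self-registration does not.
    if ( $elevated && ! current_user_can( 'promote_users' ) ) {
        $user->set_role( 'subscriber' );
        error_log( sprintf( 'user_register: demoted new user %d from [%s] to subscriber',
            $user_id, implode( ',', $elevated ) ) );
    }
} );

/** Audit helper: the settings as the rest of WordPress now sees them. */
function ex_registration_report(): array {
    return array(
        'users_can_register' => (bool) get_option( 'users_can_register' ),
        'default_role'       => get_option( 'default_role' ),
    );
}
```

With this in place the Settings > General screen still shows the two controls, but saving a different value has no effect; `ex_registration_report()` should always return `false` and `'subscriber'` while `EX_ALLOW_REGISTRATION` is false.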
Backups
Houston, we have a problem!
We all want to live in a perfect world where things work as they are supposed to, however anyone in the cyber industry knows that technology isn’t perfect. You must be prepared for a scenario where your website goes down, is inaccessible, or has been completely deleted.
This could be from an attacker or by purely accidental means, it doesn’t matter. The point is you need to get it back online and minimise downtime. This is where backups come into play.
Think worst case scenario as a student. 9,347 words into a 10,000 word dissertation due in 5 days and then bam the computer dies. Your ‘sympathetic’ supervisor says just use the backup you took. THANK YOU CAPTAIN HINDSIGHT!
Everyone thinks about a backup after the incident happens and thinks why could they not have thought about it before? Don’t be like everyone else, be better than that and make sure you identify a backup solution to your site.
There are several free and paid WordPress plugins that you can use for scheduled and automated backups, but the most important thing is that you save these to a secure and robust location.
The cloud has joined the game.
Using a service like Microsoft OneDrive, Apple iCloud, Dropbox or similar to store your backups allows you to have confidence that if the worst-case scenario does occur, your backup file will be available and ready for use.
Use HTTPS
No one likes an eavesdropper.
HTTPS is a protocol that uses Transport Layer Security (TLS) to enable encrypted data transfer between a website and a user’s browser. Without this encrypted channel, attackers can snoop in on this interaction, potentially accessing sensitive information such as login credentials or payment card information.
You will know it from that padlock at the top of your browser that lets you know the connection is secure, or from the dreaded insecure page warning most of us will have encountered at some point.
Whilst enabling SSL is important from a security perspective you should also think of it from a user interaction perspective. If users receive an “insecure page” or similar warning when navigating to your website, and in particular for websites that require users to login or provide payment information, they are unlikely to feel safe sharing this sensitive information.
Disable xmlrpc.php
A word with no vowels! It cannot be.
XML-RPC is a feature that comes with WordPress that provides remote interaction with your website. It was a common and fantastic feature for early adopters of WordPress on slower internet connections, as it allows users to write content offline and publish it to their website in one go. Back in those prehistoric dial-up days.
However, with today’s faster internet speeds the feature has become redundant for most users; only a small handful of plugins still rely on it, along with the WordPress mobile application and the JetPack plugin.
Because of the number of vulnerabilities associated with it, the response has been to develop a new API for WordPress and slowly phase XML-RPC out over time. As more and more plugins and sections of WordPress no longer require this feature, the time to disable it and protect your site has come.
There are two primary methods that you can use to disable the XML-RPC feature;
Method 1: Install the Disable XML-RPC plugin, which turns the feature off for you.
Method 2: Change the file’s permission:
You may not wish to use a plugin, and prefer to apply the change manually. To do this you can change the permission of the file to 000. Essentially this means that it will have;
- No Read Rights = 0
- No Write Rights = 0
- No Execution Rights = 0
This means that the web server can no longer read or execute the file, so any request to xmlrpc.php simply fails and this particular part of the attack surface has been nullified. Check the permission again after a core update, since updates re-copy the core files.
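For those who would rather see what the plugin approach (Method 1) actually does than install another plugin, here is an added example written for this post, not the Disable XML-RPC plugin’s code. It is a must-use plugin that turns off XML-RPC authentication, removes the pingback methods that work without a login, stops the site advertising the endpoint, and answers direct requests to xmlrpc.php with a 403. It assumes nothing on the site (such as JetPack or the mobile app) still needs XML-RPC; the permission change of Method 2 is a one-line `chmod` on the server and is not shown.

```php
<?php
/**
 * Plugin Name: Example Disable XML-RPC
 * Description: Added example (not the Disable XML-RPC plugin's code). Switches XML-RPC off
 *              at every point WordPress exposes it.
 */

// 1. Every XML-RPC method that needs a login now fails with "XML-RPC services are disabled on this site."
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Pingback methods are served without a login, so the filter above does not stop them; drop them.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 3. Stop telling the world where the endpoint is: the X-Pingback response header and the RSD <link>.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );

// 4. Belt and braces: xmlrpc.php defines XMLRPC_REQUEST before loading WordPress, so a direct
//    request can be refused outright before any method is dispatched.
add_action( 'init', function () {
    if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
        status_header( 403 );
        nocache_headers();
        error_log( sprintf( 'blocked XML-RPC request from %s', $_SERVER['REMOTE_ADDR'] ?? 'unknown' ) );
        exit;
    }
} );
```

After activating it, a request to `/xmlrpc.php` should come back with a 403 and a page response should no longer carry an `X-Pingback` header; if a plugin you rely on stops working, it is one of the few that still needs the feature and you will have to choose between it and this hardening.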
Conclusion
WordPress is a fantastic piece of open-source software that allows you to transform the digital presence of your company. However, ensuring that it is properly secured and protected from attackers is essential to staying in business and retaining your customers – no one wants to trust a company that gets hacked all the time.
Whilst the guide provides the key areas to get started with securing your WordPress website, you should always aim to enhance and develop your security over time to stay one (or a few) steps ahead of the attackers.
At DigiF9 we enable our customers to transform their digital presence, through website, mobile and web application development, as well as brand design services. But most importantly we deliver these services with security built in from the offset, due to the vast amount of security experience across our team.
Contact us today to get started on your new and secure website or app! sales@digif9.co.uk