WordPress Security: The Problem, The Solution, And Remedies

In the past couple of years, the number of Internet users and bloggers has increased tremendously. As WordPress is easy to set up and configure, it has become one of the most popular and widely used applications for bloggers. Due to this popularity, WordPress is now the favourite hang-out spot of hackers. Every day, some scary report about a major site being hacked or a sensitive database being compromised hits the web and freaks everyone out.

But why should I take WordPress security so seriously? What are the odds that someone is really going to try to hack me?
Doesn’t it concern you that you might be hosting hidden links to Viagra sites, or that Google might flag your site as malware-infected? Hmm. Let us spell out the gravity of the security threat you’re facing. Consider the following:

  • It’s not terribly difficult to determine if a site runs on WordPress or not.
  • If a site runs on WordPress, appending the domain with wp-login.php will almost always take you to the login page (even if it’s not linked anywhere on the site).
  • Because ‘admin’ is the default first user name, most WordPress-powered sites use it and that user name has full administrator access.
  • Thus, for most WordPress websites, the security of the entire site is literally only as strong as the admin password.

A little frightening, no? Let’s try to scare you a little bit more. Every day, there are almost 50,000-180,000 unauthorized login attempts on WordPress-hosted sites. The vast majority of these are hackers using brute-force techniques (trying millions of combinations of usernames and passwords) to get into websites and wreak havoc. It is possible, perhaps even probable, that a hacker halfway across the globe is trying to hack into your site at this very moment.

Now that you realize how vulnerable your website is, here is a chicken-scratched list of tips for keeping your WordPress website secure.

Maintain strong passwords
Let’s kick off the list with the easiest step you can implement immediately. If your current admin password is ‘password123′ or something remotely similar in its simplicity, then you have a serious issue. You might as well have a flashing neon Welcome! sign for hackers hanging in your website’s front window.
We suggest that you use strong passwords which include upper- and lower-case letters, numbers and symbols. Something like rockSTAR19!@ or $h@ruKh r0ck$ is a great example of a strong password. As mentioned above, most hackers try to brute-force the password, so if your password is as strong as we suggested, you should be fine.

Keep up with updates

The second crucial step is to make sure that your blog’s WordPress version is up to date. The WordPress team creates patches to help fix security holes. But will WordPress always be one step ahead of the hackers? Of course not. Quite the contrary: for the most part, as with detecting terrorist attacks by our government, software is always going to be one step behind the hackers.
But when major security holes are known and patches are available, there is no excuse not to apply them. So keep tabs on WordPress updates. The same goes for plugins and themes. We also recommend following BlogSecurity, as they will inform you whenever a new patch or fix is released.

Clean your site like you clean your kitchen
Now that you’ve got the latest plugins and updates why not get rid of the old ones? You wouldn’t leave dirty dishes and silverware sitting in stale water for three days in your sink would you? Of course not. It would be a breeding ground for filth and muck. If you have old themes and plugins that you’re not using anymore, especially if they haven’t been updated, you can basically just go ahead and start the countdown to your next security breach. A messy site also makes it much more difficult for security professionals to operate should your site be compromised.

Backups
Make it a habit to back up your blog and database at regular intervals, and do not depend on your hosting company’s backups: if their backup ran after your blog was hacked, it contains the hacked data. You can do this manually or use an available plugin. We recommend BackupBuddy, which backs up your entire WordPress blog. Unlike free plugins, which only back up your database, BackupBuddy exports your entire database along with images, files and whatever else is in your blog’s content folder. Nice!

Rename the administrative account
When WordPress is installed, by default it sets the username ‘admin’ as the administrator of the blog. For better security, don’t use ‘admin’. After installation you can create a new user with administrator rights and delete ‘admin’.
But remember that this isn’t the pinnacle of security measures: hackers can find usernames fairly easily from blog posts or elsewhere. More important than disguising the admin username is making sure that every account on your site with administrator access is protected by a strong password. (Yes, we’re referring you back to #1 in this list.)

Firewall Plugins
There are a few plugins that screen suspicious-looking requests against rule databases and/or whitelists. BlogSecurity’s WPIDS plugin installs PHPIDS, a generic security layer for PHP applications, while WordPress Firewall uses WordPress-tuned pre-configured rules along with a whitelist to screen out attacks without much configuration.

Change the WordPress table prefix
The default table prefix for WordPress is wp_. We know it, you know it, and so does the hacker. SQL injection attacks are easier with the default table prefix because the table names are easier to guess. Changing your database table prefix is highly recommended, and you can do it easily using the WP Security Scan plugin: it has a tab called “Database” where you have the option to rename your entire table prefix to something that is tough to guess.

Secure wp-config.php
wp-config.php is important because it contains all the sensitive data and configuration of your blog, and therefore we must secure it through .htaccess. Simply adding the code below to the .htaccess file in the root directory will do the trick.
# protect wp-config.php: refuse every direct HTTP request for the file
# (Apache 2.2 access-control syntax; on Apache 2.4 the equivalent is "Require all denied")
<Files wp-config.php>
Order deny,allow
Deny from all
</Files>

No directory browsing
It’s not a good idea to allow visitors to browse through your entire directory tree. Directory listings reveal your directory structure, which makes it easier for hackers to look for security holes. To stop this, simply add the two lines below to the .htaccess in the root directory of your WordPress blog.
# disable directory browsing
# (not "Options All -Indexes": Apache rejects a mix of bare options and +/- options)
Options -Indexes

Block WP folders from being indexed by search engines
Search engine spiders crawl over your entire blog and index all of its content unless they are told not to. We do not want the admin section indexed, as it contains sensitive information. The easiest way to prevent crawlers from indexing the admin directory is to create a robots.txt file in your root directory and place the following in it. Note that robots.txt is a request honoured by well-behaved crawlers, not an access control; it does not stop anyone from requesting those paths directly.
# robots.txt: keep crawlers out of WordPress internals
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*

Preventing SQL Injection & URL Hacking
WordPress is a database-backed platform that executes server-side PHP scripts, which makes it vulnerable to malicious URL insertion attacks.
In a SQL injection, hackers embed commands in a URL and gain access to sensitive information on your site. Other URL hacks can trigger unintended PHP behaviour which, again, can lead to injected malware or revealed sensitive information. So how do you prevent such attacks?
Simply copy and paste the code below into the .htaccess in your root. It works like a charm.

# protect from sql injection / URL hacks
Options +FollowSymLinks
RewriteEngine On
# block <script ...> tags, raw or URL-encoded, anywhere in the query string ([NC] = case-insensitive)
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
# block attempts to set PHP's GLOBALS or _REQUEST arrays through the query string
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# answer any matching request with 403 Forbidden
RewriteRule ^(.*)$ index.php [F,L]
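To see exactly what these three conditions do and do not catch, here is a test harness added for this article (not the original post's code): it re-implements the patterns in Python and runs them over constructed query strings. The results show that the rules match on script tags and on the names GLOBALS and _REQUEST; plain SQL syntax is not inspected at all (parameterised queries, $wpdb->prepare() in WordPress code, remain the real defence against SQL injection), and any word containing "script" between angle brackets trips the first rule.

```python
import re

# The three RewriteCond patterns above, re-implemented for testing (added example,
# not the original post's rules). mod_rewrite searches each pattern anywhere in the
# raw, still URL-encoded query string; [NC] makes only the first one case-insensitive.
RULES = [
    ("script tag", re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE)),
    ("GLOBALS override", re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})")),
    ("_REQUEST override", re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})")),
]

def matching_rule(query_string):
    """Name of the first condition that fires (request gets a 403), or None if it passes."""
    for name, pattern in RULES:
        if pattern.search(query_string):
            return name
    return None

# Constructed query strings with the verdict the rules give them; none come from a real log.
SAMPLES = {
    "p=42": None,                                          # ordinary request
    "s=%3Cscript%3Ealert(1)%3C/script%3E": "script tag",   # URL-encoded <script>
    "s=<SCRIPT src=x>": "script tag",                      # [NC]: upper case still caught
    "GLOBALS[x]=1": "GLOBALS override",
    "_REQUEST%5Buser%5D=admin": "_REQUEST override",       # %5B is an encoded '['
    "s=%3Ci%3Etranscript%3C/i%3E": "script tag",           # false positive: "transcript" in tags
    "id=1 OR 1=1": None,                                   # SQL syntax itself is not inspected
}

def mismatches():
    """Samples whose actual verdict differs from the expected one (empty when all agree)."""
    return {qs: matching_rule(qs) for qs, want in SAMPLES.items() if matching_rule(qs) != want}

if __name__ == "__main__":
    for qs, want in SAMPLES.items():
        print(f"{qs:40} -> {matching_rule(qs)}")
    print("all samples as expected:", not mismatches())
```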

Prevent Brute-Force Login Attempts
Hackers often rely on automated scripts which make numerous attempts to log into your WordPress administration page by trying thousands or even millions of combinations of usernames and passwords. Remember the stat we cited to frighten you? It’s worth citing again: every day, there are almost 50,000-180,000 unauthorized login attempts on WordPress-hosted sites.
Before you pass out at the magnitude of that number, know that you’re far from powerless against these nameless, faceless hack attempts.
First, go back to step #1 on the list.
Second, install a login limiter for WordPress. A login limiter can block or quarantine an IP address or username which tries and fails to send login requests above a threshold rate. For example, a login limit of 10 attempts per 5 minutes can be backed up with a penalty timeout of 1 hour. Two WordPress plugins which let you enforce a login limiter are Limit Login Attempts and Better WP Security.
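A minimal login limiter of the kind described, written for this article as an added example (not code from Limit Login Attempts or Better WP Security): it reads Apache access-log lines and applies the 10-attempts-per-5-minutes / 1-hour policy above per client IP. It assumes that a POST to wp-login.php answered with HTTP 200 is a failed attempt (WordPress re-renders the form) while a success redirects with 302; the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Policy from the text: 10 failed attempts within 5 minutes earns a 1-hour lockout.
MAX_ATTEMPTS = 10
WINDOW = timedelta(minutes=5)
LOCKOUT = timedelta(hours=1)

LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse(line):
    m = LOG_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])

def lockouts(lines):
    """Return {ip: time the lockout began} for every IP that crossed the threshold."""
    # Assumption of this example: a POST to wp-login.php answered with 200 means the
    # form was re-rendered, i.e. the login failed; a successful login answers 302.
    failures = defaultdict(deque)   # ip -> timestamps of failures inside the window
    locked = {}
    for line in lines:
        if (rec := parse(line)) is None:
            continue
        ip, ts, method, path, status = rec
        if ip in locked and ts < locked[ip] + LOCKOUT:
            continue                # penalty still running: the request is dropped
        if method != "POST" or not path.startswith("/wp-login.php") or status != 200:
            continue
        window = failures[ip]
        window.append(ts)
        while ts - window[0] > WINDOW:  # forget failures older than 5 minutes
            window.popleft()
        if len(window) >= MAX_ATTEMPTS:
            locked[ip] = ts
            window.clear()
    return locked

def sample_log():
    """Constructed access-log lines (not from a real server): one client hammers the form."""
    base = datetime(2013, 3, 10, 10, 0, 0, tzinfo=timezone.utc)
    stamp = lambda t: t.strftime("%d/%b/%Y:%H:%M:%S %z")
    lines = [f'203.0.113.5 - - [{stamp(base + timedelta(seconds=10 * i))}] '
             f'"POST /wp-login.php HTTP/1.1" 200 3456' for i in range(12)]
    lines.append(f'198.51.100.7 - - [{stamp(base)}] "GET /wp-login.php HTTP/1.1" 200 3456')
    lines.append(f'198.51.100.7 - - [{stamp(base)}] "POST /wp-login.php HTTP/1.1" 302 0')
    return lines
```

Running lockouts(sample_log()) flags only 203.0.113.5, at the timestamp of its tenth failure; the legitimate client's form view and successful login are never counted.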

Bonus Tip
Install WordPress Firewall 2. That’s it. You don’t need to do anything else. Sit back and relax as it protects your blog from malicious hackers and notifies you when an attack is blocked.

Over to you!
Remember, the steps above are not the only security safeguards you should be considering, but they are a well-rounded start, especially for those who may have trouble implementing the basics. Take action on these tips and you’ll have the essential WordPress security measures in place.

Any WordPress security tips we might have missed? Please feel free to share your thoughts in the comments below.

Bhupender

A strategic thinker, Bhupender is an IT pro who has been in IT for over a decade. He leverages his expertise to explain complex technical queries in a simple and easy manner and discusses the latest emerging trends in IT and IT security in his blogs.