WordPress is the most popular publishing platform in the world. It runs over 24 percent of all websites worldwide. Since it’s an open source platform, the WordPress code is visible to everyone and because it powers so many websites, it has become a target for hackers. The most recent vulnerability discovered prompted the update to WordPress 4.7.2 to secure the WordPress core against SQL injections and the posts list table against a cross-site scripting (XSS) vulnerability.
If a perpetrator can find a vulnerability in WordPress itself, or a popular theme or plugin used by WordPress, it lets them very quickly infect a large number of websites using automated attacks.
Eric Murphy, Director of Security WP Engine, says “Web applications will never be 100 percent secure. Because WordPress makes up such a huge chunk of the internet, there’s the misconception that it’s less secure than other platforms (because it’s commonly targeted by hackers).
“With WordPress,” says Murphy, “a site owner must not practice laxity, but take extra precautions to harden his/her site’s web application. Security goes beyond the WordPress core code base; security management responsibilities fall on the site owner, IT departments, primary users, and external platform providers. It’s important that all parties understand potential security risks, and how to alleviate them.”
Web operators are always juggling the tradeoffs between security and website performance. Murphy says various security plugins that are implemented in a poor fashion can significantly degrade a site’s performance. Additionally, when default server software environments are not properly configured, performance (and security) inconsistency can occur.
“The biggest security vulnerability is an outdated WordPress component,” says Murphy when asked about what web operators can do to immediately to secure their WordPress sites. “The most important thing people should be doing is ensuring their WordPress core, themes and plugins are all kept up-to-date. Understanding the OWASP Top 10 further enables users, developers and engineers to protect their WordPress assets.”
Common Threats Against WordPress Site
Below is a list of common hacking attempts and vulnerabilities on WordPress and what you can do to prevent them.
- URL and SQL Injection
WordPress executes server-side scripts in PHP making it vulnerable to URL injection attacks. This happens when malicious commands are fed through the URL to WordPress making the platform act on them without authorization. SQL injection is a type of these attacks in which malicious commands target the database triggering behavior that could lead to exposing sensitive information that hackers use to deface and manipulate your site.
The best defense is setting up a thorough set of rules in your .htaccess file in Apache. This will act as a screen from all the URL requests and help strip off many of the malicious URL injections.
2. Access to Sensitive Files
This happens when you leave much of the sensitive files about your site easily accessed by anyone. Such files include the installation, PHP and wp-config files.
As with URL attacks, this is easily protected by writing a set of rules that blocks access to directory files, the site server and your CMS.
3. Default Admin Username
Retaining the administrator account after installing WordPress with the user name “admin” increases your site’s predictability, making it easy for a hacker to guess his way to your site. Create a new account with a new unpredictable name and strong password. Assign all the administrator privileges to the new user and delete the default administrator account. This makes it harder for any hacker to predict both username and password.
4. Change Default Settings
Many hacking attacks are done using automated programs. These rely on the default set up of your CMS. Changing the controls and permissions will protect you from many automated attacks
5. Update Your Site Regularly
Make sure everything from the platform to the plugins and extensions are all regularly updated. Making an update as soon as one is released will help prevent your site being compromised. Audit your plugins and remove unused plugins and themes and any vulnerability they may pose.
6. Enforce 2FA
Two-factor authentication adds a secondary form of identification in addition to an email address and a password to log into an account. This added layer of security makes it significantly harder to breach an account since the information is something only the user knows and can provide such as a security question, a thumbprint scan, a confirmation pin provided via a mobile device that is linked to the account or even an ID card.
7. Use Secure Hosting
Look for a hosting provider that offers managed patching when minor WordPress patches are released, and makes recommendations when major patches are available. Other features include reliable infrastructure security threat detection, firewalls and network monitoring.
Modern web security threats continue to persist. But Murphy is confident WordPress is prepared for the challenges ahead. “I think the community becomes very important here,” he says. “Reporting known vulnerabilities to firstname.lastname@example.org or email@example.com is the first step in communicating there’s a security issue so the open source community can work toward new security patches, and warn users of known issues with a certain plugin.
“One of the things WP Engine is working to change is the concept of threat intelligence sharing. Bad actors do this very well through a variety of mediums. Proper bug bounty programs, and intelligence sharing will be key to moving the community forward in WordPress security.
“It’s important for WordPress and its community to continue educating its users to know how to keep their site safe. No matter how secure WordPress is out of the box, it’s all for nothing if one fails to keep their site components updated, developers deploy exploitable code or practices general laxity in security best practices.”
Finally it’s important to implement security at all layers. A recent article from WP Engine discusses hardening WordPress at the application level. In addition securing a website’s infrastructure prevents unwanted hacks. Securing WordPress itself is not enough; it requires hosting providers, developers and users to work together to understand what’s required to prevent malicious activity.
Is there a question you have for our team or the team at WP Engine? Leave us a comment, we’d like to hear from you.