Why WordPress Needs Hardening with Better Security
20% of the web is powered by WordPress. Its the No.1 CMS on the internet by some distance and by proxy makes for an incredibly attractive target by those who want to hack it, own it, and use it for their own gain or ego. Out of the box WordPress is arguably as safe as any other CMS or web based software, however WordPress security could be better configured to cope with the sort of attacks now becoming commonplace on the Internet.
Below is a summary of 5 common issues within WordPress, and the community, and how to address them
1. Reduce or Eliminate Reliance on Third Party Plugins and Themes
One of WordPress’s greatest features, and arguably the reason for its popularity, is the access barrier remains low from a skill point of view. Its framework is simple and forgiving, meaning anyone with relatively little programming experience can start developing and publishing plugins or themes to the community. This is great in the sense it makes the community large and diverse, but without strict, enforced standards and knowledge of security a lot of vulnerabilities are unknowingly introduced into the community, effectively propagating exploits.
The fewer plugins you have the lesser exposure you have to potential vulnerabilities. Ideally you would have none installed, but this isn’t always possible due to the costs constraints of having a WordPress developer create all the bespoke functionality you need. If you are to use plugins we would suggest using ones from reputable publishers, that have a large install base, and have frequent updates (see the change log tab for publish dates).
Custom themes should always be avoided. Some disreputable sources are back doors in themselves, whilst others on popular sites like Theme Forest rely heavily on third party tools to create functionality that have historically had massive security issues (i.e. Revolution Slider and Timthumb).
2. Enforce Complex Passwords
Have you ever looked in the access logs of attempted logins on a website or even a server or router? If you did you would most likely see a huge log of attempted logins in the form of what’s known as a dictionary attack (“A dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or pass phrase by trying hundreds or sometimes millions of likely possibilities”).
To minimise risk of a dictionary attack correctly guessing your password (as with any website) always use strong passwords. With WordPress by default it will allow for weak passwords, however you can enforce a stronger policy through plugins like iThemes security or Force Strong Passwords. Alternatively, switch to a two step authentication process like Google Authenticator.
One final thing to note is when setting up your WordPress install never specify ‘admin’ as a username, by doing so it eliminates a common base element of dictionary attack guess work.
3. Limit Login Attempts and Implement IP Bans
Restricting login attempts and temporarily locking out users who fail a certain number of attempts is standard in most software, either web based or desktop. It’s always been puzzling why it isn’t a default in WordPress itself in its naked state, consequently it’s fallen to a range of plugins to fill the gap. They all work on the same principle by blocking that IP address from having the right to attempt to login if they repeatedly fail:
However in recent years, with the advent of botnets and proxies, login attempts can be distributed across thousands of IP addresses, so whilst one address gets banned the next IP kicks in and tries making it almost impossible to restrict those actions.This is where tools like BruteProtect and iThemes security offer a unique approach against these sorts of attacks. If a user has this plugin installed, any attempts are fed back into a central information source which in turn notifies all sites an IP address is to be blacklisted, effectively blocking them from your site before they’re even there.
4. Lockdown the ‘wp-admin’ Area to an IP Address
Do you or your clients only access the website from work? Is work on a static IP? If yes to both then one quick way to secure the wp-admin is to simply upload a .htaccess file containing the following to your /wp-admin folder:
Order Deny,Allow Deny from all Allow from 11.11.11.11
This effectively disables authentication for those outside the specified IP addresses.
5. Disable File Editing in ‘wp-admin’
Should the worst happen, having access to the wp-admin with the file editor (not the HTML editor) enabled means PHP code can be added and/or modified resulting in complete ownership of the account to do whatever evil they want. In short always add the following to your wp-config.php
define( 'DISALLOW_FILE_EDIT', true );
Next month we will cover why people would want to exploit your WordPress site, as well as how to clean it. Follow us on Twitter or Facebook for notifications.
