Thoughts

Your WordPress Security Sucks – Fix It Now

By November 4, 2016 No Comments

Your friends and colleagues tell you them, the web has plenty of horror stories, all involving security problems with WordPress sites. Maybe they’ve got you worried about your own site. Most likely these stories have shied you away from using WordPress for your: blog, website, corporation or enterprise.

The simple truth is, any site is only as secure as it’s weakest security measure and we could all implement additional measures for securing our WordPress installs,and websites in general. Naturally, this article will focus in on WordPress. I’m going to share with you seventeen steps you can do today to step up the security of your WordPress-powered sites.

“Security is not about perfectly secure systems. Such a thing might well be impractical, or impossible to find and/or maintain. What security is though is risk reduction, not risk elimination. It’s about employing all the appropriate controls available to you, within reason, that allow you to improve your overall posture reducing the odds of making yourself a target, subsequently getting hacked.” — codex.wordpress.org

Website security is often a top concern for site owners and prospects. This should ring especially true for WordPress site owners. Approximately 26 percent of all websites on the internet are powered by WordPress, with this popularity the CMS is often targeted by hackers. That doesn’t mean your site has to fall victim to malicious behaviour.

Security experts will agree that no system is 100 percent hack-proof, there are certain measures to be taken to prevent a hacked WordPress site. Below are some of the most important WordPress security tasks you should implement to reduce your chances of being affected by a disastrous brute-force or DDoS attack. Become more proactive against potential threats today.

Part 1: Secure WordPress Setup Tips

1. Keep WordPress Core, Themes, and Plugins up to date

The most common culprit, and the easiest to avoid, of a hacked WordPress website is an outdated component. Outdated plugins, themes, and core open the door for a potentially hacked site. Did you know these outdated files are traceable and make your site a target for intruders?

One study reported 54 percent of WordPress security vulnerabilities belonged to outdated WordPress Plugins (outdated WordPress core installs accounted for 37 percent, and outdated WordPress themes accounted for 11 percent).

Making it a routine of ensuring your WordPress site is up-to-date- is simple. When you see the orange notification in your WordPress dashboard next to plugins, themes, or a notification to upgrade WordPress, update ASAP!WordPress Security Updates

Setup automatic WordPress updates

If you feel your memory is not that great, or you don’t want to be bothered with manual updates, you can configure automatic updates. To auto-upgrade WordPress core, insert this code into your wp-config.php:

define( 'WP_AUTO_UPDATE_CORE', true );

For plugins, use:

add_filter( 'auto_update_plugin', '__return_true' );

For themes, use:

add_filter( 'auto_update_theme', '__return_true' );

Insert these lines just above the /* That’s all, stop editing! Happy blogging. */ comment. Make sure you are archiving your WordPress database daily, just in-case one of the automatic updates breaks something.

2. Only install trusted WordPress Themes and Plugins

How do you tell if a theme or plugin can be trusted? First, read its ratings. The WordPress community is very active and you can find clues to whether there have been security breaches or issues in the past, like buggy or broken updates.

WordPress Trusted Themes and Plugins

The second step is to check when a theme/plugin was last updated. If a theme or plugin hasn’t been updated by its author in some time (say over a year), then this inactivity is a sign you should move on.

The last step is to analyze a theme or plugin’s popularity. This helps ensure you aren’t installing malicious code into your WordPress site. Just remember, a widely popular theme or plugin doesn’t mean it’s not going to be targeted by hackers, but it does likely mean it will be updated with security patches regularly due to its wide use.

3. Remove unused Themes and Plugins

Wordpress Inactive PluginsAs your WordPress site grows and evolves, you will start to accumulate themes and plugins. These require some housekeeping. Go through and delete any themes and plugins you are no longer using. Not only will this make your site run faster, it will also remove security vulnerabilities from stagnant or outdated files.

If using WordPress multisite, you will need to determine if what sites are using which themes and plugins before removing them. You can easily perform a theme and plugin audit using the Network Plugin Auditor plugin.

Read the codex for more information on WordPress housekeeping and how to remove unused plugins and themes.

4. Regular WordPress site backups

You’ve now taken care of many security precautions (along with the ones listed below) you should ALWAYS backup your WordPress site.

Backing up your WordPress site is fairly easy to do, check out these instructions from the WordPress codex. Or you can try a premium plugin like BackupBuddy.

5. Install a WordPress Security Plugin

Installing a WordPress security plugin should be a no-brainer when it comes to enhancing the security of your site. The truth is, most people don’t. Installing a security plugin allows you to become more proactive against security threats and minimize any security vulnerabilities.

iThemes Security

iThemes SecuritySecuri Security

Securi Security - Auditing

Premium: Hide My WP

Hide my WordPress

Part Two: Secure WordPress Users and Dashboard

1. Change or exclude the “Admin” username
WordPress Admin Username

WordPress, by default, gives the primary user account the username “admin” when installed via a “one-click” install system on most hosting platforms. Leaving the username as “admin” is an instant security threat to your site. If a hacker wants to crack the code, half of the puzzle is already solved, they just have to guess your password.

Removing or changing the “admin” username is an important step to improving site security. To do this, simply go to the “users” section of the WordPress admin panel and rename or delete the “admin” account or username.

2. Enforce strong passwords and usernames

Strong username and passwordWe all love using a password that’s simple to remember, but this quickly can become an easy portal into your WordPress admin dashboard. Using an easy password, like one that contains your house number, makes it easier for hackers to crack your passcode using brute force automated scripts or a dictionary attack, to try and guess your password and username over and over.

Help your users choose a strong and secure enough password, have them use a tool like Secure Password Generator or Strong Password Generator. Should you choose to require your users to use a strong password, you can use a plugin like Force Strong Passwords.

3. Secure your admin area

Now that you’ve implemented strong and random usernames and passwords, using additional layers of authentication is still a good idea. They can drastically lower the chance of a brute-force attack becoming successful.

a) Password protect the WordPress login page

On an Apache web server, you can use htpasswd, which is a simple method of password-protecting website files. (IIS, Nginx and other web servers will have their own version of password protection).

For WordPress, you could password protect the wp-login.php file, as an example. Doing this will require users of your site to type in an additional username and password before they can access the WordPress login page.

Read this great tutorial on how to password protect your WordPress admin area.

b) Set up Two-Factor Authentication (2FA)

Two-factor authentication requires two separate steps of validation before allowing you intor your WordPress admin area. If you username and password are ever compromised without your knowledge, this additional layer of authentication helps secure your WordPress site. 2FA can give you time to reset your login information before your WordPress admin area is breached. The second layer of authentication also informs you when there are attempts to log into your WordPress admin area.

Here’s how it works:

  1. You sign into WordPress as you normally do.
  2. Right after entering your login information, you’ll receive a unique one-time-use password on your mobile phone that will expire after a certain amount of time.
  3. If the unique password is incorrect or if the password has expired, access to your WordPress admin area will be denied, even if the login credentials used are valid.

Google AuthenticatorYou can use the Google Authenticator for WordPress plugin in conjunction with the Google Authenticator (which is available on Blackberry, iOS and Android devices).

Duo Two Factor Authentication

Another great plugin to consider is Duo Two-Factor Authentication. It can be set up to send an SMS to your mobile phone or to perform a voice call that discloses your unique password.

c) IP Address whitelisting

With this option, only authorized (whitelisted) IP addresses can access the WordPress admin area.

One of the drawbacks with IP address whitelisting is, if you work in many places (coffee shops, coworking spaces, etc.) or if you’re travelling frequently, this security measure can be a hassle since you’d have to whitelist the IP address you are using before you can access your admin area. Of course, there are work arounds, using a VPN so that you have a static IP address regardless of which network you’re connecting from.

Whitelisting IP addresses can be done through your site’s .htaccess file. You can use the following directive to deny access to WordPress’s wp-login.php page if the request does not originate from your IP address (replace your.ip.address below with the IP address you normally use):

<files wp-login.php>
   order deny, allow
   deny from all
   allow from your.ip.address
</files>

If you want to whitelist multiple IP addresses, just add additional allow from lines. Here’s an example where the directive whitelists two different IP address:

<files wp-login.php>
   order deny,allow
   deny from all
   allow from 255.255.255.0
   allow from 127.0.0.1
</files>
4. Limit login attempts

WordPress Core doesn’t have a limit as to how many times one can guess a password to log in. This presents a problem because hackers and bots generally won’t give up.

Example: in a brute-force attack, a hacker uses a script to enter different password combinations until they’ve cracked the code.

Fortunately, there are some great plugins built for limiting logins:

Part Three: Advanced Security

1. Hide your WordPress Version

If you plan on, or need to defer a WordPress update, you should consider hiding your WordPress version because it provides hackers and bots useful information about your site.

There are three areas where your WordPress version number will be hidden:

a) The generator meta tag in the header:

<meta name="generator" content="WordPress 4.6.1" />

b) Querystrings on scripts and styles:

subscriptions.css?ver=4.6.1

c) Generator tag in RSS feeds:

http://wordpress.org/?v=4.6.1

To get rid of your WordPress version number in all three areas, add this code to your theme’s functions.php file:

/* Hide WP version meta tag from header and generator tag from feeds
 * @return null
 * @filter the_generator
 */
function mbd_remove_wp_version_tag() {
	return null;
}
add_filter( 'the_generator', 'mbd_remove_wp_version_tag' );

/* Hide WP version strings from scripts and styles
 * @return {string} $src
 * @filter script_loader_src
 * @filter style_loader_src
 */
function mbd_remove_wp_version_strings( $src ) {
	global $wp_version;

	$parts = explode( '?', $src );

	if ( $parts[1] === 'ver=' . $wp_version ) {
		return $parts[0];
	}
	else {
		return $src;
	}
}
add_filter( 'script_loader_src', 'mbd_remove_wp_version_strings' );
add_filter( 'style_loader_src', 'mbd_remove_wp_version_strings' );

You should also make sure your readme.html file is removed from your install, as this also exposes your version number.

2. Rename or Relocate the Login Page

Relocating your login page is worth the effort. Not only does it make your site more bulletproof, it hides the fact that you’re on WordPress, and limits brute-force attacks on your login page.

If a malicious user was trying to compromise your WordPress site and came across a 404 error upon entering your login page, say mybrotherdarryl.com/wp-login.php, they’d likely move on to an easier target.

You can try using a plugin like Move Login or Rename wp-login.php, but if you’ve already taken our earlier advice you could just use iThemes Security or Hide my WP to achieve this step.

Be sure to talk to your web host or developer to ensure the steps you are taking are correct.

3. Secure the WP-CONFIG file

The wp-config.php file contains your website’s base configuration details, like database connection information. Just like we did with your wp-login.php file, we want to protect your wp-config.php file from intrusion. Add the following code to your .htaccess file to deny access to anyone surfing it:

<files wp-config.php>
   order allow,deny
   deny from all
</files>

For information on moving the wp-config.php file, see the WordPress codex.

4. Use SSL (Secure Sockets Layer) for data security

Enabling SSL is the next crucial step to a more secure site. SSL (Secure Sockets Layer) encrypts all information sent to and from your site. That way the private data visitors share with your site stays private. Even Google is making it a requirement in their January 1, 2017 release of the Chrome Browser.

SSL helps ensure that malicious users can’t see or intercept the data your users share on your site. If you are collecting sensitive information like, credit card numbers, usernames, passwords it is important to have the secure tunnel SSL creates.

Indentifying whether or not a site is SSL certified is simple. An SSL certified site will start with an HTTPS in the URL address, while a site that’s not SSL certified will being with HTTP.

5. Actively monitor incoming attacks

It’s vital to your site’s health to monitor incoming security attacks. Not only does this make you aware of what’s going on inside your WordPress installation from a historical perspective, it also allows you to act before a breach occurs.

Here are a couple of tools that can help you with malware monitoring:

We like WP Security Audit Log as it lets us quickly identify if an individual user account has been compromised.

Receiving insight into what’s happening in your WordPress install via a website malware scan tool is a good idea for tighter security and eases diagnosis of any issues that might occur.

6. Use a secure hosting environment and developer

You can follow all of the security measures above, however, if you don’t invest in a secure hosting provider and developer, these efforts are all for nothing.

Secure hosting and development with My Brother Darryl addresses many of the above tasks (daily backups, 2FA, etc.) by setting your site up correctly from the start.

Here are just some of the security benefits working with My Brother Darryl.

Automatic updates to new versions of WordPress

When WordPress rolls out a fresh new version of the Core, we automatically upgrade your site for you so it contains the latest security patches.

Blocking potential hacks as they occur

Since we have set your site up securely from the start, we’re blocking potential hacks before they happen. We have the technology to detect threats in real-time, blocking even the most sophisticated hacks like, JavaScript/SQL injection and XML-RPC attacks, along with a variety of DDos and brute-force attacks.

This technology also blocks IP addresses identified as belonging to spammers or hackers.

Periodic security audits and code reviews

My Brother Darryl conducts periodic code reviews and security audits of our infrastructure. We also partner with outside security businesses to ensure we have the best possible security measures in the industry.

High-performance servers

We provide high-performance secure servers set up properly for your web environment.

Hacked? We’ll fix it for free.

Under the wrong provider, you could be charged thousands to fix a hacked site. By choosing My Brother Darryl as your web host and development provider, in the unlikely event that your site is compromised, we’ll fix it at no extra cost to you.

Happy Site Securing!