WordPress Security Tips
Simplified

so you can get back to building WP

1. Lack of updates will get sites compromised

By far the majority of successful attacks against WordPress installations are automated attacks (scripts) exploiting known security vulnerabilities in themes or plugins.

The key is ensuring that the security fixes for those known vulnerabilities are applied. Recent versions of WordPress have a built-in capability to automatically update the WordPress core. Plugins and themes will usually alert the user in the WordPress admin dashboard when updates are available.

Recommended Actions:
1. Use automated updates, or make a regular schedule to apply updates to all components: WordPress core, all plugins and your theme.
2. Delete unused plugins and themes from the WordPress installation. Code left in the /wp-content/plugins/ or /wp-content/themes/ folders on the site can still be attacked, even when it is not in use.
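The two actions above can be scripted so they happen on a schedule rather than when someone remembers. The script below is an added example, not code from the original page; it assumes WP-CLI (the `wp` command) is installed on the server, and WP_ROOT is an assumed path you would change to your site's directory. The parsing helpers work on WP-CLI's CSV listing, so they can be exercised on a constructed listing without a live install.

```shell
#!/bin/sh
# Added example, not from the original page: keep a WordPress install patched
# and strip out plugin/theme code that is installed but not in use.
# Assumes WP-CLI (the `wp` command) is installed on the server; WP_ROOT is an
# assumed path, change it to your site's directory.
set -eu

WP_ROOT="${WP_ROOT:-/var/www/html}"

# The three helpers below are plain text filters over WP-CLI's CSV output
# (first columns: name,status,update,version), so they can be exercised on a
# constructed listing without a live WordPress install.

# Names of plugins whose status is "inactive": still on disk, still reachable
# by an attacker's scanner, but doing nothing useful for you.
inactive_plugins() {
    awk -F, 'NR > 1 && $2 == "inactive" { print $1 }'
}

# Names of themes that are neither the live theme ("active") nor the parent
# of a child theme ("parent"); WordPress never loads these.
unused_themes() {
    awk -F, 'NR > 1 && $2 != "active" && $2 != "parent" { print $1 }'
}

# How many listed components still have an update waiting ("available").
pending_updates() {
    awk -F, 'NR > 1 && $3 == "available" { n++ } END { print n + 0 }'
}

# Bring core, every plugin and every theme up to their latest versions.
apply_updates() {
    wp --path="$WP_ROOT" core update
    wp --path="$WP_ROOT" core update-db
    wp --path="$WP_ROOT" plugin update --all
    wp --path="$WP_ROOT" theme update --all
}

# Delete whatever is installed but not active, so it cannot be attacked.
prune_unused() {
    wp --path="$WP_ROOT" plugin list --format=csv | inactive_plugins |
        while read -r name; do
            wp --path="$WP_ROOT" plugin delete "$name"
        done
    wp --path="$WP_ROOT" theme list --format=csv | unused_themes |
        while read -r name; do
            wp --path="$WP_ROOT" theme delete "$name"
        done
}

# Report what is still outstanding after the run, as a sanity check.
status_report() {
    plugins=$(wp --path="$WP_ROOT" plugin list --format=csv | pending_updates)
    themes=$(wp --path="$WP_ROOT" theme list --format=csv | pending_updates)
    echo "pending plugin updates: $plugins, pending theme updates: $themes"
}

# Only touch the site when explicitly asked (e.g. from a cron entry such as
#   0 3 * * * /usr/local/bin/wp-maintain.sh run), so sourcing this file is safe.
if [ "${1:-}" = "run" ]; then
    apply_updates
    prune_unused
    status_report
fi
```

Run it as `wp-maintain.sh run` from cron (the path is an assumption) and review the status line it prints; a non-zero count after the run means an update failed and needs a human to look at it.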

2. Passwords really do suck

During 2013 a botnet made up of over 90'000 web servers was built by automated scripts brute forcing weak WordPress admin passwords. The password list used consisted of 1000 common passwords.

In testing WordPress password brute forcing against a small VPS, I was able to attack 700'000 password combinations a day without taking down the VPS or the site. In fact, without security monitoring (see number 6), I may not have even noticed the password guessing attack.

These two examples highlight the fact that weak passwords can easily be attacked both by automated attackers and more focused targeted attacks.

Recommended Actions: make your password strong and don't reuse passwords.
jfe*3fF1@5hN <- Good (just don't use the example!)
P@ssw0rd1 <- Bad (common words with simple changes can be easily guessed)

3. Secure your Server

It is important to understand that the security of your WP site involves more than locking down the WordPress application: you must also ensure the server the site runs on is secure. There is no point locking the window if the door is wide open.

From required services such as Nginx / Apache, PHP and MySQL, to remote access services (SSH / Webmin / cPanel) and components such as web server caching layers, it only takes a configuration error, a poor password or a software vulnerability to lose everything, including root access.

In the past even some of the most well known shared web hosting providers have had mass compromises of WordPress sites.

Recommended Actions: whether your hosting is VPS / dedicated / shared / managed or unmanaged, ensure the administrators of the servers follow basic security processes and manage the system proactively. This could mean using a dedicated WordPress hosting solution; in many instances you may be the administrator, in which case at a minimum keep everything updated, use strong passwords and regularly check for vulnerabilities.

4. FTP is very much a protocol from the 90's

Transferring files to your web server using FTP is simply a bad idea. The FTP protocol sends the username and password to the server in the clear. There is no protection around the authentication, meaning anyone sniffing the traffic can easily collect your web hosting password.

Most web servers will have SSH, and if they do you should be able to upload your files using SFTP or SCP. Using SFTP ensures that both the authentication and the file transfer occur inside an encrypted tunnel using the SSH protocol. A client such as WinSCP can make this process very similar to FTP for those Windows users who think bash is something you do with a club.

Recommended Actions: whatever method you use for uploading images and other files, ensure the protocol uses encryption. Examples include SFTP over SSH, HTTPS if using a web-based upload method, or even a virtual private network (VPN) to your server.

5. Of course you have HTTPS on /wp-admin/

Similar to tip number 4, accessing /wp-admin/ over plain HTTP means your password and WordPress authentication cookie can be scooped up by anyone with access to your traffic. In a coffee shop / library / airport with free WiFi this means anyone could get full admin access to your site without even sending a packet to you.

Recommended Actions: enable HTTPS on /wp-admin/ and your login page at a minimum. SSL certificates are cheap, at less than $10 for a year.
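WordPress itself can be told to serve /wp-admin/ and the login page only over HTTPS through the FORCE_SSL_ADMIN constant in wp-config.php (a real WordPress setting, though not one the tip above names). The helpers below are an added example, not code from the original page: they check whether the constant is set and add it if not. They assume the web server already has a working HTTPS certificate for the site; the wp-config.php path is whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the original page: verify, and if necessary set,
# WordPress's FORCE_SSL_ADMIN constant, which makes WordPress use HTTPS for
# /wp-admin/ and wp-login.php. Assumes HTTPS is already configured on the web
# server for the site's hostname; otherwise the admin area becomes unreachable.
set -eu

# Return 0 if wp-config.php (arg 1) defines FORCE_SSL_ADMIN as true.
# The pattern tolerates the spacing and quote styles people commonly write.
force_ssl_admin_enabled() {
    grep -Eq "^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]FORCE_SSL_ADMIN['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# Insert the define just above the "That's all, stop editing!" marker that
# wp-config.php carries, keeping a .bak copy of the original file. Safe to
# run repeatedly: it does nothing when the constant is already set.
enable_force_ssl_admin() {
    cfg="$1"
    force_ssl_admin_enabled "$cfg" && return 0
    cp "$cfg" "$cfg.bak"
    awk -v line="define( 'FORCE_SSL_ADMIN', true );" \
        'index($0, "stop editing") { print line } { print }' "$cfg" > "$cfg.new"
    mv "$cfg.new" "$cfg"
}

# Human-readable check, e.g. for a nightly report.
report_force_ssl_admin() {
    if force_ssl_admin_enabled "$1"; then
        echo "FORCE_SSL_ADMIN: enabled"
    else
        echo "FORCE_SSL_ADMIN: NOT set, admin logins may go over plain HTTP"
    fi
}

# Only modify a file when explicitly asked, e.g.:
#   wp-force-ssl.sh enable /var/www/html/wp-config.php   (path is an assumption)
case "${1:-}" in
    enable) enable_force_ssl_admin "$2"; report_force_ssl_admin "$2" ;;
    check)  report_force_ssl_admin "$2" ;;
esac
```

After enabling it, confirm in a browser that http://your-site/wp-login.php lands on the https:// URL; the constant only tells WordPress which scheme to use, it does not create the certificate or the web server's HTTPS listener.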

6. Who is watching your site?

Security monitoring alerts you to events on your system that are a potential threat. Tuning (customising) the security monitoring application or script ensures that only events (log entries) that meet a threshold trigger an alert; other events are recorded and can be compiled into a regular security report.

Recommended Actions: for those who manage the server, a security monitoring tool such as the open source OSSEC is an excellent option. It detects a wide variety of events on a system, can alert on or block attacks, and can even provide immediate alerts in the event of a compromise.
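The password guessing described in tip 2 is exactly the kind of event tip 6 wants surfaced. As an added example (not from the original page, and not OSSEC's own logic), the script below reads web server access log lines in the combined log format written by Apache and Nginx and counts failed POSTs to /wp-login.php per client IP. The log lines are constructed samples using documentation IP addresses, and the alert threshold is an assumption you would tune for your own traffic.

```shell
#!/bin/sh
# Added example, not from the original page: spot password guessing against
# /wp-login.php by counting failed POST requests per client IP in the web
# server's access log (combined log format, as written by Apache and Nginx).
set -eu

# Constructed sample log lines (RFC 5737 documentation addresses), standing in
# for /var/log/nginx/access.log or /var/log/apache2/access.log.
SAMPLE_LOG='198.51.100.7 - - [10/Mar/2014:09:12:01 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2014:09:12:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3900 "-" "python-requests/2.2"
203.0.113.9 - - [10/Mar/2014:09:12:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3900 "-" "python-requests/2.2"
203.0.113.9 - - [10/Mar/2014:09:12:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3900 "-" "python-requests/2.2"
203.0.113.9 - - [10/Mar/2014:09:12:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3900 "-" "python-requests/2.2"
198.51.100.7 - - [10/Mar/2014:09:15:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2014:09:15:41 +0000] "GET /wp-admin/ HTTP/1.1" 200 21000 "-" "Mozilla/5.0"'

# Read log lines on stdin; print "<count> <ip>", busiest first, for every
# client that POSTed to wp-login.php and got the form back. WordPress answers
# a successful login with a 302 redirect to /wp-admin/ and a failed one by
# re-serving the form with a 200, so only 200 responses count as failures.
# Fields: $1 client IP, $6 "<method>, $7 path, $9 status.
failed_logins_per_ip() {
    awk '$6 == "\"POST" && $7 == "/wp-login.php" && $9 == "200" { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Print only the IPs whose failed-attempt count reaches the threshold (arg 1).
flag_bruteforce() {
    failed_logins_per_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Report for the embedded sample. On a real server replace the printf with
# something like: tail -n 10000 /var/log/nginx/access.log
report() {
    printf '%s\n' "$SAMPLE_LOG" | flag_bruteforce "${1:-3}"
}
```

Run `report` from a cron job and mail its output, or feed the flagged addresses to your firewall: four failed logins in two seconds from one address with a scripting user agent, while the legitimate user logs in once and is redirected, is the pattern the 700'000-attempts-a-day test in tip 2 produces. The threshold of 3 is only a placeholder; a site with many editors needs a higher one, and a window (failures per hour) rather than a raw count once the log grows.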

7. Test for weak security

Find out if your security is rubbish, so you can start to mitigate any security issues. Understand the security of both your system and your WordPress site so you can effectively evaluate the risk and make informed decisions when securing them.

Recommended Actions: use security vulnerability scanners to discover your points of weakness. Test your WordPress application (WPScan), web server (Nikto), system (OpenVAS) and firewall (Nmap) for any issues.

8. You do have Backups..... Don't You???

In the event that the above steps are not enough and you still get hacked (yes, it could happen) you need a plan of last resort to get your site back online and doing its thing. This is where backups take the stage. Even if you don't get hacked, you really need a recent backup in the event of hardware failure anyway.

Recommended Actions:
1. Make sure you always have an up to date copy of your web server path (WordPress files), your full WordPress database and any custom configuration files from your server. Basically, you should be able to get back online as fast as possible in the event of catastrophic failure (hard drive failure) or system compromise.
2. Make sure the backups are tested regularly, that they are working and that they can be extracted. Test by installing your site on a local system from the backup.
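Both actions fit in one script: archive the files, dump the database, then prove the archive can be read back before trusting it. This is an added example, not code from the original page. WP_ROOT and BACKUP_DIR are assumed paths, the database credentials are read from wp-config.php rather than duplicated, and the dump step needs mysqldump on the server.

```shell
#!/bin/sh
# Added example, not from the original page: snapshot the WordPress files and
# database into dated archives, then verify the archive before trusting it.
# WP_ROOT and BACKUP_DIR are assumptions; adjust them to your server.
set -eu

WP_ROOT="${WP_ROOT:-/var/www/html}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/wp}"

# Pull define( 'KEY', 'value' ) out of wp-config.php (arg 1, key in arg 2),
# so the script never carries a copy of the database password.
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Archive a directory tree into <dest>/files-<stamp>.tar.gz and write a
# SHA-256 checksum beside it. Prints the archive path.
backup_files() {
    src="$1"; dest="$2"; stamp="$3"
    archive="$dest/files-$stamp.tar.gz"
    tar -C "$(dirname "$src")" -czf "$archive" "$(basename "$src")"
    (cd "$dest" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256")
    printf '%s\n' "$archive"
}

# Dump the full database to <dest>/db-<stamp>.sql.gz. MYSQL_PWD keeps the
# password out of the process list; --single-transaction gives a consistent
# snapshot of InnoDB tables without locking the live site.
backup_database() {
    cfg="$1"; dest="$2"; stamp="$3"
    db_name=$(wp_config_value "$cfg" DB_NAME)
    db_user=$(wp_config_value "$cfg" DB_USER)
    db_pass=$(wp_config_value "$cfg" DB_PASSWORD)
    db_host=$(wp_config_value "$cfg" DB_HOST)
    MYSQL_PWD="$db_pass" mysqldump -h "$db_host" -u "$db_user" --single-transaction "$db_name" |
        gzip > "$dest/db-$stamp.sql.gz"
    gzip -t "$dest/db-$stamp.sql.gz"
}

# Return 0 only if the checksum still matches and tar can list every member.
# A backup that fails this is not a backup.
verify_backup() {
    archive="$1"
    (cd "$(dirname "$archive")" && sha256sum -c --status "$(basename "$archive").sha256") &&
        tar -tzf "$archive" > /dev/null
}

# Full run: files, database, verification. Exits non-zero if anything fails,
# so a cron job's mail tells you the backup is broken before you need it.
run_backup() {
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$BACKUP_DIR"
    archive=$(backup_files "$WP_ROOT" "$BACKUP_DIR" "$stamp")
    backup_database "$WP_ROOT/wp-config.php" "$BACKUP_DIR" "$stamp"
    verify_backup "$archive" && echo "backup $stamp verified in $BACKUP_DIR"
}

# Only write anything when explicitly asked (e.g. cron: 30 2 * * * wp-backup.sh run).
if [ "${1:-}" = "run" ]; then
    run_backup
fi
```

Copy the dated files off the server (a compromised host can delete its own backups), and do the restore test the tip asks for: extract the archive and load the .sql.gz into a local MySQL, then point a local WordPress at it.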


© 2014 Hacker Target Pty Ltd - ACN 600827263, Powered By Open Source Software