WordPress (WP, WordPress.org) is a free and open-source content management system (CMS) written in PHP and paired with a MySQL or MariaDB database. Features include a plugin architecture and a template system, referred to within WordPress as Themes. As one of the most popular content management system solutions in use, WordPress is used by 42.8% of the top 10 million websites as of October 2021.
Its wide use makes WordPress an avenue for a peripheral of attacks since attackers know that a number of users would be affected by a single exploited vulnerability.
In this article, we dive into how to implement some basic security for your WordPress site to avoid being a victim of amateur attacks, but before that, we’ll look into some common vulnerabilities that can be exploited to attack your WordPress site.
Contents
Common vulnerabilities:-
WordPress plugins
Plugins allow users to add new functionality or extend existing functionality on their WordPress site which usually simplifies their work and improves their experience. This inadvertently means that virtually every WordPress user uses one or more plugins on their site.
However, like most software, a lot of these plugins come with their own flaws and vulnerabilities which can be exploited by attackers to gain access to your WordPress site. Examples of plugins that have been exploited in the past include Contact-Form-7, Simple-File-List, among others.
Misconfiguration
When setting up your WordPress site, you have an array of setting options that you can play around with to meet your needs. When configured right, you can make it harder for an attacker to use tools like wpscan to map your site but because security is rarely a priority when setting up a site for the first time, a lot of people ignore the security configurations.
This would lead to instances like unchanged default admin credentials, exposed wp-admin and/or wp-login page, disabled logging, disabled alerts, e.t.c, all of which are threat avenues an attacker can use to take over your site.
Poor Access Control
Like any other digital asset, it is important to control who has and can access your site. Poor access control would lead to scenarios where some users have admin privileges that they don’t need, users having weak passwords, every IP being able to access your wp-admin/login page, e.t.c.
All of these forms of poor access control and many more would make it easier for an attacker to get into your site and/or take it down if they exploited a user with admin privileges.
The above cover the most common avenues an attacker would exploit to attack your site. Now that we know what’s wrong, here’s a number of Security recommendations;
How to protect your wordpress site from common vulnerabilities
Update software
The war between attackers and defenders is never-ending and therefore software and plugin developers are always working to make their plugins more secure by sending updates and patches. It is important to ensure that all the software you’re using on your WordPress site is up-to-date and every latest patch has been installed e.g PHP version, WordPress version, plugins, e.t.c. Updates and patches can come in anytime so always be vigilant and on the lookout for them.
Apart from updates and patches, you should also ensure that your software is from a trusted source so that you do not unknowingly install a malicious plugin/software on your WordPress site. You can do this being finding out more about the developer, other products they’ve received, and what people that have used them have to say, more often than not you’ll be warned if a piece of software is malicious.
Last but not least, even if your software is from a trusted source, always check that it is still being updated and isn’t on the journey of being phased out. If a piece of software is being phased out, no more updates and patches will be made for it which will make you vulnerable to future attacks that arise due to a flaw in that software.
Use Secure WordPress Hosting
The security of your site doesn’t only rely on how secure your site is but also on how secure your hosting service is. Be sure to make enough research before choosing a hosting service and keep security in front for your decision.
Have a strong Username and Password Policy
First things first, ensure to change your default admin credentials. But also make a policy that allows for clever usernames and strong passwords. Weak passwords are one of the most common reasons for attacks so don’t be a culprit.
LockDown WordPress Admin
Sometimes the easiest way to protect something from an attacker is to make sure they can’t find it. The same is true for your wp-admin URL; by changing the URL you can make yourself less of a target and better protect yourself against brute force attacks. This is not a fix-all solution, it is simply one little trick that can definitely help protect you.
Another way you can protect your site by hiding something is by hiding your WordPress version. What an attacker doesn’t know, they can’t use.
Two-Factor Authentication
Since brute force attacks are very common with WordPress sites, one of the easiest ways to mitigate them is by setting up two-factor authentication for both your WordPress installation and your WordPress hosting account.
HTTPS – SSL Certificate
A common misconception is that if you don’t accept credit cards then you don’t need SSL. However, one of the easiest ways to harden your WordPress security is to install an SSL certificate and run your site over HTTPS.
Hardening wp-config.php
Your wp-config.php file is like the heart and soul of your WordPress installation. It is by far the most important file on your site when it comes to WordPress security. It contains your database login information and security keys which handle the encryption of information in cookies. To secure it you can start with;
- Moving your wp-config.php file from your root directory to a non-www accessible directory.
- Update your WordPress security keys
- Change your permissions from the default ones
HTTP Security Headers
Another step you can take to harden your WordPress security is to take advantage of HTTP security headers. These are usually configured at the webserver level and tell the browser how to behave when handling your site’s content.
KeyCDN has a great in-depth post if you want to read more about HTTP security headers.
WordPress Security Plugins
Since we know that plugins have become part of the anatomy of a WordPress site, it would be promiscuous to not mention the various security plugins that exist. Here are a few that you can check out to help beef up your site’s security.
Database Security
More than anything, it is important to secure your database. You could start with using a clever database name. With a site named a new site, by default, your WordPress database is most likely named wp_newsite. Changing your database name to some more obscure helps protect your site by making it more difficult for hackers to identify and access your database details.
You could also use a different database table prefix. By default, WordPress uses wp_. Changing this to something like 39xw_ can be much more secure. When you install WordPress it asks for a table prefix. There are also ways to change the WordPress table prefix on existing installations.
File and Server Permissions
File permissions on both your installation and web server are crucial to beef up your WordPress security. If permissions are too loose, someone could easily gain access to your site and wreak havoc. On the other hand, if your permissions are too strict this could break functionality on your site. So it is important to have the correct permissions set across the board.
Always Take WordPress Backups
We all always put off backing up our data until it’s too late. But in the likely scenario that your site has been hacked, having a current backup would help you recover pretty fast. So even if it feels like taking backups won’t immediately protect your site, it might be the only way you recover from an attack in the future.
Conclusion
As you can see, there are a number of things that we ignore that make our WordPress sites more vulnerable to attacks from weak passwords to misconfigurations. We’ve gone through some basic measures you can take to protect your WordPress sites from attacks but it’s important to note that each of these measures has a lot more to it that we might have not mentioned in this article.
Vigilance is the best way to keep safe from attacks but we should remember that if an attacker is committed to hacking your site, they’ll eventually get in so it’s crucial to keep current backups to be able to recover easily in case an attack happens.