7 Essential Steps For Hardening WordPress
By
Piyush Vekariya
4.9.2017
WordPress is well known to be a target for hackers. So, anything you can do to harden your WordPress site is a sensible thing to do; and should be part of your overall design process. Here we’ll look at some of the main areas that should be on your list of potential areas of weakness and what you can do to add greater levels of security and protection.
The general areas that need attention are listed below, but bear in mind that you may have site-specific security requirements too:
~ Access control to the site content
~ Securing WordPress core files
~ Plug-in and theme security
~ WordPress vulnerabilities
~ Webserver vulnerabilities
~ Secure communications / HTTPS
~ Disaster recovery
Much of the security of WordPress comes down to the same core processes as securing any other digital system, i.e. handling software vulnerabilities, controlling access, securing communications and having a plan if it all goes wrong.
To begin, you should always start with a security strategy plan in mind, based on the types of security issues and their potential resolution. The plan should take into account what the site is used for and by whom. For example, SSL may not be required for visitors if you don’t create user accounts, and so on; but you may use third-party adverts, and these can be a malware vector. So the plan should reflect the level of security that is required by the site.
However, some things are fundamental and should always be implemented, for example, good login security for site administrators and contributors.
ACCESS CONTROL: FRIEND NOT FOE
The first area to look at is setting up how your administrators, contributors and other users can access and modify the site content. This area is fundamental to controlling the security of your site. Some areas are very difficult to secure, insider threats for example. If one of your privileged users decides to turn against you, that event is difficult to predict and control. However, you can manage insider threats through good monitoring of usage behaviour and pre-empt issues by, for example, removing old accounts.
Insider threats are one thing, but controlling cyber-attacks, such as brute force attacks, is another. There are a number of ways you can control these sorts of attacks, where hackers attempt to access your accounts.
Brute force attacks are where a hacker uses an automated program to enter many typical usernames and passwords into your login screen to try to force entry. People tend to follow patterns in their usernames and passwords, so these attacks can be very successful. For example, password policies that typically ask for a capital letter and a number result in many people taking a typical password such as “password” and simply changing it to “Password1”. Hackers know this and use this type of behaviour against us.
To prevent brute force attacks you should:
~ Use a non-typical username (for example, don’t use “admin” as your username).
~ Use a long password with special characters as well as words and letters; this just makes it that much harder for hackers to succeed with brute force attacks.
~ Enable second factor authentication within your WordPress login system. You can use plugins such as the DUO plugin to require a mobile-app-based code, or an SMS text code, as well as the username and password to access the WordPress CMS.
~ If you don’t like second factor authentication, you can alternatively use a Captcha method such as Math Captcha.
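A complementary control that the plugins above implement in a more polished form is to slow the automated program down. The following is an added example written for this article, not code from WordPress or from any plugin named here; it is a hypothetical must-use plugin that counts failed logins per client address and username using the WordPress transient API and refuses further attempts for a while once the limit is reached (the names lt_key, LT_MAX_ATTEMPTS and LT_LOCKOUT_SECONDS are the example's own).

```php
<?php
/**
 * Plugin Name: Login throttle (hypothetical example)
 * Save as wp-content/mu-plugins/login-throttle.php; mu-plugins load automatically.
 * Tracks failed logins per client IP + username in a transient and refuses
 * further attempts for LT_LOCKOUT_SECONDS once LT_MAX_ATTEMPTS is reached.
 */

const LT_MAX_ATTEMPTS    = 5;    // failures allowed inside one window
const LT_LOCKOUT_SECONDS = 900;  // window length and lockout: 15 minutes

// Transient name for this IP + username pair (option names must stay short).
function lt_key( string $username ): string {
    // Assumption: REMOTE_ADDR is the real client address. Behind a reverse
    // proxy use the forwarded header that your proxy is known to overwrite.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'lt_' . md5( $ip . '|' . strtolower( $username ) );
}

// Runs after WordPress has checked the password (priority 20) but before the
// result is used; returning a WP_Error rejects the login even if it was correct.
add_filter( 'authenticate', function ( $user, $username ) {
    if ( $username === '' ) {
        return $user;
    }
    if ( (int) get_transient( lt_key( $username ) ) >= LT_MAX_ATTEMPTS ) {
        return new WP_Error( 'too_many_attempts',
            'Too many failed logins for this account. Try again later.' );
    }
    return $user;
}, 30, 2 );

// Every failure (including one rejected above) bumps the counter and restarts
// the window, so hammering a locked account keeps it locked.
add_action( 'wp_login_failed', function ( $username ) {
    $key = lt_key( (string) $username );
    set_transient( $key, (int) get_transient( $key ) + 1, LT_LOCKOUT_SECONDS );
} );

// A successful login clears the counter for that IP + username.
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( lt_key( $user_login ) );
} );
```

Transients are best-effort counters (no locking, and they may live in an object cache), so treat this as a speed bump that makes password guessing expensive, not as a replacement for strong passwords and a second factor.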
SECURING CORE WORDPRESS FILES
There are certain core files that WordPress uses that should have protection applied. These files are involved in the appearance and functionality of your WordPress site. If a hacker gains access to these files, you can kiss your site goodbye. The files are neatly placed together in well-known folders, which makes them easy for hackers to find.
To protect these important files from being compromised you should only allow write access on a highly limited, need-to-know basis. You should add password protection to your wp-admin/ folder, which contains many of these important files.
There’s one file in particular, wp-config.php, which tells WordPress where to find your site database. It contains your MySQL username and password as well as your WordPress authentication keys. This file needs to be hardened against attacks, and one way to do this is to move it from its default home (under the public_html or www folder) to another folder. (WordPress automatically looks for wp-config.php one directory above the installation folder, so that is the usual destination.)
However, the jury is out on the effectiveness of this tactic. Ultimately the best way to protect this and other files is through strong access control and anti-malware actions.
As an alternative to your own security actions, there are a number of WordPress plugins that can help with the security of core files and with malware threats, including Wordfence and Sucuri’s Security Plugin, the latter also offering help with hardening core files.
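One of the things such plugins do for core files is integrity checking. Here is an added example, not code from the article or from any of the plugins it names: a hypothetical must-use plugin that once a day fetches the official checksum list for the installed WordPress version (the same list the core updater uses via get_core_checksums()), compares it with what is on disk, and e-mails the admin about modified, missing or unexpected files. The cca_ prefix and hook name are the example's own.

```php
<?php
/**
 * Plugin Name: Core checksum audit (hypothetical example)
 * Save as wp-content/mu-plugins/core-audit.php. Once a day it compares every
 * core file with the official checksum list for the installed version and
 * e-mails the admin about modified, missing or unexpected files.
 */
add_action( 'init', function () {
    if ( ! wp_next_scheduled( 'cca_run_audit' ) ) {
        wp_schedule_event( time(), 'daily', 'cca_run_audit' );
    }
} );
add_action( 'cca_run_audit', 'cca_audit_core' );

// Returns the list of findings (empty when the core tree is pristine).
function cca_audit_core(): array {
    require_once ABSPATH . 'wp-admin/includes/update.php';  // get_core_checksums()
    $checksums = get_core_checksums( get_bloginfo( 'version' ), get_locale() );
    if ( ! is_array( $checksums ) ) {
        return array( 'error: checksum list for this version is unavailable' );
    }
    $findings = array();
    foreach ( $checksums as $file => $md5 ) {
        if ( strpos( $file, 'wp-content/' ) === 0 ) {
            continue;  // bundled themes/plugins are legitimately updated separately
        }
        if ( ! file_exists( ABSPATH . $file ) ) {
            $findings[] = "missing: $file";
        } elseif ( md5_file( ABSPATH . $file ) !== $md5 ) {
            $findings[] = "modified: $file";
        }
    }
    // Anything on disk under wp-admin/ or wp-includes/ that the release does
    // not ship is suspect: injected files are usually hidden in these folders.
    foreach ( array( 'wp-admin', 'wp-includes' ) as $dir ) {
        $files = new RecursiveIteratorIterator( new RecursiveDirectoryIterator(
            ABSPATH . $dir, FilesystemIterator::SKIP_DOTS ) );
        foreach ( $files as $f ) {
            $rel = ltrim( substr( $f->getPathname(), strlen( ABSPATH ) ), '/' );
            if ( ! isset( $checksums[ $rel ] ) ) {
                $findings[] = "unexpected: $rel";
            }
        }
    }
    if ( $findings ) {
        wp_mail( get_option( 'admin_email' ), 'Core file audit: ' . count( $findings )
            . ' finding(s)', implode( "\n", $findings ) );
    }
    return $findings;
}
```

A legitimate core update will trigger one report (the version string changes, so the list is re-fetched and matches again the next day); anything else that shows up as modified or unexpected deserves a look.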
PLUGIN AND THEME SECURITY
Plugins and themes are the perfect vector for malware. Hackers look for vulnerabilities in plugin and theme software and exploit them to insert many types of malware. Sucuri recently found that hundreds of thousands of sites had been infected with malicious code via an insecure version of the Revslider plugin.
The best way to close this entry point is to make sure you use plugins that have at least some pedigree (and are not found on some dodgy-looking warez site) and, most importantly, to keep your plugins and themes patched and up to date. This won’t stop zero-day vulnerabilities, i.e. exploits of software flaws that the vendor hasn’t yet recognised, but it will keep your software as malware-free as you can possibly make it.
You should also look at, but not rely entirely on, security plugins to help prevent malware infections; examples are Anti-Malware and Brute-Force Security, and Theme Authenticity Checker, which checks themes for malware infection.
WORDPRESS VULNERABILITIES
WordPress itself can have software vulnerabilities built into new versions, which you often don’t hear about until hackers have taken advantage of them.
As with all other software, vulnerabilities are best handled by keeping versions patched. However, the most recent patch was in version 4.2.1, released in April of this year, to fix a zero-day vulnerability that allowed an attacker to use JavaScript to perform a cross-site scripting (XSS) attack on a WordPress site.
The vulnerability was inherent in a default plugin (Jetpack) and theme (Twenty Fifteen) bundled with WordPress. If you installed this new version and used the default settings, you were highly vulnerable. Patching wouldn’t have immediately helped with this issue, of course, as it was a zero-day vulnerability, i.e. WordPress wasn’t aware of it until after it had been exploited, but they quickly brought out a patch that fixed it.
WEB SERVER VULNERABILITIES
Web server security should be applied in a number of areas. Generally you’ll be looking at an Apache web server running on Linux. One of the most important files to protect is .htaccess, which should be set so that Apache directives cannot be overridden (the AllowOverride directive in the main server configuration controls whether .htaccess files are honoured at all).
One problem that a lot of sites have is that they run on a shared web server through a shared web hosting company. In this situation, you should check the security precautions your web hosting company takes to prevent cross-site contamination; they should be using security tools to minimise this.
Again, as with all other aspects of your WordPress site, make sure your web server software is patched and up to date; patching really is the first step in security.
SECURE COMMUNICATIONS / HTTPS
HTTPS is a version of HTTP which uses a protocol called Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to encrypt traffic communicated over the Internet. It helps to prevent “Man-in-the-Middle” (MitM) attacks, where someone intercepts communication traffic (data). By default you should be accessing your WordPress site as an administrator, or other contributing user, through an HTTPS connection. However, you also need to implement HTTPS across your site if you are in any way likely to gather data from your visitors.
To implement HTTPS across your WordPress site you need to install an SSL digital certificate, or an EV certificate (a more secure version of an SSL certificate). Many web hosting companies can help with this and even supply the digital certificates (which will need to be securely issued to your organization; visitors can then see it is issued to your company). Alternatively, you can look at this WordPress tutorial on implementing HTTPS for your WordPress site. Even following tutorials, however, can leave some areas of the site open to attack, and this article explains how to avoid them.
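Once the certificate is in place, WordPress itself has to be told to insist on HTTPS for the administrator and contributor logins mentioned above. The following wp-config.php fragment is an added, constructed example rather than something from the article or the linked tutorial; it also switches off the dashboard file editor, which ties back to the core-files section. The hostname example.com is a placeholder, and the proxy handling is an assumption about a hosting setup where TLS is terminated in front of the web server.

```php
<?php
// Constructed wp-config.php fragment (not from the article); place it above the
// "That's all, stop editing!" line. Replace example.com with your own host.

// Require HTTPS for wp-login.php and everything under wp-admin/.
define( 'FORCE_SSL_ADMIN', true );

// Behind a TLS-terminating proxy or CDN, PHP sees plain HTTP on the inside,
// so is_ssl() returns false and FORCE_SSL_ADMIN loops on redirects. Trust the
// forwarded header only when the proxy is the sole route to this server and
// always overwrites the header; otherwise a client could set it themselves.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
     && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https' ) {
    $_SERVER['HTTPS'] = 'on';
}

// Pin the site URLs to https so generated links and assets are never served
// as mixed content, one of the gaps a half-finished HTTPS migration leaves.
define( 'WP_HOME',    'https://example.com' );
define( 'WP_SITEURL', 'https://example.com' );

// The dashboard's theme/plugin editor turns any compromised admin account
// into arbitrary PHP execution on the server; switch it off.
define( 'DISALLOW_FILE_EDIT', true );
```

After enabling FORCE_SSL_ADMIN, check that a plain http:// request for wp-login.php is answered with a redirect to https:// and that the browser shows no mixed-content warnings on the dashboard.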
DISASTER RECOVERY: DON’T LET A DISASTER BRING YOU DOWN
If it still all goes wrong and you get infected by malware, your site is hacked, or you suffer a DoS attack, you need to be able to fix things and get your site back up and running with as little delay and loss of data as possible.
Contrary to what might seem logical, thinking about disaster recovery should be one of the first things you think about and organize.
WordPress is basically split into four areas:
~ The WordPress code (PHP)
~ Theme (PHP)
~ Plugins (PHP)
~ Database content
All four need to be backed up to be able to bring your site back if disaster occurs. Regular backups are a must; some people like to do them each night, but really it is up to you, and things like how regularly your site is updated will determine this.
Backup software is often prescribed by the web hosting company you have your site with, but automatic WordPress backup plugins are also available. If you look in the WordPress plugin directory you will find many examples; you need to research which is best for your site and database type. Whichever you choose, test out the results before you start using it in earnest.
A FINAL THOUGHT
Security is not something you should do grudgingly, nor is it an afterthought; it should be part of your general web design process.