Powering over 43% of the World Wide Web, WordPress is one of the world’s most popular content management systems (CMS). Despite its popularity, thousands of WordPress sites are compromised every day. Why? Not because WordPress itself is insecure, but because these websites are poorly maintained.
Having a good understanding of WordPress vulnerabilities and how to mitigate them will minimise the risk of your site being affected by cyber attacks. Our latest article will provide you with techniques and actionable steps you can take to optimise the security of your WordPress website.
1. Change the Default Usernames
When creating a fresh installation of WordPress, it may generate users with the default usernames. This is a security vulnerability, because hackers will try common usernames like admin or user against many different passwords in an attempt to brute force the system.
Usernames cannot be changed via the WordPress admin, but a simple workaround is to do the following:
- Go to Users > Add User
- Enter a new username, email address, select the role, and click Add User
- Log out of the website, then log in as the new user
- Delete the old user
- If any content was created by the old user, WordPress will ask you what to do with that content. Select the option Attribute all content to: and select the new user you created
- Click Confirm Deletion.
Changing the username can also be done using the Easy Username Updater plugin, or via the database.
2. Ensure that an SSL Certificate is Installed
Secure Sockets Layer (SSL) is a technology that encrypts the data that flows to and from your website to prevent unauthorised users from eavesdropping. An SSL certificate can help you to comply with data protection legislation, as it demonstrates that you are serious about protecting users’ personal data. When an SSL certificate is present, a padlock symbol is usually displayed in the address bar of the browser.
If no SSL certificate is installed, the browser may display a warning, or the website may not be accessible at all. If this is the case for your website, speak to your hosting provider about getting one set up. For continuous protection, select a certificate that renews automatically so you won’t have to worry about it expiring.
3. Change the WordPress Login URL
By default, the login URL of a WordPress site ends in /wp-login.php. Changing the default login URL makes it harder for hackers to find the actual login page. This can be achieved by using a plugin such as WPS Hide Login. Alternatively, the URL can be changed by modifying the functions.php file or the .htaccess file. However, we recommend these methods for advanced users only, as your website could break if the code is modified incorrectly.
4. Limit Login Attempts
By default, WordPress does not limit the number of failed login attempts that can be made by a user or IP address. To prevent unauthorised access to your website through brute force attacks or bot attacks, the number of failed logins can be restricted so that no more attempts are allowed once the specified number of attempts has been reached.
Installing a plugin such as Limit Login Attempts Reloaded can help you to achieve this. The premium version of the plugin also allows throttling, i.e. increasing the lockout interval each time a malicious IP or username tries to login unsuccessfully.
5. Enable Multi-factor Authentication (MFA)
Multi-factor authentication, or MFA, is a security measure that requires a user to identify themselves in two or more ways in order to gain access to a system. An example of MFA could be a website requiring a user to sign in with their username and password, then requesting a one-time passcode (OTP) which is generated by the user’s authentication app on their mobile phone. MFA is another measure which is very effective against brute force attacks, because it would be very difficult, if not impossible, for a malicious actor to gain access to a system without the additional factor, even if they knew the correct username/password combination.
Implementing MFA on your WordPress website is simple to achieve by using a security plugin such as Wordfence or Sucuri (we will cover these later in this article).
6. Use Strong and Unique Passwords
A strong password is one that is not easily guessable. Consider implementing a password policy to govern how users should create passwords. Our recommendations are:
- 8 characters or longer, if MFA is enabled
- 12 characters or longer, if MFA is not enabled
- Not a commonly used word (e.g. “password”, “abc”, “123”, “qwerty”)
- Do not share passwords with other users
- Do not reuse passwords across multiple accounts
- Use a password manager to generate and store passwords. Train staff members on how to use the password manager effectively.
7. Set Up a Web Application Firewall (WAF)
A web application firewall (WAF) is essentially a filter which is placed between a web application and the internet. It monitors traffic flowing into the web application and blocks any malicious requests. A WAF protects your website from common threats, such as distributed denial of service (DDoS) attacks, cross-site scripting (XSS) attacks, cross-site forgery attacks and SQL injection.
To protect your website with a WAF, you could use a service such as Cloudflare. The free plan of Cloudflare comes with some built-in rules, and also allows you to configure the WAF to your needs with custom rules. Additionally, you can monitor security events with the Analytics feature.
Alternatively, security plugins can also provide you with WAF protection.
8. Disable XML-RPC
XML-RPC is a service that allows WordPress sites to be accessed by external sources. If you do not use XML-RPC, you must disable it. To check whether XML-RPC is enabled on your website, type your website’s URL followed by /xmlrpc.php into your browser’s address bar and press Enter. If you see the following message, XML-RPC is enabled on your website:
XML-RPC server accepts POST requests only.
Disabling XML-RPC can be done by using a plugin such as Disable XML-RPC-API, or by inserting a few lines of code into the functions.php file. Using the plugin is preferable, as modifying the WordPress code can cause errors if done incorrectly.
9. Prevent User Enumeration
The WordPress REST API includes an endpoint which reveals the list of usernames associated with the users registered on the site.
Type your website’s URL followed by /wp-json/wp/v2/users/ into your browser’s address bar and press Enter. What do you see?
If you see a list of usernames, then the hacker’s job is half done. All they need to do is to guess the password, and they’ll gain access to the backend of your website via a brute force attack.
There are a few methods for disabling this endpoint:
- By using the plugin Stop User Enumeration
- By setting up a custom rule in Cloudflare’s web application firewall (WAF)
- By modifying the
functions.phpfile - By using a security plugin
We also highly recommend implementing multi-factor authentication (MFA) as a very effective measure against brute force attacks.
10. Only Install Reputable Plugins and Themes
Being open-source software, anyone can contribute to the WordPress project, or develop plugins and themes. However, you should only use plugins and themes which are made by well-known developers. These are updated more regularly and therefore less likely to contain security vulnerabilities.
Avoid using plugins or themes from untrustworthy sources, as they could contain malware which can harm your website.
Before installing any plugin, do you research by checking the WordPress Plugin Directory for details including features, reviews, and information about the developers.
You can find free themes on the WordPress Theme Directory, or paid themes on ThemeForest.
11. Keep Plugins, Themes and WordPress Core Files Updated
Hackers are always looking for new ways to break into websites. Fortunately, the software developers regularly release new versions of the WordPress core files, themes and plugins. These updates contain fixes that address security vulnerabilities, as well as bug fixes and new features.
Log into your WordPress admin and check if there is a notification near the top left-hand corner indicating if there are any updates. Install updates as soon as they become available. The update process can be automated, however, we recommend that you don’t do this. Installing the updates manually gives you more control should your website suffer an error after a particular update occurred.
Another piece of software that you must keep updated is PHP. This is the underlying code that WordPress is based on. This cannot be done via the WordPress admin, so you must have access to your hosting provider to make the update.
Before making any major updates to plugins, WordPress core files or PHP, we strongly recommend backing up your website.
12. Delete Unnecessary Plugins
Plugins are necessary for enhancing the functionality of your WordPress website. However, business needs can change, and as time goes by, you may find that there are plugins installed on your website which are no longer needed.
Conduct an audit of all plugins and review each one to assess whether it is still required. Delete (don’t just deactivate) any plugins that you are not using. Doing this will not only improve the security of your website by reducing its attack surface. It will also help to increase its performance and make it run faster.
13. Audit Your Website’s Data
Data can accumulate over time, and as a result, you may be unaware of the amount of data that your website is storing. This data is likely to contain personal information which is collected from various sources, including enquiry forms, newsletter signup forms, or an online store, if you have one. On a regular basis, conduct an audit of the data and delete any that you do not need. If any data must be kept, consider moving it to a more secure or offline location. Managing your data responsibly can also help you to comply with data protection regulations.
14. Monitor Login and Other Activity
Keeping a record of the login history of your website helps you to monitor who is trying to access your website. For instance, many failed login attempts from the same IP address could indicate a potential brute force attack.
Check if there are any successful logins from unusual IP addresses, devices or geographical locations. These could indicate that a user’s account has been compromised. If this is the case, then the password for that account must be changed immediately.
Verify that no unauthorised changes have been made to content on your site, by checking pages, blog posts, products, users etc.
The default installation of WordPress does not include logging, so you will need to use a security plugin to enable this feature.
15. Review Users’ Permissions and Remove Inactive Users
You may be familiar with the principle of least privilege. This is a security concept that requires that users are granted the minimum level of access required to perform their tasks. Review all users who are registered on your WordPress site, and their permissions. Ask yourself some questions. What are their roles? Do they still work for your organisation?
There should not be too many users with the “Administrator” role, so ensure that only those who need admin permissions are assigned this role, and other users are downgraded appropriately. Any user who no longer works for your organisation should be removed immediately.
16. Install a Security Plugin
Installing a security plugin is a great way to enhance the security of your WordPress site. A security plugin can help to automate many of the tasks we mentioned in this article, such as monitoring login activity, scanning for malware, checking for plugin updates, providing web application firewall (WAF) protection, and much more. After installing a security plugin, ensure to configure it according to your needs. For example, you may want to customise the alerts so that specific users in your organisation are notified when particular security events occur.
Two popular options for security plugins are Sucuri and Wordfence. If you opt for the paid plan of one of these plugins, you’ll also benefit from their incidence response service, should your website suffer from a malware infection or a hack.
We also recommend signing up to relevant newsletters so you can stay updated on the latest cyber threats.
17. Backup Your WordPress Website Regularly
Backing up your website is essential for many reasons, and we cannot stress its importance enough. If your website crashed unexpectedly due to a plugin update or error in the code, you’d want to be able to restore your website to the last working version before the crash occurred. Or, in the unfortunate event that your website was hacked, and data was lost due to a ransomware attack, a backup would be required to retrieve the lost data.
In both scenarios mentioned above, not having a backup of your website could have detrimental consequences. You could potentially lose months or years of hard work, or face financial loss, fines, and even loss of your business.
Fortunately, backing up your website is straightforward; here are three methods:
- Using a plugin such as UpdraftPlus
- Through your hosting provider
- Downloading the files via secure file transfer protocol (SFTP) and downloading the database via phpMyAdmin
If possible, automate the backup process. It’s also a good idea to keep at least two copies of each backup – one in the cloud, and one on a physical device in a different location from where you usually work (e.g. on an external hard drive). If backing up to an external hard drive, always disconnect it from the internet when not in use.
Finally, test backups on a regular basis to make sure that they are working.
18. Beware of Phishing Emails
Today, phishing is still the most common form of social engineering. Malicious actors send phishing emails to unsuspecting users to trick them into handing over personal data or login credentials, or installing malware.
For example, we recently became aware of a phishing campaign which involved emails pretending to be from WooCommerce. The emails tricked users into visiting a fake WooCommerce Marketplace page and installing an “update” for a vulnerability that didn’t exist, causing their websites to be infected with malicious code.
If you receive a suspicious email which appears to be from WordPress, or a WordPress plugin, do a few checks before taking any action:
- Look at the sender’s email address. Is the domain different from what you were expecting?
- Hover over links in the email – don’t click them. Do the links look suspicious?
- Are any files attached to the email?
- Does the email use threats or language that conveys a sense of urgency?
If the answer is “yes” to any of the questions above, you may have received a phishing email. Please report it via your email program before deleting it.
Backup your website, then log into your WordPress admin and ensure that all updates are made.
Conclusion
A compromised WordPress website can result in negative consequences for your business. However, by taking the time to maintain your website properly, you can avoid the stress associated with having to deal with a hacked website.
Our article outlined the measures that you can implement to elevate the security of your website and significantly reduce the risks of a compromise.
For help with any area of securing your WordPress website, please contact us today.
0 Comments