One of the weak points in your enterprise may be something that you haven’t paid much attention to, your WordPress (WP) servers. When you think more critically about the issue, there are a lot of exposed attack surfaces: a Web server running PHP scripts and accessing a SQL database. Sadly, criminals have long recognized this target and have begun to focus more of their efforts on exploiting WordPress servers. Indeed, this story from last summer’s DefCon conference demonstrated how hackers were able to locate a fresh new WP site within 30 minutes of going online.
So other than not using the platform, here are a few suggestions on how to improve your WP security and close off some of the more obvious ways WP has been exploited over the years. Some of these are easy to implement; others will require more effort and, in some cases, some money too.
- Use a managed WP hosting provider, so your WP server is not sitting on your internal corporate network where it can be leveraged for a privilege escalation attack. Given its popularity, you can purchase a cloud WP server for a very low cost today.
- Regularly update your WP version. WordPress comes out frequently with updates, and some hosting providers offer automatic upgrades to keep current. This is another reason for using a managed WP hosting provider. If you do self-host, make sure you update WP regularly.
- Use a complex and unique administrator password. Many of the attempts that I have seen come through my own WP installation try to log in to my server with a common username, such as admin, root, or something similar. Choose a different, non-obvious username and make sure it is protected with a sufficiently complex password. If you have guest authors, make sure their access rights are set appropriately too.
- Harden other settings. This beginner’s guide covers some other basic security steps, such as limiting login attempts, making certain directories read-only, and disabling directory browsing. Another suggestion: limit access to your WP site to just your own IP address in your .htaccess file while you are setting up your server for the first time.
- Reduce the number of plug-ins. When I first put up my own WordPress server, I went plug-in crazy, installing more than a dozen of them to do various things. Now I realize the error of my ways, and the most secure server is one that has the minimum number of plug-ins.
- Be on the lookout for compromised plug-ins. A number of them have been exploited recently, such as Form Lightbox, Appointments, RegistrationMagic-Custom Registration Forms, MailChimp for WooCommerce, WP No External Links and Flickr Gallery. Depressingly, those are just a few of the more notorious compromised plug-ins. The exploits range from hidden backdoors to remote file execution to privilege escalation, so pretty much all over the security map. Some plug-ins have thousands of users and active installations. Regularly screen what plug-ins you need and ensure that they haven’t been tampered with.
- Make sure your certs are in order. Set up your intrusion detection systems to scan for SSH key exploits, because this is a common way that attackers can compromise your systems. Ensure that you haven’t stored any private keys in any publicly accessible directories.
- Install specific security plug-in modules. Wordfence and Sucuri are two of the best, and both offer free versions. Wordfence covers login security, IP blocking, security scans, and comes with its own WP firewall. Sucuri has malware scanning, blacklist monitoring, and its own WP firewall too. Both are used by thousands of WP site operators. Both will send you regular email reports about the status of your WP security, and have comprehensive dashboards within your WP main dashboard that can offer a rich perspective of your WP installation.
- Stay up-to-date by regularly reading WP-specific security sites such as Plugin Vulnerabilities and Wordfence’s own blog. Both post frequently about exploits and zero-day attacks that their own instrumentation networks have uncovered.
- Finally, stay vigilant. WP continues to be an attractive target and keeping your WP servers secure is a constant battle.
David Strom is one of the leading experts on network and Internet technologies and has written and spoken extensively on topics such as VOIP, convergence, email, cloud computing, network management, Internet applications, wireless and Web services for more than 25 years. He has had several editorial management positions for both print and online properties and currently writes for Dice, Techtarget's SearchSecurity.com, ITworld.com and Network World. Find him on Twitter @dstrom and on his website strominator.com.