How to find vulnerabilities and protect your WordPress site
The vast majority of security concerns on WordPress sites are actually easy to control. The core of this system has come a long way of development and is fairly secure. This may seem unexpected to many, but developers take security seriously and release patches very quickly. One of the strengths of WordPress is the ease of updating and the high speed of the development cycle.
A considerable part of the problems is caused by the short-sightedness of the end user, the choice of themes and plug-ins with unsafe code, as well as the poor quality of hosting. This guide will help ensure the security of WordPress sites and eliminate the most common hacking loopholes.
Developers do not patch holes in outdated versions. Keeping the CMS and plug-ins up to date with new patches is essential for protecting the site. In most cases, it’s enough just to click the update button.
In addition, you need to regularly update all installed plugins and themes to avoid security problems. The optimal approach to this issue is the following: wait no more than 2-3 days from the time when updates became available. Check the forums for problem reports, and if not, feel free to update the site.
')
In the unlikely event that the update breaks something, roll back to the previous version (via shell or SFTP access), or restore the site from a backup.
This seems obvious, but with the presence of keyloggers and malware on your home computer or WiFi router, attackers won't be able to hack your website.
It's no secret that plugins and themes downloaded from Google or any random site are likely to be infected with malware. A recent study found that 8 out of 10 top Google results for “WordPress Free Themes” included malware in the code. Download themes and plugins from the official repository and other reputable sources. Using something that is obtained on random Internet sites, you risk the security of your own resource.
A good hoster not only backs up your site, but also prevents cross-infection of resources located on the same server. Unfortunately, such phenomena are quite common even among large hosters, so the question of choice should be approached thoroughly.
In addition to server administration, you should also pay attention to the competence of the support service - its employees must be competent enough to quickly respond to security issues and resolve them in a timely manner.
Regularly check your hosting provider to make sure that it uses the latest versions of the operating system and server software.
Many have a bad habit of using lightweight passwords. However, for really important things it is worth using long and complex combinations. Passwords from:
1. A randomly generated set of numbers, letters, and special characters.
2. Phrases from unrelated words (Right Horse Battery).
3. The first letters of each word from a memorable sentence to you with the addition of numbers and punctuation in some places.
If you have a problem with remembering the password or you are afraid of losing it, there are various browser extensions, as well as third-party applications that will store them for you.
It is important to come up with a separate password for each site, otherwise it will be much easier for hackers to hack your accounts.
The standard administrator login by default and its privileges are an easy target for any exploit. This user account should be deleted immediately after installing WordPress on the hosting. To do this, follow these steps:
1. Log in to the base Admin account.
2. Create a new user with a unique name and give him administrator rights (the latter is very important).
3. Log in with the new user data and delete the Admin account.
In addition, during a new installation, you can change the default username from Admin to another.
Bots constantly scan sites, trying to find the tags of the authors of messages, and then use the found names as logins. This is a very effective attack vector for hacking using brute force. To eliminate this vulnerability, log in to your account and set up a public nickname that is different from your actual login.
This procedure is mandatory for those who care about the security of their site. A great solution would be to set up regular backup not only of the WordPress database, but also the contents of the server disk. There are a number of plug-ins and services that allow you to save backups. In addition, it is worth asking your host about whether the backup.
Made backups should be checked at least once a month to make sure that they are created correctly, and it will not be difficult for you to restore the site if necessary.
This system uses encrypted security keys for information stored in cookies. These keys go into your WP-config. The key random number generator can be found on the official WordPress website at the link . Navigate through it and refresh the page in your browser to get new keys and copy them into your WP-config.
This item is only suitable for sites created from scratch. If the procedure is performed incorrectly on the work resource, you can completely kill it. If you are starting a new installation, you have the option to change the database prefix. By default, WordPress installs the “wp_” prefix, which makes the work of any hacker much simpler. Changing it to something unique will eliminate this security breach.
In addition, it is worth removing the test database, the users of the anonymous database. Make sure that the main database is not available from the Internet.
In addition to the fact that many themes and plugins are not safe, a large number of them seriously slow down the site. Reduce the number of used plugins and themes, and delete those that you have stopped using. Keeping your system clean does not only reduce the chances of vulnerabilities being exploited by attackers, but also makes it easier to fix problems if an infection with a malicious code does happen.
The WP-config file contains all your credentials for accessing the site database. You can move it higher by placing it outside the root directory accessible from the Internet. This will help protect the configuration file from any browser-based attacks. In addition, a good idea would be to change the permissions on it by setting the value to 600.
Using security plugins may be a late decision. Also, relying on protection for what is already unsafe is a bad idea. On the other hand, the Limit Login Attempts plugin is a very useful choice, as it prevents hacking with brute-force by limiting the number of failed login attempts. It can also keep logs of ip-addresses from which they tried to log in.
Access rights to files and directories can have quite complex dependencies on hosting settings. In most cases, file permissions must be set to values ​​of 664 or 640, and for folders — 755 or 750. You should never set the value to 777 until your host is configured. The golden rule of setting access rights - set the values ​​as low as possible at which the site maintains its operation. The last digit of permissions should always be 0, 4 or 5, never 6 or 7.
Hiding information about the installed version of WordPress is a fairly simple step that prevents bots from crawling your site. In the function.php file of your theme you need to place the following:
// remove version info from head and feeds
function complete_version_removal () {
return '';
}
add_filter ('the_generator', 'complete_version_removal');
If your site has an SSL certificate, do not forget to enable authorization using this protocol. You can set it only for logging in or for the entire administrator section in your WP-config.php file. SSL encrypts the information you send to WordPress and is particularly well protected against man-in-the-middle attacks.
Google search can scan unnecessary addresses and open their presence for hackers. It would be better if you disable the Google bot and any other bots that follow the robots.txt instructions (not all bots support them) to index anything other than your content. The robots.txt file is located in the root folder of your site and it is a plain text file.
If you run a personal blog or create a site where a large number of users do not intend to publish materials, you should disable the option to register accounts in the admin section. For commentators, use social media accounts.
It is necessary to remove the user rights to edit and update important files through the administrator interface.
Below are the basic rules that can be added to the .htaccess file in the root partition, more advanced rules are described in the advanced manual. Their absence can lead to hacking your site.
// limit indexing of directories
Options All -Indexes
// protect the htaccess file,
// this is done by default with apache config file,
// but you never know.
order allow, deny
deny from all
// disable the server signature
ServerSignature Off
// limit file uploads to 10mb
LimitRequestBody 10240000
// protect wpconfig.php.
// If you followed step 6 this is not necessary.
order allow, deny
deny from all
The root directory of WordPress is a file readme.html, many plugins and themes also have similar files. A good solution would be to remove them, as they can be used for fingerprinting or snooping, and often contain version information. Clean up the folders of your site from these and any other unnecessary files.
Use a copy of the site to test updates and new features before applying them on the main resource. It may even be a local installation of WordPress on your computer or laptop, if you do not want to pay for additional hosting.
Credit card information, social security numbers, medical information and other confidential information should not be stored on your website unless there is a valid reason for this. Hackers often choose for hacking those resources that have the opportunity to get hold of such information. If you don’t have one, your website is less likely to be targeted by intruders.
It should always be prepared for the fact that the resource can be hacked. With a clear plan of action, you can quickly stop the attackers and prevent negative consequences.
1. Take the site offline (maintenance mode). This will prevent the hacker from increasing the damage to the site or hindering your attempts to regain control of the web resource.
2. Tell your hosting provider about hacking so that he can help you.
3. Back up the hacked site if you want to explore it later.
4. View the server logs to determine how the attacker was able to hack the site. This will help you learn how to fix this problem, and also need to find what the attacker managed to do.
5. Update everything that can be updated.
6. Delete all files, pages, messages, comments or process added by the attacker. If you’re unsure whether you’ve found everything, create a new WordPress site from scratch, and then restore the latest backup made before the hack.
A considerable part of the problems is caused by the short-sightedness of the end user, the choice of themes and plug-ins with unsafe code, as well as the poor quality of hosting. This guide will help ensure the security of WordPress sites and eliminate the most common hacking loopholes.
Keep your wordpress up to date
Developers do not patch holes in outdated versions. Keeping the CMS and plug-ins up to date with new patches is essential for protecting the site. In most cases, it’s enough just to click the update button.
In addition, you need to regularly update all installed plugins and themes to avoid security problems. The optimal approach to this issue is the following: wait no more than 2-3 days from the time when updates became available. Check the forums for problem reports, and if not, feel free to update the site.
')
In the unlikely event that the update breaks something, roll back to the previous version (via shell or SFTP access), or restore the site from a backup.
Maintain Internet security on your computer.
This seems obvious, but with the presence of keyloggers and malware on your home computer or WiFi router, attackers won't be able to hack your website.
Only install plugins and themes from the official repository.
It's no secret that plugins and themes downloaded from Google or any random site are likely to be infected with malware. A recent study found that 8 out of 10 top Google results for “WordPress Free Themes” included malware in the code. Download themes and plugins from the official repository and other reputable sources. Using something that is obtained on random Internet sites, you risk the security of your own resource.
Choose a solid hosting
A good hoster not only backs up your site, but also prevents cross-infection of resources located on the same server. Unfortunately, such phenomena are quite common even among large hosters, so the question of choice should be approached thoroughly.
In addition to server administration, you should also pay attention to the competence of the support service - its employees must be competent enough to quickly respond to security issues and resolve them in a timely manner.
Regularly check your hosting provider to make sure that it uses the latest versions of the operating system and server software.
Come up with a really good password.
Many have a bad habit of using lightweight passwords. However, for really important things it is worth using long and complex combinations. Passwords from:
1. A randomly generated set of numbers, letters, and special characters.
2. Phrases from unrelated words (Right Horse Battery).
3. The first letters of each word from a memorable sentence to you with the addition of numbers and punctuation in some places.
If you have a problem with remembering the password or you are afraid of losing it, there are various browser extensions, as well as third-party applications that will store them for you.
It is important to come up with a separate password for each site, otherwise it will be much easier for hackers to hack your accounts.
Remove the default login Admin
The standard administrator login by default and its privileges are an easy target for any exploit. This user account should be deleted immediately after installing WordPress on the hosting. To do this, follow these steps:
1. Log in to the base Admin account.
2. Create a new user with a unique name and give him administrator rights (the latter is very important).
3. Log in with the new user data and delete the Admin account.
In addition, during a new installation, you can change the default username from Admin to another.
Change your nickname in WordPress
Bots constantly scan sites, trying to find the tags of the authors of messages, and then use the found names as logins. This is a very effective attack vector for hacking using brute force. To eliminate this vulnerability, log in to your account and set up a public nickname that is different from your actual login.
Set up regular backups
This procedure is mandatory for those who care about the security of their site. A great solution would be to set up regular backup not only of the WordPress database, but also the contents of the server disk. There are a number of plug-ins and services that allow you to save backups. In addition, it is worth asking your host about whether the backup.
Made backups should be checked at least once a month to make sure that they are created correctly, and it will not be difficult for you to restore the site if necessary.
Get WordPress Security Keys
This system uses encrypted security keys for information stored in cookies. These keys go into your WP-config. The key random number generator can be found on the official WordPress website at the link . Navigate through it and refresh the page in your browser to get new keys and copy them into your WP-config.
Change the database prefix (just before installing!)
This item is only suitable for sites created from scratch. If the procedure is performed incorrectly on the work resource, you can completely kill it. If you are starting a new installation, you have the option to change the database prefix. By default, WordPress installs the “wp_” prefix, which makes the work of any hacker much simpler. Changing it to something unique will eliminate this security breach.
In addition, it is worth removing the test database, the users of the anonymous database. Make sure that the main database is not available from the Internet.
Limit the number of plugins and themes used.
In addition to the fact that many themes and plugins are not safe, a large number of them seriously slow down the site. Reduce the number of used plugins and themes, and delete those that you have stopped using. Keeping your system clean does not only reduce the chances of vulnerabilities being exploited by attackers, but also makes it easier to fix problems if an infection with a malicious code does happen.
Move the WP-config file one directory up and lock it
The WP-config file contains all your credentials for accessing the site database. You can move it higher by placing it outside the root directory accessible from the Internet. This will help protect the configuration file from any browser-based attacks. In addition, a good idea would be to change the permissions on it by setting the value to 600.
Limit the number of login attempts
Using security plugins may be a late decision. Also, relying on protection for what is already unsafe is a bad idea. On the other hand, the Limit Login Attempts plugin is a very useful choice, as it prevents hacking with brute-force by limiting the number of failed login attempts. It can also keep logs of ip-addresses from which they tried to log in.
Check permissions for files and directories
Access rights to files and directories can have quite complex dependencies on hosting settings. In most cases, file permissions must be set to values ​​of 664 or 640, and for folders — 755 or 750. You should never set the value to 777 until your host is configured. The golden rule of setting access rights - set the values ​​as low as possible at which the site maintains its operation. The last digit of permissions should always be 0, 4 or 5, never 6 or 7.
Hide version information
Hiding information about the installed version of WordPress is a fairly simple step that prevents bots from crawling your site. In the function.php file of your theme you need to place the following:
// remove version info from head and feeds
function complete_version_removal () {
return '';
}
add_filter ('the_generator', 'complete_version_removal');
Enable SSL Authorization
If your site has an SSL certificate, do not forget to enable authorization using this protocol. You can set it only for logging in or for the entire administrator section in your WP-config.php file. SSL encrypts the information you send to WordPress and is particularly well protected against man-in-the-middle attacks.
Don't let search robots browse directories
Google search can scan unnecessary addresses and open their presence for hackers. It would be better if you disable the Google bot and any other bots that follow the robots.txt instructions (not all bots support them) to index anything other than your content. The robots.txt file is located in the root folder of your site and it is a plain text file.
Disable user registration
If you run a personal blog or create a site where a large number of users do not intend to publish materials, you should disable the option to register accounts in the admin section. For commentators, use social media accounts.
Disable users to edit and update themes and plugins.
It is necessary to remove the user rights to edit and update important files through the administrator interface.
Set .htaccess rules
Below are the basic rules that can be added to the .htaccess file in the root partition, more advanced rules are described in the advanced manual. Their absence can lead to hacking your site.
// limit indexing of directories
Options All -Indexes
// protect the htaccess file,
// this is done by default with apache config file,
// but you never know.
order allow, deny
deny from all
// disable the server signature
ServerSignature Off
// limit file uploads to 10mb
LimitRequestBody 10240000
// protect wpconfig.php.
// If you followed step 6 this is not necessary.
order allow, deny
deny from all
Delete Readme and other unnecessary files.
The root directory of WordPress is a file readme.html, many plugins and themes also have similar files. A good solution would be to remove them, as they can be used for fingerprinting or snooping, and often contain version information. Clean up the folders of your site from these and any other unnecessary files.
Create a separate version of the site for development
Use a copy of the site to test updates and new features before applying them on the main resource. It may even be a local installation of WordPress on your computer or laptop, if you do not want to pay for additional hosting.
Do not process confidential information unnecessarily.
Credit card information, social security numbers, medical information and other confidential information should not be stored on your website unless there is a valid reason for this. Hackers often choose for hacking those resources that have the opportunity to get hold of such information. If you don’t have one, your website is less likely to be targeted by intruders.
What if your WordPress site was hacked?
It should always be prepared for the fact that the resource can be hacked. With a clear plan of action, you can quickly stop the attackers and prevent negative consequences.
1. Take the site offline (maintenance mode). This will prevent the hacker from increasing the damage to the site or hindering your attempts to regain control of the web resource.
2. Tell your hosting provider about hacking so that he can help you.
3. Back up the hacked site if you want to explore it later.
4. View the server logs to determine how the attacker was able to hack the site. This will help you learn how to fix this problem, and also need to find what the attacker managed to do.
5. Update everything that can be updated.
6. Delete all files, pages, messages, comments or process added by the attacker. If you’re unsure whether you’ve found everything, create a new WordPress site from scratch, and then restore the latest backup made before the hack.
Source: https://habr.com/ru/post/324140/
All Articles