WordPress Security Basics - the Security 101
WordPress is one of the most popular content management systems. However, this also means that it is a popular target for hackers. With a few simple measures, many attacks can already be successfully countered.
Ing. Philipp Doblhofer
WordPress is one of the most popular content management systems. However, this also means that it is a popular target for hackers. Once a security vulnerability is found, thousands of websites can be attacked at once. But a few simple basics can make automated attacks, which try to attack thousands of sites at the same time, more difficult or even prevent them. Here are the most important measures:
Updates, Updates, Updates
As with all other IT systems, it is important to keep the software up to date. Outdated WordPress versions, plugins, or themes may contain known security vulnerabilities that are readily exploited by automated attacks. Keeping the system up to date usually means that all known security vulnerabilities are closed quickly.
It is important to note that premium plugins and premium themes in particular often do not distribute their updates through the integrated WordPress update system. Here it is especially important to check for updates proactively.
Are the plugins used still maintained?
Closely related to updates: some plugins are no longer maintained and updated by their developer. It should be checked regularly whether the extensions in use are still being maintained, that is, whether security vulnerabilities are still being actively closed. A rough guideline is the WordPress plugin directory, which lists the date of the last update for each plugin. If this date is too far in the past, it is worth considering alternatives.
Secure Passwords
As with updates, secure passwords are essential. Never reuse a password for multiple sites. It is better to choose a separate password for each site that is long enough, contains numbers, letters, and special characters, and cannot be easily guessed. To avoid having to remember these complex passwords, a password manager is recommended. The no-gos in password management are sharing passwords, storing them unencrypted (Excel lists, text files), or the classic: a Post-it on the office desk.
“Cracked” Plugins or Themes
Premium plugins and themes, i.e., paid extensions, constantly circulate on the internet as “nulled”, “free”, or “unlocked” versions on dubious sites. These often contain malware and backdoors, i.e., deliberately introduced security vulnerabilities. Extensions should always be obtained from their original sources.
User Management
Exploiting most security vulnerabilities requires at least one WordPress user account. Therefore it is important to give WordPress users only as many rights as absolutely necessary: an author for the website does not need administrator permissions. Likewise, the option of open user registration should be disabled if it is not actually needed.
To “force” other users to use secure passwords, password rules (minimum length, complexity, etc.) can be defined via extensions. Another option is so-called two-factor authentication (2FA): after entering the password, the user must also enter a time-dependent code, which is displayed, for example, on the mobile phone. A stolen password alone is then useless, since the attacker would also need possession of the corresponding mobile device.
Standard Administrator Name
Do not use “admin” as the username. Although this only helps against relatively simple attacks, these are highly automated: many attack scripts try to gain access to the site via the standard user “admin”. If there is no user with the name “admin”, you are already a bit safer.
Secure Server Infrastructure
Another critical factor for security is the server: it is important that the user who has access to the server data really only has access to the data of the corresponding website. There are various hosting providers where several websites (domains) can be operated with one web hosting package. Each of these should have no read/write access to the other domains; otherwise, if one of the sites becomes the victim of an attack, the attacker automatically gains access to all other sites.
Also important: are there sufficient access logs? Are backups created automatically on a regular basis, and can they be restored quickly? Is there an SSL/TLS certificate so that the website can be served via HTTPS?
How are files uploaded to the server? This should definitely be encrypted, so plain FTP is not an option; the encrypted alternatives are SFTP, FTPS, or SSH. The credentials for these must of course not be identical to those of the WordPress users.
Furthermore, the software running on the server should be up to date (operating system, web server, PHP, MySQL, etc.).
MySQL Access Only via localhost
The MySQL database should only be reachable from the server itself. Servers are often preconfigured so that external IP addresses can also reach the MySQL server. In most cases this is not necessary at all and therefore represents a security risk: if the MySQL credentials are stolen, an attacker can directly steal the data in the database. If only localhost, i.e., the server itself, can connect, this is not directly possible. As with the SFTP/FTPS/SSH accounts, the database account should again have a unique, secure password.
Counteracting Brute-Force Attacks
There are constant attempts (by automated attack scripts) to gain access to the site, in which thousands of passwords are tried blindly until one succeeds. Complex passwords fundamentally prevent the success of such attacks. Some recommend changing the login URL away from the default. However, this only prevents very simple attacks; security through obscurity is generally poor “security”.
Meaningful ways to counter brute-force attacks are to block, for some time, IP addresses that make too many invalid login attempts. It is also possible to set up directory protection for the administration area via .htaccess; the disadvantage is that a further password must be entered. Likewise, logins can be restricted to certain IP addresses, also via .htaccess.
Further Measures
If the points mentioned are implemented, a first step has been taken. Of course, they are not enough to be prepared against all attacks; they are just the basics. To prevent targeted attacks against one’s own website, individual security concepts must be developed that close off possible attack paths.