Guest Kim Crawley's first of a multi-part series presents a multi-tiered strategy for protecting sites that run the popular open source Wordpress content management system. Part II, also by Kim, will consider addons to further improve Wordpress security.
Web site attacks are all too common, and WordPress sites are among the most frequently hacked. There are many motives behind such attacks. Some of the most common are listed below:
- To plant malware on your site that will infect your visitors, take control of their computers, and recruit them into a botnet,
- To hijack your server and use it to attack other systems,
- To send spam from your server,
- To gain access to credit card info or personal identities you host in databases accessible from your server,
- To plant hidden links to other sites in an attempt to fool search engines and fraudulently raise those sites’ rankings, or to illegally earn click-through revenue,
- To experience the thrill of vandalizing property,
- To satisfy a grudge against you, or simply
- Because someone was bored and you made it easy.
The article How Hackers Target and Attack Your Site, at InfoSec Institute, presents a step-by-step breakdown of how hackers target and break into a WordPress site.
You can see from the article that hacking a site might not be as difficult as you once thought.
That being said, website owners need to do everything they can to prevent a security breach. Following these steps will help harden your WordPress site’s security and send hackers looking for lower-hanging fruit.
Audit Overall Work Station and Server Security
Make sure that any and all PCs and web servers you use are kept properly secured and hardened. (In its Web Vulnerabilities report, the APWG notes that over 75% of attacked servers run Linux and recommends that you consult best practices for Linux web server security such as Barrettt2003, Turnbull2005 and Garfinkel2011. Similar resources are available for other server OSs.)
- Run the most recent release of your favourite web browser and make sure that it’s set to patch automatically. (APWG also recommends that you consult resources for securing the Apache web server, such as Apache, Debian and Mobily2004; again, similar resources exist for other web server software.)
- Make sure that all authentication vectors you use have strong passwords which are changed regularly. It’d be sad to create a really secure password for your WordPress admin account, only to find out a keylogger defeated all of your efforts.
- Keep the antivirus software and operating systems on your admin workstations and servers patched and current. Scan your PCs and servers for malware regularly and frequently.
- Make sure you use proper firewalls: at the OS level, at the router level and, if at all possible, at the ISP level.
Remember, any security hole outside of WordPress, in the software or hardware of the server you host your site on or of the workstation(s) you manage your content from, can affect the WordPress content management system itself.
“Harden” Your Wordpress
Now that you've hardened your web site platform, turn your attention to hardening and monitoring Wordpress.
Keep WordPress Updated. Make sure you always have the most recent version of WordPress installed. Updating WordPress is relatively quick and easy, and can be done through the WordPress panel in your web browser. If the most recent version of WordPress is incompatible with the PHP version installed on your web server or at your web host, make the effort to upgrade PHP so that your version of WordPress can stay up to date. Obsolete versions of WordPress no longer get security patches, just as older operating systems reach the end of their support.
Speaking of PHP, bear in mind that PHP applications are among the most commonly exploited web site components. The APWG offers some good advice for dealing with PHP:
“One of the most common attack vectors for phishers is to inject untrusted data into web forms or database queries [Malyshev]. Such attacks exploit insecure application (PHP/Java) code. Software and security communities at large promote software review and secure programming practices as means to mitigate vulnerabilities. Various secure code and runtime techniques may be used to mitigate these threats. Victims’ PHP developers should consult the PHP Security Guide and similar resources, for example Linux: 25 PHP Security Best Practices For Sys Admins. These will be particularly helpful for organizations whose sites were victims of spoofed form submissions or HTTP requests, cross-site scripting, session data exposure or other common PHP attack vectors.”
Disable Custom HTML When Possible. WordPress can use custom HTML for various functions. If that isn’t absolutely necessary for the form and function of your website, you may want to disable unfiltered HTML by adding define( 'DISALLOW_UNFILTERED_HTML', true ); to your wp-config.php file.
Don’t Look Brand New. Remove all default posts and comments. If malicious hackers find those on your site, it may indicate to them that you have a new WordPress site, and brand new sites are often easier to crack into. It’s also easier to crack into a WordPress site when you know which version is installed, so be sure to hide it. This is done in two places. The first is the meta generator tag in your template, found in wp-content/{name of your WordPress theme}/header.php. Look for the generator meta tag and remove it. The other element is in your RSS feed. Open up wp-includes/general-template.php and look around line 1858. Find:
function the_generator( $type ) {
echo apply_filters('the_generator', get_the_generator($type), $type) . "\n";
}
Comment out the echo line by putting a hash in front of it, so that it looks like this:
function the_generator( $type ) {
#echo apply_filters('the_generator', get_the_generator($type), $type) . "\n";
}
Also, remove all instances of “Powered by WordPress” footers, as crackers use the phrase to find sites to crack into via search engines. That footer also indicates new WordPress sites, or sites developed by newbies, whether or not that actually applies to you.
Be sure to delete /wp-admin/install.php and /wp-admin/upgrade.php after every WordPress installation or upgrade. Those scripts are only ever used during the installation and upgrade processes, and aren’t used in the everyday development of your site. You can still upgrade without those files, as all upgrades contain those scripts.
Change a couple of the file and directory name defaults. Go to Settings > miscellaneous in your admin console and change the names of wp-content/ directory and wp-comments-post.php. Make sure to change the template URL within the template and wp-comments-post.php accordingly, to maintain the function of your site.
Hide Indexes. Be sure to disable public access to directory indexes whenever possible. If people can list the files in your site’s wp-content/plugins/ directory without being authenticated, it’s a lot easier to crack into your site through plug-in vulnerabilities. If your web server runs Apache or another web server that honours .htaccess files, it’s simple to do. Find the .htaccess configuration file in your site’s main directory, the directory that contains index.php, and insert the text Options -Indexes anywhere in the file. Alternatively, if you can’t alter a .htaccess file, upload an index.html file into your main directory. You could make that web page look similar to your site’s PHP web pages and insert a hyperlink to your index.php file if you’d like. But obviously, in a site that uses WordPress as a CMS, visitors won’t see your index.html file unless they type a specific path to it in their web browser address bar. Alternatively, you could make your index.html file a 0-byte placeholder.
In case your web server ever has problems executing PHP files, it’s crucial to block directories that are only accessed by your server. If PHP source code is ever displayed in a visitor’s web browser rather than the web page it’s supposed to render, they may find database credentials or in-depth information about the PHP/MySQL code of your site. Your site’s wp-includes/ directory is the most important one to block. Find the .htaccess file there and insert (the RewriteEngine On line is required for any RewriteRule to take effect):
RewriteEngine On
RewriteRule ^(wp-includes)\/.*$ ./ [NC,R=301,L]
If there are or will be subdirectories of wp-includes/, insert the following code for each one in the same .htaccess configuration file:
RewriteRule ^(wp-includes|subdirectory-name-here)\/.*$ ./ [NC,R=301,L]
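As an added check (my own example, not code from the article or from WordPress itself), the following Python script audits a WordPress document root for several of the steps described above: the DISALLOW_UNFILTERED_HTML define in wp-config.php, leftover wp-admin/install.php and upgrade.php scripts, an active Options -Indexes line, a RewriteRule covering wp-includes, and a literal generator meta tag in theme headers. It assumes themes live under wp-content/themes/ (the standard location) and, to exercise itself offline, builds a constructed weak tree and a constructed hardened tree in a temporary directory.

```python
import re
import tempfile
from pathlib import Path

def _active_lines(path):
    """Non-comment, non-blank lines of a config file; [] if the file does not exist."""
    text = path.read_text(errors="replace") if path.is_file() else ""
    return [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith(("#", "//"))]

def audit_wordpress(root):
    """Check a WordPress document root for the article's hardening steps; True means the step is done."""
    root = Path(root)
    cfg = "\n".join(_active_lines(root / "wp-config.php"))
    htaccess = _active_lines(root / ".htaccess") + _active_lines(root / "wp-includes" / ".htaccess")
    headers = (root / "wp-content" / "themes").glob("*/header.php")  # standard theme location (assumed)
    return {
        # define( 'DISALLOW_UNFILTERED_HTML', true ); present and not commented out
        "unfiltered_html_disabled": bool(re.search(
            r"define\s*\(\s*['\"]DISALLOW_UNFILTERED_HTML['\"]\s*,\s*true\s*\)", cfg)),
        # install.php and upgrade.php deleted after installation/upgrade
        "install_scripts_removed": not any((root / "wp-admin" / f).exists() for f in ("install.php", "upgrade.php")),
        # an active Options line that turns off directory listings
        "indexes_disabled": any(re.match(r"Options\b.*-Indexes", l) for l in htaccess),
        # an active RewriteRule that references wp-includes
        "wp_includes_blocked": any(l.startswith("RewriteRule") and "wp-includes" in l for l in htaccess),
        # no literal generator meta tag left in any theme header
        "generator_tag_hidden": not any('name="generator"' in h.read_text(errors="replace") for h in headers),
    }

def build_sample_site(root, hardened):
    """Write a constructed tree holding only the files the audit inspects (not a real install)."""
    root = Path(root)
    for d in ("wp-admin", "wp-includes", "wp-content/themes/demo"):
        (root / d).mkdir(parents=True, exist_ok=True)
    prefix = "" if hardened else "// "  # the weak site has the define commented out
    (root / "wp-config.php").write_text(f"<?php\n{prefix}define( 'DISALLOW_UNFILTERED_HTML', true );\n")
    if not hardened:
        (root / "wp-admin" / "install.php").write_text("<?php // leftover installer\n")
    (root / ".htaccess").write_text("Options -Indexes\n" if hardened else "# Options -Indexes\n")
    rule = "RewriteEngine On\nRewriteRule ^(wp-includes)\\/.*$ ./ [NC,R=301,L]\n"
    (root / "wp-includes" / ".htaccess").write_text(rule if hardened else "")
    tag = "" if hardened else '<meta name="generator" content="WordPress X.Y" />\n'  # constructed placeholder
    (root / "wp-content/themes/demo/header.php").write_text(f"<head>\n{tag}</head>\n")
    return root

def demo():
    # Audit a weak and a hardened constructed tree; returns (weak_results, hardened_results).
    with tempfile.TemporaryDirectory() as tmp:
        weak = audit_wordpress(build_sample_site(Path(tmp) / "weak", hardened=False))
        hard = audit_wordpress(build_sample_site(Path(tmp) / "hard", hardened=True))
    return weak, hard
```

The wp-includes check only confirms that a rule referencing the directory is active; after adding one, load the site and confirm that scripts and stylesheets served from under wp-includes still load, since a rule that redirects the entire directory also redirects those.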
Back It Up! WP-DB Manager is excellent for backing up your entire WordPress site. It will also alert you to MySQL vulnerabilities and let you know when parts of your database are publicly accessible.
Always be sure to properly back up the content of your site. In a worst-case scenario, keeping backups will at least allow you to restore your site easily. Alongside WP-DB Manager, you could also use Online Backup for WordPress. The backup the plug-in creates can be stored in your e-mail inbox or on your PC, or you can use the 100MB of free storage space on developer Backup Technology’s own secure servers.
Report Bugs and Vulnerabilities. If you ever discover security vulnerabilities on your own, do the community a favour by sending a detailed e-mail to [email protected], or e-mail [email protected] if the vulnerability is in a plug-in instead. You would want other web developers to report loopholes that may affect your website, so treat others as you would like to be treated! Just avoid writing about those newly discovered vulnerabilities on the web or on social networking sites, so that information doesn’t fall into the wrong hands.
Check For Exploits. Routinely run the Exploit Scanner plug-in to check for indications of malicious activity. Exploit Scanner doesn’t directly repair any issues, but it will leave you a detailed log to troubleshoot with. Run this plug-in at any point where you suspect someone’s been cracking at your web site as well.
Guest Kim Crawley is a security researcher for InfoSec Institute, a security certification company. InfoSec Institute has trained over 15,000 certificate candidates. Its training program includes popular CEH and CCNA certification courses.
References:
Infographic: History of WordPress, N.S. Gautham Raj
Hardening WordPress, wordpress.org
Exploit Scanner, wordpress.org
6 simple steps to hardening WordPress, Sam Devol
Hardening WordPress Security: 25 Essential Plugins + Tips, Daniel Smeek
How to Stop Your WordPress Blog Getting Hacked, David SEM Labs
Hardening WordPress Security, Brian Haddock
6 Tips to Secure WordPress from Hackers, John Phillips
Vulnerability Report: WordPress 3.x, Secunia.com
Great post! I've had a wordpress website for a while and I constantly have to try to get rid of the hackers. Wordpress website maintenance can be such a pain to keep up on. This looks like it will do the trick though, thanks!
Posted by: Abednadier20 | Monday, 05 August 2013 at 01:54 PM
Brilliant post Kim!
I found your post after Blackknight retweeted it. Since I'm hosted with them and most of my websites are WordPress, I clicked.
Since reading, I've installed WP-DB Manager & Exploit Scanner on each of my WP websites.
A really simple way of protecting yourself from brute force is changing the Admin username to something else &, as you stated, creating strong passwords.
Thanks again for great info!
Posted by: Locksmiths | Thursday, 18 April 2013 at 08:25 AM
WordPress is a great platform; unfortunately, in my opinion it relies far more on the user to sort out security, and there lies the problem. Passwords are usually easy to crack and are seldom changed.
Posted by: chriscuts1 | Tuesday, 22 January 2013 at 03:50 AM