
stuartjdavidson.com http://stuartjdavidson.com/wordpress-security/

WordPress Security: How To Avoid Being Hacked

Website security is serious business. Knowing how to maximise your WordPress security can be the difference between keeping your business and losing it, or ruining your reputation. The number of compromised websites has risen, and in my opinion will keep rising, because of the Internet's popularity and the commercial demand that comes with it.

Since 2009, the number of WordPress sites hacked has more than doubled. In 2012, the number was reported to be over 170,000 sites.

If you work in online marketing, the odds are that you have worked on, or will at some point work on, a WordPress site. Thousands of malware types and infections are active on the Internet but, fortunately, not all of them apply to WordPress. What makes a WordPress site vulnerable? Here are the most common root causes you will come across:

Out-of-date software

Poor servers

Poor credential management

Poor system administration

Lack of technical knowledge

Cutting corners

Being aware of the reasons why your WordPress site may be compromised is half the battle. Knowing the typical types of attack is also of great benefit. Here is a breakdown of the most common WordPress security issues you should be aware of.


Back-doors

A back-door lets an attacker back into your website without going through the normal access paths (FTP or SFTP, SSH, the WordPress admin login). On WordPress it is typically a PHP file planted somewhere in the site, often in wp-content/uploads or disguised as part of a theme or plugin, or a few lines of obfuscated code injected into an existing file. Back-doors are exceptionally dangerous: they survive password changes, so if left unchecked an attacker can return at will and cause havoc on your server.

Drive-by downloads

A drive-by download is usually embedded in your website via some type of script injection (an injected script tag or iframe in a theme file or in the database). The point of a drive-by download is to get something onto your visitor's machine without them asking for it. One of the most common variants tells the visitor that their computer has been infected with a virus and that they need to install an "anti-virus" product, which is the malware itself, to fix it.

Pharma hacks

A pharma hack is one of the most prevalent exploits. It injects pharmaceutical spam (keywords and links for Viagra, Cialis and the like) into your pages, often cloaked so that only search-engine crawlers see it while normal visitors see the site as usual, which is why it can go unnoticed for months. It is a form of SEO spam, and if you are found to be distributing spam you run the risk of being flagged by Google with warnings that deter visitors, such as "This site may be compromised".

Malicious redirects

Quite simply, a malicious redirect sends a visitor to a malicious website instead of, or shortly after, yours. It is usually planted as a rewrite rule in .htaccess, a line of PHP in a theme or plugin file, or JavaScript stored in the database, and often only fires for certain visitors (for example, those arriving from a search engine or on a mobile device), so the site owner rarely sees it. The destination may carry infectious software or advertisements, or simply appear to be a random, foreign site.

Brute force attacks

Brute force attacks occur when someone tries to gain access to your site by attempting an enormous number of username and password combinations until the right one is found. On WordPress this is almost always automated and aimed at /wp-login.php or at XML-RPC (xmlrpc.php), whose system.multicall method lets a single request test many passwords. Guessing every possible short password is very fast; for longer passwords that becomes infeasible, so attackers instead use dictionaries of common passwords and credentials leaked from other sites, which works just as well whenever users reuse weak passwords.
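The pattern described above is easy to spot in the web server log: login brute-forcing shows up as one client sending many POSTs to /wp-login.php or xmlrpc.php. The following script, an added example that is not part of the original article, counts those POSTs per client in a combined-format (Apache/Nginx) access log and lists clients over a threshold. The log lines are constructed for the demo, with documentation-range addresses standing in for real clients.

```shell
#!/bin/sh
# Added example, not code from the original article: find clients hammering
# the WordPress login endpoints in a combined-format (Apache/Nginx) access log.
# Brute-force tools POST to /wp-login.php or to xmlrpc.php (whose
# system.multicall lets one request test many passwords) and rarely load
# anything else, so the per-IP count of such POSTs separates them from people.

# Constructed sample log, standing in for a real capture. The documentation
# addresses 203.0.113.9 and 198.51.100.7 play the attackers; 192.0.2.55 is a
# legitimate editor who loads the login page once and logs in once.
sample_log() {
    i=0
    while [ "$i" -lt 8 ]; do
        echo "203.0.113.9 - - [10/Mar/2014:10:01:0$i +0000] \"POST /wp-login.php HTTP/1.1\" 200 3124 \"-\" \"python-requests/2.2.1\""
        i=$((i + 1))
    done
    i=0
    while [ "$i" -lt 6 ]; do
        echo "198.51.100.7 - - [10/Mar/2014:10:02:1$i +0000] \"POST /xmlrpc.php HTTP/1.1\" 200 581 \"-\" \"Mozilla/5.0\""
        i=$((i + 1))
    done
    echo '192.0.2.55 - - [10/Mar/2014:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0"'
    echo '192.0.2.55 - - [10/Mar/2014:10:03:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'
}

# wp_bruteforce_ips LOGFILE THRESHOLD
# Prints "IP COUNT" for every client with more than THRESHOLD POST requests to
# /wp-login.php or /xmlrpc.php, highest count first. Field layout of the
# combined log format: $1 client IP, $6 the method with its opening quote
# ("POST), $7 the request path.
wp_bruteforce_ips() {
    awk -v limit="$2" '
        $6 == "\"POST" && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] > limit) print ip, hits[ip] }
    ' "$1" | sort -k2,2nr
}

# Demo on the constructed sample: with a threshold of 5 the two attackers are
# listed and the editor is not.
tmp=$(mktemp)
sample_log > "$tmp"
wp_bruteforce_ips "$tmp" 5
rm -f "$tmp"
```

On a real host you would run something like `wp_bruteforce_ips /var/log/apache2/access.log 20` from cron and feed the addresses to fail2ban or your firewall. Two caveats: a failed wp-login.php POST returns 200 (the form is re-rendered) while a successful one returns 302, so restricting the count to status 200 gives you the failure count specifically; and a distributed attack spreads the attempts across many addresses that each stay under the threshold, so watch the total rate of login POSTs as well as the per-IP count.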

Zero-day Attacks

A zero-day attack exploits a previously unknown vulnerability, and takes place before anyone other than the attacker is aware of it. It is difficult for you to prevent, as the attack occurs before developers have had time to realise and address the vulnerability and provide you with a secure update. What you can do is limit the damage: keep file permissions and user accounts to the minimum needed, and keep backups you can actually restore from.

Armed with this knowledge, here are my top 10 security tips to ensure your WordPress site is, and remains, secure:

1. Make contact with your web host

It is reported that 41% of hacks occur as a result of hosting. You should contact your web host and ask what they have put in place to secure WordPress on their servers. Your host will be able to delete any generic accounts, so you should always know exactly who can access your website. Avoid any unnecessary credentials or access points, including FTP, wp-admin accounts and SSH logins; every one you keep is something to be brute-forced or leaked. Steer clear of cheap hosting providers without solid customer service and proper security measures in place.

2. Undertake regular backups

Prevention is one thing, but if all else fails you should have a backup plan. You should never rely only on your web host for your site backups. Some hosts do periodic backups, but either way it should be standard practice to routinely back up your whole site (files and database) to a location outside the web server, and to test that a backup actually restores, in case your WordPress security is compromised.

3. Default site information

Brute force attacks against WordPress mostly target the administrator panel with default credentials (i.e. "admin" as the username, which older installers created by default). If your site's administrator username is still admin, change it immediately: create a new administrator with a different username, log in as that user, then delete the old admin account and reassign its posts to the new one.

Use very strong passwords: a good mix of capital and non-capital letters, numbers and symbols, and at least 12 characters long (the 8 that is often quoted is too short to resist offline guessing). Avoid common phrases and password variations like stuart123. Something like 9St1u3a!rt~? is far better, and a randomly generated passphrase from a password manager is better still (make a note in a secure place, as guessing these types of passwords is next to impossible).

The WordPress database is the brain of your entire site: every single piece of information is stored in there, which makes it every hacker's favourite target. One commonly recommended tweak is to change the database table prefix from wp_ to something else, perhaps wp_st6u3a88r0t. Be clear about what that buys you: it only breaks injection payloads that hard-code table names such as wp_users, and an attacker who can run arbitrary SQL can simply list the tables. Treat it as a minor obstacle rather than a defence; strong, unique database credentials and a database user that can only reach the WordPress database matter far more.

4. Directory hardening

Many web hosts allow directory listing (browsing a folder's contents in the browser) as a default configuration. Unfortunately, this also lets an attacker see the contents of those directories, such as which plugins are installed. Adding Options -Indexes to your .htaccess file disables this.

Your "uploads" folder (wp-content/uploads) stores all the media uploaded to your WordPress site. Its files have to be publicly readable, otherwise your images stop loading, but the folder should not be listable and, above all, must not execute PHP: it is the one directory the web server can write to, which makes it the favourite place to plant a back-door. An .htaccess file in uploads that denies access to .php files closes that door.

Lastly, tightening your file permissions secures your core files against various other attacks. The usual baseline is 755 for directories, 644 for files and 600 (or 640) for wp-config.php, with nothing world-writable. For a full list of recommended file permissions, see the WordPress documentation on changing file permissions.

5. Default WordPress files

You should delete or rename readme.html and license.txt from the web root, and block access to wp-admin/install.php, as these are unnecessary after installation and disclose the version of WordPress you are running. Two caveats: core updates write readme.html and install.php back, so deleting them is undone at the next update (blocking them in .htaccess is durable), and wp-admin/upgrade.php must be left alone, because WordPress uses it to run the database upgrade after a core update. install.php refuses to run once WordPress is installed, so it is a disclosure issue rather than a way in.

You should also remove any mentions of WordPress, so that you are not handing hackers useful information that might lead to an exploit: remove the "Powered by WordPress" tag, the generator meta tag that WordPress adds to the page head (it carries the version number) and any links back to WordPress. Bear in mind that this is obscurity rather than protection: automated scanners fingerprint WordPress from paths such as /wp-content/ and /wp-login.php regardless, so it slows down a targeted attacker at best and is no substitute for keeping everything updated.
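Tips 4 and 5 come down to a handful of file-system and .htaccess changes. The script below, an added example that is not part of the original article, applies them to a WordPress root in one go: the 755/644/600 permission baseline, Options -Indexes, a block on the version-disclosing files, and a no-PHP rule for uploads. It assumes Apache 2.4 with AllowOverride enabled for the site (Nginx ignores .htaccess, and Apache 2.2 spells the deny rule as `Order allow,deny` followed by `Deny from all`); the marker comment is my own so that running it twice does not duplicate the rules.

```shell
#!/bin/sh
# Added example, not code from the original article: harden a WordPress
# install's file system and write the .htaccess rules from tips 4 and 5.
# Assumes Apache 2.4 with AllowOverride in effect for the site; adjust the
# "Require all denied" lines to Order/Deny syntax on Apache 2.2.

# harden_wp_dir ROOT
harden_wp_dir() {
    root=$1
    if [ ! -f "$root/wp-config.php" ]; then
        echo "harden_wp_dir: $root does not look like a WordPress root" >&2
        return 1
    fi

    # 1. Permissions: 755 directories, 644 files, wp-config.php owner-only.
    #    The web server can read the code and write none of it.
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    chmod 600 "$root/wp-config.php"

    # 2. Root .htaccess: directory listing off, version-disclosing files and
    #    the config blocked. Appended outside the "# BEGIN/END WordPress"
    #    block so WordPress leaves it alone when it rewrites permalink rules;
    #    the "hardening" marker (my own) makes the function idempotent.
    #    FilesMatch in the root .htaccess also applies to wp-admin/install.php.
    if ! grep -q '^# BEGIN hardening' "$root/.htaccess" 2>/dev/null; then
        cat >> "$root/.htaccess" <<'EOF'
# BEGIN hardening
Options -Indexes
<FilesMatch "^(readme\.html|license\.txt|wp-config\.php|install\.php|\.htaccess)$">
    Require all denied
</FilesMatch>
# END hardening
EOF
    fi

    # 3. uploads: never execute PHP dropped there, so a planted back-door is a
    #    dead file; no listing either. Media files are still served normally.
    mkdir -p "$root/wp-content/uploads"
    cat > "$root/wp-content/uploads/.htaccess" <<'EOF'
Options -Indexes
<FilesMatch "\.(php|phtml|php[0-9])$">
    Require all denied
</FilesMatch>
EOF
}

# Usage: sh harden.sh /var/www/example.com  (run as the owner of the files)
if [ "$#" -gt 0 ]; then
    harden_wp_dir "$1"
fi
```

Run it as the user that owns the site files, not as the web server user. If uploads stop working afterwards, the web server is not the owner of wp-content/uploads; give it ownership of that one directory rather than loosening permissions elsewhere. Note that wp-config.php at 600 requires PHP to run as the file owner (suPHP, PHP-FPM pools); on hosts where PHP runs as a shared web user, 640 with that user's group is the equivalent.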

6. Keep everything up-to-date

Hackers look for vulnerabilities they can exploit in older versions of WordPress, including outdated plugins and themes, and public exploits exist for many of them. Ensure that WordPress core, your plugins and your themes are always up-to-date.

Consider a situation where a security flaw is found in an older version of WordPress. If you don't keep current with updates, and don't remove the unnecessary WordPress mentions, it is easy for people to know exactly how to exploit your site. It is essential to update everything as soon as new versions become available, and to delete plugins and themes you no longer use: a deactivated plugin is still on disk, and its files can still be requested directly.
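Keeping everything up-to-date starts with knowing what is installed. The script below, an added example that is not part of the original article, reads the core and plugin versions straight from the files under a document root and compares a version against a release you have looked up, which is handy when auditing a backup copy or a host without WP-CLI (on a live install, `wp core version` and `wp plugin list` give the same inventory). The fixture it builds is constructed for the demo, and the "latest" version it compares against is an assumed value, not a lookup.

```shell
#!/bin/sh
# Added example, not code from the original article: inventory the WordPress
# core and plugin versions installed under a document root, from the files
# alone, and compare dotted version numbers.

# wp_inventory ROOT
# Prints "core VERSION" followed by "plugin NAME VERSION" for each plugin
# directory. Core keeps its version in wp-includes/version.php as
# $wp_version = 'x.y.z'; a plugin declares "Version: x.y" in the header
# comment of its main PHP file.
wp_inventory() {
    root=$1
    printf 'core %s\n' "$(grep '^[$]wp_version' "$root/wp-includes/version.php" | cut -d"'" -f2)"
    for p in "$root"/wp-content/plugins/*/; do
        [ -d "$p" ] || continue
        ver=$(grep -h -m1 -E '^[[:space:]]*\*?[[:space:]]*Version:' "$p"*.php 2>/dev/null \
              | head -n1 | sed 's/^.*Version:[[:space:]]*//; s/[[:space:]]*$//')
        printf 'plugin %s %s\n' "$(basename "$p")" "${ver:-unknown}"
    done
}

# version_lt A B: succeeds when dotted numeric version A is older than B
# (3.8.3 < 3.9, 3.9 < 3.9.1). Pre-release suffixes like "-beta" are not handled.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# Constructed fixture standing in for a real install (not a real site):
# core 3.8.3 plus two plugins using the two common header styles.
make_fixture() {
    mkdir -p "$1/wp-includes" "$1/wp-content/plugins/akismet" "$1/wp-content/plugins/hello-dolly"
    cat > "$1/wp-includes/version.php" <<'EOF'
<?php
$wp_version = '3.8.3';
EOF
    cat > "$1/wp-content/plugins/akismet/akismet.php" <<'EOF'
<?php
/*
Plugin Name: Akismet
Version: 2.5.9
*/
EOF
    cat > "$1/wp-content/plugins/hello-dolly/hello.php" <<'EOF'
<?php
/**
 * Plugin Name: Hello Dolly
 * Version: 1.6
 */
EOF
}

# Demo: list the fixture and flag core if it is behind an assumed current
# release (look the real one up on wordpress.org before trusting the verdict).
fx=$(mktemp -d)
make_fixture "$fx"
wp_inventory "$fx"
core=$(wp_inventory "$fx" | awk '$1 == "core" { print $2 }')
latest=3.9
if version_lt "$core" "$latest"; then
    echo "core $core is behind $latest: update"
fi
rm -rf "$fx"
```

Point wp_inventory at a site (or at an unpacked backup) and diff its output against a previous run to catch anything that changed without you updating it; an unexpected new plugin directory is one of the clearer signs of a compromise.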

7. Security plugins

Using additional security measures can be effective in preventing your WordPress site from being hacked. There are a number of free WordPress security plugins available that address many of the common security issues most WordPress website owners face. Here is a list of the better security plugins I have come across:


Better WP Security

Bullet Proof Security

WP Login Security 2

All In One WP Security & Firewall

Wordfence

Sucuri WordPress Security Plugin (paid plug-in)

8. Universal registration

If your website is set up so that anyone can register as a user, that is a potential way in for hackers: even a low-privilege subscriber account is a foothold for privilege-escalation bugs in plugins. This option should only be enabled if you are running a community site where signing up is encouraged. If you don't run that type of website, prevent anyone from registering: go to Settings -> General in your WordPress dashboard, untick "Anyone can register" and make sure the default role for new users is Subscriber.

9. Do your research

Plug-ins and themes are great. They make life easier and allow those without coding knowledge, or the time needed to build a site from scratch, to have a site ready in a short space of time. But beware. Many free themes, particularly from sites other than the official WordPress.org directory, are potential security risks (obfuscated code and hidden links are common). Out-of-date or abandoned plugins are good places for hackers to find holes in your security. Do your research and only install plugins that are tested with the latest version of WordPress, have solid reviews and a recent update, and remove anything you stop using.

10. Fire-power!

Deploying a web application firewall (WAF) on your server helps protect your site against vulnerabilities in plug-ins and out-of-date software by blocking known exploit patterns (SQL injection, file inclusion, login floods) before they reach WordPress. A WAF can buy you time against a zero-day if the exploit happens to match a generic rule, but it cannot be relied on for that; it is a layer in front of patching, not a replacement for it. Ask your hosting provider if they offer web application security as a service. If they don't, that may be a good indicator of the overall level of security they can offer.

WordPress Security: Conclusion

I am of course just scratching the surface here. The knowledge and tips above should allow you to begin optimising your WordPress security. The aim of my article was not to frighten you, or to point out various vulnerabilities in the WordPress platform. The reality is that any website can be hacked. But there are significant measures you can take to stop common hacking practices from threatening your website.

Has your WordPress site been hacked before? Feel free to share your horror stories.

Website by TheSocialShark © 2014. All rights reserved.