Compendium: how to secure your WordPress?

WordPress is one of the most popular CMSs in the world. Depending on the statistics, it runs from several to even dozens millions of websites. The increasing popularity of WordPress in Poland translates into the growth of number of the associated attacks. Many of them can be prevented by securing the given website with simple steps. This will the main topic of this article.

Topics related to security of websites require spending some spent on the implementation of good solutions. There is no magic “Secure My WordPress” button or a plugin that will solve this problem for us. Despite the fact that the creators of WordPress takes the subject very seriously, there is a large list of things that we have to take care of ourselves.

That is why I have good and even better news for you. The good news is that this article is really long and comprehensive. What is the better news? Its volume is accompanied by quality. You will find an overview of the most important topics related to WordPress security in one place, so you won’t have to jump through different pages and articles.

Let’s start.

Podcast (polish)

If you prefer listening to us to reading the articles, you can find our podcast below. There is also an audio version of this article. You can listen to it using Podcasts app on iOS, an application of your choice on Android, Tunes, YouTube, SoundCloud and Spreaker.

General recommendations

When you start securing your WordPress-based website, you should focus on several general issues. They concern not only the CMS itself, but also all the things related to it that affect its security.

You can listen to Niebezpiecznik podcast, where very interesting topics related to enhancing security are discussed.

Take care of the quality of passwords

Website login data is one of the most desired information by cybercriminals, which may leak out during attacks. The most common mistake is using the same password for many websites and using too weak passwords in general.

If we use a weak password, security measures might not be effective. It doesn’t concern only difficult password for the WordPress admin panel itself, but also for the server, e-mail or client panel in the hosting company. If we use a simple password and, what’s worse, we use the same password on several websites, the password doesn’t necessarily have to be hacked on our website. An attacker can hack passwords on another website, and since we use the same password everywhere, he or she can simply log in to our WordPress.

Try to create difficult passwords by adding special characters, lowercase and uppercase letters and numbers. Simple passwords are hacked with brute-force method. Today’s computers can guess such a password in a fraction of a second.

It is worth having a different password for each website. Applications such as 1password, KeePass or LastPass, will help us remember all of them.

Apart from the password itself, it is worth mentioning the method associated with its recovering. Password reminder is often used to hack passwords. Most often, it is a question such as “Name of my dog”, “Favourite dish” etc. This type of information is publicly available on social media, so the attacker can use it to change your password in the mailbox to which they will then send a WordPress password reset.

What I personally recommend to everyone is the inclusion of two-factor authorisation (2FA) on the most important accounts (mail, social media profiles, important websites). Such an approach drastically increases the level of security of accounts protected this way.

Two-factor authentication

Usually, we log in to many websites with a login and a password. Two-factor authentication(2FA) is another obstacle an attacker has to overcome in order to access the website.

The idea of the two-factor authentication is simple: apart from the login data, the user has to provide additional information or perform an additional operation in order to be authorized. It can be a text, a code from an application or clicking the link sent to the e-mail address associated with the account. In order to log in you need to have access to data that the potential attacker may not have (phone, other account, etc.).

Most of poplar websites support 2FA, so it’s worth using it for your own peace of mind. Additionally, 2FA authentication is often required only on new devices or browsers from which you log in — this way you won’t have to enter an authorization code at every login (although you can do so for even better security).

This method secures access to the website, even if your password is hacked, and for that reason this service should be enabled wherever possible. For example, access to our Client Panel and hosting panel is protected by 2FA.

It is also possible to enable two-factor authentication to the administrator panel in the WordPress.

Pay attention to who have access to your websites

While creating and developing a website, we often use the external services to perform certain tasks. We provide access to our website, hosting server or other services to programmers, SEO teams or editors. Unfortunately, after some time, we forget to remove the accounts of people who no longer cooperate with us.

On the one hand, a list of people who have access to our website is important from the point of view of the GDPR, and, on the other hand, for safety reasons. When terminating cooperation with a given person or company, remember to change their passwords or remove their access. We often simply forget about such activities.

Avoid outdated software

Updates to software, operating system or applications on a mobile phone are already executed on a daily basis. Don’t ignore them when taking care of the security of your computer or website. A new version of a programme not only provides you with more features but also fixes bugs found in the older version. Many of these errors relate strictly to security.

If you work on a computer with an outdated operating system, antivirus or a programme to connect to the server, you may pose a risk to yourself or visitors to your website.

There are many computer viruses that can steal server passwords from your computer from outdated versions of programmes such as these: FileZilla, WinSCP or Total Commander. Even worse, they can use stolen passwords to infect websites on the server they have access to.

Recommendations on the server or hosting side

An administrator or a hosting company is responsible for the security of the server and its hosting — this part will focus on the aspects we can influence ourselves and what we can do to improve the security of the website running on that server.

Do not treat your server like a trash

The server should contain only the most necessary things that we and our visitors will use. By keeping order in directories, databases, email accounts, it will be easier for you to update everything or simply watching over the access to services.

Keeping various test scripts, forgotten sites or another version of the /old directory on the server gives attackers plenty of room for manoeuvre. They can access your data through such forgotten files placed somewhere on your disk.

The mess in your hosting is also a great place to hide all kinds of malware such as: Trojans, Internet worms, backdoors or cryptocurrency extractors. This will make it equally difficult for administrators and programmers to identify the threat and remove it.

If you don’t care about having order in your files and databases, you may also have a problem with backup and, even worse, faster file recovery. The more unnecessary things are kept on the server, the longer it takes to perform the backup. This may also delay restoring a file.

Remember: your the server is not a trash.

User, password and database

One of the simplest steps we can take is to create a separate database and user for each website. This will ensure, first of all, that we are able to keep it clean. If it is necessary to restore a database, we will be able to restore the database specific for a given website. Another advantage of such a solution is the creation of separate users and passwords to websites. Each instance of WordPress or other script uses its access data.

When creating a database, giving a unique name to both the database and a user who will access it, is also a good idea. This is not an ideal security measure and can be classified as so-called deep hiding, but it will certainly make access to the data more difficult.

You should also avoid remote connections to the database. MySQL / MariaDB server does not encrypt its connections in the default configuration. When you access your database from an office, home or café you might risk eavesdropping on the connection. As a result, the attacker will be able to read your WordPress data, such as login, e-mail or password hash.

select * from wp_users;
wp_users
display_name
display_name
mateusz"$P$BxZBPEad1Mxq0lZL9SCzdAgUQz9nyI.
mateuszmateusz@exadop.org
2017-03-21 12:24:18
mateusz

Above you can see an example of data hacked when user login mateusz logged in to the WordPress panel. You can also read the password hash and you could try to hack it.

Use SSL certificate

There is a lot to tell about SSL certificates. The most important principle is to use them. It doesn’t matter whether you use free or paid certificate. You protect your website against eavesdropping and various attacks, e.g a man-in-the-middle attack.

Pay attention to the server on which you install the certificate and check whether is had the correct configuration. You can check it using various tools available online or ask the server or hosting administrator.

Using an encrypted https connection means not only security, but also HTTP/2 access, which speeds up the loading time of the website.

The next step is to enable SSL in WordPress. There are two ways to do it: a fast and incorrect way or a bit more difficult and correct one.

How not to enable SSL in WordPress

How to properly enable SSL in WordPress

Use the latest versions, e.g. PHP, MySQL, etc.

Separate the test environment from the production environment

Avoid auto-installers

Recommendations on the WordPress side

Update WordPress, its plugins and themes

Difference between update and upgrade

How to differentiate between update and upgrade?

How to update/upgrade correctly?

When is an update necessary?

Automatic updates

Install plugins and themes only from proven sources

Change the prefix in the database

Transfer database data

Change your administrator login and ID

Restrict access to the WordPress panel using .htaccess

Disable editing of theme files and plugins

Disable user registration if you don’t need it

Enable two-factor authentication in WordPress

Keep WordPress organized by removing unnecessary plugins and themes

Change WordPress keys to your own

Disable comments if they are unnecessary

Protect yourself against enumeration of users

Disable debugging mode

Providing access data to other services in WordPress

Block access to XML-RPC

Do backups

What is not worth doing?

Security plugins

Changing default paths

The default paths to plugin and themes resources are wp-content/plugins and wp-content/themes respectively. The paths and names of these directories can be changed by adding an entry to wp-config.php:

define( 'WP_CONTENT_DIR', dirname(FILE) . '/www/multimedia' );
define( 'WP_CONTENT_URL', 'http://example.com/www/multimedia' );

Such a change will only result in that our website may not resemble WordPress to numerous simple web robots and will bypass it. However, this will not protect us from attacks on the vulnerabilities in these add-ons.

Most plugins add Java Script or CSS files to our website, which makes it easy to check which directory they are in.

Hide unnecessary information about WordPress

Another thing you should not do is to hide information about the WordPress version you are using. Very often, tutorials focus on removing the generator tag from the site code. Such a change does not do much, since the attacker is not really interested in this tag. Internet worms do not pay attention to such data either. They simply scan the page and try to find a vulnerability.

However, if we want to remove information about the version, we should block access to the readme.html file, for example by adding a rule to .htaccess:

<FilesMatch "readme.html">
  Order allow,deny
  Deny from all
</FilesMatch>

Then delete the WordPress version:

remove_action('wp_head', 'wp_generator');

We also hide versions in RSS, ATOM, comments, scripts, and so on.

define('THE_CAMELS_FILE_VERSION', '0000001');

function rm_generator_filter() {

  return '';

}

if(!function_exists('thecamels_remove_wp_ver_css_js')) :

  function thecamels_remove_wp_ver_css_js($src) {

    if(strpos($src, 'ver=' . get_bloginfo( 'version'))) {

      $src = remove_query_arg( 'ver', $src );

    }

    if(!strpos($src, '?')) {

      $src .= '?ver=' . THE_CAMELS_FILE_VERSION;

    }

    return $src;

  }

endif;

add_filter('the_generator', 'rm_generator_filter');

add_filter('style_loader_src', 'thecamels_remove_wp_ver_css_js', 9999);

add_filter('script_loader_src', 'thecamels_remove_wp_ver_css_js', 9999);

add_filter('get_the_generator_html', 'rm_generator_filter');

add_filter('get_the_generator_xhtml', 'rm_generator_filter');

add_filter('get_the_generator_atom', 'rm_generator_filter');

add_filter('get_the_generator_rss2', 'rm_generator_filter');

add_filter('get_the_generator_comment', 'rm_generator_filter');

add_filter('get_the_generator_export', 'rm_generator_filter');

add_filter('wf_disable_generator_tags', 'rm_generator_filter');

This code could be written better, probably, so all suggestions are welcome.

Security testing

If we want to go deeper into the subject of security related to WordPress, it is worth seeing WordPress Vulnerability Statistics. These very interesting statistics show the elements of WordPress where security vulnerabilities are found.

Information about errors can be found on one of the exploit aggregators, e.g exploit-db.com.

When it comes to testing WordPress security, you can use a tool such as WPScan. Before each run, it is advisable to update its database with the following command:

wpscan --update

Website testing is quite simple:

wpscan --url http://moja-strona-domowa.pl

We can also use such scanners as: Detectify, Security Ninja, Acunetix or Sucuri.

Plugin Inspector might also be interesting – it generates a report on the safety of plugins.

Plugin Inspector

We will see the code fragments that are OK, Unsafe or Deprecated, all presented in a simple way. The Unsafe status shows those code elements that are suspicious and potentially dangerous. That might not be necessarily the case, but it’s worth looking at the code fragment.

The Deprecated status shows outdated functions and plugin code fragments. Over time, they will be removed from WordPress or PHP itself and the plugin may stop working. In such a situation, it is worth considering an update.

Summary

WordPress hardening is often a complex process. It requires time and understanding of certain elements. We cannot be always 100% sure whether we have managed to protect our website against everything (e.g. 0-day attacks). However, taking these or other steps will surely minimize the level of risk.

I am really glad you managed to reach the end. But that’s not all. I have more security-related links for you.

Other interesting materials about WordPress security (in Polish):

• Presentations:
  • WordUp Trójmiasto #6 – Krzysztof Dróżdż. Why does this malware keep coming back?
  • WordUp Kraków #autumn 2015 – Krzysztof Dróżdż. Safe code – three slightly more difficult elements
  • Krzysztof Dróżdż: Myths of (non)safety
• Articles:
  • How to protect the wp-login.php file against brute force attacks
  • WordPress hardening: basics
  • How to secure WordPress? A step-by-step guide

Stay up to date

Information about new articles and topics related to servers and WordPress on your e-mail.

If you don't want to miss our articles and interesting podcasts, subscribe to our newsletter. You will also receive a discount on your first shopping 😉

I agree to the processing of the above data in order to receive the newsletter. Your personal data will be administered by The Camels, 18 Wróblewskiego Street, 93-578 Łódź, e-mail: info@thecamels.org. Detailed information on the processing of personal data can be found in terms and conditions, in the privacy policy section.

Sign me up