Web Dandy Web Design Articles

WordPress Security - Does It Affect You?

WordPress Is Used By Millions

WordPress, used by millions to host their websites and blogs, has suffered from highly distributed, global, brute-force attacks in the past. More than 117,000 WordPress blogs were attacked and affected in 2012, and that number grows each year.

Successfully exploited sites give attackers ongoing access to the WordPress installation, typically through a backdoor planted on the server, so changing the password that was guessed does not remove them. Exploited sites are then used to scan for other WordPress installations and launch the same attack against them. Because the guesses arrive from a very large number of IP addresses, each sending only a few attempts, common security measures such as tools that simply limit login attempts per IP address are not effective against this kind of attack.
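The failure of per-IP limits against a distributed run is easy to see in the web server's own logs. The following is an added example for this article (not code from the original page or from WordPress). It parses Apache combined-format access log lines, constructed here rather than captured, and compares the per-IP view a lockout plugin has with a per-target view that aggregates all failed logins against the site. It assumes default WordPress behaviour: a failed login POST to wp-login.php comes back as 200 with the form redrawn, while a successful one answers 302 to wp-admin.

```python
"""Spot a distributed brute-force run against wp-login.php in Apache logs.

Added example for the article above, not WordPress code. SAMPLE_LOG is
constructed, not captured. Heuristic (assumption matching default WordPress
behaviour): POST /wp-login.php -> 200 is a failed login (form redrawn),
POST /wp-login.php -> 302 is a successful login (redirect to wp-admin).
"""
import re
from collections import Counter
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Ten different source addresses, one or two guesses each, inside 12 seconds,
# followed by one legitimate login and some unrelated traffic.
SAMPLE_LOG = """\
203.0.113.1 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.2 - - [12/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.3 - - [12/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.4 - - [12/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.6 - - [12/Apr/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.8 - - [12/Apr/2013:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Apr/2013:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.1 - - [12/Apr/2013:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.2 - - [12/Apr/2013:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:00:30 +0000] "GET /wp-login.php HTTP/1.1" 200 2814 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:00:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.55 - - [12/Apr/2013:10:00:45 +0000] "GET / HTTP/1.1" 200 9134 "-" "Mozilla/5.0"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        records.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
        })
    return records


def failed_logins(records):
    """Failed login attempts under the 200-means-failure heuristic."""
    return [r for r in records
            if r["method"] == "POST"
            and r["path"].split("?")[0] == "/wp-login.php"
            and r["status"] == 200]


def per_ip_offenders(failed, threshold=5):
    """What an IP-based lockout tool sees: sources at or above the threshold."""
    counts = Counter(r["ip"] for r in failed)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def distributed_attack(failed, window=timedelta(seconds=60),
                       min_attempts=10, min_ips=5):
    """Aggregate by target instead of by source.

    Slides a time window over the failures and returns (attempts, distinct_ips)
    for the busiest window that crosses both thresholds, or None.
    """
    events = sorted(failed, key=lambda r: r["ts"])
    best, start = None, 0
    for end in range(len(events)):
        while events[end]["ts"] - events[start]["ts"] > window:
            start += 1
        chunk = events[start:end + 1]
        ips = {r["ip"] for r in chunk}
        if len(chunk) >= min_attempts and len(ips) >= min_ips:
            if best is None or len(chunk) > best[0]:
                best = (len(chunk), len(ips))
    return best


if __name__ == "__main__":
    failed = failed_logins(parse_log(SAMPLE_LOG))
    print("per-IP lockout would ban:", per_ip_offenders(failed))
    print("site-wide window (attempts, ips):", distributed_attack(failed))
```

With the constructed log, the per-IP view bans nobody (no address exceeds two attempts) while the per-target view reports twelve failures from ten addresses inside one minute. In practice the site-wide counter is what should raise the alert or switch on a CAPTCHA; per-IP bans remain useful against the occasional single-source attacker.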

Usernames And Passwords

WordPress "admin" attacks aren't new, but they are increasing in number. Sucuri CTO Daniel Cid commented, "In April 2013, attacks increased to 77,000 per day on average, reaching more than 100,000 attempts per day."

The top user names being tried are "admin", "test", "administrator" and "root" and of the approximately 1,000 different password guesses used by attackers, the six most commonly guessed passwords are "admin," "123456," "666666," "111111," "12345678" and "qwerty".

Are usernames and passwords the only WordPress areas that can be exploited? No. There are numerous other ways a hacker can gain access to or compromise your WordPress site, most of them known bugs in outdated core, theme or plugin code, or information the site leaks about itself.

So What Can You Do?

There are a few steps you can take to minimise the risks of being hacked. Remember - always backup your files and database before making any changes!

  1. Upgrade WordPress, your theme and your plugins to the latest versions. Most of the non-password routes into a site are known, already-patched bugs in outdated code.
  2. Change your login details: set up a new administrator account with an unusual username and a long, complex password, then delete the old "admin" account. When WordPress asks what to do with the old account's content, attribute it to the new account; otherwise the posts are deleted along with the user. Note that a WordPress username is not a secret (it appears in author archive URLs and post metadata), so the password is what keeps guessers out; the rename simply takes you off the short list of names these attacks try.
  3. Unless you're running a membership-based site, make sure "Anyone can register" under Settings > General (Membership) is unticked, and leave "New User Default Role" set to Subscriber.
  4. If your database uses the default "wp_" table prefix, change it. On a new install, define a unique prefix before running the installer by editing $table_prefix = 'wp_'; in wp-config.php. On an existing site the change is more involved (the tables and some option and meta keys must be renamed to match) but can be done; detailed instructions can be found on the WPBeginner blog. Treat this as a minor obstacle to canned SQL injection payloads that assume "wp_", not as a fix for the injection itself.
  5. Prevent the WordPress version being revealed in the page's meta data and RSS feeds. Add to your theme's functions.php file:
    // Return an empty string instead of the <meta name="generator"> tag
    // and the matching <generator> element in feeds.
    function remove_version() {
        return '';
    }
    add_filter( 'the_generator', 'remove_version' );
  6. Remove the "ver" parameter carrying the WordPress version number from all enqueued CSS and JS files. Add to functions.php:
    // Only strip "ver" when it equals the core version; assets that register
    // their own version (e.g. a plugin's stylesheet) are left untouched.
    // strpos() is compared against false explicitly because a match at
    // position 0 would otherwise be treated as "not found".
    function vc_remove_wp_ver_css_js( $src ) {
        if ( false !== strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) ) {
            $src = remove_query_arg( 'ver', $src );
        }
        return $src;
    }
    add_filter( 'style_loader_src', 'vc_remove_wp_ver_css_js', 9999 );
    add_filter( 'script_loader_src', 'vc_remove_wp_ver_css_js', 9999 );
  7. Prevent the wp-config.php file from being served. Insert in your .htaccess file (Apache 2.2 syntax):
    # protect wp-config.php
    <files wp-config.php>
    Order allow,deny
    deny from all
    </files>
    On Apache 2.4 use "Require all denied" inside the <files> block instead. Normally a request for wp-config.php is executed as PHP and returns a blank page; the rule protects you when the PHP handler is broken or misconfigured and the file would be sent as text. It matches the exact file name only, so backup copies such as wp-config.php.bak or wp-config.php~ are not covered and must be kept out of the web root.
  8. Rename or remove readme.html (it states the installed version) and the wp-admin/install.php and wp-admin/upgrade.php scripts. A core update puts fresh copies back, so repeat this after every upgrade.
  9. Prevent unnecessary information being displayed on failed login attempts. By default WordPress says whether it was the username or the password that was wrong, which lets an attacker confirm that an account exists. Add to functions.php:
    // Same message for an unknown user and a wrong password.
    function wrong_login() {
        return 'Wrong username or password.';
    }
    add_filter( 'login_errors', 'wrong_login' );
  10. Disable the WordPress theme and plugin editors. This removes the Appearance > Editor and Plugins > Editor screens, so a stolen administrator login cannot be turned into PHP on disk through the dashboard. Add to wp-config.php:
    define( 'DISALLOW_FILE_EDIT', true );
  11. Stop the web server from listing the contents of the Uploads folder (this hides what is stored there; it does not block the individual files, which your visitors need). Insert in .htaccess:
    Options -Indexes
    or create a blank index.php and upload it to the Uploads folder.
  12. An article by Matt Cutts talks about fixing "full path disclosure" issues in WordPress, where a PHP error message prints the full filesystem path of the script. Add display_errors = Off to the php.ini file, or add the line php_flag display_errors off to the .htaccess file. Keep log_errors on so the messages still reach the server's error log instead of the visitor's screen.
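Once the steps above are in place, it is worth checking that the site no longer leaks what they were meant to hide. The following is an added example for this article (not code from the original page or from WordPress): an offline audit that takes the responses a crawler would fetch for a handful of paths and reports the leaks covered by steps 5 to 11. The two sites it inspects are constructed here, one before and one after hardening; the login error wording it looks for is the default WordPress text of the time, which is an assumption.

```python
"""Audit captured responses for the information leaks closed by steps 5-11.

Added example for the article above, not WordPress code. BEFORE and AFTER
are constructed responses, not captured ones. A site is a dict mapping a
request (path, or "POST /wp-login.php" for a login attempt with bad
credentials) to (status, body).
"""
import re

GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+([\d.]+)["\']', re.I)
ASSET_RE = re.compile(r'<(?:script|link)\b[^>]*\b(?:src|href)=["\']([^"\']+)["\']', re.I)
VER_RE = re.compile(r'[?&]ver=([^&#]+)')
README_VER_RE = re.compile(r'Version\s+(\d+\.\d+(?:\.\d+)?)', re.I)
INDEX_RE = re.compile(r'<title>\s*Index of ', re.I)
# Default WordPress wording (assumption): it names the failing field.
ENUM_RE = re.compile(r'Invalid username|password you entered for the username', re.I)


def generator_version(html):
    """Version from the <meta name="generator"> tag, or None (step 5)."""
    m = GENERATOR_RE.search(html)
    return m.group(1) if m else None


def versioned_core_assets(html):
    """(url, ver) for wp-includes assets still carrying a ?ver= parameter (step 6).
    Core assets default to the WordPress version when no explicit one is set."""
    leaks = []
    for url in ASSET_RE.findall(html):
        m = VER_RE.search(url)
        if "/wp-includes/" in url and m:
            leaks.append((url, m.group(1)))
    return leaks


def login_error_enumerates_users(error_html):
    """True if the failure message reveals whether the username exists (step 9)."""
    return bool(ENUM_RE.search(error_html))


def audit(site):
    """Return a list of human-readable findings; empty means nothing leaked."""
    findings = []
    _, home = site.get("/", (0, ""))
    v = generator_version(home)
    if v:
        findings.append(f"generator meta tag reveals WordPress {v}")
    for url, ver in versioned_core_assets(home):
        findings.append(f"core asset leaks version {ver}: {url}")
    # wp-config.php normally executes and returns 200 with an empty body, so
    # the status alone proves nothing; look for the secrets in the body.
    _, body = site.get("/wp-config.php", (404, ""))
    if "DB_PASSWORD" in body:
        findings.append("wp-config.php is served as text")
    status, body = site.get("/readme.html", (404, ""))
    m = README_VER_RE.search(body) if status == 200 else None
    if m:
        findings.append(f"readme.html reveals WordPress {m.group(1)}")
    status, body = site.get("/wp-content/uploads/", (404, ""))
    if status == 200 and INDEX_RE.search(body):
        findings.append("uploads directory listing is enabled")
    _, body = site.get("POST /wp-login.php", (0, ""))
    if login_error_enumerates_users(body):
        findings.append("login error distinguishes bad username from bad password")
    return findings


BEFORE = {
    "/": (200, '<html><head><meta name="generator" content="WordPress 3.5.1" />'
               '<link rel="stylesheet" href="http://example.com/wp-includes/css/admin-bar.min.css?ver=3.5.1" />'
               '<script src="http://example.com/wp-includes/js/comment-reply.min.js?ver=3.5.1"></script>'
               '</head><body></body></html>'),
    "/wp-config.php": (200, "<?php\ndefine('DB_PASSWORD', 'hunter2');"),
    "/readme.html": (200, "<h1>WordPress</h1><p>Version 3.5.1</p>"),
    "/wp-content/uploads/": (200, "<html><head><title>Index of /wp-content/uploads</title></head></html>"),
    "POST /wp-login.php": (200, '<div id="login_error"><strong>ERROR</strong>: Invalid username.</div>'),
}
AFTER = {
    "/": (200, '<html><head>'
               '<link rel="stylesheet" href="http://example.com/wp-includes/css/admin-bar.min.css" />'
               '<script src="http://example.com/wp-includes/js/comment-reply.min.js"></script>'
               '</head><body></body></html>'),
    "/wp-config.php": (403, "Forbidden"),
    "/readme.html": (404, "Not Found"),
    "/wp-content/uploads/": (200, ""),  # blank index.php
    "POST /wp-login.php": (200, '<div id="login_error">Wrong username or password.</div>'),
}

if __name__ == "__main__":
    for name, site in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(site) or ["no findings"])
```

Run against the hardened site the audit returns no findings; against the unhardened one it reports all seven leaks. Point it at real responses by fetching the same five requests with any HTTP client and filling the dict.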

Questions To Ask

If you aren't technically savvy or don't have access to make the changes yourself then contact your web designer to carry out the changes above or ask them what other security service plans they offer. Below are 8 questions you can ask your designer:

  • Will I be notified when someone tries to execute a brute-force attack on my site?
  • What security risks and vulnerabilities do you scan for?
  • Do you provide a "fix" for known risks and vulnerabilities?
  • Are attackers' IP addresses logged, and are suspect IP addresses banned?
  • What checks are made to ensure core WordPress files have not been corrupted?
  • Do you provide a "login captcha"?
  • Will my site be scanned on a regular basis?
  • Will backups be carried out on a regular basis?

Take the security of your WordPress website seriously! It's far easier to take precautions now than to try to recover a hacked site.

If your designer can't provide a security solution contact us and we will talk you through your options.