6 Ways to Protect Your WordPress Site From Hackers
As one of the most popular platforms for website creation, WordPress is a common target for hackers. The sites you work so hard on can be taken away, broken or used to distribute malware. It’s frustrating when your hard work gets stolen or ripped off.
Here are 6 of the most common threats to WordPress sites and how to fix them.
Threat #1: Brute force password attacks
Brute force password attacks are when a computer tries to guess your login information by trying every combination of numbers and letters it knows. For a person, this could take years, but for a computer it could guess a relatively short password in minutes.
This is especially dangerous if the attacker already knows your username. It’s just one fewer thing they have to guess. But hang on, how could they know your username? Well, if you left it as “admin”, then they already do. Even if you’ve changed the username from “admin” (and you really should), there are still ways of finding it out.
Type in your browser window “my-site.com/?author=1” (replace my-site with your domain name and add your WordPress subdirectory, if it’s not on your main domain. So this could be example.com/blog/?author=1). Most often, you’ll see your username come up. If not, try typing the same thing again with 2 at the end, and keep going until 10. You’ll see your username soon enough.
Once an attacker has your username, they can try to brute force your password. If you have an easy password, then the only reason your website hasn’t been hacked yet is that nobody has really tried to.
Solution: Strengthen passwords and limit login attempts
There are plugins out there to prevent user enumeration but the best ways to prevent brute-force password attacks are to choose a strong password and limit login attempts.
Strong passwords
It goes without saying that “admin/123456” is not a good username/password combination (although it is distressingly common). A strong password is long, not a word from the dictionary or Wikipedia (in any language), and contains a variety of symbols.
CLU is the acronym to remember: Complex, Long, and Unique. That, unfortunately, also makes your passwords almost impossible to remember. One option is to use a pass phrase instead of a single word. A computer is going to take a long time guessing a 25-character phrase (assuming 1000 guesses per second, that’s 550 years – source) that’s comparatively easy for a person to remember – it’s harder for a computer to guess a random phrase than it is to guess just one word. A password like “B0ndfriskingmaniacvillain” can be easy to remember but very hard for a computer to brute force.
Just remember – if your attempts to make a secure password lead you to writing it down and sticking it onto your monitor, then that’s already a bad password.
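The CLU rule and the "years to guess" arithmetic above can be turned into a check you run on a candidate password before you save it. The following is an added example (not code from the article or from WordPress); the minimum length of 14, the "three of four character classes" rule and the tiny COMMON_WORDS list are my assumptions standing in for a real policy and a real breached-password list, and the 1000 guesses per second default is the rate the article assumes.

```python
import re

# Constructed stand-in for a real dictionary / breached-password list.
COMMON_WORDS = {"password", "admin", "123456", "welcome", "letmein", "qwerty", "wordpress"}

MIN_LENGTH = 14     # assumption: the article only says "long"
MIN_CLASSES = 3     # assumption: need three of lower / upper / digit / symbol
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def character_classes(password: str) -> int:
    """How many of lower-case, upper-case, digit and symbol appear in the password."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")
    return sum(1 for p in patterns if re.search(p, password))


def check_clu(password: str, previously_used=frozenset()) -> list[str]:
    """Return the CLU rules (Complex, Long, Unique) the password breaks.

    An empty list means the password passes. `previously_used` is the set of
    passwords already used on other accounts, so reuse can be rejected too.
    """
    problems = []
    if character_classes(password) < MIN_CLASSES:
        problems.append("not complex: use at least three kinds of character")
    if len(password) < MIN_LENGTH:
        problems.append(f"not long: {len(password)} characters, need {MIN_LENGTH}")
    if password.lower() in COMMON_WORDS:
        problems.append("not unique: it is a common password")
    if password in previously_used:
        problems.append("not unique: already used on another account")
    return problems


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float = 1000.0) -> float:
    """Worst case for a brute-force search that tries every string of this
    length over this alphabet, at the guessing rate the article assumes."""
    return alphabet_size ** length / guesses_per_second


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float = 1000.0) -> float:
    """Same figure expressed in years."""
    return seconds_to_exhaust(alphabet_size, length, guesses_per_second) / SECONDS_PER_YEAR


if __name__ == "__main__":
    for candidate in ("123456", "B0ndfriskingmaniacvillain"):
        print(candidate, "->", check_clu(candidate) or "passes CLU")
    # Length beats complexity: 25 lower-case letters vs 8 mixed characters.
    print("25 lower-case letters:", f"{years_to_exhaust(26, 25):.3g} years")
    print("8 mixed-case+digits:  ", f"{years_to_exhaust(62, 8):.3g} years")
```

One caveat the arithmetic hides: a pass phrase built from ordinary dictionary words should be counted in words, not characters, because an attacker will guess word by word. That is why the article's example uses an unusual combination rather than a common sentence.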
You can also enable multi-factor authentication. It can seem like a pain, but effective security measures often mean that we need to change our habits just a little bit.
Limit login attempts
No matter how strong your password is, if someone has an infinite number of attempts to guess it, they eventually will. On the other hand, even a relatively weak password can’t be guessed in just a couple of tries. Good security plugins and software will limit the number of unsuccessful login attempts and block IP addresses that try to brute-force your passwords.
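What a login limiter actually does is easiest to see in code. Below is an added example of the idea, not code from the article or from any WordPress plugin: failed attempts are counted per source address inside a sliding window, and once the count reaches a threshold the address is locked out for a while, so that a guessing run gets a bounded number of tries. The thresholds (5 failures in 10 minutes, 30 minute lockout), the single "editor" account and the hashing scheme are my assumptions.

```python
import hashlib
import hmac
import os
from collections import deque

DEMO_PASSWORD = "B0ndfriskingmaniacvillain"   # the article's sample password
_SALT = os.urandom(16)


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed user table: one account, stored as a salted hash, never as plaintext.
USERS = {"editor": _hash(DEMO_PASSWORD)}


def verify_credentials(username: str, password: str) -> bool:
    """Constant-time comparison; unknown usernames are hashed too, so timing
    does not reveal which usernames exist."""
    stored = USERS.get(username)
    candidate = _hash(password)
    return stored is not None and hmac.compare_digest(stored, candidate)


class LoginThrottle:
    """Count failed logins per source address and lock the address out after
    too many failures inside a sliding window. Thresholds are assumptions."""

    def __init__(self, max_failures: int = 5, window_seconds: int = 600, lockout_seconds: int = 1800):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures: dict[str, deque] = {}      # ip -> timestamps of recent failures
        self._locked_until: dict[str, float] = {}  # ip -> time the lockout ends

    def _recent_failures(self, ip: str, now: float) -> deque:
        q = self._failures.setdefault(ip, deque())
        while q and now - q[0] > self.window:   # forget failures outside the window
            q.popleft()
        return q

    def is_blocked(self, ip: str, now: float) -> bool:
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now < until:
            return True
        del self._locked_until[ip]                # lockout expired: start clean
        self._failures.pop(ip, None)
        return False

    def attempt(self, ip: str, username: str, password: str, now: float) -> bool:
        """Return True only if the address is not locked out and the credentials match.
        A locked-out address is refused before the password is even checked."""
        if self.is_blocked(ip, now):
            return False
        if verify_credentials(username, password):
            self._failures.pop(ip, None)          # success clears the failure count
            return True
        q = self._recent_failures(ip, now)
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout
        return False


if __name__ == "__main__":
    import time
    throttle = LoginThrottle(max_failures=3, window_seconds=60, lockout_seconds=300)
    for guess in ("password", "admin123", "letmein", DEMO_PASSWORD):
        ok = throttle.attempt("203.0.113.5", "editor", guess, now=time.time())
        print(f"{guess!r:30} -> {'accepted' if ok else 'refused'}")
```

Two design points matter in practice. The lockout check runs before the password check, so a locked-out client learns nothing, not even whether the right password would have worked. And the key must be the real client address: if the site sits behind a proxy or CDN, trust the forwarded-address header only from that proxy, otherwise a client can spoof a fresh address on every request and the counter never fills.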
Threat #2: Plugins, WordPress version and themes
Remember that no reputable developers try to make software with security flaws. That means that when something comes up, developers stay up all hours patching their software and fixing the code. Imagine their disappointment when people don’t update their sites. A new version of the code isn’t going to help if you’ve still got the old version on your site because clicking the “update” button was too hard.
Check your plugins and themes regularly to make sure that they aren’t out of date and that they don’t have serious security risks. It also makes the developers happy that people value their work.
Another important thing to remember here – people who crack and distribute free versions of WordPress themes? They’re usually including some of their own code in there. And when we say “code”, we mean viruses, Trojans and backdoors that they can use to damage your site.
Solution: Update Your plugins, WordPress version and themes
Enough said. The latest version is the one whose remaining problems nobody has found yet. In the world of information security, that’s as good as it gets.
Also, don’t try to pirate themes. It’s just not worth it. Only download themes from sources that you can trust, and if someone has created a great theme, just buy it. It saves time and trouble in the long run.
Threat #3: Table access
Here’s where we get into a little bit of code – but don’t worry, it’s very simple code.
The first of the two files we’ll be looking at is wp-config.php. This is the file WordPress uses to connect to its database, and the database is where your posts, settings and users are all stored. You want to make sure that nobody other than you can read this file.
The second is the .htaccess file. Apache (the web server software most WordPress hosts run) reads it to decide how requests for the files in that directory are handled. It’s also a very important potential vulnerability. The good news is that it can be used to block web access both to itself and to wp-config.php.
Just by reading these files, attackers can learn how your website is configured, which can lead them to vulnerabilities. Obviously, you don’t want this to happen.
Solution: Your own coding
Here is the code you need to put into your .htaccess file:
# Refuse every web request for wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>
# Refuse every web request for the .htaccess file itself
<Files .htaccess>
order allow,deny
deny from all
</Files>
Just go to your .htaccess file and put that code in there. It tells the server to refuse any web request for those two files, but it won’t stop you from reaching them through local or FTP/SFTP access.
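The directives above are the Apache 2.2 spelling. Apache 2.4 replaced order/deny with Require, and only honours the old form when mod_access_compat is loaded. The fragment below is an added example (not from the article) that works on either version by choosing the syntax at run time; it assumes the site is served by Apache.

```apache
# Apache 2.4 (mod_authz_core present): the modern equivalent of "deny from all"
<IfModule mod_authz_core.c>
    <Files wp-config.php>
        Require all denied
    </Files>
    <Files .htaccess>
        Require all denied
    </Files>
</IfModule>

# Apache 2.2, or 2.4 with mod_access_compat: the article's directives
<IfModule !mod_authz_core.c>
    <Files wp-config.php>
        Order allow,deny
        Deny from all
    </Files>
    <Files .htaccess>
        Order allow,deny
        Deny from all
    </Files>
</IfModule>
```

To confirm it took effect, request my-site.com/wp-config.php in a browser (or with curl -I) and check that the response is 403 Forbidden. Two caveats: .htaccess is only read when the host’s AllowOverride setting permits it, and nginx ignores .htaccess entirely, so on an nginx host the same deny rules have to go in the server configuration instead.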
Threat #4: Phishing
This isn’t so much a specific WordPress problem, as it is a general security problem, but it’s such an important one that it deserves a mention here.
Phishing can take many forms. It can come as spam emails that directly ask you for your passwords or as fake sites that ask for login details. Basically, any way you can think of for someone to try and steal your username and password.
The Solution: Be suspicious
Now, being suspicious is normally not a good thing. But online it can save you. Don’t use links that you get in emails to log onto sites. Log on in a separate window by navigating to the site, as you normally would. Also, never tell anyone your login details over email. No matter who they claim to be.
Threat #5: Cross-site scripting (XSS)
This is the most common threat to WordPress sites and almost deserves an article to itself. It’s a way that attackers can put their own code into your website. Let’s look at how that’s possible.
HTML is the language used to create web pages, and it’s what is called a tag-based language. Almost all HTML tags describe content for the browser to display, with one important exception: <script>. The <script> tag says to the browser “Hey, what’s written inside this isn’t text, so don’t show it to the user. Instead, it’s a piece of code.” This is really useful for creating interactive sites, but it can lead to some big problems if it’s misused.
Now, some fields in a website allow use of HTML – sometimes you want your visitors to be able to put a link in a comment or make their text bold. That’s fine, and it usually doesn’t hurt anything (unless it’s a spam link).
However, if they can put <script> in your pages, then that’s a disaster waiting to happen. They use that vulnerability to change the way your website works, which is never good. Forget what you learned at nursery school – not everything needs to be shared, especially control over your website.
For example, if you have a page that prints the most recent search that a user has made (for example something that reads: “You searched for X”), then this is a sort of pseudo-code that might be what your server says (note: this is not real server code):
print "<html>"
print "<h1>You searched for:</h1>"
print database.latestSearch
print "</html>"
This lets an attacker search for
<script>doSomethingTerrible();</script>
When the page loads, that script will execute because the page will read:
<html>
<h1>You searched for:</h1>
<script>doSomethingTerrible();</script>
</html>
Because the page loads user input as HTML without blocking the <script> tag, the attacker is able to add this script to a page.
That’s XSS in a nutshell, and while there are more complex ways of doing it (hence, all the vulnerabilities related to it) that’s the basic way that XSS works.
The Solution: Approve user input
But hang on, you might think, there’s nowhere that people can create user input on my blog. Why should I be scared of some script tag? But what about the comment section? The same place where people tell you how much your posts rock can also be the place that attackers inject code into your site. This is how most XSS attacks are made, so protect yourself by manually approving comments. It may seem like a lot of work but it can save your website.
You should never allow comments that have a bunch of what looks like nonsense in them – this is probably obfuscated (hidden or disguised) code and you should delete those comments with extreme prejudice.
Apply this principle to all user input on your website, and again, make sure that you update your plugins as soon as new versions come out, as new XSS attack methods get found very often.
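The search-page example and the comment-approval advice above both come down to one rule: user input must be treated as text, or filtered against an allow-list, before it is put into a page. The following is an added example in Python (not the article’s pseudo-code and not WordPress code) that does both: it renders the “You searched for” page the vulnerable way and the escaped way using the article’s own payload, and it sanitises a comment so that only bold/italic formatting and plain http(s) links survive. The allowed tags and the attack strings are my assumptions.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed attacker input: the same payload the article's example uses.
ATTACK = "<script>doSomethingTerrible();</script>"


def render_search_vulnerable(term: str) -> str:
    """The article's pseudo-code made concrete: raw input concatenated into the page."""
    return "<html>\n<h1>You searched for:</h1>\n" + term + "\n</html>"


def render_search_safe(term: str) -> str:
    """Same page, but the term is escaped so the browser shows it as text, not markup."""
    return "<html>\n<h1>You searched for:</h1>\n" + html.escape(term, quote=True) + "\n</html>"


# Allow-list for comment markup (assumption: formatting tags and plain http(s) links).
ALLOWED_TAGS = {"b", "strong", "i", "em", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = {"http", "https"}


class CommentSanitizer(HTMLParser):
    """Rebuild a comment from scratch, keeping only allow-listed tags and attributes.
    Everything else (script, event handlers, javascript: URLs) is dropped or escaped."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.open_tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # tag dropped; any text inside it still arrives via handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # e.g. onclick=, style=
            if name == "href" and urlparse(value).scheme not in SAFE_SCHEMES:
                continue  # e.g. javascript: or data: links
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return  # stray or disallowed closing tag
        while self.open_tags:  # close anything still open inside it as well
            closed = self.open_tags.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))  # text is always re-escaped

    def result(self) -> str:
        while self.open_tags:  # close unbalanced tags so the comment can't swallow the page
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_comment(raw: str) -> str:
    """Return comment HTML that is safe to embed in a page."""
    p = CommentSanitizer()
    p.feed(raw)
    p.close()
    return p.result()


if __name__ == "__main__":
    print(render_search_vulnerable(ATTACK))
    print(render_search_safe(ATTACK))
    print(sanitize_comment('<b onclick="steal()">Great post</b> <a href="javascript:alert(1)">link</a>'))
```

Because the sanitiser decodes entities on input and re-encodes on output, a comment containing the literal text &lt;script&gt; stays harmless text rather than turning into a tag on a second pass. This is the same allow-list approach WordPress applies to comments with its own wp_kses filter; for production use prefer a maintained sanitiser over a hand-written one, and keep the escaping of plain output (the search-term case) separate from the filtering of rich text.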
Threat #6: Using poor software
There is so much software out there that you can use to harden your WordPress site that there is no excuse not to use the very best. These are just some programs that you can use to improve your security, categorised by the threat they cover. Using substandard software will bring you substandard results, so accept no substitutes.
Solution
One thing to remember is that WordPress security is not static – it’s not something that you do once and forget about forever.
Hacking is like all software development. It exists in a constantly changing world that now, more than ever, refuses to stand still.
Make sure you’re checking frequently. Even if you have software that checks frequently for you, it’s always good to be sure.
SOURCE: Crazy Domains