With WordPress running on one in five websites, it comes as no surprise that these sites are a popular target for experienced hackers and script-kiddies alike.
WordPress sites are notoriously lacking when it comes to security, often due to the insufficient security expertise of the developer, or the use of the many potentially insecure plugins available. For example, in 2013, around 90,000 WordPress sites were hijacked for use in a botnet. They are also a popular target for malware.
The following are the top 10 measures that can be taken to address some basic security holes or malpractices that are commonly present in thousands of WordPress sites today:
1. Run the Latest Version of WordPress
Running the latest version of any software is probably the most obvious security measure that should be taken. However, with over 86% of WordPress installations running outdated versions, this point can’t be stressed enough. Each update not only brings with it new features, but more importantly, bug fixes and security fixes. These help your site remain safe against easy-to-exploit vulnerabilities.
2. Run the Latest Versions of Themes and Plugins
However, running the latest version of WordPress is not enough – your site’s plugins and themes could still contain vulnerabilities that can compromise security. Recently, for example, an older version of Slider Revolution, a very popular WordPress plugin that is used by a large number of WordPress themes sold on the Envato Market, allowed malicious users to steal database credentials.
3. Be Selective When Choosing Plugins and Themes
Plugin enumeration easily allows attackers to discover what plugins your WordPress site is using. By avoiding the installation of unnecessary plugins you automatically reduce your site's attack surface. When choosing which plugins and themes to use, be selective. Before installation, read up and check how many downloads they have and when they were last updated.
4. Remove Inactive Users
Users, especially administrators and others which have the ability to modify content, are among the weakest points of any site because, unfortunately, most users choose weak passwords. If you absolutely need to keep inactive users in your WordPress database, change their role to ‘subscriber’ in order to limit their actions.
“Running the latest version of WordPress is not enough – your site’s plugins and themes could still contain vulnerabilities”
5. Prevent Directory Listing
Directory listing occurs when the web server does not find an index file (i.e. an index.php or index.html) – and, if directory listing is turned on, the server will display an HTML page listing its contents. This could be used to exploit a vulnerability in a WordPress plugin, theme, or even the web server itself.
6. Use Complex Security Keys
WordPress makes use of a set of long, random and complex security keys. A security key functions similarly to a very strong password or passphrase and should contain elements that make it harder to generate enough options to crack. You can either make your own random keys, or you can use WordPress’ online key generator.
7. Restrict Access to wp-admin Directory
Password protecting your WordPress admin area through a layer of HTTP authentication is an effective measure to thwart attackers attempting to guess users’ passwords.
8. Disable File Editing
By default, WordPress allows administrative users to edit PHP files of plugins and themes inside the admin interface. This is often the first thing an attacker would look for if they manage to gain access to an administrative account since this functionality allows code execution on the server, so disabling it enhances security.
9. Enable HTTPS for all Logins and wp-admin
HTTPS is usually synonymous with shopping carts and internet banking, but in reality, it should be used whenever a user is passing sensitive information to the web server and vice-versa. TLS/SSL may significantly consume server resources depending on traffic, consequently it is not required for the entire site. However, WordPress’ login form and admin area are probably the most sensitive areas of a site and therefore it is strongly advised that TLS/SSL is enforced here.
10. Restrict Direct Access to Plugin and Theme PHP files
Allowing direct access to PHP files can be dangerous. Some plugins and PHP files can contain PHP files that are not designed to be called directly, causing the PHP interpreter to display errors or warnings which may lead to information disclosure. Additionally, restricting direct access to PHP files prevents attackers from bypassing security measures (such as authentication) when code is split up into smaller files.
Aim to follow these basic measures to keep your WordPress sites safe – they are a good starting point in making security a top, and ongoing, priority.
About the Author
Ian Muscat is a technical and QA engineer at Acunetix, spending his time identifying new web vulnerabilities and assisting customers in remediation of the flaws uncovered. Ian is particularly interested in the vulnerabilities present in open source applications such as WordPress.