What is WordPress Security?
WordPress content management system powers over 35% of all websites on the Internet and is by far one of the most popular ways to build a website, with thousands of WordPress themes and plugins. This alone poses a problem with regards to WordPress security. There have been numerous problems regarding the security of WordPress websites, however, this string of problems typically follows when users aren’t practicing best security measures when deploying their WordPress site. With WordPress being utilized by so many enterprises and organizations these days to power their content, WordPress security and overall web application security are vital for protecting your informational assets.
What are Common WordPress Vulnerabilities?
The list of WordPress security issues is endless, but there is a handful of which appears to be recurring among those who are setting up their WordPress sites. These plethora of vulnerabilities in WordPress sites are often the reason why they’re such a popular target for malicious adversaries. It was reported in 2018 that 90% of all compromised content management systems were indeed WordPress sites.
Below are some of the most common WordPress security-related issues often encountered by those deploying WordPress sites.
1. Outdated Software
Outdated software, plugins, and themes are ripe with security vulnerabilities and are often collected in readily available resource databases for those looking to exploit them. When site developers don’t update the WordPress version and its associated plugins or themes, the site will continue to operate with these WordPress security issues, ultimately resulting in compromise of the site’s information and data.
2. Untrusted Software
Often WordPress sites will make use of plugins or themes that are less credited and come packed with security issues of their own such as malware and backdoors. These components are designed so that when they’re added can immediately compromise your WordPress site and can be extremely difficult to detect.
3. The Login Page
Your WordPress login page alone provides several avenues for attack when it comes to compromising WordPress sites. Brute-force attacks in which login credentials can be guessed from a database of common usernames and passwords to gain unauthorized access into an account associated with that WordPress site and make changes or retrieve sensitive information. Additionally, to enhance brute-force attacks, if username enumeration can be performed on the login page, the malicious adversary can develop their own list of valid usernames.
4. Your Environment
Where you host your WordPress site and how you’re maintaining the security of the server hosting your WordPress content are also key components in determining the overall susceptibility to WordPress-targeted attacks. A lot of this relies on your infrastructure and network security as you want to reduce the number of attack vectors to your organization’s assets, thus broadening the scope beyond just application and WordPress security.
5. Injection Flaws
Lack of input validation and sanitization can lead to manipulation of database information and contents or back-end data through the use of queries or commands in existing forms or input fields on the WordPress site. This WordPress vulnerability can lead to the disclosure of sensitive information and ultimately, the overall compromise of the site’s data.
How can you Secure your WordPress Site?
Based on the listed vulnerabilities, there are also a number of tips that your website can leverage to overall improve your WordPress security.
- Maintain WordPress and Plugins: Since outdated WordPress sites make up a great portion of the WordPress security-related issues, it’s important that the WordPress software along with any installed plugins and themes are always updated to the current version. There are also numerous WordPress security plugins such as iThemes Security Pro which has a WordPress version management feature that allows you to automate updates ensuring that any critical security patches are applied.
- Install from Trusted Sources: In addition to keeping all updates current, make sure to only install WordPress plugins that are from trusted sources. If you’re unsure whether or not a plugin is trusted or safe, you can install WordPress security plugins such as WordFence or MalCare which can scan your WordPress themes and plugin files to check for signs of malicious intent.
- Restrict Access to Admin Console: There are several areas of the login page that pose a security vulnerability to your WordPress site. First and foremost, it’s important that the WordPress login page only is exposed if necessary and to those that need access to it, therefore imposing network restrictions or forbidding access to pages such as wp-admin, wp-login, and xmlrpc is key.
iThemes Security Pro is a WordPress security plugin that helps to limit the number of login attempts to protect your WordPress login page from brute-force attacks. Implementing a password policy in addition to this is critical to ensuring that the strength of your passwords is also sufficient to prevent successful brute-force attacks.
Lastly, if brute-force deems successful, enforcing multifactor authentication is an additional layer of security which makes it more difficult for an adversary to gain access into that account. Additionally, make sure to return general error messages for all valid and invalid usernames attempted and leveraging login CAPTCHAs can also prevent further ease of these attacks.
- Use a Secure Hosting Provider: Web hosting is an important aspect of securing your WordPress site overall, and so choosing a reputable one and securely integrating your site is key. A few tips to harden the server hosting your WordPress site include:
- Limiting the number of open ports on the system to only the absolutely necessary ports
- Locking down any remote access protocols being used
- Keeping any installation of software up-to-date and applying missing security patches
- Since your network security plays a large role here, there are several resources on our site for more information on how you may begin locking down your enterprise infrastructure.
- Protective measures for securing against injection-based attacks include sanitizing and validating the input retrieved from users and analyzing how it is being interpreted and stored on the back-end, as well as making use of parameterized queries and encoding input. There are plugins such as Sucuri which can help to look for areas where injection attacks may be successful.
In addition to the most common WordPress vulnerabilities and their recommended remediations listed above, there are several additional ways you can improve the security of your WordPress site. A few of these are listed below:
- Implement additional security measures such as secure encryption (SSL/TLS) on your website to prevent malicious adversaries from sniffing for credentials over an insecure login portal
- Prevent users from accessing back-end and configuration files, as well as disabling any directory indexing
- Disable access to xmlrpc.php which can help avoid an avenue for brute-force and denial-of-service (DoS) attacks
- Make use of quality web hosting and WordPress security plugins such as All in One WP Security & Firewall or Sucuri Firewall to help limit the impact of an attack.
How can we Help?
Overall, this process can feel very overwhelming but implementing the above countermeasures is a good place to start. If you’re interested or need help getting started with securing your WordPress site, please feel free to contact us.
Several of the recommendations outlined with regards to how to secure your WordPress site are often regarded as overall best practices for securing any web application which developers often fail to address when deploying their website. At Packetlabs, we perform web application security testing with this in mind. Our web application security testing approach is tested against the Open Web Application Security Project (OWASP) Top 10 Security Risks.
The OWASP Foundation provides a methodology for performing web application security testing which provides us with the fundamentals of how to assess your application security posture. Therefore, knowing how to secure a WordPress site is two-fold, not only must you know what goes into deploying a secure WordPress site, but you must understand the role of overall web application security and vulnerabilities to truly maintain it.