How to Secure WordPress Against Hacking

How to Secure WordPress Against HackingOver the past year there has been an unprecedented flurry of hacking activity worldwide. A massive botnet emanating from former Eastern Bloc countries has been specifically targeting WordPress and other CMS systems with a view to accessing administrative accounts.

On top of that, there have been widespread brute force attacks targeting Cpanel hosting accounts, along with attacks focusing on sites with MS Frontpage Server Extensions left enabled. Distributed Denial of Service attacks have hit many sites, in some cases leveraging innocent WordPress site’s via trackbacks / pingbacks and the XML-RPC vulnerabilty.

WordPress hacking efforts have grown in volume and sophistication as the CMS platform has grown in popularity. Because there are many millions of WordPress-powered websites, a successful exploit offers a vast array of targets.

WordPress, along with other content management systems such as Joomla and Drupal, and forums such as phpBB and vBulletin, are major targets for hackers and spammers. However, in the case of WP at least, basic preventive measures to minimise the risk of hacking need not be complicated nor expensive.

Why Hackers Do What They Do

People often ask “why would anyone bother to hack MY site?”

  1. The general motivation for hacking is to either use the site as a concealed (cloaked) link farm, or to insert some kind of phishing scheme – a fake banking or financial entity designed to acquire user ID and password details. Alternatively, to steal membership / credit card information. So its a financial motive.
  2. Secondly, defacement – usually deactivating your Home page and replacing it with their own. In this case the motive is to brag about their hacking skills…
  3. Malicious attacks designed to hurt your business by making your site slow, unavailable or unreliable. This can be done via DDos (distributed denial of service) attacks. This is costly, so it is most likely a deliberate campaign by a competitor, disgruntled employee or client etc.
  4. Extortion – pay us to stop or we will destroy your business – a less common strategy.

In the 1st instance, it’s rare that actual damage is deliberately done to your site. The intent is that the site owner will remain unaware that there’s been any outside interference for as long as possible. The longer the time period before discovery, the greater the chance of the hacking delivering a financial reward!

In the 2nd instance, you will know immediately because your site will have been rendered inoperable and a “brag” screen will replace your Home page.

WordPress hacked brag screen

In the 3rd instance, you might not be able to connect to your site, it may show “Error, cannot connect to database” or similar. Under DDoS attacks, it is possible that your database may be corrupted as a result of the disconnection…

 

How Do I Know if I’ve Been Hacked? As above, but…

  • You might not know – things will work normally, but your site traffic may slow due to Google highlighting your site as containing malware… That’s a good reason to have your site monitored in Google’s webmaster Tools – as soon as they observe any kind of issue, you receive an alert message!
  • You might know when your Hosting Company shuts down your website at the same time as they send you an email explaining that you are offline until the malware code is removed…

Many hosting companies have a zero tolerance policy for malware and phishing code and the onus is on YOU to ensure your website is protected and secure!

Whilst some of the link injection systems may be very sophisticated, testing for them can also be as simple as opening your site and choosing View / Source and reading through the content of the <Head> section down to, and including, the <BODY> tag. The link injections I’ve seen are usually immediately after <BODY>. If there is a long string of HTML code containing links to dozens of sites you know nothing about, its likely that your site has been compromised.

Phishing code is more difficult to find, as its usually concealed deep inside in nested sub-directories, often using directory names that look logical.

How To Identify and Block the Entry Points

This article is less about fixing security violations and more about implementing simple preventive measures. Whilst some may scoff at using “security by obscurity,” I think that any efforts you take to keep yourself OFF a hacking target list make just as much sense as implementing security systems to prevent an assault succeeding!

The main entry points for WordPress hackers are;

  • guessing Admin User ID and Password combinations
  • exploiting known vulnerable URL’s – especially wp-config.php
  • targeting MySQL databases
  • targeting known plugin and / or theme vulnerabilities
  • software that is out of date and does not have the latest security patches applied

Added to that, hackers can be very quick to exploit weaknesses such as;

  • inadequate directory permissions – 777 instead of 755
  • forgotten instances of MS Frontpage Server Extensions that can easily be exploited
  • weak hosting account / FTP passwords, attacked via Cpanel Cracker

You need to understand that hacking activity also happens at multiple points – hosting account Control panels and Domain Registrar accounts are prime targets! A lot more can be achieved at this level than can be done at WordPress Administrator level.

The following steps can and should be taken on EVERY WordPress site to minimise the possibility of a successful hacking attack.

1.) Via FTP, edit your .htaccess file and add in the following items after the #END WordPress section;

# Disable directory browsing
Options All -Indexes
# Protect wp-config.php file from being accessed from outside the site
<files wp-config.php>
order allow,deny
deny from all
</files>
# Protect XMLRPC from being accessed from outside the site
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
# Protect HTACCESS from being accessed from outside the site
<Files .htaccess>
order allow,deny
deny from all
</Files>
# Protect ERROR LOGS from being accessed from outside the site
<Files error_log>
Order allow,deny
Deny from all
</Files>

2.) Within wp-config.php use Wordpad to add in the following items;

# Disable admin editing – stops theme and plugin edits from within WP Admin
define( ‘DISALLOW_FILE_EDIT’, true );
#
# Disable error reporting – stops hackers accessing information about your site’s responses to their efforts
error_reporting(0);
@ini_set(‘display_errors’, 0);

3.) A recommended by WordPress, set Permissions on wp-config.php to “600” instead of the default “644”

 

Stay off The Hacker’s Radar

Much of what hackers do is automated… and just like us, they use Google as a search tool to find potential victims. In the case of a known security vulnerability in a core function, plugin or theme, a Google search for likely targets is the first stage of a hacking effort.

1 – Prevent Google Indexing Vulnerable Areas? Not any More!

Major search engines respect the instructions issued in the robots.txt file. It was once common to disallow indexing of wp-includes, wp-admin, plugins and themes directories, along with licence.txt and readme.html etc. That helped minimise the chances that your site made it onto a hit list of sites with known vulnerabilities.

Unfortunately, Google’s change in policy on “mobile-friendly” had an unexpected impact – if you block access to core and theme files, you probably won’t pass the Mobile-Friendly test now!

2 – Removing WordPress Identifiers

Remove the Powered by WordPress credit details in the footer of your website’s theme – e.g.; /wp-content/themes/the-current-theme/footer.php. This is another mechanism to reduce the chances of the ill-intentioned finding your site in the first place! Try it – do a search on Google for “Powered by WordPress” and you’ll get the picture… There are millions competing page opportunities out there for hackers!

By all means give WordPress the credit they deserve – but you could do it on your links page, or make it a graphic / image link instead of text…

A lot of WordPress themes come with a WP version HTML tag in the <HEAD> section. In View / Source it displays as follows; <meta name=”generator” content=”WordPress 3.9-RC1″ />

Obviously, this immediately reveals the WordPress version used on the site. Since some versions may be vulnerable to known security flaws, it makes sense NOT to tell hackers anything at all… Removing this giveaway is usually straightforward enough. Simply open up /wp-content/themes/the-current-theme/header.php and delete the code that’s outputting the Meta Generator tag.

You could also remove links to “Log In” from the current theme’s footer. There are millions of competing page opportunities for a Google search for “wp-login.php” and it’s probably a good thing to not be on that list either.

– but again –  good security plugin does all this for you…

Removing those WP identifiers eases you out of the “easily found via simple searches” realm.

3 – Remove Theme Identifiers

For the same reason, remove the Powered by XYZ Theme credit details in the footer of your website’s theme – e.g.; /wp-content/themes/the-current-theme/footer.php.

Security flaws are sometimes found in a specific design theme. Making your theme and version less obvious and not readily identifiable makes sense.

4 – Use Premium Themes with a Built-in Upgrade Path

Many themes have an array of libraries and plugins built into them, yet don’t provide an upgrade mechanism. Old versions of plugins within a theme which is not updated are a serious security liability.

You get what you pay for! Investing $75 in a premium theme from a reputable company will generally give you both professional design, standards compliance AND an upgrade path. A good example is Studiopress and its Genesis platform, coupled with its array of child themes. Primary functionality is built into the core, which is easily upgraded without impacting the child theme’s design and layout. Regular upgrades provide security enhancements as well as new features and functions.

That adds up to increased peace of mind.

Enforcing The “No Trespassing” Signs

There are some simple things that every site owner should do to prevent unauthorised Admin-level access via brute-force password cracking methods.

1 – Don’t Ever Use Default Admin ID

If you use “admin” as the default user ID, you’ve provided hackers with 50% of the puzzle and they only have one item left to crack – the admin password! Under no circumstances should you use “admin” – instead, pick a somewhat more complex User Name, and complicate the situation even further by making guessing it more difficult!

  • Pick an obscure User Name
  • Set a different Nickname
  • Set the Nickname as “Show Public Name”

Doing so means a hacker has no idea what your actual Admin User ID is, nor any easy way to establish it. Security plugins such as Wordfence remove any clues as to the validity of a User ID used in password guessing efforts. In addition, Wordfence allows you to immediately block anyone who uses an invalid User ID in a login attempt.

2 – Don’t Use Easy Passwords

Don’t make it easy for the hackers! Use super-difficult passwords that are impossible to guess, and not easy to crack. That applies equally to the;

  • WordPress administration account
  • hosting account control panel & FTP access
  • WP Database

If you can remember the password, it is TOO EASY! Set passwords that;

  • Are a minimum 15 – 18 characters long
  • Contain mixed case alphabetical characters, numbers and special characters
  • Don’t have any recognisable words

Above all, make sure you use a different passwords for each of those areas!

If random password creation is a challenge, go tohttp://passwordsgenerator.net/

Activate the “Enforce Strong Passwords” on Wordfence to ensure users cannot use trivial passwords.

3 – Force a password change on all users;

  • edit the wp-config.php file and replace the full set of Secure Keys
  • get new keys here; https://api.wordpress.org/secret-key/1.1/salt/

 

Inhibit Script-Based Attacks

Most of the hacking efforts are script-based and target the WordPress generic default settings. By ensuring that your site is not using the same settings as a normal site, you minimise the effectiveness of SQL injections and script-based hacking attacks on your site.

1.) Don’t Use the Default wp_database table prefix

If you did so when the site was first created, there is a plugin for that….

It will change the database table prefix and also update the wp-config.php file so it uses the correct prefix.

2.) Install WordPress in a Sub-directory

This is very effective against script-based attacks… The majority of WordPress installations do not use the option to store WordPress core files in a sub-directory, even though it is an option in the installation process. The usual file targeting attacks assume that files will be in the usual;  www.yoursite.com/wp-content/plugins/ or www.yoursite.com/wp-content/themes/ locations.

By having a www.yoursite.com/subdir/wp-content/ structure you escape the ‘automated’ attentions of an attack script…

 

Use A Reliable WP Security Plugin

My business involves providing security and website maintenance for a great many clients in different countries. Over the past few years, I’ve worked through many hacked sites, undoing the damage wrought by various hacking methods and restoring sites to their correct operating state. The old adage that “An ounce of prevention is better than a pound of cure!” is still very relevant when it comes to site security!

1 – Good Security Plugins for WordPress.

One of the easiest to use and fullest-featured plugins is Wordfence. It provides a range of core functions that provide fine-grained control over the highest-risk areas of the site. Configuring it at the maximum Threat Level 4 implements a broad series of settings that will provide a high degree of protection. By immediately blocking any logins from incorrect User Names, Wordfence effectively resolves brute-force password efforts.

Another key feature is that as IP Addresses are blocked on any website participating in the global user base, the IP Address is added to a central pool of bad addresses and shared across the Wordfence Servers to all other sites.

I have used the Sucuri Security plugin alongside Wordfence because it covers different ground and has some excellent tools to aid in any restoration efforts should WP be breached by an unforseen event (Cpanel of FTP hacking affecting WP files etc). For example, Sucuri is capable of;

  • installing WP Salts to force new logins after password changes
  • restoring ALL plugins to original state from the WP repository

NB: WordPress security plugins harden your site against threats to the content management system’s administrative interface.

This does NOT provide any protection to other areas under threat, such as the hosting account or FTP port access.

2 – Implement Country Blocking on Admin Area

Given the massive botnet attacks that have taken place this year, wisdom suggests that doing what you can to screen out some parts of the world from accessing your website makes sense. If you are an English-language website providing a localised business service in the USA, Australia or the UK etc, you certainly don’t need the risk of incoming traffic from known trouble-spots. The premium / paid version of Wordfence provides Country Blocking.

Sure, the determined manual hacker can use a proxy server to bypass the country blocking rules. However, the highest volume of attacks of late emanate from automated botnets from across the old Eastern Bloc countries. Block those and you’ve significantly reduced the overall volume of IP Addresses at a botnet’s disposal by millions!

A premium license for Wordfence includes that functionality, or you can use something like IQ Block Country plugin which is admittedly a lot more awkward to install and maintain.

3 – Implement Cloudflare CDN (Content Delivery Network)

This works by routing all incoming visitors through Cloudflare servers before they reach your site and pre-screening them against known trouble sources. Nothing changes on your website, it works as before. A background change to your Name Servers implements the rerouting function. Their Basic service is free… Their Premium version is $20 per month and provides good first response to perceived threats.

https://www.cloudflare.com/overview

“We automatically optimize the delivery of your web pages so your visitors get the fastest page load times and best performance. We also block threats and limit abusive bots and crawlers from wasting your bandwidth and server resources.”

There is a WP plugin for Cloudfare;

4. Implement Sucuri Cloudproxy Firewall

There is a “modest-cost” option for small business websites and Sucuri protection is world-class. The bad guys are filtered out before they reach your website. It is possible to uses BOTH Cloudflare CDN and the Cloudproxy Firewall at once… this is possibly the ultimate solution as load times are fast all over the planet AND your site is automatically protected from those with nefarious intent about to hack it.

Sucuri techs will help you with the configuration, and it can usually be all sorted within minutes.

5 – Implement a WAF (Web Application Firewall)

I now use Ninja Firewall on all sites I manage because attacks seem to be increasing in frequency and severity. The Ninja Firewall is an excellent bit of kit but does require a little more technical ‘know how’ to implement than the usual WordPress security plugins.

It’s biggest advantage is speed of operation as it sits in between Apache / PHP services and in front of WordPress. Therefore, it filters out attacks without generating noticeable database activity and server load. Other security plugins rely on database requests and/or Ajax to process incoming traffic, slowing things down further still.

Ninja effectively nullifies Brute Force Login attacks and some DDos activities without placing any load on your server.

This is a “must have” application to give your site the best protection.

 

Preventing Software Exploits

WordPress version releases often address recently discovered security issues as well as adding new features and functionality. Persisting with an older version is a very risky strategy indeed.

1 – Upgrade All Software Immediately

Upgrading has always been easy, no more than a button click and WordPress has now evolved to the point where it will initiate minor version upgrades automatically. The community of plugin authors also work surprisingly quickly to address known security problems.

It is a “must do” issue – many WordPress and plugin updates are done specifically to address newly discovered security vulnerabilities. The releases give a clue to the reason, and hackers are VERY fast to exploit every new opportunity. There was a high-profile revelation of a security flaw in a very popular plugin a few months ago. Over 50,000 websites were hacked within a week!

Wordfence Security automatically alerts you to available upgrades…

2 – Ensure File Permissions Are Correct

File system security is an important element in preventing unauthorised access. Over the years, some hosting environments have had different rules for uploading files through WordPress updates and also via FTP. There may have been times when you needed to alter permissions to edit a file, or copy files into a directory. Plugins that work with files have been known to instruct site owners to set specific directory permissions to 777, for example. Have you ever had to reset an images directory permission to 777 in order to upload a file? Did you remember to reset it back to 755 afterwards? If not, you’ve left an unlocked door for any curious hacker! Everyone has read, write and execute permission in that directory and can do anything they like in it!

3 – WP Plugin Security & Integrity

As a general rule, only install plugins from the official WordPress Extend / Plugins repository, or premium plugins from a reputable source such as CodeCanyon etc. Installing plugins from sources of unknown reliability is a high risk strategy and exposes you to exploits!

Think hard about installing OLD plugins – if something has not been updated for a year or two, chances are higher that its not 100% secure. Not everyone who writes a plugin is a skilled and knowledgeable programmer and fully aware of security vulnerability pitfalls…

By way of example, a few months ago a security alert went out about a contact form plugin that had exploitable admin-level access code embedded in it!

4 – WordPress Theme Security Integrity

Free themes are widely available, but you get what you pay for – and sometime more than you bargained for!

  • Can you trust that the source has not included a malware payload?
  • Can you be sure that no security breaches are opened by insecure coding?
  • How can you be sure the theme is coded for current versions of PHP, HTML & CSS

If I want a theme, I’d rather go to a reputable source and purchase a premium theme from a professional author that is coded for the latest version of WP, HTML and CSS standards. That way, some assurance is implied as its suitability for the intended purpose. A clearly stated upgrade policy also adds an additional degree of comfort.

5 – Server, Network and PC Vulnerabilities

Be aware of the configuration of your hosting company’s web server. Is it running old versions PHP, MySQL, Cpanel in a shared hosting environment? If so, that places you at greater risk than being on a hardened server with up-to-date security tools like mod_security and cpHulk services running.

Never access your WP installation from non-secure networks such as an internet cafe, coffee shop or hotel WiFi system.

Another common sense measure is to ensure that the PC you post from uses a current and reputable antivirus software application that also detects malware, spyware and key-loggers.

WP Disaster Recovery Steps

Repairing a security breach is a lot easier if you have complete confidence in your backup mechanisms. Having to restore from backup is quite a rare situation, as most hacking efforts are directed more at stealth than inflicting damage. Efforts are made to hide stuff inside the site without breaking anything in the process.

However, some data centres have been known to terminate hosting accounts that have been breached. Unfair, draconian even – but if a hacker installs a successful phishing scheme into your site, the risk of account termination is very real.

You need to be assured that in the event of sudden and total loss, you are in a position to reinstate your website immediately – and somewhere else if necessary.

1 – Automated Backups

Premium backup plugins can fully automate the process of backing up your WordPress database and/or full file structure. These can email the backup files to you daily, weekly or monthly, or transfer them to your cloud storage account such as Dropbox. Install and use one of them, because they can be a lifesaver in the event that a hacker breaches your website and does actually cause severe damage.

Database backups are only one part of the puzzle. Ensure that you do have a complete backup of the entire site, including WordPress, and most importantly, the /wp-content/ directory which includes all themes, plugins and image data. In that way, it’s relatively easy to relocate your site into new hosting.

2 – Server, Network and PC Vulnerabilities

Be aware of the configuration of your hosting company’s web server. Is it running old versions PHP, MySQL, Cpanel in a shared hosting environment? If so, that places you at greater risk than being on a hardened server with up-to-date tools and services such as cpHulk and Mod_Security running.

Never access your WP installation from non-secure networks such as an internet cafe, coffee shop or hotel WiFi system.

Another common sense measure is to ensure that the PC you post from uses current and reputable antivirus software that also detects malware, spyware and key-loggers.

WordPress Technical Support Services

We provide comprehensive WordPress technical support services: – you never know when trouble will strike, but help is available should you require it. (wwwwordpresstechsupport.co.nz)