The best way to make WordPress more secure right now


The easiest and quickest way to make WordPress more secure and prevent 90% of hack attempts is child's play!

Do you remember something called the "Panama Papers" from a few years back? It was the biggest leak of confidential data in history, as far as we know. It involved the financial and personal data from over 214,000 offshore accounts.

An outdated WordPress plugin was part of what made that leak possible.

And do you recall in February 2017, when hackers defaced 1.5 million web pages? A WordPress flaw allowing malicious users to change WordPress page contents was responsible. The attacks happened despite the fact that a fix for the problem was already published.

Or maybe you remember when celebrity chef Jamie Oliver's blog was hacked? Some of his 10 million monthly visitors were infected with malware. An outdated WordPress plugin is also presumed to have been the cause (though not yet confirmed).

Such stories of internet attacks are making it onto mainstream media more often. This is a trend that will continue.

It's inevitable that some of these stories involve the most popular software of the day. For example, it's common to hear of malware and viruses on the Windows operating system. This is because it's hugely popular and most people are familiar with it.

The same holds true for websites.  WordPress runs about 30% of websites on the internet these days, so it's only natural that it's involved in many of these attacks.

The cause of most website hacks

The vast majority of website hacks such as those mentioned above involve WordPress. Do you know the other major thing they have in common?

The websites are usually running software that's out of date.

Read on for the one simple - and hopefully now obvious - tip that could have prevented all of these attacks.  This tip is guaranteed to make WordPress more secure.  

For all you know, it could even prevent the next attack on your own website.

If you're short on time, then skip to the step-by-step details to securing WordPress below.

Why are there so many WordPress updates?

First, a bit of background. If you log into your WordPress dashboard often, you'll have noticed that releases are frequent. There were just two new WordPress versions released in 2017. But there were a whopping ninety-five updates released. (These releases were for all currently maintained versions!)

There’s a good reason for all these updates.  WordPress is a popular target for hackers (see Fact 3 on this page).  They are always looking for - and finding - new problems in the software. They can then exploit these security cracks to gain access to WordPress websites.


Because of this, the WordPress development team are continuously repairing any problems found. Hence the large number of updates they release. Take a quick look at the changelog for each release (e.g. here, here and here). You'll notice the vast majority of updates deal with security problems found in earlier versions of WordPress.

Each of these updates is designed to make WordPress more secure; each one is another brick in the wall keeping out the intruders.

Why WordPress is popular for hackers

There is one big reason for WordPress being the most hacked website platform in the world right now: its popularity. There are around 80 million published sites on the internet. An estimated 30% of these run on WordPress. That's 23 million sites for WordPress hackers to mess with!

The second reason for its popularity with hackers is WordPress’s ease of use.  

Today, anyone with very little technical knowledge can build and run a WordPress website. As a result, many of these WordPress sites aren't maintained properly. Their owners don't know the steps they should be taking to make WordPress more secure.

Back to my favourite analogy of a car: once the engine is running, even a child can drive it. (They're very unlikely to drive it well and very unlikely to drive it safely. But they could probably drive it at least a short distance before something stopped it.)

So, the main reasons WordPress is the most attacked website platform are:

  • the low barrier to entry caused by WordPress's ease of use
  • its resulting popularity

Why would Hackers attack MY little WordPress website?

I’m often asked “why would hackers be interested in my little site?”

There are several answers I usually give to this:

  • They aren't. Not really. At least, not specifically in your site; it's just another website to them. They rarely care about the individual site. The hacks are performed by robots crawling the web, looking for known problems in past versions of WordPress.
  • Hacking your site could give them further access to anyone you might work with online.
  • Just because they can.

Granted, there is increasing awareness surrounding cyber threats. But it's evident that the motivations driving online crime go far beyond financial gain.  They can include political, ideological or even I-just-want-to-break-something reasons.

These are not mischievous minors using your website for harmless pranks.  There's no need to panic, but take the threats they pose to your website seriously.

So, what’s a bewildered site owner to do?  Well, here’s the very first thing you need to do.

The one thing to do right now to make WordPress more secure

It's child's play ...

1. Log in to your WordPress site.  This will bring you to your WordPress dashboard.

2. Go to Updates at the top of the menu on the left (https://<yourwebsite.tld>/wp-admin/update-core.php).


All the updates available for your site are listed here.


3. Update WordPress to the latest version by clicking Update Now.

Strictly speaking, this is the second step.

The first step before ever working on your site is to take a backup. But you knew that already. I've removed it from the sequence of steps you should take here because:

  • backups are such a fundamental step and
  • they should be running automatically and repeatedly in the background anyway
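To see for yourself how far behind a site is, here is an added example that is not part of the original post: it reads the `$wp_version` string that WordPress core stores in wp-includes/version.php and compares it with the latest release of each maintained branch, since a site can be behind its own branch's security point release as well as behind the current major version. The sample file contents and the release list are constructed; on a live site the Updates screen above gives you the same answer.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of the lines WordPress core keeps in wp-includes/version.php
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string.
 */
$wp_version = '4.8.5';

$wp_db_version = 38590;
"""

_VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'\s*;")


def parse_wp_version(php_source: str) -> Optional[str]:
    """Return the version string assigned to $wp_version, or None if absent."""
    match = _VERSION_RE.search(php_source)
    return match.group(1) if match else None


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric sort key so that 4.9.10 ranks above 4.9.4 (plain string
    comparison gets this wrong). A pre-release suffix such as '-beta1' is
    dropped and missing components are padded, so '4.9' equals '4.9.0'."""
    parts = [int(p) for p in version.split("-", 1)[0].split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def needs_update(installed: str, candidate: str) -> bool:
    return version_key(installed) < version_key(candidate)


def check_install(php_source: str, releases: List[str]) -> Dict[str, object]:
    """Compare the installed version with the latest release of each maintained
    branch. 'releases' is constructed here; the Updates screen lists the same."""
    installed = parse_wp_version(php_source)
    if installed is None:
        return {"installed": None, "error": "could not read $wp_version"}
    branch = ".".join(installed.split(".")[:2]) + "."
    in_branch = [r for r in releases if (r + ".").startswith(branch)]
    branch_latest = max(in_branch, key=version_key) if in_branch else installed
    newest = max(releases, key=version_key)
    return {
        "installed": installed,
        "branch_latest": branch_latest,  # point (security) release for this branch
        "newest": newest,                # current major release
        "behind_branch": needs_update(installed, branch_latest),
        "behind_newest": needs_update(installed, newest),
    }
```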

Precautions

As usual when dealing with any technology, there are some things to watch out for:

  1. Always check through your website after installing updates. You may not notice any error messages. But older plugins sometimes don't work too well with a newer version of WordPress. There is an almost infinite* number of plugin combinations. You can see why you must check manually by going through the site and testing its functionality and appearance. (*Infinite for all practical purposes. I tried to calculate the number of possible combinations. The result was too big for my calculator!)
  2. You should read the changelog for each update.  This is a text file that comes with the new release. It explains what changes were made and any known problems already found.
  3. It's always possible that an update can introduce problems. These could be even more dangerous than those it tries to fix.  Stay up to date with the latest WordPress news. Visit the WordPress.org site and your plugin authors' pages.

Conclusion

Now you know the single best thing you can do right now to make your WordPress website more secure.  Trust me, your site is now much less likely to be hacked and defaced by an automated program.

Next, why not make your site even more secure by following the tips in this article:

Make your WordPress website more secure in 30 minutes

Take just half an hour and a few easy steps to making your WordPress website more secure.

Sources

  1. Panama Papers: Email Hackable via WordPress, Docs Hackable via Drupal. (2016, April 08). Retrieved March 16, 2017, from https://www.wordfence.com/blog/2016/04/panama-papers-wordpress-email-connection/
  2. Constantin, L. (2017, February 10). Recent WordPress vulnerability used to deface 1.5 million pages. Retrieved April 10, 2017, from http://www.pcworld.com/article/3168846/security/recent-wordpress-vulnerability-used-to-deface-1-5-million-pages.html
  3. https://blog.malwarebytes.com/threat-analysis/2015/02/celebrity-chef-jamie-olivers-website-hacked-redirects-to-exploit-kit/
by Seán | February 5, 2018

Viktor - May 16, 2018

If you are about to block WordPress attack vectors then read through this list.

-> Compromise from hosting provider

Choose an enterprise-level server provider (e.g. UpCloud)
Secure control panel access: 2FA, login notification
Secure API (IP whitelist)
Subscribe to status updates
Protect computers used for logging in (HitmanPro.Alert)

-> Compromise through server software

Use modern server software (OS, web server, PHP version, in-memory cache, database)
Hide server software version
Don’t install multiple websites on a server / separate by OS user
Subscribe to OS security updates

-> Server-side

HTTPS websites receive fewer attacks: force HTTPS (HSTS)
Block known hostile networks (myattackers-ipset)
Preventively block vulnerability scanners (WordPress Fail2ban)
Restrict access to core, theme and plugin files and directories (wordpress.inc.conf)
Disable file upload to the server
Source code integrity check (hourly)
Alert on source code change (hourly)
Have daily offsite backup
Keep backups for one week

-> Application

Delete unused plugins and themes and demo content
Audit plugins and themes (source code) – prefer authors providing enterprise services
Install an auditing plugin
Disable file editing
Block on WordPress security events (WordPress Fail2ban)
Add SRI (Subresource Integrity) attributes to elements with foreign CDN content
Content Security Policy (CSP) HTTP header
Choose wisely if you decide on a page builder

-> Authentication

One administrator per site
One user account per natural person
Remove roles from unused accounts
Disallow weak passwords
Two-factor authentication
Alert on foreign country logins (PHP geoip_country_code_by_name() or Apache mod_maxminddb)
Analyse HTTP headers on login (WordPress Fail2ban)
Limit login attempts (WordPress Fail2ban)

All the best!
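Viktor's SRI item in practice, as an added example that is neither the comment author's nor the post's own code: it computes the integrity value a browser checks for a CDN-hosted script and verifies a fetched copy against it, so a tampered or silently replaced file on the CDN is refused rather than executed. The script body is constructed.

```python
import base64
import hashlib

# Constructed sample script body standing in for a file served from a CDN
SAMPLE_SCRIPT = b"console.log('hello from a CDN-hosted script');\n"

# Browsers accept exactly these digest algorithms in an integrity attribute
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return the integrity token for content: '<alg>-<base64 digest>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"SRI does not support {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(content: bytes, integrity: str) -> bool:
    """Mirror the browser check: the attribute may list several tokens and
    the resource is accepted if any one of them matches. Tokens with an
    unknown algorithm are skipped, as browsers skip them."""
    for token in integrity.split():
        algorithm = token.split("-", 1)[0]
        if algorithm in SRI_ALGORITHMS and sri_hash(content, algorithm) == token:
            return True
    return False


def script_tag(src: str, content: bytes) -> str:
    """Build the <script> element to paste into a theme or template. The
    crossorigin attribute is required for SRI on cross-origin resources."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            'crossorigin="anonymous"></script>')
```

Regenerate the tag whenever you deliberately move to a new version of the CDN file; until then, any change to the file's bytes makes the browser refuse it.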

    Seán - May 16, 2018

    That’s a good list Viktor, thanks. We implement most of what you suggest. The post isn’t ignoring these extra precautions but it’s dealing only with the very first effective step any user can take right now.
