LinkedIn, Ashley Madison, Yahoo! and Mossack Fonseca… what do these companies all have in common? Large-scale data breaches have received much coverage in the media recently, prompting a renewed interest in online privacy and security. Today, we’re going to look at WordPress website security and how we can help prevent ourselves from falling victim to an online attack.
WordPress is the most popular content management system available. It’s use is mind-boggling, powering 27% of the entire web. Particularly among those in the wider developer community, WordPress has a reputation as being, perhaps less secure when compared to say… their own preferred solution.
WordPress is a tool available to web developers. It can be used well, it can also be used poorly. The software itself is battle-hardened, partly in thanks to its widespread adoption. There are defined processes in place to handle vulnerabilities and these are documented in The WordPress Security White Paper. A team of 25 professionals are responsible for ensuring vulnerabilities are dealt with in a structured and efficient manner.
I didn’t want to give the world another clickbait-ey, ultimate top ten security tips for guaranteeing your WordPress is safe from cyber attackers! These posts generally contain a checklist of dodgy, mostly ineffective techniques which do nothing other than provide a false sense of security. Instead, I wanted to focus on what really matters. The fundamentals which are overlooked and put off for another day.
You may feel your website is not a target or that the contents of your website are not sensitive. However, many attacks are now automated and so as part of owning a website, a level of due diligence is required.
Even if you’re not holding sensitive customer data, a compromised website might help an attacker gain access to other, more sensitive business systems.
You could be held in some way liable should an attack result in your website being used to spread malware or to play some part in a further attack.
Google maintain a blacklist of websites which have been compromised. This will affect your ability to rank in search results. Google’s web browser; Chrome, will also display a warning to visitors before allowing them to access your site.
Other potential consequences of being compromised include the damage to your reputation. An attack could lead to defacement, or your visitors being redirected to less savoury parts of the web. Your website might be used to send spam email, leading to your domain being blacklisted and therefore hamper your ability to send legitimate email.
It is essential to put into practice the basics of good password management and seriously consider two-factor authentication.
We hear about it so often, we’ve become numb to it.
This really is it. The most important step to ensuring the security of your WordPress site and your digital life. You need to use strong passwords. Unique to each login.
It’s advice we listen to, nod to and think… I’ve never had a problem up until now, so I guess one day… one day when I get the time.
Guess what? That spare time will never come around. You have to make that time.
Strong passwords are long, they’re made up from a combination of mixed case letters, numbers and symbols. Strong passwords are not made up from or derived from dictionary words.
It’s important to use a unique password for every website. If you’re sharing passwords between websites, should one website suffer a security breach, an attacker might try reusing the credentials to login to other websites. It could also make it possible to access your email and therefore an attacker could request a password reset from your WordPress install.
So what we’re saying is, the secret to securing your online life is to commit to memory an unknown number of impossible to remember passwords. It really is that simple!
This leads nicely on to the next point, because there is some good news. The initial investment of time and effort can be minimal. The move to strong, unique passwords for every login can be a gradual one.
A password manager is essential. As of right now, I have just over 700 logins in my password manager. While I may not be representative of the average person, no one can be expected to memorise the numerous strong passwords previously outlined.
Without a password manager, the idea of using a different password for each login is unfeasible. Not without coming up with a convention which could be sussed out by someone else.
Password managers often include password generators. Saving you from coming up with strong passwords.
Depending on the password manager, you can sync your encrypted password data across computers and devices. They often also have mobile apps and browser extensions which make logging in easier and faster. With a single click of a button, a browser extension can fill in a login form and hit submit.
Password managers safely store your data in an encrypted format. To access the login credentials stored within your password manager, a master password is required to decrypt the data.
When deciding on a master password, instead of thinking in terms of passwords, think in terms of passphrases. They’re easier to remember and the length increases the strength. For in-depth advice on coming up with a strong master password, see Toward Better Master Passwords.
While the master password does become a point of failure, the benefits gained from using strong, unique passwords everywhere is, in my opinion, worth the trade-off. Particularly when you consider that the use of a password manager introduces a second factor. An attacker would need to obtain both your encrypted data and your master password.
Using a weak password is equivalent to leaving your keys in the front door. There isn’t a better time than now. Make the time to investigate.
A strong password protects against brute force attacks, where an attacker guesses your password until they stumble upon the correct one. Using unique passwords ensures compromised credentials cannot be used to login to other accounts you own. Let’s get paranoid. What if an attacker does get hold of your password?
As the name suggests, two-factor authentication, or 2FA for short, provides a second layer of security. Typically the second factor is something only you have. Meaning an attacker would need more than your password to log in. After entering your username or password, you’ll also need to enter the second factor. A hardware token, a time-limited, one-use number sent to you as a text message or generated through an app on your phone.
This second layer of security introduces a level of inconvenience when logging in. At this point in time, at iWeb, we don’t enable 2FA for our WordPress clients as standard. However, depending on the sensitivity of the data you store, it’s worth considering the benefit 2FA provides.
If nothing else, I’d recommend enabling 2FA on your email accounts. As previously mentioned, a compromised email account can be used by an attacker to receive password resets from other accounts, including your WordPress website.
When browsing non-HTTPS websites, data sent and received is transmitted in plain text and is vulnerable to interception. A HTTPS connection to a website ensures data sent between your browser and the website is encrypted. If you anticipate logging into WordPress over a public network, protecting at least your WordPress dashboard with HTTPS will help prevent your password from being intercepted.
HTTPS also helps protect against man-in-the-middle attacks. A type of attack where the contents of a webpage can be altered. Perhaps by injecting a keylogging script or entirely changing the location a login form sends data to. This is particularly problematic with public Wi-Fi where you place a lot of trust in the provider, in many cases, without any real assurance.
With initiatives such as Let’s Encrypt, the financial outlay is minimal. Speak with your hosting company about your options. Many hosting companies are tooling around the provision/renewal of Let’s Encrypt certificates. It may be the case that you can enable HTTPS through a hosting control panel.
Moving your entire WordPress website to HTTPS has additional benefits. The secure connection padlock symbol is well recognised by users as a sign of trust. Google now include HTTPS as a ranking signal. This additional trust, along with a minor SEO benefit should help incentivise website owners to make the switch.
WordPress follows a rough 3-4 month release cycle. Between major versions, a number of point releases may be made available. These point releases can include bug fixes and patch security issues.
Since WordPress 3.7, WordPress has included the ability to automatically update itself to the latest point release. This allows WordPress to push out security fixes to the core WordPress software.
A recent study found that 25% of all compromised WordPress sites can be attributed to just three outdated plugins. Keeping up with updates for all the software under your control is therefore important.
When a software vulnerability is discovered, in many cases, the issue is reported responsibly to the software author. The author is able to write a fix and release an update before the vulnerability is made public knowledge.
Running out-of-date software with known vulnerabilities is clearly not ideal. Once a vulnerability is made public, attackers can scan the web for sites running out-of-date software. There are many ways to detect the specific version of a piece of software. While it may be possible to mask some of the more obvious giveaways. Attempting to hide version numbers is in no way a replacement for simply patching a vulnerability once discovered.
If you’re running a premium theme or plugin bought outside of the official WordPress repository, the way you receive updates will be different. Many come with built-in update mechanisms. However, you’ll likely need an active licence in order to receive updates. Make sure you have activated your theme or plugin licence and that you renew your agreement to maintain access to updates.
Updating regularly reduces the so-called update anxiety. Websites are built upon constantly evolving software. There can be a fear that an update may cause issues. The risk of an update failing is low. When updating regularly, you’re more likely to spot subtle changes in behaviour. The alternative is putting off updates, letting them build up, at which point, the combined change across WordPress, numerous themes and plugins could be jarring.
Check regularly for updates. Plugins and themes can be updated through WordPress. There are tools to help with this, saving you from having to manually check. WP Updates Notifier will email you when an update is made available for your WordPress site. If you find yourself looking after multiple WordPress sites, there are management tools which can oversee multiple sites. ManageWP, WP Remote and InfiniteWP are all excellent tools. Along with keeping on top of updates, these tools often offer additional functionality such as cloning websites, useful for creating temporary development sites.
We can trust that WordPress provides a solid foundation to build from. As previously mentioned, there are tight processes in place to ensure vulnerabilities are handled in a timely and thorough manner. Beyond the base WordPress codebase, the biggest threat comes from the themes and plugins you choose to add in addition.
The beauty of WordPress is its vast ecosystem of themes and plugins. Whatever look you’re going for, whatever functionality you’re trying to achieve, someone has likely come across it before.
The official plugin repository alone has close to 48,000 plugins. Some of these are popular and well maintained. However, when it comes to niche plugins, plugins which are less popular, their authors have less motivation to keep working on the plugin. They have less accountability. Less eyes looking over, scrutinising the quality of the code. Less contributors submitting patches and improvements. We’re more likely to find abandoned plugins.
Many niche plugins are actually wrapping a very simple solution with a lot of interface/fluff. Case in point, iWeb’s own Background Update Notification Email Address plugin (~1028 lines of code across ~17 files) vs the update notification redirection mu-plugin we use ourselves in production (14 lines of code including the plugin header). Both implement identical functionality “the WordPress way”. The plugin introduces a fair amount of bloat including an options page (where we need to trust the form is correctly nonced, that user input is being handled correctly, sanitised and escaped…).
When we’re building a website, when it makes sense to, we prefer to implement a code solution rather than make use of a plugin. As we can see from the example above, going down the plugin approach introduces additional code and has the added burden of requiring us to keep a plugin up-to-date until the end of time.
The WPScan Vulnerability Database tracks vulnerabilities in WordPress, its themes and plugins. It’s an eye opener for sure. You can search by theme or plugin. A history of vulnerabilities in any one project is not always a bad sign, particularly for popular, feature rich plugins. It’s worth remembering that all software has flaws. Even the most resource rich, largest software companies in existence cannot write perfect software.
Adding any third-party code to your WordPress installation increases it’s surface area. Increasing the amount of code which might introduce a vulnerability. Minimise your attack surface by avoiding bloated WordPress themes and by selectively installing plugins. You should source your themes/plugins from the official repositories or from reputable developers who stand by the quality of their software and provide a clear update process.
It’s tempting to install a security plugin, say you’ve done your due diligence and call it a day. Security plugins provide a false sense of security.
Security plugins are bloated, containing a lot of features that make it feel like a lot has been done. You could say a lot of small tweaks add up to make a big difference. In reality, if any of the hardening techniques made a real difference, they’d be included in WordPress core. WordPress is secure by default.
To be fair, some security plugins come with interesting tools, in particular around logging and keeping track of file changes.
A brute force attack is one of the simplest methods for gaining access to your WordPress website. Using a script, an attacker repeatedly attempts different passwords until they stumble upon the correct one.
Limit Login Attempts is a widely used plugin which slows down the rate at which passwords can be guessed. It does this by temporarily blocking the users IP address should they enter the incorrect credentials too many times.
fail2ban watches over your server log files for signs of malicious activity. WP fail2ban is a plugin which ensures login attempts are written to the server log in the correct format. fail2ban can be configured to update firewall rules. Blocking malicious login attempts before they reach WordPress. This is a good option if you have a high degree of technical knowledge and have access to the server to configure fail2ban.
Jetpack provides a smorgasbord of additional functionality for your WordPress site. Jetpack Protect utilises it’s connection to the wider WordPress network to block distributed brute force attacks. If someone is blocked for malicious behaviour on one site, they’re also blocked from every other website covered by Jetpack Protect. In 2016, Jetpack Protect blocked 23 billion brute force attacks.
Wait a minute… what happened to keeping it lean? Yes, well, err… if you have Jetpack anyway, it’s a feature worth enabling. Otherwise, it’s true, you should of course weigh up the pros and cons of adding additional complexity to your WordPress codebase.
Backup provides peace of mind. Giving you the ability to recover your website should the worst happen. Beyond recovering a compromised website, a well thought-out backup plan also covers you against the accidental deletion of data, as well as hardware/software failure.
Cleaning up a compromised website is a difficult task. It’s important to understand how the attack was carried out. Even if you fix up the original vulnerability exploited to gain access, an attacker will often leave a number of so-called “backdoors” allowing them to gain access to your website again.
After identifying the vulnerability exploited, being able to rollback to the most recent, known clean state is important. It’s from here, we can patch the vulnerability. Reset all related passwords and push the recovered site live.
It’s important that backups are carried out automatically. Relying on human action inevitably means backups will be missed. Your backups should be monitored and periodically tested to ensure that should the worst happen, you’re able to get back up and running with minimal disruption.
Website backups are best handled server-side. Speak with your hosting company about their backup strategy. While some may offer comprehensive backup, others will only backup the server as a whole. In the event of a catastrophic hardware/software failure, this will allow for the server to be recovered in it’s entirety. However, it may be difficult to rollback just one website.
If your website has been compromised or a file accidentally deleted, you’ll want to be able to go back through numerous revisions and restore individual files. If your hosting company doesn’t provide sufficient backup there are a number of strong WordPress based solutions.
Each have their own subtle differences. Look for a solution which enables you to store your backup off-site. Saving the backup externally, away from the live server, protects you against hardware failure as well as preventing backups from being deleted by an attacker.
I’ve focused on the steps that a developer can take. If you’re also in control of the server running WordPress, it’s important to harden and keep up-to-date the operating system and all your installed packages including the web server, MySQL and PHP.
If you’re not the only administrator of your WordPress website, remember that all your efforts are null and void if the person sat next to you doesn’t also follow good security practices.
It’s a good idea to periodically review who has privileged access to your WordPress. You may still have logins for ex-employees. There are cases where you may have given access to a third party such as a trusted plugin developer or an SEO consultant. When their access is no longer required, remove their account or swap their role for one with reduced privileges.
The all important takeaway. As with any CMS, there are no magic bullets. No security plugin can change your password habits. Attempting to hide your WordPress version number is not a replacement for simply keeping your software up-to-date. Securing WordPress isn’t difficult. Use a strong password, run a lean codebase and keep everything up-to-date. Cover the basics and you’ll be doing more than most.
If you’ve got any questions you can tweet us at @iwebtweets and I’ll be happy to help.