We design and administer a lot of WordPress sites, and we are increasingly called on to restore sites that have been hacked. That is a reflection of the CMS's popularity. WordPress core is quite secure and is updated frequently, but add-on themes and plugins vary widely in quality and security. It is a large target, comprising over 20% of all web sites, and its ease of use and administration means most of those sites are not overseen by professional sysadmins whose desire for job security provokes paranoid vigilance. We could all do better. Here are some WordPress security tips.
- Prevention is easier than recovery
- Scan Your Site for Malware Make sure your site is clean now. Many infections are not destructive and depend on a working site to achieve their aims, such as inserting link spam into search results associated with your site. Viagra, anyone? You can detect most infections with a remote malware scanner such as the one from the WordPress security specialists at Sucuri: Sucuri SiteCheck. Keep in mind what a remote scanner can see: only what the site serves to the public. A backdoor that does nothing until the attacker calls it will not show up, so a clean SiteCheck result is not proof that the files on disk are clean. There are plugins that scan for malware, but I think it best to keep your plugin load to the bare minimum your site requires.
- Make Regular Backups A database backup and a backup of your WordPress files are the fastest, surest road to recovering your site. Back up the wp-content folder and the wp-config.php file with an FTP client (use SFTP if your host offers it, so your credentials are not sent in the clear). Back up your database with the MySQL administration tool provided by your host, usually phpMyAdmin. Keep the copies off the server: a backup sitting in the web root belongs to whoever breaks into the site. There are plugins for this, but I cannot recommend any from personal experience.
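The same backup done from the shell, which is easier to put on a cron schedule than an FTP client. This is an added example, not code from the original article: it reads the database credentials out of wp-config.php rather than hard-coding them, dumps the database, and tars wp-content plus wp-config.php. It assumes mysqldump, gzip and tar are on PATH; the site root and destination directory in the usage line are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original article): scheduled WordPress backup.
# Reads DB_NAME/DB_USER/DB_PASSWORD/DB_HOST from wp-config.php so the script
# carries no secrets of its own.

# wp_config_get FILE NAME -> prints the value of define('NAME', '...') in FILE,
# accepting either quote style and optional spaces inside the parentheses.
wp_config_get() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# wp_backup SITE_ROOT DEST_DIR -> writes DEST_DIR/<site>-<timestamp>.sql.gz and
# DEST_DIR/<site>-<timestamp>.tar.gz, prints the common prefix.
wp_backup() {
    site_root=$1
    dest=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    name=$(basename "$site_root")-$stamp
    mkdir -p "$dest"

    cfg=$site_root/wp-config.php
    db_name=$(wp_config_get "$cfg" DB_NAME)
    db_user=$(wp_config_get "$cfg" DB_USER)
    db_pass=$(wp_config_get "$cfg" DB_PASSWORD)
    db_host=$(wp_config_get "$cfg" DB_HOST)
    [ -n "$db_name" ] || { echo "DB_NAME not found in $cfg" >&2; return 1; }

    # Password goes in MYSQL_PWD rather than -p so it never appears in `ps`.
    # ${db_host%%:*} drops a ":3306" suffix; add -P if you use a non-default port.
    MYSQL_PWD=$db_pass mysqldump --single-transaction -h "${db_host%%:*}" -u "$db_user" "$db_name" \
        > "$dest/$name.sql" || { rm -f "$dest/$name.sql"; echo "mysqldump failed" >&2; return 1; }
    gzip -f "$dest/$name.sql"

    # Files: wp-content (themes, plugins, uploads) and wp-config.php. Everything
    # else is stock WordPress and comes back from a fresh install.
    tar -czf "$dest/$name.tar.gz" -C "$site_root" wp-content wp-config.php
    chmod 600 "$dest/$name.sql.gz" "$dest/$name.tar.gz"
    echo "$dest/$name"
}

# Usage (hypothetical paths):
#   WP_BACKUP_RUN=1 sh wp-backup.sh /var/www/example.com /root/wp-backups
if [ "${WP_BACKUP_RUN:-0}" = "1" ]; then
    wp_backup "$1" "$2"
fi
```

Copy the two files somewhere the web server cannot reach, and restore from them on a test host now and then: a backup that has never been restored is a hope, not a plan.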
- Use Strong Passwords Longer is better: 15 characters or more. Mix uppercase, lowercase, numbers, and punctuation. Use spaces or special characters as spacers. Avoid dictionary words where possible. Avoid the most common admin usernames: admin, Admin, administrator, test, and root. Most brute-force attacks are directed at those usernames, and they are run by automated scripts, so your best defence is a good password and a less common username. Treat the unusual username as a speed bump rather than a secret, though: WordPress reveals login names through author archive URLs, so the password has to carry the weight. The strongest passwords are randomly generated; see: Secure Password Generator. Enforce password discipline among all users, and give users only the privileges their role on your site requires.
- Update WordPress, Theme, and Plugins Keep WordPress up to date. The dashboard notifies you of available updates, and depending on your install, minor versions now update automatically. Delete unused themes and inactive plugins: their PHP files are still reachable by URL, so they are still hacking targets. Plugin vulnerabilities are frequent hacker targets, and it is easy to compile a list of sites running a particular plugin with a simple search like "wp-content/plugins/revslider/". Earlier versions of this deservedly popular plugin had serious security holes.
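The update-and-prune routine above as a script, added here as an example rather than taken from the article. It assumes WP-CLI is installed as `wp`; the site path is hypothetical. The one trap is themes: the parent of an active child theme is listed as inactive even though the site needs it, so the function takes a keep list.

```shell
#!/bin/sh
# Added example (not from the original article): keep core, plugins and themes
# current with WP-CLI, then delete (not merely deactivate) what is unused.

# inactive_from_csv [KEEP...] -> reads `wp ... list --format=csv` on stdin and
# prints the names whose status column is "inactive", skipping any KEEP names
# (pass the parent theme of your active child theme here).
inactive_from_csv() {
    keep=" $* "
    awk -F, 'NR > 1 && $2 == "inactive" { print $1 }' | while IFS= read -r name; do
        case "$keep" in
            *" $name "*) ;;                 # explicitly kept
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# wp_housekeeping SITE_ROOT [KEEP_THEME...] -> update everything, then remove
# inactive plugins and themes. Back up first (see the backup section).
wp_housekeeping() {
    site=$1; shift
    wp --path="$site" core update
    wp --path="$site" core update-db
    wp --path="$site" plugin update --all
    wp --path="$site" theme update --all
    # `wp plugin list --format=csv` prints a header line, then name,status,... rows.
    wp --path="$site" plugin list --format=csv | inactive_from_csv | while IFS= read -r p; do
        wp --path="$site" plugin delete "$p"
    done
    wp --path="$site" theme list --format=csv | inactive_from_csv "$@" | while IFS= read -r t; do
        wp --path="$site" theme delete "$t"
    done
}

# Usage (hypothetical path; twentysixteen kept as the parent of a child theme):
#   WP_HOUSEKEEPING_RUN=1 sh wp-housekeeping.sh /var/www/example.com twentysixteen
if [ "${WP_HOUSEKEEPING_RUN:-0}" = "1" ]; then
    wp_housekeeping "$@"
fi
```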
- Register your Site with Google Webmaster Tools (GWT) Blacklisting is often the first indication that your site has been hacked. Internet and security authorities like Google, Bing, Norton, McAfee, Kaspersky, and Yandex scan sites for malware and add your site to their blacklists when they detect it. Google Webmaster Tools notifies site owners as soon as it detects a problem. Tools like GWT are often the only way to detect SEO link-spam malware, which is frequently cloaked so that search engine crawlers see it and you, browsing your own site, do not. Leaving such malware in place will destroy your search ranking.
- Install a Security Plugin There are several all-in-one solutions, and the major contenders have different emphases and different strengths. Stay tuned for a forthcoming side-by-side comparison. There can be advantages to using a popular WP security plugin, and the following should be part of your evaluation:
- The plugin has been vetted by hundreds of thousands of users.
- The authors are subject matter experts.
- The authors have a vested financial interest in maintaining the plugin, and have done so.
- There are substantial feedback ratings and a long history of resolved support issues.
- Security vulnerabilities within the plugin itself have been addressed expeditiously. Check a WordPress vulnerability database.
- Lock Down Your Login Any time you log in to your site over plain http you are sending your password in the clear, and that traffic can be sniffed. Install an SSL certificate to protect the login. If you do not also need it for public pages, as an ecommerce site does, a free self-signed certificate will do. The details depend on your hosting; modern cPanel accounts no longer require a dedicated IP address to install a certificate. Your browser will warn you the first time you use a self-signed certificate, which is tolerable for admin pages only you visit, but be clear about what it does not give you: the warning looks the same whether the certificate is yours or one substituted by someone sitting between you and the server, so check the fingerprint before accepting it, and prefer a certificate from a public CA where you can get one. You can also restrict the admin and login pages to specific IP addresses with Apache directives in your .htaccess file. Substitute your own address for 203.0.113.10 (a placeholder from the documentation range) and don't forget to escape the dots with backslashes. The second condition matches wp-admin with or without a trailing path, and the third keeps admin-ajax.php reachable, because front-end AJAX in themes and plugins posts to it from every visitor's browser:

```apache
RewriteEngine on
# Deny wp-login.php and everything under wp-admin/ unless the request comes
# from the allowed address. admin-ajax.php is exempted for front-end AJAX.
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(/.*)?$
RewriteCond %{REQUEST_URI} !admin-ajax\.php
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteRule ^(.*)$ - [R=403,L]
```

Make sure to test this; your phone's browser with WiFi switched off is a handy second address. If you restrict wp-admin with Allow/Deny directives in a wp-admin/.htaccess instead of the rewrite rules, exempt admin-ajax.php there or front-end AJAX will break. These are Apache 2.2 directives; on Apache 2.4 the equivalent inside the Files block is Require all granted:

```apache
# Allow access to wp-admin/admin-ajax.php
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>
```
- Test for Vulnerabilities How do you test your site security once you have implemented new measures? Try to break in to your site, naturally, using an ethical hacking tool. Warning: you can easily violate your hosting terms of service doing this, or trigger a temporary ban of your IP, so tread carefully and scan only sites you own. Set up the wpscan tool; you also need ruby, rubygems, curl, and git. To enumerate your site and see what a hacker sees, run the following from a command line (please don't use my site as the URL):

```shell
ruby wpscan.rb --url www.example.com
ruby wpscan.rb --url www.example.com --enumerate
```

(Current releases install as a gem and are run as `wpscan --url ...`; the --url and --enumerate options carry over.) The second command runs all of wpscan's enumeration checks, highlighting plugins and themes with known vulnerabilities and linking to the security bulletins. The wpscan team maintains an excellent WordPress vulnerability database. Of course, if you want to know whether the measures you have implemented can foil a brute-force attack you must mount one, and you can do so with wpscan. Warning: a brute-force attack on the WordPress login is essentially a denial-of-service attack on your server, so use a short wordlist to test. Better yet, replicate your site locally on a WAMP or MAMP server and bash away to your heart's content.
- Go for the Low Hanging Fruit First Why? Because most attacks go after the easiest vulnerabilities: weak passwords or out-of-date plugins or themes.
- Strong Password
- Updated WordPress, theme(s), and plugins
- Site & DB backup
- Recovery, when all else fails
- Complete Site Replacement from Backup This is the easiest and cleanest way of ridding your site of malware. If you have been scanning your site regularly you will know that your backup is not infected; if in doubt, pick a backup taken before the earliest suspicious entry in your access logs. Here are the steps to take:
- Complete backup of the infected site. All WordPress files, a database dump, and the access logs. You need this to track down the infection and the vulnerability that let it in.
- Clean slate reinstall of WordPress & database. Delete everything (another reason for the complete backup). If your host offers it, use an automated installer like Softaculous.
- Install your Database Backup Drop the new WordPress database tables and import your database backup.
- Replace wp-content Folder with Backup
- Change your Hosting Password Change the database password and every WordPress user's password as well, and since the fresh install generated new authentication keys and salts in wp-config.php, any session cookies the attacker captured are already useless.
- Request Blacklist Removal The most important one is Google Webmaster Tools. When GWT has cleared your site, most of the other blacklisting authorities follow suit. Yandex can be an exception.
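The recovery steps above as a script, added here as an example and not part of the original article. It assumes WP-CLI is installed as `wp` for the core and database steps, that the backups are a .sql.gz dump plus a .tar.gz of wp-content and wp-config.php (the layout the backup section describes), and that the paths are absolute; every path in the usage line is hypothetical. Passwords and blacklist review are still done by hand afterwards.

```shell
#!/bin/sh
# Added example (not from the original article): restore a hacked WordPress
# site from a known-clean backup. Order matters: quarantine the evidence first.

# quarantine_site SITE_ROOT LOG_DIR DEST -> archives the whole infected site and
# the web server logs for later analysis; prints the archive path.
# Absolute paths are expected (they are archived relative to /).
quarantine_site() {
    out=$3/infected-$(basename "$1")-$(date +%Y%m%d-%H%M%S).tar.gz
    mkdir -p "$3"
    # Everything, not just wp-content: the backdoor is often in wp-includes or a
    # stray file in the web root, and the access logs show how it got there.
    tar -czf "$out" -C / "${1#/}" "${2#/}"
    chmod 600 "$out"
    echo "$out"
}

# reinstall_core SITE_ROOT -> wipe WordPress core and fetch a clean copy,
# keeping only wp-config.php and .htaccess. Stray root files such as a planted
# post.php go too. Needs network access.
reinstall_core() {
    rm -rf "$1/wp-admin" "$1/wp-includes"
    find "$1" -maxdepth 1 -type f ! -name wp-config.php ! -name .htaccess -exec rm -f {} +
    wp --path="$1" core download --force --skip-content
}

# restore_db SITE_ROOT DUMP_GZ -> drops every table in the database named in
# wp-config.php, then imports the backup dump from stdin.
restore_db() {
    wp --path="$1" db reset --yes
    gunzip -c "$2" | wp --path="$1" db import -
}

# restore_wp_content SITE_ROOT BACKUP_TAR -> swaps in wp-content from the backup.
restore_wp_content() {
    site_root=$1
    tarball=$2
    # Move aside, don't overlay: extracting over the old tree would leave the
    # attacker's extra files (a dropper in uploads/, a rogue plugin) in place.
    rm -rf "$site_root/wp-content.infected"
    if [ -d "$site_root/wp-content" ]; then
        mv "$site_root/wp-content" "$site_root/wp-content.infected"
    fi
    tar -xzf "$tarball" -C "$site_root" wp-content
    rm -rf "$site_root/wp-content.infected"
    # Nothing under wp-content should be world-writable.
    find "$site_root/wp-content" -type d -exec chmod 755 {} +
    find "$site_root/wp-content" -type f -exec chmod 644 {} +
}

# Usage (hypothetical paths):
#   WP_RESTORE_RUN=1 sh wp-restore.sh /var/www/example.com /var/log/apache2 \
#       /root/quarantine /root/wp-backups/example.com-20150301-020000
if [ "${WP_RESTORE_RUN:-0}" = "1" ]; then
    site_root=$1; log_dir=$2; quarantine_dir=$3; backup_prefix=$4
    quarantine_site "$site_root" "$log_dir" "$quarantine_dir"
    reinstall_core "$site_root"
    restore_db "$site_root" "$backup_prefix.sql.gz"
    restore_wp_content "$site_root" "$backup_prefix.tar.gz"
    echo "Now change the hosting, database and WordPress passwords, then request blacklist review."
fi
```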
- When you don't have backups You must find and delete (or clean) the infected files and database entries. Start by deleting and replacing the wp-admin and wp-includes folders and all the WordPress files in the root directory except wp-config.php, using a fresh download of the same WordPress version. Scan wp-config.php for suspicious content: look for base64_decode or str_rot13 calls, and look for files that are not part of the base WordPress install, such as a post.php in the root. See more in our upcoming post on malware cleaning.
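A first pass at that hunt, added here as an example and not the article's own code: grep the tree for the obfuscation primitives injected PHP relies on, list PHP files that have no business being under wp-content/uploads, list what changed recently, and compare core against WordPress.org's checksums. The pattern list is constructed from what commonly turns up in injected code, and the checksum step assumes WP-CLI is installed as `wp`. Everything here is read-only: it lists, you decide.

```shell
#!/bin/sh
# Added example (not from the original article): hunting for injected PHP when
# there is no clean backup to fall back on.

# scan_suspicious_php DIR -> "file:line:text" for PHP lines using the
# obfuscation primitives injected code leans on. Constructed pattern list;
# expect a few false positives from legitimate plugins and review hits by hand.
scan_suspicious_php() {
    pattern='base64_decode|str_rot13|gzinflate|gzuncompress|eval[[:space:]]*\(|assert[[:space:]]*\(|preg_replace[[:space:]]*\(.*/e|\\x[0-9a-fA-F]{2}\\x[0-9a-fA-F]{2}|\$_(GET|POST|REQUEST|COOKIE)\[[^]]*\][[:space:]]*\('
    grep -rEn --include='*.php' "$pattern" "$1" || true
}

# php_in_uploads SITE_ROOT -> PHP files under wp-content/uploads. There should
# be none: uploads is the directory an attacker reaches through upload bugs.
php_in_uploads() {
    [ -d "$1/wp-content/uploads" ] || return 0
    find "$1/wp-content/uploads" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php5' -o -name '*.phar' \)
}

# recently_modified SITE_ROOT DAYS -> PHP files changed in the last DAYS days.
# Cross-check against your deployment dates; a site nobody updated last week
# should not have a wp-includes file from yesterday.
recently_modified() {
    find "$1" -type f -name '*.php' -mtime -"$2"
}

# verify_core SITE_ROOT -> compares the installed core files against
# WordPress.org's checksums for that version and reports modified files and
# files in wp-admin/wp-includes that do not belong. Needs WP-CLI and network.
verify_core() {
    wp --path="$1" core verify-checksums
}

# Usage (hypothetical path): WP_HUNT_RUN=1 sh wp-hunt.sh /var/www/example.com
if [ "${WP_HUNT_RUN:-0}" = "1" ]; then
    site=$1
    echo "== suspicious PHP ==";          scan_suspicious_php "$site"
    echo "== PHP in uploads ==";          php_in_uploads "$site"
    echo "== modified in last 7 days =="; recently_modified "$site" 7
    echo "== core checksums ==";          verify_core "$site"
fi
```

Run it on the quarantined copy as well as the live tree: the live files tell you what is there now, the copy plus the access logs tell you how it got there, and until you know that, a cleaned site will just be reinfected.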