The Internet can be a scary place.
It seems like every day we're reading about some new weakness (Stagefright, anyone?) that, once you cut through the technical jargon, means that none of us are safe. As one of the most popular platforms for website creation, WordPress is a common target for hackers and often features in stories like this.
Even if we allow that some of the hype is media scaremongering, it's still a sobering thought that the sites you work so hard on can be taken away, broken, or used to distribute malware.
It's frustrating when your hard work gets stolen or ripped off. That's why we decided to write a quick tutorial on the common threats that WordPress sites face and some easy ways that you can reduce the threats to them. We tried to make this as easy as we could without too much technical mumbo-jumbo.
First we'll go over six of the most common threats to WordPress sites and how to fix them. At the end we have some suggestions on software and plugins to use when securing your site.
Brute force password attacks are when a computer tries to guess your login information by trying every combination of numbers and letters it knows. For a person, this could take years, but for a computer it could guess a relatively short password in minutes.
This is especially dangerous if the attacker already knows your username. It's just one fewer thing they have to guess.
But hang on, how could they know your username? Well, if you left it as “admin” then they already do.
Even if you've changed the username from “admin” (and you really should), there are still ways of finding it out.
Type in your browser window “my-site.com/?author=1” (replace my-site with your domain name and add your WordPress subdirectory if it's not on your main domain, so this could be example.com/blog/?author=1).
Most often, you'll see your username come up. If not, try typing the same thing again with 2 at the end, and keep going until 10. You'll see your username soon enough.
Once an attacker has your username, they can try to brute force your password.
If you have an easy password, then believe me – the only reason your site hasn't been hacked yet is that nobody has really tried to.
There are plugins out there to prevent user enumeration, but the best ways to prevent brute-force password attacks are to choose a strong password and limit login attempts.
It goes without saying that “admin/123456” is not a good username/password combination (although it is distressingly common). A strong password is long, not a word from the dictionary or Wikipedia (in any language), and contains a variety of symbols.
CLU is the acronym to remember: Complex, Long, and Unique.
That, unfortunately, also makes your passwords almost impossible to remember.
One option is to use a pass phrase instead of a single word. A computer is going to take a long time guessing a 25-character phrase (assuming 1000 guesses per second, that's 550 years - source) that's comparatively easy for a person to remember – it's harder for a computer to guess a random phrase than it is to guess just one word. A password like "B0ndfriskingmaniacvillain" can be easy to remember, but very hard for a computer to brute-force.
Just remember - if your attempts to make a secure password lead you to writing it down and sticking it onto your monitor, then that's already a bad password.
If you prefer even more secure passwords, or want a way to avoid having to remember them, there are some resources you can use for that. We'll include a couple in our list at the end of this article.
You can also enable multi-factor authentication, and there are great programs in our list that let you do that as well. It can seem like a pain, but effective security measures often mean that we need to change our habits just a little bit.
No matter how strong your password is, if someone has an infinite number of attempts to guess it, they eventually will. On the other hand, even a relatively weak password can't be guessed in just a couple of tries.
Good security plugins and software (you can skip to the end of the article for our suggestions) will limit the number of unsuccessful login attempts and block IP addresses that try to brute-force your passwords.
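To make the "limit login attempts" advice concrete, here is an added example (not code from the original article or from any plugin it names) of a per-IP failed-login limiter. The class name, the method names, the thresholds and the sample address are my own choices; it runs stand-alone under PHP 8 with `php login_limiter.php`.

```php
<?php
// Added example, not code from the original article or from any plugin it
// names: a per-IP failed-login limiter of the kind the article recommends.
// Class name, method names, thresholds and sample address are assumptions.
// Runs stand-alone with PHP 8: php login_limiter.php

final class LoginAttemptLimiter
{
    /** @var array<string, array{count:int, first:int, blocked_until?:int}> */
    private array $store = [];

    public function __construct(
        private int $maxAttempts = 5,      // failures tolerated inside one window
        private int $windowSeconds = 900,  // a quiet 15 minutes resets the count
        private int $lockoutSeconds = 3600 // how long an IP stays blocked once it trips
    ) {
    }

    /** True while $ip is locked out at time $now; clears an expired lockout. */
    public function isBlocked(string $ip, int $now): bool
    {
        if (!isset($this->store[$ip]['blocked_until'])) {
            return false;
        }
        if ($this->store[$ip]['blocked_until'] > $now) {
            return true;
        }
        unset($this->store[$ip]); // lockout has expired, start fresh
        return false;
    }

    /** Count one failed login from $ip; block the IP once it hits the limit. */
    public function recordFailure(string $ip, int $now): void
    {
        $entry = $this->store[$ip] ?? ['count' => 0, 'first' => $now];
        if ($now - $entry['first'] > $this->windowSeconds) {
            $entry = ['count' => 0, 'first' => $now]; // old window, restart the count
        }
        $entry['count']++;
        if ($entry['count'] >= $this->maxAttempts) {
            $entry['blocked_until'] = $now + $this->lockoutSeconds;
        }
        $this->store[$ip] = $entry;
    }

    /** A successful login wipes the counter for that IP. */
    public function recordSuccess(string $ip): void
    {
        unset($this->store[$ip]);
    }
}

// Demo with constructed timestamps and a documentation-range address.
$limiter = new LoginAttemptLimiter();
$t0 = 1_700_000_000;
$client = '203.0.113.7';

for ($i = 1; $i <= 5; $i++) {
    $limiter->recordFailure($client, $t0 + $i);
    printf("failure %d -> blocked: %s\n", $i, $limiter->isBlocked($client, $t0 + $i) ? 'yes' : 'no');
}
printf("one hour later -> blocked: %s\n", $limiter->isBlocked($client, $t0 + 3700) ? 'yes' : 'no');
```

The demo blocks the address on the fifth failure inside the window and unblocks it once the lockout has passed. To use the same logic in WordPress you would call recordFailure() from the wp_login_failed action, check isBlocked() in an authenticate filter and return a WP_Error when it is true, call recordSuccess() from the wp_login action, and keep the counters in transients (or another persistent store) rather than in memory, since each request starts a fresh PHP process. Two caveats: behind a CDN or reverse proxy, $_SERVER['REMOTE_ADDR'] is the proxy's address, so per-IP counting needs the real client address from a header you trust; and many users behind one NAT share an IP, so a short lockout is kinder than a permanent block.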
Remember that no reputable developers try to make software with security flaws. That means that when something comes up, developers stay up all hours patching their software and fixing the code.
Imagine their disappointment when people don't update their sites. A new version of the code isn't going to help if you've still got the old version on your site because clicking the "update" button was too hard.
Check your plugins and themes regularly to make sure that they aren't out of date and that they don't have serious security risks. It also makes the developers happy that people value their work.
Another important thing to remember here – people who crack and distribute free versions of WordPress themes? They're usually including some of their own code in there. And when we say “code”, we mean “viruses, Trojans, and backdoors” that they can use to damage your site.
Enough said. The latest versions are the versions whose problems nobody knows about yet. In the world of information security that's as good as it gets.
Also, don't try to pirate themes. It's just not worth it. Only download themes from sources that you can trust, and if someone has created a great theme, just buy it. It saves time and trouble in the long run.
Here's where we get into a little bit of code – but don't worry, it's very simple code.
The first of the two files we'll be looking at is wp-config.php. This is a very important file that WordPress uses to communicate with databases.
The databases are where posts, settings, and users are all stored. You want to make sure that nobody can access this file other than you.
The second is the .htaccess file. This is a file that Apache (the software that web servers use, not the tribe) uses to decide how to retrieve files.
It's also a very important potential vulnerability. The good news is, it can be used to close down access to both itself and to the wp-config.php file.
Just by seeing these files, attackers can gain valuable information about how your site is configured, which can lead them to discovering vulnerabilities. Obviously you don't want this to happen.
Here is the code you need to put into your .htaccess file:
```apache
# Block HTTP access to the two sensitive files.
# Apache 2.4 without mod_access_compat uses "Require all denied"
# in place of the two order/deny lines.
<Files wp-config.php>
    order allow,deny
    deny from all
</Files>
<Files .htaccess>
    order allow,deny
    deny from all
</Files>
```
Just go to your .htaccess file and put that code in there. If you need help finding your .htaccess file, check out our Support articles for an explanation.
This code will tell your server not to serve those files to anyone who requests them over the web, but won't stop you from getting to them with local access (FTP, SFTP, or your hosting control panel).
This isn't so much a specific WordPress problem as it is a general security problem, but it's such an important one that it deserves a mention here.
Phishing, as we reported earlier, can take many forms – it can come as spam emails that directly ask you for your passwords, as faked sites that ask for login details – basically, any way you can think of for someone to try and steal your username and password.
Now, being suspicious is normally not a good thing. But online it can save you.
Don't use links that you get in emails to log onto sites. Log on in a separate window by navigating to the site as you normally would.
Also, never tell anyone your login details over email. No matter who they claim to be.
This is the most common threat to WordPress sites, and almost deserves an article to itself. It's a way that attackers can put their own code into your site. Let's look at how that's possible.
HTML is the language used to create web pages, and it's what is called a tag-based language.
For example, if I want to create bold text, I use a tag that is placed around the text that I want to make bold - like this: <strong>text that I want to make bold</strong>. The tags aren't shown to the person visiting the page, instead they change how the text inside them is displayed.
Note - I'm describing HTML in a really over-simplified way, but it works for the example I'm trying to make.
Almost all tags in HTML function like the <strong> tag, with one exception. That tag is <script>.
<script> says to the browser,
"Hey, what's written inside this isn't text, so don't show it to the user. Instead, it's a piece of code."
This is really useful for creating interactive sites, but it can lead to some big problems if it's misused.
Now, some fields in a site allow use of HTML - sometimes you want your visitors to be able to put a link in a comment, or make their text bold. That's fine, and it usually doesn't hurt anything (unless it's a spam link).
However, if they can put <script> in your pages, then that's a disaster waiting to happen. They use that vulnerability to change the way your site works, which is never good. Forget what you learned at nursery school - not everything needs to be shared, especially control over your site.
For example, if you have a page that prints the most recent search that a user has made (something that reads: "You searched for X", for example), then this is a sort of pseudo-code that might be what your server says (note: this is not real server code):
```text
print "<html>"
print "<h1>You searched for</h1>"
print database.latestSearch
print "</html>"
```
This lets an attacker search for the text <script>doSomethingTerrible();</script>.
When the page loads, that script will execute because the page will read:
```html
<html>
<h1>You searched for:</h1>
<script>doSomethingTerrible();</script>
</html>
```
Because the page loads user input as HTML without blocking the <script> tag, the attacker is able to add this script to a page.
That's XSS in a nutshell, and while there are more complex ways of doing it (hence all the vulnerabilities related to it) that's the basic way that XSS works.
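Here is the "You searched for" page written two ways, as an added example that is not code from the original article: render_unsafe() reproduces the pseudo-code's mistake and render_safe() escapes the untrusted value before it reaches the HTML. The function names and the sample search term are my own, and $latestSearch stands in for the article's database.latestSearch.

```php
<?php
// Added example, not code from the original article: the article's
// "You searched for" page written two ways. render_unsafe() reproduces the
// pseudo-code's flaw; render_safe() escapes the untrusted value first.
// Function names and the sample search term are assumptions; $latestSearch
// stands in for the article's database.latestSearch.

function render_unsafe(string $latestSearch): string
{
    // The search term is pasted straight into the markup, so a term that
    // contains <script> is parsed as a tag and runs in every visitor's browser.
    return '<html><h1>You searched for:</h1>' . $latestSearch . '</html>';
}

function render_safe(string $latestSearch): string
{
    // htmlspecialchars() rewrites < > & " ' as entities, so the browser shows
    // the characters as text instead of treating them as tags. ENT_QUOTES
    // covers both quote styles (needed when the value lands inside an
    // attribute); the charset must match the page's own encoding.
    // WordPress ships esc_html() for exactly this job.
    $escaped = htmlspecialchars($latestSearch, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<html><h1>You searched for:</h1>' . $escaped . '</html>';
}

// Constructed input: the same payload the article uses.
$payload = '<script>doSomethingTerrible();</script>';

echo "Unescaped:\n", render_unsafe($payload), "\n\n";
echo "Escaped:\n", render_safe($payload), "\n";
```

Run it with `php xss_demo.php`: the unescaped version reproduces the page from the article, while the escaped version carries &lt;script&gt; and &lt;/script&gt; as text, which a browser displays but never executes. The general rule is to escape every piece of user input at the moment it is written into a page, choosing the escaper for where it lands (esc_html() for text, esc_attr() for attribute values, esc_url() for links in WordPress). Moderating comments is a useful backstop, but escaping on output is the defense that holds even when a bad comment slips through.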
But hang on, you might think, there's nowhere that people can create user input on my blog. Why should I be scared of some script tag?
What about the comment section? The same place where people tell you how much your posts rock can also be the place that attackers inject code into your site.
This is how most XSS attacks are made, so protect yourself by manually approving comments. It may seem like a lot of work, but it can save your site.
Akismet is one of the most common ways of securing comments - it also helps you eliminate spam. No WordPress site should leave home without it.
You should never allow comments that have a bunch of what looks like nonsense in them - this is probably obfuscated (hidden or disguised) code, and you should delete those comments with extreme prejudice.
Apply this principle to all user input on your site, and again, make sure that you update your plugins as soon as new versions come out, as new XSS attack methods get found very often.
There is so much software out there that you can use to harden your WordPress site that there is no excuse not to use the very best. These are just some programs that you can use to improve your security, categorized by the threat they cover. Using substandard software will bring you substandard results, so accept no substitutes.
Now what you've all been waiting for – here's our Crazy Easy software list, solutions that you can use so you don't have to worry about your WordPress site getting hacked. We've divided it into solutions based on what problems they solve.
LastPass is a service that remembers your passwords for you.
Passwordcard is a free resource that lets you create a card that generates and stores your passwords. It's a great, comparatively low-tech solution to the problem of creating and remembering effective passwords.
1password is similar to LastPass – it creates strong, unique passwords for you and remembers them for all your accounts.
Clef is an app for two-factor authentication. It uses your smartphone as a sort of digital key and is very easy to use.
The Stop User Enumeration plugin makes it impossible for attackers to find out your admin username.
The WordPress security scan is a simple testing tool that will find many of the vulnerabilities that we discussed in this article. It works as a good checklist to make sure that you have implemented your security correctly.
wpscan.org is a black box WordPress vulnerability scanner. It takes a little bit of technical know-how to use and install, but is very effective. It gives you a full understanding of your site's vulnerabilities.
The WordFence plugin is one of the most popular security plugins for WordPress and its advantages are enjoyed by literally millions of site users.
The BulletProof Security plugin is another very highly-rated security plugin and works as a general security solution with many interesting features. This one is great for the more technically-minded site owner.
The Crazy Domains All-in-one Site Protection and Scanner will monitor any site (not just WordPress) with daily site scans, malware and hacker protection, blacklist protection, and expert guidance. It's really Crazy Easy site protection.
One thing to remember is that WordPress security is not static – it's not something that you do once and forget about forever. Hacking is like all software development. It exists in a constantly changing world that now, more than ever, refuses to stand still. Make sure you're checking frequently. Even if you have software that checks frequently for you, it's always good to be sure.
We hope that you found this guide useful – make sure to share it with your friends if they also have WordPress sites. Together we can help each other make our sites more secure so that we can spend more time making them the best they can be.