Actionable tips to protect your website from vulnerabilities
WordPress is my go-to blogging platform, and I’m clearly not the only one using it. It’s a more or less stable CMS, with a user-friendly admin panel and a great template and plugin ecosystem, and the pros do not end here.
In a recent study by W3Techs, a leading web technology survey company, 43.4% of global websites are using WordPress. While known as a blogging powerhouse, WordPress extends far beyond, with solutions like the WooCommerce plugin for e-commerce. But extending it even further, I personally hit diminishing returns, where the value of using the framework decreases and I am better off writing a React app and making my own database and server.
Going back to the statistics, this popularity doesn’t come without a price.
Let’s be clear: focusing on the pros is great, but WordPress’s widespread use also makes it a prime target for malicious actors; I’ll just call them hackers.
Your WordPress Site is the Hottest Party in Town (For Hackers)
Does that mean that WordPress is unsafe? Vulnerable? Not really; I mean, the developers do patch a lot of security issues. However, these vulnerabilities aren’t exclusive to WordPress; they’re inherent risks within open-source software ecosystems and any highly popular platform. OK, the vulnerabilities listed before actually are exclusive to WordPress, but I do hope you get my point.
As a common-sense thought, outdated WordPress versions pose a significant risk. When patches are released, they become an open book for hackers seeking to exploit older websites, which often run outdated versions of WordPress. This cascades into using older versions of plugins (that may well be vulnerable), older PHP versions and databases. If your site sits on dated hosting infrastructure, the entire ecosystem becomes vulnerable.
On top of that, poor site configurations can easily expose sensitive data.
As with the pros, we could discuss the cons for weeks. This may be a different subject altogether, but there is no reason to be alarmed by the cons or to get too excited by the pros. As my high school Informatics teacher said, “software is never finished, only abandoned”. Software is constantly evolving; we get great new features and security fixes, but sometimes a new update may break something that worked for years, and that great new feature may be a future security vulnerability.
The key to robust WordPress security is a layered defense. Each layer significantly reduces the potential attack surface, making it exponentially harder for hackers to succeed. A well-implemented layered approach should deter the vast majority of intrusion attempts.
Now, let’s address the first thing:
0. Monitoring & Logging
Monitoring tools are great for watching for suspicious activity and providing early warnings. We can call this a pre-filter. It won’t fix any wrongdoing, but it is surely a game changer. There’s something tangible about seeing the hacking attempts and the 404 requests. It does make it real.
We recommend a 404 error log plugin, and virtually any antivirus and firewall should have an exhaustive monitoring dashboard.
Things like automated emails when a new login happens are just comforting!
The first layer of defense:
1. Antivirus and Firewall
This is the first and best layer, because most of the safeguards we discuss are implemented with the help of Web Application Firewalls (WAFs). They persistently analyze incoming traffic, filtering out malicious activity before it reaches your WordPress site. Reliable providers like Cloudflare or Sucuri are some good recommendations, to name a few.
Wordfence is a great all-rounder, and the free version is excellent.
The second layer of defense:
2. Safeguarding Against Automated Attacks
After we enabled the firewall, our first layer of defense, we received almost 1000 attacks in the span of a month!
These attacks come in the form of malware scanning for known WordPress paths, environment variables, and of course, login pages. Brute-forcing with common usernames and passwords was a constant threat. This blog is relatively new, but the number of automated attacks it has received is nonetheless impressive: over 50 humans who tried to log in and more than 600 automated probing attacks.
Some examples of the probes bots and humans used:
```text
https://techsplicer.com/wp-admin/install.php?step=1&language=en_GB   # Probing a fresh install
https://techsplicer.com/xmlrpc.php                                    # Probing POST requests and brute-forcing logins
https://techsplicer.com//wp-login.php                                 # Probing the auth page
https://techsplicer.com/wp-content/plugins/root-file-manager/wp-file.php  # Testing plugin paths
```
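As an added example, not part of the original post, the following Python script classifies access-log requests against the probe categories listed above (fresh-install probing, xmlrpc.php, the login page, plugin paths) and counts them per category and per source IP, which is the kind of view a monitoring layer should give you. It assumes the common combined log format; the log lines and IP addresses are constructed sample data.

```python
import re
from collections import Counter
from typing import Optional

# Added example (not from the original post): tag access-log requests against the
# probe categories the post lists and count them per category and per source IP.
# Combined log format assumed: IP ident user [time] "METHOD PATH PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Probe categories from the post; paths are normalised before matching.
PROBE_RULES = [
    ("fresh_install", re.compile(r"^/wp-admin/(install|setup-config)\.php$")),
    ("xmlrpc",        re.compile(r"^/xmlrpc\.php$")),
    ("login_page",    re.compile(r"^/(wp-login\.php|wp-admin/?)$")),
    ("plugin_path",   re.compile(r"^/wp-content/plugins/")),
]

def normalise_path(raw: str) -> str:
    """Drop the query string and collapse '//' so '//wp-login.php' is caught."""
    return re.sub(r"/{2,}", "/", raw.split("?", 1)[0])

def classify(path: str) -> Optional[str]:
    p = normalise_path(path)
    return next((name for name, rule in PROBE_RULES if rule.search(p)), None)

def summarise(lines):
    """Return (hits per category, probe hits per IP, unparsable line count)."""
    per_category, per_ip, unparsed = Counter(), Counter(), 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1
            continue
        cat = classify(m["path"])
        if cat:  # ordinary page views are not counted
            per_category[cat] += 1
            per_ip[m["ip"]] += 1
    return per_category, per_ip, unparsed

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:08:01:12 +0000] "GET /wp-admin/install.php?step=1&language=en_GB HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2024:08:01:13 +0000] "POST /xmlrpc.php HTTP/1.1" 405 42 "-" "python-requests/2.31"
198.51.100.23 - - [10/May/2024:08:02:40 +0000] "GET //wp-login.php HTTP/1.1" 200 2711 "-" "Mozilla/5.0"
198.51.100.23 - - [10/May/2024:08:02:41 +0000] "GET /wp-content/plugins/root-file-manager/wp-file.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.5 - - [10/May/2024:08:03:00 +0000] "GET /2024/05/hello-world/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
this line is not a log entry
""".splitlines()
```

Run `summarise(SAMPLE_LOG)` to get the per-category and per-IP counters; an IP that hits several categories within minutes is the automated scanner pattern the post describes.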
On with the actionable tips:
2.a. Customizing Login URL
Don’t use the default “/wp-login” and “/wp-admin” paths; these are easy targets for brute force attacks. While this won’t stop a determined attacker, it deters a huge volume of automated attempts.
The “WPS Hide Login” plugin simplifies this process. I’ve seen automated attack attempts drop by more than 90% after implementing this change. Game changer!
2.b. Obscuring WordPress Metadata
Remove version numbers and other identifying information that can be present in the metadata. Again, this is an easy target for attackers: if they see an outdated version, they know your site is likely vulnerable. I’m not sure how the automated tools evaluate the DOM, because you cannot really hide the fact that the site is a WordPress one, but the less public information, the better.
This can be done with All In One Seo Pack, or even using a custom PHP script that can be added in the theme’s functions.php:
```php
// Remove the generator meta tag and version query strings from the front end.
function remove_all_version_info() {
    // Remove the <meta name="generator"> tag from the page head
    remove_action('wp_head', 'wp_generator');
    // Return an empty generator string in RSS feeds and other contexts
    add_filter('the_generator', '__return_empty_string');
    // Strip the 'ver' query argument from enqueued styles and scripts
    add_filter('style_loader_src', 'remove_version_from_css_js', 9999);
    add_filter('script_loader_src', 'remove_version_from_css_js', 9999);
}
add_action('init', 'remove_all_version_info');

// Defined at file scope rather than nested inside the hook callback, so it
// cannot be redeclared if the callback ever runs more than once.
function remove_version_from_css_js($src) {
    if (strpos($src, 'ver=') !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
```
Note: Please don’t just copy-paste the script; this is more of an example.
3. Authentication Layer
We’ve filtered out a lot of the bad traffic. Now, let’s lock down that login door! Think of this as your apartment’s security system: strong passwords, multiple locks, and maybe even a hidden camera or two.
3.a Limiting Login Attempts
Block IP addresses after multiple failed logins to deter brute force attacks.
This is again where Wordfence seamlessly manages this functionality and shines like a star. This is a matter of personal preference, but here are my paranoid settings:
– Don’t even guess my username? You’re blocked. Sure, I might accidentally lock myself out, but I know how to fix it.
– One wrong password? Blocked! Strong passwords are essential, but this feels even safer to me. Wordfence lets you customize timeouts and limits if you prefer less extreme measures.
3.b Enforcing Robust Passwords
Complex, lengthy passwords make cracking exponentially harder, and password managers assist with creation and storage, so you don’t have to remember passwords anymore. This step might seem redundant after my aggressive login blocking, but for me, security is about redundancy.
3.c Multi-Factor Authentication (MFA)
Hats off to Wordfence, because this article could’ve been just one about Wordfence. They provide a great feature to enable MFA with your preferred Authenticator app. Again, MFA has been proven several times to not be entirely secure, but layer after layer, we are almost reaching 100% safety! Almost.
Beyond the Layers: An Ongoing Approach
Remember, stay vigilant about updating WordPress, themes, and plugins. Outdated versions are easily exploited.
Backup Strategy
Even with the best defenses, things can sometimes go wrong. That’s why regular backups are your safety net. Choose a reliable backup solution that stores your site data offsite. In a worst-case scenario, you can quickly restore your website and minimize downtime.
And stay safe!