How to run a WordPress security scan

Keep an eye out

With the growing availability of dedicated hosting solutions, WordPress now powers roughly 31 percent of the web. Being the most used open-source content management system (CMS) also makes it a favorite target for attackers: more than 78 percent of reported compromises involve the WordPress platform. The result is an epidemic of less-than-secure sites, and it is one that we developers and designers are well placed to fix. Regularly running a WordPress security scan can save your clients from disaster and adds a service you can sell alongside your existing offerings.

Why is a WordPress security scan so important?

Because WordPress is open source, every line of code in its elegant design is open to scrutiny, by defenders and attackers alike. Look back through the release history and you'll find that most releases include at least one security fix. The lesson for administrators, developers and business owners is that these sites need regular maintenance to stay secure and, most importantly, online.

If a WordPress site is neglected, a compromise is only a matter of time.

Either way, a regular WordPress security scan is far less work than repairing a site after the damage has been done. In fact, once you've noticed that a site has been compromised, it is often easier to rebuild it from scratch than to audit the entire server and work out which backup, if any, is clean of malware.

Fortunately, there are tools and procedures that can make this process easier and faster, and can even be included in your service offerings.

How can a WordPress security scan fit into your service offerings?

In my professional experience, most developers building sites for clients don't offer to maintain or secure the website. Business owners tend to be in the dark about the health of their sites indefinitely, because they were never told that WordPress site security needs regular checking. The website becomes neglected, and eventually that $3,000 investment gets demolished.

Offering maintenance services provides a steady flow of income to your own business by increasing the longevity and value of your clients’ businesses. This creates predictable work as well as a recurring revenue stream, which translates simply to more money for less work.

Additionally, this tactic will help strengthen business relationships with clients by keeping your brand fresh in their minds and reminding them of your value. In a freelance business, new work is often generated through existing customers or referrals stemming from a fantastic experience. Showing your clients that you are invested in their success will encourage them to invest in yours.

How to run a WordPress security scan: The checklist

OK, so we've talked about why it's important to keep your clients safe in the wild. We also discussed how to turn a disaster scenario into a win-win for everyone. By now you should be wondering how to add these new services to your product line. Hold onto your hats, because you're about to receive a checklist on how to generate revenue with an hour of your time!

  1. Update core files, plugins and themes.
  2. Remove unused plugins and themes.
  3. Install an SSL certificate.
  4. Enforce strong passwords.
  5. Install a security plugin.
  6. Use captcha on forms.
  7. Limit login attempts.
  8. Turn off file editing.
  9. Change security keys.
  10. Secure core files with an .htaccess.
  11. Disable XML-RPC.
  12. Audit file permissions.
  13. Disable PHP error reporting.
  14. Have a backup plan.

Ready? Let’s dive in!

1. Update core files, plugins and themes

Earlier I mentioned that WordPress updates almost always include security fixes, so applying them is always the first step in securing a client's site, and the steps couldn't be simpler. Log in to the wp-admin dashboard, hover over Dashboard in the sidebar, click Updates in the dropdown, and select the items you want to update, which should be everything listed. You can also make this automatic. Core updates are controlled by a constant in wp-config.php:

// Enable automatic core updates (minor and major releases)
define( 'WP_AUTO_UPDATE_CORE', true );

Plugin and theme updates are controlled by filters, and add_filter() is not yet defined when wp-config.php is read, so putting these two lines in wp-config.php produces a fatal error. They belong in a must-use plugin (a PHP file under wp-content/mu-plugins/) or the active theme's functions.php:

<?php
// Enable automatic updates for every plugin and theme
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

Automatic updates can change how a theme or plugin behaves and will occasionally break something, but a broken feature you can roll back from a backup (step 14) is usually preferable to a known vulnerability left on the site.

2. Remove unused plugins and themes

One of the greatest features of WordPress is its ability to download and run plugins, potentially improving the functionality of your website. That being said, it is possible to have too much of a good thing.

The quality of code across plugins and themes varies widely, as some are written by businesses and others by hobbyists, and neither is perfect.

Every plugin installed on your WordPress site adds code, and therefore attack surface; each new installation opens new vectors. It is not enough to deactivate plugins you aren't using: the files stay on the server, and a vulnerable script that can be requested directly by URL is exploitable whether or not the plugin is active. You have to delete the plugin to remove the vulnerable code. Removing unused items is equally important for performance, and should be part of any WordPress security scan. The fewer plugins, the safer and faster the site will run.

3. Install an SSL certificate

It should be painfully obvious by now that every website should be served over HTTPS, and the list of benefits merits its own article.

Put simply, adding SSL/TLS certificate installations to your service offerings empowers your client, protects their visitors' traffic from interception and tampering, and can boost Google rankings.

Installing these certificates is quick and easy. The steps differ slightly by platform, but you can find most use cases in the GoDaddy Help Center. With the certificate installed, change the WordPress Address and Site Address under General Settings from http:// to https:// and click Save Changes. Then make sure the old addresses stop working: redirect all HTTP requests to HTTPS at the web server, set FORCE_SSL_ADMIN in wp-config.php so the login page and dashboard are never served over plain HTTP, and fix any mixed-content warnings caused by hard-coded http:// image and script URLs in the database.

4. Enforce strong passwords

The most used passwords of 2016 ranged from 123456 to password, which are painfully obvious, insecure and all but guarantee that the account will be taken over. According to Symantec, a strong password is at least eight characters long and mixes digits, punctuation, and upper- and lowercase letters. In practice length matters more than any single character class, and a long random passphrase from a password manager beats a short complex one.

Your WordPress security scan should cover a few obvious things. Never reuse a password across sites; credential-stuffing bots try passwords from other breaches against wp-login.php all day. Avoid passwords built from dictionary words or proper nouns, which are prone to the aptly named dictionary attack. And check every account on the site, not just your own: a forgotten contractor account with administrator rights and a weak password is as dangerous as a weak password on yours.

5. Install a security plugin

Security plugins fall into a gray area and can just as easily lead you down a path to destruction as they can help secure your site. It’s important to know which security plugins work best.

These also offer firewall features in case you don’t already have a firewall implemented, which will keep your site protected from repeat offenders. The opposite side of this coin reveals sometimes these security plugins come at the cost of website performance.

As the developer, it’s important to determine whether to use a security plugin by comparing plugin features against systems already running on the server, as well as being mindful of available hardware resources such as memory or processing power.

6. Use captcha on forms

A hacker doesn't need to compromise a login to deface a site or spread malware. If your WordPress site has a contact form without a CAPTCHA, you can bet that eventually it will be used to send as much spam and as many malicious emails as your server can handle. A CAPTCHA on the login form also slows automated brute force attempts against your admin accounts, though it won't stop a determined attacker on its own, which is why the next step matters too.

I prefer Google's reCAPTCHA, so I decided to use Google Captcha by BestWebSoft, but as you perform your own WordPress security scan you can decide on a plugin.

7. Limit login attempts

While we are on the topic of brute force attacks, here is more protection from bots and hackers. The Limit Login Attempts plugin protects the login page with a configurable number of failed attempts allowed before a client is blocked from submitting the form, and you can whitelist addresses for a user who tends to forget their password. One caveat: plugins like this block by IP address, so behind a CDN or reverse proxy make sure the real client address reaches WordPress (typically via the X-Forwarded-For header), or a single bot will get the proxy's address blocked for every visitor.

Some hosting providers already offer this as a built-in feature, GoDaddy's Managed WordPress among them, so do your research before installing a second layer that does the same thing.

8. Turn off file editing

As you handle your WordPress security scan, you'll notice that WordPress lets you edit theme and plugin files directly from the admin panel. That editor is a convenient path to remote code execution: anyone who gets hold of an administrator session, whether by phishing, password guessing or a hijacked cookie, can paste a PHP backdoor into a theme file without ever touching the server.

It's best to disable it, which also protects against a well-meaning client breaking the site with a stray edit.

Thankfully, the remedy is another one-line change to wp-config.php. Add this on its own line:

// Disable the theme and plugin file editor in the dashboard
define('DISALLOW_FILE_EDIT', true);

The stricter DISALLOW_FILE_MODS constant also blocks installing and updating plugins, themes and core from the dashboard and disables automatic updates, so only use it if updates are handled another way (by the host, for example), or it will undo step 1.

9. Change security keys

The keys and salts in wp-config.php don't encrypt anything; WordPress uses them to sign the authentication cookies that keep users logged in and the nonces that protect forms. An attacker who obtains them can forge those signatures, and changing them invalidates every existing cookie, which logs all users out of the dashboard and also throws out anyone riding a hijacked session. Rotate them after any suspected compromise, whenever wp-config.php may have been exposed, and when you take over a site from a previous developer. Changing them is as simple as copying and pasting.

First, fetch fresh values from the WordPress secret-key generator at https://api.wordpress.org/secret-key/1.1/salt/ and copy them. In wp-config.php you'll find a block that looks like the one below; replace it with the block you copied. Never reuse values printed in an article or anywhere else public, including these:

define('AUTH_KEY',         'HeW#zltmGurr@u{B97hDiOr;3@<1>-^bbtua-:bC&K4`]*r 6V<-s-GtTq?lLL|h');
define('SECURE_AUTH_KEY', 'B >t.QYHTKXRv/)ewR 5$iswZrLM}kAE#15?:2lu]zPd!KuB78?4fopw3QsHtx#4');
define('LOGGED_IN_KEY',    'gI:T2,v7|E[.Q&[yGK|$a+s1;&$8-[?|6dE+FX|9|Ex|N[EPiQ0YzoXas=.7`4;&');
define('NONCE_KEY',        'Z_-$xVrv0+VqtoVl#8|s/zeOlm^h# zHh(3me1X/S(l[(h;-+KI&cyDuLbm<!DR.');
define('AUTH_SALT',        '-~i[ahut&xhfTLlnk+u^[GC2?:324X/Lo*<i{|K75j)6HI<y1<Vc$|(,-xZ+{ O]');
define('SECURE_AUTH_SALT', 'B|M9s9a*iwp44|ldOHJlG9.#-Hb$t?kY|st;D9 )]FALOWt[/fYrtanxrjoxfD(z');
define('LOGGED_IN_SALT',   'z_ Drd6Rip3upj:P*|2UsToIkVtaG|Nk3JKO yNq=xQZpVy7u!d@.TO8P:b5#s*H');
define('NONCE_SALT',       '5/af{*Wq82Gzq56&$b)<]X=-3#NW3x++~ D|PD-oCs=(#_y-~Z=w[]W9#jBfgJ *');
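If you rotate keys on many client sites, doing it by hand gets tedious, and pasting from a browser invites mistakes. The script below is an added example, not code from the original article, that does the same job offline from the kernel's random source, checks a wp-config.php for missing or placeholder keys first, and keeps a backup. It assumes the stock define('NAME', '...'); layout that wp-config-sample.php uses; the 32-character minimum in the check and the backup naming are choices of this example.

```shell
#!/bin/sh
# Added example, not code from the original article: rotate the eight WordPress
# secret keys and salts in wp-config.php offline, without calling the
# api.wordpress.org generator. Assumes the stock define('NAME', '...'); layout.

KEY_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# One 64-character secret from the kernel CSPRNG. The character set leaves out
# the single quote, backslash, ampersand and pipe so the value can be dropped
# into a PHP single-quoted string and into the sed replacement below unescaped.
wp_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^()_+=.,:;?~<>{}-' </dev/urandom | head -c 64
}

# Report keys that are missing, still the wp-config-sample.php placeholder, or
# shorter than 32 characters (an arbitrary floor chosen for this example).
# Returns 1 if anything is wrong, 0 if all eight look sane.
check_wp_keys() {
    config="$1"; bad=0
    for name in $KEY_NAMES; do
        value=$(sed -n "s|^[[:space:]]*define( *'$name', *'\([^']*\)' *);.*|\1|p" "$config" | head -n 1)
        if [ -z "$value" ] || [ "$value" = "put your unique phrase here" ] || [ "${#value}" -lt 32 ]; then
            echo "$name: missing, placeholder or too short"
            bad=1
        fi
    done
    return "$bad"
}

# Replace every key and salt in place, keeping a timestamped backup first.
# Every logged-in session is invalidated as a side effect, attackers included.
rotate_wp_keys() {
    config="$1"
    cp "$config" "$config.bak.$(date +%Y%m%d%H%M%S)"
    for name in $KEY_NAMES; do
        secret=$(wp_secret)
        # Keep everything around the quoted value, swap only the value itself.
        sed -i.tmp "s|^\([[:space:]]*define( *'$name', *'\)[^']*\(' *);\)|\1$secret\2|" "$config"
        rm -f "$config.tmp"
    done
}

# Usage: check_wp_keys /var/www/html/wp-config.php || rotate_wp_keys /var/www/html/wp-config.php
```

Run check_wp_keys first during the scan; a site still carrying "put your unique phrase here" was set up by hand without ever visiting the generator, and anyone who knows that can sign cookies for it. The backup file contains the old secrets, so delete it once you've confirmed the site still logs in.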

10. Secure core files with an .htaccess

The .htaccess file is one of the most powerful tools in a WordPress security scan, with one caveat: it only does anything on Apache (or LiteSpeed) with AllowOverride enabled, and nginx ignores it entirely. We'll start by blocking direct browser access to the include-only core files. A legitimate visitor never requests these directly; the requests for them you see in the logs are attackers probing for exploitable scripts. If you're interested in understanding how the Apache Web Server and .htaccess file work, I highly recommend checking out htaccess-guide.com.

As a quick fix, add this block from the WordPress hardening guide outside the # BEGIN WordPress and # END WordPress markers. WordPress rewrites everything between those markers whenever permalinks are saved, so anything placed inside them is lost:

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

RewriteBase / assumes WordPress lives at the document root; adjust it for a subdirectory install. The [S=3] flag skips the next three rules for any request outside wp-includes/, so keep those three rules together. WordPress notes that this block does not suit Multisite installs.

11. Disable XML-RPC

Most sites don't need XML-RPC, the remote API used by the WordPress mobile apps, Jetpack and a handful of other plugins, automated posting feeds, and pingbacks. If your client posts from a phone or relies on Jetpack, leave it on; otherwise disable it. The xmlrpc.php endpoint is a favorite of password-guessing bots because its system.multicall method lets a single HTTP request try hundreds of username and password pairs, bypassing any limit you put on the login form, and its pingback method has been abused to bounce traffic at other sites. Blocking it is another block in your .htaccess file; the <Files> wrapper is essential, since without it the deny applies to the entire site:

#disable xmlrpc
<Files xmlrpc.php>
Order deny,allow
Deny from all
</Files>

On Apache 2.4, a single Require all denied line replaces the two Order and Deny lines. Blocking the file at the web server beats a plugin that rejects the request, because the request never reaches PHP at all.

12. Audit file permissions

According to WordPress, developers and admins should avoid 777 permissions at all costs: a 777 file or directory can be read, written and executed by every user on the machine, which on shared hosting means every other customer. Instead, WordPress suggests 755 for directories and 644 for files, and wp-config.php, which holds the database password and the secret keys, should be tighter still (600, or 440/400 where the web server can still read it). Because updates, plugins and uploads constantly create and change files, audit the permissions regularly as part of your WordPress security scan to keep the environment secure.

To run a quick audit, this command over SSH lists every file and directory under the current directory that does not follow the guideline:

find . -type f ! -perm 0644 -print; find . -type d ! -perm 0755 -print

It will also list wp-config.php if you've tightened it, which is the one result you want to see.
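The two find commands above only list offenders. The script below is an added example, not code from the original article, that turns them into a repeatable audit with a count you can put in a report, treats wp-config.php as a special case, and applies the guideline when you decide to fix rather than just look. It assumes PHP runs as the file owner (the usual cPanel, suPHP or per-user PHP-FPM layout), which is what 644 and a 600 wp-config.php presume.

```shell
#!/bin/sh
# Added example, not code from the original article: audit a WordPress document
# root against the 755/644 guideline and optionally fix it. Assumes PHP runs as
# the file owner; where the web server is a different user, wp-config.php needs
# 640 with that user's group instead of the 600 applied here.

# Print every path that deviates from the guideline. wp-config.php is held to a
# tighter standard because it holds the database password and secret keys.
audit_perms() {
    root="$1"
    find "$root" -type d ! -perm 0755 -print
    find "$root" -type f ! -name wp-config.php ! -perm 0644 -print
    find "$root" -maxdepth 1 -type f -name wp-config.php \
        ! \( -perm 0600 -o -perm 0640 -o -perm 0400 -o -perm 0440 \) -print
}

# Number of offending paths; 0 means the tree follows the guideline.
audit_count() {
    audit_perms "$1" | wc -l | tr -d ' '
}

# Apply the guideline. "{} +" batches paths so chmod runs a few times rather
# than once per file, which matters on a site with thousands of uploads.
fix_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f ! -name wp-config.php -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# Usage: audit_perms /var/www/html   # review the list first, then
#        fix_perms /var/www/html
```

Review the audit output before fixing: a 777 directory under wp-content/uploads is almost always a lazy workaround for a permission problem the host should have solved, and a 755 PHP file in uploads that nobody remembers creating deserves a closer look before you quietly chmod it.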

13. Disable PHP error reporting

Disabling PHP error display keeps attackers from learning details about your website and the environment it runs in. A common reconnaissance technique is to request a file that throws an error and read the message, which can reveal the operating system, the site's path on the server, the hosting account name, and which plugins and applications are installed.

As an example, suppose you access a file on the website that returns this error:

Warning: Cannot modify header information – headers already sent by (output started at /home/jchilcher/public_html/wp-content/plugins/twitter-profile-field/twitter-profile-field.php:28) in /home/jchilcher/public_html/wp-includes/option.php on line 571.

This single message tells me the server is Linux running cPanel, that the site is the main domain of the cPanel account named jchilcher, and that it uses the twitter-profile-field plugin. I now know where to start looking for vulnerabilities and where to exploit them. The fix is as easy as the rest: create or modify the site's php.ini and make sure the display_errors directive is off. Which file is honored depends on how PHP runs: CGI and FastCGI setups read a php.ini or .user.ini from the site directory, while mod_php takes php_flag display_errors off in .htaccess. Also make sure WP_DEBUG is not left enabled in wp-config.php, because WordPress then turns display_errors back on itself. In php.ini, add the line:

display_errors = Off

Once your settings have gone into effect, any error that would normally display on a page will be gone.
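Steps 8, 10, 11 and 13 all come down to a setting being present in wp-config.php, .htaccess or php.ini, which makes them easy to verify on every visit rather than trusting that nobody has reverted them. The script below is an added example, not code from the original article, that checks those four steps against one install and prints a PASS/FAIL line per check. It only greps the three files and changes nothing; it assumes Apache with .htaccess enabled (on nginx the two .htaccess checks don't apply) and looks for php.ini in the document root, which is where the cPanel-style layout in this article puts it.

```shell
#!/bin/sh
# Added example, not code from the original article: a read-only scan over one
# WordPress install covering steps 8, 10, 11 and 13. It greps wp-config.php,
# .htaccess and the site's php.ini; it changes nothing. Assumes Apache with
# .htaccess enabled; on nginx the two .htaccess checks do not apply.

# True if wp-config.php has define('NAME', VALUE) with VALUE true or false.
wp_const_is() {
    grep -Eiq "^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*$3[[:space:]]*\)" "$1" 2>/dev/null
}

# WP_DEBUG defaults to false, so absence is fine; only an explicit true fails.
wp_const_not_true() {
    ! wp_const_is "$1" "$2" true
}

# Step 10: the two key rewrite rules from the include-only block are present.
htaccess_blocks_includes() {
    grep -Fq 'RewriteRule ^wp-admin/includes/ - [F,L]' "$1" 2>/dev/null &&
    grep -Fq 'RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]' "$1" 2>/dev/null
}

# Step 11: a <Files xmlrpc.php> block plus a deny directive in 2.2 or 2.4
# syntax. A loose check: it does not verify the deny sits inside the block.
htaccess_blocks_xmlrpc() {
    grep -Eiq '<Files[[:space:]]+"?xmlrpc\.php"?>' "$1" 2>/dev/null &&
    grep -Eiq '^[[:space:]]*(Deny[[:space:]]+from[[:space:]]+all|Require[[:space:]]+all[[:space:]]+denied)' "$1" 2>/dev/null
}

# Step 13: display_errors is off in the given php.ini or .user.ini.
display_errors_off() {
    grep -Eiq '^[[:space:]]*display_errors[[:space:]]*=[[:space:]]*(off|0)[[:space:]]*$' "$1" 2>/dev/null
}

# Print PASS/FAIL per check and return the number of failures (0 = all clear).
scan_install() {
    root="$1"
    cfg="$root/wp-config.php"
    ht="$root/.htaccess"
    fails=0
    run_check() {
        label="$1"; shift
        if "$@"; then echo "PASS $label"; else echo "FAIL $label"; fails=$((fails + 1)); fi
    }
    run_check "DISALLOW_FILE_EDIT is true (step 8)"      wp_const_is "$cfg" DISALLOW_FILE_EDIT true
    run_check "include-only files blocked (step 10)"     htaccess_blocks_includes "$ht"
    run_check "xmlrpc.php denied (step 11)"              htaccess_blocks_xmlrpc "$ht"
    run_check "WP_DEBUG not enabled (step 13)"           wp_const_not_true "$cfg" WP_DEBUG
    run_check "display_errors off in php.ini (step 13)"  display_errors_off "$root/php.ini"
    return "$fails"
}

# Usage: scan_install /var/www/html; echo "failures: $?"
```

The exit status is the failure count, so the same function drops straight into a cron job or a loop over every client's document root, and a nonzero result is your cue to open the ticket. Pair it with a live request to /xmlrpc.php from outside the host: a 403 confirms the block is actually in effect, not just present in the file.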

14. Have a backup plan

Lastly, we have what I feel is the most important yet neglected task involved with a WordPress security scan. When I say backup plan, I mean it. If the worst case scenario becomes a reality and your website becomes a host to malware, you should already have a plan on how you will get the website back. In most cases, the clients that I have who refuse to regularly back up their sites end up regretting it. Without a clean backup, your hacked site might never be clean again without having to start all over.

GoDaddy Website Security

If you aren't already familiar with malware blockers, you should learn more about them. Essentially, GoDaddy's Website Security scans the website for malware and checks its uptime every 12 or 24 hours, your choice. Website Security also includes a Web Application Firewall (WAF) that filters malicious requests before they reach your server. It couldn't be easier to set up, and it will do most of the heavy lifting for you, making this a no-brainer add-on for your clients.

Closing thoughts on your WordPress security scan

The instructions I provided are by no means a comprehensive list of security tools and methods and will not make your website bulletproof. Security in technology is an ever-growing field. New methods of protection are being developed constantly. By reducing avenues of attack and auditing files through a regular WordPress security scan, you can at least stay on top of the game and ensure that if someone is going to attack you, it won’t be easy.