The basics of securing WordPress

With great popularity comes greater risk

Editor’s note: The following article is curated from the GoDaddy community. We’ve made some light edits for formatting and clarity. Looking for help with GoDaddy products or getting your business online? Join the community to get answers from other GoDaddy customers

WordPress is the world’s most popular software solution to running a website. Over 25% of the websites on the Internet  now use WordPress as a way to publish and manage their content. The simplest blog to the largest newspaper sites to huge online shops use WordPress.

Securing WordPress is like securing a PC.

Popularity seems to breed contempt, and just like the venerable Microsoft Windows XP in the the early 2000s, WordPress is now facing a serious challenge: keeping WordPress sites secure and free of spam, malware, viruses and other nasties.

Windows XP was designed just as the Internet was picking up speed in 2001. A networked PC was a breeding ground for various attacks and viruses. And because more than 90% of PCs used some form of Windows, virus writers focused on Windows, and specifically Windows XP as a target.

The story goes that if you want to get an infection, just install Windows XP and put it on the Internet — your PC will get some sort of virus or malware in just a few hours of operation, providing you had no antivirus installed. Windows XP is now a relic and mostly gone, thank goodness.

So here we are in 2017, the cloud is all the rage and now many applications are actually websites in disguise. They operate much more smoothly, some run inside smartphone apps, and many use WordPress, a modern “operating system” for websites and many web applications.

And sure enough, as WordPress gets popular, just like good old Windows XP, it is now also a large target of online attacks. These attacks happen pretty much right away when you put up a WordPress website and start building content. You might get a spam comment on a blog post or an attempt to login as an administrator.

Although these attacks may not necessarily infect your PC or smartphone, a successful attack on WordPress can do something much worse — it can deface, mutilate or even bring your website down so it is inoperational or worse starts attacking other websites. Your work, and maybe even livelihood can be curtailed if your website goes down.

Wordfence, a popular security plugin to detect and block attacks, records over 50,000 attacks per minute. An interactive map on the Wordfence website shows an animated attack map.

These attacks, many of which are blocked, can be very destructive.

 

An attack surface can be simply described as a potential weakness in the code or infrastructure of a piece of software. The best analogy is a structural weakness in a building or bridge — if the weakness is taken advantage of, the whole structure can become vulnerable and even come crashing down.

As recently as March 2014, an attack on over 160,000 WordPress-powered websites was used to crash a large website. Many companies are doing their best to prevent these attacks, but WordPress administrators must be aware of the multiple areas of vulnerabilities. Some of these have nothing to do with WordPress but rather the server or host that the software runs on.

Let’s enumerate these “attack surfaces” and see if we can learn some precautions that can be taken.

1. The open source code of WordPress

WordPress is open source, so it is likely to be attacked by hackers who know the code very well. Since all the code is public and available for review, hackers can look for vulnerabilities. Thankfully since many eyes improve the core WordPress system regularly, patches are regularly released.

Lesson learned: Keep your WordPress core up to date with the latest releases. This means you need to be confident of your update schedule and can perform it as necessary. Keeping WordPress up to date is critical. GoDaddy Managed WordPress hosts perform automatic updates to WordPress automatically.

2. Insecure WordPress user accounts

WordPress is sometimes installed with a default administrative users called “admin”. This user is one of the biggest attack surfaces as it is easy for hackers to attempt to login to your administrative website using the default username and a long list of passwords that are typical for admin users. Once logged in with the admin user, your website can be damaged and even be turned on other websites very quickly. Just about every WordPress of any popularity is regularly probed by “bots” to test the admin user to see if it can be logged in. The script to hack in with admin is very easy:

  • Step 1: load up domainname.com/wp-login.php
  • Step 2: try to login with admin as the username, admin as the password
  • Step 3: repeat step 2 with a dictionary attack

Alternate attacks use the domain name as the user name.

Lesson learned: Create a new administrative user as soon as WordPress is installed, and REMOVE the default admin user. You will have to logout from the admin user, and login as the newly created administrative account in order to delete the original admin user. Do not create usernames that have anything to do with your name or your website. GoDaddy Managed WordPress never creates a user called admin or administrator even by default.

There are also special forms of authentication called “two factor authentication” which can be activated with WordPress plugins. This authentication scheme requires a second password to be provided which is usually generated on a limited, timed basis. There are many services and companies including Google, Microsoft and Apple which support two-factor authentication (aka 2FA). One popular approach is using the “Google Authenticator” app on a mobile device which changes the secondary 6 digit password every 60 seconds.

3. Compromised web hosting

Most WordPress websites run on servers that can be accessed via a username and password completely outside of WordPress. Programs like FTP/SSH/MyPHP Admin are used to get access to the files and database that make up the WordPress directory and code tree. Weak usernames and passwords on any of these systems create huge vulnerabilities and are tested regularly by hackers for a way in.

Lesson learned: Ensure strong username/password pairs are setup for all access to the host. In most cases FTP/SSH access can be turned off altogether if no editing of files needs to be made, but sometimes this is not practical.

4. Insecure WordPress plugins

One of the main reasons WordPress has become so popular is of the extraordinary community of developers who have created functionality extensions to WordPress, most commonly known as plug-ins. Plugins can greatly alter the core functionality of WordPress, and just about all WordPress websites have plugins preinstalled, including the “Hello Dolly” test plugin. Unfortunately these plugins sometimes are poorly coded and have huge security vulnerabilities.

Lesson learned: Install and update plug-ins that have excellent reviews and are regularly maintained. Plug-ins that have not been maintained in more than a year should be suspect. It’s best to favour core WordPress functionality every time over a plug-in, when possible. Future versions of WordPress will most certainly make certain plug-ins obsolete, so keep track of the core WordPress functionality.

5. Insecure WordPress themes

WordPress themes provide designers with unlimited control over the look and feel and functionality of a website. Some themes are quite complex and require deep knowledge of WordPress, but unfortunately many are also poorly designed. Some even come bundled with plug-ins that have vulnerabilities.

Lesson learned: See #3 above — the same lessons apply to themes.

6. Insecure WordPress installation

Finally WordPress itself can be made more secure. The database that WordPress uses can be installed with table names different than the standard database. This is usually done in Managed WordPress installations where WordPress is installed with many security precautions usually not taken in 1-click installs available on shared hosts.

There is also a feature in WordPress that enables editing of files called the Editor (available under the Appearance menu). This functionality is super-useful to edit WordPress files like functions.php and make many customizations, but unfortunately it also opens up the WordPress core files for unauthorized editing.

The WordPress Codex describes two WordPress directives that disable file editing and updating functionality.

Editing the wp-options.php file with the directive DISALLOW_FILE_EDIT will turn off the Appearance Editor:

[pre]
define( ‘DISALLOW_FILE_EDIT’, true );
[/pre]

The directive DISALLOW_FILE_MODS prevents updates to files to occur which prevents updates of any kind from occurring. This can be set as an extra precaution and turned off to apply updates and patches to core, plugins and themes:

[pre]
define( ‘DISALLOW_FILE_MODS’, true );
[/pre]

As future WordPress release are planned and delivered, security will continue to take a larger role in the maturation of the platform. It is my hope that experts continue to contribute to WordPress security that has made so many people’s lives rich and fulfilling.

WordPress Hosting from GoDaddy is optimized for WordPress websites. Find out more about GoDaddy’s WordPress Hosting plans

Already a WordPress Hosting customer? Sign in to work on your site

Image by: Visual hunt

Alex Sirota
Alex is a pioneer in using the cloud to meet the needs of small and medium sized business (SMBs). He has a BSc in computer science from the University of Michigan and has worked as a product manager at two Internet startups. His company NewPath Consulting provides business-relevant technology advice and education to prepare SMBs for optimizing their business activities through the cloud.