WordPress Security: How to identify and eliminate threats
Excuses like “We are too small for an attack” or “We do not process sensitive data, such as financial reports” are no longer relevant. It has repeatedly been proven that all websites, regardless of their size, are vulnerable and can fall into the trap of hackers.
If you approach your website professionally, you should pay attention to the best practices of security for WordPress. We will share an exhaustive list of tips for protecting your WordPress site from hackers and malware.
As a website owner, you have the capability of improving the security of WordPress, even if you do not know how to code and do not want to get into the labyrinth of its complications.
We have prepared a step-by-step instruction and created navigation so that you do not have difficulties when walking through the material. You can quickly get to the right fragment of the text, and by the end of reading your website will be much more secure than the most resources on the web.
Why is security important?
A hacked WordPress site can severely damage your business and reputation. Hackers can steal user information, passwords, install malware and distribute Trojans among your users.
In 2017, Google reported that more than 55 million users were warned about visiting websites with malware. Every week, Google makes a list of more than 20,000 malicious programs.
If your site is your business, you have to pay more attention to its security. Only you are responsible for protecting your resource from intruders. As it stated in the WordPress Security Codex: “Fundamentally, security is not about perfectly secure systems. Such a thing might well be impractical, or impossible to find and/or maintain. What security is though is risk reduction, not risk elimination. It’s about employing all the appropriate controls available to you, within reason, that allow you to improve your overall posture by reducing the odds of making yourself a target, subsequently getting hacked.”
Take your time and go through the following best practices, as well as check out some of the industry-proven WordPress security strategies like using up to date WordPress software, strong credentials policy, and security-focused system administration.
Types of vulnerabilities
Common vulnerabilities in WordPress are the low security of themes, vulnerabilities of servers, databases, file permissions, FTP, and specific file components such as wp-admin, wp-config, and wp-includes. They are the most prone to attacks.
Numerous hacking incidents have shown how easy it is for intruders to use unprotected links in WordPress security services to their advantage. One vulnerability can expose your website to thousands of attacks. For example, in early February, cybercriminals launched a large-scale campaign where compromised WordPress sites redirected visitors to domains with a set of exploits.
Exploit is a piece of code that can use loopholes in your WordPress site and allow hackers to hack the system. In other words, it is a software that looks for unprotected elements on your website and attacks them.
Exploits are formed as a result of errors of programmers who do not pay proper attention to the security of the resource. When an exploit is discovered, you need to make a patch that removes this vulnerability.
In another series of attacks, hackers exploited a vulnerability in the XML-RPC file.
XML-RPC is a remote procedure call (RPC) protocol that uses XML to encode its calls and HTTP as to send requests or orders to websites remotely. If you do not want to give hackers an extra chance to hack your resource, you can simply delete it. When there is a need, you can restore it.
SQL injection is the most common way to attack a database by passing firewalls when hackers send special SQL requests to a website. These code injections can create new administrator accounts that can link to malicious or scam sites from your resource.
How to prevent SQL injections?
Error messages are mainly used to retrieve sensitive information about a website. So either they should be disabled, or custom error messages have to be created. Cybersecurity experts from WordPress development services say that SHA1 or SHA encryption should be used for all confidential information and passwords. Limiting the number of granted permissions will reduce the likelihood of such malicious attacks.
Brute Force Attacks
The brute force attack consists of attempts to get the correct combination of login and password by trial and error method. It is the easiest way that hackers try to access the login. This kind of attack can be executed in various ways, each method repeatedly trying to guess the combination of the login and the password. It is a common tactic used by bots since there are no restrictions on the number of attempts to log into WordPress. If the attack is successful, the sensitive information of your website and business can be in jeopardy. Even if it fails, still your system can be overloaded.
How to deal with brute force attacks?
The best way is to activate a lock policy that eliminates unlimited login attempts. Progressive delays can also be used when the account is locked for a certain period of time. Tools such as Captcha will help, although this will affect the usability of the website. Creating complex passwords to combat these types of attacks can also be helpful.
How to prevent cross-site scripting?
There are several methods to prevent XSS attacks:
- Do not allow unreliable data to access your HTML documents.
- Use the Sanitization API WordPress and the Escaping API WordPress (code cleanup functions to protect confidential information and not to display it publicly-for example, in a browser link address line).
- Before entering unreliable data into the URL request string, make sure that it is encoded in the URL.
- Before you place unreliable data in HTML pages, make sure that it is encoded in HTML, by replacing code syntax.
Web server and OS attacks
There are also certain security vulnerabilities on the web servers and operating systems. Such security threats are created when an error is recorded in OpenSSL, which makes it available to hackers to gain access to databases and confidential information. This severe vulnerability affects almost two-thirds of all websites.
How to prevent attacks on a web server?
- Perform regular security checks on the OpenSSL software.
- Perform server-side validation.
- Do not trust the inputs from the outside.
- Update the IPS and firewall signatures and enable the Heartbleed signatures.
- Cancel the existing SSL certificates and create new ones.
- Do not create new certificates with the old key.
Malicious programs are designed to destroy and damage a system or gain access to a database. Such software is a form of executable codes and scripts that penetrate the system without the user’s consent.
Whenever your WordPress site is hacked, take a look at the recently modified files. The most common malware infections include backdoors, downloadable disks, and malicious redirects.
How to deal with malicious attacks?
- Remove the malicious files manually.
- Restore the WordPress site from a backup.
- Always update WordPress and plugins.
- Delete the “admin” account and use a different unique username.
Detection of hackings
There is a low percentage of hacking attempts that are extremely difficult to detect, but in general, you can identify any attempts whether successful or not.
Indicators for detecting vulnerabilities:
- Sudden, unforeseen surges of traffic, especially from abroad (often not from your region, where the probability of finding your target audience is extremely low);
- Your domain is automatically redirected to a third-party site (often spam);
- Your homepage and internal pages suddenly changes or the content disappears;
- Bursts of outgoing bandwidth can indicate that your server is captured and used for DDoS attacks;
- Direct and organic traffic decline because search engines such as Google, Yandex, Bing and browsers (Firefox and Chrome) warn about the dangers of visiting your site by users.
If you notice one of the listed activities on your website, quickly conduct the security diagnostics of your WordPress website here. Just replace www.example.com with the domain of your website in the address bar. An alternative to the service is checking the reputation of the site with the help of the free URLVoid tool.
Eliminate security breaches
Carefully and objectively monitor your resource for the attempted hacks. In case there are security issues, you should start to eliminate violations.
If you are sure that your site has become a target of cybercriminals, it will be right to inform your visitors about it. Organize the automatic distribution of email to your users, because they can be vulnerable to hackers. Notify them that your site may be a victim of a security breach and that it is better to suspend visiting your site for a while. Specify the date to which the problem will be fixed.
If the attack has spread, it makes sense to turn off the site and work in the offline mode until you find and solve the problem. For the period of work, it is recommended to put “Site on Reconstruction” page. It will make it clear to users that the problem is temporary and will not scare them away forever.
Contact your web hosting
Web hosting companies work daily with thousands of websites and face all kinds of security problems on the Internet. Once you learn that the security of your site is at risk, contact the hosting company and explain your problem.
Most web hosting companies have IT security specialists. They can help to identify and correct malicious attacks. Even if your hosting company does not offer its help, its experts can contact other website owners who have faced a similar problem. It will help you to understand what you should do to solve the problem.
Good hosting providers take extra measures to protect its servers from common threats. But on shared hosting, you share resources with other website owners. It increases the risk of cross-site scripting attacks when a hacker can use a neighboring website to attack yours.
Using WordPress managed hosting provides a safer operation of your website because of its additional functionality like automatic backup, updates and more complex security configurations to protect your resource.
Get help from web security experts
Typically, the most vulnerable website files are media files, .php files and those that are stored in unsafe places. Hackers inject malicious code into these files and damage your website using backdoor attacks. Since these are typical risk zones, you first need to inspect them and, after that, go to other areas of the site to start the cleaning process.
Clearing malicious code from infected files requires you to download them from your server, remove the affected code and re-upload the clean files to the server.
Sometimes it’s not enough just to clean up infected files. Perhaps hackers have access to your files, and they will continue to make changes to them and delete code snippets. The correct practice is to compare the cleaned version of your infected files with the source files of your web developers to see if you have lost critical pieces of code.
Remember that usually, hackers install backend shells that allow them to hack your site even after removing all infected files. These shells often disguised as a regular file. If your site has been compromised, when you return to your backup, outsource the job to security services to ensure that your website is completely secure and can function further.
Cleaning up infected files is only part of the task of removing vulnerabilities. You need to make sure that hackers do not get access to your data again. The easiest, but effective way to do this is to change passwords. ALL of your passwords from:
- FTP account;
- Hosting account;
- WordPress admin panel.
You have to be sure that your new passwords are reliable and cannot be cracked using brute force methods. Remember, stealing passwords is the most common type of hacking WordPress websites. Therefore, we recommend that you create more complex passwords that have never been used before.
The main reason why newbies do not prefer using strong passwords is that they are hard to remember. Now there is a solution to this problem – just use the password manager.
An effective way to reduce risks is to have multiple roles to access your WordPress account. If you have guest authors, make sure that you understand the roles and capabilities of everyone before adding new users to your website.
How to Secure your WordPress site
Usually, maintaining website security is viewed as a complicated job and that it requires a staff of highly-paid professionals. In the case of WordPress, things are not that scary. We’ll show you how to protect your WordPress site without in-depth technical knowledge. You do not have to know how to code, perform complex actions, stand on your head or perform secret voodoo rituals.
Let’s get on it!
Step 1. Set the backup options
Backups are your shield from any WordPress attack. Remember, no website can be 100% secure. Even government websites get hacked from time to time. So your resource may also become a target.
Backups are designed to quickly restore a vulnerable website. Therefore, we recommend using ready-made WordPress plugins for this purpose. There are a lot of them: there are paid and free options.
The most important thing here is that backups need to be done regularly. There is one important rule – they need to be created on a third-party storage service (for example, in the Dropbox cloud, Amazon), and not in your hosting account.
The more often you update your website, the more often you need to make backup copies of it. If you make updates to the blog daily, we recommend that you make a backup at least once a day.
How to do it?
Use WordPress security plugins and services
Having a basic security infrastructure is a must for any website regardless of its scale. For example, a simple tool, Login Lockdown, for WordPress users is useful for preventing primitive attacks of logging in attempts using brute force.
Therefore, if you do not already have a firewall or security system protecting your site, activate them without any delay. Since our goal is to prevent the attack and not to restore after the damage is done, we suggest using a web application firewall (WAF) as a solution.
A firewall is a ready-made software solution that adds an extra level of protection and controls all traffic coming into your website, blocking a wide range of malicious threats.
It fights the most common and aggressive threats, including the Open Web Application Security Project, SQL Injections, Cross Site Scripting and Invalidated Redirects. A firewall or a firewall is often built into modern operating systems or included in paid antivirus systems.
Web application firewall (WAF) is the easiest way to protect a site and be sure of its security. It blocks all malicious traffic before it overtakes your resource.
Good hosting providers offer built-in WAF protection using the mod_security Apache server module with open source, but we understand that it is not enough to block latest detected threats. The module is rarely updated by web hosting who do not have enough resources to track the rapidly evolving threat landscape.
Therefore, users should take the task into their own hands, using the firewall provided by the cloud security providers. Such cloud-based WAFs are plug-and-play solutions that control all incoming traffic and autonomously process the entire threat detection and removal process to respond to new and existing threats quickly.
Besides, such cloud services typically come with CDN content delivery networks, DDoS failover services, and even load balancing solutions to improve performance, security, and availability.
As the best firewall for web applications for WordPress, we recommend Sucuri. The advantage of the Sucuri firewall is that it comes with a guarantee of removing malware. Developers guarantee that they will fix your website (no matter how many pages you have). Security specialists, usually, estimate their work at $250 per hour while you can get the full range of security with Sucuri for $199 a year.
Sucuri is not the only firewall vendor. His famous competitor that’s already stepping on his heels is Cloudflare.
What are the differences between Sucuri and Cloudflare?
Both services offer different plans, which come with a different set of features.
CloudFlare gained fame for the free CDN service. It specializes in preventing DDoS attacks. CloudFlare keeps your site accessible to users during an attack or with heavy traffic when your server stops responding.
The firewall also covers forms and protects your website from spam comments and spam registrations. CloudFlare also offers free SSL certificates in all of its paid plans. Free plans allow you to use only the CloudFlare certificates. To obtain a custom certificate, you must upgrade to a business or corporate plan.
Although CloudFlare has a free version that provides free CDN, most other functionalities, including the web application firewall require a transition to a paid plan.
CloudFlare does not offer a service for scanning servers to detect malware. It also does not provide a guarantee for removing malware.
Sucuri is one of the most reliable security services for monitoring websites. It offers comprehensive monitoring and scanning for malware, protection from DDoS and removal of malicious software.
Sucuri offers CloudProxy, a website firewall, and a load balancing services. It blocks suspicious traffic, infected code, bots and other threats. Sucuri regularly scans your website.
What to choose?
Sucuri obviously has more advantages because it offers the best combination of tools and services (firewall site + load balancing + malware cleaning/hack restoration).
CloudFlare offers a free CDN service for everyone. They do not charge for bandwidth, i.e., you can use their free CDN regardless of the amount of traffic.
However, the free plan does not come with a firewall for web applications. Your website can use the CDN, but it will not be properly protected from DDoS attacks, spam, etc.
To use a firewall, you need a Pro plan that costs $20 a month but this plan does not include advanced reduction of DDoS attacks and custom SSL. To get these features, you will need to purchase a business plan which costs $200 a month.
Sucuri does not offer a free plan. Their security plan starts at $199 per year, which turns out to be more affordable than CloudFlare’s pro plan. This basic plan includes full site monitoring, web application firewall, DDoS protection, malware removal and a free SSL certificate.
Rather than excluding significant features from lower-level plans, Sucuri uses time priority as an incentive for its more expensive plans. For example, the time to remove malware in a basic pricing plan is 12 hours, 6 hours for a professional plan and 4 hours for a business plan. At the same time, the actual cleaning time is faster than indicated in the plans.
Sucuri offers round-the-clock support for all plans. Their business plan subscribers can also use chat support.
What to choose?
Sucuri is an obvious choice for small businesses when it comes to prices. CloudFlare Pro costs $240 a year against Sucuri charging $199 per year with a wide range of features. To get the same functionality, you will need to go to the CloudFlare plan at $2,400 per year. The most expensive Sucuri plan is $499 per year.
Malware and infected code are the most common threats faced by website owners.
How do Sucuri and CloudFlare protect sites from these common threats?
A free version of CloudFlare is usually good as a content delivery network that will make your site faster to download.
However, if an attacker also breaks these barriers, Sucuri will offer to clean up your site (for free). If you now have a website affected by malicious software, Sucuri can also clean it.
What to choose?
To utilize a web application firewall with monitoring, anti-malware protection, and cleaning services, Sucuri is best suited. However, in the field of content delivery, it is better to use CloudFlare.
Step 2. Transfer to HTTPS if you have not already done so
One of the newest ranking factors that Google officially announced is the requirement to switch to HTTPS. This emphasis on website security shows that Google is serious about the fact that unreliable or hacked websites are downgraded in search engine rankings. According to Google itself, this is an attempt to make the Internet more secure.
HTTPS is a protocol for securing the confidentiality of data exchange between a user and a website. It ensures the security of transferring important information between sites and servers, in contrast to the old HTTP protocol.
HTTPS was previously widely used for financial transactions on e-commerce sites, to protect mailboxes. In other words, it was applied to any transactions requiring security and reliability.
By transferring your site to an HTTPS protocol, you will not just make it more secure; you will also increase your chances of gaining high positions in search results on Google and Bing thematic queries.
Step 3: Install WordPress security plugins
It is important to set up an audit and monitoring system that tracks every activity that happens on your site.
You need a security plugin to:
- monitor the integrity of files;
- track unsuccessful login attempts;
- scan the site for malware;
- eliminate any threats;
- protect your site from threats;
- have a universal assistant in the fight against all kinds of vulnerabilities;
The free plugin, Sucuri Scanner, can handle these tasks.
How to configure Sucuri Scanner?
- Create a free API key. It will help to keep trail records, check the integrity of the website, notify by e-mail when threats occur.
- Go to the Hardening tab in the Sucuri menu on WordPress dashboard. Mark each option and click the “Strengthen” button.
These settings help to block the risk zones that hackers often use for their attacks.
- Configure threat alerts by e-mail. To ensure that your e-mail does not clutter your mail, we recommend that you set up receiving emails only about critical actions such as registering new users, changes in plugins.
Wordfence Security is one of the most famous security plugins with more than 2 million active installations and a built-in firewall. It provides comprehensive protection of a website on all fronts:
- Universal site protection;
- Protection against new threats;
- Protection from brute force attacks;
- Detection of malicious traffic;
- Blocking intruders before they reach the site;
- Protection from bots;
- Blocking malicious networks;
- Protection of the input from brute-force passwords, DDoS-attacks;
- Scanning the site for threat detection;
- Scanning of backdoors;
- Scanning for Trojans, suspicious code;
- Scanning messages and comments.
To get a more reliable firewall, you will need to purchase a Premium version (from $99 for the year). Basic plugin features are available in the free version.
Send a request to Google, Bing, etc.
The negative result of being hacked is that many search engines, browsers, and security software identify your resource as problematic and issue alerts to users who want to visit the site. Thus, they try to ensure the safety of their users, prevent them from danger.
In order for your site to get to its feet as quickly as possible, contact Google, Bing, Yahoo, Mozilla, and other services to remove your site from their blacklist.
As with most other things that suddenly went wrong, just be careful and make sure that you took every possible precaution to protect your WordPress site from any attacks. If it was inevitable and you have been already hacked, do not be discouraged.
Just use the negative experience (which usually can be avoided) as an alarm bell, follow the steps described above and use any security measures to avoid such an event in the future.