The Most Common WordPress Security Threats

This is a guest post by:

Chris Teitzel is the Founder and CEO of both Lockr, which helps to increase website security by providing secure storage for API and Encryption keys; and Cellar Door Media, a premier development and business technology consulting company. Find him on Twitter and Linkedin.

 

WordPress has a pretty good record for security considering its wide user base, but it has its risks as well. Having a
security conscious mindset from the beginning, in regards to your website is necessary, as without one a site exposes it to serious dangers. Careful treatment of your website and how it is set up and maintained is critical to keep it safe. Here are
some of the risks which a large number of sites face, and tips on how to avoid them.

Unlimited Login Attempts

By default, WordPress lets anyone try to log in repeatedly, without any limit. This allows “brute force” attacks in which an intruder automates repeated logins, trying a long list of likely passwords, such as dictionary words or other forms of common known phases. If users are careless — and some always are — or the intruder’s list contains a lucky guess, then eventually an uninvited person will gain access to an account.

The remedy is to lock out IP addresses that make too many unsuccessful login attempts. The Login Lockdown plugin will do this. It lets you pick the number of failed attempts before an IP address is locked out, and how long it has to wait before trying again. As a bonus, it lets you change the message on a failed login so the intruder doesn’t know if the password is wrong, or if the account even exists. This keeps attackers from zeroing in on login names that are in use.

Default Admin Account

Brute force attacks are most likely to go after the “admin” account. WordPress sets the account name by default, and it has complete control of the site, so it’s an easy and attractive target. Limiting login attempts will reduce the threat, but you can decrease it further by not having an account with that name.

The great news is no plugins are necessary to do this. From the control panel, create a new account; you can give it any name you like. Give it the administrator role. Next, log out of the admin account and into your newly created account. From there, delete the original admin account. As always, make sure your to give the new admin account a strong password! Detailed instructions on how to do this, along with a couple of alternative ways, are available here.

No SSL Access

If you set up a WordPress account on a cheap hosting site, it might not offer you secure SSL/TLS access. Because of this all interaction with your site is over unencrypted HTTP instead of secure HTTPS. This means anyone can eavesdrop on all login attempts and steal the passwords.

The fix for this is to upgrade your site’s hosting plan or provider to one that gives you an SSL certificate, or the ability to use your own. If your host offers you one but you haven’t yet taken advantage of it, set it up right away. The security provided by SSL/TLS is well worth the cost and effort.

If you have a low-value site and you don’t want to spend any extra money on a dedicated certificate, there’s still a way to utilize login security and improve your login security. By using a DNS service such as Cloudflare, you can have it provide the SSL connection to the user without having to get a custom certificate. Be sure to use their Full or Origin CA methods for the highest level of security. Additionally, the Jetpack plugin gives you another way to log in, if you have a WordPress.com account. (It’s free, and you can get one even if you don’t want to start a blog there.) Jetpack will link your site to WordPress.com, and then you can login just by clicking a button. As long as you’re already logged in to WordPress.com, you don’t have to enter the password for your own site.

SQL Injection And Cross-Site Scripting

A huge proportion of the major security flaws in WordPress, its themes, and its plugins are due to two kinds of coding errors. The usual way to exploit these errors is to enter malicious data in a form which the site then unknowingly runs. SQL injection is the worst by tricking the server into issuing extra commands to the database. It can disclose, change, or delete information, which could capture confidential data,put spam on your site, or take over the admin user.

Cross-site scripting tricks the server into putting unauthorized JavaScript into its output. This can let the intruder spam your site or quietly redirect other browsers to a malicious website.

There’s nothing you can directly do about these vulnerabilities if you don’t write your own PHP code, but you can reduce your chances of letting buggy code onto your site. The most important thing is to use only reliable themes and plugins from companies or developers you trust. Don’t install a plugin from sites you haven’t heard of before or ones anyone can upload to without screening. Stick with trustworthy sources such as wordpress.org and woocommerce.com. Even there, be careful of unknown plugins that have had very few downloads or haven’t been updated in years. The most reliable code is usually code that a lot of people are using and that is regularly updated. Most of all, be sure to update your plugins and WordPress core whenever a security patch is released.

Most attacks that occur on plugins and core that have patches already available. Keeping the WordPress core and all themes and plugins up to date will help to keep them safe. Developers fix bugs and issue updates when they find out about them. Criminals know about bugs they can exploit in older versions.

The steps described here aren’t difficult, and they will significantly improve a WordPress site’s safety.