WordPress Security Basics | Total Security Software

This post is aimed at WordPress webmasters who build and manage their website themselves and who are concerned about the security of their WordPress installation. It offers a (hopefully) understandable overview of the basics of securing a WordPress installation, as well as of useful and less useful measures to achieve it.




WordPress Security: What Can Happen Anyway?

First of all, a webmaster needs the clearest possible idea of the security challenges a website faces. How can an attacker benefit from an insecure website?

Once a website reaches a certain level of reach, it becomes interesting for illegitimate use. Cybercrime is a very lucrative branch of organised crime, with gangs and specialists operating worldwide across the Internet. This applies to the security of websites just as it does to the security of operating systems and of personal data such as account logins.

An insecure website that has been "hacked", as it is popularly called, can be abused in a variety of ways.

·         The website itself can contain interesting data: databases with customer lists and account data, trade secrets and much more.

·         The website can be used to send spam emails, to support attacks on other systems, or to distribute malware automatically to its visitors.

·         The website can serve as a hiding place for illegal data, for example cracked programs offered for download or prohibited pornography.

·         The website can be misused to influence search engines (black hat SEO) by linking or redirecting to fraudulent, or even legitimate, content on the Internet such as shops.

·         The website can simply be destroyed or filled with obvious third-party content (defacement), e.g. by cracker groups or terrorist organisations, or simply as vandalism against a random and easy target or an unpopular competitor.

·         The vast majority of websites are hosted by large hosters on shared (virtual) servers alongside dozens of other websites. A successful break-in to one website can therefore also pose a security risk to the other websites on the same server.

So it is obviously important for a webmaster to engage with security issues at a fundamental level.

How Do Attacks on The Security of A Website Take Place?

Any website can potentially be the target of attacks. In fact this is so normal and inevitable that a website that is not attacked at all is certain to be eking out an unsuccessful shadowy existence with no visitors. Attacks even “ennoble” a website to a certain extent: if a website is attacked, it has become noticeable on the Internet.

The vast majority of attacks on a website are nothing to worry about. They are not targeted, persistent attacks. As with most attacks on operating systems (malware) or account data (phishing), they are mass, automated attempts to exploit simple security gaps. The idea that someone is sitting in a dark room somewhere in the world (possibly with a hood pulled over their face) trying to crack your website specifically is absurd. There are 1.83 billion websites and 4.7 billion internet users (numbers from here). To attack arbitrary websites you need automation that tries to crack them unattended. Efficiency is what counts: attacks go for frequent and easily exploitable security holes. Not every security hole that makes it into the news is easy and efficient to exploit and widespread; if it is not, it is simply not worth the attacker's while.


As far as the security of websites built with WordPress or another content management system is concerned, it is important to understand that such websites are not static products like a page in a magazine, but the result of programming; they are programs rather than documents. A WordPress website, for example, consists of a large number of individual PHP files. PHP is a programming language that combines content stored in a database with HTML and CSS to generate the page you see in the browser. That page does not exist as a fixed document but is regenerated on every request. You can see this from the fact that a page or post, while you are working on it in the editor, looks nothing like the finished website later does in the browser, unlike, say, a letter in a word processor. In the editor you only enter data that is saved in the database, plus some display instructions, for example by marking something as a heading, paragraph or list, or a word as bold.


Programs run on a computer, and so does the website: partly on the server that serves it, partly in the browser and thus on the visitor's computer. Such programs can be abused. An easy example: when the first PHP websites appeared, forms were written in PHP that visitors could fill out and submit. As always when a new technology emerges, some people looked for ways to abuse it. With those early forms it was often possible to submit not just the intended text but additional input, for example extra mail headers with further recipients, and in this way change what the program did: a contact form could be misused to send its text not only to the website owner but to thousands of other people. And that text was usually a spam message, perhaps with links to other dodgy offers.

Spammers still attempt this against forms to this day. We call it form spam.

It is more serious if a component of the website itself is programmed insecurely. In the case of WordPress, besides the core system, this particularly affects plugins and themes, which extend what WordPress can do. WordPress is the most widespread content management system on the Internet and a very mature product with correspondingly tried and tested security, but many plugins and themes are not necessarily the result of clean programming. If an easily exploitable security hole is found in a widespread plugin or theme, it quickly becomes very attractive for abuse, and before long mass attacks on that vulnerability are being launched across the Internet.

This is easy to see if you look at the 404 errors a website records over time. The Rank Math SEO plugin I use, for example, contains a monitor for 404 errors. A 404 error occurs whenever a request is made for an address on the website that has no destination and therefore cannot be served. Within an SEO plugin, such a monitor is meant to reveal errors in internal linking, but as a by-product it also shows plenty of attacks running into the void.

The Security of The Login Area

In the upper part of the list you can clearly see attempts to call the wp-login.php file in various places. The top three attempts are only one second apart: a bot, i.e. an automated mechanism, checked whether it could find wp-login.php in the wp, blog and wordpress subdirectories. It did not succeed, because those files do not exist there (or may not be called), so a 404 error occurred each time and was recorded in this log.

Once a way to log in is found, such bots usually try combinations of common usernames such as admin, or the site's actual usernames, with weak passwords such as 123456. The actual usernames can be read from the website (from author pages, for example), and lists of weak and widespread passwords are available on the Internet. After a few, hopefully unsuccessful, attempts such a bot gives up and looks for another target.

WordPress users often resort to hiding their login so that such attempts come to nothing, but they come to nothing anyway as long as the password is not weak. A password does not wear out, so it does not matter whether there are attacks on the login or not. Beginners in particular often worry unnecessarily, for example by setting up a notification in a security plugin whenever unsuccessful login attempts occur. These notifications are pointless and merely annoying. If you have a sensible password, you can safely ignore any attack on your login. Two things remain: the password must be unique to this site, since a password reused on another site that was breached can be tried here without any guessing at all, and the real danger is phishing, i.e. an attempt to obtain the correct password directly from its owner.

The security of plugins and themes

Two further calls in the list concern the Uplisting and Super-Forms plugins. These are real, legitimate plugins, but I use neither of them. Here a bot (presumably the same one, within two seconds) checked whether these plugins are present, probably in order to exploit a vulnerability in them. The 404 monitor is configured not to store the parameters of a request, so the actual call may well have continued with a ? (the start of a query string) followed by manipulated parameters that exploit the hole.

According to the website wpscan.com, versions of the Listing plugin before 1.7 contain a vulnerability that allows, among other things, unauthorized database entries and account creation. The entry is dated January 28, 2021, i.e. not even a week old at the time of writing, and the hole is evidently already being actively exploited. According to wordpress.org, Listing was updated to version 1.7 two weeks ago.
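The 404 monitor described above is one view of this traffic; the raw web server access log is another, and the same two patterns (login probes in guessed subdirectories, probes for plugins that are not installed) can be picked out of it automatically. The following is an added example, not code from the article or from Rank Math: it parses a few constructed lines in the common "combined" log format, labels each 404, and flags a client that produced several of them within a few seconds, which is bot speed rather than human speed. The sample log lines, the plugin slugs `example-forms`/`example-listing` and the set of "installed" plugins are all invented for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Apache/nginx "combined" format: client ident user [timestamp] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
LOGIN_PROBE = re.compile(r"/(wp-login|xmlrpc)\.php$")
PLUGIN_PATH = re.compile(r"^/wp-content/plugins/(?P<slug>[^/?]+)")

# Constructed sample (not real log data): one bot probing for a login page and
# two plugins, then one human visitor following a genuinely broken internal link.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Feb/2021:10:15:01 +0000] "GET /wp/wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Feb/2021:10:15:02 +0000] "GET /blog/wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Feb/2021:10:15:02 +0000] "GET /wordpress/wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Feb/2021:10:15:03 +0000] "GET /wp-content/plugins/example-forms/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Feb/2021:10:15:04 +0000] "GET /wp-content/plugins/example-listing/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.9 - - [04/Feb/2021:10:20:11 +0000] "GET /about/ HTTP/1.1" 200 5123 "https://example.org/" "Mozilla/5.0"
198.51.100.9 - - [04/Feb/2021:10:20:15 +0000] "GET /old-page/ HTTP/1.1" 404 196 "https://example.org/about/" "Mozilla/5.0"
"""

# Plugin directories actually installed on the hypothetical site (assumption).
INSTALLED_PLUGINS = {"antispam-bee", "contact-form-7"}


def parse_line(line: str) -> Optional[dict]:
    """Return the fields we care about, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path").split("?", 1)[0],  # drop the query string
        "status": int(m.group("status")),
    }


def classify(entry: dict, installed: set) -> str:
    """Label a request; only 404s are interesting here, everything else is 'ok'."""
    if entry["status"] != 404:
        return "ok"
    if LOGIN_PROBE.search(entry["path"]):
        return "login-probe"      # wp-login.php/xmlrpc.php looked for in guessed locations
    m = PLUGIN_PATH.match(entry["path"])
    if m and m.group("slug") not in installed:
        return "plugin-probe"     # checking whether a (possibly vulnerable) plugin exists
    return "broken-link"          # ordinary 404, e.g. a stale internal link


def has_burst(times: List[datetime], count: int = 3, window_s: int = 5) -> bool:
    """True if `count` 404s from one client fall inside `window_s` seconds."""
    times = sorted(times)
    for i in range(len(times) - count + 1):
        if (times[i + count - 1] - times[i]).total_seconds() <= window_s:
            return True
    return False


def summarize(log_text: str, installed: set) -> Dict[str, dict]:
    """Per client IP: how many 404s of each kind, and whether they came in a burst."""
    per_ip: Dict[str, dict] = defaultdict(
        lambda: {"login-probe": 0, "plugin-probe": 0, "broken-link": 0, "times": []}
    )
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry, installed)
        if label == "ok":
            continue
        per_ip[entry["ip"]][label] += 1
        per_ip[entry["ip"]]["times"].append(entry["time"])
    result = {}
    for ip, stats in per_ip.items():
        result[ip] = {k: v for k, v in stats.items() if k != "times"}
        result[ip]["burst"] = has_burst(stats["times"])
    return result


if __name__ == "__main__":
    for ip, stats in summarize(SAMPLE_LOG, INSTALLED_PLUGINS).items():
        print(ip, stats)
```

Run against a real access log, the "plugin-probe" column is the interesting one: a burst of requests for plugins you do not have is harmless, but the same bot will come back for any vulnerable plugin you do have, which is the argument for the updates discussed next.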


Above all, this shows one thing: it is extremely important to install updates for WordPress, plugins and themes as soon as they are available, especially updates released for security reasons, which is usually stated in the changelog.

Another measure against the exploitation of such holes is firewall rules. An example is the Perishable Press 7G firewall, a set of rules entered in the server's .htaccess file. The rules match patterns in the request (the URL, the query string, the user agent and so on) and reject requests that look like known attack patterns. That sounds complicated at first, but the only important thing to understand is this: as mentioned above, attackers append manipulated parameter sequences to website addresses (URLs), and rules like these are there to make such calls impossible. This way you can also block attacks that exploit holes which have not yet been closed. On the other hand, many holes can be exploited in ways the firewall does not see (for example through the body of a POST request rather than the URL), so an existing firewall does not release you from installing updates.

Firewall rules are included in many security plugins so that you do not have to enter them manually, and there are also application-level firewalls such as Ninja Firewall, which implements such rules as a layer in front of WordPress.
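To make the "pattern on the URL" idea concrete, here is an added example (my own, not the 7G rule set and not code from the article) that applies a handful of deny rules of the same shape to constructed requests. Each rule is a regular expression on one request field, exactly as a RewriteCond in .htaccess would be, and the last sample request shows the caveat from the text: an exploit payload sent in a POST body leaves nothing in the URL for such rules to match. The rule patterns, URLs and user agents are all illustrative assumptions.

```python
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

# Illustrative deny rules: (name, request field, pattern). In .htaccess each of
# these would be one RewriteCond on %{QUERY_STRING}, %{REQUEST_URI} or
# %{HTTP_USER_AGENT}, followed by a RewriteRule that returns 403.
RULES = [
    ("query: directory traversal", "query", re.compile(r"\.\./|\.\.\\")),
    ("query: php code or stream wrapper", "query", re.compile(r"php://|base64_decode|eval\(|<\?php", re.I)),
    ("query: sql injection keywords", "query", re.compile(r"union\s+select|information_schema|benchmark\(", re.I)),
    ("uri: sensitive file", "uri", re.compile(r"wp-config\.php|/\.git/|/\.env$|\.sql$", re.I)),
    ("ua: empty or known scanner", "ua", re.compile(r"^$|sqlmap|nikto|masscan", re.I)),
]


def evaluate(url: str, user_agent: str = "Mozilla/5.0") -> Optional[str]:
    """Return the name of the first rule the request trips, or None if it passes.

    Unlike mod_rewrite, which sees the raw query string, this decodes
    percent-encoding first so one pattern also catches %2e%2e%2f-style variants.
    """
    parts = urlsplit(url)
    fields = {
        "uri": unquote(parts.path),
        "query": unquote(parts.query),
        "ua": user_agent,
    }
    for name, field, pattern in RULES:
        if pattern.search(fields[field]):
            return name
    return None


# Constructed requests (not from the article's 404 monitor).
SAMPLE_REQUESTS = [
    ("/?s=wordpress+security", "Mozilla/5.0"),
    ("/?file=..%2F..%2Fwp-config.php", "Mozilla/5.0"),
    ("/wp-content/plugins/example/view.php?cmd=eval(base64_decode(...))", "Mozilla/5.0"),
    ("/wp-config.php", "Mozilla/5.0"),
    ("/?id=1%20UNION%20SELECT%20user_pass%20FROM%20wp_users", "Mozilla/5.0"),
    ("/", "sqlmap/1.5"),
    # Exploit payload in the POST body: nothing in the URL to match, so the rules
    # cannot see it. This is why a firewall does not replace updates.
    ("/wp-admin/admin-ajax.php?action=example_import", "Mozilla/5.0"),
]

if __name__ == "__main__":
    for url, ua in SAMPLE_REQUESTS:
        print(f"{evaluate(url, ua) or 'allowed':35} {url}")
```

Two design points carry over to the real thing: rules are tried in order and the first hit wins, so put the cheapest and most specific patterns first, and every pattern is a potential false positive for a legitimate visitor (a search for the word "union select" would be blocked here), which is why published rule sets are tuned over years and why you should test them against your own site's normal traffic before relying on them.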

Further security measures

We have already learned about three measures to increase the security of a WordPress website:

·         Secure passwords

·         Timely updates

·         Implementation of a firewall

There are other measures of varying importance that I would like to list here.

Backups

The mother of all security measures: backups. No backup, no pity. When backing up a WordPress website, note that two separate elements need to be backed up: the files on the webspace and the database. The database may even live on a completely different machine, so backing up the files on the webspace does not include it.

There are many plugins for automated WordPress backups. A backup must not be stored only on the webspace itself but also outside it, for example on cloud storage. If someone succeeds in compromising the webspace, a backup stored there could be compromised along with it.
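If you would rather not depend on a plugin, the two-part backup is small enough to script yourself. The following is an added example of mine, not code from the article: it reads the database credentials from wp-config.php, builds a mysqldump call that keeps the password out of the process list, and packs the file tree into a tar.gz while skipping any earlier backups stored inside the tree (so the archive never swallows itself). Copying the result off the webspace afterwards (e.g. with rclone to cloud storage) is left as a comment, because that step depends on your storage. The demo site, its wp-config.php values and the host db.internal:3306 are constructed for the example; it assumes mysqldump is on the PATH for the live run.

```python
import os
import re
import subprocess
import tarfile
import tempfile
import time
from pathlib import Path
from typing import Dict, List

DB_KEYS = ("DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST")


def read_db_settings(wp_config_path) -> Dict[str, str]:
    """Pull define('DB_NAME', '...'); style constants out of wp-config.php.
    Values that themselves contain a quote character are not handled; edit by hand then."""
    text = Path(wp_config_path).read_text(encoding="utf-8")
    settings = {}
    for key in DB_KEYS:
        m = re.search(r"define\(\s*['\"]" + key + r"['\"]\s*,\s*['\"]([^'\"]*)['\"]\s*\)", text)
        if not m:
            raise ValueError(f"{key} not found in {wp_config_path}")
        settings[key] = m.group(1)
    return settings


def build_dump_command(settings: Dict[str, str], out_file: str) -> List[str]:
    """mysqldump argv. The password is deliberately NOT on the command line (it
    would show up in `ps`); backup_site() passes it via the MYSQL_PWD variable."""
    host, _, port = settings["DB_HOST"].partition(":")   # WordPress allows 'host:port'
    cmd = ["mysqldump", "--host", host or "localhost", "--user", settings["DB_USER"],
           "--single-transaction", "--result-file", out_file]
    if port:
        cmd += ["--port", port]
    cmd.append(settings["DB_NAME"])
    return cmd


def archive_site(root, dest_dir) -> Path:
    """tar.gz of the whole WordPress tree, skipping dest_dir if it lies inside the tree."""
    root, dest_dir = Path(root), Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / f"{root.name}-{time.strftime('%Y%m%d-%H%M%S')}.tar.gz"
    try:
        skip_prefix = str(Path(root.name) / dest_dir.resolve().relative_to(root.resolve()))
    except ValueError:
        skip_prefix = None   # destination is outside the tree, nothing to skip

    def skip_dest(info):
        if skip_prefix and (info.name == skip_prefix or info.name.startswith(skip_prefix + "/")):
            return None      # returning None drops the member (and its subtree)
        return info

    with tarfile.open(archive, "w:gz") as tar:
        tar.add(root, arcname=root.name, filter=skip_dest)
    return archive


def archive_members(archive) -> List[str]:
    with tarfile.open(archive) as tar:
        return tar.getnames()


def backup_site(root, dest_dir) -> List[Path]:
    """Database dump plus file archive, both written to dest_dir.
    Afterwards copy dest_dir off the webspace, e.g.: rclone copy dest_dir remote:wp-backups"""
    root, dest_dir = Path(root), Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    settings = read_db_settings(root / "wp-config.php")
    dump = dest_dir / f"{settings['DB_NAME']}-{time.strftime('%Y%m%d-%H%M%S')}.sql"
    env = dict(os.environ, MYSQL_PWD=settings["DB_PASSWORD"])
    subprocess.run(build_dump_command(settings, str(dump)), env=env, check=True)
    return [dump, archive_site(root, dest_dir)]


def make_demo_site() -> Path:
    """Constructed throw-away WordPress tree for trying the file side out (not a real site)."""
    root = Path(tempfile.mkdtemp()) / "site"
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / "wp-content" / "uploads" / "logo.png").write_bytes(b"\x89PNG demo")
    (root / "wp-config.php").write_text(
        "<?php\n"
        "define( 'DB_NAME', 'wp_demo' );\n"
        "define( 'DB_USER', 'wp_user' );\n"
        "define( 'DB_PASSWORD', 'correct-horse' );\n"
        "define( 'DB_HOST', 'db.internal:3306' );\n",
        encoding="utf-8",
    )
    return root


def demo_archive_members() -> List[str]:
    """Archive the demo site into a backups/ folder inside it and list what was captured."""
    root = make_demo_site()
    return archive_members(archive_site(root, root / "backups"))


if __name__ == "__main__":
    print(build_dump_command(read_db_settings(make_demo_site() / "wp-config.php"), "db.sql"))
    print(demo_archive_members())
```

Note that wp-config.php itself ends up in the archive, credentials included; that is intended (you need it to restore), but it is one more reason why the off-site copy must go somewhere only you can read.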

Uninstall Unused

Especially when setting up or converting a WordPress website, you may install many themes and plugins that you do not need in the end. It is important to uninstall them: even inactive but installed themes or plugins can have exploitable security holes, because their files are still reachable on the webspace. If you want to be particularly thorough, use FTP access to check that the files of deleted themes and plugins have actually been removed.

Some plugins are only necessary temporarily, e.g. generators for child themes or import tools for website templates. Such plugins should also be removed after use.

It is particularly important to immediately remove any external scripts used to edit the database. The database search-and-replace script from Interconnect/IT, for example, is very popular and is used to replace entries in the database with others. It is usually copied into the WordPress installation via FTP and called there. If it were left in place after use (which the developer expressly and extensively warns against), an outsider could easily use it to make changes to the database, for example to create a new user.

I would even recommend placing the script, for the duration of its use, in a directory with a self-chosen, non-descriptive name, and under no circumstances in, say, /search-replace-DB, as tried in third place in the picture. Such an attempt can happen at the very moment you are using the script.

Alternatively, this function is also available as the “Better Search Replace” plugin, which should likewise be uninstalled after use.
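The FTP check described above can be automated. The following added example (mine, not the article's) walks a WordPress web root and reports what does not belong there: files and directories that core does not ship, PHP files hiding inside those directories (a forgotten search-and-replace tool, say), and plugin directories that are installed but not in the active list. The core file list is WordPress's own root layout; the active-plugin list is the one `wp option get active_plugins` prints, which you would paste in. The demo tree, the leftover file `db-admin.php` and the directory `db-tool-x7k9` are constructed for the example. Hosters sometimes add their own directories (cgi-bin, .well-known), so treat the output as findings to review, not as a list to delete blindly.

```python
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Files and directories WordPress core itself places directly in the web root.
CORE_ROOT_FILES = {
    "index.php", "wp-activate.php", "wp-blog-header.php", "wp-comments-post.php",
    "wp-config.php", "wp-config-sample.php", "wp-cron.php", "wp-links-opml.php",
    "wp-load.php", "wp-login.php", "wp-mail.php", "wp-settings.php", "wp-signup.php",
    "wp-trackback.php", "xmlrpc.php", "license.txt", "readme.html", ".htaccess",
}
CORE_ROOT_DIRS = {"wp-admin", "wp-content", "wp-includes"}


def scan_site(root, active_plugins: Optional[List[str]] = None) -> Dict[str, List[str]]:
    """Report non-core files/dirs in the web root, PHP files inside those dirs, and
    installed-but-inactive plugins. `active_plugins` is the list WordPress stores
    in the active_plugins option (entries look like 'antispam-bee/antispam-bee.php')."""
    root = Path(root)
    report: Dict[str, List[str]] = {
        "unexpected_files": [], "unexpected_dirs": [], "stray_php": [], "inactive_plugins": []
    }
    for entry in sorted(root.iterdir()):
        if entry.is_dir():
            if entry.name not in CORE_ROOT_DIRS:
                report["unexpected_dirs"].append(entry.name)
                # Any PHP file in a non-core directory is reachable by URL and therefore a finding.
                report["stray_php"] += [str(p.relative_to(root)) for p in sorted(entry.rglob("*.php"))]
        elif entry.name not in CORE_ROOT_FILES:
            report["unexpected_files"].append(entry.name)
    if active_plugins is not None:
        active_dirs = {p.split("/")[0] for p in active_plugins}
        plugins_dir = root / "wp-content" / "plugins"
        if plugins_dir.is_dir():
            for plugin in sorted(plugins_dir.iterdir()):
                if plugin.is_dir() and plugin.name not in active_dirs:
                    report["inactive_plugins"].append(plugin.name)   # installed, reachable, unmaintained
    return report


def make_demo_tree() -> Path:
    """Constructed throw-away web root with a few typical leftovers (not a real site)."""
    root = Path(tempfile.mkdtemp()) / "site"
    for d in CORE_ROOT_DIRS:
        (root / d).mkdir(parents=True)
    for f in ("index.php", "wp-config.php", "wp-login.php"):
        (root / f).write_text("<?php\n", encoding="utf-8")
    for plugin in ("antispam-bee", "hello-dolly"):
        (root / "wp-content" / "plugins" / plugin).mkdir(parents=True)
    # Leftovers a careless migration might leave behind:
    (root / "db-admin.php").write_text("<?php // database tool\n", encoding="utf-8")
    (root / "db-tool-x7k9").mkdir()
    (root / "db-tool-x7k9" / "index.php").write_text("<?php // search/replace tool\n", encoding="utf-8")
    return root


if __name__ == "__main__":
    for key, items in scan_site(make_demo_tree(), ["antispam-bee/antispam-bee.php"]).items():
        print(f"{key}: {items}")
```

Run it once against a freshly set-up site and keep the output; a diff against later runs then shows exactly what has appeared on the webspace since, whether you put it there or an attacker did.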

Security Plugins

There are numerous security plugins for WordPress. Some fulfil one specific task, e.g. hiding the login (largely pointless), others are comprehensive suites with many functions. Many of the functions offered are of little or no practical use. On the other hand, you can lock yourself out of your own website if you are inattentive, or be thoroughly unsettled by the plugins' email reports. Under no circumstances can such plugins replace the measures mentioned so far, and it is not enough to install a security plugin and then assume you are safe. Security plugins need extensive configuration and a basic understanding of the security problem, which is what this article aims to convey. Last but not least, a security plugin is itself PHP code running inside WordPress and can become a security hole of its own. In contrast to all the measures listed above, I do not consider additional security plugins essential.

Above all, I warn against carrying the truism that you need a virus scanner over from the world of the Windows operating system (where it applies, and only there) to the world of websites. Malicious software in the strict sense makes up only a tiny fraction of the real threat to a website, and there is next to nothing for a virus scanner to scan for.

However, some plugins provide useful support for security measures, even if they are not actually security plugins themselves. Finally, I would like to mention a few that I use frequently myself:

·         Antispam Bee: a plugin against comment spam that, unlike the Akismet plugin bundled with WordPress, can be used in a GDPR-compliant manner.

·         Honeypot for Contact Form 7: unlike Google's reCAPTCHA and similar obstacles for bots, which are either annoying (maths tasks, picture puzzles, the “I'm not a robot” checkbox) or not GDPR-compliant (reCAPTCHA v3 observes the user's behaviour across the entire website in order to classify them as human), this plugin for the popular Contact Form 7 form plugin adds honeypot fields to the forms. These are fields with names that are as tempting as possible (e.g. “website”, “email”) so that a bot will fill them in, but which are not displayed in a browser at all. As soon as such a field has content, the form plugin does not even send the submission, because it must have come from a bot. It is advisable to define two or three honeypot fields at once.

·         Mail on Update: this plugin regularly checks whether an update is available for any of the other installed plugins and emails defined recipients. Unfortunately it does not monitor themes or WordPress itself in the same way; those you still have to keep an eye on yourself.

·         Vendi Abandoned Plugin Check: this plugin checks all installed plugins (but neither WordPress nor themes) for the date of their last update. It shows the time since the last update in the plugin list and highlights it in red where a year or more has passed. With such plugins there is a high probability that they are no longer maintained, so that newly discovered security holes or technical changes to WordPress itself could lead to problems. It also highlights in red, in the list of plugins available for installation, those that have not received an update for a long time, before you even install them.

·         wpscan: this plugin requires free registration on the website of the same name to obtain an API token. It queries the wpscan.com database automatically for the current WordPress version and the versions of the installed plugins and themes. The free plan allows 25 queries a day; in the plugin you can exclude elements from the query if you have more plugins and themes or want to query more than once a day, or choose one of the paid plans for more daily queries. Manual, individual scans are also possible. If you save an email address in the plugin, it sends a mail as soon as a vulnerability becomes known, so that you can deactivate a plugin while its security problem is unresolved. It is better to do without a plugin temporarily than to take the risk.

All of the plugins mentioned are available free of charge. Who else knows useful plugins for improving security? Comments are open for suggestions and descriptions.

Be Careful with Automated Updates

WordPress has long offered automatic security updates for WordPress itself. These cover minor releases, i.e. a change in the third number, for example from 5.5 to 5.5.1, but not from 5.5 to 5.6. Such updates are generally technically harmless and can be installed quickly and automatically.

The situation is different with automatic updates of plugins, available since WordPress 5.5. Plugins (though not all of them) can be switched individually to automatic updates. However, this can end badly if an error in an unattended, automatically renewed plugin breaks the website. I myself recently saw a plugin update, in conjunction with the presence of a certain other plugin, render a website completely unusable. If such an undesired effect of an update goes unnoticed, it can have serious consequences. Therefore, I advise against using this function except temporarily in exceptional cases (e.g. during vacation).

Last but Not Least: My Maintenance Service

If, after reading this post, you are unsure whether you really want to deal with the topic of the security of your WordPress site in more detail, I would be happy to offer you my maintenance service for WordPress websites. For a small monthly fee, I will take care of the maintenance of your WordPress website including updates, backups, etc. as described above, so that you can spend your time with your core business instead of looking after your website.


Use updated security software like total security software to protect your data from external fraud activities.
