This post is aimed at WordPress webmasters who build and manage their website themselves and who are concerned about the security of their WordPress installation. It offers a (hopefully) understandable overview of the basics of WordPress security, along with the useful and the less useful measures for achieving it.
WordPress Security: What Can Happen Anyway?
First of all, a webmaster needs the clearest possible picture of the security challenges a website is exposed to. How can an attacker benefit from an insecure website?
Once a website reaches a certain level of traffic, it becomes interesting for illegitimate use. Cybercrime is a very lucrative branch of organized crime, with gangs and specialists operating worldwide across the Internet. This applies to the security of websites just as much as to the security of operating systems and of personal data such as account logins.
An insecure website that has been "hacked" in some way, as it is popularly called, can be abused in a variety of ways.
· The website itself can contain interesting data: databases with customer lists and accounts, trade secrets, and much more.
· The website can be used to send spam emails, to support attacks on other systems, or to distribute malware automatically to its visitors.
· The website can serve as a hiding place for illegal data, for example downloads of cracked programs or prohibited pornography.
· The website can be misused to influence search engines (black hat SEO) by linking or redirecting to fraudulent or even legitimate content on the Internet, such as shops.
· The website can simply be destroyed or filled with obvious third-party content (defacement), e.g. by cracker groups or terrorist organizations, or just in the course of vandalism against a random, easy target or an unwelcome competitor.
· The vast majority of websites are run by large hosters on shared servers together with dozens of other websites. A successful break-in into one website can therefore also endanger the other websites on the same server if the hoster does not isolate its customers' accounts properly.
So it is obviously important for a webmaster to engage with security issues at a fundamental level.
How Do Attacks on The Security of A Website Take Place?
Any website can potentially be the focus of attacks. In fact, this is so normal and inevitable that a website which is not attacked in any way is certainly eking out an unsuccessful, shadowy existence with no visitors. To a certain extent, attacks even "ennoble" a website: if it is attacked, it has become noticeable on the Internet.
The vast majority of attacks on a website are nothing to worry about. They are neither targeted nor persistent. As with most attacks on operating systems (malware) or account data (phishing), they are massive, automated attempts to exploit simple security gaps. The idea that someone is sitting in a dark room somewhere in the world (possibly with a hood pulled over their face) trying to crack your website in particular is absurd. There are 1.83 billion websites and 4.7 billion Internet users (numbers from here). To attack websites at that scale you need automation that tries to crack them unattended, and efficiency is what counts: the attacks go after common and easily exploitable security holes. Not every security hole that makes the news is easy and efficient to exploit and widespread; if it is not, it is simply not worth the attackers' effort.
As far as the security of websites built with WordPress or another content management system is concerned, it is important to understand that such websites are not static products like a page in a magazine. They are the result of programming; they are programs rather than documents. A WordPress website, for example, consists of a large number of PHP files. PHP is a programming language, and this code assembles content stored in a database together with HTML and CSS into the page you see in the browser. That page does not exist as a fixed document but is regenerated every time it is requested. You can see this from the fact that a page or post in WordPress, while you are working on it in the editor, looks nothing like the finished page later will in the browser, unlike a letter in a word processor. In the editor you only enter data, which is saved in the database, plus some display instructions, for example by marking something as a heading, paragraph or list, or a word as bold.
Programs run on a computer, and the website is no exception: partly on the server that delivers it, partly in the browser and thus on the visitor's computer. Such programs can be abused. An example that is easy to understand: when the first PHP websites appeared, contact forms were also written in PHP, which visitors could fill out and submit. As always when a new technology emerges, some people looked for ways to abuse it. With those early forms it was often possible to enter, instead of the intended text, additional input that the program obeyed (typically extra e-mail headers smuggled into the form fields) and so change what it did. For example, a form could often be misused to send the entered text not only to the owner of the website but also to thousands of other people, and that text was usually a spam message, perhaps with links to other dodgy offers.
Spammers still try this with forms to this day. We call it form spam.
It is more serious if a component of the website is programmed insecurely. In the case of WordPress this can affect the core itself, but in particular the plugins and themes that extend what WordPress can do. WordPress, the most widely used content management system on the Internet, is a very mature product with correspondingly well-tested security, but many plugins and themes are not necessarily the result of clean programming. If an easily exploitable security hole is found in a widespread plugin or theme, it quickly becomes very interesting for abuse, and before long massive attacks on that vulnerability are launched across the Internet.
This is easy to see if you look at the 404 errors a website records over time. The Rank Math SEO plugin I use, for example, contains a monitor for 404 errors. A 404 error occurs whenever a request is made for an address on the website that has no target, so it cannot be served. As part of an SEO plugin, such a monitor's purpose is to reveal errors in the internal linking, but as a by-product it also shows plenty of attacks running into the void.
The Security of The Login Area
In the upper part of the list you can clearly see that attempts were made to call up wp-login.php in different locations. The top three attempts are only one second apart. A bot, i.e. an automated mechanism, checked whether it could find wp-login.php in the wp, blog and wordpress subdirectories. It did not succeed, because the file does not exist there (or calling it is forbidden), which is why a 404 error occurred and was listed in this log.
Once a way to log in is found, such bots usually try combinations of common usernames such as admin, or the website's actual usernames, with weak passwords such as 123456. The actual usernames can be read from the website itself (author archive pages and the WordPress REST API list them), and lists of weak and widespread passwords are available on the Internet. After a few, hopefully unsuccessful, attempts such a bot gives up and looks for another target.
WordPress users often resort to hiding their login so that such attempts come to nothing, but they come to nothing anyway as long as the password is not hopelessly weak. Since a password does not wear out, it does not matter whether the login is attacked or not. Beginners in particular often worry unnecessarily, for example by setting up a notification in a security plugin whenever unsuccessful login attempts have taken place. These notifications are pointless and merely annoying. If you have a sensible password, you can safely ignore any attack on your login. The real danger here comes from phishing, i.e. an attempt to obtain the correct password directly from its owner (and from passwords reused from another service that has been breached).
The security of plugins and themes
Two further calls in the list shown concern the Uplisting and Super-Forms plugins. These are existing, legitimate plugins, but I use neither of them. Here it was checked (presumably also by a single bot, within two seconds) whether these plugins are present. This may be the prelude to an attempt to exploit a loophole in them. The 404 Monitor is set up here not to save the parameters of the call, so the actual request may well have been a different one: the path followed by a "?" marking the start of a parameter sequence, and then a manipulated parameter designed to exploit the security hole.
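The probing pattern described above (guessing where wp-login.php lives, then checking for plugins that are not installed, then hammering the login form) can be pulled out of an ordinary access log, not only from the 404 monitor. The following Python script is an added example and not code from the post or from Rank Math; the log lines are constructed, and the list of guessed subdirectories, the burst window and the hit threshold are assumptions a real monitor would tune. It labels the three kinds of requests discussed here and reports sources that produce a burst of them within a few seconds, which is what separates a bot from a visitor who mistyped a URL:

```python
"""Spot automated probing in a web-server access log.

Added example, not code from the original post or from Rank Math. The log
lines are constructed for the demo; the list of guessed subdirectories and
the burst threshold are assumptions a real monitor would tune.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# wp-login.php requested under commonly guessed install locations (assumed list)
LOGIN_LOCATION_PROBE = re.compile(r"/(?:wp|blog|wordpress|old|new|test)/wp-login\.php$", re.I)
LOGIN_PAGE = re.compile(r"/wp-login\.php$", re.I)
PLUGIN_PATH = re.compile(r"/wp-content/plugins/(?P<slug>[^/?]+)", re.I)


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string
    return rec


def classify(rec):
    """Label a request that looks like scanner activity; None for ordinary traffic."""
    path, status = rec["path"], rec["status"]
    if status == 404 and LOGIN_LOCATION_PROBE.search(path):
        return "login-location-probe"          # the 404s the post's monitor shows
    if rec["method"] == "POST" and LOGIN_PAGE.search(path):
        # A failed WordPress login re-renders the form with 200; success redirects (302).
        return "login-attempt"
    m = PLUGIN_PATH.search(path)
    if status == 404 and m:
        return "plugin-probe:" + m.group("slug").lower()   # plugin not installed here
    return None


def find_scanners(lines, window=timedelta(seconds=10), min_hits=3):
    """Return {ip: sorted labels} for sources with >= min_hits suspicious
    requests inside `window`, i.e. bursts no human produces by hand."""
    events = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        label = classify(rec)
        if label:
            events[rec["ip"]].append((rec["ts"], label))
    scanners = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e[0])
        for i in range(len(evs) - min_hits + 1):
            if evs[i + min_hits - 1][0] - evs[i][0] <= window:
                scanners[ip] = sorted({lbl for _, lbl in evs})
                break
    return scanners


# Constructed sample log: one bot guessing the login location, one checking for
# plugins that are not installed, one stuffing credentials, and a normal visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Feb/2021:10:15:01 +0000] "GET /wp/wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Feb/2021:10:15:02 +0000] "GET /blog/wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Feb/2021:10:15:02 +0000] "GET /wordpress/wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.9 - - [04/Feb/2021:10:20:40 +0000] "GET /wp-content/plugins/uplisting/readme.txt HTTP/1.1" 404 196 "-" "python-requests/2.25.1"
198.51.100.9 - - [04/Feb/2021:10:20:41 +0000] "GET /wp-content/plugins/super-forms/readme.txt HTTP/1.1" 404 196 "-" "python-requests/2.25.1"
198.51.100.9 - - [04/Feb/2021:10:20:41 +0000] "GET /wp-content/plugins/some-plugin/readme.txt HTTP/1.1" 404 196 "-" "python-requests/2.25.1"
203.0.113.8 - - [04/Feb/2021:10:31:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.8 - - [04/Feb/2021:10:31:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.8 - - [04/Feb/2021:10:31:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.8 - - [04/Feb/2021:10:31:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
192.0.2.50 - - [04/Feb/2021:11:02:10 +0000] "GET /2021/01/hello-world/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
192.0.2.50 - - [04/Feb/2021:11:02:12 +0000] "GET /wp-content/plugins/antispam-bee/css/style.css HTTP/1.1" 200 2300 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, labels in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(ip, ", ".join(labels))
```

Feed it the real access log from your hoster instead of SAMPLE_LOG and the output is the same list the 404 monitor gives you, plus the POST bursts against the real login page that a 404 monitor never sees. A single stray request is deliberately not reported: the burst is the signal.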
According to the website wpscan.com, versions of the Listing plugin before 1.7 have a security hole that allows, among other things, unauthorized database entries and account creation. The entry for the vulnerability is dated January 28, 2021, almost a week before the time of writing, and the loophole is obviously already being actively exploited. According to wordpress.org, Listing was updated to version 1.7 two weeks ago.
Above all, this shows one thing: it is extremely important to install updates for WordPress, plugins and themes as soon as they become available, and especially updates issued for security reasons, which the changelog usually states.
Another measure against the exploitation of such loopholes is firewall rules, for example the Perishable Press 7G firewall rules. These are rules entered in the server's .htaccess file; they define patterns in request URLs and their parameters that are refused outright. That sounds complicated at first, but the only important thing to understand is this: as mentioned above, attackers attach manipulated parameter sequences to website addresses (URLs), and rules like these exist to make such requests impossible. In this way you can also block attacks on loopholes that have not yet been closed. On the other hand, some gaps can be exploited in other ways that the firewall never sees (for example through request bodies rather than URLs), so an existing firewall does not release you from installing updates.
Firewall rules are included in many security plugins, so you do not have to enter them manually, and there are also application-level firewalls such as Ninja Firewall, which applies such rules in a layer that runs before WordPress itself.
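To make concrete what "rules that refuse URLs with certain parameters" means, here is a small added example in Python that models the decision such a rule set makes. It is not the 7G rule set: the four patterns are illustrative assumptions, far fewer and looser than the real rules. Two details that matter in practice are shown. The request must be percent-decoded repeatedly before matching, otherwise a double-encoded `../` slips through; and only the URL is inspected, so a payload sent in a POST body never meets these rules at all, which is exactly why the firewall does not replace updates:

```python
"""A minimal model of parameter-filtering firewall rules.

Added example: this is not the Perishable Press 7G rule set, only a handful
of illustrative patterns (an assumption) to show how such rules decide, and
what they cannot see.
"""
import re
from urllib.parse import unquote, urlsplit

# (rule name, pattern) applied to the decoded path and query string.
RULES = [
    ("path-traversal", re.compile(r"\.\./")),
    ("php-wrapper", re.compile(r"\b(?:php|phar|data|file)://", re.I)),
    ("script-tag", re.compile(r"<\s*script", re.I)),
    ("sql-union", re.compile(r"\bunion\b\s+(?:all\s+)?\bselect\b", re.I)),
]


def fully_decode(text, rounds=3):
    """Undo nested percent-encoding so that %252e%252e%252f is seen as ../
    (a rule that decodes only once is trivially bypassed)."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def check_request(url):
    """Return the name of the first rule the request URL trips, or None to allow.
    Only the URL is inspected: a POST body or a cookie is invisible here."""
    parts = urlsplit(url)
    path = fully_decode(parts.path)
    query = fully_decode(parts.query)
    for name, pattern in RULES:
        if pattern.search(path) or pattern.search(query):
            return name
    return None


# Constructed requests: normal traffic, four typical probe shapes, one evasion,
# and one request whose payload would travel in the body, not the URL.
SAMPLE_REQUESTS = [
    "/2021/01/hello-world/",
    "/?s=wordpress+security",
    "/index.php?file=../../wp-config.php",
    "/index.php?file=%252e%252e%252fwp-config.php",     # double-encoded ../
    "/?s=%3Cscript%3Ealert(1)%3C/script%3E",
    "/?id=1%20UNION%20SELECT%20user_login,user_pass%20FROM%20wp_users",
    "/?cb=php://input",
    "/wp-admin/admin-ajax.php?action=do_something",       # body not inspected
]

if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        print(f"{check_request(url) or 'allow':15} {url}")
```

The last sample request is allowed although, in a vulnerable plugin, the actual exploit would sit in the POST parameters that follow it; that is the class of attack the text means when it says certain gaps "can be used in other ways".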
Further security measures
We have already learned about three measures to increase the security of a WordPress website:
· Secure passwords
· Timely updates
· A firewall
There are other measures, of varying importance, that I would like to list here.
Backups
The mother of all security measures: backups. No backup, no pity. When backing up a WordPress website, note that two different elements need to be backed up, namely the files on the webspace and the database. The latter may even live on a completely different machine, so it is not covered by a backup of the files on the webspace.
There are many plugins for automated WordPress backups. A backup must not be stored only on the webspace itself but also outside it, for example on cloud storage: should someone succeed in compromising the webspace, a backup stored there could be compromised or deleted along with it.
Uninstall Unused
Especially when setting up or converting a WordPress website, you may install many different themes and plugins that you end up not needing. It is important to uninstall them. Even inactive but installed themes or plugins can have security holes: their files remain on the webspace and may be callable directly. If you want to be particularly thorough, use FTP access to the webspace to check that the files of the removed themes and plugins have actually been deleted.
Some plugins are only needed temporarily, e.g. generators for child themes or import tools for website templates. Such plugins should also be removed after use.
It is particularly important to remove immediately any external scripts used to edit the database. The database search-and-replace script from Interconnect/IT, for example, is very popular and is used to replace entries in the database with other values. This script is usually copied into the WordPress installation on the webspace via FTP and called there. If it were left there after use (which the makers expressly and emphatically warn against), an outsider could easily use it to change the database, for example to create a new user.
I would even recommend keeping the script, for the period of use, in a directory with a self-chosen and non-descriptive name, and under no circumstances in, for example, /search-replace-DB, which is what the third entry in the picture shows being tried. Such an attempt can occur at the very moment you are using the script.
Alternatively, the same database function is available as the "Better Search Replace" plugin. This plugin should also be uninstalled after use.
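A practical way to enforce the "uninstall unused, remove leftover scripts" advice from the two sections above is to audit the webspace mechanically instead of eyeballing an FTP listing. The Python script below is an added example, not code from the post or from Interconnect/IT; it builds a constructed sample tree in a temporary directory, and the names it treats as stray tools are assumptions. It reports plugin directories that are not in the active_plugins option, known one-off tools such as a search-replace-db directory, and archives or database dumps lying in the tree, all of which are readable or callable by anyone who guesses the path:

```python
"""Audit a WordPress tree for leftovers that should not be on a live webspace.

Added example, not code from the post or from Interconnect/IT. The names of
stray tools and the sample directory tree are constructed assumptions.
"""
import os
import re
import tempfile

# Directory or file names of one-off tools that must not stay in the web root.
SUSPECT_NAMES = {
    "search-replace-db": "database search/replace script",
    "adminer.php": "single-file database admin tool",
    "phpinfo.php": "server information page",
}
# Dumps and archives dropped next to WordPress are readable by anyone who guesses the name.
ARCHIVE_RE = re.compile(r"\.(?:zip|tar|tar\.gz|tgz|sql|sql\.gz|bak)$", re.I)


def active_plugins_from_option(serialized):
    """Extract 'dir/main-file.php' entries from the PHP-serialized
    'active_plugins' row in wp_options."""
    return re.findall(r's:\d+:"([^"]+)";', serialized)


def _rel(path, root):
    return os.path.relpath(path, root).replace(os.sep, "/")


def audit(web_root, active_plugins):
    """Return sorted (finding, relative path) tuples for inactive plugin
    directories, known stray tools, and archives lying anywhere in the tree."""
    active_dirs = {p.split("/", 1)[0] for p in active_plugins}
    findings = []
    plugins_dir = os.path.join(web_root, "wp-content", "plugins")
    if os.path.isdir(plugins_dir):
        for name in sorted(os.listdir(plugins_dir)):
            full = os.path.join(plugins_dir, name)
            if os.path.isdir(full) and name not in active_dirs:
                findings.append(("inactive-plugin", _rel(full, web_root)))
    for dirpath, dirnames, filenames in os.walk(web_root):
        for name in dirnames + filenames:
            rel = _rel(os.path.join(dirpath, name), web_root)
            if name.lower() in SUSPECT_NAMES:
                findings.append(("leftover-tool", rel))
            elif name in filenames and ARCHIVE_RE.search(name):
                findings.append(("archive-in-webroot", rel))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed fixture: a minimal install with typical leftovers."""
    layout = [
        "wp-config.php",
        "wp-content/plugins/akismet/akismet.php",
        "wp-content/plugins/antispam-bee/antispam_bee.php",
        "wp-content/plugins/hello-dolly/hello.php",            # installed but inactive
        "wp-content/plugins/child-theme-generator/init.php",   # one-off tool, inactive
        "search-replace-db/index.php",                         # DB script forgotten after use
        "backup-2021-01.zip",                                  # archive left in the web root
    ]
    for rel in layout:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("<?php // placeholder\n")


def run_demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        active = active_plugins_from_option(
            'a:2:{i:0;s:19:"akismet/akismet.php";i:1;s:29:"antispam-bee/antispam_bee.php";}'
        )
        return audit(root, active)


if __name__ == "__main__":
    for finding, path in run_demo():
        print(f"{finding:20} {path}")
```

On a real site, point audit() at the web root and pass it the value of `SELECT option_value FROM wp_options WHERE option_name = 'active_plugins'`; the inactive-plugin findings are what the plugin list calls "Inactive", the other two categories are what that list never shows you.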
Security Plugins
There are numerous security plugins for WordPress. Some fulfil a specific task, e.g. hiding the login (largely pointless), others are comprehensive suites with many functions. Many of the functions offered are of little or no practical use. On the other hand, you can lock yourself out of your own website if you are inattentive, or let yourself be completely unsettled by the plugins' email reports. Under no circumstances can such plugins replace the measures mentioned so far, and it is not enough to install a security plugin and then assume you are safe. Security plugins require extensive configuration and a basic understanding of the security problem, which is what this article aims to convey. Last but not least, a security plugin can itself become a security hole. In contrast to all the measures listed above, I do not consider additional security plugins essential.
Above all, I warn against transferring the truism that you need a virus scanner from the reality of the Windows operating system (and only there) to the world of websites. Malicious software in the strict sense of the word represents only a tiny fraction of the real threat, and there is next to nothing for virus scanners to scan for.
However, some plugins provide useful support for security measures even if they are not security plugins themselves. Finally, I would like to mention a few that I use frequently myself:
· Antispam Bee: a plugin against comment spam that, unlike the Akismet plugin bundled with WordPress, can be used in a GDPR-compliant manner.
· Honeypot for Contact Form 7: unlike Google's Recaptcha and similar stumbling blocks for bots, which are either annoying (arithmetic tasks, picture puzzles, clicking "I'm not a robot") or not GDPR-compliant (Recaptcha 3 observes the user's behaviour across the whole website to decide whether they are human), this plugin for the popular Contact Form 7 form plugin extends forms with honeypot fields. These are fields with names as inviting as possible (e.g. "website", "email") so that a bot will fill them in, but which a human visitor never sees in the browser. As soon as such a field has content, the form plugin does not even send the submission, because it must have come from a bot. It is advisable to define two or three honeypot fields at once.
· Mail on Update: this plugin regularly checks whether an update is available for any of the other installed plugins and then sends an email to defined addressees. Unfortunately the plugin does not watch themes or WordPress itself in the same way; you still have to take care of those yourself.
· Vendi Abandoned Plugin Check: this plugin checks all installed plugins (but neither WordPress nor themes) for the date of their last update. It enters the time since the last update in the plugin list and highlights in red any plugin that has not been updated for a year or more. With such plugins there is a high probability that maintenance has stopped, so that any newly discovered security gaps or technical changes in WordPress itself could lead to problems. The plugin also highlights in red, in the list of plugins available for installation, those that have not received updates for a long time, before you even install them.
· wpscan: this plugin requires a free registration on the website of the same name to create an API token. The plugin then automatically queries the wpscan.com database for the current WordPress version and the versions of the installed plugins and themes. The free plan allows 25 queries a day; in the plugin you can define which elements should not be queried if you have more plugins and themes than that or want to query more than once a day, or you can choose one of the paid plans for a higher daily quota. Manual, individual scans are also possible. If you store an email address in the plugin, it sends an email as soon as a security hole becomes known. That way you can switch a plugin off if necessary until its security problem has been resolved: it is better to take a plugin's function temporarily offline than to run the risk.
All of the plugins mentioned are available free of charge. Does anyone else know useful plugins for improving security? Comments are open for suggestions and descriptions.
Be Careful with Automated Updates
WordPress has long offered automatic security updates for WordPress itself. These cover version changes after the second dot, for example from 5.5 to 5.5.1, but not from 5.5 to 5.6. Such updates are generally technically harmless and can be applied quickly and automatically.
The situation is different with the automatic updating of plugins introduced in WordPress 5.5. Plugins (though not all of them) can be enabled individually for automatic updates. However, this can end badly if an error in an unattended, automatically updated plugin impairs the function of the website. I myself recently saw a plugin update, in combination with the presence of a certain other plugin, render a website completely unusable. If such an undesired effect of an update goes unnoticed, it can have serious consequences. I therefore advise against using this function except in temporary exceptional cases (e.g. during vacation).
Last but Not Least: My Maintenance Service
If, after reading this post, you are unsure whether you really want to deal with the security of your WordPress site in more detail, I would be happy to offer you my maintenance service for WordPress websites. For a small monthly fee, I take care of the maintenance of your WordPress website, including updates, backups and the other measures described above, so that you can spend your time on your core business instead of looking after your website.