SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
Around 17 million websites are already powered by WordPress - are they secure?
Thu, 20th Apr 2017
FYI, this story is more than a year old

Wordpress, the most popular and most used content management system, is also a great tool for businesses and individuals. Around 17 million websites are already powered by WordPress. This means that approximately 27% of the web is being powered by the service. Besides, over 76% of all blogging websites used WordPress.

WordPress security is a topic of huge importance for every website owner. Each week, Google blacklists around 20,000 websites for malware and around 50,000 for phishing. If you are serious about your website, then you need to pay attention to your WordPress security.

There are over 1 million new strains of malware created every day. One identified infection can get your website blacklisted by Google. Only 2 months ago, WordPress revealed a security flaw in their service which allowed unauthenticated attacker to modify all pages on un-patched websites and redirect visitors to malicious exploits and attacks. Thankfully, you can learn how to scan hidden malware on your WordPress site.

While WordPress core software is very secure, and it's audited regularly by hundreds of developers, there is a lot that can be done to tighten the security of your WordPress website. The following tips will help you achieve just that.

1. Don't use the default username

This is perhaps the easiest baseline step to improve your security as a WordPress user. Most people prefer using the default username, i.e. "admin" for their WordPress account without understanding the security repercussions they may face because of it.

Most hacking attempts target your wp-admin/wp-login access points using a combination of admin and a password, something most commonly referred to as Brute Force attacks. Common sense obviously dictates that once you remove admin, you'll kill the attack outright.

For the everyday automated Brute Force attack, removing the default admin or administrator username will already help a lot. You're at least making it a bit harder for the hacker to guess the username.

2. Choose a complex password

Remember the abbreviation, CLU: Complex. Long. Unique. ‘123456' isn't a password. ‘qwerty' is like writing your security code on your bank card. ‘letmein'; seriously? Remember, you're never as unique as you think you are.

Choosing a strong password can save you from countless threats. A complicated password – which is based on a combination of numbers and letters – makes it difficult for cybercriminals to hack your account and is always recommended by cyber security experts. Changing your passwords after every few months is also recommended.

3. Use two-factor authentication

Even if you're not using “admin” and are using a strong, randomly generated password, hackers can still create problems. To address this, features like Two-Factor Authentication play a pivotal role in reducing the risks of these attacks. Two-Factor authentication is a recognized standard today for enhanced security at your access points. There is a plug-in for that: Google Authenticator.

4. Grant least privileges

The concept of Least Privilege is simple; only grant permissions to: Those who need it, when they need it and only for the time during which they need it.

If someone requires administrator access momentarily for a configuration change, grant it, but then remove it upon completion of the task. You don't have to do much here, other than employing best practices.

Contrary to popular belief, not every user accessing your WordPress needs to be categorised under the administrator role. Assign people to their appropriate roles, and you'll greatly reduce any security risks.

5. Disable file editing

In case a hacker gets accesses your account, the easiest way to save your files would be to go to Appearance; Editor in WordPress. To improve your WordPress security, you can disable the writing of your files via the editor. To do that, open wp-config.php and add this line of code:

1 define('DISALLOW_FILE_EDIT', true);

This will allow you to edit your templates through your favorite FTP application, but you won't be able to do it via WordPress.

6. Limit login attempts

For optimum WordPress security, you must limit the number of login attempts from a certain IP address. Or you can start using a dedicated IP address, using a premium VPN service, to limit any login attempts.

7. Stay up-to-date

Staying up-to- date seems easier to claim, but for website owners, it's more difficult than one can imagine. Websites are complex things, and they have 150 different things going at any given time, which makes it difficult to apply changes quickly. A recent study shows that 56% of WordPress installations were running out-of-date versions of core.

Updates need to extend beyond WordPress core. The same study shows that a very large percentage of website hacks succeed because of out-of-date, vulnerable, versions of plug-ins.

That's it! We hope that the above mentioned tips help you out in increasing your WordPress website security.

Article by Anas Baig, cyber security expert. He is currently working as a security consultant. He is a computer science graduate specialising in internet security, science and technology. He is also a security professional with a passion for robots - IoT devices.