WordPress dominates the global market of content management systems (CMS). Its tremendous popularity makes it a lure for malicious actors. The WordPress Core in its current state is fairly secure by design, which explains the relatively small number of hacks exploiting it.
However, cybercriminals are increasingly adept at piggybacking on flaws related to WP plugins, themes, hosting providers, and website owner’s security hygiene.
Who is Targeting WordPress and Why?
Most incursions zeroing in on WordPress sites are orchestrated through the use of automated tools such as crawlers and bots. These entities are constantly scouring the Internet for crudely secured websites. If they pinpoint a documented vulnerability, they take advantage of it in a snap.
Here’s a little bit of wiki information: spam accounts for roughly 50% of all emails sent. Malefactors may gain a foothold in your server via a security loophole in a plugin or an outdated version of the WordPress engine to repurpose the server for generating spam.
Siphoning Off Server Resources
Cybercrooks may infiltrate poorly secured WordPress sites, access the underlying servers, and harness their processing power to perform coin mining surreptitiously.
Black Hat SEO
One of the growingly common WordPress hack scenarios is to gain unauthorized access to a website’s database and furtively embed keywords and hyperlinks related to another site. This is a shortcut to boosting the rankings of an attacker’s site on search engines.
Info-Stealing Foul Play
Seasoned hackers know the true value of data, especially in such areas as e-commerce and user behavior patterns. Felons can rake in hefty profits by retrieving this information and selling it to interested parties on the Dark Web.
Your Top Priority
WordPress security should be every webmaster’s top priority as remediating a hacked WordPress site is easier said than done. You have to assess every single line of code to spot dodgy content, eliminate it, and re-enter valid strings. Another thing on your to-do list is to change all authentication details, including database and server passwords.
Another facet of the issue is that the search rankings of a compromised website may deteriorate dramatically down the road, which translates to fewer visitors and lower monetization. An extra thing to consider is that people won’t go to a site unless they trust it. A breach will most likely impact your reputation, which takes a lot of time and effort to restore.
The CIA Triad
In information security terms, the CIA acronym stands for “confidentiality, integrity, and availability”. This model is the stronghold of every digital security initiative. When it comes to WordPress, the anatomy of CIA is as follows:
Area 1: Confidentiality
- Sensitive Data
WP plugins, themes, and global variables are a Pandora’s box filled with confidential information or breadcrumbs leading to such data. If you slip up and, for instance, set the value of WP_DEBUG parameter to “true” rather than “false”, this will unveil the path to your websites’ root directory.
Author pages can also be verbose in this context because they often include usernames and email addresses. An attacker may try to guess or brute-force an author’s password. If it isn’t strong enough, a site compromise is imminent.
- User Credentials
To its credit, the WordPress platform takes password strength seriously, helping users avoid the scourge of weak credentials. However, these efforts might not be enough. An additional technique that can make an attacker’s life harder is to enable two-factor authentication. Restricting the number of failed sign-in attempts is worthwhile, too.
Area 2: Integrity
- Data Verification
WordPress is committed to handling data securely and does a lot to ensure this. But, these mechanisms don’t work beyond its core, so web developers should get the hang of validating the rest of the code.
Using a site’s database directly could be a less secure approach than leveraging features like “update_post_meta”. The latter can fend off SQL injection, a sketchy tactic aimed at executing harmful code via forms embedded in a web page.
This tactic can become a launchpad for depositing dangerous strains of Windows and Mac malware onto visitors’ computers. To thwart SQL injection raids when running a complex query or when handling a custom table, it’s best to apply the WPDB class combined with the “Prepare” function for all queries.
- Query Sanitation
Queries related to WordPress site management are generally secure as long as SSL is turned on and you resort to trustworthy hosting services. This isn’t a bulletproof ecosystem, though. It’s in your best interest to monitor user intentions and ascertain that an incoming query comes from a registered user.
WordPress employs what’s called nonces to verify actions initiated by users. These security tokens are formed alongside every user-originated request. Since they are paired with specific URLs, they are subject to mandatory inspection on the receiving side before the request is executed.
- Third-Party Code
Most WordPress compromise incidents revolve around vulnerable plugins, themes, and unpatched versions of the WordPress engine. In other words, the less third-party code the smaller the attack surface.
In case you can’t do without a specific WP component of that sort, be sure to do your homework and scrutinize it first. The things you should pay attention to include the user feedback, the date its latest build was released, and the PHP version it supports. Additionally, check expert reviews on well-established security resources such as Wordfence.
Area 3: Availability
As far as the WordPress engine is concerned, it gets security updates automatically. However, the process isn’t as hassle-free with themes and plugins. You may have to check for updates and install them manually. Furthermore, it might be a bumpy road because you can’t be sure that these third-party entities work flawlessly until they are tested extensively. Users often go through a lot of trial and error with them.
- User Roles and Privileges
Sensitive data should be safe as long as it’s in the right hands. Therefore, you need to diversify access permissions to ascertain that each user can’t access more information than they actually need. A great way to manage privileges is to create user roles. This technique will also prevent third-party components from tweaking the WordPress Core files.
WordPress works with email at the level of the server it’s installed on. To protect it from snoops, you should consider using the SMTP communication protocol. There are numerous plugins that facilitate the process of sending emails via a tamper-proof SMTP connection. You will need to add a new Sender Policy Framework (SPF) record, which requires access to the domain name’s DNS settings. The above-mentioned record is tasked with ensuring that the domain allows the SMTP service to send emails.
The importance of keeping tabs on data integrity stems from the fact that attackers will be able to modify the code if they manage to access the server. Thankfully, this issue can be addressed by means of specially crafted plugins. For example, the security plugin by Sucuri is a good choice. It checks your entire file database for a plethora of harmful code samples.
If you’re using a trusted hosting provider, it most likely performs the whole backup routine for you. Even if your provider doesn’t offer an automatic backup feature for your site, there are plenty of alternative options to choose from. For instance, some services can back it up to cloud storage like Amazon S3 or Dropbox.
- Hosting services
Low-quality hosting services are a common source for adverse scenarios where WordPress websites run obsolete PHP versions. There tends to be a big gap between managed hosting and one that simply provides a directory with database access. Therefore, you would always be better off finding a reputable managed hosting for your WordPress site. Although this could be a pricey option, you can rest assured that the security will be at a decent level.
Whereas the WordPress engine itself is getting regular updates that deliver patches and improvements, the ecosystem around it isn’t nearly as secure. The good news is, if you follow safe practices when installing themes and plugins, adding new user roles, and writing new code, your website should be on the safe side.
Author bio: David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures. LinkedIn.