Part I of guest Kim Crawley's multi-part series presented a multi-tiered strategy for protecting sites that run the popular open source WordPress content management system. In Part II, Kim examines plug-ins you can add to further improve WordPress security.
In How to Protect Your WordPress Site from Hackers, I explain that securing your web site's OS, web server, WordPress CMS, and PHP content will reduce your risk of falling victim to the kinds of attacks we describe in How Hackers Target and Attack Your Site. There are also a number of WordPress plug-ins and configuration choices that I recommend. When used properly, these can harden your WordPress site very effectively.
(Note: Only install plug-ins offered through your admin panel or under the plug-in directory at http://wordpress.org. Officially released plug-ins are audited for security and scanned for malware. Third-party plug-ins may be secure, but it's best not to take the risk.)
Follow these five steps to further secure your WordPress site from attack.
Scan for Vulnerabilities
In Part I, I mention the Exploit Scanner plug-in. Run this plug-in regularly against your site to check for vulnerabilities and compromise attempts. Use WP Security Scan along with Exploit Scanner. WP Security Scan checks file permissions, database security settings, and dangerous default settings. The plug-in reports the vulnerabilities it finds and gives specific advice on how to mitigate them.
Keep in mind that attackers are very familiar with WordPress default settings. In Part I, I recommend changing as many WordPress default settings as possible. One often overlooked default setting is URL generation: attackers can identify yours as a WordPress site by the strings common to default generated URLs. To evade this kind of site fingerprinting, consider using the Stealth Login plug-in to create custom URLs for logging in and out of your site.
Secure your Admin Panel
Attackers want to gain access to your Admin panel. Use Login Encryption to encrypt your login credentials. The plug-in uses both the DEA and RSA encryption algorithms to encrypt usernames and passwords and, in doing so, protects your site from man-in-the-middle (MITM) attacks that look to capture "plain text" credentials.
Protect User Logins
Configure the Limit Login Attempts plugin to prevent brute-force attacks. With this plug-in, you can set a maximum number of login attempts, and also set the duration of lockouts in between. The User Locker plugin works in a similar way: you can set a maximum number of invalid authentication attempts before the account is locked.
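The lockout logic these plug-ins implement, as an added example (not the code of Limit Login Attempts or User Locker): failures are counted per key (client IP, or IP plus username, both assumptions here), a fixed number of failures triggers a lockout of fixed duration, and the lockout check runs before the password is ever verified. The thresholds (4 attempts, 20-minute lockout, 12-hour counting window) are assumed values, not the plug-ins' settings.

```python
from collections import defaultdict

class LoginThrottle:
    """Track failed logins per key (e.g. client IP, or IP plus username) and
    lock the key out for a fixed period once the failure cap is reached."""

    def __init__(self, max_attempts=4, lockout_seconds=20 * 60, window_seconds=12 * 3600):
        self.max_attempts = max_attempts        # failures allowed before lockout (assumed value)
        self.lockout_seconds = lockout_seconds  # how long a lockout lasts (assumed value)
        self.window_seconds = window_seconds    # failures older than this no longer count
        self._failures = defaultdict(list)      # key -> timestamps of recent failures
        self._locked_until = {}                 # key -> time at which the lockout ends

    def is_locked(self, key, now):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now < until:
            return True
        # Lockout has expired: clear state so the failure counter starts fresh.
        del self._locked_until[key]
        self._failures.pop(key, None)
        return False

    def record_failure(self, key, now):
        """Register one failed attempt; return True if the key is (now) locked."""
        if self.is_locked(key, now):
            return True
        recent = [t for t in self._failures[key] if now - t < self.window_seconds]
        recent.append(now)
        self._failures[key] = recent
        if len(recent) >= self.max_attempts:
            self._locked_until[key] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, key):
        """A successful login clears the failure history for that key."""
        self._failures.pop(key, None)

def attempt_login(throttle, key, password_ok, now):
    """Decision a login handler would make: 'locked', 'failed' or 'ok'.
    The lockout check runs BEFORE the password is verified, so a locked-out
    source learns nothing about whether its latest guess was correct."""
    if throttle.is_locked(key, now):
        return "locked"
    if not password_ok:
        throttle.record_failure(key, now)
        return "failed"
    throttle.record_success(key)
    return "ok"
```

Whatever key you choose, log each lockout with the key and timestamp; a cluster of lockouts across many source addresses against one username is the signature of a distributed brute-force run that per-IP limits alone will not stop.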
Another excellent plug-in for securing your site's login is Chap Secure Login. By using that plug-in, all of your login credentials, except for usernames, will be encrypted with the CHAP protocol and SHA-256 algorithm.
Take Measures to Thwart Spambots
WordPress sites are frequently targeted by spambots. First and foremost, moderate comments posted to your site. I have to spend a lot of time reviewing comments on my site, and the majority of my pending comments have to be marked as spam. Some comment spam simply attempts to increase linked traffic to an affiliate site, but other comments can include malicious, scam, or phishing URLs.
Install Bad Behavior on your site and log your site's HTTP requests so that you can better troubleshoot spambot issues. The plug-in can also be used to block access to your site the next time a discovered spambot visits. Use User Spam Remover in combination with Bad Behavior to remove unused user accounts on your site. You can customize how you define "unused user account" and you can also configure a whitelist.
Add Layers of Protection
Some plug-ins are useful to detect or block suspicious activity. Add Block Bad Queries to block malicious queries made to your site. This plug-in looks for suspicious strings such as eval( or base64 in request URIs, and also looks for request strings that are suspiciously long.
Add an anti-malware shield to your site. The AntiVirus plug-in scans for viruses, worms, rootkits, and other forms of malware. Remember, as with desktop antivirus software, it's important to keep the virus definitions updated.
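The two Block Bad Queries heuristics described above (suspicious tokens in the request URI, and over-long URIs), written out as detection logic over web-server access-log lines. This is an added example, not the plug-in's code: the tokens eval( and base64 come from the article, while the 255-character length threshold and the sample log lines are constructed here.

```python
from urllib.parse import unquote

SUSPICIOUS_TOKENS = ("eval(", "base64")  # the two strings named in the article
MAX_URI_LENGTH = 255                      # assumed threshold; tune to your own URL patterns

def check_request_uri(uri, max_len=MAX_URI_LENGTH):
    """Return the reasons a request URI looks bad (empty list means allow)."""
    reasons = []
    if len(uri) > max_len:
        reasons.append("uri_too_long")
    # Match against the percent-decoded form, decoded twice to catch
    # double-encoding, so that %65val( is treated the same as eval(.
    decoded = unquote(unquote(uri)).lower()
    for token in SUSPICIOUS_TOKENS:
        if token in decoded:
            reasons.append("token:" + token)
    return reasons

def screen_log(lines):
    """Run the check over Common Log Format lines; return (uri, reasons) for each hit."""
    hits = []
    for line in lines:
        try:
            request = line.split('"')[1]      # e.g. 'GET /?p=12 HTTP/1.1'
            uri = request.split()[1]
        except IndexError:
            continue                          # malformed line: skip, do not crash the filter
        reasons = check_request_uri(uri)
        if reasons:
            hits.append((uri, reasons))
    return hits

# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Feb/2013:14:02:14 +0000] "GET /?p=12 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [07/Feb/2013:14:02:15 +0000] "GET /index.php?s=%65val(base64_decode(1)) HTTP/1.1" 200 77',
    '198.51.100.9 - - [07/Feb/2013:14:02:16 +0000] "GET /?q=' + 'A' * 400 + ' HTTP/1.1" 414 0',
]

if __name__ == "__main__":
    for uri, reasons in screen_log(SAMPLE_LOG):
        print(uri[:60], reasons)
```

Plain substring matching is cheap but blunt: a legitimate post slug or search term containing "base64" will trip it, so keep an allowlist for known-good paths and review what the filter blocks before trusting it unattended.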
Closing Remarks
Keeping your WordPress site hardened for security is an ongoing responsibility, just like all other areas of IT and development security. You can’t just configure a number of settings or programs and then forget about it. Your WordPress site should be on a schedule for malware and vulnerability scanning, and logs should be kept and analyzed.
By keeping your WordPress site secure, you're doing your part to prevent malicious activity that could harm not only websites, but also web servers and users' PCs, tablets and smartphones. As WordPress is such a common CMS on the web, knowledge about the design and configuration of the console is readily available, and certain hacks could work on perhaps millions of websites. Fortunately, knowledge about WordPress security is abundant, for much the same reasons. In the ongoing maintenance of your website and web server, always be security minded. You can then have proper control over your web content, and do your part to make the Internet a better place.
References:
Infographic: History of WordPress, N.S. Gautham Raj
Hardening WordPress, wordpress.org
Exploit Scanner, wordpress.org
6 simple steps to hardening WordPress, Sam Devol
Hardening WordPress Security: 25 Essential Plugins + Tips, Daniel Smeek
How to Stop Your WordPress Blog Getting Hacked, David SEM Labs
Hardening WordPress Security, Brian Haddock
6 Tips to Secure WordPress from Hackers, John Phillips
Vulnerability Report: WordPress 3.x, Secunia.com
Great in-depth post. I use WordPress for many sites and thought I was secure by only updating to the latest versions. I guess there are other things to consider. I'm definitely going to try those 2 plugins.
Posted by: Anti DDoS | Thursday, 07 February 2013 at 02:14 PM