Top tips to prevent a WordPress hack

WordPress sites are notoriously defective when it comes to security, and are frequently the target of a WordPress hack. Be it due to an insufficient security expertise of the programmer, or the use of i of the many plugins available (of which the security cannot exist guaranteed).

With WordPress running on 1 in 5 sites on the Internet, information technology is no surprise that they are a very popular target for both experienced hackers and script-kiddies alike. In 2013 around ninety,000 WordPress sites were hijacked for use in a botnet. They are as well a popular target for malware.

This is why nosotros’ve taken some time to particular some measures which can be taken to address the bones security holes or malpractices that are normally present in thousands of WordPress sites and can assist preventing a WordPress hack.

1. Running the Latest Version of WordPress

Running the latest version of any software is probably outset the most obvious security measure that should be taken. Still, with over 86% of WordPress installations running outdated versions of WordPress, this point is still one that needs to exist stressed.

Each update of WordPress not but brings with information technology new features, but more chiefly, information technology brings with it bugfixes and security fixes, which help your WordPress site remain safe confronting mutual, like shooting fish in a barrel-to-exploit vulnerabilities.

WordPress (Core) Updates Screen

ii. Running the Latest Versions of Themes and Plugins

Running the latest version of WordPress solitary is not enough – your site’s plugins and themes could still contain vulnerabilities that can compromise the security of your WordPress site, which could in plough fall prey to a WordPress hack.

The Slider Revolution plugin is a good example of how outdated plugins and themes can compromise your site’s security. Slider Revolution is a very popular WordPress plugin which also happens to be used past a large number of WordPress themes sold on the Envato Market. The vulnerable plugin allowed malicious users to steal database credentials, which would then potentially allow total compromise of the WordPress site through it’due south database.

WordPress hack

Plugins Update Screen

Therefore, making certain that the themes and plugins yous are running are all updated to their latest versions is essential. By keeping your plugins and themes upwardly to date, you tin can brand sure your site is covered with the latest security updates.

WordPress hack

Themes Update Screen

Acunetix performs WordPress security scans, identifying WordPress installations, and volition launch version specific security checks to ensure your website is secure.

iii. Exist Selective When Choosing Plugins and Themes

WordPress allows you to extend and customize your site with thousands of plugins and themes. While extending your site’south capabilities and customization is important, information technology should not come up at the toll of your website’s security.

Even if your WordPress installation, plugins and themes are all upwards to engagement, it does not hateful that a site is non vulnerable to attack. Plugin enumeration allows attackers to observe what plugins your WordPress site is using. Past avoiding the installation of unnecessary plugins yous would automatically exist reducing your site’s set on surface.

When choosing which plugins and themes to use, exist selective. Before installing a plugin or theme, read about it (ideally on sources other than the plugin/theme programmer’s site). This prevents yous from installing malware such as the Tools Pack malware plugin.

Bank check how many downloads the plugin or theme has and when it was concluding updated by its authors. The more downloads and recent updates the plugin or theme has indicates that it is in wide use and that it is existence actively maintained by its authors, which means that if a vulnerability is constitute, it likely to exist fixed quicker.

4. Remove Inactive Users

Keeping inactive users on your WordPress site increases your attack surface. Users, especially Administrators and others which have the power to change content, are possibly i of the weakest points of any site because unfortunately, near users tend to choose weak passwords.

Popular:   Adobe Updates Creative Cloud Express With A New Content Scheduler

If you absolutely need to keep inactive users in your WordPress database, change their function to ‘Subscriber’ in social club to limit whatever actions that could be performed.

5. Security Configurations – Prevent Directory List

Heads up
– Depending on your webserver’southward configuration, activated plugins and/or themes, the following could break some functionality. It is strongly advised to try out any configuration in a testing/staging environs before changing whatever configuration on product servers.

Directory List occurs when the web server does not observe an index file (i.e. an index.php or alphabetize.html), if directory listing is turned on, the server volition display an HTML page listing the contents of the directory.

wp pt3 fig1

Directory List in Apache HTTP Server on a WordPress site

Disclosure of this information could make a site vulnerable to attacks past revealing information that can be used past an attacker seeking to exploit a vulnerability in a WordPress plugin, theme, or even the web server itself.

While it is not a WordPress-specific security measure out to disable directory listing, several WordPress sites running on default installations of Apache HTTP Server take directory list enabled.

In order to disable directory listing in Apache HTTP Server, you lot will need to add the following configuration in your WordPress site’s .htaccess file (this is usually located in your website’s root directory).

Options -Indexes

vi. Circuitous Security Keys

Heads upward
– Depending on your webserver’s configuration, activated plugins and/or themes, the following could interruption some functionality. It is strongly advised to try out whatever configuration in a testing/staging environs before changing whatever configuration on production servers.

WordPress makes use of a set of long, random and circuitous Security Keys. These keys consist of a number of encryption keys besides as cryptographic salts.

Security Keys ensure better encryption of data stored in the users’ cookies. There are a total of eight security keys that WordPress uses –

A Security Central functions similarly to a very strong password or passphrase and should contain elements that brand information technology harder to generate plenty options to crack. WordPress Security Keys besides brand use of cryptographic salts to further strengthen the security of the generated result.

You can either make your own random keys, or y’all can utilise WordPress’ online key generator to do this for y’all. Simply copy and paste the keys generated by the generator into your wp-config.php file.

seven. Restrict Access to wp-admin Directory

Password protecting your WordPress admin area through a layer of HTTP hallmark is an effective measure to thwart attackers attempting to guess users’ passwords. Additionally, if attackers manages to steal a user’south password, they will demand to get past HTTP authentication in order to gain admission to WordPress login course.

Basic HTTP Authentication

Basic HTTP Hallmark

– Basic HTTP Authentication requires that passwords be sent every bit clear text over the network. To such an extent, it is highly recommended that you make use of HTTPS to encrypt the transfer of information.

In Apache HTTP Server, you can achieve this by creating a .htpasswd file and calculation a few configuration directives described below.

file stores combinations of usernames and countersign hashes which the spider web server will utilise to authenticate users. You lot can create a
file using the
control line or using an online password file generator.

Several Linux distributions install the
utility together with Apache itself, still, most Debian and Ubuntu users will demand to install the
packet as follows.

              apt-go update apt-get upgrade apt-get install apache2-utils

In one case
is installed, run the following command to create a new
file with a unmarried user. The following command will create a new
file located at
with a username of
will then prompt you to enter and and so confirm the password of your choice.

              htpasswd -c /srv/auth/.htpasswd myuser

– It is highly recommended not to shop .htpasswd files in a web accessible directory. By default, all files with the
prefix are not served past Apache, however this should non be assumed.

Popular:   Most Ceos Just Dont Think Their Businesses Are Ready To Deal With Cybercrime

To enable basic HTTP authentication on the WordPress assistants area, you need to actuate the directive described below on the wp-admin directory and reference the .htpasswd file created before. Insert the post-obit lines into the advisable <Directory> department of your server’s Apache configuration file or in an .htaccess file within the wp-admin directory.

              AuthType Basic AuthUserFile /srv/auth/.htpasswd AuthName "WordPress Authenticated expanse." Require valid-user

directive is specifying that the authentication type. In this instance, Basic authentication is beingness configured.

directive specifies the total path to the
file. This file is the file that shall be used to store password hashes which the server shall afterward utilize to authenticate users with.

directive contains an arbitrary message which the browser will present to the user upon authentication. The Crave valid-user setting simply instructs Apache to allow any valid user to cosign.

– While this file can exist located anywhere on the filesystem, we strongly recommend that you not identify them in a web accessible directory. By default, all files beginning with
are not web-attainable in most default configurations of Apache, but this should non be assumed.

viii. Disable File Editing

By default, WordPress allows administrative users to edit PHP files of plugins and themes inside of the WordPress admin interface.

This is ofttimes the kickoff matter an attacker would await for if they manage to proceeds access to an administrative account since this functionality allows code execution on the server.

Inbound the following constant in wp-config.php, disables editing from within the authoritative interface.

ascertain('DISALLOW_FILE_EDIT', true);

9. Prevent WordPress Username Enumeration

In many WordPress blogs, information technology’s possible to enumerate WordPress users using an author’s  archive page. This works if WordPress permalinks are enabled and if the user has published ane or more posts.

You tin read almost WordPress Username Enumeration in greater item in the article WordPress Username Enumeration using HTTP Fuzzer

In club to forestall WordPress Username Enumeration you tin add together the post-obit rule to WordPress site’s .htaccess file (this is usually located in your website’southward root directory).

RewriteCond %{QUERY_STRING} author=d  RewriteRule ^ /? [L,R=301]

10. Enabling HTTPS for all logins and wp-admin

Strictly speaking, HTTPS is not a protocol in and of itself, simply it is rather HTTP encapsulated in TLS/SSL. TLS, or SSL, as it is commonly referred to, provides websites and web applications with encryption of data being transmitted and authentication to verify the identity of a host.

HTTPS is ordinarily synonymous with shopping carts and Net banking, merely in reality, it should be used whenever a user is passing sensitive information to the web server and vice-versa.

TLS/SSL may significantly consume server resource depending on the site’s traffic. Consequently, for virtually sites it is non required to serve the entire site using HTTPS. WordPress’s login grade and admin surface area, on the other hand, are probably the most sensitive areas of a WordPress site. It is therefore strongly advised that TLS/SSL is not only implemented, but enforced in such areas.

WordPress provides an easy way to enforce TLS/SSL on both
pages. This is achieved by defining two constants in your site’s

Notation - You must already have TLS/SSL configured and working on the server before your site will work properly with these constants set to true.

To ensure that login credentials are encrypted during transit to the web server, ascertain the following constant in

define('FORCE_SSL_LOGIN', truthful);

To ensure that sensitive data in transit (such as session cookies) is encrypted when using the WordPress administration panel, define the post-obit constant in

>define('FORCE_SSL_ADMIN', true);

eleven. Restrict Direct Access to Plugin and Theme PHP files

Allowing direct admission to PHP files can be unsafe for a number of reasons. Some plugins and theme files can comprise PHP files that are non designed to be chosen directly because the file would be calling functions that would have been divers in other files. This may cause the PHP interpreter to brandish errors or warnings which may pb to information disclosure.

Popular:   These Fake Windows 10 Updates Will Land You With A Ransomware Infection

Another reason for restricting direct access to PHP files is to prevent attackers from bypassing or avoiding security measures (such equally authentication) when code is split-upwardly into smaller files (which will then be included and used together with other lawmaking)

Some plugins and themes split-upward lawmaking into smaller files and include these files into larger pieces of code. An attacker may sometimes be able to call one of the smaller files directly and avert various security measures such equally input validation checks since. Most of the times this occurs because the validation would not performed in other files and not in the mentioned smaller modules.

Furthermore, if the
directive is enabled on the server (directive is disabled by default in PHP versions 4.2.0 and greater), with straight access to a PHP file, an attacker may be able to comport out several malicious actions including the ability to define PHP variables from GET/Mail service requests and to bypass various protection mechanisms.

The vast majority of plugins and themes would non require a user to make HTTP requests to PHP files directly, however, should there exist an exception, you can whitelist files and directories that require direct access to PHP files. The following rule will redirect any direct requests to PHP files to a page of your choosing (in the post-obit example the server volition respond with a 404 page and status code).

# Restrict admission to PHP files from plugin and theme directories  RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php  RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/  RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]  RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php  RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/  RewriteRule wp-content/themes/(.*\.php)$ - [R=404,50]

12. Prevent PHP files from executing

Since WordPress sites need to allow their users to upload new content, WordPress’ upload directory needs to be writable. To such an extent, your
directory should be considered a potential entry point.

The biggest potential threat is the uploading of PHP files. WordPress won’t allow users to upload PHP files within its administrative panel, withal, it may be the instance that a plugin or theme allows file uploads without using the designated WordPress APIs for doing so. This could outcome in a malicious PHP file being uploaded and consequently executed on the server.

The best arroyo to mitigate this potential security risk is to deny the web server from serving any PHP files in the
directory using the following rule.

<Directory "/var/www/wp-content/uploads/">  <Files "*.php">  Guild Deny,Allow  Deny from All  </Files>  </Directory>

13. Secure Your Debug Logs

During development of plugins or themes, likewise equally during deployment of a WordPress site, developers or arrangement administrators may enable debug logs to log whatsoever PHP errors that occur.

WordPress makes use of the WP_DEBUG constant which is defined in wp-config.php. The constant is used to trigger the
way throughout WordPress. The constant is set to be simulated by default.

Developers and administrators may also enable the WP_DEBUG_LOG and WP_DEBUG_DISPLAY companion constants to WP_DEBUG. WP_DEBUG_LOG creates a log file in the wp-contents folder, while WP_DEBUG_DISPLAY controls whether debug messages are shown inside the HTML of pages or not.

Any of the in a higher place will be useful while a theme, plugin or site is in development, still, if enabled on a product website, it might cause information disclosure – allowing malicious users to view errors and additional logging information. The WP_DEBUG constant should exist disabled on production systems by either removing the constant from the wp-config.php file, or setting it to false as follows.

ascertain( 'WP_DEBUG', simulated );

The above 13 tips should get yous started on preventing a WordPress hack. Acunetix can help automate the processs of WordPress Security past scanning for over 1200 vulnerable WordPress Plugins & Misconfigurations, checking for weak WordPress admin passwords, WordPress username enumeration, detecting malware disguised as plugins and more than.