How to secure WordPress from attacks
Information is power, and people like power, so there are people specialized on stealing your information. Internet is in an arms race between security experts and malicious agents, where every day new vulnerabilities are discovered, abused and patched.
It is never a problem of “if it happens” but a problem of “when will it happen”. You must always try to stay on top, so you and your customers’ information is safe.
There are some basic conditions to harden your websites. I will focus on listing them on the specific context of WordPress sites.
Secure internet communication
In the beginning of the internet, where everything was a plain html site, information was transmitted between server and client without any kind of encryption. This allows anyone in the channel to read your message in plain text. As web applications were born and a wide array of necessities were created, transmitting information in a secure way became mandatory. The method used for that was SSL (SecureSocketsLayer) which was later replaced by TLS(TransportLayerSecurity). The sites that use TLS are served over HTTPS:
Trying to avoid technical details, any information that is transmitted over https is encrypted and only the machines involved in the process can interpret it’s meaning. This depends on other factors (like cyphers, protocol version, etc) but if your browser is updated and shows the green lock, you can assume the information is safe.
Currently there is a huge movement to improve the security of the internet. Among those initiatives you can find:
- Browsers (starting with chrome) will start labeling sites served over http as insecure. That means that instead of the green lock, you will have a red one, along a warning to users.
- SSL certificates, required to serve sites over HTTPS can be acquired for free by using letsencrypt.
Migrating to HTTPS can be done in a matter of hours without too much trouble. There are plenty of resources on internet on how to do it for wordpress sites (running on apache or nginx).
There is no excuse to avoid doing that if you care about your site. As an extra, HTTPS matters when it comes to SEO too.
Always on the safe side
If you are using TLS on your server, your next step is to disable your HTTP version. You must force your HTTP site to redirect to the HTTPS version, and enable HSTS (HTTP Strict Transport Security) which tells your browser that it should interact with your site with HTTPS only.
Don’t serve what should not be served
If the http server is not correctly configured, it may be serving information that it should not. For example, if you leave the wordpress readme file in the folder, attackers can read it to know the version you are running and with that a whole set of vulnerabilities that can be used against you.
Another case is to enable directory listing. Attackers can list your folder structure and get information that can help them to find vulnerabilities on your server. Avoid making public files that can contain sensitive information.
WordPress core up to date
WordPress is very popular and that is a big reason to target it. There are vulnerabilities being fixed with every new version, and you should keep your site up to date because of that. A vulnerable site is not only compromising your server and your information, it can be used to attack your users or another servers.
Keep plugins to a minimum
Plugins are a great way to improve WordPress functionality, but they are written in PHP and have access to basically everything in the server. You must install only trusted plugins that provide a feature that you really need, because with every plugin comes a new way to attack your server. As with the WordPress core, keep them up to date to get the latest performance and security fixes.
Hide your wordpress version
If the attacker has no way of knowing your WordPress version, and your site is up to date, it will be really hard for him to figure out a way to attack you.
On the other hand, if the malicious agent knows that you are using an outdated version of WordPress (or of some plugin) he will know how and where to attack.
Remember that everything in your sever is a potential entry point for an attacker. Every component on your web stack is prone to be attacked.
Those components, just like WordPress itself, need to be updated constantly. Don’t configure a WordPress server, enable automatic updates and avoid going in again. Maintenance needs to be performed on a regular basis, but this cannot be done from WordPress admin. You must make sure that the versions for PHP and apache are up to date. It is normal to find sites using PHP 5.4, a version that is no longer supported and does not get security fixes. Avoid being the owner of one of those sites.
At the time of writing, PHP 7.1 is the latest version. Migrating from PHP5.4 to 7 should not be extremely complicated. WordPress is compatible, popular plugins are compatible. You just need to make sure that your own code is compatible. If there are plugins that cannot be upgraded, find some other plugin that provides the functionality. Having vulnerable code can be too dangerous.
To diagnose sites I use wpscan. This tool checks the information of the site, including the WordPress version, php version, apache version, robots.txt interesting entries, directory listing status, etc. It also lists the vulnerabilities that your site has, based on the version of WordPress and the plugins.
This tool is pretty easy to use, but if you are going to use it to test big sites you need to configure it further, to avoid issues on the server you are targeting because it sends a LOT of requests very fast.
Use SSL with HSTS, keep wordpress and it’s plugins up to date, keep your system packages up to date (including PHP and Apache) and verify that your configuration is working well with some diagnostic tool.