WordPress hack attacks are becoming more prevalent. Like a many-headed hydra, attackers now have many more sinister attack vectors, as seen in these reports from FossBytes and ThreatPress. The reports describe not one attack but many different approaches to hacking, which often involve two or three steps before the main attack is triggered, be it ransomware, siphoning of secrets, or crippling collaboration and work sessions.
FossBytes emphasizes the many ways attackers set up compromised users or entry points into a website. Phishing embeds innocent-looking links in emails; the trap springs when users click those potentially infected links. Bait and Switch relies on an attacker buying advertising space on legitimate websites and then shuttling anyone who clicks the ad straight to infected pages. Keylogging, in contrast, is often the payload installed by a Phishing or Bait and Switch attack: everything the user types is logged and then transmitted to the attacker. Fake WAP (a rogue wireless access point that impersonates a legitimate hotspot and intercepts the victim's traffic) and ClickJacking hide or disguise the real target, so the victim clicks on a seemingly innocent link or button that delivers them to where malware lies in wait. As can be seen, all of the above methods typically require a two- or three-step process to set the trap before it springs on unsuspecting users.
Suffice it to say, attackers are laying sophisticated traps to ensnare users' websites and computing devices. WordPress and the broader CMS community are fully aware of the security dangers and work constantly to shore up the defenses against hacking. So a look at the state of security is in order.
Personal experience on my own and client websites underlines the hazards. Despite having firewalls and nontrivial passwords, 3 websites were hacked last year and 5 websites in the year to date. All have been recovered within 2-3 days of the breach. But the alarming situation is that these intrusions have happened despite security precautions being at a high level. What new security procedures, short of Two-Stage Authentication [clients are dead set against such methods], are required? Hence our next topic.
Bulking-up WordPress Security
First, let us consider our current state of WordPress security. Here is our security checklist, together with our own settings on client and personal websites. In each item the text after the dash records our status: red remarks mean departures from the goal, green effectively full compliance, and orange partial support.
Basics of WordPress Security
- Web hosting security provisions – Web firewall with log reports plus daily backups retained for 30 days
- Keeping WordPress updated: core WP, all plugins and themes – Core always, others within 2 weeks
- Passwords and user permissions – all nontrivial, strict role limits
- All passwords revised quarterly or sooner – External-facing and internal system passwords
- High-priority passwords protected with Two-Stage Authentication – Ugh!
- Make WordPress and all apps SSL/HTTPS/FTPS protected – Yes, all
- Install a WordPress backup plugin – Yes, either Duplicator or All-in-One WP Migration
- Best WordPress security plugins – See our review below
- Enable a Web Application Firewall (WAF) – Yes
WordPress Security Measures requiring Developer savvy
- Regularly change WP usernames and passwords, including the default "admin" username – Yes, here is how
- Disable theme and plugin file editing – Not yet, but here is how
- Disable external access to WordPress directories and files (directory listing and browsing) – Maybe, and here is how
- Disable PHP file execution in directories that should only hold data, such as wp-content/uploads – Not yet, here is how
- Limit login attempts –
- Add Two-Factor Authentication –
- Change the WordPress database prefix –
- Password-protect wp-admin and the login page –
- Disable XML-RPC in WordPress –
- Automatically log out idle users –
- Add security questions to the WordPress login –
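Several of the items above can be implemented in one small must-use plugin rather than by editing core files. The following is an added example written for this page; it is not the author's code and not part of WordPress or any plugin named here. It covers disabling file editing (`DISALLOW_FILE_EDIT`, normally placed in wp-config.php), disabling authenticated XML-RPC methods, limiting login attempts per client IP, and shortening the login cookie so idle sessions expire sooner. The file name, the `harden_` prefix, the 5-attempts-in-15-minutes threshold, the cookie lifetimes, and the assumption that `REMOTE_ADDR` is the real client address (no reverse proxy or CDN in front of the site) are all choices of this example, not settings from the page.

```php
<?php
/**
 * Plugin Name: Hardening checklist (added example)
 * Description: Drop this file into wp-content/mu-plugins/ to enable it.
 *              Example code for this page; not the page author's own code.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // only meaningful when loaded by WordPress
}

// --- Disable theme/plugin file editing ------------------------------------
// Preferred location is wp-config.php; guarded here so both locations work.
// With this set, the Theme/Plugin Editor screens disappear for all users.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}

// --- Disable XML-RPC --------------------------------------------------------
// 'xmlrpc_enabled' only switches off methods that require authentication
// (the ones used for password brute-forcing via system.multicall).
// Unauthenticated methods such as pingback.ping still answer; block
// xmlrpc.php at the web server as well if you need the endpoint fully closed.
add_filter( 'xmlrpc_enabled', '__return_false' );
remove_action( 'wp_head', 'rsd_link' ); // stop advertising the endpoint in <head>

// --- Limit login attempts ---------------------------------------------------
// Example thresholds: 5 failures from one address within 15 minutes locks it out
// until the transient expires. Transients are stored in the options table or
// the object cache, so no extra tables are needed.
define( 'HARDEN_MAX_ATTEMPTS', 5 );
define( 'HARDEN_WINDOW_SECS', 15 * MINUTE_IN_SECONDS );

function harden_client_key(): string {
    // Assumption: REMOTE_ADDR is the real client. Behind a proxy/CDN, use the
    // proxy's forwarded-for header instead (and only trust it from that proxy).
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'harden_login_' . md5( $ip );
}

// Count each failed login (core skips this hook for empty username/password).
add_action( 'wp_login_failed', function ( $username ) {
    $key   = harden_client_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, HARDEN_WINDOW_SECS );
} );

// Priority 30 runs after core's username/password and email/password checks
// (priority 20), so the lockout error replaces whatever they returned.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( harden_client_key() ) >= HARDEN_MAX_ATTEMPTS ) {
        return new WP_Error(
            'harden_too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( harden_client_key() );
} );

// --- Log out idle users sooner ---------------------------------------------
// Core has no inactivity timer; the closest core-level control is the auth
// cookie lifetime. Default is 2 days, or 14 days with "Remember Me".
// Example values: 30 minutes normally, 1 day when "Remember Me" is ticked.
add_filter( 'auth_cookie_expiration', function ( $seconds, $user_id, $remember ) {
    return $remember ? DAY_IN_SECONDS : 30 * MINUTE_IN_SECONDS;
}, 10, 3 );
```

Two caveats a practitioner should keep in mind. First, the lockout error itself fires `wp_login_failed`, so each attempt during a lockout re-arms the 15-minute window; that is intended, but it also means a shared NAT address can be locked out by one noisy client, which is why the threshold and window are deliberately modest. Second, the items that are web-server concerns (password-protecting wp-admin, blocking PHP execution under wp-content/uploads, and fully denying xmlrpc.php) belong in the Apache or nginx configuration rather than in PHP, since by the time PHP runs the request has already reached the application.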