Bulking-up WordPress Security

WordPress hack attacks are becoming more prevalent – almost like a multi-headed gorgon, hackers have many more sinister attack vectors as seen in these reports from FossBytes and ThreatPress . These reports describe not just  one attack many different approaches to  hacking  which often involves 2 or 3 step before the main hack attack is triggered – be it ransomware, secrets siphoning, or crippling collaboration and work sessions.

FossBytes emphasizes the many ways hackers setup compromised users or entry points into a website. Hackers use Phishing by embedding in emails innocent-looking links to other pages that in turn spring the trap when users click potently infected links .Bait and Switch  hacking relies on an attacker  buying advertising space on websites which then shuttle clickers directly to  infected pages. In contrast, Keylogging is often the infection installed by Phishing or Bait and Switch hacks. All the users keyboarding is logged and then transmitted to the hacker. Fake WAP-Wide Area Portals  and ClickJacking  hide or disguise the link so the victim clicks on a seemingly innocent target link  which takes them to where malware lies in wait. As can be seen, all of the above  hacking methods  often require a two or three step process to set the hack trap up to zap unsuspecting users.

In contrast,ThreatPress describes false crawler probings and 2nd stage attacks using compromised access gained by say Phishing and Bait  & Switch. For example, DNS Spoofing hacking  injects corrupt domain system data into a DNS resolver’s cache to redirect where a website’s traffic is sent. It is often used to send traffic from legitimate to malicious websites with lurking malware. XSS website hacking use malicious Javascript code that is embedded in hyperlinks. When the user clicks the link, it can steal personal information, hijack a web session, take over a user account, or change the code  on a page. XSS is a favorite method of hackers to infect WordPress. Thus WordPress firewalls are vital for basic security. CSRF-Cross-site request forgery is a common malicious exploit of websites occurring when unauthorized commands are transmitted from a compromised user that a web application trusts. use illegitimate crawler probes or or user-compromised entrances to a website.

Suffice it to say, hackers are laying sophisticated traps to ensnare users websites or computing devices. WordPress and the broader CMS community are fully aware of the security dangers as well as working constantly  to shore up the defenses against hacking. So a look at the State of Security is in order.

The Security Landscape

Accenture – Security breaches have increased by 11% since 2018 and 67% since 2014
Verizon –  In 2019  90% of malware originated through email first step hack.

Personal experience on my own and client websites underline the hazards. Despite having firewalls and nontrivial passwords, 3 websites were hacked last year and 5 websites in the year to date. All have been recovered, within 2-3 days of the breach. But the alarming situation is that despite security precautions being at a high level., these intrusions have happened. What new security procedures short of Two-Stage-Authentication [clients are dead set against such methods] are required;  hence our  next topic.

Bulking-up WordPress Security

First, let us consider our current state of WordPress Security Here is our security checklist and our own settings on client and personal websites. Note that red remarks mean departures from the goals, green effectively full compliance and  orange as partial  support.

Basics of WordPress Security

  • Web Hosting security provisions – Web Firewall with Log Reports plus Daily Backups for 30 days
  • Keeping WordPress Updated: Core WP, all plugins and themes – Core always, others within 2 weeks
  • Passwords and User Permissions – all non trivial, strict roles limits
  • All passwords revised quarterly or sooner – External facing; internal system passwords
  • High priority passwords protected with 2 Stage Authentication – Ugh!
  • Make WordPress & all apps SSL/HTTPS/FTPS protected – Yes, all
  • Install a WordPress Backup plugin – yes, either Duplicator or All-in-one WP Migration
  • Best WordPress Security Plugins- See our review below
  • Enable Web Application Firewall (WAF) – Yes

WordPress Security Measures requiring Developer savvy

  • Change regularly WP usernames  and passwords including “admin” username – Yes, here is how
  • Disable theme and plugin file editing – Not yet, but here is how
  • Disable eternal access to WordPress directories and files, Maybe and here is how
  • Disable PHP File Execution – Not yet, here is how
  • Limit Login Attempts –
  • Add Two Factor Authentication –
  • Change WordPress Database Prefix –
  • Password Protect WP-Admin and Login –
  • Disable XML-RPC in WordPress-
  • Automatically log out Idle Users –
  • Add Security Questions to WordPress Login –