WordPress is now one of the most popular blogging platforms in the internet. It is an open source platform and a large number of plugins and additional themes and features are available from different developers and companies. The software can be easily customised and new features, such as contact forms, ecommerce, surveys, membership areas can be added to the web site.
It is not a surprise that hackers target WordPress web sites. There are about 60 million WordPress web sites in the internet, and if a new vulnerability is discovered in the platform, all these sites will become vulnerable and can be compromised.
There are two most common ways how the hackers compromise the WordPress web site:
- Exploiting the well-known or new vulnerability in a plugin or a theme. As mentioned earlier, there is a huge number of plugins available for the WordPress and some of them are written by unskilled developers. According to http://www.cvedetails.com/ WordPress contains about 163 well-known security issues, some of them allow remote code execution.
- Discovering the admin password to the management interface. By default, /wp-admin/ directory is not protected by SSL encryption. This means that if an administration is logging in to the web site from insecure network, for example, WiFi Hotspot, his credentials can be easily intercepted. Also, if the password is not strong, the external hackers can easily brute force the password.
So how to secure your WordPress web site? The internet contains a number of articles on this topic. The official security guide can found on wordpress.com web site: http://codex.wordpress.org/Hardening_WordPress
To summarise some key points:
- Keep your wordpress blog and all the plugins up-to-date. Regularly check the WordPress platform for the updates and apply them as soon as possible. Install updates for the plugins as soon as they are available (obviously you need to test the new versions first and make sure they won’t break your web site). Subscribe to the latest news from the security web sites and monitor the vulnerabilities applicable to your plugins and the version of WordPress you are running.
- Configure the strong password policy for your admin account. The passwords should be at least 8 characters long and should be changes regularly. Also configure your web site to temporary block the admin account after 5 unsuccessful login attempts. Make sure that SSL is implemented to secure the admin credentials: SSL provides the encryption of the username and password so it will be very challenging for the hackers to intercept them.
- Limit the number of users with admin privileges to your web site. Review the user accounts on the regular basis and delete the accounts that were not used for a long time. Keeping the large number of users with admin privileges will increase your risk of being compromised. Even if you use SSL encryption for your web site, your users may use weak passwords or reuse the same passwords for different services.
The risks described above are just some of the risks the business owners inherit when they use the WordPress platform for their web sites. Although most of the risks can be remediated by implementing the appropriate control, the business owners need to be aware of them.
Lean Security can help to secure the WordPress web site. Lean Security is focusing on securing all your “Cloud” application and can monitor multiple Worpress web sites from single console. Our security consultants will perform the full security assessment of your environment and import critical parameters into the tool for constant security monitoring and compliance. Contact Lean Security for more information.