WordPress Security and Hardening

Bellingham WP’s WordPress Security and Hardening service has been developed to keep your website safe and secure from intrusion. This is accomplished through the implementation of several security practices aimed specifically at removing known (and plausible) sources of vulnerability.

If you recognize the importance of keeping your business asset secure, get in touch with us. In addition to answering your questions, we will review your website’s current WordPress security situation.

WordPress Security: Software Updates

All of the security in the world cannot save your website from out-of-date, vulnerable code. There are entire online databases which categorically list known WordPress software vulnerabilities, by version, for plugins, themes, and WordPress Core files. With the exception of some poorly supported themes and plugins, there is an army of developers working to keep your website safe and secure by identifying these vulnerabilities and patching the security holes.

However, for you to benefit from these security patches you must perform updates to your website’s WordPress software on a regular basis. This is why we always recommend Bellingham WP’s managed WordPress hosting services, which include regular WordPress software updates, scheduled daily and monthly backups which are stored off server for up to 12 months, and WordPress hosting.

While accessing WordPress is a commonly attempted point of intrusion, a typical hosting account has several of its own access points which can be exploited. FTP and cPanel are more common, to highlight a few. FTP is an acronym which stands for File Transfer Protocol. It is the most common way for a website’s files to be interacted with. If a hacker gains access to FTP they can, with great ease, install any number of malicious files or methods of back door access. With FTP access the hacker would also be able to access the wp-config.php file which contains username and password access information for your WordPress database. To sum up what this means succinctly, YIKES! The other point mentioned, cPanel (short for Control Panel), could be expressed as the brain of your hosting account. With cPanel access a hacker will be able to access and modify your domain’s email accounts, your WordPress website’s database, and your FTP accounts. That’s right, instead of needing to discover FTP credentials, with cPanel access a hacker can simply create their own FTP access account to login to your server.

WordPress Security: Login Hardening

By default, a WordPress installation creates an administrative user with the username ‘admin.’ For hackers, this is great news. It gives them an excellent starting point when attempting to gain access to your website with brute-force hacking techniques. A non-hardened WordPress installation requires only two pieces of information for someone to login, a username and password. If you fail to change the Admin username to something different, potential hackers have half of their hacking job taken care of for them.

Changed your default username from admin to something else? Good work. Did you disable user enumeration or otherwise obfuscate the usernames for administrative accounts? No? Then you’re just as vulnerable as you were before. My point in saying this is that there are many levels which must be addressed in order to secure a WordPress installation.

What is Brute Force Hacking?

Brute force hacking is the process of routinely and regularly attempting to login with a list of passwords. As a simplified example, if your password was the numeral 9, and a hacker were using a brute force hacking scheme which started with the number 1, it would take them nine attempts to crack your password and hack your account. Through the use of huge, HUGE, databases of potential passwords in the form of combinations of numbers, letters, and symbols, along with the automation benefits provided by custom scripting and automation, a WordPress installation being hacked is only a matter of time.

There are plenty of steps that can be taken to limit the effectiveness of brute force hacking techniques. As mentioned above, there are only two pieces of information required, by default, in order to login to the WordPress dashboard for a website. A username and password. If we add a ‘CAPTCHA’ to the login process, for example, the hacker must also solve the CAPTCHA for each login attempt. Another option would be to include a random math verification problem, forcing the hacker (or the hacker’s script) to answer the math question as a logic test.

Most brute force hacking attempts are successful due to the ability to make their login attempts at a very rapid rate, clearing incorrect login credentials rapidly. Therefore, another useful tactic is to limit the number of login attempts allowed. The only way to attribute the login attempt, however, is based on the IP address of the computer attempting to login. Unfortunately this can be easily spoofed or changed by the automation software attempting to hack. That being said, it is better to force the hacker to utilize a multitude of IP address than to allow them free attempted login access via as many IP addresses as they would like to use.

What else then, you ask? Well, what if the hacker wasn’t able to locate the login form at all? That’s right. We can move the login form to a different, non-default location. Although there are ways for hackers to determine the new location of the login form, again, it represents another hoop that they must jump through.

But wait… there’s more. We can password secure the login page. This creates a situation of dual-factor authentication. The hacker would need to then crack two passwords / sets of login credentials in order to gain access.

You want more options? Ok. We’ll enable a ‘Honeypot‘ on the login form. This is a hidden field which is not visible to humans, but is visible to scripted ‘robots.’ The typical behavior of a scripted login attempt is to fill in every field. If this field is detected to have a value entered, the login attempt is then known to have been performed by a non-human and is denied.

Still not enough? I get it, you want to be as secure as possible. How about we setup a login whitelist. We’ll define a list of IP addresses which belong to you, your office, or your employee’s networks and only allow them access to the login form. Anyone attempting to access the form from an IP not on the list will be blocked or redirected to a different URL.

These techniques are widely successful in reducing the hacking attempts of opportunistic hackers looking to get the best of the login system by uncovering an administrator account’s login credentials.

Ready To Be Secure?

Good. We’re ready to secure your WordPress website as well. Just get in contact with us so that we can answer your questions and get the ball rolling in the direction of security.