WordPress is the most popular Content Management System (CMS) worldwide, powering more than a third of all websites existing today. Its popularity also makes it an appealing target for cyberattacks, and it too has its share of security vulnerabilities.
While WordPress may have its own security issues, it isn’t the only platform that is targeted by cyber-criminals, with the theft of data becoming a highly lucrative business. From personal blogs to large business websites, no one has been safe from the potential threats posed by malicious actors.
Regardless of if your site is a small blog or a large business, you need to know how to secure your website. Top of any list should be installing a plugin like UpdraftPlus– The world’s most popular and highest rated WordPress backup plugin. In the event that you should ever find yourself a victim of an attack, you can at least rest easy in the knowledge that you have a secure backup in order to restore your site.
Here are some WordPress Security issues you should know about and how to address them:
1. The plugin system
Part of what makes WordPress so popular is its modularity. You can quickly and easily expand base features thanks to the plugin system. Unfortunately, not all plugins are created to the high standard of UpdraftPlus, and some can introduce new vulnerabilities to your WordPress website.
The ‘PWA for WP & AMP’ Plugin for example exposed over 20,000 WordPress websites to an access control vulnerability. Due to allowing arbitrary file uploads, attackers could remotely execute code and take over websites running this plugin. Users should be aware of two things from this example. The first is to limit the number of plugins used on your WordPress site where possible. The second is to ensure that all your applications – including plugins and WordPress version – are regularly updated. Updates sometimes add new features, but their main purpose is to address newly discovered vulnerabilities.
2. SQL injection attacks
Data is a new and highly valuable commodity, and one reason attackers target websites is to steal information held in the database. SQL Injections are a popular way of doing this, with attackers embedding SQL commands on websites that may compromise sensitive information.
If you’re wondering how this happens, think about the average form you’ll find on many WordPress websites. It allows users to provide information such as usernames and passwords for login. If an attacker inserts SQL code in these fields, the underlying database may process that code and perform unexpected actions. There are several ways you can work to prevent SQL injection attacks, but the most common is to implement strict input validation. For example, you can add the following code to your .htaccess file to ensure that all input is excluded from SQL queries;
# Enable rewrite engine
RewriteEngine On RewriteRule ^(.*)$ – [F,L] # Block MySQL injections RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=https:// [OR] RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR] RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR] RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR] RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR] RewriteCond %{QUERY_STRING} ftp\: [NC,OR] RewriteCond %{QUERY_STRING} http\: [NC,OR] RewriteCond %{QUERY_STRING} https\: [NC,OR] RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR] RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR] RewriteCond %{QUERY_STRING} ^(.*)cPath=https://(.*)$ [NC,OR] RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR] RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR] RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR] RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR] RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR] RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR] RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR] RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR] RewriteCond %{QUERY_STRING} (\./|\../|\…/)+(motd|etc|bin) [NC,OR] RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR] RewriteCond %{QUERY_STRING} (<|>|’|%0A|%0D|%27|%3C|%3E|%00) [NC,OR] RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR] RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR] RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR] RewriteCond %{QUERY_STRING} (sp_executesql) [NC] RewriteRule ^(.*)$ – [F,L] |
3. Cross-site scripting attacks
Like SQL Injection attacks, Cross-site scripting (XSS) attempts to inject malicious code into vulnerable websites. One example is posting information that leads website users to another website that then attempts to steal personal data. This scenario can be potentially dangerous as the other website may not even need input from the user. It can simply scan user identification data such as cookies, session tokens, and more.
You can generally prevent XSS attacks using a Web Application Firewall (WAF). This useful tool allows you to block specific traffic on websites. Most top WordPress security plugins like All In One WP Security & Firewall will have this feature available. If you’d rather focus on running your WordPress website and want to leave the security to the experts, installing a plugin like All-In-One WP Security & Firewall is a great way of doing so. It not only helps you block most types of attacks but can also scan your WordPress website for vulnerabilities you may not be aware of.
4. Brute force attacks
WordPress makes use of a credential system that allows administrators and other authorized users to access its control features. Unfortunately, many users tend to employ weak and obvious passwords. Brute force passwords make use of scripts that make continued and multiple login attempts to a WordPress site until successful. The script works with a database that holds a dictionary of commonly used usernames and passwords (such as Admin and Password1), hoping that you would have chosen one of these combinations without putting any thought into the risks.
You can however do several things to limit the effectiveness of brute force attacks;
- Use complex and unique passwords
- Block access to the WordPress admin directory
- Add Two-factor Authentication (2FA)
- Disable directory browsing
- Limit the number of login attempts
5. Distributed denial of service attacks
Distributed denial of service (DDoS) attacks consist of a massive flood of requests that target a website. This flood is intended to cripple a website, making it inaccessible to regular visitors as it is unable to cope with the volume of requests. While DDoS isn’t unique to WordPress, websites based on this CMS can be especially vulnerable since it requires more resources to serve a request than regular static websites. It can be impossible to guard against a determined DDoS flood however, but even the most prominent organisations have succumbed to these attacks. One example of this was the GitHub attack in 2018, in which their website came under a 20-minute DDoS flood attack.
Generally smaller websites aren’t the target of such a massive volume. To mitigate against smaller DDoS waves however, make sure you use a Content Distribution Network (CDN). These server networks can help balance incoming loads and help in serving content faster.
6. Cross-site request forgery attacks
Cross-site request forgery (CSRF) attacks are another way attackers force web applications like WordPress to recognize fake authentications. WordPress is especially vulnerable since these sites generally hold many user credentials. The CSRF attack is similar to the XSS attack discussed earlier in many ways. The main difference is that CSRF needs an authentication session, while XSS does not. Regardless, the ultimate aim is to divert a visitor towards an alternative location to steal data.
CSRF prevention needs implementation at the plugin level in most cases. Developers typically use anti-CSRF tokens to link sessions with specific users. WordPress website owners can only rely on plugin updates and general website hardening techniques to help prevent CSRF attacks.
Some hardening actions that may work include;
- Disabling file editors
- Targeted blocks of PHO execution
- 2FA implementation
Final thoughts on WordPress security issues
There is sometimes a misconception that WordPress is a highly vulnerable web application. However, this isn’t an entirely fair claim. Part of it stems from the widespread use of WordPress, but a more significant reason is the failure of website owners to take the necessary proper precautions.
We often take security for granted without thinking of the consequences of choosing a simple password. Website owners however have to take responsibility not just for the integrity of their websites, but also for the safety of their users’ data.
Author: Chris Read – contact [email protected]