As a hosting company we are busy on a daily basis keeping our clients' websites, servers and cloud environments safe from DDoS attacks, hackers, malware and viruses. We keep up to date on specific IP ranges to block, update anti-virus engines, remove malware and stop live attacks. We recently experienced a brute force attack on a few of our clients' WordPress sites, which inspired me to write up a blog post covering some tips and findings to help keep your WordPress sites safe. I have broken this down into a list of preventative measures you can take to secure your WordPress sites.
1) Upgrade to the latest version of WordPress. It is very important to keep WordPress updated to the latest version so that you receive the newest fixes and security updates. Before you do this, upgrade all your existing plugins and your active theme to their latest versions. Confirm first that your theme and any special plugins support the latest WordPress release; if they do not, you may have to stop at the previous release until they are updated. Always make a full backup of your code and database before performing a WordPress upgrade. There is a lot of documentation for this on www.wordpress.org. If you have a WordPress site that is many years old and has never been updated, you are a sitting duck for hackers, as new WordPress releases are constantly plugging security holes.
2) Disable XML-RPC. A few weeks ago one of our clients' sites was hit with a brute force attack attempting to guess the WordPress admin password. We noticed the load on our servers go very high, and some of the WordPress sites were loading very slowly or not at all. After investigating the logs, we could see the requests were targeting xmlrpc.php. We disabled access to this file through the web server configuration, and that mitigated the brute force attack. Another option is to install the Disable XML-RPC WordPress plugin to stop large XML-RPC brute force attacks.
To explain further what a brute force attack against XML-RPC is doing: instead of going after wp-login.php (which can be easily blocked or protected via .htaccess) or making a single attempt per request against xmlrpc.php, attackers use the system.multicall method to test hundreds of passwords within one HTTP request. Each nested call carries a username and password (typically to wp.getUsersBlogs), so a single POST causes hundreds of authentication checks on your server while showing up in the access log as one request. It used to be recommended that people block all access to xmlrpc.php, but that broke some plugins' functionality (mostly Jetpack). With that in mind, if you are not using Jetpack or any of the other plugins that require XML-RPC, it is a good idea to block direct access to it altogether. If you cannot block XML-RPC and you are using a WAF (web application firewall), it is highly recommended to block system.multicall requests. It is barely used by legitimate clients in the wild, and blocking it protects you against this multiplication of login attempts.
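As an added illustration of the attack described above (this is example code written for this post, not part of the original article or of WordPress or any WAF product), the script below first builds the kind of system.multicall body an attacker sends, packing one wp.getUsersBlogs call per password guess into a single request, and then runs a WAF-style check that parses a request body, refuses system.multicall, and reports how many credential checks the request would have caused. The set of credential-taking methods and the MAX_MULTICALL_CALLS threshold are assumptions for the example; wp.getUsersBlogs is a real WordPress XML-RPC method that takes a username and password.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# XML-RPC methods that take (username, password) and therefore act as an
# authentication oracle for password guessing. wp.getUsersBlogs is the one
# most often seen in these attacks; the others are examples, not a full list.
AUTH_METHODS = {"wp.getUsersBlogs", "wp.getProfile", "wp.getUsers", "wp.getPosts"}

# Hypothetical WAF setting: how many nested calls a system.multicall may carry.
# 0 refuses system.multicall outright, which is what the text recommends.
MAX_MULTICALL_CALLS = 0


def build_multicall(username, passwords):
    """Attacker-side payload: one methodCall to system.multicall that wraps
    one wp.getUsersBlogs(username, password) call per password guess."""
    calls = []
    for pw in passwords:
        calls.append(
            "<value><struct>"
            "<member><name>methodName</name>"
            "<value><string>wp.getUsersBlogs</string></value></member>"
            "<member><name>params</name><value><array><data>"
            f"<value><string>{escape(username)}</string></value>"
            f"<value><string>{escape(pw)}</string></value>"
            "</data></array></value></member>"
            "</struct></value>"
        )
    return (
        '<?xml version="1.0"?><methodCall>'
        "<methodName>system.multicall</methodName>"
        "<params><param><value><array><data>"
        + "".join(calls)
        + "</data></array></value></param></params></methodCall>"
    )


def _member_value_text(member):
    """Text of a <member>'s <value>, whether typed (<string>) or bare."""
    value = member.find("value")
    if value is None:
        return ""
    typed = value.find("string")
    text = typed.text if typed is not None else value.text
    return (text or "").strip()


def inspect_xmlrpc(body):
    """WAF-style check of a POST /xmlrpc.php body.

    Returns (allow, reason, auth_attempts): whether to pass the request on,
    a message for the log, and how many credential checks it would trigger.
    For untrusted input in production, parse with defusedxml instead of
    the stock ElementTree parser.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False, "malformed XML-RPC body", 0
    if root.tag != "methodCall":
        return False, "not an XML-RPC methodCall", 0

    method = (root.findtext("methodName") or "").strip()
    if method != "system.multicall":
        attempts = 1 if method in AUTH_METHODS else 0
        return True, f"single call to {method}", attempts

    # Nested calls are structs carrying a 'methodName' member; count them
    # and how many of them take credentials.
    nested = [
        _member_value_text(m)
        for m in root.iter("member")
        if (m.findtext("name") or "").strip() == "methodName"
    ]
    attempts = sum(1 for m in nested if m in AUTH_METHODS)
    if len(nested) > MAX_MULTICALL_CALLS:
        return (False,
                f"system.multicall with {len(nested)} calls ({attempts} credential checks)",
                attempts)
    return True, f"system.multicall with {len(nested)} calls", attempts


if __name__ == "__main__":
    # Constructed sample: one request that tests three guesses for 'admin'.
    body = build_multicall("admin", ["password", "123456", "admin2015"])
    print(inspect_xmlrpc(body))
    print(inspect_xmlrpc('<?xml version="1.0"?><methodCall>'
                         '<methodName>pingback.ping</methodName></methodCall>'))
```

The point of counting the nested calls rather than just matching the string "system.multicall" is that the auth_attempts figure is what belongs in your log and in any rate limit: a hundred-guess multicall should count as a hundred failed logins for that IP, not as one request.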
3) Add a firewall WordPress plugin. As a suggestion, Wordfence is a good application firewall for your WordPress site. The standard version is free and will send notifications on who is logging into the site, who is attempting to log in and from which IP address, which plugins you need to upgrade, which files have been modified and when, and which attacks have been stopped. The premium version adds two-factor authentication using your cell phone, spam blocking, premium support, country blocking, advanced attack blocking, malware scans and more. You can install it from the Plugins screen in the WordPress admin.
4) Add captcha plugins. It is important to use a captcha on your contact forms and login form. This hinders automated scripts from abusing your forms or guessing passwords on your login page. We use math captchas; they are easy to add and stop most of the automated scripts out there. After installing the Math Captcha WordPress plugin, enable it in its settings page for the forms and pages you want protected. By default it is not enabled for the login page, so make sure you tick that checkbox in the settings page so that bots hitting your login page are hindered. Note that a captcha on the login form does nothing for XML-RPC, which authenticates without the form, so item 2 still applies.
5) Folder permissions. Check the permissions on your WordPress folders and avoid giving everyone read, write and execute access. In the Unix world that setting is written as 777, and it means every user and process on the server, including a compromised web server process or another customer on a shared host, can overwrite your files. That gives a hacker or malware free rein to add or delete files on your site. Directories should normally be 755 and files 644, with wp-config.php locked down further, since it holds your database credentials.
6) File access. Be careful how you edit the .htaccess file. If you are not sure, use the default .htaccess file from WordPress. However, the default .htaccess file does not block directory listing of WordPress directories such as your /wp-includes folder. You can test right now whether directory browsing is open by visiting http://yoursitename/wp-includes on your WordPress site. If you see a list of files and directories, directory listing is enabled; that exposes your file layout, plugin and theme names, and often their versions to an attacker, which makes it much easier to pick an exploit. To block listing of your WordPress directories such as /wp-includes, add this one line to the .htaccess file in your WordPress root directory, outside the # BEGIN WordPress / # END WordPress block (which WordPress rewrites when it saves permalink settings): Options -Indexes. This only takes effect if the server's AllowOverride setting permits Options in .htaccess; if it does not, put the same line in the virtual host configuration instead.
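The audit below is an added example for items 5 and 6 (written for this post; it is not the article's own tooling and not part of WordPress). It walks an install and reports every world-writable file or directory (the o+w bit that 777 and 666 set), can reset those entries to 755 for directories and 644 for files (640 for wp-config.php), and checks whether the .htaccess actually carries an Options line that removes Indexes. The sample tree it builds is constructed for the demonstration: a 777 uploads directory, a 666 wp-config.php and an .htaccess holding only the default WordPress rewrite block; the mode constants are the commonly recommended values, not a WordPress requirement.

```python
import os
import re
import stat
import tempfile

# Commonly recommended WordPress modes: directories 755, files 644, and
# wp-config.php tighter still because it holds the database credentials.
DIR_MODE = 0o755
FILE_MODE = 0o644
CONFIG_MODE = 0o640

_OPTIONS_LINE = re.compile(r"^\s*Options\b(?P<args>.*)$", re.IGNORECASE)


def mode_of(path):
    """Permission bits of a path as an int, e.g. 0o755."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def audit_permissions(root):
    """Walk a WordPress install and return [(path, octal mode)] for every
    file or directory that is world-writable (o+w set, as in 777 or 666)."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode is meaningless; audit its target separately
            if st.st_mode & stat.S_IWOTH:
                findings.append((path, oct(stat.S_IMODE(st.st_mode))))
    return findings


def fix_permissions(root, dry_run=True):
    """Reset each world-writable entry to 755/644 (640 for wp-config.php).
    Returns how many entries were changed, or would be changed when dry_run."""
    changed = 0
    for path, _mode in audit_permissions(root):
        if stat.S_ISDIR(os.lstat(path).st_mode):
            target = DIR_MODE
        elif os.path.basename(path) == "wp-config.php":
            target = CONFIG_MODE
        else:
            target = FILE_MODE
        if not dry_run:
            os.chmod(path, target)
        changed += 1
    return changed


def directory_listing_blocked(htaccess_path):
    """True if the .htaccess has a non-comment Options line that removes
    Indexes. Only effective when the vhost's AllowOverride permits Options."""
    with open(htaccess_path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            if line.lstrip().startswith("#"):
                continue
            m = _OPTIONS_LINE.match(line)
            if m and "-indexes" in m.group("args").lower().split():
                return True
    return False


def make_sample_install():
    """Constructed sample tree (not a real site) with the mistakes the text
    warns about. Modes are set explicitly so the result does not depend on
    the caller's umask."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    content = os.path.join(root, "wp-content")
    uploads = os.path.join(content, "uploads")
    os.makedirs(uploads)
    os.chmod(content, 0o755)
    os.chmod(uploads, 0o777)          # the classic "make uploads work" mistake
    files = (("wp-config.php", 0o666), ("index.php", 0o644), (".htaccess", 0o644))
    for name, mode in files:
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            if name == ".htaccess":
                fh.write("# BEGIN WordPress\n<IfModule mod_rewrite.c>\n"
                         "RewriteEngine On\n</IfModule>\n# END WordPress\n")
            else:
                fh.write("<?php\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    site = make_sample_install()
    for path, mode in audit_permissions(site):
        print(f"world-writable {mode}: {path}")
    print("would fix:", fix_permissions(site, dry_run=True))
    print("directory listing blocked:",
          directory_listing_blocked(os.path.join(site, ".htaccess")))
```

Run it against a real document root as the owner of the files (or root) with dry_run=True first; the listing it prints is the set of entries you would otherwise be handing to any process on the box.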
7) Passwords. Make sure your passwords are complex, not simple. A hacker is going to run a script that tries tens of thousands of common passwords against your site to see if any of them gains access. So use a long password with a combination of letters, numbers, capitals and special characters, and do not reuse it on any other site.
8) User roles. Guard who you give the Administrator role to. People who only publish or edit content on your WordPress site should have the Editor or Author role, not Administrator.
9) Plugins. Research plugins before you add them to your WordPress site. Do a search to find out whether they have known security vulnerabilities and make sure you are using the most up to date version. Too many plugins out there are notorious for leaving your site open to compromise. Delete plugins you no longer use rather than just deactivating them, since a deactivated plugin's files are still on the server and can still be reached directly.
If you find you need help implementing the above tips, you can reach me at firstname.lastname@example.org or give us a call at 1-800-640-4892.
Sozo Hosting is an Atlanta-based hosting company, offering enterprise hosting services and expertise to support your growing business. We provide Dedicated Server Hosting, Cloud Server Hosting, Enterprise Information Management Hosted Systems, Private Cloud Business Storage (a more secure solution than Dropbox), Data Backups, Offsite Replication, IT Managed Services and more.