The Highs and Lows of WordPress

WordPress. It’s one of the most popular content management systems (CMS) for websites in the world, and it’s no surprise really: it’s free, easy to install and customise, and it makes keeping website content fresh quick and easy. That’s why 20% of the globe’s websites use it.

But like any popular piece of software or tool, being at the forefront of an industry means it’s under constant attack.

WordPress is now a favourite target for hackers, who exploit poorly developed plugins and WordPress packages that aren’t maintained. The damage can range from an owner’s website being used to send thousands of spam emails, to websites defaced with ISIS messages, to malicious hackers using the site to gather visitors’ personal data.

Not only can hacks be damaging to a company’s operations, they can have a huge effect on its reputation as well – the last thing a business needs is to find itself embroiled in a data leakage scandal.

So what’s the answer to keeping your WordPress site safe?

There are some basic steps that can be taken which will help keep hackers at bay. They are by no means foolproof, but it’s like a burglar eyeing a house fitted with deadlocks: sure, they could get in eventually, but it’d be a lot easier to move on to another house that doesn’t have such tight security.

If you have a WordPress website, consider carrying out the following:

  • Create a new administrator account that doesn’t have the username ‘Admin’ and remove the default administrator account.
  • Use complex passwords for the administration section of your WordPress site.
  • Set the permissions of WordPress ‘include’ files to read only.
  • xmlrpc.php and wp-config.php are two files that attackers target and that can be safely locked down. Add the following to your .htaccess file in your web root. Note that this file may be hidden because it begins with a ‘.’, so you may need to work with your administrator for help with modifying it.
    # Apache 2.2 access-control syntax (on Apache 2.4 it needs mod_access_compat).
    # "order deny,allow" lets the allow line override the deny, so only the
    # loopback address can fetch the file; with "order allow,deny" the deny
    # would win and the allow line would have no effect.
    <files wp-config.php>
    order deny,allow
    deny from all
    allow from 127.0.0.1
    errordocument 403 "This file is forbidden"
    </files>
    
    <files xmlrpc.php>
    order deny,allow
    deny from all
    allow from 127.0.0.1
    errordocument 403 "This file is forbidden"
    </files>
  • Turn off comments on your WordPress site.
  • Another vulnerability is the WordPress Heartbeat. This is the script that automatically refreshes your dashboard while you are logged in. Unfortunately this script uses up extra resources and opens a vulnerability to some attack types. You can restrict access to this file by adding a rule to your .htaccess file as follows:
    # "order deny,allow": the allow line overrides the deny, so only the
    # loopback address is admitted (Apache 2.2 syntax; mod_access_compat on 2.4).
    <files admin-ajax.php>
    order deny,allow
    deny from all
    allow from 127.0.0.1
    </files>
  • Make sure your WordPress site is up to date and that it is set to automatically upgrade itself when a new version is released (WordPress updates are frequently released to fix security holes). In your wp-config.php file, change this value:
    define( 'WP_AUTO_UPDATE_CORE', true );
  • Only use plugins for WordPress from reputable developers.
  • You can prevent people from snooping through your files by adding another rule to the .htaccess file:
    Options -Indexes
  • Install a plugin that will keep your plugins updated on a regular basis (plugins are another backdoor hackers love to exploit).
  • Install a plugin like Wordfence that will give a basic level of security, scanning and warnings about hacking attempts.
  • Take regular backups of your WordPress site and its accompanying database, so if it does get hacked, a working copy can be quickly restored.
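As an added example that is not part of the original post, the following POSIX shell script audits a WordPress web root against the file-level items in the list above: the three <files> lockdowns in .htaccess, WP_AUTO_UPDATE_CORE in wp-config.php, Options -Indexes, and read-only files under wp-includes. It assumes an Apache-style layout (.htaccess and wp-config.php in the web root, core files under wp-includes/) and accepts both the Apache 2.2 directives shown above and the Apache 2.4 form "Require all denied". Items that need the database or a plugin (the renamed ‘admin’ account, plugin updates, Wordfence, backups) are not covered. The demo directories it builds when run without arguments are constructed for illustration only; all file names and function names in it are this example’s own.

```shell
#!/bin/sh
# Added audit script (not from the original post). Checks a WordPress web root
# against the hardening list above. Assumes an Apache-style install: .htaccess
# and wp-config.php in the web root, core files under wp-includes/.
# Each check prints PASS/FAIL and returns 0 (pass) or 1 (fail).

report() {  # $1 = description, $2 = 0 for pass / 1 for fail
    if [ "$2" -eq 0 ]; then echo "PASS  $1"; else echo "FAIL  $1"; fi
    return "$2"
}

# Does .htaccess hold a <Files NAME> block that denies access to NAME? Accepts the
# 2.2 syntax used above ("deny from all") and the 2.4 form ("Require all denied").
check_htaccess_blocks() {
    root="$1"; name=$(printf '%s' "$2" | tr 'A-Z' 'a-z'); rc=1
    [ -f "$root/.htaccess" ] && awk -v f="$name" '
        { line = tolower($0); gsub(/[ \t\r]+/, " ", line); sub(/^ /, "", line); sub(/ $/, "", line) }
        line == ("<files " f ">") || line == ("<files \"" f "\">") { inblock = 1; next }
        inblock && line == "</files>" { inblock = 0 }
        inblock && (line == "deny from all" || line == "require all denied") { found = 1 }
        END { exit (found ? 0 : 1) }' "$root/.htaccess" && rc=0
    report ".htaccess denies HTTP access to $2" "$rc"
}

# Is WP_AUTO_UPDATE_CORE set to true on an uncommented line (not 'minor' or false)?
check_auto_update() {
    root="$1"; rc=1
    grep -Eiq "^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]WP_AUTO_UPDATE_CORE['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" \
        "$root/wp-config.php" 2>/dev/null && rc=0
    report "wp-config.php sets WP_AUTO_UPDATE_CORE to true" "$rc"
}

# Are directory listings switched off?
check_no_indexes() {
    root="$1"; rc=1
    grep -Eiq '^[[:space:]]*Options[[:space:]].*-Indexes' "$root/.htaccess" 2>/dev/null && rc=0
    report ".htaccess disables directory listings (Options -Indexes)" "$rc"
}

# Are all files under wp-includes read-only (no owner/group/other write bit)?
check_includes_readonly() {
    root="$1"; rc=1
    n=$(find "$root/wp-includes" -type f \( -perm -200 -o -perm -020 -o -perm -002 \) 2>/dev/null | wc -l | tr -d ' ')
    [ -d "$root/wp-includes" ] && [ "$n" -eq 0 ] && rc=0
    report "wp-includes files are read-only ($n writable)" "$rc"
}

# Run every check; the return value is the number of failed checks.
run_audit() {
    root="$1"; failed=0
    for f in wp-config.php xmlrpc.php admin-ajax.php; do
        check_htaccess_blocks "$root" "$f" || failed=$((failed + 1))
    done
    check_auto_update "$root"       || failed=$((failed + 1))
    check_no_indexes "$root"        || failed=$((failed + 1))
    check_includes_readonly "$root" || failed=$((failed + 1))
    echo "$failed check(s) failed for $root"
    return "$failed"
}

# Constructed fixture: a hardened layout and a stock one, so the script can be
# tried without a real site. Prints the temporary base directory.
make_demo_site() {
    base=$(mktemp -d) || return 1
    for layout in hardened default; do
        mkdir -p "$base/$layout/wp-includes"
        echo '<?php' > "$base/$layout/wp-includes/version.php"
        echo '<?php' > "$base/$layout/wp-config.php"
    done
    cat > "$base/hardened/.htaccess" <<'EOF'
<Files wp-config.php>
order deny,allow
deny from all
allow from 127.0.0.1
</Files>
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
<Files "admin-ajax.php">
Require all denied
</Files>
Options -Indexes
EOF
    echo "define( 'WP_AUTO_UPDATE_CORE', true );" >> "$base/hardened/wp-config.php"
    chmod 444 "$base/hardened/wp-includes/version.php"
    echo 'RewriteEngine On' > "$base/default/.htaccess"
    echo "define( 'WP_AUTO_UPDATE_CORE', 'minor' );" >> "$base/default/wp-config.php"
    chmod 644 "$base/default/wp-includes/version.php"
    echo "$base"
}

if [ $# -eq 0 ]; then
    demo=$(make_demo_site)
    run_audit "$demo/hardened"
    run_audit "$demo/default" || echo "(the stock layout is expected to fail)"
    rm -rf "$demo"
else
    run_audit "$1"
fi
```

Run it as `sh wp_hardening_audit.sh /path/to/webroot` to audit a real install; the exit status is the number of failed checks, so it can gate a deployment script. Without an argument it builds the two constructed demo layouts, audits both and removes them. The .htaccess check matches on normalised, lower-cased lines rather than regular expressions so that file names containing dots are compared literally.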