Addressing the WordPress Is Not Secure by Default Argument
WordPress is open source, so its code is publicly available. That means anyone willing to contribute can build on top of others’ work, and this is how WordPress gets developed. The WordPress security team cannot always stay ahead of vulnerabilities, because it is hard to fix something that has not even been discovered yet.
Some people say that WordPress has built-in features which are not inherently secure and which some day end up plaguing the site’s security. Careful there. This is not what I said; it’s a speculation that I have read many times over. You must be wondering why these known vulnerabilities are not fixed in the first place. Core developers could surely devise a plan to fix issues like the WordPress version number, limiting login attempts, etc. But that’s not the case, is it? So there must be a strong reason for not doing it so far. I believe it is not as simple as it sounds.
That’s what I want to address today: the fact that WordPress is secure. The argument that WordPress is not secure by default is way off. In this post, you will learn how hackers attack WordPress sites, why some threats are deliberately not handled in WP core, and other security threats in the WordPress architecture which we may or may not want to fix.
Who Wants to Hack Your Site?
People with bad intentions who want to breach your private data are called hackers. It is always better to assume that your site is susceptible to attack. However, it is wrong to assume that the attacking entity is always a human. It can also be a computer bot, a program, or even a botnet (more on this later).
You might be wondering why anyone would want to hack your site. Even if you have low traffic and hardly 20 posts, your site is still a target for malicious hackers!
What do hackers want?
The question is why? What do these hackers want from your site?
It is rare that hackers want to steal or delete your data. Instead, they are normally interested in your hosting server, through which they can send spam emails, or in adding spam links to your content. Sometimes you don’t even find out about the suspicious activity until someone notifies you about it.
Hackers are also drawn to your site’s search ranking, because your domain is completely legitimate and is not blacklisted by the search engines. Hackers use this to their advantage: they either redirect your site’s traffic to their spammy pages or send illegal data via your server. Before digging into further details, let’s look at the possible sources of threats that plague a WordPress website.
- Humans: It is very rare for an individual hacker to devote their attention to hacking one particular site. However, if it happens, know that a human has creative skills that a bot or program lacks. A human can exploit a site’s weaknesses much more easily than a robot.
- Bots and botnets: The reason hackers write and use programs to hack is that they are fast, scalable, and have mass impact. If a zero-day vulnerability is known, hackers can compromise a great many sites in little time. A zero-day vulnerability is a hole in the software that is unknown to the vendor. A bot can be an individual program running on a server. Botnets are multiple servers running different versions of the same program to detect and exploit sites. Botnets can also use the servers of hacked sites or the bandwidth of virus-infected users’ machines. Bots are not as sophisticated or as adaptable as humans, but they can be much more dangerous. Then again, bots are sometimes easier to detect.
WordPress Security Threats
How WordPress fights security threats is an interesting topic. But let’s first review what you can do about them if you care about your site’s security.
Outdated Themes and Plugins
Many WordPress users do not keep their themes and plugins up to date. This is a big mistake. Yes, I get it: having 15+ updates every other week is a hassle. But it’s worth the effort. When a security vulnerability is discovered, nefarious hackers write programs to exploit it, and every site with the outdated, vulnerable theme or plugin is a target.
To resolve these security threats, developers release fixes in the form of updates. Updating a theme or plugin takes no more than a few minutes.
However, most users do not stay up to date and pay the price by getting hacked. At any given time, there are thousands of malicious scripts running, tasked with looking for vulnerable sites.
WordPress Automatic Security Updates
WordPress runs minor automated security updates in the background. This behaviour is configurable through the wp-config.php file or a filter. When users are on a vulnerable WordPress version, WordPress may decide to update all such sites automatically. However, this only happens in special cases, as described by the WordPress.org API response.
Recently an XSS vulnerability was found in Yoast SEO, a very popular plugin. Thankfully, the WP Plugin team saved the day: they automatically updated millions of sites to save people from getting hacked.
These automated updates have been criticized by many because they run without the user’s consent. You can read more about configuring automatic updates at WP.org.
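As an added example (my own code, not from the post or from WordPress.org), here is a must-use plugin that sets an explicit auto-update policy instead of leaving it to the defaults: it keeps core on minor releases, opts an allow-list of plugin slugs into background updates (so a fix like the Yoast SEO patch lands without anyone clicking "update"), and logs every background update so nothing happens silently. The file path, the `elal`-style prefixes and the plugin slugs in the allow-list are assumptions; the constant and the filter and action names are WordPress’s own.

```php
<?php
/**
 * Plugin Name: Example Auto-Update Policy
 * Description: Added example (not code from the post or from WordPress.org). Sets an explicit
 *              policy for background updates. Assumed location:
 *              wp-content/mu-plugins/auto-update-policy.php
 */

// Core releases: 'minor' (WordPress's default) accepts security and maintenance releases
// only; true also accepts major releases; false turns core auto-updates off.
// This constant normally lives in wp-config.php, so it is guarded here.
if ( ! defined( 'WP_AUTO_UPDATE_CORE' ) ) {
    define( 'WP_AUTO_UPDATE_CORE', 'minor' );
}

// Plugins are not auto-updated unless the site opts in. This filter opts in an
// assumed allow-list of plugin slugs (directory names), so a security fix for one
// of them is applied even when nobody logs in to click "update".
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    $allow = array( 'wordpress-seo', 'akismet' ); // assumed slugs for this example
    if ( isset( $item->slug ) && in_array( $item->slug, $allow, true ) ) {
        return true;
    }
    return $update; // leave WordPress's own decision in place for everything else
}, 10, 2 );

// Translations are data files, so letting them update freely is low risk.
add_filter( 'auto_update_translation', '__return_true' );

// Record what the background updater did, so an update that ran "without consent"
// is at least visible in the server log afterwards.
add_action( 'automatic_updates_complete', function ( $results ) {
    foreach ( $results as $type => $updates ) {
        foreach ( $updates as $update ) {
            $name   = isset( $update->name ) ? $update->name : 'unknown';
            $failed = isset( $update->result ) && is_wp_error( $update->result );
            error_log( sprintf( 'auto-update: type=%s name=%s result=%s',
                $type, $name, $failed ? 'error' : 'ok' ) );
        }
    }
} );
```

Files in wp-content/mu-plugins/ load on every request without being activated, which is why the policy lives there rather than in a regular plugin that someone could deactivate. If you prefer to keep the core setting in wp-config.php, drop the guarded define and keep the two filters.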
Default Table Prefix
Quick script installers sometimes install WordPress with the default table prefix “wp_”, which means the posts table will be called “wp_posts”. You can define a table prefix of your choice at installation time. However, most people are not aware of this. Hackers know this very useful piece of information, and it helps them exploit sites when a vulnerability is known.
Here is how to change table prefix:
- Install and activate the Change DB Prefix plugin.
- Go to Settings > Change DB Prefix.
- On the next page, you can change the table prefix.
Changing the table prefix to something random is important because hackers’ SQL injection attempts no longer work. You can read more about WordPress database security here: How to Secure and Optimize WordPress Database?
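Two things a practitioner should know about the prefix, shown as an added example (my own code, not from the post or the Change DB Prefix plugin). First, WordPress only accepts letters, digits and underscores in $table_prefix and refuses to start otherwise, so a "random" prefix still has to follow that rule. Second, a renamed prefix only defeats scripts that hardcode table names like wp_users; a query that splices user input straight into SQL is injectable under any prefix, and $wpdb->prepare() is what actually closes that hole. The function names and the sample prefix are hypothetical; $wpdb->users and $wpdb->prepare() are WordPress’s own.

```php
<?php
/**
 * Plugin Name: Example Prefix-Aware Query
 * Description: Added example (not from the post or the Change DB Prefix plugin). Shows the
 *              rule WordPress applies to $table_prefix and how plugin code should reference
 *              tables so a prefix change neither breaks it nor is its only defence.
 */

// wp-config.php sets the prefix; a constructed value for illustration:
//   $table_prefix = 'k3qz9_';
// WordPress dies on startup if the prefix contains anything but letters, digits
// and underscores. This hypothetical helper mirrors that rule.
function example_valid_prefix( $prefix ) {
    return '' !== $prefix && (bool) preg_match( '/^[A-Za-z0-9_]+$/', $prefix );
}

// Fragile: hardcodes "wp_" (this breaks as soon as the prefix changes, which is also
// why canned scripts that assume wp_ stop working) AND splices user input straight
// into SQL. A renamed table does nothing about that second problem.
function example_lookup_fragile( $login ) {
    global $wpdb;
    return $wpdb->get_var( "SELECT ID FROM wp_users WHERE user_login = '$login'" );
}

// Robust: $wpdb->users resolves to "<prefix>users" whatever the prefix is, and
// $wpdb->prepare() escapes the value so input cannot change the query's structure.
function example_lookup_robust( $login ) {
    global $wpdb;
    return $wpdb->get_var(
        $wpdb->prepare( "SELECT ID FROM {$wpdb->users} WHERE user_login = %s", $login )
    );
}

// Hypothetical usage inside a request handler (wp_unslash undoes WordPress's
// magic-quotes-style slashing before the value reaches prepare()):
//   $id = example_lookup_robust( wp_unslash( $_POST['login'] ) );
```

Plugins written the fragile way are exactly the ones that break after you run the Change DB Prefix plugin, so if something stops working after the rename, a hardcoded wp_ in a plugin query is the first thing to look for.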
WordPress Version Number is Visible
One of the most-discussed built-in threats is the WP version number, which is publicly visible. readme.html is a helpful file that ships with the installation. It contains introductory text and details about how to install the script, and it also contains the WordPress version number. Hackers are aware of this file, so they program their scripts to detect this version number. If the version is outdated and has security holes, the site is easily exploitable.
The reason WordPress keeps the version number is that there are many ways to retrieve it, and removing them all from open source software is not practical. Moreover, it’s better to update your WP websites than to worry about having a public WP version number.
Andrew Nacin (Lead WP Dev) wrote about this:
“With publicly accessible web application software, there is no way to prevent version detection. The readme and generator versions are just the fairly cheap ways to do it. My favorite is looking at publicly accessible CSS and JS files, but there are many others. Script kiddies blindly attack sites. They don’t sniff version numbers first. Even if they did, this means they’re looking for core vulnerabilities. (Of which there are few, and anything of note requires a user account these days, at a minimum.) So, you’re either running an out of date version — don’t hide the version number, *update* — or you’re running the latest (at which point, that’s on us, and no suppressing that version is going to help you).”
To prevent the version number from being displayed, you can read a detailed article about it here: How to Remove Version Number for WP Security & Hide the Fact That You Use WordPress? In that article, you’ll also find links to two more articles about why you should not hide the fact that you use WP, or which WP version you use. I hope you read them.
Vulnerable Firewall Settings
WordPress has very open firewall settings, which is an intentional decision! Not everyone needs to use a WP website the same way. For beginners: a firewall is a valuable layer that filters incoming and outgoing traffic through a set of rules. A firewall helps protect servers, websites, and individual computers.
Traffic means HTTP request(s) from a client to the server. Traffic can come from hackers, DDoS attacks, and bots, as well as legitimate users. By default, the WordPress firewall allows all types of traffic (even malicious bots). This can be dangerous. However, it can be avoided by using a third-party firewall service.
There are a few WordPress security plugins which offer a firewall service. Among them is Sucuri, one of the most trusted brands in the WordPress community. Their services, though, are premium. A free alternative is the All In One WP Security plugin.
In a firewall setup, there are three phases:
- Filtering: In this phase, traffic comes to the middleman (proxy) and is filtered against a set of rules.
- Middleman: Also called the proxy, this is the entity between your web server and the traffic. Its job is to hold back “bad” traffic and only let good traffic through.
- Inspection: Instead of analyzing all incoming traffic in full, important elements are compared against trusted database information. Once they match, the traffic is allowed through.
Strong firewall settings add an extra layer of site security. You won’t feel the pain of being hacked unless something happens out of the blue. WP core, on the other hand, cannot help you with that; this is what we call a plugin’s territory, because it is not something that every single WordPress install needs.
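To make the three phases concrete, here is an added example (my own code, not from the post, Sucuri or All In One WP Security) of a tiny application-level request filter written as a must-use plugin. The rule set is the filtering phase, the fact that it runs before WordPress routes the request makes it the middleman, and the trusted-address lookup for xmlrpc.php is the inspection phase. The rules, the constant name, the helper names and the allow-listed addresses (TEST-NET values) are all constructed for the example; a real firewall service keeps far richer rule sets and runs in front of the web server, not inside it.

```php
<?php
/**
 * Plugin Name: Example Request Filter
 * Description: Added example (not from the post, Sucuri or All In One WP Security). A small
 *              application-level filter that runs before WordPress routes the request.
 *              Assumed location: wp-content/mu-plugins/request-filter.php
 */

// Inspection data: hypothetical trusted addresses allowed to use xmlrpc.php
// (constructed TEST-NET addresses; anything that legitimately uses XML-RPC,
// such as Jetpack or the mobile app, would need to be listed here).
define( 'EXAMPLE_XMLRPC_ALLOW', '203.0.113.10,203.0.113.11' );

function example_client_ip() {
    // Only REMOTE_ADDR is vouched for by the web server; X-Forwarded-For and similar
    // headers are client-controlled unless a trusted proxy in front of you sets them.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '';
}

// Filtering phase: each rule looks at the request and returns true when it should be blocked.
function example_rules() {
    return array(
        'xmlrpc_not_allowlisted' => function ( $uri, $method, $ua, $ip ) {
            if ( false === strpos( $uri, '/xmlrpc.php' ) ) {
                return false;
            }
            // Inspection phase: compare the address with the trusted list.
            return ! in_array( $ip, explode( ',', EXAMPLE_XMLRPC_ALLOW ), true );
        },
        'empty_user_agent_post' => function ( $uri, $method, $ua, $ip ) {
            // Browsers always send a User-Agent; crude bots often send none.
            return 'POST' === $method && '' === trim( $ua );
        },
    );
}

// Returns the name of the first rule that matches, or null when the request may pass.
function example_evaluate( $uri, $method, $ua, $ip ) {
    foreach ( example_rules() as $name => $rule ) {
        if ( $rule( $uri, $method, $ua, $ip ) ) {
            return $name;
        }
    }
    return null;
}

// Middleman phase: mu-plugins load before WordPress handles the request, so a
// block here stops it before wp-login.php or xmlrpc.php ever sees it.
$example_uri = isset( $_SERVER['REQUEST_URI'] ) ? (string) $_SERVER['REQUEST_URI'] : '';
$example_hit = example_evaluate(
    $example_uri,
    isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : 'GET',
    isset( $_SERVER['HTTP_USER_AGENT'] ) ? $_SERVER['HTTP_USER_AGENT'] : '',
    example_client_ip()
);
if ( null !== $example_hit ) {
    // Log first: blocked requests are the signal you want to see in your reports.
    error_log( sprintf( 'request blocked: rule=%s ip=%s uri=%s',
        $example_hit, example_client_ip(), $example_uri ) );
    status_header( 403 );
    exit( 'Forbidden' );
}
```

Because the rules are ordinary functions, example_evaluate() can be exercised from WP-CLI or a test with made-up request values before the file goes live, and the log line gives you a way to count blocked requests per rule afterwards. Watch that log after deploying: a rule that blocks a legitimate integration shows up there first.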
Unlimited Login Attempts
WordPress uses a login-based system to separate the backend from the frontend, but hackers can exploit that with brute force attacks. In a brute force attack, hackers use an automated program to guess the login credentials by trying thousands of usernames and passwords. By default, there is no limit on failed login attempts, so WordPress won’t lock an IP address out even if it is constantly failing to log in.
Hence, it’s best to either change your WordPress login page or limit access by banning particular IP addresses. An easy yet effective method is the WP Limit Login Attempts plugin. Here is how to limit login attempts:
- Install and activate WP Limit Login Attempts plugin.
- Go to Tools > WP Limit Login.
- Configure the settings according to your preferences.
The plugin defeats brute force attacks by blocking an IP after a certain number of failed login attempts. To detect bots, it has a captcha feature, which can help get rid of them. Read the complete article about preventing brute force attacks in WordPress.
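For readers who want to see what "blocking an IP after a certain number of failed attempts" looks like under the hood, here is an added example (my own code, not the WP Limit Login Attempts plugin) of a minimal limiter as a must-use plugin. It counts failures per IP in WordPress transients, locks the address out once the threshold is reached, refuses authentication while locked, and writes a log line on every lockout so brute-force bursts are visible. The thresholds, the elal_ names and the file path are assumptions; wp_login_failed, authenticate, the transient functions and WP_Error are WordPress’s own.

```php
<?php
/**
 * Plugin Name: Example Login Attempt Limiter
 * Description: Added example (not the WP Limit Login Attempts plugin). Locks an IP address
 *              out after repeated failed logins, using WordPress transients as the counter.
 *              Assumed location: wp-content/mu-plugins/login-limiter.php
 */

// Tunables (assumed values; the real plugin exposes these on its settings page).
define( 'ELAL_MAX_ATTEMPTS', 5 );                 // failures allowed before lockout
define( 'ELAL_WINDOW', 15 * MINUTE_IN_SECONDS );  // how long failures are remembered
define( 'ELAL_LOCKOUT', 30 * MINUTE_IN_SECONDS ); // how long the lockout lasts

function elal_client_ip() {
    // REMOTE_ADDR is the only address the web server vouches for. Behind a trusted
    // reverse proxy, read the proxy's forwarded header instead; never trust
    // X-Forwarded-For from arbitrary clients, or the lockout is trivially bypassed.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Transient names for one IP: a failure counter and a locked-until timestamp.
function elal_keys( $ip ) {
    $hash = md5( $ip );
    return array( 'elal_fail_' . $hash, 'elal_lock_' . $hash );
}

// Count failures. Fires for wrong passwords and unknown usernames alike,
// including attempts that come in through xmlrpc.php.
add_action( 'wp_login_failed', function ( $username ) {
    $ip = elal_client_ip();
    list( $fail_key, $lock_key ) = elal_keys( $ip );

    if ( (int) get_transient( $lock_key ) > time() ) {
        return; // already locked out; do not let further attempts extend the count
    }

    $failures = (int) get_transient( $fail_key ) + 1;
    set_transient( $fail_key, $failures, ELAL_WINDOW );

    if ( $failures >= ELAL_MAX_ATTEMPTS ) {
        set_transient( $lock_key, time() + ELAL_LOCKOUT, ELAL_LOCKOUT );
        delete_transient( $fail_key );
        // Leave a trail: a burst of these lines is what a brute-force run looks like in the log.
        error_log( sprintf( 'login lockout: ip=%s user=%s attempts=%d', $ip, $username, $failures ) );
    }
} );

// Refuse authentication while an IP is locked out. Priority 100 runs after core's
// own username/password filters (priority 20), which would otherwise replace an
// earlier WP_Error with their own result.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( '' === (string) $username ) {
        return $user; // cookie-based auth passes no username; leave it alone
    }
    list( , $lock_key ) = elal_keys( elal_client_ip() );
    $until = (int) get_transient( $lock_key );
    if ( $until > time() ) {
        $minutes = (int) ceil( ( $until - time() ) / MINUTE_IN_SECONDS );
        return new WP_Error( 'elal_locked_out',
            sprintf( 'Too many failed logins. Try again in %d minute(s).', $minutes ) );
    }
    return $user;
}, 100, 3 );
```

Two design points worth noting. The lockout is keyed on the client address, so a botnet spreading guesses across many addresses is slowed per address but not stopped; that is why the plugin pairs the limit with a captcha. And the counter deliberately ignores attempts made during a lockout, so an attacker cannot keep the address locked forever simply by continuing to hammer it once the window expires.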
Thousands of WordPress sites are hacked every year. It’s better to be safe than sorry. WordPress core is as secure as they come, but there are certain features which should always remain optional and in plugin territory. Just because a site has not been hacked so far does not mean it is safe. There are times when you don’t even know your site is compromised: according to a Wordfence survey, 61.5% of respondents did not know their site was compromised.
So, instead of waiting for something bad to happen, you must at least take preventive measures against these threats. I’m sure they can protect you from the first-level attacks.
Finally, you can catch all of my articles on my profile page, and you can follow me or reach out on Twitter @mrahmadawais to discuss this article. As usual, don’t hesitate to leave any questions or comments below, and I’ll aim to respond to each of them.