A recent WordPress vulnerability led to a wave of defaced web sites. WordPress is an easy platform to use, and one used in many attacks. Here's why, and what you can do to protect a WordPress site.
Why WordPress Is Attacked
WordPress is a very powerful platform. It makes it easy for novices and non-developers to build their own customizable web sites that are easily updated and very social. But that ease of use can also mean ease of being used in attacks. The WordPress core is augmented by any number of third-party plug-ins, so patching and maintaining a WordPress site can be tricky.

Recently, several security issues caused many sites to be defaced. The update released on January 26th fixed several issues, the worst of which WordPress described as an "unauthenticated privilege escalation vulnerability was discovered in a REST API endpoint." The bottom line? Without logging in, an attacker could modify any post on the site and publish whatever content they wanted. Soon after the patch was released and the vulnerability disclosed, unpatched sites came under attack. So why didn't all of us running WordPress sites immediately update? For the same reason we don't immediately install Windows patches: we fear a new release will break a nicely running system, so we hold back a bit before we update.
Advice for Protecting Your Sites
I run several WordPress sites. Here are some recommendations I would pass along to those of you who also run WordPress sites:
- Set up the site to update itself: We all hesitate to let our machines, sites, servers, or anything else update automatically, but a public web site is under constant attack from malicious actors, so it is wise to let WordPress update itself. Minor and security releases (the January 26th update was one) install automatically by default unless that has been turned off, so check that it has not been, and consider enabling automatic updates for plug-ins and themes as well. You may even consider using a service that hosts WordPress for you so that you don't have to worry about updating it yourself.
- Keep plug-ins up to date: Third-party plug-ins are often the way in. They are not written by WordPress but by any number of third-party developers who build on the WordPress base. Before you install a plug-in, check that its developer is maintaining it and releasing updates regularly. If a plug-in on your site is old and hasn't been updated in a long time, it's time to look for another plug-in that does the same thing; the WordPress plug-in marketplace is vast, so you can usually find one.
- Watch the permissions on the site: Be careful how you set file and directory permissions when setting up the site, and be skeptical of third-party guidance on permissions (advice to make directories world-writable so that a plug-in "works" should be a red flag). WordPress publishes hardening guidance on its own site; follow that.
- Don't forget the other parts of the stack: If your site runs on Linux, the operating system needs to be kept up to date as well. Also watch which version of PHP the site runs on, since old PHP versions stop receiving security fixes. Don't know what these are? Then it may be time to move to a host that advertises keeping you up to date, or to host on WordPress.com itself.
- Not comfortable running WordPress on Linux? You can also run a WordPress site on Windows, and even on Azure, Microsoft's cloud platform. The unique thing about hosting on Azure is that you have to buy an external MySQL service to hold the WordPress database; as noted in the Scott Ge blog post from a few years ago, that meant purchasing a database from the vendor ClearDB.
- Look for third-party tools to help secure your site: One I recommend is the Wordfence plug-in, which monitors the site and adds defenses such as brute-force login blocking and geographic filtering.
- And don't forget the obvious: have a backup. A good backup is so often the key to recovering from an attack. Set up automatic backups of the site and, if you host it yourself, of the server hosting the site. If a third party hosts your WordPress site, check their backup schedule and make sure the site is backed up, preferably daily. Keep the backups somewhere the web server cannot overwrite them; a backup sitting inside the site's own directory gets defaced or deleted along with the site.
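The update, permission and backup items above, as one maintenance script. This is an added example and not code from the original post. It assumes WP-CLI (the `wp` command) is installed, that the script runs as the Unix user that owns the WordPress files, and that the site directory and a backup directory outside the web root are passed as the first and second arguments. Directories 755 and files 644 follow the WordPress hardening guide; wp-config.php is set to 600 here (readable and writable only by its owner) because it holds the database password, and the guide's suggestion of 400 or 440 is stricter still.

```shell
#!/bin/sh
# wp-maintain.sh: added example, not from the original post.
# Assumes: WP-CLI installed as `wp`; run as the user that owns the site files.
# Usage: sh wp-maintain.sh /var/www/example.com /var/backups/example.com
set -eu

# Bring core, plug-ins and themes up to date, then verify the core files
# against the wordpress.org checksums (this catches tampered files, not
# just stale ones). Finally list the plug-ins so that ones whose author
# has stopped updating them can be reviewed by hand.
wp_update_all() {
    site="$1"
    wp --path="$site" core update
    wp --path="$site" core update-db
    wp --path="$site" plugin update --all
    wp --path="$site" theme update --all
    wp --path="$site" core verify-checksums
    wp --path="$site" plugin list --fields=name,version,update,status
}

# Apply the permission scheme: directories 755, files 644,
# wp-config.php 600 (it holds the database password).
fix_permissions() {
    site="$1"
    find "$site" -type d -exec chmod 755 {} +
    find "$site" -type f -exec chmod 644 {} +
    if [ -f "$site/wp-config.php" ]; then
        chmod 600 "$site/wp-config.php"
    fi
}

# Print every path that deviates from that scheme, one per line; empty
# output means the tree is clean. Suitable for a daily cron job whose
# output is mailed to you: a plug-in install guide that asked for 777
# directories shows up here.
audit_permissions() {
    site="$1"
    find "$site" -type d ! -perm 755
    find "$site" -type f ! -name wp-config.php ! -perm 644
    find "$site" -maxdepth 1 -name wp-config.php ! -perm 600
}

# Daily backup: a database dump plus a tarball of the files, dated and
# kept outside the web root so a defacement cannot take the backups
# with it. Keeps 14 days of history.
backup_site() {
    site="$1"
    dest="$2"
    stamp=$(date +%Y%m%d)
    mkdir -p "$dest"
    wp --path="$site" db export "$dest/db-$stamp.sql"
    tar -czf "$dest/files-$stamp.tar.gz" -C "$site" .
    find "$dest" -type f -mtime +14 -delete
}

# Only run the live steps when invoked with arguments, so the functions
# can also be sourced and used one at a time.
if [ "$#" -ge 2 ]; then
    wp_update_all "$1"
    fix_permissions "$1"
    audit_permissions "$1"
    backup_site "$1" "$2"
    # Print the PHP version so it can be checked against php.net's support dates.
    php -r 'echo "PHP ", PHP_VERSION, "\n";'
fi
```

Run it from cron once a day; the audit output is the part worth reading, since a clean tree prints nothing and anything else names a file or directory that something on the server changed.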
User Access is Key
When you set up WordPress, don't overlook one of the most basic ways to secure a site: choose a strong password. You may even want to set up two-factor authentication, especially for the admin login. For those hosting on WordPress.com, two-factor is available. If you don't host your site there, consider adding a plug-in that provides two-factor authentication; several are available for self-hosted sites.
If you run a multi-user WordPress site, a forum, or any other multi-user use of WordPress, limit administrator access and assign read and edit rights appropriately. Follow the guidelines provided by the multi-user plug-ins you use, and do not set up everyday users with super-admin rights.
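An added example (not code from the original post) of auditing who holds administrative power on a multi-user site and of creating a less privileged content role, using WP-CLI. It assumes `wp` is installed and that the site path is passed as the first argument. The role name `publisher` is made up for the example, and the list of dangerous capabilities is my own selection of the WordPress capabilities that let a user change code, other accounts, or site settings.

```shell
#!/bin/sh
# wp-roles.sh: added example, not from the original post. Assumes WP-CLI.
# Usage: sh wp-roles.sh /var/www/example.com
set -eu

# Capabilities that let a user change code, other accounts or site
# settings. None of them belongs on an everyday content role.
DANGEROUS_CAPS="unfiltered_html unfiltered_upload edit_users create_users \
delete_users promote_users install_plugins edit_plugins activate_plugins \
install_themes edit_themes edit_files update_core manage_options"

# Read capability names on stdin, one per line (the output format of
# `wp cap list <role>`), and print the dangerous ones found.
find_dangerous_caps() {
    while read -r cap; do
        for d in $DANGEROUS_CAPS; do
            if [ "$cap" = "$d" ]; then
                echo "$cap"
            fi
        done
    done
}

# Report every administrator account and every dangerous capability held
# by the content roles. Each line printed should have a reason to exist.
audit_roles() {
    site="$1"
    echo "== administrators =="
    wp --path="$site" user list --role=administrator --fields=ID,user_login,user_email
    for role in editor author contributor subscriber; do
        echo "== dangerous capabilities on role '$role' =="
        wp --path="$site" cap list "$role" | find_dangerous_caps
    done
}

# Create a 'publisher' role cloned from editor but without unfiltered_html,
# the capability that allows posting raw HTML and script (on a single-site
# install, editors have it by default). Then remove it from the built-in
# editor role as well.
harden_roles() {
    site="$1"
    wp --path="$site" role create publisher "Publisher" --clone=editor
    wp --path="$site" cap remove publisher unfiltered_html
    wp --path="$site" cap remove editor unfiltered_html
}

# Audit by default; hardening changes roles, so call it deliberately.
if [ "$#" -ge 1 ]; then
    audit_roles "$1"
fi
```

Move users from `editor` to `publisher` with `wp user set-role <login> publisher` once the new role exists, and keep the administrator list to the one or two people who actually maintain the site.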