WordPress Website Security

WordPress Security

WordPress security is very important. Hackers are always scanning for web exploits and vulnerabilities.

Your site will be safe and protected with our 24/7 server-side proactive web monitoring services.

If anything out of the ordinary does happen, your site will be wiped and restored to normal in minutes.

WordPress Vulnerabilities

Check out some of the different types of WordPress security vulnerabilities below.

  1. Backdoors
  2. Pharma Hacks
  3. Brute-force Login Attempts
  4. Malicious Redirects
  5. Cross-site Scripting (XSS)
  6. Denial of Service

  1. A backdoor gives a hacker a hidden passage that bypasses the site's normal security to gain access to a WordPress website through abnormal methods – wp-admin, SFTP, FTP, etc. Once exploited, backdoors enable hackers to wreak havoc on hosting servers with cross-site contamination attacks, compromising multiple sites hosted on the same server. In Q3 2017 Sucuri reported that backdoors continue to be one of the many post-hack actions attackers take, with 71% of the infected sites having some form of backdoor injection. Canton Becker has an amazing post on how you can clean up the backdoor mess on your WordPress website.
  2. The Pharma Hack exploit is used to insert rogue code into older versions of WordPress websites and plugins, causing search engines to return ads for pharmaceutical products when a compromised website is searched for. The vulnerability is more of a spam menace than traditional malware, but it gives search engines enough reason to block the site on accusations of distributing spam. You resolve it by following the cleanup instructions from this Sucuri blog.
  3. The most common brute-force login attempts use automated scripts to exploit weak passwords and gain access to your site. Two-step authentication, limiting login attempts, monitoring unauthorized logins, blocking IPs and using strong passwords are some of the easiest and most effective ways to prevent brute-force attacks.
  4. In a malicious redirect attack, the attacker creates backdoors in the WordPress installation using FTP, SFTP, wp-admin, and other protocols and injects redirection code into the website. The redirects are often placed in your .htaccess file and other WordPress core files in encoded forms, directing the web traffic to malicious sites.
  5. Cross-Site Scripting (XSS) is when a malicious script is injected into a trusted website or application. The attacker uses this to send malicious code, typically browser-side scripts, to the end user without them knowing it. The purpose is usually to grab cookie or session data or perhaps even rewrite HTML on a page.
  6. Denial of Service (DoS) vulnerability exploits errors and bugs in the code to overwhelm the memory of website operating systems. Hackers have compromised millions of websites and raked in millions of dollars by exploiting outdated and buggy versions of WordPress software with DoS attacks.

Checklist for Securing WordPress

  • Check that you have the latest version of WordPress.
  • Check that automatic updates are turned on.
  • Check that you have the latest version of all Plugins and Themes.
  • Check that you have strong and strict passwords.
  • Check that you have 2-factor authentication (2FA) enabled.
  • Check that you have a plugin to protect you from brute force password attacks.
  • Check that, if you’re using passwords to log in, your login form is HTTPS only.
  • Check that there’s no account with the default name “Admin” on your site.
  • Check that you are not developing over an insecure channel (like FTP).
  • Check that the folders in your WordPress installation have the correct permissions.
  • Check that the files in your WordPress installation have the correct permissions.
  • Check that your separate WordPress sites use separate databases.
  • Check that your database is not using the default wp_ table prefix.
  • Check that your database user has the minimum necessary set of permissions.
  • Check that your wp-config.php file is protected.
  • Check that your wp-includes folder is protected.
  • Check that you have a secure .htaccess file.
  • Check that file editing from the dashboard is disabled.
  • Change your domain listing to private. If customers want to find out more about you and your company, create an information page for them.
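
Several of the checklist items can be verified from the filesystem. The following is an added example, not code from the original page: it audits one WordPress directory for the default `wp_` table prefix, dashboard file editing, the protection of wp-config.php, and file and folder permissions. The function names and the permission baseline (folders at most 755, files at most 644, wp-config.php not accessible to other users) are assumptions; the page itself does not state numeric modes.

```python
import os
import re
import stat
import tempfile


def audit_wordpress(root):
    """Return sorted checklist findings for the WordPress install at root."""
    findings = []
    cfg_path = os.path.join(root, "wp-config.php")
    with open(cfg_path, encoding="utf-8", errors="replace") as fh:
        # Drop comments so a commented-out define() does not count as set
        cfg = re.sub(r"/\*.*?\*/|^[ \t]*(?://|#)[^\n]*", "", fh.read(),
                     flags=re.S | re.M)
    prefix = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", cfg)
    if prefix is None or prefix.group(1) == "wp_":
        findings.append("default wp_ table prefix")
    m = re.search(
        r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*(true|false)\s*\)",
        cfg, re.I)
    if not (m and m.group(1).lower() == "true"):
        findings.append("dashboard file editing not disabled")
    if stat.S_IMODE(os.stat(cfg_path).st_mode) & 0o007:
        findings.append("wp-config.php accessible to other users")
    # Assumed baseline: directories at most 755, files at most 644
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            st = os.lstat(os.path.join(dirpath, name))
            if stat.S_ISLNK(st.st_mode):
                continue
            limit = 0o755 if stat.S_ISDIR(st.st_mode) else 0o644
            mode = stat.S_IMODE(st.st_mode)
            if mode & ~limit:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append(f"{rel} is {mode:o}, wider than {limit:o}")
    return sorted(findings)


def demo():
    """Audit a constructed install (sample data, not a real site)."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "wp-config.php"), "w") as fh:
            fh.write("<?php\n$table_prefix = 'wp_';\n"
                     "// define('DISALLOW_FILE_EDIT', true);\n")
        os.chmod(os.path.join(root, "wp-config.php"), 0o644)
        os.makedirs(os.path.join(root, "wp-content", "uploads"))
        os.chmod(os.path.join(root, "wp-content"), 0o755)
        os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)
        return audit_wordpress(root)
```

The constructed install fails four checks: the default prefix, file editing left on because the `define()` is commented out, a world-readable wp-config.php, and a world-writable uploads folder.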

These are some of the most essential protections; there are many more. To know more, please contact us.


How Can We Help?

  • Proactive updating of WordPress core, plugins and themes.
  • Adoption of market-proven best practices for WordPress security.
  • 24/7 monitoring of website availability and service anomalies.
  • Regularly scheduled security penetration tests for your WordPress website.
  • In case of unforeseen circumstances, we will be able to restore a backup copy of the website in a few minutes.