WordPress and security: that's quite a controversial combination of words, but it's possible. So let's see what it's all about.
A website's normal operation can be compromised using many tools and methods, and combinations of them.
Even if you secure a WordPress installation, the operating system, internal network, web server, MySQL server and PHP software should also be taken good care of, a topic well beyond the scope of this article. Let's at least try to secure the WordPress installation itself.
Even assuming the system administrator or web hosting provider took care of installing an adequate Linux server distribution (Red Hat or SUSE, for example), secured their network, updates the Linux software regularly and follows best practices for hardening a Linux server (quite a few assumptions, I would say), that would still not be enough to claim a freshly installed WP site secure.
So far we have mentioned security, but what I also consider very important is exploring the basics of how a WordPress site gets compromised. In other words, know your enemies so that you can defend a bit more efficiently.
Let's mention wpscan (https://wpscan.org), which can scan any WordPress website and show details like the WordPress version, installed plugins and their versions. It can even let you log into the admin panel of a WP site (by brute-forcing), provided the site is not secured.
Combine the information extracted by wpscan with the 80 WordPress exploits found in the Metasploit framework (https://github.com/rapid7/metasploit-framework) and things start to get worrying, which is normal.
To enter a WP site without the owner's permission you need to visit its unsecured wp-login.php, find a valid username and brute-force the password. Wpscan and Metasploit are the security auditing tools you need.
Example of an unsecured WP login form:
http(s)://domain.net/wp-login.php. If this is applied to a real domain running WordPress, it's safe to call it a problem.
We have an unsecured WP login but no username and no password.
Enumerating existing WP users. Here is how:
http(s)://domain.net?author=1 usually spits out the handle for author 1; other numbers can be used for sites with more authors. The link in the browser will show you the username 🙂
All you need to do is brute-force or social-engineer the password and you are done: another testing site pwned.
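The two steps just described (walking ?author=N and hammering wp-login.php) leave a recognisable trace in the web server access log. The script below is an added example, not code from the original post: it flags client IPs doing either, assuming Apache/nginx combined-format log lines (the sample log and its IPs are constructed).

```python
"""Flag client IPs that walk the two steps above: ?author=N user enumeration and
wp-login.php password brute force, from Apache/nginx "combined" access-log lines.
The sample log is constructed for this example; its IPs are documentation ranges."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
AUTHOR_RE = re.compile(r'^/\?author=(\d+)$')  # the enumeration probe from the post
LOGIN_THRESHOLD, LOGIN_WINDOW_S = 4, 60     # N login POSTs inside W seconds => flag

SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /?author=2 HTTP/1.1" 301 0
198.51.100.4 - - [10/Mar/2024:10:05:00 +0000] "GET /?author=1 HTTP/1.1" 301 0
198.51.100.4 - - [10/Mar/2024:10:05:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.9 - - [10/Mar/2024:10:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3200
203.0.113.9 - - [10/Mar/2024:10:10:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3200
203.0.113.9 - - [10/Mar/2024:10:10:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3200
203.0.113.9 - - [10/Mar/2024:10:10:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3200
"""

def parse(line):
    m = LOG_RE.match(line)  # None for anything that is not a combined-format line
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def analyse(lines):
    author_ids = defaultdict(set)    # ip -> distinct author ids requested
    login_posts = defaultdict(list)  # ip -> timestamps of POST /wp-login.php
    for rec in filter(None, map(parse, lines)):
        m = AUTHOR_RE.match(rec["path"])
        if m:
            author_ids[rec["ip"]].add(int(m.group(1)))
        if rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            login_posts[rec["ip"]].append(rec["ts"])
    flagged = defaultdict(set)       # ip -> reasons it was flagged
    for ip, ids in author_ids.items():
        if len(ids) >= 2:  # a single ?author= hit can be a legitimate archive link
            flagged[ip].add("author-enumeration")
    for ip, times in login_posts.items():
        times.sort()  # any LOGIN_THRESHOLD consecutive POSTs inside the window => flag
        if any((times[i + LOGIN_THRESHOLD - 1] - times[i]).total_seconds() <= LOGIN_WINDOW_S
               for i in range(len(times) - LOGIN_THRESHOLD + 1)):
            flagged[ip].add("wp-login-bruteforce")
    return dict(flagged)
```

Feed it your real access log with `analyse(open("access.log"))`; tune the threshold and window to your own login traffic before acting on the output.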
What we, as WP admins, can do to reduce (ideally avoid) such damage:
Simple recommendations would be something like:
- Keep the system up to date
- Update WordPress regularly
- Install a WP security plugin
- Use strong passwords
I will add one more thing: do not be afraid to configure your WordPress user to be displayed by Name or Nickname when posting content on the website; it should make the "enumerating existing WP users" step a bit more fun for any attacker.
Install iThemes Security: loaded with 31 modules, this plugin is no joke. There you can configure network and local brute-force protection, and audit website file access permissions and changes.
Most importantly, iThemes allows you to obfuscate that unsecured login form, wp-login.php, with any custom string you select and don't share with strangers.
There are system and WP-specific tweak sections in this plugin. iThemes also has a premium version which adds even more firepower to the mix.
If you update WP and its plugins regularly and use a security plugin like iThemes, your site will be much harder to exploit. Maybe it's not 100% secure, but 80+% is good enough for casual use.