How can you protect against WordPress security vulnerabilities? What are the correct steps to take to ensure that your website is secure, running efficiently, and not vulnerable to hacking and other issues?
Allowing your website to be out-of-date
This can happen in a variety of ways: the WordPress core version, the plugins, or the theme files may all fall behind. It is a very common issue that plagues many WordPress sites, and it comes down to poor management and oversight.
We believe this happens because a website can survive in this overlooked state for a while, even though damage is being done in the background. Treat a website the way you would treat your car or your house: water and fertilize the lawn regularly, get the oil changed and the tires tuned up, and it will last much longer. Sure, you can drive a car for 60,000 miles without an oil change, but how long is it going to last?
The website database is where all necessary website data is stored. The MariaDB version that is probably the most widely used on cPanel and WordPress hosting has been sunsetted, that is, declared end-of-life. Within the next few weeks that version will no longer be supported, so hackers and bots will be looking for sites that are still on it, because its known vulnerabilities become much easier to exploit once developers stop putting work into security patches.
Making sure that your plugins are kept up to date is a first step. We like to say, “A website is a concert of many things working together in order to show your live website. If one thing is out of whack, you’re going to have issues.” As with a home where the lawn is left to grow, letting things go a long time without updating causes problems. Whether you are handling updates yourself or have professional website management in place, make sure that the basic steps outlined in this article are happening regularly.
There’s a big difference between well-built plugins and plugins developed by random developers. We’ve said it many times to clients, “Hey, there’s a big difference, for example, between buying direct from WooCommerce and knowing you’re going to get a certain level of plugin development, and downloading some random thing where who knows what kind of damage it will do to the site.” The other problem with random plugins is that if they’re not maintained and kept up to date with the current WordPress code base, they may become incompatible and end up breaking.
If you’re not on top of this, things break: we have seen many instances where sites stopped delivering contact form submissions because the contact form plugin was not up to date, or because of captcha issues.
It is important to check regularly with your theme developer for updates, as themes are likely to malfunction or stop working as the underlying WordPress version continues to update over time. Sourcing your themes from professional developers will save you a fortune in time, resources and energy over the life of your website. For more on this subject, check out our blog about 6 things to consider when redesigning a website.
So what about access? Far too often, access is handed out to third parties without any control over who has full access, who has restricted access, and who has no access. Maintaining that level of control is the first step. From a development standpoint, or as the owner of a website, giving out your cPanel login is like giving out your social security number. A few people should have it; most should not.
Outside of your trusted web developer, there is no need for anyone else to have it, because there is nothing they should need from it. If someone is updating a blog, you can set permissions within WordPress to give them access only to the blog. They should not be able to update themes or plugins or add extra files. The same goes for administrator accounts. It’s good practice, especially if you run an eCommerce site with a lot of employees accessing the back-end regularly, to audit quarterly, or at least every six months, who has access and what they are actually doing in the back-end.
There are plugins and ways to monitor the logs to see who has accessed the site and when they last logged in. If someone hasn’t accessed your site in weeks or months, they probably don’t need access at all, so it’s good practice to remove it.
You can also enforce how strong a password must be. If someone is using the password password123 or the username admin, that’s asking for trouble. Make sure sufficiently strong passwords are in place.
We personally love using LastPass. Strong passwords are generated and stored automatically by the service, we can grant access to team members, and we can maintain stringent password requirements. Making sure you have secured usernames and passwords is very important.
There are security plugins out there that do an excellent job of monitoring and ensuring the integrity of your website. Our personal favorite is Wordfence. With it you can really lock down the back-end, including changing the admin URL. Most sites just use the default website.com/wp-admin. Anyone who is interested can tell from the browser developer tools that your site runs WordPress, and can then try the default WP admin URL to see whether it is accessible.
One thing we try to do for clients: once the admin page has been moved, anyone who tries to access the default WP admin URL is automatically blocked. If that isn’t the URL for reaching the back-end and someone tries it anyway, they clearly don’t know where they should be going and probably have no business in the back-end. You can also set a default lockout rule. Say you terminate an employee and they try to start accessing the back-end: if they enter an invalid username, or an invalid password too many times, that IP is blocked. They would then have to go through extra steps to get into the back-end, and would most likely be unsuccessful.
Wordfence also maintains a huge database of blacklisted IPs, and any request from one of them is automatically denied, which is wonderful. That is the benefit of a plugin running on a huge number of WordPress websites.
Monitoring Analytics Traffic
You can get a lot of good data from Google Analytics, Adobe Analytics, Omniture, or whatever you use to monitor your site. You can start to see which pages are being crawled, which gives you an indication of how much of a target you are for bots. If you find a bunch of requests to random pages that don’t currently exist on your site, you can either put redirects in, or at least be aware that a bot is trying to crawl your site and that you may need to add something like New Relic or another high-level security platform to ensure that your site is secured.
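As an added example (not code from the original post or from any plugin), the PHP below applies the two ideas above, flagging an IP that hammers the login form with repeated attempts and an IP probing for pages that don’t exist, to a slice of web-server access-log lines; the sample log lines, the 10-minute window and the threshold of five hits are constructed assumptions.

```php
<?php
// Added example (not from the original post): scan access-log lines for the two
// patterns discussed above: repeated POSTs to wp-login.php (failed-login floods)
// and bursts of 404s (a bot probing for pages that do not exist).
// Sample log lines are constructed; the window and threshold are assumed values.

const WINDOW_SECONDS = 600; // events are counted within a 10-minute sliding window
const THRESHOLD = 5;        // hits inside the window before an IP is flagged

// Parse one Apache/Nginx "combined" log line; returns null for unparsable lines.
function parse_log_line(string $line): ?array {
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    $ts = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    return $ts === false ? null : ['ip' => $m[1], 'time' => $ts->getTimestamp(),
        'method' => $m[3], 'path' => $m[4], 'status' => (int) $m[5]];
}

// Return [ip => count] for IPs with at least THRESHOLD matching events
// inside any WINDOW_SECONDS span; $matches selects which events count.
function flag_ips(array $events, callable $matches): array {
    $byIp = [];
    foreach ($events as $e) {
        if ($matches($e)) { $byIp[$e['ip']][] = $e['time']; }
    }
    $flagged = [];
    foreach ($byIp as $ip => $times) {
        sort($times);
        for ($i = 0, $j = 0, $n = count($times); $i < $n; $i++) {
            while ($j < $n && $times[$j] - $times[$i] <= WINDOW_SECONDS) { $j++; }
            if ($j - $i >= THRESHOLD) { $flagged[$ip] = $j - $i; break; }
        }
    }
    return $flagged;
}

// Constructed sample: 203.0.113.5 hammers the login form, 198.51.100.7 probes for
// missing pages, 192.0.2.1 is an ordinary visitor.
$lines = ['192.0.2.1 - - [10/Oct/2023:13:02:10 +0000] "GET /about/ HTTP/1.1" 200 5000 "-" "Mozilla/5.0"'];
for ($k = 0; $k < 6; $k++) {
    $lines[] = sprintf('203.0.113.5 - - [10/Oct/2023:13:%02d:00 +0000] "POST /wp-login.php HTTP/1.1" 200 900 "-" "-"', $k);
    $lines[] = sprintf('198.51.100.7 - - [10/Oct/2023:13:%02d:30 +0000] "GET /page-%d/ HTTP/1.1" 404 300 "-" "-"', $k, $k);
}
$events = array_values(array_filter(array_map('parse_log_line', $lines)));
$logins = flag_ips($events, fn($e) => $e['method'] === 'POST' && $e['path'] === '/wp-login.php');
$probes = flag_ips($events, fn($e) => $e['status'] === 404);
print_r(['repeated_logins' => $logins, 'probing_missing_pages' => $probes]);
```

Feed it real log lines and the flagged IPs are the ones worth adding to a Wordfence block rule or redirect list; the ordinary visitor is never flagged.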
One easy target is your forms, whether a newsletter sign-up, a contact form or a PDF download form. Oftentimes a form is just dropped in asking for a name, maybe a phone number, an email address, and a submit button. There are two things you can easily add to most forms. The first is a honeypot, a field that is not visible to the user but is present in the form’s HTML and on the back-end. If I’m a user filling out a contact form that asks for a name, phone number and email address, and I press submit, that’s three fields that should come through to the server.
The honeypot adds a fourth field that I never see. A bot doesn’t know that, because it isn’t looking at the rendered front end of your site; it is reading the form’s HTML. So it sees four fields: it fills in a name, recognizes the phone field and enters a fake phone number, and enters a fake email address. What it won’t do is understand that the last field, labelled as something like a company name or position, is a trap, so it puts data in there too. Because that field is not visible and yet contains data, the server knows the submission is fake and rejects it, including any file the bot tried to upload. That’s the first part.
The other part is restricting what you allow to be uploaded. In almost all cases there is no need to accept anything other than a PDF, JPEG, DOC or XLS. Those are all valid formats, and the web server will not execute them as code the way it would a PHP file. If you don’t block other file types, someone can upload a PHP file and that code will live on your server. Simply making sure the right restrictions are set on a file upload field will stop a lot of sites from being attacked from within.
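As an added example (not code from the original post or from any form plugin), here is a PHP validator that performs both checks described above: a hidden honeypot field and an upload allowlist verified against the file’s real content rather than its name; the honeypot field name company_website and the demo submission are assumptions.

```php
<?php
// Added example (not from the original post or any plugin): server-side checks for
// the two form defences described above, a hidden honeypot field and an allowlist of
// upload types verified against the file's real content. The honeypot field name
// "company_website" and the demo submission at the bottom are assumptions.
// Accepted extensions, each with the MIME type the file's bytes must actually carry.
const ALLOWED_UPLOADS = [
    'pdf' => ['application/pdf'], 'jpg' => ['image/jpeg'], 'jpeg' => ['image/jpeg'],
    'doc' => ['application/msword'], 'xls' => ['application/vnd.ms-excel'],
];

// $post holds the submitted fields, $file one entry of $_FILES (null when no upload).
// Returns the reasons to reject the submission; an empty array means it is clean.
function validate_contact_submission(array $post, ?array $file): array {
    $errors = [];
    // Honeypot: hidden from visitors with CSS, so a human leaves it empty, while a
    // bot that fills in every input it finds in the HTML reveals itself here.
    if (trim($post['company_website'] ?? '') !== '') {
        $errors[] = 'honeypot field was filled in';
    }
    foreach (['name', 'email', 'phone'] as $required) {
        if (trim($post[$required] ?? '') === '') { $errors[] = "missing field: $required"; }
    }
    if (($post['email'] ?? '') !== '' && !filter_var($post['email'], FILTER_VALIDATE_EMAIL)) {
        $errors[] = 'email address is not valid';
    }
    if ($file !== null) {
        // Judge the last extension only, then confirm the content matches it, so a
        // PHP script renamed to "invoice.pdf" fails the second check.
        $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
        if (!isset(ALLOWED_UPLOADS[$ext])) {
            $errors[] = "upload type not allowed: .$ext";
        } else {
            $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
            if (!in_array($mime, ALLOWED_UPLOADS[$ext], true)) {
                $errors[] = "upload content ($mime) does not match .$ext";
            }
        }
    }
    return $errors;
}

// Constructed demo: a PHP file renamed to .pdf is rejected on its bytes, not its name,
// and a submission with the hidden field filled in is rejected as a bot.
$tmp = tempnam(sys_get_temp_dir(), 'upload');
file_put_contents($tmp, "<?php echo 'not really a pdf'; ?>");
$post = ['name' => 'Ada', 'email' => 'ada@example.com', 'phone' => '555-0100', 'company_website' => ''];
print_r(validate_contact_submission($post, ['name' => 'invoice.pdf', 'tmp_name' => $tmp]));
print_r(validate_contact_submission(array_merge($post, ['company_website' => 'spam']), null));
unlink($tmp);
```

In a real form handler the submission comes from $_POST and $_FILES, and a non-empty result means the request should be dropped without storing the upload or sending the email.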
Actionable Steps to Improve Website Security
Please seek professional assistance to ensure that your website is safe and secure. Make sure that the following items are all taken into account:
- Your plugins and your core files are up to date.
- Before you update anything, you need to make sure you have a full backup.
- Your plugins are maintained regularly, at least every couple of weeks.
- You’re using the most current PHP and database versions available for the type of server you have.
- Audit your users and make sure only the people that need access to your site still have access.
- You have some sort of security plugin at the bare minimum on your site like Wordfence.
- The right permissions are set. There are a ton of settings, so don’t go crazy unless you know what you’re doing.
- Check Google Analytics and make sure you’re not seeing requests for random pages that don’t exist or aren’t publicly available on your site.
- Your contact forms are properly secured.
Additionally, having professional hosting services for your website is imperative if you are to be competitive, secure, and up to date with the latest technologies. Check out our blog post about why good website hosting is important.
We hope that you have taken away some actionable steps on how to improve your website security and protect yourself against security vulnerabilities with this information.