Even if we allow that some of the hype is media scaremongering, it’s still a sobering thought that the sites you work so hard on can be taken away, broken, or used to distribute malware.<\/p>\n
It’s frustrating when your hard work gets stolen or ripped off. That’s why we decided to write a quick tutorial on the common threats that WordPress sites face and some easy ways that you can reduce the threats to them. We tried to make this as easy as we could without too much technical mumbo-jumbo.<\/p>\n
First we’ll go over six of the most common threats to WordPress sites and how to fix them. At the end we have some suggestions on software and plugins to use when securing your site.<\/p>\n
Threat #1: Brute Force Password Attacks<\/h2>\n
Brute force password attacks are when a computer tries to guess your login information by trying every combination of numbers and letters it knows. For a person, this could take years, but for a computer it could guess a relatively short password in minutes<\/a>.<\/p>\n This is especially dangerous if the attacker already knows your username. It’s just one fewer thing they have to guess.<\/p>\n But hang on, how could they know your username? Well, if you left it as \u201cadmin\u201d then they already do.<\/p>\n Even if you’ve changed the username from \u201cadmin\u201d (and you really should), there are still ways of finding it out.<\/p>\n Type in your browser window \u201cmy-site.com\/?author=1\u201d (replace my-site with your domain name and add your WordPress subdirectory if it’s not on your main domain, so this could be example.com\/blog\/?author=1).<\/p>\n Most often, you’ll see your username come up. If not, try typing the same thing again with 2 at the end, and keep going until 10. You’ll see your username soon enough.<\/p>\n Once an attacker has your username, they can try to brute force your password.<\/p>\n If you have an easy password, then believe me \u2013 the only reason your site hasn’t been hacked yet is that nobody has really tried to.<\/p>\n There are plugins out there to prevent user enumeration, but the best ways to prevent brute-force password attacks are to choose a strong password and limit login attempts.<\/p>\n It goes without saying that \u201cadmin\/123456\u201d is not a good username\/password combination (although it is distressingly common). A strong password is long, not a word from the dictionary or Wikipedia (in any language), and contains a variety of symbols.<\/p>\n CLU is the acronym to remember: Complex, Long, and Unique.<\/p>\n That, unfortunately, also makes your passwords almost impossible to remember.<\/p>\n One option is to use a pass phrase instead of a single word. A computer is going to take a long time guessing a 25-character phrase (assuming 1000 guesses per second, that’s 550 years – source<\/a>) that’s comparatively easy for a person to remember \u2013 it’s harder for a computer to guess a random phrase than it is to guess just one word. A password like “B0ndfriskingmaniacvillain” can be easy to remember, but very hard for a computer to brute-force.<\/p>\n Just remember – if your attempts to make a secure password lead you to writing it down and sticking it onto your monitor, then that’s already a bad password.<\/p>\n If you prefer even more secure passwords, or want a way to avoid having to remember them, there are some resources you can use for that. We’ll include a couple in our list at the end of this article.<\/p>\n You can also enable multi-factor authentication, and there are great programs in our list that let you do that as well. It can seem like a pain, but effective security measures often mean that we need to change our habits just a little bit.<\/p>\n No matter how strong your password is, if someone has an infinite number of attempts to guess it, they eventually will. On the other hand, even a relatively weak password can’t be guessed in just a couple of tries.<\/p>\n Good security plugins and software (you can skip to the end of the article for our suggestions) will limit the number of unsuccessful login attempts and block IP addresses that try to brute-force your passwords.<\/p>\n Remember that no reputable developers try to make software with security flaws. That means that when something comes up<\/a>, developers stay up all hours patching their software and fixing the code.<\/p>\n Imagine their disappointment when people don’t update their sites. A new version of the code isn’t going to help if you’ve still got the old version on your site because clicking the “update” button was too hard.<\/p>\n Check your plugins and themes regularly to make sure that they aren’t out of date and that they don’t have serious security risks. It also makes the developers happy that people value their work.<\/p>\n Another important thing to remember here \u2013 people who crack and distribute free versions of WordPress themes? They’re usually including some of their own code in there. And when we say \u201ccode\u201d, we mean \u201cviruses, Trojans, and backdoors\u201d that they can use to damage your site.<\/p>\n Enough said. The latest versions are the versions with problems that nobody knows yet. In the world of information security that’s as good as it gets.<\/p>\n Also, don’t try to pirate themes. It’s just not worth it. Only download themes from sources that you can trust, and if someone has created a great theme, just buy it. It saves time and trouble in the long run.<\/p>\n Here’s where we get into a little bit of code \u2013 but don’t worry, it’s very simple code.<\/p>\n The first of the two files we’ll be looking at is wp-config.php. This is a very important file that WordPress uses to communicate with databases.<\/p>\n The databases are where posts, settings, and users are all stored. You want to make sure that nobody can access this file other than you.<\/p>\n The second is the .htaccess file. This is a file that Apache (the software that web servers use, not the tribe) uses to decide how to retrieve files.<\/p>\n It’s also a very important potential vulnerability. The good news is, it can be used to close down access to both itself and to the wp-config.php file.<\/p>\n Just by seeing these files, attackers can gain valuable information about how your site is configured, which can lead them to discovering vulnerabilities. Obviously you don’t want this to happen.<\/p>\n Here is the code you need to put into your .htaccess file:<\/p>\n Just go to your .htaccess file and put that code in there. If you need help finding your .htaccess file, check out our Support articles for an explanation.<\/p>\n This code will tell your server not to let anyone access those files, but won’t stop you from getting to them with local access.<\/p>\n This isn’t so much a specific WordPress problem as it is a general security problem, but it’s such an important one that it deserves a mention here.<\/p>\n Phishing, as we reported earlier<\/a> can take many forms \u2013 it can come as spam emails that directly ask you for your passwords, as faked sites that ask for login details \u2013 basically, any way you can think of for someone to try and steal your username and password.<\/p>\n Now, being suspicious is normally not a good thing. But online it can save you.<\/p>\n Don’t use links that you get in emails to log onto sites. Log on in a separate window by navigating to the site as you normally would.<\/p>\n Also, never tell anyone your login details over email. No matter who they claim to be.<\/p>\n This is the most common threat to WordPress sites, and almost deserves an article to itself. It’s a way that attackers can put their own code into your site. Let’s look at how that’s possible.<\/p>\n HTML is the language used to create web pages, and it’s what is called a tag-based<\/strong> language.<\/p>\n For example, if I want to create bold text<\/strong>, I use a tag<\/i> that is placed around the text that I want to make bold – like this: <strong>text that I want to make bold<\/strong>. The tags aren’t shown to the person visiting the page, instead they change how the text inside them is displayed.<\/p>\n Note – I’m describing HTML in a really over-simplified way, but it works for the example I’m trying to make.<\/p>\n Almost all tags in HTML function like the <strong> tag, with one exception. That tag is <script>.<\/p>\n <script> says to the browser,<\/p>\n “Hey, what’s written inside this isn’t text, so don’t show it to the user. Instead, it’s a piece of code.”<\/p>\n This is really useful for creating interactive sites, but it can lead to some big problems if it’s misused.<\/p>\n Now, some fields in a site allow use of HTML – sometimes you want your visitors to be able to put a link in a comment, or make their text bold. That’s fine, and it usually doesn’t hurt anything (unless it’s a spam link).<\/p>\n However, if they can put <script> in your pages, then that’s a disaster waiting to happen. They use that vulnerability to change the way your site works, which is never good. Forget what you learned at nursery school – not everything needs to be shared, especially control over your site.<\/p>\n For example, if you have a page that prints the most recent search that a user has made (something that reads: “You searched for X”, for example), then this is a sort of pseudo-code that might be what your server says (note: this is not real server code):<\/p>\n This lets an attacker search for<\/p>\n When the page loads, that script will execute because the page will read:<\/p>\n Because the page loads user input as HTML without blocking the <script> tag, the attacker is able to add this script to a page.<\/p>\n That’s XSS in a nutshell, and while there are more complex ways of doing it (hence all the vulnerabilities related to it) that’s the basic way that XSS works.<\/p>\n But hang on, you might think, there’s nowhere that people can create user input on my blog. Why should I be scared of some script tag?<\/p>\n What about the comment section? The same place where people tell you how much your posts rock can also be the place that attackers inject code into your site.<\/p>\n This is how most XSS attacks are made, so protect yourself by manually approving comments. It may seem like a lot of work, but it can save your site.<\/p>\n Akismet<\/a> is one of the most common ways of securing comments – it also helps you eliminate spam. No WordPress site should leave home without it.<\/p>\n You should never<\/strong> allow comments that have a bunch of what looks like nonsense in them – this is probably obfuscated (hidden or disguised) code, and you should delete those comments with extreme prejudice.<\/p>\n Apply this principle to all user input on your site, and again, make sure that you update your plugins as soon as new versions come out, as new XSS attack methods get found very often.<\/p>\n There is so much software out there that you can use to harden your WordPress site that there is no excuse not to use the very best. These are just some programs that you can use to improve your security, categorized by the threat they cover. Using substandard software will bring you substandard results, so accept no substitutes.<\/p>\n Now what you’ve all been waiting for \u2013 here’s our Crazy Easy software list, solutions that you can use so you don’t have to worry about your WordPress site getting hacked. We’ve divided it into solutions based on what problems they solve.<\/p>\n LastPass<\/a> is a service that remembers your passwords for you.<\/p>\n Passwordcard<\/a> is a free resource that lets you create a card that generates and stores your passwords. It’s a great, comparatively low-tech solution to the problem of creating and remembering effective passwords.<\/p>\n 1password<\/a> is similar to LastPass \u2013 it creates strong, unique passwords for you and remembers them for all your accounts.<\/p>\n Clef<\/a> is an app for two-factor authentication. It uses your smartphone as a sort of digital key and is very easy to use.<\/p>\n The Stop User Enumeration plugin<\/a> makes it impossible for attackers to find out your admin username.<\/p>\n The WordPress security scan<\/a> is a simple testing tool that will find many of the vulnerabilities that we discussed in this article. It works as a good checklist to make sure that you have implemented your security correctly.<\/p>\n wpscan.org<\/a> is a black box WordPress vulnerability scanner. It takes a little bit of technical know-how to use and install, but is very effective. It gives you a full understanding of your site’s vulnerabilities.<\/p>\n The WordFence plugin<\/a> is one of the most popular security plugins for WordPress and its advantages are enjoyed by literally millions of site users.<\/p>\nSolution: Strengthen Passwords and Limit Login Attempts:<\/h2>\n
Strong Passwords<\/h3>\n
Limit Login Attempts<\/h3>\n
Threat #2: Plugins, WordPress Version, and Themes<\/h2>\n
Solution: Update Your Plugins, WordPress Version, and Themes<\/h2>\n
Threat #3: Table Access<\/h2>\n
Solution: Your Own Coding<\/h2>\n
<Files wp-config.php>\r\norder allow,deny\r\ndeny from all\r\n<\/Files>\r\n\r\n<Files .htaccess>\r\norder allow,deny\r\ndeny from all\r\n<\/Files><\/pre>\n
Threat #4: Phishing<\/h2>\n
![](\"http:\/\/1.bp.blogspot.com\/-CesQ_D28S5I\/Vnpb3Ybq4nI\/AAAAAAAAAd8\/JFw1ey3qaL0\/s1600\/153175439.png\")
<\/p>\nThe Solution: Be Suspicious<\/h2>\n
Threat #5: Cross-Site Scripting (XSS)<\/h2>\n
print \"<html>\"\r\nprint \"<h1>You searched for<\/h1>\"\r\nprint database.latestSearch\r\nprint \"<\/html>\"<\/pre>\n
<script>doSomethingTerrible();<\/script><\/pre>\n
<html>\r\n<h1>You searched for:<\/h1>\r\n<script>doSomethingTerrible();<\/script>\r\n<\/html><\/pre>\n
The Solution: Approve User Input<\/h2>\n
![](\"http:\/\/3.bp.blogspot.com\/-ML7CGtM4hcs\/VnpQH9jCDhI\/AAAAAAAAAdE\/TESWBjvtOgA\/s320\/xss%2Bscreenshot.png\")
<\/a><\/p>\nThreat #6: Using Poor Software<\/h2>\n
Solution: The Crazy Easy Security Software List!<\/h2>\n
Password solutions:<\/h3>\n
Theme, Plugin, and Version Checking Solutions<\/h3>\n
General WordPress Security solutions<\/h3>\n