How Do Hackers Compromise Your WordPress Website?
It is important to understand how hackers gain entry into a WordPress website before deciding how to defend it. Although there are many ways to break into a WordPress site, the main techniques can be grouped into four categories. In an article last year, WP White Security reported the following statistics about hacked websites:
- 41% were hacked through a security vulnerability on their hosting platform
- 29% were hacked via a security issue in the WordPress Theme they were using
- 22% were hacked via a security issue in the WordPress Plugins they were using
- 8% were hacked because they had a weak password
As you can see, 41% of compromises were traced to the hosting platform. That covers a lot of ground: outdated server software, weak isolation between customers on shared hosting, and vulnerable web applications on the same host, for example one that passes a URL parameter straight into a database query and so allows SQL injection. SQL injection lets the attacker run SQL statements of their own against your database, which can mean changing data (such as overwriting your password hash with one they know), reading it out (every user record and password hash), or deleting it (all your posts and pages).
A whopping 51% of compromises came through a WordPress plugin or theme. A typical follow-up is to drop an obfuscated backdoor into a PHP file, classically a one-liner of the form eval(base64_decode('...')), which lets the attacker run arbitrary PHP on your server whenever they request that file (to send spam, for example).
Important Installation Settings
WordPress security keys were introduced across versions 2.5 to 2.7. They are secret values that WordPress mixes into the hashes it stores in a visitor's authentication cookies (and into nonces), so that someone who has only your database, password hashes included, still cannot forge a logged-in cookie. Each key has a matching salt that is combined with it. The keys do not change how passwords themselves are hashed, but rotating them invalidates every existing login session, which makes them a useful recovery step after a compromise.
The keys are set in wp-config.php, an important configuration file found in the root of your WordPress installation. If you have not added security keys to wp-config.php yet, the block will look like this:

```php
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
```

All eight keys and salts can be generated with the WordPress secret-key service at https://api.wordpress.org/secret-key/1.1/salt/, which returns ready-to-paste define() lines; replace the placeholder block above with its output. Use different values for every site you run, and never commit wp-config.php to a public repository.
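If you would rather not paste values fetched from a third party, the following script generates the eight keys locally from the operating system's CSPRNG and patches them into wp-config.php. This is an added example, not code from the original page or from WordPress itself; it assumes the file still carries the literal placeholder shown above, and SAMPLE_CONFIG is a constructed stand-in for a real wp-config.php.

```python
"""Generate the eight WordPress security keys/salts and patch them into
wp-config.php.

Added example, not code from the original page or from WordPress itself.
It assumes wp-config.php still carries the literal placeholder
'put your unique phrase here'; SAMPLE_CONFIG is a constructed stand-in.
"""
import re
import secrets
import string

# The eight constants wp-config.php defines, in the order the page lists them.
KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
PLACEHOLDER = "put your unique phrase here"
KEY_LEN = 64  # same length the api.wordpress.org service hands out

# Printable ASCII without whitespace, minus the quote characters and the
# backslash that would break a single-quoted PHP string literal.
ALPHABET = "".join(
    c for c in string.digits + string.ascii_letters + string.punctuation
    if c not in "'\"\\"
)

DEFINE_RE = re.compile(
    r"""define\(\s*['"](?P<name>\w+)['"]\s*,\s*['"](?P<value>[^'"]*)['"]\s*\)\s*;"""
)


def generate_key(length=KEY_LEN):
    """One key drawn from the OS CSPRNG via secrets; never random.random()."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def placeholder_keys(config_text):
    """Names of security constants still set to the stock placeholder."""
    return [m["name"] for m in DEFINE_RE.finditer(config_text)
            if m["name"] in KEY_NAMES and m["value"] == PLACEHOLDER]


def patch_config(config_text):
    """Rewrite each placeholder define() with a fresh, distinct key.

    Only the eight security constants are touched; DB_NAME etc. pass through.
    Rotating these values logs every user out, which is intended.
    """
    def replace(m):
        if m["name"] in KEY_NAMES and m["value"] == PLACEHOLDER:
            return "define('%s', '%s');" % (m["name"], generate_key())
        return m.group(0)
    return DEFINE_RE.sub(replace, config_text)


# Constructed excerpt of an unpatched wp-config.php.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
"""

if __name__ == "__main__":
    print("still placeholders:", placeholder_keys(SAMPLE_CONFIG))
    print(patch_config(SAMPLE_CONFIG))
```

To patch a real file, read wp-config.php into a string, pass it through patch_config() and write the result back; placeholder_keys() on the result should then return an empty list. The keys deliberately exclude quote characters and the backslash so they can never terminate or escape the PHP string literal they are pasted into.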
1) Disable XML-RPC
Since WordPress 3.5, XML-RPC (the xmlrpc.php endpoint that exposes the WordPress remote API) has been enabled by default, with no switch to turn it off in the admin screens. It lets desktop and mobile blogging clients publish remotely, and it carries trackbacks and pingbacks (https://make.wordpress.org/support/user-manual/building-your-wordpress-community/trackbacks-and-pingbacks/). Unfortunately, attackers abuse it in two ways. The pingback method can be pointed at a third-party site, turning your server into one of many reflectors in a DDoS attack (Distributed Denial of Service: a malicious attempt to make a server or network resource unavailable, usually by flooding it with traffic until it stops answering). And the system.multicall method lets a single request try hundreds of passwords, sidestepping login rate limits that only watch wp-login.php.
If you do not need remote publishing, disable it with a plugin such as Disable XML-RPC Pingback or Disable XML-RPC (both hook the xmlrpc_enabled filter) to reduce the chance of your website being abused. Afterwards, confirm that a POST to /xmlrpc.php no longer answers a system.listMethods call.
2) Limit Login Attempts
Attackers use brute-force attacks to get into your WordPress admin area, feeding the login form username and password guesses from lists of common credentials, often from many IP addresses at once. One of the best ways to protect your website against this is to install Login LockDown or Login Security Solution. These plugins limit the number of login attempts allowed from a given IP range within a period of time, and lock that range out once the limit is reached.
The great thing about these plugins is that they record the IP address of anyone who fails a login attempt. You can use this information to block those addresses from your website indefinitely with the .htaccess technique (a deny rule for the address). Bear in mind that a distributed attack spreads its guesses across many addresses so that none trips the limit, which is why lockouts belong alongside strong passwords and two-step authentication rather than instead of them.
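The same detection can be done from the web server's access log, which also catches attempts the plugins never see. The script below is an added example, not code from the page or from either plugin it names: it parses constructed Apache combined-format lines, flags any address that exceeds a failure threshold inside a sliding time window, and emits the .htaccess deny block for the "block them indefinitely" step. The success/failure heuristic is an assumption that holds for a stock install: a POST to wp-login.php answered with 200 re-rendered the form (the login failed), while a 302 bounced the user into wp-admin (it succeeded).

```python
"""Spot wp-login.php brute forcing in an Apache access log and emit the
.htaccess deny block the page's 'block them indefinitely' step needs.

Added example, not code from the page or from the plugins it names. The
log lines are constructed. Heuristic (assumption, true for a stock install):
POST /wp-login.php -> 200 means the form was re-rendered, i.e. the login
failed; -> 302 means the user was redirected into wp-admin, i.e. success.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format: ip ident user [time] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop ?redirect_to=... etc.
        "status": int(m["status"]),
    }


def failed_logins(lines):
    """Yield (ip, timestamp) for every request that looks like a failed login."""
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "POST"
                and rec["path"].endswith("/wp-login.php")
                and rec["status"] == 200):
            yield rec["ip"], rec["ts"]


def offenders(lines, max_failures=5, window=timedelta(minutes=10)):
    """Sorted IPs that exceed max_failures failed logins inside any sliding window."""
    by_ip = defaultdict(list)
    for ip, ts in failed_logins(lines):
        by_ip[ip].append(ts)
    flagged = []
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # shrink the window from the left
                start += 1
            if end - start + 1 > max_failures:
                flagged.append(ip)
                break
    return sorted(flagged)


def htaccess_block(ips):
    """Apache 2.2 'order allow,deny' block scoped to the login script.

    On Apache 2.4 the equivalent is a <RequireAll> with 'Require all granted'
    followed by one 'Require not ip ...' line per address.
    """
    lines = ["<Files wp-login.php>", "order allow,deny", "allow from all"]
    lines += ["deny from %s" % ip for ip in ips]
    lines.append("</Files>")
    return "\n".join(lines) + "\n"


# Constructed log: 203.0.113.7 fails six times in three minutes;
# 198.51.100.2 mistypes once, then logs in (302). The xmlrpc.php line is
# deliberately ignored here; see the XML-RPC section for why it matters.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2014:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3491 "-" "python-requests/2.4"',
    '203.0.113.7 - - [10/Oct/2014:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.4"',
    '203.0.113.7 - - [10/Oct/2014:10:00:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.4"',
    '203.0.113.7 - - [10/Oct/2014:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.4"',
    '203.0.113.7 - - [10/Oct/2014:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.4"',
    '203.0.113.7 - - [10/Oct/2014:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.4"',
    '203.0.113.7 - - [10/Oct/2014:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.4"',
    '198.51.100.2 - - [10/Oct/2014:10:05:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Oct/2014:10:05:40 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2014:10:06:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 1104 "-" "python-requests/2.4"',
]

if __name__ == "__main__":
    print(htaccess_block(offenders(SAMPLE_LOG)), end="")
```

Run it against a real log with `offenders(open("/var/log/apache2/access.log"))`. The threshold and window are the knobs the plugins expose under other names; five failures in ten minutes is a reasonable starting point that a legitimate user who mistypes will not hit.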
3) Two-Step Authentication Solutions
A two-step login process makes it much harder for an attacker to get in by brute force, because a guessed password alone is no longer enough: everyone must also present a one-time code to log in, for example one that is only available on your mobile phone.
Here are some useful authentication WordPress plugins that are available to you free of charge:
- Google Authenticator – You enrol by scanning a QR code or typing the secret key into the Google Authenticator app on your phone, then enter the time-based code it displays at each login
- Clef – Allows you to login using a passwordless two-factor authentication system using your mobile phone
- Clockwork SMS – Sends a SMS to your mobile phone with a key that you need to enter to login
- Duo Two-Factor Authentication – Offers multiple ways to access your website such as a mobile phone application, a SMS, or a phone call
- OpenID – Lets you log in through an OpenID provider (the protocol is supported by the major identity and social media services); note this is delegated login rather than a second factor
- Authy Two Factor Authentication – Requires you to enter the one-time code shown in the Authy smartphone application
- Stealth Login Page – Log in to your website using a secret login authorization code
4) Hide Your Login Page
Attackers target your login page because a default installation answers at www.yourwebsite.com/wp-admin/ and www.yourwebsite.com/wp-login.php, so scanners can find it without looking. Moving the login page takes you out of the path of those automated brute-force runs. It is obscurity rather than real protection, though: anyone who finds the new URL can attack it just the same, so keep rate limiting, strong passwords and two-step authentication in place as well.
There are good plugin solutions available that allow you to do this easily:
- Rename wp-login.php – A multisite friendly plugin that allows you to change your login page. Once activated, the wp-admin directory and wp-login.php page will be inaccessible.
- Hide Login+ – Allows you to change name of your login page, admin area, logout page, and forgotten password page.
- Lockdown WP Admin – Another useful plugin that can conceal your admin area and login page.
If you forget the new location of your login page and admin area, you can reset everything by deactivating the plugin in question. You can do this without logging in by renaming the plugin's folder inside /wp-content/plugins/ (WordPress deactivates a plugin whose files it can no longer find). Alternatively, delete the plugin and reinstall it once you have logged back in to your website.
5) Remove the Word Press Version Number
By default, WordPress places a meta tag in your page header that states the version of WordPress you are using:

```html
<meta name="generator" content="WordPress 3.9.1">
```

Unfortunately, this information is useful to attackers, particularly if you are running an older version with a known security hole: scanners match the number against their exploit lists.
WordPress developer Paul Underwood shared a useful code snippet that removes the version number from the page header. Add the following line to your theme's functions.php file:

```php
remove_action('wp_head', 'wp_generator');
```

Alternatively, you can remove the WordPress version number by installing the plugin Remove Version. Either way, treat this as tidying up rather than protection: the version is still exposed by the readme.html file shipped in the web root, by the ?ver= query string WordPress appends to the scripts and stylesheets it enqueues without an explicit version, and by the generator element in your RSS feeds (which the the_generator filter controls). Delete readme.html after each upgrade, and above all keep WordPress current, so that the number is nothing you need to hide.
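To see what a scanner still learns after the meta tag is gone, here is an added example (not code from the page or the Remove Version plugin) that pulls version disclosures out of page HTML and feed XML. The markup it runs on is constructed; the regular expressions and the "most common ?ver= wins" guess are our assumptions about how a scanner would reason, not part of any WordPress API.

```python
"""Find WordPress version disclosures in page HTML and feed XML, not just
the generator meta tag.

Added example, not code from the page or the Remove Version plugin. The
markup below is constructed. Besides the meta tag, the version shows up in
the ?ver= query string WordPress appends to scripts and stylesheets it
enqueues without an explicit version, and in the <generator> element of
the RSS feed; readme.html in the web root is a fourth place not covered here.
"""
import re
from collections import Counter

GENERATOR_META = re.compile(
    r"""<meta\s+name=["']generator["']\s+content=["']WordPress\s+([\d.]+)["'][^>]*>""", re.I)
FEED_GENERATOR = re.compile(
    r"<generator>https?://wordpress\.org/\?v=([\d.]+)</generator>", re.I)
ASSET_VER = re.compile(r"""(?:src|href)=["']([^"']*\?ver=([\d.]+))["']""", re.I)


def version_leaks(doc):
    """Every (source, version) pair found in the document."""
    leaks = []
    for m in GENERATOR_META.finditer(doc):
        leaks.append(("meta generator", m.group(1)))
    for m in FEED_GENERATOR.finditer(doc):
        leaks.append(("feed generator", m.group(1)))
    for m in ASSET_VER.finditer(doc):
        asset = m.group(1).split("?", 1)[0].rsplit("/", 1)[-1]
        leaks.append(("asset " + asset, m.group(2)))
    return leaks


def likely_version(doc):
    """Best guess at the WordPress version: an explicit generator if present,
    otherwise the ?ver= value shared by the most assets (core assets that
    carry their own version, such as jquery.js, are outvoted)."""
    leaks = version_leaks(doc)
    explicit = [v for s, v in leaks if s in ("meta generator", "feed generator")]
    if explicit:
        return explicit[0]
    votes = Counter(v for s, v in leaks if s.startswith("asset "))
    return votes.most_common(1)[0][0] if votes else None


def without_generator_tag(head):
    """What the page looks like after remove_action('wp_head', 'wp_generator')."""
    return GENERATOR_META.sub("", head)


# Constructed <head> of a WordPress 3.9.1 page before the generator tag is removed.
SAMPLE_HEAD = """<head>
<meta name="generator" content="WordPress 3.9.1" />
<link rel='stylesheet' href='http://yoursite.com/wp-content/themes/twentyfourteen/style.css?ver=3.9.1' type='text/css' />
<link rel='stylesheet' href='http://yoursite.com/wp-includes/css/dashicons.min.css?ver=3.9.1' type='text/css' />
<script type='text/javascript' src='http://yoursite.com/wp-includes/js/jquery/jquery.js?ver=1.11.0'></script>
<script type='text/javascript' src='http://yoursite.com/wp-includes/js/comment-reply.min.js?ver=3.9.1'></script>
</head>"""

# Constructed fragment of the same site's RSS feed.
SAMPLE_FEED = """<rss version="2.0"><channel>
<generator>http://wordpress.org/?v=3.9.1</generator>
</channel></rss>"""

if __name__ == "__main__":
    for label, doc in (("before", SAMPLE_HEAD),
                       ("after remove_action", without_generator_tag(SAMPLE_HEAD)),
                       ("feed", SAMPLE_FEED)):
        print(label, version_leaks(doc), "->", likely_version(doc))
```

Point it at your own site's HTML and /feed/ output: if likely_version() still returns the right number after you removed the meta tag, the ?ver= strings or the feed are giving it away, and the only real fix is to stay on a current release.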
6) Hide your username from the author archive URL
Another way an attacker can learn your username is from the author archive pages on your site.
By default WordPress puts the user's nicename, which is normally identical to the username, in the URL of the author archive page. If your username is joebloggs, your author archive page will be something like http://yoursite.com/author/joebloggs. The same value is exposed by requesting http://yoursite.com/?author=1, which redirects to the first user's archive, so stepping through the IDs 1, 2, 3 and so on lists your accounts.
This hands an attacker half of the credential pair, the same problem as the default "admin" account, so it is a good idea to hide it by changing the user_nicename column for that user in the wp_users table to something that is not the login name, as described here.
7) Change Passwords and User
Many potential vulnerabilities can be avoided with good security habits. A strong password is an important aspect of this.
The goal with your password is to make it hard for other people to guess and hard for a brute-force attack (automated guessing of many candidates; not to be confused with a DDoS attack, which aims to overwhelm a server rather than log in to it) to succeed. Many password generators are available that will create a strong random password for you, and a password manager will remember it so that length is no burden.
Things to avoid when choosing a password:
- Any permutation of your own real name, username, company name, or name of your website.
- A word from a dictionary, in any language.
- A short password.
- Any numeric-only or alphabetic-only password (mix letters, digits and symbols).
A strong password is necessary not just to protect your blog content. A hacker who gains access to your administrator account is able to install malicious scripts that can potentially compromise your entire server.
In addition to using a strong password, it’s a good idea to enable two-step authentication as an additional security measure.
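The rules above are easy to state and easy to forget, so here they are as a checker. This is an added example, not code from the page: the identity strings it tests against and the small DICTIONARY are constructed stand-ins (pass the user's real name, username, company and site name, and a real word list, in practice), and the 12-character minimum and the leet-speak table are our assumptions, since the page only says "short" is bad.

```python
"""Check a candidate password against the rules listed above.

Added example, not code from the page. The identity strings in the demo
and the tiny DICTIONARY are constructed stand-ins; in practice pass the
user's real name, username, company and site name, and load a real word
list. MIN_LENGTH and the leet-speak table are our assumptions.
"""
import re
import string

MIN_LENGTH = 12

# Substitutions that cracking rule sets undo, so the checker undoes them too.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed mini word list standing in for a real dictionary.
DICTIONARY = {"password", "summer", "winter", "welcome", "dragon",
              "letmein", "monkey", "football"}


def normalize(text):
    """Lowercase, undo leet-speak, keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))


def strip_decoration(text):
    """Remove the digits and symbols people bolt onto the ends of a word."""
    return text.strip(string.digits + string.punctuation)


def identity_tokens(identity):
    """Fragments an attacker would try: each word and the whole string, both ways round."""
    tokens = set()
    for value in identity:
        for part in [value] + re.split(r"[\s._-]+", value):
            t = normalize(part)
            if len(t) >= 3:
                tokens.add(t)
                tokens.add(t[::-1])
    return tokens


def password_problems(password, identity=(), dictionary=DICTIONARY):
    """List the rules a password breaks; an empty list means it passed."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short (%d < %d characters)" % (len(password), MIN_LENGTH))
    if password.isdigit():
        problems.append("digits only")
    elif password.isalpha():
        problems.append("letters only")
    core = normalize(password)
    for token in sorted(identity_tokens(identity)):
        if token in core:
            problems.append("contains a permutation of your name/username/site (%s)" % token)
            break
    word = normalize(strip_decoration(password))
    if word in dictionary:
        problems.append("dictionary word once decoration is stripped (%s)" % word)
    return problems


if __name__ == "__main__":
    who = ("Joe Bloggs", "joebloggs", "Acme Widgets")   # constructed identity
    for candidate in ("Summer2014!", "joebloggs2014!!", "P@ssw0rd1!",
                      "12345678901234", "correct horse battery staple"):
        print("%-30s %s" % (candidate, password_problems(candidate, who) or "OK"))
```

The normalisation step is what makes the check bite: "P@ssw0rd1!" satisfies a naive "letters, digits and symbols" rule but is still the word "password" to any cracking tool, and a reversed surname with a year on the end is in every attacker's rule set.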
8) FTP
When connecting to your server, use SFTP (file transfer over SSH) if your web host provides it. If you are unsure whether your web host offers SFTP, ask them.
From your point of view SFTP works just like FTP, but everything, including your password, travels inside an encrypted SSH session, so nothing is sent in the clear for an attacker on the network path to read. Plain FTP sends the username and password as clear text on every login.
9) File Permissions
Some neat features of WordPress come from allowing various files to be writable by the web server. However, allowing write access to your files is potentially dangerous, particularly in a shared hosting environment, where a compromise of any other site on the box, or of any plugin on yours, turns every web-server-writable file into a place to plant a backdoor.
It is best to lock down your file permissions as much as possible and to loosen those restrictions only on the occasions when you need to allow write access, or to create specific folders with fewer restrictions for purposes such as uploading files.
Here is one possible permission scheme.
All files should be owned by your user account and be writable by you. Any file that needs write access from WordPress should be writable by the web server; depending on your hosting set-up, that may mean those files need to be group-owned by the account the web server process runs as.
/
The root WordPress directory: all files should be writable only by your user account, except .htaccess if you want WordPress to generate rewrite rules for you automatically.
/wp-admin/
The WordPress administration area: all files should be writable only by your user account.
/wp-includes/
The bulk of WordPress application logic: all files should be writable only by your user account.
/wp-content/
User-supplied content: intended to be writable by your user account and the web server process.
Within /wp-content/ you will find:
/wp-content/themes/
Theme files. If you want to use the built-in theme editor, all files need to be writable by the web server process. If you do not (and see "Disable File Editing" below, which is the safer choice), all files can be writable only by your user account.
/wp-content/plugins/
Plugin files: all files should be writable only by your user account.
Other directories that may be present with /wp-content/ should be documented by whichever plugin or theme requires them. Permissions may vary.
Changing file permissions
If you have shell access to your server, you can set the scheme above recursively with find. For directories:

```sh
find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;
```

For files:

```sh
find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;
```

Afterwards, tighten wp-config.php separately to 440 (see "Securing wp-config.php" below) and re-open group write only on the directories the web server genuinely must write to, such as the uploads directory. Never take the shortcut of chmod -R 777: it makes every file writable by any process on the host.
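The two find commands set the baseline, but they do not catch the exceptions (wp-config.php, the upload directories) or tell you what was wrong before. The script below is an added example, not code from the page: apply_scheme() enforces the layout described above and audit() reports anything outside it. It assumes a POSIX filesystem, that you own the files and the web server runs as another account in your group, and (our assumption) that wp-content/uploads is the only tree the web server needs to write; demo() builds a throwaway install in a temporary directory so it can run anywhere.

```python
"""Apply the permission scheme above to a WordPress tree, then audit it.

Added example, not code from the page. It assumes a POSIX filesystem, that
you own the files and the web server runs as another account in your
group, and (our assumption) that wp-content/uploads is the only directory
the web server must write into. demo() builds a throwaway tree in a temp
directory so it can run anywhere.
"""
import os
import shutil
import stat
import tempfile

DIR_MODE = 0o755
FILE_MODE = 0o644
CONFIG_MODE = 0o440        # wp-config.php: owner and web-server group read it, nobody else
WEB_WRITABLE_DIR = 0o775   # directories the web server process writes into
WEB_WRITABLE = ("wp-content/uploads",)   # assumption: uploads only


def _rel(root, path):
    rel = os.path.relpath(path, root).replace(os.sep, "/")
    return "" if rel == "." else rel


def _web_writable(rel):
    return any(rel == w or rel.startswith(w + "/") for w in WEB_WRITABLE)


def mode_of(path):
    return stat.S_IMODE(os.lstat(path).st_mode)


def apply_scheme(root):
    """chmod every directory and regular file under root per the scheme."""
    for dirpath, _dirs, files in os.walk(root):
        rel = _rel(root, dirpath)
        os.chmod(dirpath, WEB_WRITABLE_DIR if _web_writable(rel) else DIR_MODE)
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue                      # never chmod through a symlink
            is_config = rel == "" and name == "wp-config.php"
            os.chmod(path, CONFIG_MODE if is_config else FILE_MODE)


def audit(root):
    """Sorted (relative path, problem) pairs for anything outside the scheme."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel = _rel(root, dirpath)
        entries = [(rel or ".", dirpath, True)]
        entries += [((rel + "/" + n) if rel else n, os.path.join(dirpath, n), False)
                    for n in files]
        for relpath, path, is_dir in entries:
            mode = mode_of(path)
            parent = relpath if is_dir else (relpath.rsplit("/", 1)[0] if "/" in relpath else "")
            if mode & stat.S_IWOTH:
                findings.append((relpath, "world-writable"))
            if mode & stat.S_IWGRP and not _web_writable(parent):
                findings.append((relpath, "group-writable outside an upload directory"))
            if not is_dir and mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                findings.append((relpath, "executable bit set on a file"))
            if relpath == "wp-config.php" and mode & stat.S_IROTH:
                findings.append((relpath, "wp-config.php readable by everyone"))
    return sorted(findings)


def build_demo_tree():
    """Constructed mini install seeded with the mistakes an audit should catch."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    layout = {
        "wp-config.php": 0o644,                                # readable by everyone: bad
        ".htaccess": 0o644,
        "wp-admin/admin.php": 0o644,
        "wp-includes/functions.php": 0o644,
        "wp-content/plugins/hello.php": 0o777,                 # world-writable, executable: bad
        "wp-content/themes/twentyfourteen/style.css": 0o664,   # group-writable outside uploads
        "wp-content/uploads/2014/10/photo.jpg": 0o664,         # fine: web server writes here
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("demo\n")
        os.chmod(path, mode)
    return root


def demo():
    """Audit the demo tree before and after applying the scheme."""
    root = build_demo_tree()
    try:
        before = audit(root)
        apply_scheme(root)
        after = audit(root)
        config_mode = mode_of(os.path.join(root, "wp-config.php"))
    finally:
        shutil.rmtree(root)
    return {"before": before, "after": after, "config_mode": config_mode}


if __name__ == "__main__":
    result = demo()
    for finding in result["before"]:
        print("before: %s: %s" % finding)
    print("after:", result["after"] or "clean", "(wp-config.php mode %o)" % result["config_mode"])
```

On a live install run audit("/path/to/your/wordpress/install") first and read the findings before applying anything; if your host needs other directories to be web-writable (a cache plugin, for instance), add them to WEB_WRITABLE rather than loosening everything.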
10) Securing wp-admin
Adding server-side password protection (such as HTTP Basic authentication) to /wp-admin/ adds a second layer of protection around your site's admin area, the login screen and your files. An attacker or bot then has to get through that layer before it can even reach the WordPress code, which matters because many WordPress attacks are carried out autonomously by malicious bots.
Simply securing the whole wp-admin/ directory can break some WordPress functionality, though, such as the AJAX handler at wp-admin/admin-ajax.php, which logged-out visitors and many plugins call; exempt that file from the authentication requirement. Serve the protected area over HTTPS only, since Basic authentication merely base64-encodes the credentials and does not encrypt them. See the Resources section for more documentation on how to password protect your wp-admin/ directory properly.
The most common attacks against a WordPress blog usually fall into two categories.
- Sending specially-crafted HTTP requests to your server with specific exploit payloads for specific vulnerabilities. These include old/outdated plugins and software.
- Attempting to gain access to your blog by using “brute-force” password guessing.
The complement to this second layer is to require an HTTPS connection for administration (the FORCE_SSL_ADMIN constant in wp-config.php), so that login credentials, cookies and everything else in the admin session are encrypted in transit. See Administration Over SSL.
11) Securing wp-includes
A second layer of protection can be added where scripts are generally not intended to be accessed by any user. One way to do that is to block those scripts using mod_rewrite in the .htaccess file. Note: to ensure the code below is not overwritten by WordPress, place it outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file, since WordPress can overwrite anything between those tags.

```apache
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# BEGIN WordPress
```

Note that this won't work well on Multisite, as the rule RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] would prevent the ms-files.php file from serving images. Omitting that line will allow the code to work, but offers less security.
12) Securing wp-config.php
You can move the wp-config.php file to the directory above your WordPress install. This means for a site installed in the root of your webspace, you can store wp-config.php outside the web-root folder.
Note: Some people assert that moving wp-config.php has minimal security benefits and, if not done carefully, may actually introduce serious vulnerabilities. Others disagree.
Note that WordPress only looks for wp-config.php one directory level above the installation (the directory that contains wp-includes); any further up and it will not be found. Also make sure that only you (and the web server) can read the file, which generally means permissions of 400 or 440.
If your server honours .htaccess, you can put this at the very top of the file to deny access to anyone requesting wp-config.php directly (on Apache 2.4 the equivalent inside the block is a single Require all denied line):

```apache
<files wp-config.php>
order allow,deny
deny from all
</files>
```
13) Disable File Editing
The WordPress Dashboard by default lets administrators edit PHP files, such as plugin and theme files. This is often the first tool an attacker reaches for after logging in, since it gives them code execution on your server. WordPress has a constant to disable editing from the Dashboard; placing this line in wp-config.php is equivalent to removing the edit_themes, edit_plugins and edit_files capabilities from all users:

```php
define('DISALLOW_FILE_EDIT', true);
```

This will not stop an attacker who holds an administrator login from uploading a malicious plugin or theme as a zip file, which gives the same code execution; the related DISALLOW_FILE_MODS constant blocks those uploads and Dashboard updates as well, at the cost of having to update from the command line or by deploying files. Neither constant helps once the attacker has write access to the filesystem by other means, but together they close the easiest routes.