Mitigating Attacks Against WordPress Sites

Becoming a target of an attack is never a good prospect for any website owner. There are some people on the World Wide Web that would resort to taking reputable actions in order to gain control of your website, or even bring it offline if that is their goal. Websites that are powered by WordPress have recently become the focus of a large and coordinated attack in order to gain control over any website possible. There are many types of attacks, security or otherwise, to look out for, and there are just as many ways that a website owner can help prevent a successful attack.

Which Attacks are being Used?

There are as many different types and styles of attacks as there are people commencing these attacks. There are several well-known and popular methods used to gain illicit entry to a website, or even to take a website offline, and three of such attacks include Distributed Denial of Service attacks, brute-force attacks, and using exploits/vulnerabilities.

Distributed Denial of Service

A popular tool used to flood a website with bad requests in order to force a particular service offline, a Distributed Denial of Service, or DDoS, is when a malicious party gains control of many computers in order to overload a website with the intention of bringing it offline. This usually means sending data to a server so rapidly that it cannot keep up, taking the attacked service offline for most users.

One method of accomplishing this task is to take control of a botnet, where many innocent computers are forced to take certain actions given by a central controller. Most people do not know if their computer has been converted into a bot in a network, so they are powerless to stop what their computer is doing. Botnets can have thousands, or even millions, of computers controlled from a single source, placing the receiver of a DDoS attack in a very weak position.

Brute-force attacks

An attack that can be carried out by a botnet, a small group of computers, or even a single device. A brute-force attack is when someone attempts to determine a user’s password by trying every combination of letters, numbers, and characters that he or she can put into your website’s password field. Statistically, he or she will eventually be successful, especially if that password is short or is commonly used (think “12345” or “password”).

Exploits & Vulnerabilities

Done by a person trying to find a backdoor into your website, using an exploit or vulnerability means trying to find insecure code with the intent of placing custom commands into that script to gain further access into your site. Software that does not sanitize data when processing information is susceptible to this type of attack, and persons knowledgeable in which software has an exploit can easily find website that use this insecure code.

Methods of Mitigation

Of all the possible doors into a website, there are several large ones that should be monitored and closed. Some of these items may seem to be common sense, but others may be methods that you never considered using for your website.

Update the WordPress core, themes, and plugins regularly

The most easy way to remove any exploits or vulnerabilities is to update any software whenever the author releases a new version. To accomplish this, head to your site’s dashboard and click on “Updates” in the sidebar on the left. From that page, you can see which themes and plugins need to be updated, or if WordPress itself needs updating. Just check the boxes, click on update, and your chances of being a victim of a successful attack are reduced.

Remove your “admin” user

The “admin” user is the default user for WordPress sites, so it is often the target of many brute-force attacks. It is appealing due to its elevated privileges and often ignored state. To remove the “admin” user, head to your website’s dashboard and click on “Users” in the lower portion of the sidebar. From there, hover your mouse over the row containing the admin user and click “Delete.” If that user has posts attributed to it, you can reassign them on the page that appears. If you want to add a new user for these posts, go back to the Users page to do so, then restart the process of deleting the admin user account.

Use secure passwords

MAaWPS weakpass

Having a weak password is another method to give brute-forcers an easy way into your website. If they cannot break into the “admin” account, they may try to gain access to other accounts discovered by combing through your website’s list of authors. They will often try some of the most common passwords before trying other means, so be sure that your password is not on one of those lists.
To use a new password that is more secure, first think of a secure password or use a password generator, and type that into the new password fields on your profile, accessed by hovering over your name in the admin bar and clicking on “Edit My Profile.” The strength indicator below these boxes will tell you how strong this new password is, giving you a good sign if your password is less likely to be discovered.

Leverage htaccess features

Your web server may already have some tools available to you to help put another line of defense between your website and any potential attackers. If your server uses Apache for your website, you have the powers of a special file called “.htaccess” available to your website.

One such power is to only allow people from certain IP addresses access to your wp-admin folder. First, create a file called “.htaccess” in your wp-admin folder. Second, open it up with a text editor and paste the following code into it.

order deny,allow
allow from xxx.xxx.xxx.xxx
deny from all

To find your computer’s external IP address, visit a site similar to What’s My IP Address. Copy the large number with periods throughout it and place that where the “xxx.xxx.xxx.xxx” is located in code above. If multiple people will be accessing your wp-admin folder, then copy the middle line for as many people as are needed, making a new line for each IP address. Ask them for their IP address and paste each into the htaccess file as needed. Make sure no lines that contain the Xs remain, or your website’s functionality may be broken.

Cloudflare

MAaWPS cloudflare

For those unaware of this service, Cloudflare offers protection to your website from several types of attacks, including DDoS and exploitation, all while helping to speed up your website for regular users. To take advantage of this service, you first need to sign up at Cloudflare’s website and add your domain. You may need to ask for help if you are unfamiliar with how DNS works and which nameservers your domain should use. Once your domain is set up to use Cloudflare, you can add the Cloudflare plugin linked in the Resources section below to your WordPress site.

Two-factor authentication

MAaWPS authy

If you use Gmail or Facebook, you may have already been introduced to the concept of two-factor authentication. If not, two-factor authentication means that you need to provide two pieces of information when attempting to log into your account: your password, and a code sent to your email or mobile phone. This ensures that it is truly you that is signing into your account.

One service that offers two-factor authentication for WordPress sites in Authy. The process is simple and involves only four steps. The first step is to obtain an API key from the Authy website by creating an account (there is a free tier called the “Starter” plan). The second step is to install and activate the Authy plugin (linked in the Resources section below) on your site. The third step is to enter the Authy API key to the Authy settings page within your site’s admin interface. The fourth step is to have each user choose if they want to use two-factor authentication, and have him or her enable it on his or her profile page if he or she decides to use it.

Summary

There are so many ways for someone interested in attacking or breaking into a WordPress sites that avoiding all of their attacks seems impossible. That may be true, but it is better to protect yourself than go without any security. There are several ways to thwart and reduce the damage of several types of attacks on your website, including simple tasks like changing your website’s user information, and more involved tasks including installing plugins to utilize external services to help filter out most intruders.

Even though some plugins have already been talked about, there are many other great plugins to help secure and protect WordPress sites. Visit “WordPress Security Plugins” for a description of several of them, including Bulletproof Security, Login Lockdown, and WP Security Scan.

Resources
Link: Hardening WordPress in the WordPress Codex
Link: Cloudflare in the WordPress Plugin Directory
Link: Authy in the WordPress Plugin Directory

This article was authored by:

Chris Ellison is a web developer living in the United States, and has been working with WordPress since 2009. He owns Abbson Studios, a design studio where he is free to experiment with new ways of molding WordPress into whatever he wants or his clients need.

Chris Ellison has authored 11 posts.Visit Website

Showing 1 Comment

  • Many bloggers are reporting WordPress attacks recently. I’m using Better WP Security along with CloudFlare. I’ve removed admin user also. We know that nothing can be 100% secure but still we can try our best to protect the sites.

    REPLY

Add Your Voice: