Where To Look For WordPress Security Issues
The core sections of WordPress have such a great community of developers and testers that the general chances of your site being hacked with a basic WordPress installations is pretty slim. Too often I hear a person complaining about “Not knowing how their site got hacked”. The truth is often far more common of an issue then one might think.
In many cases hackers are allowed to enter into a website.
Yep, I said “Allowed to enter”. Let’s consider a real world example that everyone should be able to equate to:
You live in a house. If you go on vacation you make sure to lock the doors and windows, set the alarm and maybe even post-pone your mail service. But what about the time you left to go shopping and you forgot to lock the door. Did you return home and become very thankful that nothing was taken?
Many people let intruders into their lives, often purely by accident. When you build a website it takes on a quality not unlike your home. It becomes a virtual real estate that has its very own front doors, back doors, and security holes.
Adding Security Risks
A home with one door and no windows has a greater level of security then a home with 30 windows and 4 doors. This is simply a matter of fact. It is much easier for someone to break a window then through a wall. Obviously some doors are stronger then others. The type of locks you use on your home also make a considerable difference. This is also true on your WordPress blogs. As the core structure of WordPress is very stable and secure, one then has to understand where the majority of security holes arise. Where this happens is unfortunate but it is one of the main reasons we use WordPress at all – Interchangeable plugins and themes.
The more themes you try and the more plugins you install you run a greater risk of opening up a security hole.
Not All Plugins Or Themes Are To Blame
We must take a moment to separate those plugins or themes that “INTENTIONALLY” cause harm and those that do so “ACCIDENTALLY”. The reason for this distinction is important.
Most of the plugins you will likely encounter from the WordPress Repository are pretty safe, however you are more likely to encounter an accidental issue.
IMPORTANT: There is not presently any enforced security practices for creation of a plugin or theme.
If you see someone offering a “paid plugin for free” download link, especially if it is not from a person you know or a reputable source, then by all means download it.
But do so at your own risk.
Plugins and themes are mostly written in combinations of PHP and HTML. This means that most any plugin that is purchased once can have the source code edited and then redistributed. This type of intentional malicious redistribution of a plugins takes into account that some people will want to get a “freebie”. This lures people into downloading a potentially corrupted or insecure version of a valid plugin and installing a backdoor or hack unwittingly.
Often times the person downloading the plugins has little or no clue that a backdoor or virus was just installed into their website.
Types Of Security Concerns To Be Aware Of
There are a host of security concerns that can come along with adding functionality to WordPress. Occasionally a programmer accidentally causes a problem since it is hard to know exactly how their plugin might interact with 10,000 or more other plugins. Hey It happens. But those intention ones will look to take advantage of every potential risk they can. Below are just a handful of the types of common attackks that can hit a WordPress site.
- Vulnerable scripts and plugins
- Web shells and PHP malware
- Phishing and iFrame injection attacks
- Malicious code in .htaccess
- Malicious Unix executable scripts
- Suspicious encoded strings detection
- Adware, SPAM links, and black SEO links
- Suspicious IPs detection
- Brute Force Attacks against Admin Accounts
- Password Hacking
This are just the more common types of attacks and intrusions into a website. Some people want to gain access to sites personal data, banking accounts, or just for fun. If the hacker is any good the majority of people would never even know they were there. It all depends on what the hackers intentions are.
What Can You Do To Secure Your Site
If you read this post here: What’s The First Steps to Securing WordPress, then you know that security starts at the point you even decide to install a WordPress blog. But once you have installed it the next few steps will become important.
Now that your site is installed and you login for the first time you might be thinking it is time to go ahead and do all of your basic setup. You can, but it can wait for a little bit.
Even though WordPress core is good, I always like to install a security scanner plugin first. There are several nice choices and you might even wish to try a couple until you find one you like.
Security Scan Plugins I use often include:
- CWIS Antivirus Scanner – Designed to detect exploits, malware, trojans, viruses and other threats within database content and files uploaded to your system.
- WP Scanner – Scan your WordPress site and receive recommendations on how to improve load time, performance and security.
- Anti-Malware Security – searches for Malware, Viruses, and other security threats and vulnerabilities on your server and it helps you fix them.
- Sucuri Security – Auditing, Malware Scanner and Security Hardening
Pick the one you like the best based on your level of concern or expertise. When picking plugins to consider I follow some simple criteria:
- Is the plugin currently up-to-date?
- Are the plugins support tickets being processed?
- How many active installations does it have?
Using these three criteria I will often look for the most up-to-date plugins with an active support staff and a high volume of installations. To me this is often indicative of a plugin whose authors are working hard to stay on top of any issues that might arise. Since things change on the web so fast I often will not even consider a plugin that is more then a few months old or not tested for the 2 most recent versions of WordPress.
Adding Even More Security
Once you have a baseline scan of your website the next step is to work on actually securing it for the future. This will be where picking the security plugins come in. While there is not yet one plugin that can handle every possible or potential threat, there are a few that come pretty close.
At present the leader for WordPress security plugin is likely going to be WordFence.
Wordfence Security – THE MOST DOWNLOADED WORDPRESS SECURITY PLUGIN
Secure your website with Wordfence. Powered by the constantly updated Threat Defense Feed, our Web Application Firewall stops you from getting hacked. Wordfence Scan leverages the same proprietary feed, alerting you quickly in the event your site is compromised. Our Live Traffic view gives you real-time visibility into traffic and hack attempts on your website. A deep set of additional tools round out the most complete WordPress security solution available.
Almost 2 years ago WordFence was my new favorite security plugin, you can read that article here: WordPress Security Plugins – Our Favorite List Of Must Have Plugins For Blogging Security. Among the other favorites at that time included:
- iThemese Security – (formerly Better WP Security) – Take the guesswork out of WordPress security. iThemes Security offers 30+ ways to lock down WordPress in an easy-to-use WordPress security plugin.
- Centrora Security – (formerly OSE Firewall) – is excellent for security management. It incorporates firewall, dedicated malware scanners to enhance WordPress security.
As of this post I am still favoring WordFence on site installations even though I have worked on Centrora (when it was still OSE Firewall). In 2013 OSE was undergoing management changes and other issues that led me to switch from using that as an active security plugin at that time. I will revisit the newest rendition and see if it has once again climbed the ladder of WordPress security.
In addition to the security plugins listed above, take a close look at the Pro version of BulletProof Security. It runs for around $60 but does include some features that I would love to see implemented into something such as WordFence, such as more of the logging features.
Bear in mind it is also possible to run more then one security plugin at a time and pick and choose which features you apply for your needs. Please be careful though as this can sometime cause overlapping features that are not always optional. If this happens you may find that a feature is not working properly.
Pick the Security plugin of your choice, there is no one right or wrong choice as they all have stuff to offer. WordFence is my top choice and I use it daily. However I do also to use many of the others for specific functionality but I will have to cover that at another time. I will create a walk-through covering the most popular options for WordFence in a future posting.