Is your website built with WordPress? Probably!

Even if you have no idea what your website is built with (because someone else looks after it), there’s a good chance it will have been built with WordPress: 53% of all websites are created using WordPress [1].

With that in mind, we turned to John, our website security expert, and asked him: how secure is a WordPress website out of the box, and what can you do to make it very secure?

Well, as you can imagine, there are many factors that can make a website either secure or insecure.

A website is the digital front door for nearly all businesses these days, and if someone comes to your front door and notices it looks insecure, it may have an immediate impact on a potential customer’s impression of you and influence their willingness to trust you with their data. And aside from reputation, you really don’t want your site getting hacked, do you? At the very least it’s a hassle. At worst, it could be the end of your business.

Having considered the question for some time, John came up with 5 great points, highlighting the most important security features that can really help in protecting the external layer of your WordPress site[2].

It gets a bit technical from here, sorry, but bear with us. It’s worth it for the sake of your website!

Hiding the administration login page

By default, your WordPress content management system (CMS) administration page is at https://yourwebsite.com/wp-admin. Hackers know this, so exposing the login page to the administration section (or back-end) of the website is generally considered bad practice.

If it is exposed, there is a chance that an attacker can use this page to their advantage. For example, they could try to log in with admin:password, and the response from the server will probably say that you have entered an “Invalid username”.

Continuing this approach with a script, they could try thousands of possible usernames or email addresses and eventually enumerate a list of valid account names.

Armed with a list of valid usernames, the next step is to use a script to try to guess the password. Although the likelihood of a successful brute-force attempt is low, this is the main reason why you should hide the CMS administration login page.

To do that, there’s a free plugin called WP Hide & Security Enhancer. The plugin allows you to modify your rewrite rules directly from your admin panel. In the screenshot below you can see the default login page being changed to something completely different. The plugin also provides you with a backup link should you not be able to access your new login URL.

 

Enabling Multi-factor Authentication

Multi-factor authentication (MFA) is a security measure that requires more than one method of authentication, from independent categories of credentials, to verify the user’s identity for a login or other transaction. For those of you who are not yet familiar with MFA, please take a quick look at Marclay’s MFA blog.

If you’ve already hidden your administration login page, you can further improve the security of the site by adding MFA. This means that even if somebody miraculously finds your now-hidden login page, then somehow manages to obtain your login details and attempts to log in, they will be presented with the following:

As you can see, even after getting this far a user still has to authenticate using the Google Authenticator app, which means that a hacker would also need immediate access to your phone. At this stage you would need to input a code that is regenerated every 30 seconds on your phone. So, as you can imagine, it is now almost physically impossible to gain access thanks to MFA. To add this to your site you can use the miniOrange MFA plugin.

 

TLS Certificates

We often see websites that have an SSL certificate installed. Some administrators then think this has secured their website and all traffic is safely encrypted. Unfortunately, in 2018, this is not the case: there are more steps that need to be taken to ensure that the SSL/TLS protocol is being put to best use on your site.

To make sure you are making full use of TLS, implement HTTP Strict Transport Security (HSTS). To do this, you will need to add the following header to your website (the directive below is for Apache with mod_headers). Make sure it is on one line in your configuration file:

Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS

For ‘max-age’, you can start off with a small number and then gradually increase it as you test all pages and are happy that your site works with the header.

Finally, ‘preload’ ensures that your domain qualifies to be submitted to Google’s list of websites that can only be accessed over HTTPS. This will prevent your website being a victim of an SSLStrip attack. For more information, take a look at a detailed HSTS guide.

 

Other Headers that can stop web attacks

A great tool for testing your website’s security is securityheaders.io. This site will do a quick scan of your site and let you know what security headers are missing, and most importantly what you can do to fix them. By default, WordPress will be missing the following security headers:

X-XSS-Protection
X-Frame-Options
X-Content-Type-Options
Referrer-Policy
Content-Security-Policy

Adding the following headers to your website will fix the first four of these (Content-Security-Policy is covered separately below):

Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options DENY
Header set X-Content-Type-Options nosniff
Header set Referrer-Policy strict-origin

The X-Frame-Options header controls whether browsers may display your pages inside an iframe on another site, which helps prevent clickjacking and similar social engineering attacks. With DENY, nothing may frame your pages at all, so if your site relies on any content being loaded within an iframe, you will have to explicitly allow it. If you load iframes of your own pages from your own application, set the header to SAMEORIGIN instead.

The CSP header is known not to work very well with WordPress. If you find that it is causing issues, you can remove it by setting the following in your .htaccess file:

<IfModule mod_headers.c>
Header unset Content-Security-Policy
</IfModule>

Other headers to consider changing are the Server and X-Powered-By headers. These provide useful information to hackers by revealing the software and its version number: should your server version be vulnerable to a known issue, anyone who can access the application will be able to see it. It is considered best practice to replace the value of the Server header with something low-risk like ‘Server’ and to remove X-Powered-By.
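As an added example (not from the original post or from securityheaders.io), the following offline check reports which of the headers discussed in this section and in the TLS section are missing or weak in a set of response headers. The two sample header sets are constructed to resemble a default WordPress install and the same site after the headers above are applied.

```python
# Added example (not from the post or from securityheaders.io): an offline audit of a set of
# response headers against the headers this article says WordPress lacks by default.
import re

EXPECTED = ["Strict-Transport-Security", "X-XSS-Protection", "X-Frame-Options",
            "X-Content-Type-Options", "Referrer-Policy", "Content-Security-Policy"]

def parse_hsts(value):
    """Return (max_age or None, set of lower-cased flags) for a Strict-Transport-Security value."""
    max_age, flags = None, set()
    for part in (p.strip().lower() for p in value.split(";")):
        if part.startswith("max-age=") and part[8:].isdigit():
            max_age = int(part[8:])
        elif part:
            flags.add(part)
    return max_age, flags

def audit_headers(headers):
    """Return findings ("missing: ...", "weak: ...", "leak: ...") for a dict of response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = [f"missing: {name}" for name in EXPECTED if name.lower() not in h]
    if "strict-transport-security" in h:
        max_age, flags = parse_hsts(h["strict-transport-security"])
        # The HSTS preload list requires max-age of at least one year (31536000) plus includeSubDomains.
        if "preload" in flags and (max_age is None or max_age < 31536000 or "includesubdomains" not in flags):
            findings.append("weak: Strict-Transport-Security is not eligible for preload")
    if h.get("x-frame-options", "DENY").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("weak: X-Frame-Options should be DENY or SAMEORIGIN")
    # A version number in Server or X-Powered-By tells every visitor exactly what software runs the site.
    for name in ("server", "x-powered-by"):
        if name in h and re.search(r"\d+\.\d+", h[name]):
            findings.append(f"leak: {name} reveals a version ({h[name]})")
    return findings

# Constructed sample: an unhardened WordPress site on Apache.
SAMPLE_DEFAULT = {"Server": "Apache/2.4.29 (Ubuntu)", "X-Powered-By": "PHP/7.2.10"}

# Constructed sample: the same site after the headers from this article are applied.
SAMPLE_HARDENED = {
    "Server": "Server",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin",
    "Content-Security-Policy": "default-src 'self'",
}
```

Run `audit_headers()` over the headers your own site returns (for example as captured by your browser's developer tools) to see the same three kinds of finding.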

Now that the web server and headers are configured you can look at securing some of the WordPress features and content.

 

Deploy a Web Application Firewall

If you have implemented the steps above, the admin panel is now very secure from unauthenticated access, but one threat remains: bots and malicious requests.

For those of you who have ever looked at the logs of web servers running on the internet, you’ll have seen plenty of ‘crawlers’ from all over the world. Some of these are good and are indexing your page ready to be searched on Google, Bing etc. Others are not so good and are just trawling the web for poorly secured websites; once they find such a site they will quickly run some tests and most likely report back to an attacker that there could be a potentially vulnerable application ripe for exploitation. Thankfully, you can employ a Web Application Firewall (WAF) to combat this, as well as other threats.

Marclay’s team recommends Wordfence. It has a free and a premium version; for me the free version suffices, but you may wish to look at some of the benefits of the premium version depending on your budget and requirements.

There are many benefits of deploying a WAF on your WordPress site. For example, in Wordfence you can rate-limit requests (attempts to interact with your website/server). Usually when somebody is looking for a vulnerability they will use an automated tool. The WAF can immediately detect this and provide you with options on what to do: throttle (reduce) their requests or block them altogether for a length of time of your choosing.

A WAF will also further harden your WordPress login. It can deter anybody from being able to identify valid users (as discussed above), as well as blacklisting a malicious user attempting to log in with certain usernames.

There are lots of other helpful features for you to look at and use within Wordfence, and I would encourage you to make the most of these on your site.

If you take the time to implement these steps on your WordPress website you will be very secure. There is one final matter: housekeeping.

A well-maintained website will have a much higher availability rate than one that is never maintained. For your site to be as efficient as possible you need to ensure that it is kept up to date. There is a handy feature within the WordPress admin panel that allows for email alerts whenever the WordPress CMS or one of its plugins needs updating. You should aim to keep everything as up to date as possible, usually within 12-24 hours of release, to prevent possible compromise.

Also, it is probably worth carrying out these updates and checks out of business hours to prevent disruption. And finally, always back up your site before any major updates.

We hope this guide has been helpful. If you would like to talk to us about the security of your website (or anything else cyber security related), please call our team on +44 2030 393 394 or send us an email: info@marclay.co.uk


[1] https://trends.builtwith.com/cms

[2] Note – you should make a backup of your website before making any changes. This guide assumes that you understand how to edit your web server’s configuration and rewrite rules, whether nginx, Apache or anything else.