Blog Security 101 – Part 2

The first part of this article covered some of the basics of WordPress security. This installment focuses on basic steps you can take to address vulnerabilities that are common to web applications in general and those that are unique to WordPress itself.

A Foundation in Good Security

Before we start with installing plugins or changing file and folder permissions we need to start with you and your computer.

Think about it: you are the admin of your blog; you have control over everything, and you use your computer to access that blog. If these two things are not secured then nothing else you do for security matters, because your blog will be easy to compromise.

Is your computer malware free?

Before you install WordPress onto your server, before you create the database, before you do anything related to your blog, make sure that your computer is free of viruses, worms, Trojan horses, spyware, etc. Malware that resides on your computer has the ability to log every action you take and report it back to another computer. If it sees you log in to your bank, it can capture your account and password information; likewise if it sees you log in to www.yourblogname.com/wp-admin it can capture your username and password. If the bad guys have this information then they own your site. Make sure that you update your anti-virus software and run it frequently. If you already have a blog set up, take this precaution anyway. If you find malware on your computer, clean it off and change your password immediately. Check to see whether any additional admin accounts have been created as well; if they are not ones you recognize then you should think about deleting them.

Speaking of passwords…

Are you one of those people who use a strong password? That’s good, as long as you use different strong passwords for all of your different accounts. People who use the same password over multiple accounts run the risk of that password being compromised somewhere. If an attacker has that and it works on all of your accounts then they have access to everything. Instead of just password complexity, think password diversity. If you have trouble remembering all of those passwords then use a piece of software known as a password safe to store them in.

Stay up to date

One final word on security fundamentals; stay up to date. It was mentioned that your anti-virus software should be up to date at all times. This is so it can identify all of the latest malware that is out there. Likewise, your WordPress installation should be up to date and all of your plugins should be as well. These updates usually address any known vulnerabilities in the code itself.

The Plugins

One of the easiest ways to add functionality to any blog is with a plugin. Plugins can help you secure your blog, but they can also be the way someone breaches it.

Plugins contain code, and it is that code that may be vulnerable to attack, so it is important that you keep your plugins updated and remove any plugins you are not using on your blog. While you are at it, remove any themes that are not being used, as these may contain vulnerabilities too. For the same reason, only install themes and plugins that come from reliable, trusted sources.

As previously stated, plugins can also be used to help secure your blog. At a minimum, you should install plugins to handle the following:

  • System hardening
  • System scanning
  • File monitoring
  • Firewall tasks
  • Backup and recovery

One plugin, Better WP Security, takes care of most of the items on the list above. It will help hide essential information from potential attackers by taking steps like changing the URLs for the dashboard, renaming the admin account, changing the database table prefixes and much more. It will also protect the application itself by forcing strong passwords, limiting file editing and scanning a site to find vulnerabilities, among other things. Other features included in this plugin are the ability to monitor the file system for changes, schedule backups of your database and look out for automated attacks from bots.

The drawback to this plugin? It isn’t fully functional for blogs that have WordPress installed on a Windows IIS server; it only works to its fullest on Apache, LiteSpeed or NGINX web servers (NGINX will require you to edit your virtual host configuration manually). If you are unsure which web server software your host runs, check with your hosting provider.

If Better WP Security isn’t the plugin you want to go with, there are others that can handle different aspects of security for your blog. One of the most highly regarded plugins is Acunetix WP Security. Created by a leader in the web application security space, this plugin will do many of the same things that Better WP Security does to obscure information from attackers, harden the system and back up your blog. What it does not do is monitor files to see if anything has been changed, and it does not have the same ability to thwart attacks from bots and other agents. There are some other features it lacks that can be found in Better WP Security; however, Acunetix does work on Windows IIS web servers as well as Apache, LiteSpeed and NGINX. It will also scan your blog and provide a security overview report with information on any vulnerability it finds. This alone makes WP Security worth a look, as Acunetix sells professional vulnerability scanning tools to many leading security firms.

Your blog should also run a web application firewall in front of it to protect against outside attacks. Plugins like NinjaFirewall for WordPress will protect against threats like cross-site scripting, brute-force scanners and shell scripts. It will also sanitize input to guard against attacks like SQL injection and block attackers from scanning your site for vulnerabilities. These tools are so important that the credit card companies strongly suggest they be used on any e-commerce site. This one is free and provides a solid barrier of protection for your blog.

There is one other plugin that needs to be mentioned as it takes the place of all three of the ones mentioned here and that is the Sucuri WordPress plugin. Not only is it the most comprehensive security plugin you will find, customers also have access to a great support team if they run into any configuration or management problems. Unlike the others, Sucuri does come with a yearly subscription fee but if your blog is part of your business it might just be worth the $90.

Using the .htaccess file

Many security checklists will tell you to change file and folder permissions, and this is a good thing because it helps prevent unauthorized access to your site’s files. That isn’t covered here in much detail because the plugins mentioned above will take care of it. If you want to do it yourself, you can use any FTP program and follow the guidelines under the File Permissions section at http://codex.wordpress.org/Hardening_WordPress.

While file permissions will not be looked at, making some changes to the .htaccess file will be. This file defines access control to certain areas of your web site, and in this instance your WordPress site.

To edit the .htaccess file you will need an FTP program or the file manager that most web hosting companies offer as part of their management console; either will do for making changes to the file.

Once opened you should see something that looks like this (the rewrite rule uses a plain hyphen, which tells mod_rewrite to leave the URL unchanged):

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

We are going to add our rules after the # END WordPress line so that when WordPress updates its own section of the file your changes will not be overwritten.

The first file to protect is wp-config.php, which stores the database credentials and other information about the site itself. To the .htaccess file add:

<Files wp-config.php>
order allow,deny
deny from all
</Files>

Once saved, this will deny outside access to wp-config.php.

You can add a similar snippet to protect the .htaccess file itself. Using:

<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>

will do just that.
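As an added example (not code from the original post), the small POSIX shell helper below appends both protection blocks after the # END WordPress section, guarded by a marker comment so that re-running it from a deploy script does not duplicate the rules. It also wraps each block so that Apache 2.4 hosts use the newer Require all denied form while older 2.2 hosts keep Order/Deny; on Apache 2.4 without mod_access_compat the old directives alone make the whole .htaccess fail with a 500 error. The marker name is my own choice, and I assume mod_authz_core is available on any 2.4 host.

```shell
#!/bin/sh
# Added example: append WordPress hardening rules after the "# END WordPress"
# block, so a WordPress update (which rewrites only its own BEGIN/END section)
# leaves them intact. A marker comment makes the operation idempotent.
# Assumption: Apache 2.4 exposes mod_authz_core; older 2.2 hosts do not.

HARDEN_MARKER='# BEGIN blog-hardening'   # our own marker, not a WordPress one

harden_htaccess() {
    htfile="$1"
    # Already applied? Then do nothing (safe to re-run from a deploy script).
    if grep -qF "$HARDEN_MARKER" "$htfile" 2>/dev/null; then
        return 0
    fi
    cat >> "$htfile" <<'EOF'

# BEGIN blog-hardening
# Deny all web access to wp-config.php (database credentials and salts)
<Files wp-config.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>
# Deny all web access to .htaccess, .htpasswd and similar files
<Files ~ "^.*\.([Hh][Tt][Aa])">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
    Satisfy all
  </IfModule>
</Files>
# END blog-hardening
EOF
}

# How many copies of the hardening block a file holds (expect 0 or 1).
hardening_count() {
    grep -cF "$HARDEN_MARKER" "$1" || true
}
```

Run it as `harden_htaccess /path/to/your/.htaccess` after taking a copy of the file; a second run is a no-op.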

Securing a WordPress site means being constantly vigilant. The methods attackers use to compromise sites are always evolving. New vulnerabilities are discovered every day, so staying on top of things is paramount.

While no site will ever be 100% secure against attack, these tools will certainly help keep most of the bad guys out and will alert you to any that do make their way past your defenses.

Blog Security 101 – Part 1


There is no doubt that WordPress is the most popular web application for building a presence on the Internet. Currently, there are over 74 million web sites using WordPress and that number makes up a staggering 18.9 percent of all web sites on the Internet. But being so popular has a price; when the bad guys know that so many people use your software it becomes a target. Add to the mix the fact that your application is so easy to use that people without a great deal of technical knowledge can operate it and you start to make malicious hackers salivate; just ask Microsoft.

According to research conducted by the security firm Sophos, 73 percent of WordPress installations are found to be vulnerable to attack. This means that the site’s owner has not hardened the application enough to stop an attacker from breaking in by exploiting a known vulnerability.

If those facts have you worried take a deep breath and relax. We’re going to show you some ways that you can better secure your blog against malicious hackers and make it difficult enough that most attackers will move on to an easier target and leave your site alone.

The very basics

If we are going to look at security from the ground up it is important to understand some of the terminology that is thrown around. The word hacker is used outside of the security industry to describe the bad guys who are trying to compromise your blog. The pros, on the other hand, opt for the terms threat actor, criminal or attacker; most of them despise the term cybercriminal. A breach is when a threat actor successfully breaks into your system, in this case your blog, and this is done by exploiting a vulnerability.

Most of the time, we think of the attacker as someone who is trying to break into our site so they can steal financial information like credit card numbers or usernames and passwords. These are common targets of the threat actor, but they are not the only reasons why they might target your blog.

Blogs are targeted by some attackers to help other sites rank better in the search engine results. A blog is breached and the attacker injects links to another web site in the comment section or even in the posts themselves. These links may not be easy to spot, since the attacker can easily remove the underline (text-decoration) and change the color of the anchor text with CSS. These links can harm the reputation of the breached site, since they often point to low-quality sites, sites that promote illegal or illicit activities, or sites that host malware. Which brings us to another reason why WordPress sites are often targeted.

One of the most common reasons why a site might be attacked is so that the criminal behind the attack can upload malware to the targeted site. When this happens the malware can be used to exploit vulnerabilities in the web browsers of the site’s visitors. Malware is then loaded onto the visitor’s computer just because they went to a blog, and it might even be a blog that they trust. Sites that are guilty of this are flagged by search engines like Google and are usually removed from the results, costing the site a great deal of traffic and doing serious damage to its reputation.

The last type of attack we will mention here is known as a Denial of Service attack. This occurs when the attacker knocks a site offline so that legitimate visitors cannot access it. Usually this is done by flooding the server with enough traffic and requests that the web server hosting the site just gives up. Attackers typically use other people’s computers to do this, ones that have been infected by malware and taken over, or they use other techniques. These attacks can come at the hands of a hacktivist, someone trying to take the site down for political or social reasons; a competing business or web site; or a young threat actor trying to hone their skills.

How they get in

We mentioned vulnerabilities earlier as the way attackers breach a blog. These vulnerabilities can come from a number of places:

  • The WordPress code itself
  • A plugin
  • A template
  • Brute force attacks
  • The user

WordPress itself is a software application and at times, people find holes in the code. Many times, it is the wp-config file or the wp-includes folder that are targeted. When these holes are found, the people who maintain WordPress work to patch it so that the hole is no longer a vulnerability. This is one reason why WordPress is updated and the most important reason to make sure that you are always running the most current version of WordPress on your site.

Plugins present the same problem; they consist of code and can have holes in them that allow attackers in. For this reason, you should be careful about what plugins you install on your site and you should make certain to remove any plugins that are not being used. Plugins have also been known to have exploits written into them with the purpose of giving attackers access to any site that installs and activates them. This is not a common scenario, but it has happened. The best way to avoid this is to install plugins only from the WordPress Plugin Directory. This is much safer than downloading the plugin from another site, as WordPress monitors the plugins in its directory.

Likewise, templates have been known to house security holes as well. Those inactive themes that are sitting in the themes directory and haven’t been updated since you installed them could be just the thing an attacker is looking for. There have also been themes that contained malicious code in them that can be used for nefarious things.

Brute force attacks are another common method used to breach WordPress blogs. An automated system seeks out blogs running the WordPress application and then goes to work trying to guess the password for the admin username. Since most blogs keep the admin account active, and with administrative rights, the attacker need only guess the password. This isn’t too hard for a program that can guess hundreds of thousands of passwords a minute when you consider that most passwords are ridiculously simple.

The final vulnerability we will look at here is the user. It was mentioned previously that there are sites out there that exploit holes in a web browser and install malware on the computer of a person who visited that site. Malware can also be installed through phishing attacks that contain malicious attachments and even through older methods like file sharing. Malware can do a number of bad things on a computer, and one of these is capturing keystrokes. In practice this means the attacker can see that a person is logging into a WordPress site and can steal the URL, the username and the password. This is just one more reason why you should run up-to-date anti-virus software on your computer, especially if you use that computer to access your blog.

Fighting back

A majority of attacks against WordPress sites happen because they are considered low-hanging fruit by the attacker, meaning they are easy to breach. Many of these attacks are so simple for the bad guys that they are automated, and the attacker never has to do more than let a few programs run to compromise thousands of WordPress sites.

While no WordPress site, or any other computer system, will ever be 100 percent secure against attacks, you can make it more difficult for any attacker who targets your site. If you have done a good enough job of hardening your site, they might move on to an easier target. If they are intent on breaching your site, and they are able to do so, your goal will be to identify the breach and clean up your site as soon as possible.

To help you better secure your blog, we have part two of this series coming soon. In the follow up post we will look at plugins, code hacks and other things you can do that will harden your blog against a majority of the common attacks out there.