WordPress 202: Website Security with WordPress

May 28, 2015 | Websites

In our previous article, we provided an introduction to WordPress along with some fun statistics as well as the pros and cons of WordPress. One of those cons is the security issues that come with WordPress.

Before we jump in, it’s worth noting that most website security issues are not exclusive to WordPress; they can happen to any website at any time, regardless of the web technology used to run it.

In this post our website developer covers how these issues arise in the context of WordPress and what can be done to identify them and protect your WordPress website.

How to Identify a Security Vulnerability or Security Breach

A website security breach could be completely buried in the code, hidden in plain view, or outright visible. For the average user, this means that something on your website can be wreaking havoc in places that aren’t used or are so far behind the scenes that it goes virtually undetected until it’s too late. These areas include theme files, plugin files, and even the database itself.

On the other hand, an issue can arise in a very public manner. Be wary of notifications showing random users trying to sign in to your website or trying to register a new user. Keep watch also for a flood of spam comments (even when commenting is turned off on the visible part of your website, these comments can still come through). The spam comments are usually the easiest to detect, often containing total gibberish or something irrelevant to the article topic.

Telltale signs that you’ve been hacked:

  • Your website suddenly has unknown links or advertisements included in the text (often linking to a pharmaceutical ad).
  • Your website or mobile site redirects to unknown URLs when clicked.
  • Unwanted results appear when you search for your business or website on major search engines.
  • Your website displays a message like “Your Website Has Been Hacked.”
  • Your website is experiencing a DDOS (Distributed Denial of Service) attack, which means it is currently under attack.

What Caused This?

Diagnosing the cause of a website security breach or hack is one of the most difficult parts of the security response process. Here is a list of the most common types of cyber attacks that can happen to a website:

PHP Backdoors

A PHP backdoor is a malicious piece of code that can be uploaded to a site to gain access to files stored on the server. This means that any file on the website can be edited, deleted, replaced, or downloaded from the server.

Malware

Just like a computer getting a virus when a malicious piece of code is downloaded or opened, a website server is susceptible to the same kinds of attacks. More often than not, website malware comes from insecure code being used on the website.

Cross Site Scripting (XSS)

Cross Site Scripting allows someone to inject client-side code into a web page that is viewed by other users. Once the code is injected, the attacker may be able to gain control of some, or potentially all, aspects of the website.

Black Hat SEO

Black Hat SEO is an attack on a website where unrelated keywords and meta tag information are secretly injected into the site. This doesn’t affect the website itself, but rather how it’s indexed by search engines. This issue can be found only by running a search for the website in question. Black Hat SEO can have serious implications for rankings on SERPs (search engine result pages), including lower rankings or being removed from results altogether.

DDOS Attacks

A Distributed Denial of Service attack involves the attacker creating connections to a site from multiple sources in an attempt to overwhelm the server and shut it down. This could take a site down for a period of time.

Brute Force Login Attacks

The simplest form of attack on a WordPress site, this method involves the attacker attempting to log in to the website’s backend by trying various username and password combinations. This means that if the website has weak login credentials (e.g. a password of “12345”), an attacker has a very good chance of gaining access to the website.

Another issue that arises from this type of attack is its effect on the speed of your website. Repeated login attempts consume memory on the server hosting the website, which can slow down load times dramatically or even cause your website to crash.

First Response: How to Clean a Hacked Website

So your site has been hacked! We need to clean it up and get everything back in working order. Here are some easy action items that you can do to get the ball rolling:

  1. Make sure WordPress and all WordPress plugins are updated.
  2. Contact your hosting provider and request to have the server scanned for any issues.
  3. Using FTP, search the site and delete any PHP files found inside the “uploads” folder.
  4. Check the .htaccess file in the root folder and in any sub-folders for code that redirects the site to an external website.
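Steps 3 and 4 as a shell triage script, added here and not part of the original article; it assumes shell access to the document root (the article uses FTP) and runs against a constructed sample site tree rather than a live installation.

```shell
#!/bin/sh
# Added example, not from the original article: shell versions of steps 3 and 4.
# Assumes shell access to the document root (the article uses FTP).

# Step 3: list files with PHP-like extensions below the uploads folder, which
# should only ever hold media. Review the list before deleting anything.
find_php_in_uploads() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) | sort
}

# Step 4: list .htaccess files (root and every sub-folder) containing a
# Redirect or RewriteRule whose target is an absolute http(s) URL, i.e. one
# that sends visitors to another site.
find_external_redirects() {
    find "$1" -type f -name '.htaccess' -exec grep -liE \
        '^[[:space:]]*(Redirect(Match|Permanent)?|RewriteRule)[[:space:]].*https?://' {} + 2>/dev/null | sort
}

# Constructed sample site so the checks can be run offline; the PHP files and
# the off-site rewrite are harmless placeholders, not real malware.
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/uploads/2015/05" "$site/wp-includes"
    printf 'not really an image\n' > "$site/wp-content/uploads/2015/05/photo.jpg"
    printf '<?php /* constructed placeholder */\n' > "$site/wp-content/uploads/2015/05/image.php"
    printf '<?php /* constructed placeholder */\n' > "$site/wp-content/uploads/cache.phtml"
    printf 'RewriteEngine On\nRewriteRule ^index\\.php$ - [L]\n' > "$site/.htaccess"
    printf 'RewriteEngine On\nRewriteRule .* http://example.invalid/ [R=302,L]\n' > "$site/wp-includes/.htaccess"
    printf '%s\n' "$site"
}

main() {
    site=$(make_sample_site)
    echo 'PHP files inside uploads (expected: image.php, cache.phtml):'
    find_php_in_uploads "$site/wp-content/uploads"
    echo 'htaccess files redirecting off-site (expected: wp-includes/.htaccess):'
    find_external_redirects "$site"
    rm -rf "$site"
}
main
```

On a real site, point `find_php_in_uploads` at `wp-content/uploads` and `find_external_redirects` at the document root; the root `.htaccess` normally contains WordPress's own `RewriteRule` lines, which do not match because they have no `http://` target.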

If those don’t get the job done, here are some more serious actions to take:

  1. Consider upgrading to a premium security solution such as managed WordPress hosting and/or Secure or ManageWP. While they may be a bit expensive, these solutions provide a solid foundation for your website security.
  2. Ask your hosting company to provide a server firewall and to install basic website protection such as Maldetect and ClamAV (Linux servers only). Some hosting companies provide this from the start, but most wait until they are asked before implementing it.

Once your website is completely cleaned and secured, go to Google and search for all of the website’s URLs by entering “site:example.com” into the search bar. From here you can check if Google indexed any of the Black Hat SEO links. If Google did index these malevolent links, follow these steps:

  1. Sign up for Google Webmaster Tools (this may require verifying the website by adding an HTML file to your server).
  2. Open the unwanted link and make sure it is removed from your site (it should come up with a 404 error message.)
  3. Log in to your Google Webmaster Tools account and select your website. Under “Google Index”, select “Remove URLs.”
  4. Click “create a new removal request” and add these links one at a time.

Be advised that the request could take up to 48 hours to complete. It may even be denied completely if the page you are requesting to have reviewed doesn’t return a 404 error.

Being Proactive: What Can You Do To Avoid This?

A WordPress user/developer’s greatest tool for staying up to date with the best website security practices is following the right resources. As mentioned in the previous article, WordPress’s community is filled with people who provide the most up-to-date information and tools. Because of this you do not need to be an expert in WordPress website security. Instead, just follow the experts and keep track of what they are saying. They will uncover vulnerabilities faster than you can imagine and provide the steps necessary to fix them.

Here are some things you can do to improve website security:

  1. Keep WordPress and all of the plugins up to date, as these updates usually include fixes for website security vulnerabilities.
  2. When setting your website up, never use the default “admin” username. Create a unique username and a difficult password that contains upper-case letters, lower-case letters, symbols, and numbers.
  3. Back up your website on a daily basis (some hosting companies provide this as a service, so check with them first).
  4. Secure important files like .htaccess and wp-config.php.
  5. Add a .htaccess file to the uploads folder that prevents any PHP files from executing.
  6. Check with your web hosting company if they have firewall, antivirus and antimalware tools in place and make sure they are up to date.

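Steps 4 and 5 as the .htaccess rules they call for, written out by an added shell script that is not from the original article; it assumes Apache with AllowOverride enabled for the site, and the document root in `main` is a constructed temporary directory.

```shell
#!/bin/sh
# Added example, not from the original article: writes the .htaccess rules for
# steps 4 and 5. Only effective on Apache with AllowOverride enabled for the
# site; nginx and PHP-FPM-only setups ignore .htaccess and need their own rules.

# Deny stanza that works on Apache 2.4 (mod_authz_core) and 2.2 (mod_authz_host).
deny_all_stanza() {
    cat <<'EOF'
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
EOF
}

# Step 5: .htaccess for wp-content/uploads. Requests for PHP-like files get a
# 403 instead of being handed to the PHP handler, so nothing uploaded there runs.
write_uploads_htaccess() {
    {
        printf '%s\n' '# Uploads hold media only: never serve or execute PHP from here.'
        printf '%s\n' '<FilesMatch "\.(php|phtml|php[0-9]|phar)$">'
        deny_all_stanza
        printf '%s\n' '</FilesMatch>'
    } > "$1/.htaccess"
}

# Step 4: append to the site-root .htaccess so wp-config.php (database
# credentials and salts) and the .htaccess files themselves cannot be fetched.
protect_root_files() {
    {
        printf '%s\n' '# Block direct web access to the config file and to .htaccess.'
        printf '%s\n' '<FilesMatch "^(wp-config\.php|\.htaccess)$">'
        deny_all_stanza
        printf '%s\n' '</FilesMatch>'
    } >> "$1/.htaccess"
}

main() {
    # Constructed document root; replace with the real site path when hardening.
    root=$(mktemp -d) && mkdir -p "$root/wp-content/uploads"
    write_uploads_htaccess "$root/wp-content/uploads"
    protect_root_files "$root"
    cat "$root/wp-content/uploads/.htaccess" "$root/.htaccess"
    rm -rf "$root"
}
main
```

After deploying, request a PHP-named URL under uploads and wp-config.php in a browser; both should return 403, and media in uploads should still load.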
On top of these steps, the following resources will help you stay up to date with the latest WordPress happenings and issues, while also providing the latest website security measures:

+ Hardening WordPress: http://codex.wordpress.org/Hardening_WordPres
Written by WordPress’s team, this resource lists the full gamut of WordPress-specific issues that can arise and the action steps you can take to protect your website. (Warning: may require the help of a web developer to decode the technical jargon.)

+ WordPress Vulnerability Database: https://wpvulndb.com/
This is a great site created by WordPress developers and users, with a running log of issues people find in WordPress platform versions, plugins, and themes. (ProTip: check this website before installing a theme or plugin and skip any potential issues.)

+ Plugin Vulnerabilities: https://wordpress.org/plugins/plugin-vulnerabilities/
This tattletale plugin scans a site once installed and reports whether other plugins running on the site have any current vulnerabilities.

Update These Now!

Here’s a list of very popular and widely used WordPress plugins that can create vulnerabilities on your website if they’re not kept up to date:

  • JetPack
  • W3 Total Cache
  • Slider Revolution (this comes packaged with many themes so it’s important to read what the updating policy is for that)
  • WordPress SEO
  • Google Analytics by Yoast
  • All In One SEO
  • Gravity Forms
  • Multiple Plugins from Easy Digital Downloads
  • UpdraftPlus
  • WP eCommerce
  • WP Touch
  • Download Monitor
  • Related Posts for WordPress
  • My Calendar
  • P3 Plugin Profiler
  • Give
  • Multiple iThemes products including Builder and Exchange
  • Broken Link Checker
  • Ninja Forms
  • WooCommerce

Stay Ahead, Stay Alert

The Internet can certainly seem like a scary place at times, and it definitely can be! The only way to be 100% secure is to not have a website at all, but the next best thing is to be educated. Staying ahead of the curve is half the battle against these website attacks and can prevent disaster from striking.

Think You’ve Been Hacked?

Speak with one of our account managers today about how our Web Development team can help!

Stay tuned for part 3 of our WordPress series.