WordPress gets a bad rap when it comes to security. Because WordPress powers over 35% of the web, it is an attractive target for hackers, crackers, and script-kiddies alike. Review the web server logs of any WordPress site, and you’ll feel worse than after reading YouTube comments.
When you run a high profile or high traffic WordPress site, it’s understandable that the hackers take an interest in it. But why do we see the same hack attempts on new WordPress sites running on a default theme with no content?
More often than not, hackers are interested in the underlying server resources more than the site itself. If they can hack enough sites, those can be used to create an army of bots. Since most of these hack attempts are automated, it is cheaper and easier to try and hack every WordPress site rather than classifying active vs. dev sites.
Think of it like the junk mail you receive for extended car warranty or insurance offers. It’s cheaper for the sender to bulk mail these letters to every household. Even if 0.1% of people respond, it still makes the scam profitable. Hackers use the same law of large numbers when trying to hack WordPress sites.
Does this mean that WordPress is the wrong choice for enterprise sites?
Since most of the hack attempts are automated, we can block them with security measures that are essential for any content management system.
WordPress hacks commonly fall in these categories:
Brute force logins
Brute force login attempts try to gain access to your site by trying commonly used username and password combinations. In the past, installing a plugin to block visitor IP after X failed attempts used to be sufficient. These days hackers rotate the IPs between login attempts to maximize chances of a successful login. We can stop these attacks effectively by switching to a whitelist based approach. By permitting admin access to a small list of approved IP addresses effectively blocks everyone else from accessing your site. If you use WooCommerce on your site, limiting access to a specified list of IPs for a certain number of critical user roles helps.
A byproduct of implementing a whitelist is that it helps find any plugins that rely on admin-ajax.php functionality. Replacing these plugins with better alternatives helps protect your site against the next type of hack.
Plugin and theme exploits are one of the reasons WordPress is considered insecure. With these, hackers try to use recent 0-day exploits to gain admin access to WordPress or install malware at scale. If you implement a whitelist to access wp-admin, some of these exploits are blocked automatically. For the rest, you can tweak your WAF to prevent direct access to .php files and block non-standard query strings.
Finally, we look at SQL injections. These are one of the oldest exploits and have a permanent place on the OWASP top 10 application vulnerabilities. To effectively protect WordPress against SQL injections, we need to go beyond WAF rules. Making sure that your plugins and themes are sanitizing inputs is essential to a secure site. Routine code reviews and instilling a culture of security-first coding helps keep your mission-critical site safe against these exploits.
While it’s true that no security measures are 100% effective, the ones listed here help you block most of the automated hacks. With a smaller attack surface, your WebOps team can work more effectively to protect your site.