Website security, just like backups of years of family photos, is something that we often worry about only when it is too late.
In today’s post I would like to show you how to easily add a layer of protection to any WordPress website.
Why and How WordPress Websites Get Hacked?
Usually WordPress websites are focused around content (posts, articles, photos) and not financial information (orders, credit card info, etc.). This make them a good target for Blackhat SEO tactics, such as injecting links to dubious websites selling even more dubious products or services.
Another common reason for hacking WordPress websites is the creation of “spam bot networks”, and not to “steal a million dollars”. This is why a compromised website can go unnoticed for weeks and even months.
Outdated WordPress, Plugins and Themes
By default, from version 3.7 and above, a WordPress site will update itself when a new minor or security update is released. This means, that if you’re on WordPress 4.8.0 and version 4.8.1 is released, WordPress will auto update itself when a visitor hits it (usually in the first 24 hours since the release of the update).
This means that security vulnerabilities found in WordPress itself are quickly patched up and generally don’t require manual actions from a website administrator.
Unfortunately Themes and Plugins are always open targets. The more complex a theme is, the higher the probability that a piece of code somewhere could be exploited, given the right circumstances.
Some themes come with a bunch of bundled scripts and plugins, most of them from different developers and of different code quality.
Revolution Slider Hack of 2014 (SoakSoak)
Back in August 2014 a major vulnerability was discovered in a very popular premium slideshow plugin called Revolution Slider.
The plugin contained a vulnerability that allowed hackers to easily download any file on the server, including the wp-config.php file that contains database credentials.
This plugin was bundled with hundreds of premium WordPress themes, including the most popular WordPress themes (to this day) on ThemeForest. A few weeks later a list was disclosed with all ThemeForest themes that included this plugin.
At that time the list included 292 themes that contained a vulnerable version of RevSlider and 905 that were patched in a timely manner.
This means that users of 1197 premium WordPress themes (just on ThemeForest) were most likely vulnerable at some point in time, before and after the vulnerability became publicly known.
And then, some 2 years later, also in the month of August, this happened:
The Famous Mossack Fonseca Hack in 2016 (aka #PanamaPapers)
#PanamaPapers was one of the biggest worldwide scandals of 2016.
The Panama Papers consist of 11.5 million files leaked from the Panama-based law firm Mossack Fonseca. At 2.6 terabytes of information, it’s one of the biggest leaks of information ever (dwarfing the Snowden leaks or WikiLeaks).
According to reports (here and here), the attacks most likely went through an outdated (and vulnerable) version of the Revolution Slider plugin. There were also a bunch of vulnerabilities in an outdated version of Drupal that MF were running on their website.
The bottom line is this: Mossack Fonseca were negligent with the software that was running on their servers. Incidentally the same servers hosted client data that shouldn’t have been there.
Back to WordFence Security Plugin
Now that we know what the consequences of a neglected website can be, let’s talk about one of the most popular (and free) plugins for WordPress: Wordfence Security.
At the time of writing this (August 2017) WordFence is powering over 2 million WordPress websites.
How to Install WordFence Security
Thankfully the plugin is available for free in the official WordPress.org repository, which means that installation is quick and easy and updates are automatic.
How to Set Up WordFence Security
When activating WordFence for the first time, you will see a notice with a “Click to Configure” button.
Here’s the initial Configuration screen. Just click the “Continue” button.
As the plugin will modify your .htaccess file in the next step, it first makes you download a backup of the current .htaccess file.
First click the “Download .htaccess”, which will activate the “Continue” button.
Here’s the Firewall configuration page of the plugin, the Web Application Firewall tab. It might be a little overwhelming, but usually you don’t have to do anything here.
However I do recommend that you switch to the “Brute Force Protection” tab and set stricter rules.
The screenshot below contains the default values.
I would change the 4 highlighted options to this:
- Lock out after how many login failures: 3
- Lock out after how many forgot password attempts: 2
- Count failures over what time period: 12 hours
- Amount of time a user is locked out: 1 day
It is also a good idea to open the “Rate Limiting” tab and set up some crawling restrictions.
Generally I change at least the 3 options that are highlighted in the screenshot below.
- If a human’s pages not found (404s) exceed: 15 per minute – throttle it.
Be extra careful with this option. Missing images in posts and pages can very quickly lead to real visitors getting locked out.
- If 404s for known vulnerable URLs exceed: 2 per minute – block it.
- How long is an IP address blocked when it breaks a rule: 6 hours
More WordFence Options
After setting up the Firewall options described above, let’s check the rest of the WordFence options. Open the WordFence > Options page.
Some important options are not set up properly by default, so let’s fix that. Below are some of the more important ones:
- Enable Live Traffic View: disable it (saves some server resources).
- Update Wordfence automatically when a new version is released?: enable it.
- Email me if Wordfence is deactivated: keep it enabled.
- Alert on critical problems: keep it enabled.
- Alert when the “lost password” form is used for a valid user: keep it enabled.
- Alert me when someone with administrator access signs in: keep it enabled.
- Hide WordPress version: enable it.
- Block IPs who send POST requests with blank User-Agent and Referer: enable it.
- Disable Code Execution for Uploads directory: enable it.
Now your website should be much safer from malicious activity at no extra cost.
Please keep in mind that nothing is always 100% bulletproof. There are many other ways that a hacker can break into your website: guessing your password, gaining access to your email account, hacking your WiFi connection, gaining access to a unprotected website on the same shared hosting server, etc.
But having a properly configured security plugin and keeping up with updates should considerably increase your website’s online security.
Do this today and stay safe!