of a third of sites nowadays. It is the CMS platform of choice for our community, in part through the many SEO features that can be implemented on it. It is therefore relentlessly attacked, largely for the sake of SEO spam, and the attacks may get worse.
Here is an overview of the basics of WordPress and ways to ensure the security of your WordPress site.
Is WordPress safe?
The latest version of WordPress is very secure. Failing to update it, among other things, can make it dangerous. That is why many security professionals and developers are not fans of WordPress. WordPress also has the look of inherently insecure PHP spaghetti code, though WordPress itself warns that vulnerabilities "come from extensible parts of the platform, specifically plug-ins and themes."
WordPress updates
There is no 100% secure system. WordPress needs security updates to run safely, and these updates should not affect you negatively. Enable automatic security updates. Before updating WordPress core, however, make sure that everything is compatible. Update plugins and themes as soon as compatible versions are available.
Open Source Code
WordPress is open-source software, which has advantages and disadvantages. The project benefits from a community of developers who contribute to the core code, and the core team fixes security flaws the community finds, while attackers look for ways to exploit them. Known vulnerabilities get scripted into scanning tools that detect running versions matching the vulnerable ones, including yours.
Protect Yourself First
There are things you can do to protect yourself even when you do not have an administrator role. Make sure you work on a secure network from a regularly scanned workstation. Block advertisements to prevent sophisticated attacks that pose as images. Use a virtual private network (VPN) for end-to-end encryption when working on public Wi-Fi hotspots, to prevent MITM and session attacks.
Secure password management is important, no matter what your role is. Make sure your password is unique and long enough. Combinations of numbers and letters are not safe enough, even with punctuation, when the password is not long enough. You need long passwords. If you need to memorize one, use a four- or five-word phrase, but it is best to use a password manager that generates passwords for you.
Length of password
Why is length so important? In simple terms, eight-character passwords crack in less than 2.5 hours using a free, open-source utility called Hashcat. No matter how unintelligible a short password is, it takes only a few hours to crack. From 13 characters or more, cracking begins to become insurmountable, at least for now.
If you have an administrator user role, create a new user limited to the editor role. Start using the new profile instead of the administrator. That way, attacks from the network will target your editor-role credentials. If that session is hijacked, you still have the option, as the administrator, to change passwords and shut the intruder out. Encourage everyone, perhaps with the help of a plugin, to follow a strong password policy.
If you have security experience, do code audits of your plugins and themes (of course). Apply the principle of least privilege to all users. Attackers are then forced to resort to other tricks, such as escalating shell privileges on the host, which means attacking targets other than WordPress credentials.
Change file permissions
If you control the host, set up an SFTP account for yourself. Use cPanel, if you have it, or whichever administrative user interface you have access to. The same credentials may also let you open a secure shell (SSH) terminal window. That way you can apply additional security measures using system utilities and so on.
Locking Critical Files
Some files should never be readable by anything except the PHP process running WordPress. You can change their file permissions and edit the .htaccess file to lock them down further. To change the permissions on a file, use your SFTP client (if it offers the option) or open a shell terminal window and run the chmod utility.
$ chmod 400 wp-config.php
$ ls -la
This means that only the file's owner, which should be the user the PHP process running WordPress runs as, can read the file, and nothing else can; if the file is owned by a different account, chmod 400 locks WordPress itself out, so check the ownership first. The file should never have the execute bit set, as it would with chmod 700. You should always have zeros in the second and third places; that is what locks it. Check your change using the ls utility with the -la options and take a look.
Permissions this strict mean nothing can write to the file, not even WordPress itself. You may need to restore write permission with $ chmod 600 wp-config.php when a major WordPress update changes it. This should happen extremely rarely, if ever.
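An audit script for the permission rules just described, added here as an example and not part of the original article. It checks that wp-config.php has mode 400 (or 600 during an update), no execute bit, and is owned by the user the PHP process runs as; it assumes GNU coreutils stat, and the path and PHP user names in the demo are placeholders.

```shell
#!/bin/sh
# Added example (not from the article): audit whether wp-config.php is locked
# down as described: mode 400 or 600, owner = the user PHP runs as, no group
# or other access, no execute bit. Assumes GNU coreutils `stat` (Linux).

# Print the octal permission bits of a file, e.g. 400.
file_mode() { stat -c '%a' "$1"; }

# Print the owning user name of a file.
file_owner() { stat -c '%U' "$1"; }

# Return 0 if the mode is exactly 400 or 600 (owner only, no execute), else 1.
mode_is_locked() {
  case "$1" in
    400|600) return 0 ;;
    *)       return 1 ;;
  esac
}

# Full check: $1 = path to wp-config.php, $2 = user the PHP process runs as.
# Prints a verdict and returns 0 only when both ownership and mode are right.
check_wp_config() {
  f=$1; php_user=$2; ok=0
  [ -f "$f" ] || { echo "missing: $f"; return 2; }
  mode=$(file_mode "$f"); owner=$(file_owner "$f")
  if [ "$owner" != "$php_user" ]; then
    echo "WARN $f is owned by $owner, not $php_user: chmod 400 would lock PHP out"
    ok=1
  fi
  if ! mode_is_locked "$mode"; then
    echo "WARN $f has mode $mode: run 'chmod 400 $f' (600 only while updating)"
    ok=1
  fi
  [ "$ok" -eq 0 ] && echo "OK $f mode $mode owner $owner"
  return "$ok"
}

# Demo on a scratch file so it runs anywhere; for real use, point it at the
# actual file (e.g. /var/www/html/wp-config.php) and PHP user (e.g. www-data).
tmp=$(mktemp -d); sample="$tmp/wp-config.php"
: > "$sample"; chmod 644 "$sample"
check_wp_config "$sample" "$(id -un)" || true   # WARN: mode 644 is too open
chmod 400 "$sample"
check_wp_config "$sample" "$(id -un)"           # OK
rm -rf "$tmp"
```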
WordPress Login File
I like to lock down the wp-login.php file with the help of .htaccess rules. Limiting access to my own IP addresses is ideal when I work from a statically assigned IP address, or from a handful of addresses for myself and a few users. Changing the settings when you log in from another location is not difficult, provided you have a shell on the host: just comment out the deny directive, log in with your browser, and then uncomment it.
XSS and SQL injection
The most frightening attacks you will encounter are cross-site scripting (XSS) and SQL injection. There are .htaccess query-string rewrite rules you can use to stop some of them, and you may prefer a plugin that handles this for you. If you know how, rewrite, redirect, or block the query-string signatures of attacks you know about or see in your logs.
Some security plugins analyze your installation for signs of compromise. Wordfence is a popular security plugin, and it is updated regularly. Sucuri Scanner has a paid option that will scan your installation. NinjaFirewall tries to limit query-based attacks by blocking them before they reach WordPress core. You can also write an application using Google's new Web Risk API to analyze the pages of your site.
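The .htaccess handling from the two sections above, written out as an added example rather than code from the article: it generates the wp-login.php address restriction, implements the "comment out the deny directive, log in, uncomment it" routine, and appends a small query-string filter for the XSS and SQL-injection signatures mentioned. It assumes Apache 2.2-style access directives (mod_access_compat on Apache 2.4) and mod_rewrite; the addresses are TEST-NET placeholders.

```shell
#!/bin/sh
# Added example (not from the article): manage the .htaccess rules that limit
# wp-login.php to listed addresses, toggle the Deny line the way the text
# describes, and append a small query-string filter.
# Assumes Apache 2.2-style access directives (mod_access_compat on 2.4) and
# mod_rewrite. 203.0.113.10 and 198.51.100.0/24 are placeholder addresses.

# $1 = path to .htaccess, remaining args = IPs or CIDR ranges allowed to log in.
write_login_rules() {
  htaccess=$1; shift
  {
    echo '<Files "wp-login.php">'
    echo '    Order Deny,Allow'
    echo '    Deny from all'
    for addr in "$@"; do echo "    Allow from $addr"; done
    echo '</Files>'
  } > "$htaccess"
}

# Lift the lock temporarily by commenting out the Deny line (edits in place).
open_login()  { sed -i.bak 's/^\( *\)Deny from all$/\1#Deny from all/' "$1"; }
# Restore the lock by uncommenting it again.
close_login() { sed -i.bak 's/^\( *\)#Deny from all$/\1Deny from all/' "$1"; }
# Return 0 when the Deny line is active, 1 when it is commented out.
login_locked() { grep -q '^ *Deny from all$' "$1"; }

# Append rewrite rules that refuse requests whose query string carries crude
# XSS / SQL-injection signatures. Illustrative only: a real ruleset needs
# tuning against your own logs to avoid false positives.
append_query_filter() {
  cat >> "$1" <<'EOF'
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C)script [NC,OR]
RewriteCond %{QUERY_STRING} union(\s|\+|%20)+select [NC]
RewriteRule .* - [F,L]
EOF
}

# Demo on a scratch copy; point it at your document root's .htaccess for real.
tmp=$(mktemp -d)
write_login_rules "$tmp/.htaccess" 203.0.113.10 198.51.100.0/24
append_query_filter "$tmp/.htaccess"
open_login "$tmp/.htaccess";  login_locked "$tmp/.htaccess" || echo "open: log in now"
close_login "$tmp/.htaccess"; login_locked "$tmp/.htaccess" && echo "locked again"
cat "$tmp/.htaccess"; rm -rf "$tmp"
```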
About the Author
Detlef Johnson is the editor-in-chief of Third Door Media. He writes a column for Search Engine Land titled "Technical SEO for Developers". Detlef is part of the original group of pioneering webmasters who created the field of professional SEO more than 20 years ago. Since then, he has worked for leading search engine technology providers, managed programming and marketing teams for the Chicago Tribune, and consulted for many entities, including Fortune 500 companies. Detlef has a solid understanding of technical SEO and a passion for web programming. As a recognized technology moderator of our SMX conference series, Detlef will continue to promote SEO excellence with marketing programmer capabilities and webmaster tips.