WordPress Security from a 👨‍💻 Hacker's perspective


A few months ago I was approached by blank from blank on Fiverr regarding a “WordPress Development” job, but actually it had nothing to do with development; it was just building PBNs.

For those of you that don’t know, a Private Blog Network (PBN) is basically a bunch of blogs that all link to each other with relevant keywords in order to trick Google into ranking a target site higher. It’s usually hosted on cheap hosting that offers additional IPs for a couple of bucks.

The problems started appearing after a few weeks: the WordPress websites started getting hacked, redirecting to third-party websites, showing popups, creating new admin users...

I kept all the malicious files on GitHub for reference.

But why was this happening? Well, for one: CHEAP HOSTING.

When we talk about website security, people often overlook the server’s security and go straight to securing the application.

Here is how to properly secure your WordPress website and make it considerably harder to break into, even for experienced hackers.


Hide WordPress Login Page

One of the first things that you should do to secure your WordPress website is to change the login URL and the admin section. Why is this important? Scanners request /wp-admin to check whether the website is running WordPress (an anonymous request is redirected to wp-login.php, which gives it away) and then hammer /wp-login.php to brute-force their way into your admin section. Keep in mind that hiding the login page only removes the obvious target: credential attacks are also possible through xmlrpc.php (its system.multicall method lets one request test many passwords), so block that file as well if you don’t use it.

Here is a simple python script that detects WordPress using that very same method.
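The script itself is not reproduced on this page, so the following is an added example, not the author’s script, that detects WordPress the same way: it probes /wp-login.php for the stock login form and /wp-admin/ for the redirect to wp-login.php. The fetch callable returns (status, final URL, body), so the classifier can be exercised offline on the constructed responses below (example.test and the sample HTML are made up); `http_fetcher` builds a urllib-based fetcher for a real site.

```python
"""WordPress fingerprinting via /wp-login.php and /wp-admin/.

Added example, not the author's script. A Fetcher returns
(status, final_url, body) so the classifier runs offline on constructed
responses; http_fetcher builds one with urllib for a live site."""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

Fetcher = Callable[[str], Tuple[int, str, str]]

# Markers of an unmodified wp-login.php form.
LOGIN_MARKERS = (
    re.compile(r'<form[^>]+id="loginform"', re.I),
    re.compile(r'name="log"', re.I),        # username input
    re.compile(r'name="wp-submit"', re.I),  # submit button
)


def looks_like_wp_login(body: str) -> bool:
    """True when at least two of the stock login-form markers are present."""
    return sum(1 for m in LOGIN_MARKERS if m.search(body)) >= 2


def fingerprint(fetch: Fetcher) -> Dict[str, bool]:
    """Report what a scanner learns from the two classic probe paths."""
    status, _, body = fetch("/wp-login.php")
    login_exposed = status == 200 and looks_like_wp_login(body)

    # Anonymous requests to /wp-admin/ are redirected to wp-login.php with a
    # redirect_to parameter; the redirect target alone gives WordPress away.
    _, final_url, _ = fetch("/wp-admin/")
    admin_redirects_to_login = "wp-login.php" in final_url

    return {
        "is_wordpress": login_exposed or admin_redirects_to_login,
        "login_exposed": login_exposed,
        "admin_redirects_to_login": admin_redirects_to_login,
    }


def http_fetcher(base_url: str, timeout: float = 10.0) -> Fetcher:
    """Fetcher for a live site: follows redirects and reports the final URL."""
    def fetch(path: str) -> Tuple[int, str, str]:
        url = base_url.rstrip("/") + path
        req = urllib.request.Request(url, headers={"User-Agent": "wp-fingerprint/0.1"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.geturl(), resp.read(65536).decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            body = err.read().decode("utf-8", "replace") if err.fp else ""
            return err.code, getattr(err, "url", url), body
    return fetch


# Constructed responses (example.test is hypothetical): a stock install versus
# one whose login page has been moved, where both probe paths answer 404.
STOCK_SITE = {
    "/wp-login.php": (200, "https://example.test/wp-login.php",
        '<form name="loginform" id="loginform" action="https://example.test/wp-login.php" method="post">'
        '<input type="text" name="log" id="user_login">'
        '<input type="password" name="pwd" id="user_pass">'
        '<input type="submit" name="wp-submit" id="wp-submit" value="Log In"></form>'),
    "/wp-admin/": (200, "https://example.test/wp-login.php?redirect_to=https%3A%2F%2Fexample.test%2Fwp-admin%2F&reauth=1",
        '<form id="loginform"><input name="log"><input name="wp-submit"></form>'),
}
HIDDEN_LOGIN_SITE: Dict[str, Tuple[int, str, str]] = {}


def make_sample_fetcher(pages: Dict[str, Tuple[int, str, str]]) -> Fetcher:
    def fetch(path: str) -> Tuple[int, str, str]:
        return pages.get(path, (404, "https://example.test" + path, "<h1>Not Found</h1>"))
    return fetch


if __name__ == "__main__":
    print("stock install:", fingerprint(make_sample_fetcher(STOCK_SITE)))
    print("hidden login: ", fingerprint(make_sample_fetcher(HIDDEN_LOGIN_SITE)))
```

Run it against your own site with `fingerprint(http_fetcher("https://your-site"))` before and after installing a hide-login plugin; both flags should flip to False, otherwise the plugin is not actually removing the stock paths.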

You can use a plugin such as WebCraftic’s Hide Login to achieve this.

Change Default Admin Username


To brute-force their way in, hackers often use lists of the most common usernames and passwords, and WordPress makes the username easy to confirm: /?author=1 redirects to /author/<username>/, the REST endpoint /wp-json/wp/v2/users lists authors of published posts, and the login error message differs for unknown and known usernames. Once they have the right username, there are cases where they don’t even need the password: they can trigger a password reset to an inbox on an expired domain they have re-registered, use an XSS bug in a plugin to act inside your logged-in admin session, etc. Renaming the account removes the default “admin” from that list; the author slug and user ID still reveal the new name unless you block author enumeration too.

To be honest, the more current WordPress vulnerabilities you know about, the better you can protect against them, so it’s always a good idea to stay in the loop with the latest WordPress vulnerability disclosures.

Always Use Strong Passwords

Strong passwords mix letters, numbers, and symbols, but length is the most important aspect of a strong password. In short, the longer your password, the better.

WordPress ships with a password generator: go to Users > All Users, open the individual user profile, and click Generate Password.

Use Two-Factor Authentication

As the WordPress Security Team has said “The weakest link in the security of anything you do online is your password,” so it makes sense to put energy into strengthening that aspect of your site.

One of the easiest ways to protect your WordPress website against stolen passwords is to add two-factor authentication. This way, even if someone steals your password, they will still need to enter the time-based security code from your phone to gain access.

Some of the most popular WordPress Two-Factor Authentication plugins are:

Change Database Table Prefix

Encrypt Connection with SSL

SSL for your website is a must in 2021! You can generate a free SSL certificate using Let’s Encrypt.

Here are the five key benefits of using an SSL certificate:

  • SSL protects data in transit
  • SSL affirms your identity
  • Better search engine ranking
  • SSL helps you satisfy PCI DSS requirements
  • SSL improves customer trust

It is critical that you properly use SSL on all websites. Proper use of SSL certificates will help protect your customers, help protect you, and help you gain your customers’ trust and sell more.

Password Protect WP-admin Directory

Adding a second password in front of the admin area means that a guessed or leaked WordPress password alone is no longer enough to reach the dashboard. Two caveats: wp-login.php sits outside the wp-admin directory, so protecting the directory does not cover the login form itself, and plugins that call wp-admin/admin-ajax.php from the public front end will now get a password prompt unless that file is exempted. It also does not stop anyone who already has access to your cPanel account, since they can simply remove the protection.

To password protect wp-admin log into your cPanel and click on the Directory Privacy option. Click on the folder icon next to the public_html directory and then click on the wp-admin name to begin setting a password for the directory.

Check the box that asks you to password protect this directory. The first text box will allow you to enter a name for the protected directory. Feel free to keep it named as wp-admin or something like Admins Only, etc. Click on the “Save” button when done.

Your wp-admin directory is now password protected.

Delete Unused Themes and Plugins

Remove all WordPress themes and plugins that you don’t use. Deactivated plugins and themes stay on disk and their files are still reachable over the web, they almost never get updated, and a vulnerable one can be exploited even while it is deactivated.

Auto Update Themes and Plugins

Always use the latest version of WordPress, auto-update all plugins, and update the theme as soon as a new version rolls out.

Don’t use Nulled Plugins

Never, I repeat never, use nulled (pirated, with the licence check stripped out) premium WordPress themes and plugins: they routinely come with backdoors and malware, and they can’t receive security updates.

Make regular offsite Backups

No matter how much time, money or effort you spend to harden your WordPress website, if your hosting account gets hacked you are f***ed!

And it’s not enough just to make regular backups; it’s equally important where you store them. If the backups are stored on the same hosting account as your live website, then a hacker who gets in won’t just mess up your website but also all your backups.

Backups are super important because they can save you a lot of time and money.

Never keep backups on the same location as your website!

I suggest UpdraftPlus, the world’s most trusted WordPress backup, restore and clone plugin.

Disable Directory Listing

With directory listing enabled, anyone can browse /wp-content/plugins/ or /wp-content/uploads/ and read off exactly which plugins and themes you run (often with versions), or find stray backups and config copies, then look up known vulnerabilities for those files and use them to gain access.

Directory listing is generated by the Apache module mod_autoindex; to disable that module:

a2dismod autoindex -f
systemctl restart apache2

If you don’t have root access, another way to disable directory indexes in Apache is to add the following to your .htaccess file (this only works if the server config allows it with AllowOverride Options or AllowOverride All; on nginx the equivalent is autoindex off; in the server block, which is also the default):

Options -Indexes
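To confirm the setting took effect, here is an added example (not code from the page) that requests the usual WordPress directories and recognises an Apache autoindex page by its title and the “Parent Directory” link, then lists the names it leaks. The classifier works on (status, body) pairs, so it is demonstrated on a constructed listing for a hypothetical example.test site; `http_fetch` (urllib) plugs in for a real one.

```python
"""Check WordPress directories for an exposed autoindex listing.

Added example, not code from the page. The classifier works on (status, body)
pairs so it can be demonstrated on a constructed Apache-style listing;
http_fetch runs it against a real site."""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Directories a scanner checks first; all four exist on a stock install.
WP_DIRS = ["/wp-content/uploads/", "/wp-content/plugins/", "/wp-content/themes/", "/wp-includes/"]

LISTING_MARKERS = (
    re.compile(r"<title>\s*Index of /", re.I),  # mod_autoindex page title
    re.compile(r"Parent Directory", re.I),      # link mod_autoindex always emits
)
Fetch = Callable[[str], Tuple[int, str]]


def is_directory_listing(status: int, body: str) -> bool:
    return status == 200 and any(m.search(body) for m in LISTING_MARKERS)


def listed_entries(body: str) -> List[str]:
    """Names exposed by the listing (skips the column-sort links and the parent link)."""
    return [h for h in re.findall(r'href="([^"]+)"', body) if not h.startswith(("?", "/"))]


def audit(base_url: str, fetch: Fetch) -> Dict[str, List[str]]:
    """Map each listable directory to the entries it leaks; an empty dict means clean."""
    leaks: Dict[str, List[str]] = {}
    for path in WP_DIRS:
        status, body = fetch(base_url.rstrip("/") + path)
        if is_directory_listing(status, body):
            leaks[path] = listed_entries(body)
    return leaks


def http_fetch(url: str) -> Tuple[int, str]:
    """Minimal live fetcher; a 403 here is what Options -Indexes produces."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


# Constructed mod_autoindex page for /wp-content/plugins/ (the only leaking dir here).
SAMPLE_LISTING = """<html><head><title>Index of /wp-content/plugins</title></head><body>
<h1>Index of /wp-content/plugins</h1>
<table><tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th></tr>
<tr><td><a href="/wp-content/">Parent Directory</a></td><td>&nbsp;</td></tr>
<tr><td><a href="akismet/">akismet/</a></td><td>2021-03-01 10:12</td></tr>
<tr><td><a href="old-gallery-plugin/">old-gallery-plugin/</a></td><td>2018-07-19 08:40</td></tr>
<tr><td><a href="backup-wp-content.zip">backup-wp-content.zip</a></td><td>2020-11-02 23:55</td></tr>
</table></body></html>"""


def sample_fetch(url: str) -> Tuple[int, str]:
    """Constructed site: plugins dir is listable, everything else answers 403."""
    if url.endswith("/wp-content/plugins/"):
        return 200, SAMPLE_LISTING
    return 403, "<h1>Forbidden</h1>"


if __name__ == "__main__":
    for path, names in audit("https://example.test", sample_fetch).items():
        print(path, "is listable; exposes:", ", ".join(names))
```

Note what the sample leaks: an old plugin directory and a zip of wp-content are exactly the kind of findings an attacker turns into a version lookup or a download of your wp-config.php backup.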

Use CDN for DDOS protection

Cloudflare DDoS protection secures websites, applications, and entire networks while ensuring the performance of legitimate traffic is not compromised.

A Distributed Denial of Service (DDoS) attack seeks to make an online service unavailable to its end users. For all plan types, Cloudflare provides unmetered mitigation of DDoS attacks at layers 3, 4, and 7. Cloudflare does not bill by attack size and does not have a cap on attack size, type, or duration.

Cloudflare’s network is built to automatically monitor and mitigate large DDoS attacks. Caching your content at Cloudflare also protects your website against small DDoS attacks, but uncached assets require an additional manual response to a DDoS attack. Keep in mind that the proxy only helps if the origin server is not reachable directly: restrict the origin’s firewall to Cloudflare’s published IP ranges, otherwise an attacker who finds the origin IP (from DNS history, a mail header, or a misconfigured subdomain) can bypass the CDN entirely.

Get Better Hosting

And finally, get better hosting! Seriously, saving money on hosting is like saving money on the materials while building a house.

Written by
Stefan Pejcic