Understanding WordPress Security in-depth

Security in general can be very simple; there is only one concept to master, and that concept is understanding. Just as attackers understand the flaws in systems and how to exploit them, you must understand these flaws in order to prevent exploitation. Just installing another plugin is not enough. Most security plugins are very heavy on resources and only suppress symptoms instead of removing the actual causes. If you are interested in a plugin which is lightweight and prevents security issues at the root, take a look at ‘Arevico Security Basic’.

The way in which an adversary proceeds to hack a WordPress website is similar to the way they gain access to any other system. Basically, what a hacker does is supply input in such a way that it manipulates the processes on the server into producing favorable output. That’s all there is to it. So, in order to assess your security, we must first identify the potential points of access.

Points of Access

Most WordPress websites have a number of assets in common: they are hosted on a shared server, they have a control panel such as cPanel or DirectAdmin, FTP access, and public-facing PHP scripts (WordPress core, themes and plugins). Furthermore, the devices a webmaster uses are also relevant, but that goes beyond the scope of this article.

If you pay peanuts, you get monkeys

Shared hosting is often available for less than a dollar a month. This is the main reason beginning webmasters use low-budget shared hosting. However, low-budget shared hosting comes with a lot of disadvantages with regard to security and performance. The truth is that a provider stacks thousands of websites on one physical machine in order to sustain a low-budget hosting solution. Internet connection, disk I/O and memory are shared, which decreases performance. Furthermore, total isolation between customers is often not possible, so a neighbouring account on the same machine may be able to read files that are world-readable. This forces you to think about file permissions: wp-config.php, which holds your database credentials, should be readable only by your own account. If you cannot guarantee this, you should strongly consider switching to a professional web hosting provider.

Do you know what’s under the hood?

FTP access and control panel access often won’t be a problem. However, most webmasters don’t know how the scripts or plugins they install work, and how can you be sure your website is secure if you don’t know even a few simple things about the plugins running on it? For example, did you know that merely by clicking on a link in a comment while logged in, you can let an adversary add a new admin user (a cross-site request forgery, often delivered through a reflected cross-site scripting flaw in a plugin)? This issue is present in a number of plugins. Less is often more. Don’t clutter your website with plugins YOU find useful; only use those which provide MEASURABLE value to the visitor. This significantly reduces security risk (and as a bonus increases performance).

Main vectors of attack

There are a few vectors of attack a potential adversary uses:

  • Cross Site Scripting and Cross Site Request Forgery – Against WordPress the reflected variant is the one you will meet. The adversary tricks you, while you are logged in, into clicking a link (for example one left in a comment). The page behind that link automatically submits a form to your WordPress installation or to a vulnerable plugin, which then changes settings or creates users with your privileges. Strictly speaking, the forged form submission is cross-site request forgery (CSRF); a reflected XSS flaw in a plugin is simply a convenient way to deliver it. It is preventable by requiring a per-user, per-action token (a WordPress nonce) on every request that changes state and refusing requests that lack a valid one (you’ll be surprised how many plugins don’t do this).
  • SQL Injection – Adversaries use a plugin as a vehicle to retrieve data from the database or, given sufficient MySQL privileges, to read files on your server. This happens when a plugin concatenates user-supplied data into a query without validating or escaping it. For example, a plugin could query the database for all votes on poll x, where x is a user-supplied value. If it isn’t checked, an adversary can modify that query so that it returns all votes on poll x combined (via UNION) with the user_login and user_pass columns of the wp_users table. An undesirable situation. How to fix this? Never assemble a query from raw input: cast numeric parameters to integers and bind every value through $wpdb->prepare(), so the database never interprets input as SQL.
  • Password Guessing – with automated tools like wwwHack (a surprisingly popular program made in 2001), an adversary can test up to 3,000 WordPress admin passwords per minute. It is absolutely crucial that further attempts are refused after a number of failures; locking the attacking client rather than the account avoids handing the attacker a way to lock the real administrator out. Another way to prevent this kind of unauthorized access is to require the e-mail address instead of the user name to log in, since the address is usually not known to an adversary (note that since WordPress 4.5 the login form accepts either by default, so “requiring” the e-mail address means disabling the user name). Research shows that this is the most popular method of intrusion. ‘Arevico Security Basic’ has both of these features to prevent this vector.
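As an added example (not code from this article or from any named plugin), here is a hypothetical poll-vote handler covering the first two vectors above: first written the way many plugins write it, then hardened with a nonce check and a prepared query. The table name poll_votes, the action name poll_vote and the function names are all assumptions.

```php
<?php
// Added example for this article; not code from the article or from any named plugin.
// Assumed: a plugin table {$wpdb->prefix}poll_votes (poll_id, choice, user_id) and a
// form that submits to admin-post.php with action=poll_vote.

// VULNERABLE handler (shown for contrast, deliberately not registered): no CSRF token,
// no typing of input, request values pasted straight into SQL.
function poll_vote_vulnerable() {
    global $wpdb;
    $poll_id = $_GET['poll'];    // attacker-controlled
    $choice  = $_GET['choice'];  // attacker-controlled

    // CSRF: a logged-in victim who loads an attacker page containing
    //   <img src="https://victim.example/wp-admin/admin-post.php?action=poll_vote&poll=1&choice=2">
    // votes without ever seeing the form, because the browser attaches the session cookie.
    // SQLi: poll=1 UNION SELECT user_login, user_pass FROM wp_users%23 ("#" comments out
    // the trailing GROUP BY) makes the results query return every login and password hash.
    $wpdb->query("INSERT INTO {$wpdb->prefix}poll_votes (poll_id, choice) VALUES ($poll_id, $choice)");
    $rows = $wpdb->get_results(
        "SELECT choice, COUNT(*) AS n FROM {$wpdb->prefix}poll_votes WHERE poll_id = $poll_id GROUP BY choice"
    );
    wp_send_json($rows);
}

// Form rendering for the hardened handler. The nonce field is what lets the server
// distinguish a form it served from one an attacker's page auto-submitted.
function poll_vote_form($poll_id) {
    $poll_id = absint($poll_id);
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="poll_vote">
        <input type="hidden" name="poll" value="<?php echo $poll_id; ?>">
        <?php wp_nonce_field('poll_vote_' . $poll_id, 'poll_nonce'); ?>
        <label><input type="radio" name="choice" value="1"> Yes</label>
        <label><input type="radio" name="choice" value="2"> No</label>
        <button type="submit">Vote</button>
    </form>
    <?php
}

// HARDENED handler: POST only, nonce bound to user + action + poll, login check,
// integer-typed input, every value bound through a placeholder.
function poll_vote_hardened() {
    global $wpdb;
    if ('POST' !== $_SERVER['REQUEST_METHOD']) {
        wp_die('Method not allowed', '', array('response' => 405));
    }
    $poll_id = isset($_POST['poll']) ? absint($_POST['poll']) : 0;
    $choice  = isset($_POST['choice']) ? absint($_POST['choice']) : 0;

    // check_admin_referer() dies with HTTP 403 when the nonce is missing, expired or
    // was issued for another user, action or poll. A forged cross-site request has none.
    check_admin_referer('poll_vote_' . $poll_id, 'poll_nonce');

    if (!is_user_logged_in() || 0 === $poll_id || !in_array($choice, array(1, 2), true)) {
        wp_die('Bad request', '', array('response' => 400));
    }

    // %d placeholders: the database never parses request data as SQL, so the UNION
    // payload above is stored (or rejected) as a number, never executed.
    $wpdb->insert(
        $wpdb->prefix . 'poll_votes',
        array('poll_id' => $poll_id, 'choice' => $choice, 'user_id' => get_current_user_id()),
        array('%d', '%d', '%d')
    );
    $rows = $wpdb->get_results($wpdb->prepare(
        "SELECT choice, COUNT(*) AS n FROM {$wpdb->prefix}poll_votes WHERE poll_id = %d GROUP BY choice",
        $poll_id
    ));
    wp_send_json($rows);
}
add_action('admin_post_poll_vote', 'poll_vote_hardened');
```

Note that the nonce check alone does not fix the injection, and the prepared query alone does not fix the forgery: the two bullets above are two separate flaws that happen to live in the same handler, and each needs its own fix.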
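For the third vector, here is an added example of a lockout after repeated failures (not code from this article or from Arevico Security Basic). It counts failures per client address in a transient and refuses further attempts once the limit is reached; the limit, the window and the wpsec_ prefix are assumptions.

```php
<?php
// Added example for this article; not code from the article or from any named plugin.
// Assumed limit and window; tune to taste. Failures are keyed by client IP so that an
// attacker cannot lock the real administrator out by hammering the admin user name.
define('WPSEC_MAX_ATTEMPTS', 5);
define('WPSEC_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS);

function wpsec_client_key() {
    // REMOTE_ADDR is the address the web server saw. Behind a reverse proxy, make the
    // server rewrite it from the proxy header; never trust X-Forwarded-For directly,
    // because the attacker controls it and could rotate it to dodge the counter.
    return 'wpsec_fail_' . md5($_SERVER['REMOTE_ADDR']);
}

// Count every failed login, whatever user name was tried (attackers rotate those too).
// Each failure refreshes the expiry, so the lock holds for as long as the attack lasts.
function wpsec_record_failure($username) {
    $key   = wpsec_client_key();
    $count = (int) get_transient($key);   // false (missing) casts to 0
    set_transient($key, $count + 1, WPSEC_LOCKOUT_SECONDS);
}
add_action('wp_login_failed', 'wpsec_record_failure');

// Late priority (core's password and cookie checks run at 20 and 30, the spam check at
// 99) so this result overrides theirs: once locked, even a correct guess is refused and
// the response tells the attacker nothing about which guess was right.
function wpsec_check_lockout($user, $username, $password) {
    if ((int) get_transient(wpsec_client_key()) >= WPSEC_MAX_ATTEMPTS) {
        return new WP_Error('too_many_attempts', 'Too many failed logins. Try again later.');
    }
    return $user;
}
add_filter('authenticate', 'wpsec_check_lockout', 100, 3);

// Clear the counter on success so a legitimate user who mistyped once is not punished.
function wpsec_clear_on_success($user_login, $user) {
    delete_transient(wpsec_client_key());
}
add_action('wp_login', 'wpsec_clear_on_success', 10, 2);

// XML-RPC's system.multicall lets a single HTTP request carry hundreds of login
// attempts through the same authenticate path. Removing it closes that shortcut;
// the attempts that remain still flow through the counter above.
add_filter('xmlrpc_methods', function ($methods) {
    unset($methods['system.multicall']);
    return $methods;
});
```

Because WordPress fires wp_login_failed whenever the authenticate filter ends in a WP_Error, a refused attempt during the lockout also counts as a failure and extends the window; that is intended here. The trade-off to be aware of is that visitors sharing one address (an office NAT, a carrier-grade NAT) share one counter.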

Thoughts on popular security measures

While it is easy to come up with a large number of security measures, it is quite difficult to go back to the root of the issue. Implement only as much as necessary, since security is always a trade-off between convenience and threats. Since there are lots of security plugins, this section mentions a few popular measures and how we think about their effectiveness.

  1. Renaming the wp-admin or wp-content folder. By renaming those folders, adversaries are supposedly unable to enumerate the plugins in use or to reach the login page; at least, that is the philosophy behind it. In practice it is useless. It creates conflicts with plugins (unfortunately, lots of themes and plugins hardcode those paths), and as soon as a single plugin or theme loads CSS or JS, the true path of those directories leaks in the HTML source of every public page.
  2. Renaming the admin user. This is just as useless, unless the administrator never posts or edits any pages. The idea behind it is that if you don’t know the admin account name, you can’t try to guess its password. However, the user name is visible all over the blog (from comments to posts and pages), and WordPress itself also reveals it: requesting /?author=1 redirects to the author archive named after the user_login, and the REST API lists published authors.