Congratulations, you have stepped into the world of website development and decided to use the WordPress CMS (Content Management System) to help you get started! While WordPress is a fantastic, robust engine for beginners and experts alike, it can be frustrating to learn that there are hundreds of thousands of bots constantly scanning the internet for WordPress installs, attempting to hack them. Why, you ask? Because WordPress is such a commonly used web engine, and its source code is well known throughout the hacking community, there are many “low-hanging fruit” vulnerabilities, such as XSS (Cross-Site Scripting), user enumeration techniques and more, all of which pose a threat to your new website.
Thankfully, I have been developing with WordPress for over a decade and have become quite familiar with how attackers go about breaking into a WordPress site. I have decided to sit down and write out some common attack surfaces and vulnerabilities that I’ve seen over the years, including ones I use during penetration tests that I perform on behalf of clients. After you’ve gone through this list, your website will be much more secure, allowing you to rest easier as your site stays online 24 hours a day.
1) Change the default username!
Never, EVER use default credentials on anything you are trying to protect from an outside actor on the internet. Many of the bots scouring the web are looking for easy access and give up on anything that poses a real challenge. Default usernames like “WordPress”, “Admin” or “Administrator” are tried on the sites I manage well over 1,000 times per day, and I only manage a small handful of sites at the time of writing this article. Change your username to something memorable, preferably a name that is not listed anywhere on your site. For example, I would not use the usernames “Adam” or “AdamJohnson” for this site, as my name is all over this blog. Some clever actors will scan a site for common phrases and names and use them in brute-force attacks, in combination with wordlists like rockyou.txt.
2) Install & Configure A Firewall
Thankfully, there are many applications to help new users keep their websites safe. Wordfence is a popular firewall plugin for WordPress that includes robust, top-of-the-line security features like Multi-Factor Authentication (MFA), anti-brute-force measures, whitelists, page blocking and more. You can monitor your site’s health, blocklist and traffic live from any smartphone, tablet or desktop by linking your Wordfence account to an email address, and you will receive updates by email as well. No, I am not sponsored by these people, and there are other solutions like WPVIP, but Wordfence has a free edition that will suit most small businesses or hobby sites, which is why I suggest it.
3) Change The wp-login and wp-admin Page Names
Another thing bots do to work out which site engine you are running is to quickly try to index your /wp-admin or /wp-login pages, so that Hydra or a similar brute-force cracking tool can attack them thousands of times a minute. Thankfully, there are plugins like Change WP-Admin that will rename these pages for you, but you can also change the canonical URL by tinkering with the back end of WordPress if you are more comfortable with programming languages. No matter how you get it done, I would highly suggest doing so, as it lowers the overall odds of being hacked. Remember: if an attacker wants to get into a resource badly enough, they will. However, the more difficult you make it for them, the more likely they are to give up altogether and move on to a different target. Most serious attackers go after billion-dollar companies in hopes of million-dollar ransoms; they will not risk law enforcement getting involved over a store whose sales are in the thousands by comparison.
4) Limit Access To Enumeration Techniques
WordPress, by nature, is riddled with URLs that can enumerate the username of your administration account, which attackers can then leverage in brute-force attacks on your login screen. Some techniques are elementary, like reading your admin username off your blog posts if you have exposed it there instead of using a nickname; others are more “tech-ey”. Let’s explore some examples of these URLs:
These are just some examples of URLs that can be entered into a WordPress site, which will return a block of text that can be read and utilized, looking something like this:
Limiting access to these resources using a firewall or blacklist is a must. There is no reason for an end user to make calls to these resources, as they are intended for back-end use by the website and the engine itself. You can also cross-reference these requests with browser user agents, for example by blocking Tor access or other browsers that use privacy measures to hide the true identity of your website visitors (or attackers!).
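One way to limit access to the enumeration routes described above from inside WordPress itself, as an added example that is not the article’s own code: a small must-use plugin. It assumes a hypothetical file name of wp-content/mu-plugins/restrict-user-enumeration.php and targets the two routes most commonly cited for this purpose, the REST API users endpoint and the numeric ?author= redirect, plus the login form’s differing error messages; whether these match the article’s own list of URLs is an assumption. The hooks and route keys used (rest_endpoints, init, login_errors, /wp/v2/users) are standard WordPress core ones.

```php
<?php
/**
 * Plugin Name: Restrict Username Enumeration (added example)
 * Description: Example hardening plugin written for this article; not the article's or Wordfence's code.
 *
 * Hypothetical location: wp-content/mu-plugins/restrict-user-enumeration.php
 * Files in mu-plugins/ load automatically and cannot be deactivated from the dashboard.
 */

/*
 * 1. REST API user listing.
 * By default /wp-json/wp/v2/users (and ?rest_route=/wp/v2/users) returns every
 * user who has published content, including each user's slug, without
 * authentication. The two route keys below are the ones WordPress core
 * registers in WP_REST_Users_Controller. Removing them for anonymous requests
 * makes the API answer 404 (rest_no_route) instead of listing accounts, while
 * logged-in users (and the block editor, which uses the route) keep access.
 */
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array( '/wp/v2/users', '/wp/v2/users/(?P<id>[\d]+)' ) as $route ) {
        unset( $endpoints[ $route ] );
    }
    return $endpoints;
} );

/*
 * 2. Author-ID probing.
 * Requesting /?author=1 makes WordPress redirect to /author/<slug>/, and the
 * slug is derived from the login name by default, so walking the IDs 1..N
 * reveals every account. Refusing the numeric form for anonymous visitors on
 * the early "init" hook runs before the canonical redirect fires; the pretty
 * /author/name/ archive pages themselves keep working.
 */
add_action( 'init', function () {
    if ( is_admin() || is_user_logged_in() ) {
        return;
    }
    if ( isset( $_GET['author'] ) && is_numeric( $_GET['author'] ) ) {
        wp_die( 'Forbidden.', 'Forbidden', array( 'response' => 403 ) );
    }
} );

/*
 * 3. Login-form error messages.
 * The default messages differ depending on whether the username exists or
 * only the password was wrong, which confirms valid account names one guess
 * at a time. A single generic message removes that signal.
 */
add_filter( 'login_errors', function () {
    return 'Login failed. Please check your credentials.';
} );
```

This complements, rather than replaces, a firewall such as Wordfence: the plugin only closes the routes it names, so a nickname that differs from the login name (as suggested under point 1) still matters for anything that displays the author of a post. After installing it, confirm the behaviour by requesting /wp-json/wp/v2/users and /?author=1 while logged out; the first should return a 404 JSON error and the second a 403 page.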
I hope this helps! I will upload more articles and tips on securing WordPress.