WordPress Security:
Any CMS such as WordPress is exposed to two major classes of risk, whether it runs in a public or a protected environment:
- Environmental Issues (Hosting Environment)
- Configuration Issues (Plugins, Modules)
Environmental Issues:
1. Threat: Fuzzing attack
Countermeasure: Implement IPS
Attackers probe servers using fuzzing. Fuzzing floods the server with a large number of requests and can cause a web portal to stop responding. Fuzzing traffic carries recognisable signatures, and these attacks can be prevented by filtering on those signatures.
Environmental issues can be addressed by implementing basic security mechanisms such as an IPS. mod_security is personally recommended for a LAMP environment: it blocks low-level attacks and adds an extra layer of security to the hosting environment. Note that mod_security can only be deployed on managed hosting; on shared hosting, custom rules cannot be implemented.
2. Threat: Information Disclosure
Countermeasure: Server hardening
Server information is easily obtained by inspecting the HTTP response headers, which reveal details such as the application version (PHP) and server details (Apache version, OS).
With proper hardening, server signatures can be changed or suppressed, which makes it much harder for an attacker to plan an attack.
WordPress itself advertises the CMS version in a meta tag in the page header; this should be removed to close off a possible attack vector.
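As an added check (example code, not from the original article), the following Python audit flags the disclosures described above in a constructed response: version strings in the Server and X-Powered-By headers, and the WordPress generator meta tag. The sample header and HTML values are constructed, and the comments name the Apache, PHP and WordPress settings that remove each item.

```python
import re

# Constructed sample: response headers and page head from an un-hardened
# WordPress install (assumed values, not taken from any real site).
LEAKY_HEADERS = {
    "Server": "Apache/2.2.15 (CentOS) PHP/5.3.3",
    "X-Powered-By": "PHP/5.3.3",
    "Content-Type": "text/html; charset=UTF-8",
}
LEAKY_HTML = '<html><head><meta name="generator" content="WordPress 3.0.1" /></head></html>'

# The same site after hardening: Apache "ServerTokens Prod" / "ServerSignature Off",
# PHP "expose_php = Off", and remove_action('wp_head', 'wp_generator') in WordPress.
HARDENED_HEADERS = {"Server": "Apache", "Content-Type": "text/html; charset=UTF-8"}
HARDENED_HTML = "<html><head></head></html>"

# product/version tokens such as "Apache/2.2.15" or "PHP/5.3.3"
VERSION_RE = re.compile(r"[A-Za-z_-]+/\d+(?:\.\d+)+")
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.I)


def audit_disclosure(headers, html):
    """Return (location, leaked value) pairs for every version string found."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    for name in ("Server", "X-Powered-By"):
        for token in VERSION_RE.findall(lowered.get(name.lower(), "")):
            findings.append((name, token))
    match = GENERATOR_RE.search(html)
    if match:
        findings.append(("meta generator", match.group(1)))
    return findings


if __name__ == "__main__":
    for label, hdrs, body in (("leaky", LEAKY_HEADERS, LEAKY_HTML),
                              ("hardened", HARDENED_HEADERS, HARDENED_HTML)):
        print(label, audit_disclosure(hdrs, body))
```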
Configuration level:
Threats:
- Spamming
- Username / Password hack
- SQL injections
- Site hack
- Cross site scripting
- DOS / DDOS
- All other known and unknown vulnerabilities
Countermeasures:
- Keep WordPress core and all installed plugins up to date
- Implement CAPTCHA
- Monitor the site and its logs weekly for any unusual activity
- Remove plugins that are no longer required
Some important plugins to install for extra security:
Semisecure Login Reimagined
Description:
Semisecure Login Reimagined increases the security of the login process by using a combination of public and secret-key encryption to encrypt the password on the client-side when a user logs in. JavaScript is required to enable encryption. It is most useful for situations where SSL is not available, but the administrator wishes to have some additional security measures in place without sacrificing convenience.
Stealth Login
Description:
This plugin allows you to create custom URLs for logging in, logging out, administration and registering for your WordPress blog. Instead of advertising your login URL on your homepage, you can create a URL of your choice that is easier to remember than wp-login.php; for example, you could set your login URL to http://www.myblog.com/login for an easy way to log in to your website.
You could also enable “Stealth Mode”, which prevents users from accessing ‘wp-login.php’ directly. You can then set your login URL to something more cryptic. This won’t secure your website perfectly, but if someone does manage to crack your password, it can make it difficult for them to find where to actually log in. This also prevents any bots used for malicious intents from accessing your wp-login.php file and attempting to break in.
Login LockDown
Description:
Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery. Currently the plugin defaults to a 1 hour lock out of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel. Administrators can release locked out IP ranges manually from the panel.
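The lockout logic described above, as an added Python example that is not the plugin's own code: failures are counted per IP range (a /24 for IPv4 and a /64 for IPv6, which is an assumption), three failures within 5 minutes lock the range for 1 hour, and an administrator can release it manually.

```python
import ipaddress
import time

MAX_FAILURES = 3         # failed attempts tolerated ...
WINDOW_SECONDS = 300     # ... within 5 minutes ...
LOCKOUT_SECONDS = 3600   # ... before the range is locked for 1 hour


class LoginLockdown:
    """Per-IP-range failed-login tracker with the plugin's default thresholds."""

    def __init__(self):
        self.failures = {}   # range -> timestamps of recent failures
        self.locked = {}     # range -> time at which the lock expires

    @staticmethod
    def _range(ip):
        # Assumption: a "range" is the /24 for IPv4 and the /64 for IPv6.
        addr = ipaddress.ip_address(ip)
        prefix = 24 if addr.version == 4 else 64
        return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

    def is_locked(self, ip, now=None):
        """True while the range containing ip is still locked out."""
        now = time.time() if now is None else now
        rng = self._range(ip)
        expires = self.locked.get(rng)
        if expires is not None and now < expires:
            return True
        self.locked.pop(rng, None)   # lock expired (or never existed)
        return False

    def record_failure(self, ip, now=None):
        """Record a failed login; returns True if this failure triggered a lock."""
        now = time.time() if now is None else now
        rng = self._range(ip)
        # keep only failures still inside the 5-minute window, then add this one
        recent = [t for t in self.failures.get(rng, []) if now - t < WINDOW_SECONDS]
        recent.append(now)
        self.failures[rng] = recent
        if len(recent) >= MAX_FAILURES:
            self.locked[rng] = now + LOCKOUT_SECONDS
            self.failures[rng] = []
            return True
        return False

    def release(self, ip):
        """Manual release from the admin panel."""
        self.locked.pop(self._range(ip), None)
```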
Chap Secure Login
Description:
Whenever you try to log in to your website, you can use this plugin to transmit your password encrypted. The encryption process is done by the CHAP protocol; this is particularly useful when you can’t use SSL or other kinds of secure protocols. By activating the ChapSecureLogin plugin, the only information transmitted unencrypted is the username; the password is hidden with a random number (nonce) generated by the session and suitably transformed by the MD5 algorithm. On the first login there will be an error, but don’t worry, it is only a technical error. Indeed, in the next login operation, if the values are correct, there will be no errors, but bear in mind that the password will be sent in an unencrypted way. If you want more details about this algorithm, check “Building a CHAP Login System”. This is a zero-configuration plugin.
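The challenge-response exchange described above, as an added Python example rather than the plugin's code: the server issues a single-use nonce, the client sends only the username and md5(nonce + md5(password)), and the server recomputes that value from its stored hash. The page does not state exactly how the plugin combines nonce and password, so that construction is an assumption.

```python
import hashlib
import secrets


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


class ChapServer:
    """Server side: hands out a single-use nonce and checks the client's response."""

    def __init__(self, users):
        # users maps username -> md5(password). Storing only the hash is an
        # assumption of this example; note that the hash is then password-
        # equivalent for this protocol and must be protected accordingly.
        self.users = users
        self.pending = {}   # username -> outstanding nonce

    def challenge(self, username):
        # Issue a nonce even for unknown users so the reply does not reveal
        # which usernames exist.
        nonce = secrets.token_hex(16)
        self.pending[username] = nonce
        return nonce

    def verify(self, username, response):
        nonce = self.pending.pop(username, None)   # consumed: a captured response cannot be replayed
        secret = self.users.get(username)
        if nonce is None or secret is None:
            return False
        expected = md5_hex(nonce + secret)
        return secrets.compare_digest(expected, response)


def chap_client_response(password, nonce):
    """Client side (JavaScript in the browser for the plugin): the password itself is never sent."""
    return md5_hex(nonce + md5_hex(password))


def login(server, username, password):
    """One full exchange: username in clear, nonce from server, hashed response back."""
    nonce = server.challenge(username)
    return server.verify(username, chap_client_response(password, nonce))
```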
myEASYbackup
Description:
Backup, restore, migrate your WP installation, both code and MySQL tables, with a single click.
Antispam Bee
Description:
Protects your blog from spam by replacing the comment field. It’s easy to use and extremely effective. Really!
Math Comment Spam Protection
Description:
Asks the visitor making the comment to answer a simple math question. This is intended to prove that the visitor is a human being and not a spam robot.
BlackHole
Description:
Blackhole is a trap for bad bots. The concept is simple: include a hidden link to a robots.txt-forbidden directory somewhere on your pages. Bots that ignore or disobey your robots rules will crawl the link and fall into the trap, which then performs a WHOIS Lookup and records the event in the blackhole data file. Once added to the blacklist data file, bad bots immediately are denied access to your site.
AskApache Password Protect
Description:
This plugin doesn’t control WordPress or mess with your database; instead it utilizes fast, tried-and-true built-in security features to add multiple layers of security to your blog. This plugin is specifically designed and regularly updated to stop automated and unskilled attackers’ attempts to exploit vulnerabilities on your blog that would result in a hacked site.
Wp Security Scan
Description:
This plugin will scan your WordPress installation for security vulnerabilities and it will suggest some corrective actions.
In addition to the above, the guidance at http://codex.wordpress.org/Hardening_WordPress should be followed when deploying a WordPress CMS portal.