Less Known Tips to Secure WordPress Blogs

by Yaniv Kimelfeld September 27th, 2013 

The mass attack on WordPress blogs last April raised the issue of web security in general and WordPress security in particular. Although a lot has been written about this subject, in this post I have tried to gather some of the less common tips (at least in the e-marketing arena). Some of these tips simply go back to the basics, while others utilize the most innovative tools in the security world.

SSH With Public Key Authentication

The Secure Shell (SSH) protocol provides an encrypted tunnel for remote web server management that can protect against account or session hijacking. Even so, an account may still be compromised through a brute-force attack or poor password management. Using SSH with public key authentication and a passphrase-protected private key makes the former nearly impossible and mitigates the latter. BTW, in order to maximize the strength of the public/private key pair it is highly recommended to use RSA keys.
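The settings that actually enforce key-only logins live in the server's sshd_config, and it is easy to leave password logins enabled by accident. The following audit script is an added example (not code from the original post); the function names, the constructed sample configs and the referenced key-generation command are assumptions for illustration, and Match blocks are not handled.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# settings that make public-key authentication the only way in.
# Key generation step, assumed here for reference (run once, on the client):
#   ssh-keygen -t rsa -b 4096 -N 'a long passphrase' -f ~/.ssh/id_rsa

# Return the effective value of an sshd_config keyword (first match wins,
# as sshd itself applies it); comments and blank lines are ignored.
sshd_value() {
    # $1 = config file, $2 = keyword (keywords are case-insensitive)
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# Print one finding per weak setting; return the number of findings.
audit_sshd_config() {
    cfg="$1"; findings=0
    # Password logins are what brute-force attacks target; the default is "yes"
    if [ "$(sshd_value "$cfg" PasswordAuthentication)" != "no" ]; then
        echo "PasswordAuthentication is not 'no'"; findings=$((findings + 1))
    fi
    # Keyboard-interactive auth can still prompt for a password
    if [ "$(sshd_value "$cfg" ChallengeResponseAuthentication)" != "no" ]; then
        echo "ChallengeResponseAuthentication is not 'no'"; findings=$((findings + 1))
    fi
    # Default is "yes", but an explicit "no" locks out key-based users
    if [ "$(sshd_value "$cfg" PubkeyAuthentication)" = "no" ]; then
        echo "PubkeyAuthentication is explicitly disabled"; findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample configs for a stand-alone run (not real server files).
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
printf '%s\n' '# password logins still allowed' 'PasswordAuthentication yes' \
    'PubkeyAuthentication yes' > "$WEAK_CFG"
printf '%s\n' 'PasswordAuthentication no' 'ChallengeResponseAuthentication no' \
    'PubkeyAuthentication yes' > "$HARD_CFG"
audit_sshd_config "$WEAK_CFG" || echo "weak config: $? finding(s)"
audit_sshd_config "$HARD_CFG" && echo "hardened config: no findings"
```

Run it against /etc/ssh/sshd_config after adding your public key to ~/.ssh/authorized_keys, and only then restart sshd, keeping an existing session open in case you lock yourself out.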

An additional way to prevent unauthorized access to a dedicated or virtual private server (VPS) is to install the Dome9 firewall on the server (supported OSes include Windows as well as Linux). Once the firewall has been installed, one may open or close ports from the Dome9 website. Dome9 has a totally free plan for one Dome9 user and up to 5 servers (!). The other plans include two-factor authentication and mobile apps for firewall management.

Web Application Firewall

Web applications are vulnerable to a variety of malicious attacks like Cross-site Scripting (XSS), SQL Injection, and Denial of Service (DoS). While software companies and developers are constantly releasing security patches and updates to fix these vulnerabilities, keeping all software components on a web server up-to-date entails IT knowledge and resources. Moreover, even the most up-to-date servers are exposed to zero-day exploits. To mitigate these threats, software professionals started to develop web application firewalls (WAF). This piece of software is intended to provide an extra security layer for all the web applications on the server, regardless of their programming language or function.

While ModSecurity is one of the best-known and oldest WAFs, there are many open source and commercial WAFs nowadays. The most recent development in the WAF arena is the cloud-based web application firewall. These firewalls have a vast amount of computing resources that can be shared between their clients according to their current security threats, which makes them more economical (some, like Cloudflare and Incapsula, even have a free plan). Additionally, they have the advantage of centralized management by skilled IT staff. Now, although these cloud WAFs can mask a server's IP address, the server may still be vulnerable to direct attacks that bypass the WAF. To avoid this scenario, one may limit the server's inbound traffic to the WAF's IP addresses or install an additional open-source WAF on the server itself.

Securing WordPress Backend

While the above tips are not platform-specific, here are some specific tips to protect the WordPress backend (i.e. the WP login and admin pages).

Like web server management, a WordPress management account should ideally be protected by a secure tunnel. While some people use a VPN connection to protect their accounts on public networks (e.g. coffee shop Wi-Fi), there is no guarantee that every person with a privileged WordPress account will do so. Forcing Secure Sockets Layer (SSL) on the WordPress admin and login pages may secure the WordPress backend without slowing down its frontend pages. The WordPress HTTPS plugin can force SSL on backend as well as frontend pages. In addition, it may fix some SSL 'mixed content' issues.

If one cannot afford the additional costs of an SSL setup (e.g. an SSL certificate), one may still install the AskApache Password Protect plugin. This plugin utilizes Apache Digest access authentication to perform authentication without the SSL protocol. Although less secure than SSL, this protocol may protect the blog passwords during the authentication process.

While SSL may protect WordPress accounts from account or session hijacking, there are still many other potential backend vulnerabilities. The Better WP Security plugin offers a range of tweaks to mitigate these vulnerabilities, like protecting the .htaccess, wp-config.php, and readme.txt files, renaming the "admin" username, and changing the WordPress default content folder, SQL table prefix, and admin login URL. In addition, this plugin offers some security mechanisms like strong password enforcement, regular backups, and brute force attack detection (here is a comprehensive video review of this plugin's features). BTW, Better WP has a tweak that forces SSL on login or administration pages.
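The file-level tweaks above can be checked without the plugin. The script below is an added example (not the plugin's code or the post's): it audits a WordPress docroot for a world-readable wp-config.php, the default wp_ table prefix, an exposed readme.txt and missing .htaccess deny rules, then applies the fixes that are safe to script. Function names, the constructed sample docroot and the Apache 2.4 directive syntax are assumptions; changing the table prefix is only reported, since it also requires renaming the database tables.

```shell
#!/bin/sh
# Added example (not the plugin's code): audit a WordPress docroot for the
# file-level tweaks listed above, and apply the ones that are safe to script.
# Print one finding per weak point; return the number of findings.
audit_wp_docroot() {
    docroot="$1"; cfg="$docroot/wp-config.php"; findings=0
    # wp-config.php holds the DB credentials and must not be world-readable
    mode=$(stat -c %a "$cfg" 2>/dev/null || stat -f %Lp "$cfg")
    case "$mode" in
        *[1-7]) echo "wp-config.php is readable by other users ($mode)"; findings=$((findings + 1)) ;;
    esac
    # the default wp_ table prefix makes injected SQL easier to aim at the right tables
    if grep -Eq "^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$cfg"; then
        echo "table prefix is the default wp_ (rename the tables, then change it)"; findings=$((findings + 1))
    fi
    # readme.txt discloses the exact WordPress version to anyone who requests it
    if [ -f "$docroot/readme.txt" ]; then
        echo "readme.txt is publicly available"; findings=$((findings + 1))
    fi
    # .htaccess should refuse direct web requests for wp-config.php and for itself
    for f in wp-config.php .htaccess; do
        grep -qF "<Files $f>" "$docroot/.htaccess" 2>/dev/null || {
            echo ".htaccess does not block $f"; findings=$((findings + 1)); }
    done
    return "$findings"
}

# Apply the file-level fixes (Apache 2.4 syntax; 2.2 needs "Deny from all").
harden_wp_docroot() {
    docroot="$1"
    chmod 640 "$docroot/wp-config.php"
    rm -f "$docroot/readme.txt"
    for f in wp-config.php .htaccess; do
        printf '<Files %s>\nRequire all denied\n</Files>\n' "$f" >> "$docroot/.htaccess"
    done
}

# Constructed sample docroot for a stand-alone run (not a real install).
make_weak_docroot() {
    d=$(mktemp -d)
    printf '%s\n' '<?php' "\$table_prefix = 'wp_';" > "$d/wp-config.php"
    chmod 644 "$d/wp-config.php"
    echo 'WordPress 3.6 readme' > "$d/readme.txt"
    echo "$d"
}
D=$(make_weak_docroot)
audit_wp_docroot "$D" || echo "before: $? finding(s)"
harden_wp_docroot "$D"
audit_wp_docroot "$D" || echo "after: $? finding(s) (only the table prefix remains)"
```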

Two Factor Authentication

Last but not least, phishing attacks and keyloggers may compromise WordPress accounts, especially when users log in from their own laptop or PC. Two factor authentication may protect WordPress accounts from these scenarios by requiring an additional one-time password (OTP). S-CRIB OTP Authenticator is a WordPress two factor authentication plugin that works with a variety of OTP generators, including Google Authenticator. For those who prefer not to rely on WordPress and its plugins' security, Incapsula offers two factor authentication as part of its cloud-based WAF.

Yaniv Kimelfeld

Yaniv is an independent writer who inquires into search engines in general and topical search engines in particular. He also explores methods for optimizing custom-built search engines.

9 Responses to “Less Known Tips to Secure WordPress Blogs”

  1. Marko Saric says:

    Some very good blog safety advice in here! Definitely worth doing a bit of work and installing a couple of plugins to make your blog safer.

  2. Daniel says:

    My old WP blog back in 2009 was having issues with people registering via wp-register.php and for some reason being automatically assigned as a full administrator, even though the default WP assignment role was "subscriber" and registrations were disallowed.

    They used this to inject base64 encoded JavaScript into my theme's template in the footer to show various links to malicious websites with both .ru and .cn domains.

    I then learned about blocking access to files using .htaccess (as well as denying access to the .htaccess file itself) to deny access to wp-login.php and wp-register.php. Though this method was crude and sometimes gave me a fit when logging in to the WP admin panel, it stopped the injection attacks for me.

    This was many years ago though and I don't use WP anymore for the most part, so not sure if this exploit is still present or not.

    Great article though, some things I would have never considered.

    About two step authentication: not only phishing and keyloggers, but I do remember a visual logger that spread targeting Internet Explorer that was able to track mouse clicks (for people that use a virtual keyboard to enter their password). I can't remember if this is still present though.

    • Hi Daniel, sorry I couldn't reply to your comment sooner. Since according to OWASP injection is one of the top 10 threats of 2013, I assume that after this exploit was fixed new exploits were discovered.

      Additionally, although I found some references to "screen loggers", as far as I understood they are rarer than keyloggers. Anyway, a firewall may stop both loggers since they usually use the Internet connection to send their logs.

  3. Yaniv says:

    Thanks Marko :)

  4. Great advice Yaniv. I always use a random password generator for both the login and password on my privately hosted WP sites. Usually 8-10 letters and numerals. Then I use Roboform to remember them all haha. Though I do have a spreadsheet I keep on my PC with the details too.

    • Hi Shannon. Again, sorry for my late reply. As opposed to LastPass, RoboForm lets you reset your master password. This makes RoboForm more user friendly, although a little less secure than LastPass. Therefore, using a spreadsheet in addition to RoboForm seems to me unnecessary and risky (i.e. your spreadsheet isn't encrypted).

    • Yaniv,
      I just keep some of the details I need in the spreadsheet on sites I access the most. Not for everything, certainly. There are too many websites out there I've logged in to to try to keep track of all that! Perish that thought lol

      Besides, the only PC I use is at home (I work from home these days). Not even the hubby touches it, he wouldn't dare! :D

  5. Trevor Stewart says:

    Great insight! We have been under attack by hackers since mid-April, mostly by brute force entry. We have over 75 WordPress blogs; what could we do to shortcut the volume of protection we need?

  6. Hi Trevor, sorry for not replying to your comment sooner too. Strong passwords are usually sufficient to deal with brute force attacks. Forcing a strong password policy on your administrative accounts may be sufficient to cope with this threat. In addition, you may limit login attempts or apply a CAPTCHA challenge to make these attacks less efficient.