The mass attack on WordPress blogs last April raised the issue of web security in general and WordPress security in particular. Although a lot has been written about this issue, in this post I tried to gather some of the less common tips (at least in the e-marketing arena). Some of these tips simply go back to the basics, while others use some of the most innovative tools in the security world.
SSH With Public Key Authentication
The Secure Shell (SSH) protocol provides a secure tunnel for remote web server management that protects against account or session hijacking. Even so, an account may still be compromised through a brute-force attack or poor password management. Using SSH with public key authentication and a passphrase-protected key makes the former nearly impossible and mitigates the latter. BTW, in order to maximize the strength of the public/private key pair it is highly recommended to use RSA keys.
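As an added example (not from the original post), a small Python audit of an sshd_config that reports whether password logins are still possible once keys are in use; the directive names are real OpenSSH options, while the sample configuration is constructed:

```python
"""Audit an sshd_config for key-only authentication, so password guessing
cannot succeed. Added example; the sample config below is constructed."""

# directive -> (OpenSSH default when absent, value the audit expects).
# ChallengeResponseAuthentication matters because keyboard-interactive (PAM)
# logins can still take a password when PasswordAuthentication is off.
CHECKS = {
    "pubkeyauthentication": ("yes", "yes"),
    "passwordauthentication": ("yes", "no"),
    "challengeresponseauthentication": ("yes", "no"),
}


def parse_sshd_config(text):
    """Return {directive: value} for the global section (keys lower-cased).
    sshd honours the first occurrence of a directive, so later duplicates are
    ignored; everything after the first Match block is conditional and is
    left out for separate review."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return (directive, effective value, expected value) for each failure."""
    settings = parse_sshd_config(text)
    findings = []
    for key, (default, expected) in CHECKS.items():
        effective = settings.get(key, default)
        if effective != expected:
            findings.append((key, effective, expected))
    return findings


# Constructed sample: the password line is commented out, so the OpenSSH
# default (password logins allowed) still applies.
SAMPLE = """\
PubkeyAuthentication yes
# PasswordAuthentication no
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication no
"""
```

Running `audit_sshd_config(SAMPLE)` flags only `passwordauthentication`, which is exactly the kind of half-applied hardening that leaves brute-force attempts possible.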
An additional way to prevent unauthorized access to a dedicated or virtual private server (VPS) is to install the Dome9 firewall on the server (supported OSes include Windows as well as Linux). Once the firewall has been installed, one may open or close ports from the Dome9 website. Dome9 has a totally free plan for one Dome9 user and up to 5 servers (!). The other plans include two-factor authentication and mobile apps for firewall management.
Web Application Firewall
Web applications are vulnerable to a variety of malicious attacks like Cross-Site Scripting (XSS), SQL Injection, and Denial of Service (DoS). While software companies and developers constantly release security patches and updates to fix these vulnerabilities, keeping all software components on a web server up to date entails IT knowledge and resources. Moreover, even the most up-to-date servers are exposed to zero-day exploits. To mitigate these threats, software professionals started to develop web application firewalls (WAFs). This piece of software was intended to provide an extra security layer for all the web applications on the server regardless of their programming language or function.
While ModSecurity is one of the best-known and oldest WAFs, there are many open-source and commercial WAFs nowadays. The most recent development in the WAF arena is cloud-based web application firewalls. These firewalls have a vast amount of computing resources that can be shared between their clients according to their current security threats, which makes them more economical (some, like Cloudflare and Incapsula, even have a free plan). Additionally, they have the advantage of centralized management by skilled IT staff. Now, although these cloud WAFs can mask a server's IP address, the server may still be vulnerable to direct attacks that bypass the WAF. To avoid this scenario, one may limit the server's traffic to the WAF's IP addresses or install an additional open-source WAF on the server itself.
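To check whether anyone is reaching the origin directly instead of through the cloud WAF, here is an added Python example (not part of the original post) that runs over Apache access log lines; the WAF address ranges and the log lines are constructed placeholders, and the real ranges must come from the vendor's published list:

```python
"""Find requests that reached the origin server directly instead of through
the cloud WAF. Added example; the WAF ranges and log lines are constructed
(TEST-NET addresses), not a vendor's real published list."""
import ipaddress
import re

# Placeholder for the WAF vendor's published edge networks.
WAF_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

# Apache "combined" log format; the client address is the first field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def is_waf_address(ip_text):
    """True when the address belongs to one of the WAF's edge networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in WAF_RANGES)


def find_direct_hits(log_text):
    """Return (ip, request line) for each parseable request not sent via
    the WAF. Any hit means the origin address is known outside the WAF,
    and the host firewall should allow ports 80/443 from WAF_RANGES only."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skipped, never counted as trusted
        if not is_waf_address(m.group("ip")):
            hits.append((m.group("ip"), m.group("req")))
    return hits


# Constructed sample: two requests via the WAF, one direct request to the
# login page from an address outside the WAF ranges.
SAMPLE_LOG = """\
192.0.2.17 - - [10/Apr/2013:08:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Apr/2013:08:00:07 +0000] "GET /wp-login.php HTTP/1.1" 200 2300 "-" "curl/7.29"
198.51.100.200 - - [10/Apr/2013:08:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""
```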
Securing WordPress Backend
While the above tips are not platform-specific, here are some specific tips to protect the WordPress backend (i.e. the WP login and admin pages).
Like web server management, the WordPress management account should ideally be protected by a secure tunnel. While some people use a VPN connection to protect their accounts on public networks (e.g. coffee shop Wi-Fi), there is no guarantee that every person with a privileged WordPress account will do so. Forcing Secure Sockets Layer (SSL) on the WordPress admin and login pages may secure the WordPress backend without slowing down its frontend pages. The WordPress HTTPS plugin can force SSL on backend as well as frontend pages. In addition, it may fix some SSL 'mixed content' issues.
If one cannot afford the additional costs of the SSL option (e.g. an SSL certificate), one may still install the AskApache Password Protect plugin. This plugin uses Apache Digest access authentication to perform secure authentication without the SSL protocol. Although less secure than SSL, this protocol may protect the blog passwords during the authentication process.
While SSL may protect WordPress accounts from account or session hijacking, there are still many other potential backend vulnerabilities. The Better WP Security plugin offers a range of tweaks to mitigate these vulnerabilities, like protecting the .htaccess, wp-config.php, and readme.txt files, renaming the "admin" username, and changing the WordPress default content folder, SQL table prefix, and admin login URL. In addition, this plugin offers some security mechanisms like strong password enforcement, regular backups, and brute-force attack detection (here is a comprehensive video review of this plugin's features). BTW, Better WP Security has a tweak that forces SSL on the login and administration pages.
Two Factor Authentication
Last but not least, phishing attacks and keyloggers may compromise WordPress accounts, especially when users log in from their own laptop or PC. Two-factor authentication may protect WordPress accounts from these scenarios by requiring an additional one-time password (OTP). S-CRIB OTP Authenticator is a WordPress two-factor authentication plugin that works with a variety of OTP generators, including Google Authenticator. For those who prefer not to rely on WordPress and the security of its plugins, Incapsula offers two-factor authentication as part of its cloud-based WAF.
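As an added example of what the OTP check looks like on the server side (written for this post, not the S-CRIB plugin's own code), a Google Authenticator-compatible TOTP verifier in Python with clock-skew tolerance and replay rejection; the only secret used is the public RFC 6238 test secret:

```python
"""Server-side verification of a time-based one-time password (TOTP,
RFC 6238) as generated by Google Authenticator. Added example, not the
S-CRIB plugin's code; the secret is the RFC 6238 test secret."""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # Google Authenticator default
DIGITS = 6


def hotp(key, counter, digits=DIGITS):
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def totp(key, unix_time, step=STEP_SECONDS):
    """TOTP: HOTP with the counter derived from the current time step."""
    return hotp(key, int(unix_time) // step)


class TotpVerifier:
    """Per-user verifier: tolerates one step of clock skew either way and
    refuses any counter at or before the last accepted one, so a phished
    or keylogged code cannot be replayed."""

    def __init__(self, base32_secret, window=1):
        padded = base32_secret.upper() + "=" * (-len(base32_secret) % 8)
        self.key = base64.b32decode(padded)
        self.window = window
        self.last_counter = -1

    def verify(self, code, unix_time=None):
        now = int(time.time() if unix_time is None else unix_time)
        counter = now // STEP_SECONDS
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue  # consumed already, or older than the last accepted code
            if hmac.compare_digest(hotp(self.key, c), code):
                self.last_counter = c
                return True
        return False


# Base32 form of the RFC 6238 test secret "12345678901234567890", the
# encoding Google Authenticator uses when a secret is enrolled.
TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()
```

The per-user `last_counter` must be persisted (e.g. in the user's metadata), otherwise the replay check only holds for the lifetime of the process.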