WordPress_Security_Threats

WordPress Security Threats That Want You Know

When it comes to my online activity, security is something I have always been fairly conscious of. But in my opinion, making sure that your WordPress site is secure is not something that you can ever do too much of.

That fact was recently driven home to me when Limit Login Attempts (which I have installed on my blog) started reporting multiple login attempts from more than one IP address. I also discovered that someone had attempted to login to my Facebook account.

With those recent events still fresh in my mind, I thought I’d take the opportunity to focus on some security threats concerning your WordPress site that you may not even be aware of. Whilst there are plenty of basic steps you can take to improve the security of your site (such as changing the default “admin” username and setting strong passwords), you may want to check these ones out too.

5. Published WordPress Version Information

By default anyone can find out what version of WordPress your site is running if they know how. This is not a good thing, because if you are running an older version of WordPress, unscrupulous hacker types will be able to target specific security vulnerabilities that have since been patched by more recent updates.

The first thing I will say is this — you absolutely should update WordPress (as well as your themes and plugins) as soon as new versions become available. Prevention is the best cure, as the timeless saying goes. However, it is still a good idea to remove version information from your site.

This information is stored in two places:

  1. Your page header meta
  2. Your readme.html file

To remove the information from your page header meta, paste the following code into your active theme‘s functions.php file:

function remove_wp_version() {
return '';
}

add_filter('the_generator', 'remove_wp_version');

As for the readme.html file, just rename it to something completely random (like “23bd8.html”). No one’s going to be finding that in a hurry.

4. Access to Theme/Plugin Files

You’re probably familiar with the theme and plugin file editors:

wordpress theme-file-editor

Pretty darn handy, but also a huge security issue should someone gain access to your dashboard. And in general, using the editors is bad practice as any incorrect PHP code can “break” your site (which will then require you to gain access via FTP).

With that in mind, I would recommend that you disable the editors and edit theme and plugin files via FTP only. Doing so is a piece of cake — just include the following in your functions.php file:

  1. define(‘DISALLOW_FILE_EDIT’, true);

3. Universal Registration Option

This is a real simple one — is your WordPress site currently set up so that anyone can register as a user? This is only necessary if you are running some sort of community site (as opposed to a “normal” website or blog). So if you are notyou would be best served by preventing people from having the opportunity to register.

You can do so via Settings > General in your sidebar:

wordpress security threat general-settings

Whilst someone registering for your site in a limited role does not give them a huge amount of access, it does give them more than is absolutely necessary, which is why you should remove the option.

2. Login Name Confirmation

By default, the WordPress login screen will inform you as to whether you have got the username or the password wrong:

wordpress security invalid-username

wordpress security  invalid-password

This effectively makes it twice as easy for hackers to gain access to your site — they can figure out what your username is without having to know the password. It is not information you should make readily available.

As per usual, this issue can be remedied with some code in your functions.php file:

function failed_login() {
return 'The login information you have entered is incorrect.';
}

add_filter('login_errors', 'failed_login');

Now when there is a failed login attempt, there will be no specific information concerning the username or password.

1. Brute Force Login Attempts

Finally, and along the same lines as the penultimate security issue, we have brute force login attempts.

This is when someone will attempt to gain access to your site by attempting an enormous number of different username and password combinations. Such a process is of course made far more difficult by adding the above code to your functions.php file, but you can all but eradicate the chance of a successful brute force login attempt by limiting the number of login attempts by a specific IP address.

My personal recommendation is to install and activate the Limit Login Attempts plugin (mentioned at the beginning of this post). This simple plugin offers you the ability to customize how many login attempts someone should have, and how long they are locked out for if unsuccessful. I consider it a must-have for any WordPress blogger.

What Security Issues Do You Consider a Threat to Your Site?

I am of course just scratching the surface here, but I consider the above tips pretty effective methods for closing potential security vulnerabilities in your WordPress site. I don’t want to frighten you into thinking that WordPress is an inherently unsafe content management system (because it isn’t), but it is better to be safe than sorry.

With that in mind, I’d love to know what suggestions you have for making WordPress more secure. Let us know in the comments section!

Related Posts


7 thoughts on “WordPress Security Threats That Want You Know

  1. wp squeeze bar review

    I do consider all of the ideas you have introduced on your post. They are very convincing and will certainly work. Nonetheless, the posts are too brief for newbies. May just you please prolong them a little from subsequent time? Thank you for the post.

    Reply
  2. mba thesis topics

    Inspiring blog post, lots of enormous information. I’m going to show my friend and ask them what they think about this.

    Reply
  3. Guild Hosting

    Thanks for any other informative website. Where else could I get that type of information written in such an ideal way? I’ve a undertaking that I’m simply now working on, and I’ve been at the look out for such information.

    Reply
  4. hack

    I used to be suggested this web site by means of my cousin. I am not certain whether or not this submit is written by means of him as nobody else realize such unique about my problem. You’re amazing! Thanks!

    Reply
  5. Guild Hosting

    I am just extremely satisfied with your creating capabilities and even while using design in your blog site. Are these claims any paid out style or maybe can you adjust it your self? Anyways continue the nice high quality writing, it can be strange to search an incredible weblog just like it these days.

    Reply
  6. WordPress defend

    Hi very nice internet site! Male. Fantastic. Superb. I am going to take a note of your site plus take the nourishes in addition? Now i am glad to get quite a few techniques listed here inside the article, we’d like determine extra approaches to the following reverence, thanks for spreading.

    Reply
  7. guild web hosting service

    This thread is an awesome read. I have stored your blog and will certainly suggest the page to others.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *


*