Experts Explain: WordPress Security

    This is the sixth part in our series of posts here at StopTheHacker where we describe the various methods that malicious hackers use to infect benign and legitimate websites with web-malware.

    In this article we will talk about WordPress security. WordPress is arguably the most popular content management system (CMS) on the Internet today. Malicious hackers are always looking for ways to compromise these installations in order to infect thousands of sites. We will show some examples of what can be done to secure your WordPress installation.

    What is WordPress?
    WordPress is an extremely popular web application that has gained millions of users over the last few years. The features of WordPress are well described on its official site.

    WordPress is an application that makes it easy to build a site, launch it, and manage it: it’s a Content Management System (CMS). WordPress has a very vibrant support community and there are many useful plugins available for it, not to mention beautiful themes that let you skin your website and blog just as you like.

    Why do web designers and administrators use WordPress?
    Web designers and admins use WordPress due to its ease of use and simplicity in the design and launch of websites. WordPress is a very capable piece of software that can cut down the time and effort needed to create blogs and sites and to edit them afterwards. WordPress also supports a variety of third-party “plugins” that can add additional functional and aesthetic features.

    Is WordPress secure?
    Yes, the WordPress development team is very aware of, and responsive to, vulnerabilities discovered in WordPress installations. However, many WordPress installations still fall prey to hackers due to a few simple reasons.

    When a WordPress install is compromised, it can lead to many headaches. We will discuss these issues below and how to avoid them.

    The image shows PHP web malware code that can infect WordPress installations.

    Why does a WordPress installation get compromised?
    A WordPress installation can be compromised, and then infected with web-malware (malicious computer code) as a result of various issues.

    • Not upgrading to the latest WordPress version
    • Installing vulnerable plugins
    • Using weak passwords
    • Using FTP to upload files to the WordPress installation
    • Allowing guests to post content
    • Not using rate limiting to prevent bot attacks

    What can you do to make your WordPress installation more secure?
    Here are a few tips you can use to make your WordPress install even more secure.

    • Restrict access to your WordPress administrator login page using .htaccess files. You can use something like:
      order deny,allow
      deny from all
      # allow specific IP address 1 only
      allow from
      # allow specific IP address 2 only
      allow from

      This will reduce the chances of a malicious attacker testing your administrator login forms for weaknesses.

    • Ensure that you do not allow guests to register by default.
      To make sure this is correctly set, click on the Settings tab once you log in as an administrator and then verify that “anyone can register” is left un-checked in the “Membership” area.
    • Set correct permissions.
      Never use 777 for WordPress permissions. Make sure that all folder permissions are set to 755. Individual files can be 644. Make sure that files that you would like to edit with the built-in WordPress Theme editor are set to 666.
    • Upgrade your WordPress installation as soon as a new version is released with security enhancements.
    • Use strong passwords and change them frequently.
    • Do not use FTP from your computer to connect to your hosting account.
      Use SFTP/SSH instead. FTP passwords can be sniffed by hidden Trojans and malware on your PC. You should scan your PC regularly with multiple AV engines.
    • Prevent directory listing by using a .htaccess file similar to that below:
      # Prevents directory listing
      Options -Indexes
    • Move your wp-config file to a different location.
      Since WordPress 2.6 you can move your wp-config.php file outside of your root WordPress directory. Simply place the file in the directory above the WordPress root directory and it will automatically be detected.
    • Use a limit-login-attempts plugin with WordPress.
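
    As an added example (not code from the StopTheHacker post), a POSIX shell audit that checks a WordPress tree against the modes recommended above (folders 755, files 644, nothing world-writable) and can apply them; it assumes only find(1), chmod(1) and mktemp(1), and the demo tree it builds is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: audit a WordPress tree against the
# permission guidance above (folders 755, files 644, never 777/666 except files
# you deliberately opened for the built-in theme editor).
# Assumes POSIX find(1); one line is printed per deviation, prefixed by the problem.

wp_perm_audit() {
    root="$1"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    # World-writable entries (777 dirs, 666/777 files) first: any local account or
    # a compromised neighbouring site on shared hosting can rewrite these.
    find "$root" -perm -002 | sed 's/^/WORLD-WRITABLE  /'
    # Directories that are not exactly 755 (world-writable ones already reported).
    find "$root" -type d ! -perm 755 ! -perm -002 | sed 's/^/DIR-NOT-755     /'
    # Regular files that are not exactly 644.
    find "$root" -type f ! -perm 644 ! -perm -002 | sed 's/^/FILE-NOT-644    /'
}

# Number of deviations; 0 means the tree matches the guidance.
wp_perm_issue_count() {
    wp_perm_audit "$1" | wc -l | tr -d ' '
}

# Apply the recommended modes to every entry in the tree. Run it only on a tree
# you own; re-open theme files at 666 afterwards if you rely on the editor.
wp_perm_fix() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# With a path argument, audit that install; without one, run on a constructed
# demo tree that reproduces two common mistakes (777 uploads dir, 666 wp-config).
if [ -z "${1:-}" ]; then
    demo=$(mktemp -d)
    mkdir -p "$demo/wp-content/uploads" && touch "$demo/index.php" "$demo/wp-config.php"
    chmod 755 "$demo" "$demo/wp-content" && chmod 777 "$demo/wp-content/uploads"
    chmod 644 "$demo/index.php" && chmod 666 "$demo/wp-config.php"
    echo "before fix: $(wp_perm_issue_count "$demo") issue(s)"   # 2
    wp_perm_audit "$demo"
    wp_perm_fix "$demo"
    echo "after fix:  $(wp_perm_issue_count "$demo") issue(s)"   # 0
    rm -rf "$demo"
else
    wp_perm_audit "$1"
fi
```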

    WordPress installations are a juicy target for malicious hackers to exploit and infect benign websites. We have seen what WordPress is, how an installation can be compromised by malicious hackers, and how to protect your website.

    StopTheHacker customers have access to resources and services that protect them against these kinds of threats and help them recover from compromises should they occur. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our product page to protect your website right now.