WordPress Security & Why the Plugin Alone Is Not Responsible

Courtesy of wpkube.com ()

About vulnerabilities and breaches.

There are hundreds of ways in which a site’s security can be compromised.

Clearly a plugin can’t be responsible for everything!

A WordPress site (or any other site) is vulnerable in many places. I personally will never place my bet on a single plugin for securing my site.

While you must fullproof your security with a premium plugin like iThemes Security (formerly Better WP Security), you should not stay assured that this alone is enough. What about the threats that are beyond the scope of such security plugins?

How can a single plugin cover for an obvious username, a poor password, a bad hosting service or an outdated WordPress version?

When it comes to making our site secure, there are a couple of things that we must be proactive about.  Here are some areas that definitely deserve some attention even with a premium security plugin in place.

Pending updates

Always use the latest WordPress version
WordPress site owners feel crushed even at the mention of automatic updates. This is sad as every new version covers the security loopholes form the previous versions. As a version becomes old, several of its vulnerabilities are exposed. Each new version introduces an advanced layer of security, covering all the lapses from the previous versions.

And unless you take the precaution of hiding your WordPress version, it can be found out easily by viewing your page source. An old version has known vulnerabilities and therefore using an old version is equal to inviting security breaches.

This doesn’t apply to the WordPress core only. This applies to all the plugins and themes that you use on your site. If you can’t update them yourself, you can go in for a managed hosting like the one offered by GoDaddy. With managed hosting, you don’t have to update manually. It is the hosting provider’s concern. Also, if certain plugins or themes seem dicey, you just can’t install them.

It’s convenient to think that updating each time a major version is released is enough. But minor releases are the ones that contribute to your site’s security and some bugs. Major versions generally introduce more functions while the minor releases often cover the vulnerabilities introduced in the major release or any others that come to the surface.

What about the zero day vulnerability?

A zero day vulnerability is a security loophole in a program that the programmer/vendor does not know about.

Remember the infamous episode of Sucuri exposing the recent MailPoet Secuity Lapse? This happen once is many cases, updating as soon as a new release is introduced is still the best option. And responsible authors immediately ship in a safe and secured version. MailPoet got especially lucky as no breaches were reported.

Weak Passwords

Password strength determines your site's security
Your security plugin can seriously not do anything about this. I would like to mention the 2012 LinkedIn story. Remember how lots of LinkedIn accounts got hacked.

If you guessed that the top hacked password was the password “link”, then you are 100% right! Imagine so many people not doing any better than this for securing their most important professional profile. Some other interesting passwords included 123456 and the reverse of this string too!

Hackers are smart. Besides, with such out of the world and unimaginable passwords, I’m sure they may be having a really nice laugh about their victory!

Forbes has published the full list and you have to absolutely read it.

I will admit that the password policies are definitely more strict now. You are now required to use numbers, special characters, mixed cases and more. But I am sure some of us will still find scope to be lazy with creating difficult passwords.

And I also wish that we were a tad more appreciative of the password strength meter that most responsible signup services use. Remember people, it’s not there for nothing.

While researching for this article, I came across a cool tool in a post by Christopher Ross. It is a nice password checker tool by Microsoft. You can feed your password to the tool and the tool will return its strength.

Also, if you want to learn about creating passwords that are easy for you to remember but impossible for others to guess, then there’s a post about this too. You can find it here.

Obvious Login URLs

Re doing the obvious login pages
WordPress, by default, comes with login URLs like site.com/wp-admin.php  or site.com/wp-login.php. Retaining the same URLs makes the hackers’ lives easy as they know exactly which page to attack.

Rename wp-login.php is a handy plugin that will help you cover this concern. Hiding the login page makes perfect sense as the hacker would have no idea about where to login. This is an easy security measure and can really create cause some pains to the hackers.

Limiting the number of login attempts

Allowing only limited login attempts
There’ s no point in allowing unlimited number of login attempts. Not limiting the number of login attempts encourages Brute Force attacks as the hacker can try until he gets lucky. You must install  a plugin like Login LockDown that helps in restricting the number of login attempts.

You can decide the period for which an IP should be blocked after a certain number of attempts.

Two-Step Authentication

Two step authentication introduces more security
If you want to further secure entering your website, then two-step authentication plugins can help you with this. You can use Google Authenticator on your site. With this plugin, each time a user tries to login, a key is delivered over his phone. This ensures that only the legitimate and the doubly authenticated users can login.

Hosting

A good web hosting provider takes regular backups and security measures
I think that the most popular keyword for hosting providers would be “cheapest hosting”.Because that’s what most people search for while selecting a hosting provider. Such hosting often provides poor or no security. If you have bought a shared hosting plan, then you have to share it with several other websites. If even one of them gets infected, there’s complete probability of your site getting affected too.

Ideally security should be one of the most important factors while selecting a hosting solution. You should also check if your hosting provider supports the latest PHP and MySQL versions. You must also understand your hosting provider’s capability in getting your site up and running in case of a breach.

Reputed hosting services backup your data regularly but this shouldn’t stop you from maintaining your own backup files.

Plugins and themes

Free or outdated themes and plugins cause security concerns
We absolutely love the WordPress repository for its free themes and plugins. But we often ignore the need to dig any information about the development team behind them. You must ensure that the theme or plugin that you are downloading and using on your site comes from a reputed developer. It is understood if you can’t manually look and scan through the complete code but there’s no excuse to not running it through some code scanners.

It’s best to stay away from plugins and themes that have not been updated for a long time. In the WordPress repository, you will see a notification if a product has not been updated for a significantly long period. Using such products is dangerous as they may contain several known security lapses.

You shouldn’t be sure about the established plugins either. Jetpack shipped in a major security upgrade with their 2.9.3 release. With your site’s security, you have to be careful all the time. Staying on top of the news is important for strengthening your site’s security.

To check your theme for malicious code, you can use the Theme Authenticity Checker plugin. This plugin identifies all the malicious code present within your theme.

To perform an even more exhaustive check over your complete site, you can use the Sucuri SiteCheck scanner. It checks your site for several things like malware, injected spam, blacklisting, and firewall settings.

User names

With the knowledge about the user name, the hacker only has to guess your password
To log into a site, you just need a username and a password. Unfortunately we fall in love with the default user name “admin”. It’s no wonder that one of the most highly recommended security practices is to change the default user name. You must set it to something else.

Removing the admin account altogether is just as good.

On many occasions, we expose our user names unknowingly. Like if I post using my admin account, then my author page will show my user name.

With the exact user name, the hacker has only to get your password and then he’s all set.

Transferring files

Using secured mechanisms for transferring files
You’ll eventually be sending and receiving files through your site. Switching from the standard FTP (File Transfer Protocol) to SFTP (Secured File Transfer Protocol) will make such transfers safer as your passwords will not be carried or stored in plain text. Using the SFTP protocol enables encryption of your sensitive data.

Removing unwanted themes and plugins

removing unnecessary themes and plugins from your WordPress dashboard
You should check your site once in a while for disabled themes and plugins. There’s no point in retaining them since you are clearly not using them. Hackers often exploit the vulnerabilities present in your disabled themes and plugins.

Security Audits

Importance of security audits in WordPress security
People often ignore security audits. Security audit logs are the easiest ways to skim out all the unusual activities from within your site. WP Security Audit Log is a great plugin to maintain such log files. It monitors everything from user activities to your WordPress version. It also keeps a check on your plugins, widgets and themes. Any modification in a user’s role is also reported.

It comes around as a handy security monitoring solution.

What are the other good security practices that you’re following on your site?

Leave a Reply

Your email address will not be published. Required fields are marked *