WordPress Site Security: Intrusion Prevention
Anything on the Internet is exposed to attackers, because it is reachable by the whole world. A website or web application reaches our browsers as the result of many different services running behind it. Each service listens on a specific port, and those ports have to be open so that requests and responses can pass back and forth. Some ports need to be open for the legitimate maintainer of the site, e.g. 21/22 for uploading and transferring files (FTP/SSH), and others for serving visitors, e.g. 80/443 for HTTP and HTTPS. If they are not carefully maintained, such services become the entry points an intruder takes advantage of. Below are common, widely accepted security practices for protecting these services and keeping a site safe from intruders. The example steps refer to a WordPress site, in that its components, plugins and themes, are discussed by name, but they generalize to other websites and web applications. The focus is on general admin users and site maintainers rather than on secure development practices.
- Have at least some protection against brute-force attacks. In this kind of attack the intruder keeps trying to log in with every combination of username and password until one succeeds. Such attempts are easy to detect: many failed logins from the same address in a short time. For this and other security features, free WordPress plugins are available, for example the Wordfence security plugin (https://wordpress.org/plugins/wordfence/), which can lock out an address after repeated failed logins.
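As an added example (not code from the article or from the Wordfence plugin), the Python script below shows how simple that detection is: it reads web server access log lines in the common "combined" format and flags any client address with five or more failed logins within five minutes. It relies on a WordPress detail: a failed POST to wp-login.php re-renders the form with HTTP 200, while a successful login redirects with 302. The log lines, addresses and thresholds are constructed for the demonstration.

```python
"""Flag brute-force login attempts in a web server access log.

Added example for this article; not code from the article or from Wordfence.
A failed POST to wp-login.php makes WordPress re-render the form with
HTTP 200, a successful one answers 302, so a burst of 200s from one
address is the signature to look for. xmlrpc.php is included because
attackers use it to try many passwords per request.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" log format: ip ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

# Constructed sample: one client failing six times in two minutes, one normal login.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:51 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Oct/2023:13:56:02 +0000] "GET /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:56:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Oct/2023:13:56:33 +0000] "POST /xmlrpc.php HTTP/1.1" 200 410 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Oct/2023:13:56:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:57:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Oct/2023:13:57:20 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "curl/8.0"',
    'garbage line that does not parse',
]


def parse_line(line):
    """Return a dict with ip, ts, method, path, status, or None if the line is not a log record."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],   # drop query string
        "status": int(m.group("status")),
    }


def is_failed_login(rec):
    """A POST to a login endpoint answered with 200 is a failed attempt in WordPress."""
    return rec["method"] == "POST" and rec["path"] in LOGIN_PATHS and rec["status"] == 200


def find_brute_forcers(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: max failures seen inside one window} for clients at or above threshold."""
    recent = defaultdict(deque)   # ip -> timestamps of failed logins, oldest first
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_failed_login(rec):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, count in find_brute_forcers(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins within 5 minutes, candidate for blocking")
```

Behind a reverse proxy or CDN the first log field is the proxy's address, so the client has to be taken from the X-Forwarded-For header instead (most hosts log it). On a real server, pass the open log file to find_brute_forcers, e.g. with /var/log/nginx/access.log (path assumed).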
- Timely updates of the WordPress core and of plugins and themes are required. Technology evolves and intruders keep finding ways around existing security measures, so the defences have to be tightened in turn. Shipping updates is the only way the original developers can help us secure the software they have given us. Plugins that have not been updated in the last 1.5 years should be removed and replaced with a maintained alternative; they may have security holes that nobody is fixing. Choose plugins and themes carefully before installing them on the site.
- Adding a captcha or two-factor authentication to the WordPress admin login is the best way to ensure that only valid users enter the admin area. Using a captcha on open forms such as the contact form also helps prevent bot submissions and the annoying notifications they generate.
- Administrative passwords, and the passwords for servers and cPanel, should be changed regularly. Periodically review which accounts have administrator rights and remove any that are not needed. This limits the damage if the site credentials leak somehow, e.g. from a lost or compromised phone or through phishing.
- Scan the site's open ports regularly, in case an unwanted service was left open accidentally by a developer or the hosting provider. This can be done with open-source tools or with many online services; the most popular tool is nmap. Only scan hosts you own or are authorized to scan. The following is an example scan of a domain to find its open ports with nmap (-sS and -O need root privileges; -p 1-65535 scans every TCP port):

Command used:
nmap -sS -O -p 1-65535 -T4 yourdomain.com -vvv

Output (open ports found):
21/tcp     ftp
25/tcp     smtp
53/tcp     domain   ISC BIND
80/tcp     http     nginx
110/tcp    pop3     Dovecot pop3d
143/tcp    imap
443/tcp    https
465/tcp    smtp
587/tcp    smtp
993/tcp    imap     Dovecot imapd
995/tcp    pop3     Dovecot pop3d
2082/tcp
2083/tcp
2095/tcp
2096/tcp
2525/tcp
18765/tcp

The open ports above belong to standard services and do not look vulnerable by themselves (2082/2083 and 2095/2096 are the usual cPanel and webmail ports), but anyone can scan them just as easily, and a few deserve a second look: FTP (21), POP3 (110) and IMAP (143) carry credentials in plain text unless STARTTLS is enforced, and the cPanel ports are an administrative interface exposed to the whole Internet. Ports exist to expose services, and if a sensitive one is left open it becomes a target for the automated scanners that run constantly looking for someone's mistake. A hosting provider cannot stop a port from being scanned if it is genuinely open; what a secure provider does is firewall everything that does not need to be public and rate-limit or detect scanning. How the provider handles this is a good measure of how seriously it takes security.
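The comparison step of that check, "is anything open that should not be?", can be automated. As an added example, not part of the article or of nmap, the Python below reads nmap's greppable output (the -oG - option), keeps only the ports reported open, and lists those that are not on an allowlist of ports the site is supposed to expose. The scan text, the hostname and the allowlist (22, 80, 443) are constructed assumptions for the demonstration.

```python
"""Compare an nmap scan against an allowlist of ports that should be open.

Added example for this article; not code from the article or from nmap.
Input is nmap's greppable format (nmap -sS -p- -oG - host), where one host
line looks like (fields separated by tabs):
  Host: 192.0.2.10 (example.com)<TAB>Ports: 21/open/tcp//ftp///, ...<TAB>Ignored State: closed (N)
Each port entry is port/state/protocol/owner/service/rpcinfo/version/.
Scan only hosts you own or are authorized to scan.
"""
import re

PORT_RE = re.compile(
    r"(\d+)/([\w|]+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/"
)

# Assumed policy: only SSH, HTTP and HTTPS are meant to be reachable from the Internet.
ALLOWED_PORTS = {22, 80, 443}

# Constructed sample output. The service column is nmap's guess from its port
# table (not what actually answers) unless -sV was used; on a cPanel host
# 2083 is the cPanel HTTPS login whatever the label says.
SAMPLE_SCAN = (
    "# Nmap 7.94 scan initiated Tue Oct 10 13:55:36 2023 as: nmap -sS -p- -oG - example.com\n"
    "Host: 192.0.2.10 (example.com)\tStatus: Up\n"
    "Host: 192.0.2.10 (example.com)\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh//OpenSSH 8.9/, "
    "80/open/tcp//http//nginx/, 443/open/tcp//https//nginx/, 2083/open/tcp//radsec///, "
    "3306/filtered/tcp//mysql///\tIgnored State: closed (65530)\n"
    "# Nmap done at Tue Oct 10 13:58:02 2023 -- 1 IP address (1 host up) scanned\n"
)


def parse_greppable(text):
    """Return {host_ip: [(port, proto, service, version), ...]} for open ports only."""
    result = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        open_ports = []
        for m in PORT_RE.finditer(ports_field):
            port, state, proto, _owner, service, _rpc, version = m.groups()
            if state == "open":          # ignore filtered/closed entries
                open_ports.append((int(port), proto, service, version.strip()))
        result[host] = open_ports
    return result


def unexpected_ports(scan, allowed=ALLOWED_PORTS):
    """Return {host_ip: [port, ...]} of open ports that are not on the allowlist."""
    return {
        host: sorted(p[0] for p in ports if p[0] not in allowed)
        for host, ports in scan.items()
    }


if __name__ == "__main__":
    for host, ports in unexpected_ports(parse_greppable(SAMPLE_SCAN)).items():
        print(f"{host}: unexpected open ports {ports}")
```

Run the real scan as nmap -sS -p- -oG scan.gnmap yourdomain.com (root needed for -sS) and pass the file contents to parse_greppable; anything unexpected should be closed or firewalled, or added to the allowlist with a reason written down.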
- Scan the website with popular online vulnerability scanners, especially to check for cross-site scripting, SSL/TLS configuration issues and similar holes that are visible to the public. Do not share any private information with such sites; give them only the public URL and let them report what they can find in the site, server or SSL setup. This should be done especially after the developer changes the site or after a plugin, theme or core update.
Some popular examples at the time of writing:
- Choose a hosting plan that gives complete FTP/SSH and web access logs. They are what let you track down an intruder and find the cause of a compromise. Dedicated servers such as AWS EC2 instances normally give this access; shared hosting rarely offers it to individual accounts. Make sure the hosting has a firewall and tooling to deal with common attacks such as DDoS.
- Make sure the hosting provider regularly scans the site files and databases, and that its anti-malware scanners are kept up to date with the latest detection patterns and signature databases.
- SQL dumps and zipped backups of the site must not reside in the web root (inside public_html) or in any folder below it, unless external access is blocked by web-server rules such as an Apache .htaccess (note that nginx ignores .htaccess files, so there the files have to be moved out of the web root). Otherwise anyone can download them through the website URL with ordinary scanning, since they are publicly accessible. Intruders then get not only the sensitive data in the dump and private files but also knowledge of the system's internals, which lets them find the weak spots for later attacks on production data.
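A quick way to audit this on a server you administer, as an added example that is not code from the article: the Python script below walks the web root, reports every file whose name looks like a database dump or archive, and says whether a denying .htaccess covers its folder (meaningful for Apache only). The sample directory tree it builds, the extension list and the two directives it recognises (Require all denied for Apache 2.4, Deny from all for 2.2) are assumptions for the demonstration.

```python
"""Find backup archives and database dumps lying inside the web root.

Added example for this article; not code from the article or from WordPress.
The file-name patterns, the .htaccess directives and the demo tree are
assumptions for the demonstration.
"""
import os
import re
import tempfile

# Names that usually mean "a copy of something sensitive" (assumed list).
BACKUP_PATTERNS = re.compile(
    r"\.(sql|sql\.gz|sql\.zip|zip|tar|tar\.gz|tgz|7z|rar|bak|old|orig|swp)$"
    r"|^wp-config\.php\.",
    re.IGNORECASE,
)

# Apache directives that stop a directory from being served (2.4 and 2.2 syntax).
DENY_DIRECTIVES = re.compile(
    r"^\s*(Require all denied|Deny from all)\s*$", re.IGNORECASE | re.MULTILINE
)


def directory_is_denied(directory, webroot):
    """True if `directory` or any ancestor up to `webroot` has a denying .htaccess.

    Only Apache honours .htaccess; on nginx this result means nothing and the
    file must simply be moved out of the web root.
    """
    current = os.path.abspath(directory)
    root = os.path.abspath(webroot)
    while True:
        htaccess = os.path.join(current, ".htaccess")
        if os.path.isfile(htaccess):
            with open(htaccess, encoding="utf-8", errors="replace") as f:
                if DENY_DIRECTIVES.search(f.read()):
                    return True
        if current == root or not current.startswith(root):
            return False
        current = os.path.dirname(current)


def find_exposed_backups(webroot):
    """Return a sorted list of (relative_path, protected) for backup-like files under webroot."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        for name in filenames:
            if BACKUP_PATTERNS.search(name):
                rel = os.path.relpath(os.path.join(dirpath, name), webroot)
                findings.append((rel, directory_is_denied(dirpath, webroot)))
    return sorted(findings)


def build_demo_webroot():
    """Constructed sample tree: a dump and a config copy in the root, an archive in a denied folder."""
    root = tempfile.mkdtemp(prefix="public_html_")
    os.makedirs(os.path.join(root, "old-site"))
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    files = {
        "index.php": "<?php // placeholder\n",
        "db-2023-01-05.sql": "-- constructed dump\n",
        "wp-config.php.bak": "<?php define('DB_PASSWORD', 'x');\n",
        "old-site/site.zip": "PK",
        "old-site/.htaccess": "Require all denied\n",
        "wp-content/uploads/photo.jpg": "",
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "w") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    demo = build_demo_webroot()
    for rel, protected in find_exposed_backups(demo):
        status = "blocked by .htaccess" if protected else "PUBLICLY DOWNLOADABLE"
        print(f"{rel}: {status}")
```

On a real server call find_exposed_backups with the document root, e.g. /home/user/public_html (path assumed). Anything reported as unprotected should be moved outside the web root rather than merely hidden behind an .htaccess, since that protection disappears the moment the site is migrated to nginx or AllowOverride is switched off.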
- Take automated backups of all files and the database at least every 15 days, so that if any part of the database or file system gets infected it can be restored. Keep the backups off the web server and test a restore occasionally.
- Always have SSL/TLS (https) on the site, especially if user data passes over the network. It prevents eavesdropping and tampering with requests and responses in transit; redirect plain http to https so that nothing is sent in the clear.
- It is good practice to put the website behind a reverse proxy, for availability and for security (hiding the origin server's real IP address). For the hiding to be effective, the origin must accept traffic only from the proxy; otherwise an attacker who discovers the address can bypass the proxy entirely.