WordPress is the world's leading content management system, which makes it a popular target for attackers.
Analysis of compromised WordPress installations shows that exploitation most often occurs through simple configuration errors or through plugins and themes that have not had security fixes applied.
The checks performed by our WordPress security scan point out obvious security failures in the WordPress installation and recommend security-related configuration improvements to harden the website against future attacks.
Security in WordPress must be taken very seriously, but as with any other system there are potential security issues that may arise if some basic security precautions aren’t taken.
Numerous WordPress security issues have been discovered in the open source software, particularly in 2007 and 2008. According to Secunia, WordPress in April 2009 had 7 unpatched security advisories (out of 32 total), with a maximum rating of “Less Critical.” Secunia maintains an up-to-date list of WordPress vulnerabilities.
January 2007 – many blogs featuring AdSense were targeted and attacked with a WordPress exploit. A separate vulnerability on one of the project site’s web servers allowed an attacker to introduce exploitable code in the form of a back door to some downloads of WordPress 2.1.1. The 2.1.2 release addressed this issue; an advisory released at the time advised all users to upgrade immediately.
May 2007 – a study revealed that 98% of WordPress blogs being run were exploitable because they were running outdated and unsupported versions of the software. In part to mitigate this problem, WordPress made updating the software a much easier, “one click” automated process in version 2.7 (released in December 2008). However, the filesystem security settings required to enable the update process can be an additional risk.
June 2007 – Stefan Esser from the PHP Security Response Team criticized WordPress’s security track record, citing challenging issues with the application’s architecture that made it very difficult to write code that is secure from SQL injection vulnerabilities, as well as some other problems.
June 2013 – about 50 of the most downloaded WordPress plugins were vulnerable to common Web attacks such as SQL injection and XSS. A separate inspection of the top-10 e-commerce plugins showed that 7 of them were vulnerable. Plugins also need to be updated regularly.
To promote better security, and to streamline the update experience overall, automatic background updates were introduced in WordPress 3.7.
WordPress installations can be protected with security plugins. Users must protect their WordPress installations by taking steps such as keeping the WordPress core, themes, and plugins updated, using only trusted themes and plugins, and editing the site’s .htaccess file to prevent many types of SQL injection attacks and block unauthorized access to sensitive files.
Developers can also use tools to analyze potential vulnerabilities:
- WordPress Auditor
- WordPress Sploit Framework developed by 0pc0deFR.
These types of tools search for known vulnerability classes, such as XSS or SQL injection. Some vulnerabilities cannot be detected by the tools, so it is advisable to review code from other developers as well.
1. Remove the meta “Generator” tag
2. Change the urls for WordPress dashboard including login, admin, and more
3. Completely turn off the ability to login for a given time period (away mode)
4. Remove theme, plugin, and core update notifications from users who do not have permission to update them
5. Remove Windows Live Write header information
6. Remove RSD header information
7. Rename “admin” account
8. Change the ID on the user with ID 1
9. Change the WordPress database table prefix
10. Change wp-content path
11. Remove login error messages
12. Display a random version number to non administrative users anywhere version is used
13. Scan your site to instantly tell where vulnerabilities are and fix them in seconds
14. Ban troublesome bots and other hosts
15. Ban troublesome user agents
16. Prevent brute force attacks by banning hosts and users with too many invalid login attempts
17. Strengthen server security
18. Enforce strong passwords for all accounts of a configurable minimum role
19. Force SSL for admin pages (on supporting servers)
20. Force SSL for any page or post (on supporting servers)
21. Turn off file editing from within WordPress admin area
22. Detect and block numerous attacks to your filesystem and database
23. Detect bots and other attempts to search for vulnerabilities
24. Monitor filesystem for unauthorized changes
25. Create and email database backups on a customizable schedule
26. Make it easier for users to log into a site by giving them login and admin URLs that make more sense to someone not accustomed to WordPress
27. Detect hidden 404 errors on your site that can affect your SEO such as bad links, missing images, etc.
28. Works on multi-site (network) and single site installations
29. Works with Apache, LiteSpeed or NGINX (NGINX will require you to manually edit your virtual host configuration)
30. NEW Remove the existing jQuery version used and replace it with a safe version (the version that comes default with WordPress).
31. NEW Disable PHP execution in Uploads
32. NEW Force users to choose a unique nickname when updating their profile or creating a new account, which prevents bots and attackers from easily harvesting users’ login usernames from the code on author pages.
33. NEW Disable a user’s author page if their post count is 0, making it harder for bots to determine usernames of users that don’t post to your site.
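As an added example (not code from this page or from the plugin whose features are listed above), the following must-use plugin implements items 1, 5, 6, 11, 21 and 33 of the list with standard WordPress hooks. It assumes the file is placed in wp-content/mu-plugins/ on a stock WordPress install.

```php
<?php
/*
 * Plugin Name: Hardening examples (added example, drop into wp-content/mu-plugins/)
 */

// Item 1: remove the meta "Generator" tag from <head> and the version string in feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// Items 5 and 6: remove the Windows Live Writer and Really Simple Discovery link tags,
// both of which advertise XML-RPC endpoints and the install's paths.
remove_action( 'wp_head', 'wlwmanifest_link' );
remove_action( 'wp_head', 'rsd_link' );

// Item 11: replace the specific login error ("unknown username" vs "incorrect password")
// with one generic message, so a failed attempt no longer confirms that a username exists.
add_filter( 'login_errors', function ( $error ) {
    return __( 'Login failed. Please check your credentials.' );
} );

// Item 33: send visitors away from the author archive of any user with no published posts,
// so the archive cannot be used to confirm which login names exist.
add_action( 'template_redirect', function () {
    if ( ! is_author() ) {
        return;
    }
    $author = get_queried_object();
    if ( ! $author instanceof WP_User ) {
        return;
    }
    if ( (int) count_user_posts( $author->ID ) === 0 ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
} );

// Item 21: file editing is controlled by a constant that WordPress checks when mapping the
// edit_plugins / edit_themes capabilities. wp-config.php is the usual place for it; defining
// it here works because mu-plugins load before any admin screen performs that check.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}
```

Verify the result by fetching the site's front page and confirming that no `<meta name="generator">`, `wlwmanifest.xml` or `xmlrpc.php?rsd` tags appear in the response, and that `?author=1` no longer resolves to an archive for a user without posts.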