Updating WordPress

The first way to prevent hackers is to keep your WordPress website up to date. The quick-and-easy way to do so is through the automatic update feature. Book 2, Chapter 6 takes you through the process of updating WordPress step by step.

The beauty of applying updates is that they often introduce new streamlined features, improve overall usability, and work to patch and close identified or known vulnerabilities.

As technology and concepts evolve, so do attackers and their methods for finding new vulnerabilities. The farther behind you get, the harder it is to update later and the more your risk increases, which in turn affects how vulnerable you are to attacks.

Installing patches

All WordPress updates are not created equal, but you should pay special attention to a few updates of the WordPress core software.

Updates include major releases, which contain feature additions, user interface (UI) changes, bug fixes, and security updates. You can always tell what major release you’re on by the first two numbers in the version number (as in 5.0). See Book 1, Chapter 3 for more information about the difference between major and minor releases.

Then you have point releases, which are minor releases that can be identified by the third number in the version number (as in 5.0.1). These releases contain bug fixes and security patches but don’t introduce new features.

When you see a point release, apply it. Point releases rarely cause issues with your site, and they help close off vulnerabilities in a lot of cases.

Using a firewall

A firewall builds a wall between your website and the much larger Internet; a good firewall thwarts a lot of attacks.

Your web server should also have a good firewall protecting it. Every day, countless visits, good and bad, are made to every website. Some visits are by real visitors, but many are by automated bots. A web application firewall (WAF) helps protect your WordPress installation from those bad visitors.

WAFs don’t offer 100 percent protection, but they’re good deterrents for everyday attacks.

If you plan to manage and administer your own server, install and configure a tool such as ModSecurity (www.modsecurity.org), an open-source, WAF-like solution that lives at the web server level as an Apache module.

If you’re using a managed hosting solution, you’re probably in luck, because most of these solutions offer built-in WAF-like features.

As a user, you can also install a WordPress plugin called Cloudflare, which you can find in the official WordPress Plugin list at https://wordpress.org/plugins/cloudflare. Cloudflare (see Figure 5-1) provides the best available WAF-like features for your WordPress website on a managed hosting solution. If you’d like to use the Cloudflare plugin on your WordPress website, you need to have a Cloudflare account at https://www.cloudflare.com. You can open a free account or upgrade to a paid account that includes more features. After you’ve installed the plugin on your website, follow the instructions on the Cloudflare configuration page to connect your WordPress blog to your Cloudflare account.

Generating passwords

Password management is perhaps the simplest of tasks, yet it’s the Achilles’ heel of all applications, including desktop and web-based apps. You can keep your files and data on your web server safe and secure through these simple password-management techniques:

• Length: Create passwords that are more than 16 characters long to make it more difficult for harmful users to guess your password.
• Uniqueness: Don’t use the same passwords across all services. If someone does discover the password for one of your applications or services, she won’t be able to use it to log in to another application or service that you manage.
• Complexity: A strong password contains a minimum of 8 characters and is made up of upper- and lowercase letters, numbers, and symbols, making it hard to guess.

Use password managers and generators. Two of the most popular products right now are LastPass (https://www.lastpass.com) and 1Password (https://1password.com).

Limiting built-in user roles

Not all users of your website need administrator privileges. WordPress gives you five user roles to choose among, and those roles provide sufficient flexibility for your websites.

You can find detailed information on each of the roles in Book 3, Chapter 3. You can also discover more information on users and roles in the WordPress.org Codex at https://codex.wordpress.org/Roles_and_Capabilities.

Create a separate account with a lower role (such as Author) and use that account for everyday posting. Reserve the Administrator account purely for administration of your website.

Establishing user accountability

The use of generic accounts should be the last thing you ever consider because the more generic accounts you have, the greater your risk of being compromised. If a compromise does happen, you want to have full accountability for all users and be able to quickly answer questions like these:

• Who was logged in?
• Who made what changes?
• What did the users do while logged in?

Generic accounts preclude you from doing appropriate incident handling in the event of a compromise. In Book 3, Chapter 3, you find all the information and step-by-step details on how to create new users in your WordPress Dashboard. Keep the principles of least privilege and user accountability in mind as you’re creating users.

Enabling multifactor authentication

Authentication, in this case, refers to confirming the identity of the person who is attempting to log in and obtain access to your WordPress installation — just like when you log in to your WordPress website by using a username and password. The idea of multifactor authentication stems from the idea that one password alone isn’t enough to secure access to any environment. Multifactor authentication (also called strong authentication) requires more than one user-authentication method. By default, WordPress requires only one: a username with password. Multifactor authentication adds layers of authentication measures for extra security of user logins.

To enable multifactor authentication, you can use a free plugin called Google Authenticator for WordPress, which provides two-factor user authentication through an application on your mobile or tablet device (iPhone, iPad, Android, and so on). For this plugin to work, you need the following:

• Google Authenticator app: Find it at the App Store for iOS devices or the Google Play Store for Android devices.
• Google Authenticator plugin: You can find this plugin in the Plugin list at https://wordpress.org/plugins/miniorange-2-factor-authentication. See Book 7, Chapters 1 and 2 for details on finding, installing, and activating plugins.

Configuring Google Authenticator

When you have both of those tasks accomplished, you can configure the plugin for use on your website. Follow these steps to configure the plugin for each user on your site:

1. Click the 2FAS link on the Settings menu on your Dashboard.

   The 2FAS — Two Factor Authentication Service page opens.

2. Download the authenticator app to your smartphone (Android or iPhone).

   The authenticator app on your phone is required to complete the two factor authentication. I’ve chosen the Google Authenticator app, downloaded to my iPhone.

3. Click the Show QR Code button.

   This button displays on the 2FAS page in your WordPress Dashboard (see step 1) and when you click the button, the QR code displays.

4. Scan the QR code in the Google Authenticator application on your phone.

   Point your device camera at your computer screen, and line up the QR code within the camera brackets of your mobile device. The application automatically reads the QR code as soon as it’s aligned correctly and displays a six-digit code identifying your blog. The six-digit code refreshes on a time-based interval. After you scan the QR code is scanned, you receive a message on your mobile device that contains a unique numeric code.

5. Enter the six-digit code generated by the Google Authenticator app in the Token field.

6. Click the Add Device button.

   You see a notice at the top of the 2FAS page that the tokens are configured.

7. (Optional) Click the Add Another App/Device button.

   Perform this step if you want to add more than one smartphone device for authentication. (See Figure 5-3.)

Now, with the Google Authenticator plugin in place, whenever anyone tries to log in to your WordPress Dashboard, she has to fill in his username and password, as usual, but with multifactor authentication in place, she also needs to enter the authentication code that was sent to her mobile device. Without this unique code, the user can’t log in to the WordPress Dashboard.

The Google Authenticator application verification code is time-based, which is why it’s very important that your mobile phone and your WordPress site are set to the same time zone. If you get the message that the Google Authentication verification code you’re using is invalid or expired, you need to delete the plugin and then go to your WordPress Dashboard to make sure that the time zone is set to the same time zone that your mobile or tablet device uses. See Book 3, Chapter 2 for information on time settings for your WordPress site.

Activating multifactor authentication

The following steps show you how the multifactor authentication is implemented on your site:

1. Log out of your WordPress Dashboard.

   The WordPress login form displays in your browser window.

2. Type your username in the Username or Email field.
3. Type your password in the Password field.

4. Click the Log In button.

   A new page loads with a form that asks you to enter your token, as shown in Figure 5-4.

5. Open the Google Authenticator application on your mobile or tablet device, and locate the six-digit code assigned to your blog.

   This six-digit code refreshes every 60 seconds. If you have more than one blog that uses the application, find the code that corresponds with your site.

6. Type the six-digit code in the Token field.

7. Click the Log In button.

   You’re successfully logged in to your WordPress Dashboard via a two-factor authentication method.

If you don’t have access to a mobile device, WordPress has a couple of plugins you can use, including these two:

• NoPassword: https://wordpress.org/plugins/nopassword-free-muti-factor-authentication
• Loginizer: https://wordpress.org/plugins/loginizer

Limiting login attempts

Limiting the number of times a user can attempt to log in to your WordPress site helps reduce the risk of brute-force attack. A brute-force attack happens when an attacker tries to gain access by guessing your username and password through the process of cycling through combinations.

To help protect against brute-force attacks, you want to limit the number of times any user can try to log in to your website. You can accomplish this task in WordPress easily enough by using the Limit Login Attempts plugin. You can find this plugin in the WordPress Plugin list: https://wordpress.org/plugins/wp-limit-login-attempts/. See Book 7, Chapters 1 and 2 for information on finding, installing, and activating it.

When you have the Limit Login Attempts plugin installed, follow these steps to configure the settings:

1. Click the WP Limit Login link on the Settings menu of your Dashboard.

   The Limit Login Attempts Settings page opens in your Dashboard, as shown in Figure 5-5.

2. Select a configuration option.

   You can change the value of any of the following four options if you upgrade to the premium version (at a cost of $19 per year). The defaults should be sufficient for you, however.

   • Number of Login Attempts: This setting is the maximum number of times users are allowed to retry failed logins. Default is 5.
   • Lockdown Time in Minutes: This setting is the amount of time a user is prevented from retrying a login after she reaches the maximum allowed number. Default is 10.
   • Number of Attempts for Captcha: This option sets the number of time a user can attempt to enter the captcha. Default is 3.
   • Enable Captcha: Captcha is enabled by default.

If you’re managing your own server, monitor your login attempts to see whether a malicious attacker is making repeated attempts to obtain passwords and usernames. Keep track of those IP addresses from your logs, and if an address repeatedly attempts to log in, add it to your server firewall to prevent it from burdening your server access points.

Disabling theme and plugin editors

By default, when you log in to the WordPress Dashboard, you can edit any theme and plugin file by using the Theme Editor (click the Appearance link on the Editor menu) and the Plugin Editor (click the Plugins link on the Editor menu). The idea makes a lot of sense; it gives you the ability to do everything within your Admin panel without having to worry about logging in to your server via SFTP to edit files.

Unfortunately, having the theme and plugin editors available also gives any attacker who gains access to the Dashboard full rights to modify any theme or plugin file, which is very dangerous, because even one line of malware code embedded within any file can grant an attacker remote access to your environment without ever having to touch your Dashboard.

You can prevent this situation by disabling the Theme Editor and Plugin Editor. To do so, add a WordPress constant (or rule) to the WordPress configuration file (wp-config.php), which is in the installation folder on your web server. Download the wp-config.php via SFTP (see Book 2, Chapter 2), and open the file in a text editor, such as Notepad (PC) or TextEdit (Mac). Look for the following line of code:

define( 'DB_COLLAT', '' );

Add the following constant (rule) on the line directly below the preceding line:

define( 'DISALLOW_FILE_EDIT',true );

Although adding this constant won't prevent an attack, it helps reduce the impact of a compromise. You can find information about other constants you can add to the wp-config.php file at https://codex.wordpress.org/Editing_wp-config.php.

You can also disable the automatic updates in WordPress (the feature in place that automatically updates WordPress core and WordPress plugins) to include the administrator. If you do, you’d have to do everything manually, via SFTP. To do disable automatic updates, use the following constant in your wp-config.php file:

define( 'DISALLOW_FILE_MODS',true );

Filtering by IP address

Another option is to limit access to the Dashboard to specific IP addresses. This method is also referred to as whitelisting (allowing) access, which complements blacklisting (disallowing) solutions.

Everything that touches the Internet — such as your computer, a website, or a server network — has an IP address. An IP is like your home address; it uniquely identifies you so that the Internet knows where your computer is located. An example of an IP is 12.345.67.89 — a series of numbers that uniquely identifies the physical location of a computer or network.

You can edit the .htaccess file on your web server so that only IPs that you approve can access your Admin Dashboard, thereby blocking everyone else from having Dashboard access.

The lines of code that define the access rules get added to the .htaccess file located on your web server where WordPress is installed, in a folder called /wp-admin. Download that file to your computer via SFTP; open it with a text editor, such as Notepad (PC) or TextEdit (Mac); and add the following lines to it:

order allow,deny
deny from all
allow from 12.345.67.89

In this example, the order defines what comes first. An IP that follows the allow rules is given access; any IP that doesn't follow the allow rules is denied access. In this example, only the IP 12.345.67.89 can access the Admin Dashboard; all other IPs are denied.

If the /wp-admin folder in your WordPress installation doesn't contain a file called .htaccess, you can easily create one using your SFTP program. Open the /wp-admin folder, right-click with your mouse in the SFTP program window to open a shortcut menu, and choose New File. Give that new file the name .htaccess, and make sure to add the new rules from “Disabling theme and plugin editors” earlier in this chapter.

Limiting access via IP carries the following potential negatives:

• This technique works only with static IP addresses. A dynamic IP changes constantly. You have ways to make this technique work with dynamic IPs, but those methods are beyond the scope of this chapter.
• The ability to use .htaccess is highly dependent on a web server that's running Apache. This technique won’t do you any good if your web server is Windows-based or IIS, or if you’re using the latest NGINX web server.
• Your Apache web server needs to be configured to allow directives to be defined by .htaccess files. Ask your web host about configuration.

Killing PHP execution

For most backdoor intrusion attempts to function, a PHP file has to be executed. The term backdoor describes ways of obtaining access to a web server through means that bypass regular authentication methods, such as file injections through programming languages such as PHP and JavaScript. Disabling PHP execution prevents an attack or compromise from taking place because PHP can’t executed at all.

To disable PHP execution, add four lines of code to the .htaccess file on your web server:

<Files *.php>
Order allow,deny
Deny from all
</Files>

By default, you have an .htaccess file in the WordPress directory on your web server. You can also create an .htaccess file in other folders — particularly the folders in which you want to disable PHP execution.

To disable PHP execution for maximum security, create an .htaccess file with those four lines of code in the following folders in your WordPress installation:

• /wp-includes
• /wp-content/uploads
• /wp-content

This WordPress installation directory (the directory WordPress is installed in) is important because it’s the only directory that has to be writeable for WordPress to work. If an image is uploaded with a modified header, or if a PHP file is uploaded and PHP execution is allowed, an attacker could exploit this weakness to create havoc in your environment. When PHP execution is disabled, however, an attacker is unable to create any havoc.