Security has been a concern since the very first computer systems, and WordPress is no exception. This content management system has countless advantages, which have made it the most widely used CMS in the world. Naturally, that popularity also attracts attackers.
The robots are attacking
The vast majority of attacks today are automated and carried out by bots, and the risk is not small. In 2019, Sucuri recorded a total of over 170 million attacks and cleaned up 60,000 sites.
Most often, a compromised website is misused for SEO spam, which can do a company significant damage, both in search engine rankings and in reputation. There are many ways to secure WordPress, and the right ones always depend on the needs of the specific site. Here we look at the basic places that should be secured well enough to minimize the risk of attack.
The most common cause of attacks
Out-of-date plugins, themes or the WordPress core itself are the most common cause of website compromises. According to Sucuri, 56% of the hacked sites were running an outdated core. New vulnerabilities are discovered all the time, and timely updating plays a decisive role in whether or not a site gets hacked.
It is therefore advisable to follow announcements of new vulnerabilities and, above all, to update regularly and promptly. For the same reason, do not edit plugin code directly: local changes are overwritten by the next update, or tempt you to postpone it. Since WordPress 5.5, automatic updates of plugins and themes can be switched on directly in the core, without an extra plugin.
The WordPress hosting provider CZECHIA.com offers a pre-installed WordPress that is already configured to update itself automatically. They also recommend that their users install the Vevida Optimizer plugin, which extends the auto-update feature further.
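The auto-update switches mentioned above can also be set in code, which is what you want when the site is deployed from a repository rather than configured by hand in the dashboard. The following must-use plugin is an added example written for this article; it is not code from CZECHIA.com, from the Vevida Optimizer plugin or from the WordPress project. The `example_` names and the held-back plugin slug are hypothetical; the filter and constant names are WordPress' own.

```php
<?php
/**
 * Plugin Name: Auto-update policy (added example)
 *
 * Save as wp-content/mu-plugins/auto-update-policy.php. Must-use plugins load
 * before regular plugins and cannot be deactivated from the admin UI.
 */

// Core: allow minor and major releases to install unattended.
// Same effect as define( 'WP_AUTO_UPDATE_CORE', true ) in wp-config.php.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Plugins, themes and translations: opt everything in, not only the items
// ticked in the per-item toggle that WordPress 5.5 added to the admin UI.
add_filter( 'auto_update_plugin', 'example_auto_update_plugin', 10, 2 );
add_filter( 'auto_update_theme', '__return_true' );
add_filter( 'auto_update_translation', '__return_true' );

/**
 * Decide per plugin. Everything updates except a hypothetical allow-list of
 * plugins known to break on update; those still show up as pending updates
 * in the dashboard so they are not forgotten.
 *
 * @param bool|null $update Decision so far (null = use the per-item UI setting).
 * @param object    $item   Update offer; $item->slug is the plugin directory name.
 * @return bool
 */
function example_auto_update_plugin( $update, $item ) {
    $hold_back = array( 'some-fragile-plugin' ); // hypothetical slug, adjust or empty
    if ( isset( $item->slug ) && in_array( $item->slug, $hold_back, true ) ) {
        return false;
    }
    return true;
}

// If an operator has globally disabled the updater, everything above is a silent
// no-op. Make that visible instead of trusting that updates happen.
if ( defined( 'AUTOMATIC_UPDATER_DISABLED' ) && AUTOMATIC_UPDATER_DISABLED ) {
    add_action( 'admin_notices', function () {
        echo '<div class="notice notice-error"><p>'
            . esc_html( 'AUTOMATIC_UPDATER_DISABLED is set: nothing on this site will auto-update.' )
            . '</p></div>';
    } );
}
```

Automatic updates run from WP-Cron, so a site that receives no traffic (or has `DISABLE_WP_CRON` set without a real system cron job) will not update itself either; verify the result by checking the dashboard update counters or the `auto_updater.lock` option rather than assuming.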
Logging in to the administration
As already mentioned, it is mostly bots that try to get into the administration, using a so-called brute-force attack: in short, they keep trying combinations of login names and passwords until one works.
There are several defenses against this:
Changing the default login address
Not using the default username “admin”
Using a strong password
Restricting login access (geo-blocking, HTTP authentication, only selected IP addresses)
Two-factor authentication
The effectiveness of the defense naturally increases when these measures are combined.
WordPress hosting from CZECHIA.com applies GeoIP rules automatically, allowing access to wp-login.php and xmlrpc.php only from the Czech Republic and Slovakia. They also always generate a strong password for new users and create the default account under a name other than admin.
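The "only selected IP addresses" item from the list above, applied to both endpoints that CZECHIA.com gates, can be done inside WordPress when you cannot change the web server configuration. The following must-use plugin is an added example for this article, not code from the hosting provider or from WordPress; the `example_` functions and the allow-listed ranges (RFC 5737 documentation addresses) are hypothetical, the hook names are WordPress' own, and it assumes 64-bit PHP for the IPv4 arithmetic. A GeoIP allow-list works the same way, only the lookup in `example_source_allowed()` differs.

```php
<?php
/**
 * Plugin Name: Restrict login endpoints by source address (added example)
 *
 * Save as wp-content/mu-plugins/restrict-login.php. Being a must-use plugin, it
 * cannot be switched off by someone who has already got into the dashboard.
 */

// Hypothetical allow-list: replace with your office / VPN egress addresses.
const EXAMPLE_LOGIN_ALLOWED_CIDRS = array( '203.0.113.0/24', '198.51.100.7/32' );

/** True if IPv4 address $ip lies inside the CIDR block $cidr, e.g. "10.0.0.0/8". */
function example_ip_in_cidr( $ip, $cidr ) {
    list( $net, $bits ) = array_pad( explode( '/', $cidr, 2 ), 2, '32' );
    $ip_long  = ip2long( $ip );
    $net_long = ip2long( $net );
    $bits     = (int) $bits;
    if ( false === $ip_long || false === $net_long || $bits < 0 || $bits > 32 ) {
        return false; // malformed input never matches
    }
    $mask = 0 === $bits ? 0 : ( ( ~0 << ( 32 - $bits ) ) & 0xFFFFFFFF );
    return ( $ip_long & $mask ) === ( $net_long & $mask );
}

/**
 * Source address of the request. Only REMOTE_ADDR is trusted: X-Forwarded-For is
 * supplied by the client and only means something if your own reverse proxy
 * overwrites it, which is a proxy-level decision, not one to make here.
 */
function example_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
}

function example_source_allowed( $ip ) {
    foreach ( EXAMPLE_LOGIN_ALLOWED_CIDRS as $cidr ) {
        if ( example_ip_in_cidr( $ip, $cidr ) ) {
            return true;
        }
    }
    return false;
}

/** Reject with 403 before any submitted credential is looked at. */
function example_gate_request() {
    if ( example_source_allowed( example_client_ip() ) ) {
        return;
    }
    status_header( 403 );
    nocache_headers();
    exit( 'Forbidden' );
}

// wp-login.php: 'login_init' fires before the login form is processed.
add_action( 'login_init', 'example_gate_request' );

// xmlrpc.php defines XMLRPC_REQUEST before loading WordPress, so gate it on 'init'.
// This covers every XML-RPC method, including unauthenticated ones such as
// pingback.ping; add_filter( 'xmlrpc_enabled', '__return_false' ) would only
// refuse the methods that require a login.
add_action( 'init', function () {
    if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
        example_gate_request();
    }
} );
```

If nothing on the site uses XML-RPC at all, drop the allow-list check inside the `init` hook and return 403 unconditionally. A rule in the web server (IP allow-list or HTTP basic authentication on those two paths) achieves the same with the added benefit of rejecting the request before PHP is started, which matters when a bot sends thousands of attempts.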
Securing inputs and outputs
In its default configuration, WordPress is relatively open, both towards the outside world and internally. Pay particular attention to the XML-RPC interface (xmlrpc.php): it is the entry point most often used for brute-force attacks, because a single request can carry many login attempts, and it should be adequately protected, or disabled if nothing uses it (the WordPress mobile app and Jetpack are the usual consumers). CZECHIA.com's WordPress hosting blocks these attacks on xmlrpc.php and wp-login.php automatically, including filtering of the most common SQL injection attempts.
Another neglected area is the REST API. While it gives developers great options, it also makes so-called user enumeration easy for attackers: a single unauthenticated request to /wp-json/wp/v2/users lists the site's users, and the attacker then knows exactly which login names to try. The older route works as well: you can check whether enumeration is blocked on your site by opening /?author=1 in a browser. On an unprotected site it redirects to /author/<name>/, and that name is usually the login. CZECHIA.com blocks user enumeration when the service is set up, so users cannot be listed this way.
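Both enumeration routes from the paragraph above can be closed from a must-use plugin. This is an added example written for the article, not the hosting provider's or WordPress' own code; the `example_` naming is hypothetical, the hook names are WordPress'. It goes beyond the text in one respect: it also removes the users sitemap that WordPress 5.5 started generating, which lists the same author archive URLs.

```php
<?php
/**
 * Plugin Name: Block user enumeration (added example)
 *
 * Save as wp-content/mu-plugins/block-user-enumeration.php.
 */

// 1. /?author=1 is normally redirected to /author/<nicename>/, leaking the login.
//    Refuse the query-string form for anonymous visitors before the canonical
//    redirect runs. The admin is excluded: edit.php?author=N filters the post list.
add_action( 'init', function () {
    if ( ! is_admin() && isset( $_REQUEST['author'] ) && ! is_user_logged_in() ) {
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
} );

// 2. REST API: /wp-json/wp/v2/users lists every user who has published a post.
//    Hide the users routes from anonymous callers only; the block editor needs
//    them for logged-in authors (author dropdown, @mentions) and sends a nonce,
//    so is_user_logged_in() is true for those requests and false for a bot.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );

// 3. Since WordPress 5.5, /wp-sitemap-users-1.xml lists author archive URLs.
//    Returning false from this filter drops the whole users provider.
add_filter( 'wp_sitemaps_add_provider', function ( $provider, $name ) {
    return 'users' === $name ? false : $provider;
}, 10, 2 );
```

After activating, repeat the check from the text: /?author=1 must answer 403 instead of redirecting, and an anonymous GET of /wp-json/wp/v2/users must return `rest_no_route` (HTTP 404). Note that the author archive itself (/author/<name>/) is still reachable if someone already knows the name; the point here is to stop the site from handing the list out.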
Security headers
One of the most underrated security practices is the use of so-called security headers. You will not find them on most WordPress installations, because they are best set at the web server level, although several security plugins can also set them from within WordPress. A second reason is that most users have no idea they exist: they never open their browser's developer console and are happy as long as everything displays as it should.
Even though they are "just" a few lines of text in the HTTP response header, they can have a big impact on the level of security. The headers define security rules that the browser enforces for the content it receives from the server. They can thus protect against XSS, against loading the site over an insecure protocol and against displaying content from a third-party server.
Even basic settings raise the level of security noticeably. More advanced users can take complete control of resource loading with a Content-Security-Policy, whose allow lists prevent a dangerous script from being loaded from a foreign server.
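For sites where the web server configuration is out of reach, the headers described in this section can be sent from WordPress itself. The following must-use plugin is an added example for this article, not code from any plugin or from the WordPress project; the `example_` function name is hypothetical, the hook names are WordPress' own. It shows both the basic set and the advanced Content-Security-Policy, the latter in report-only mode first.

```php
<?php
/**
 * Plugin Name: Security headers (added example)
 *
 * Save as wp-content/mu-plugins/security-headers.php.
 */
function example_security_headers() {
    // Basic set: safe on practically every site.
    header( 'X-Content-Type-Options: nosniff' );                 // no MIME sniffing
    header( 'X-Frame-Options: SAMEORIGIN' );                      // legacy clickjacking guard
    header( 'Referrer-Policy: strict-origin-when-cross-origin' ); // no URL leakage cross-site
    header( 'Permissions-Policy: camera=(), microphone=(), geolocation=()' );

    // Insecure protocol: once served over HTTPS, tell the browser to stay on it.
    // Start with a short max-age and lengthen it once nothing breaks; HSTS is
    // not reversible for visitors until the old max-age has expired.
    if ( is_ssl() ) {
        header( 'Strict-Transport-Security: max-age=300' );
    }

    // Advanced: CSP allow-lists decide where scripts, styles, images etc. may be
    // loaded from. 'unsafe-inline' is kept because stock WordPress and most
    // themes emit inline <script>/<style>; remove it once they are nonce-based.
    $csp = implode( '; ', array(
        "default-src 'self'",
        "script-src 'self' 'unsafe-inline'",
        "style-src 'self' 'unsafe-inline'",
        "img-src 'self' data: https:",   // https: keeps Gravatar and remote media working
        "font-src 'self' data:",
        "object-src 'none'",
        "frame-ancestors 'self'",        // modern replacement for X-Frame-Options
        "base-uri 'self'",
        "form-action 'self'",
        'upgrade-insecure-requests',
    ) );
    // Report-Only: the browser logs violations in the developer console instead
    // of blocking. Switch to the enforcing header once a full run is clean.
    header( 'Content-Security-Policy-Report-Only: ' . $csp );
    // header( 'Content-Security-Policy: ' . $csp );
}

// Front-end pages rendered by WordPress, the admin, and the login page. Static
// files (uploads, theme assets) never pass through PHP, which is exactly why the
// text recommends setting headers at the server level where possible.
add_action( 'send_headers', 'example_security_headers' );
add_action( 'admin_init', 'example_security_headers' );
add_action( 'login_init', 'example_security_headers' );
```

To verify, open the developer console's network tab (or run `curl -sI https://example.com/`, a hypothetical host) and look for the headers on the HTML response; then load the site with the report-only policy and watch the console for CSP violation messages before turning enforcement on.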