WordPress is a secure content management system, but because it is the most popular content management system (CMS) in the world, it is getting more attention from malicious people. In this article, we will discuss why you need to take care of your website security, what are the most common security vulnerabilities in WordPress, and how to minimise the chances of your website being compromised.
Content
Kodėl svarbu rūpintis WordPress svetainės saugumu?
Website security is an important part of the success of any website, regardless of the size of the business and the activities it carries out. Here are some reasons why it’s important to keep your website secure:
Google juodasis sąrašas
Every day, Google warns of 10,000+ new websites that may contain malware or steal information. In addition, Google blacklists around 20,000 websites each week for malware and around 50,000 for phishing. If your website were to be blacklisted by Google, it would mean that visitors to your website would see warnings that your website is unsafe, which would reduce your traffic, sales and trust.
Duomenų praradimas ar vagystė
If your WordPress website were hacked, you could risk losing your content, design, functionality or even your entire website. Also, if your website contains sensitive data such as user information, customer data, payment information or confidential business information, this information could be stolen and distributed by hackers. This could lead to legal repercussions, fines, loss of customers and damage to you and your business reputation.
Kenkėjiška programinė įranga ar nukreipimas
If your WordPress website is infected with malware, it could affect the performance, speed and stability of your website. Also, malware could redirect visitors to your website to other websites that may be dangerous or inappropriate. This could damage your website’s credibility and SEO.
Ar WordPress turinio valdymo sistema yra saugi?
Websites that use WordPress are a common target for criminals. In 2019, 94% of all successful attacks against websites that use a content management system were directed at WordPress sites. Even considering that WordPress is used by 65.1% of all websites using the content management system, nine out of ten attacks is a relatively high number.
These figures may raise the question, is it safe to use the WordPress content management system? The short answer is yes. But like most other questions, this answer is not complete. The WordPress content management system is open source and its appearance can be easily changed with paid and free themes, and the large selection of paid and free plugins makes it easy to extend the functionality of the WordPress content management system. These features are the reason for both the popularity and the vulnerability of the WordPress content management system. Currently, there are almost 47,000 security vulnerabilities in the https://wpscan.com database, of which only 2% are in the WordPress content management system. The most vulnerable parts of the website are themes (4% of known security vulnerabilities) and plugins (94% of known security vulnerabilities).
Kokios būna dažniausios atakų rūšys?
What happens if you ignore the statistics and don’t take steps to ensure the security of your WordPress site? In this article, we will outline some of the most common types of cyber-attacks.
DDoS atakos
A DDoS attack is a cyber-attack in which an attacker floods a selected server, service or network with Internet traffic in order to disrupt normal user access to related online services and websites. DDoS attacks can be of different types depending on which components of the network layer are targeted. DDoS attacks are necessary to cause damage or inconvenience to their victims, e.g. to cause them to lose revenue, reputation or customers.
Backdor
A “backdoor” is a code that is added to a website to allow a malicious person to gain access to the server without revealing their presence. “A backdoor can be used to bypass login screens, create new administrator accounts, access, edit and delete information, or even take over an entire website.
“A backdoor can enter a WordPress website in a number of ways, such as using vulnerable plugins or themes, exploiting vulnerabilities in the WordPress kernel, or directly uploading files via FTP, or exploiting another security vulnerability such as a remote code execution vulnerability.
To protect your WordPress website from backdoors, you should regularly scan your website with a security plugin, update your WordPress, plugins and themes, harden your login credentials and use a reliable website hosting service.
Slaptažodžių spėjimas (bruteforce)
“Bruteforce attacks are one of the simplest cyber-attacks. These are attempts to break into a website, network or computer system using many combinations of usernames and passwords. If successful, hackers can take over the entire administration of your website, install malware, steal user information and delete everything on your website.
WordPress websites are a frequent target of bruteforce attacks because WordPress is very popular and many users use weak usernames and passwords. Such attacks can slow down or even completely disrupt your website by putting a heavy load on your server.
Nuotolinio kodo vykdymo (remote code execution) atakos
Remote code execution attacks are cyber attacks that allow an attacker to execute their code on a vulnerable system or network. This can lead to data theft, malware, network disruption or other harmful actions.
WordPress websites can be vulnerable to remote code execution attacks if they use unpatched or insecure plugins, themes or an unpatched version of WordPress. Attackers can exploit these vulnerabilities to insert their code into WordPress files, databases or URL parameters. For example, in 2023. A critical remote code execution vulnerability was discovered in the Elementor Website Builder plugin that could affect up to 500 000 websites.
Įterptinių instrukcijų atakos (Cross-site scripting arba sutrumpintai XSS)
Cross-site scripting (XSS) is one of the most common and dangerous security threats on the Internet. XSS attacks occur when cyber criminals embed malicious JavaScript code into the content of other websites to steal or manipulate visitor data, redirect them to fake pages or perform other harmful operations12. XSS attacks can affect any website that uses user input in its output, and they are very common among WordPress websites.
SQL injekcijos atakos
SQL injection attacks are one of the most common and dangerous threats to websites that use databases. SQL injection attacks occur when an attacker inserts malicious SQL commands into a website form or address to access or modify the contents of a database. SQL injection attacks can allow the attacker to:
- Scan or delete private data such as user passwords, credit card numbers or personal information.
- Modify or add data, such as inserting advertisements, links or malicious code into pages of the website.
- Causing website malfunctions.
- Use the database as a point of resistance to compromise other systems or networks.
WordPress is the world’s most popular content management system (CMS) that uses a MySQL database. WordPress websites are particularly vulnerable to SQL injection attacks because:
- Many WordPress sites use the standard database extension “wp_”, which is easily guessed by attackers.
- Many WordPress websites use unofficial or untested theme or plugin developers, which may have security vulnerabilities or even be specifically designed for malicious purposes.
- Many WordPress websites are not regularly updated or checked for malicious files or code.
SQL injection attacks can have serious consequences for WordPress websites and their owners, such as:
- Losing data or content that would need to be restored from backups or recreated.
- Losing the trust or loyalty of visitors or customers if their data is stolen.
- Loss of revenue or reputation if the website is infected or disrupted.
- Financial damage if sensitive personal data is stolen.
WordPress saugumo gerosios praktikos
Now that we’re done with the scary part – what can happen if we don’t take care of the security of the website. The security of websites, including those using the WordPress content management system, can be improved by following good practices. This does not eliminate the likelihood of a website security breach, but it does significantly reduce the likelihood of it happening. Some of these tips are applicable to most sites (e.g. strong passwords, two-factor login, SSL and firewall), others are specific to WordPress sites (e.g. use only trusted themes and trusted plugins). To keep your website secure, it is important that you follow as many of the tips listed below as possible.
Naudokite saugius slaptažodžius
We thought we’d have flying cars in the future, but even this year there are still people who still use passwords like “123456”. It is very important that all users who have access to your WordPress website control panel use secure passwords. Even one weak password can cause trouble for all users. We suggest using a password management software that generates secure passwords and helps you remember which password you used on which website.
Naudokite 2 faktorių prisijungimą
2-Factor Login (2FA) requires users to authenticate using another device. This is one of the simplest and most effective ways to protect your accounts.
Naudokite patikimą ir saugų svetainių talpinimo paslaugų teikėją
Let’s talk about the hosting provider. Most people are looking for the cheapest website hosting plan, but the hosting provider plays an important role in keeping your WordPress website secure. The next time you choose a hosting provider, pay attention to the secure services offered by the hosting provider, such as a free let’s encrypt SSL certificate, security vulnerability detection, automatic updates, access control and automatic backups, and ease of recovery from them. Also check what steps the hosting provider takes to protect your data and restore it quickly in case of an attack or other disaster.
Naudokite SSL sertifikatą
An SSL certificate is a technology that ensures the secure transmission of data between a visitor’s browser and a website server. An SSL certificate protects the website and its visitors from third parties who may try to scan or steal personal or financial information. An SSL certificate can also help improve your website’s SEO performance, as Google and other search engines prefer email. shops with an SSL certificate.
Reguliariai atnaujinkite WordPress turinio valdymo sistemą, temas ir papildinius
Like most software, WordPress websites require regular updates to fix bugs, security vulnerabilities, improve performance, ensure compatibility with other software and sometimes add new features.
Apsaugokite savo wp-config.php failą
The wp-config.php file is an important WordPress installation file that stores database login credentials, security keys, table prefix and other settings. You could start by setting the appropriate permissions to ensure that only you (and the server) can access the file (usually this means giving 400 or 440 permissions). If you are using a server with .htaccess, you can also add the following code there (at the very top) to deny access to it:
<files wp-config.php>
order allow,deny
deny from all
</files>
Apsaugokite savo .htaccess failą
The .htaccess file is a special file that allows you to adjust access to your website. To protect the .htaccess file from unauthorised access, you can add the following code to it:
<Files .htaccess>
order allow,deny
deny from all
</Files>
This code will deny any request to the .htaccess file and return a 403 Forbidden error.
Apsaugokite savo wp-includes katalogą
wp-includes is the WordPress directory where WordPress core files such as functions, classes and libraries are stored. This directory is important for the performance and security of the WordPress website and must be protected from unauthorised access or modification. To protect the wp-includes directory from unauthorised access, you need to add the following lines to the .htaccess file in the root directory of your website:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
Apsaugokite savo xmlrpc.php failą
xmlrpc.php is a WordPress file that allows data to be sent and received between WordPress and other systems using HTTP as the transport mechanism and XML as the encoding mechanism. This protocol was developed to allow WordPress to communicate with other platforms such as mobile apps, other blogging platforms and the Jetpack plugin.
However, xmlrpc.php can also cause security problems and be the target of an attack. For example, xmlrpc.php can be used to try to hack into your WordPress website by trying to guess your password. In addition, xmlrpc.php can be used to send unwanted messages, known as pingbacks, from other websites.
It is therefore recommended to disable xmlrpc.php on your WordPress site if you do not need its functionality. You can do this by adding the following lines of code to your .htaccess file:
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
Išjunkite failų redagavimą iš administravimo skydo
By default, the WordPress dashboard allows administrators to edit PHP files such as plugin and theme files. This is often the first tool an attacker will use if they are able to log in, as it allows code execution. WordPress has a constant that prevents editing from the dashboard. Adding this line to wp-config.php is equivalent to removing the “edit_themes”, “edit_plugins” and “edit_files” options for all users:
define('DISALLOW_FILE_EDIT', true);
Apsaugokite wp-admin katalogą
Adding server-side password protection (e.g. BasicAuth) to /wp-admin/ adds a second layer of protection around your blog’s administration area, login screen and your files. This forces an attacker or bot to attack this second layer of protection instead of your actual administration files. Many WordPress attacks are carried out automatically by malicious bots.
Typically, securing the wp-admin/ directory may compromise some WordPress functionality, such as the AJAX driver wp-admin/admin-ajax.php. Below are instructions on how to password protect the wp-admin directory:
1. Create an .htaccess file in the wp-admin directory.
2. Insert the following lines of code into the newly created file
AuthName "Admins Only"
AuthUserFile /home/user/public_html/example.com/wp-admin/.htpasswd
AuthGroupFile /dev/null
AuthType basic
require user yourusername
3. Change theAuthUserFile parameter to the path to .
htpasswd file.
4. Create the .htpasswd file in the wp-admin directory.
5. Generate the contents of the .htpasswd file using the following website https://hostingcanada.org/htpasswd-generator/
6. Paste the result into the .htpasswd file.
The most common attacks against WordPress blogs generally fall into two categories.
- By sending specially crafted HTTP requests to your server with specific exploit load data for specific vulnerabilities. This includes old/obsolete plugins and software.
- Trying to access your blog using brute-force password guessing.
The most important implementation of this “second layer” of password protection is to require HTTPS – SSL-encrypted connections for administration, so that all communications and sensitive data are encrypted.
Reguliariai kurkite savo svetainės atsargines kopijas
WordPress website backups are important because they allow you to restore your website in the event of damage, viruses, data loss or other problems. Backups store your website files and the database that holds all your content, settings and design.
There are several ways to back up your WordPress website, and I’ll give you the three most popular ones:
- Use the WordPress plugin. There are many free and paid WordPress plugins that allow you to create and restore backups directly from your WordPress control panel. This method is flexible and versatile, but requires additional installation and configuration. Some of the most popular WordPress backup plugins are UpdraftPlus, BackupBuddy and Duplicator.
- Use FTP and phpMyAdmin. This is the lowest level and most complicated way to back up your WordPress site, requiring you to connect to your server via FTP and manually copy all your site files to your computer. You will also need to connect to your database via phpMyAdmin and export the entire contents of your database to an SQL file. This method is highly technical and time-consuming, but it gives you full control and flexibility.
Ištrinkite nenaudojamus temas ir papildinius
Deleting unused wordpress themes and plugins is important for several reasons, such as:
- Security: unused or old plug-ins and themes may be vulnerable or contain malicious code that could affect the performance or security of your website.
- Performance: every plugin or theme you install increases server load and page size, which can make your website run slower.
- Tidying up: deleting unused plugins and themes also cleans up your site’s files and database, making it easier to manage and back up.
It is therefore recommended that you regularly check and update your plug-ins and themes, and uninstall them if you are not using them. You can also use managed wordpress hosting, which automatically updates your plugins and themes.
Naudokite tik patikimus WordPress papildinius ir temas
Pirated WordPress themes and plugins are dangerous for your website and your visitors. Pirated versions may contain malicious code that can spread viruses, steal data, display unwanted advertising or redirect visitors to disreputable websites. In addition, pirated versions do not receive official updates that fix security flaws and add new features. Therefore, if you want to have a safe, secure and professional website, it is recommended to use only licensed WordPress themes and plugins that guarantee quality, support and responsibility.
Naudokite tinkamą failų ir katalogų leidimų lygį
Some WordPress features are very handy because they allow various files to be written by a web server. However, allowing write access to your files is potentially dangerous, especially in a shared environment.
It’s best to restrict your file permissions as much as possible and only release them when you need to allow write access, or to create certain folders with fewer restrictions so that you can do things like upload files.
Here’s one possible scheme of permits.
All files should belong to your user account and be written only by you. Any file that requires write access from WordPress should be written by the web server, if your hosting setup requires it, this may mean that those files need to be group-proprietary to the user account used by the web server process.
/
The main WordPress directory: all files should be written by your user account only, except for .htaccess if you want WordPress to automatically generate redistribution rules.
/wp-admin/
WordPress administration area: all files should only be written by your user account.
/wp-includes/
Most of the logic of the WordPress application: all files should be written only by your user account.
/wp-content/
User-submitted content: intended to be written by your user account and the web server process.
Inside /wp-content/ you will find:
/wp-content/themes/
Subject files. If you want to use the built-in theme editor, all files must be written by the web server process. If you don’t want to use the built-in theme editor, all files can only be written by your user account.
/wp-content/plugins/
Additional files: all files should only be written by your user account.
Other directories that may be present with /wp-content/ should be documented according to which plugin or theme requires them. Permits may vary.
Kaip pakeisti failų teises?
If you have console access to the server, you can change the file permissions roundtrip using the following commands:
For folders:
find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;
Failams:
find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;
Naudokite tinkamą vartotojų ir rolių valdymą
WordPress is a popular content management system that allows you to create and manage websites. WordPress websites can assign different users and roles that determine what they can and cannot do on the site. In this article, we’ll give you a brief overview of how to properly manage users and roles on your WordPress website.
WordPress has six standard roles: Super Admin, Administrator, Editor, Author, Contributor and Subscriber. Each role has a set of permissions called Capabilities. Permissions include tasks such as writing and editing posts, creating pages, categories, moderating comments, managing plugins, themes and other users. The site owner can assign a specific role to each user using the Administration screens > Settings > General. It is also possible to add or remove permissions using the add_cap() and remove_cap() functions, or create or delete new roles using the add_role() and remove_role() functions1.
The Super Admin role gives the user all possible permissions. This role is only for multi-level sites, where Super Admin can manage network administration functions and all other functions1. The Administrator role gives the user all administrative permissions on one website. The Editor role allows the user to publish and manage entries, including entries from other users. The Author role allows users to publish and manage only their own posts. The Contributor role allows users to write and manage their own posts, but not to publish them. The Subscriber role only allows the user to manage their profile1.
Managing the users and roles of your WordPress website is important for security, efficiency and quality. The following principles should be followed when managing users and roles:
- Assign users only the permissions they need to perform their tasks. This will help avoid mistakes, conflicts and abuse.
- Create and use customised roles if the standard roles do not meet the needs of the site. This will help to optimise work processes and provide flexibility.
- Regularly checking and updating the list of users and roles to remove inactive or redundant users. This will help maintain order and security.
Naudokite „Cloudflare“ CDN
Cloudflare is a content delivery network (CDN) and security company that can help WordPress websites improve speed, reduce load and protect against hacking, DDoS attacks and other threats. Cloudflare acts as an intermediary between your website and its visitors, filtering out inappropriate traffic and serving content from nearby servers.
Cloudflare can help with WordPress security in the following ways:
- Cloudflare uses its network intelligence and community data to detect and block malicious IP addresses, bots and malicious requests.
- Cloudflare also offers additional security features such as the Web Application Firewall (WAF), which can protect your website against a variety of vulnerabilities such as SQL injection, XSS attacks and brute force attacks.
- Cloudflare can help your website stay up and running even when your main server is down or under heavy load by hosting your static content on its CDN and displaying an Always Online page if your website is unavailable.
Turėkite testinę aplinką pakeitimų testavimui
A test environment is essential if you want to try out your wordpress changes before moving them to a real website. This helps to avoid errors, malfunctions and data loss that can result from inappropriate or incompatible changes. The test environment also makes it easier to experiment and learn about wordpress features and capabilities.
There are several ways to create a test environment for wordpress. One is to use a special program that allows you to install wordpress on your computer and act as a local server. These include XAMPP, WAMP, MAMP and others. This method requires some technical knowledge and configuration, but offers a great deal of freedom and control.
Another way is to use online services that offer free or low-cost test wordpress websites. These services include Qsandbox, WP Sandbox and others. This method is simpler and faster, but has some limitations and drawbacks, such as the temporary expiry date of the website, limited data content and functionality.
Naudokite tinkamą svetainės saugumo audito sprendimą
A WordPress website security audit is a process that checks whether your website is resistant to hacking, viruses and other threats. The audit analyses security policies, security management and potential risks related to your website’s code, data and content. The aim of the audit is to find and eliminate vulnerabilities that can be exploited by malicious users and to offer reliable solutions to improve the security of the website.
There are many tools that can help you perform a security audit of your WordPress website. Some of them are:
- Wordfence is the most popular WordPress security plugin that protects your website from hacking, malware, DDoS attacks and other threats. Wordfence also provides site security scanning, notifications, firewalling, two-factor authentication and more.
- Sucuri is a comprehensive WordPress security platform that offers website security scanning, malware removal, firewall, CDN and SSL certificate. Sucuri also helps speed up website performance and improve SEO.
- iThemes Security is another powerful WordPress security plugin that includes many features such as a password strength meter, file comparison, bad user blocking, backup creation and more. iThemes Security also allows you to set a security rating and tips on how to improve it.
Patikėkite svetainės priežiūrą profesionalams
Website maintenance service to help you keep your WordPress website secure and stable, and to help you resolve any problems that may arise. This service may include:
- Website vulnerability analysis and remediation
- Site backup and restoration
- Installing website updates
- Installation and configuration of website protection against malware and hacking
- Providing website security policies and recommendations
- Preventing and responding to website security incidents
- Website hosting
With a website maintenance service, you can improve the reliability, speed and performance of your WordPress website, as well as reduce the risk of data loss, reputational damage or legal issues, saving you time in providing support and resolving problems.
