From its inception over 11 years ago, the popularity of the Wordpress Content Management System (CMS) has grown by leaps and bounds. It has become the number one way for individuals and business alike to create a presence on the Internet. To help visualize and understand the volume of Internet activity generated by Wordpress users, take a look at the real-time statistics provided by Wordpress.com HERE
This popularity, however, has not come without a price...
As a provider of services relating to the deployment of Wordpress, we have certainly encountered our fair share of the websites that have been hacked, accessed by unauthorized users and otherwise destroyed by malicious content injection.
In short, Wordpress websites have become a target for exploitation...
Because of this type malevolent activity, it is necessary to have multiple layers of security in place to protect your website content and reputation. Unfortunately, there is no one system that can identify all of the potential threats that a Wordpress website may have to endure.
Keep the following items in mind when evaluating how secure your Wordpress website is and the administrative computer's that access it:
- With web applications such as WordPress, attackers can exploit vulnerabilities in such things as 3rd party plugins, themes as well as antiquated or outdated application code. This type of exploit can be very difficult for security systems to detect. This is due to the large number of plug-ins, themes, custom application code and the thousands of potential variations of each.
- FTP users that have an extremely poor password such as "password1234" are prone to exploitation by a “bot” or other autonomous password harvesting application. In most cases, this can be avoided by creating passwords with decent complexity and the use of FTP credential brute force protection.
Ultimately, there are still a few basic things you can do to both mitigate an existing compromise as well as help protect against another one in the future, some of these things are as follows:
- Download the website files to you local computer and use an application Grepwin to scan files for keywords and or custom regex searches. (Note: Make sure you set your FTP client to maintain the file modification date on transfer or download. This will allow you to search for files on your local computer and organize by modification date, many times leading to a list of files that were recently changed by unauthorized users.)
- Install security plugins and modules such as Wordfence or All in one WP Security & Firewall to assist in monitoring page changes, access and activity.
- Restrict administrative access to only specific IP addresses. Providing exclusive access to files such as the wp-login.php, can limit the possibility of a brute force attack on the Wordpress login page.
- Confirm that theme, plugins and application code is up-to-date to avoid possible exploitation and or remove any Web Application plugins or modules that are not needed.
- Update all Web Application administrative user credentials. If a compromise has already taken place, updating and administrative user password is an absolute must. It is also a good idea to create a process of routine password auditing as an increased security measure.
The following link is also worth reviewing if you are interested in getting more information about Wordpress Security Practices: http://codex.wordpress.org/Hardening_WordPress
If you find that you are a victim of this type of malicious activity, please don't hesitate to contact our Technical Teams for advise and assistance.