NTS Forums


Author Topic: Wordpress Security Practices  (Read 1005 times)

Offline Jason [NTS]

  • Jr. Member
  • **
  • Posts: 158
  • Karma: +4/-0
    • Newtek Technology Solutions
Wordpress Security Practices
« on: February 09, 2016, 02:16:38 PM »
From its inception over 11 years ago, the popularity of the Wordpress Content Management System (CMS) has grown by leaps and bounds. It has become the number one way for individuals and businesses alike to create a presence on the Internet. To help visualize and understand the volume of Internet activity generated by Wordpress users, take a look at the real-time statistics provided by Wordpress.com HERE.

This popularity, however, has not come without a price...

As a provider of services relating to the deployment of Wordpress, we have certainly encountered our fair share of the websites that have been hacked, accessed by unauthorized users and otherwise destroyed by malicious content injection.

In short, Wordpress websites have become a target for exploitation...

Because of this type of malevolent activity, it is necessary to have multiple layers of security in place to protect your website content and reputation. Unfortunately, there is no one system that can identify all of the potential threats that a Wordpress website may have to endure.

Keep the following items in mind when evaluating how secure your Wordpress website is and the administrative computers that access it:

  • With web applications such as WordPress, attackers can exploit vulnerabilities in such things as 3rd party plugins and themes, as well as antiquated or outdated application code. This type of exploit can be very difficult for security systems to detect. This is due to the large number of plug-ins, themes, custom application code and the thousands of potential variations of each.
  • FTP users that have an extremely poor password such as "password1234" are prone to exploitation by a "bot" or other autonomous password harvesting application. In most cases, this can be avoided by creating passwords with decent complexity and the use of FTP credential brute force protection.
  • It is not uncommon that a potential cause of the exploitation of a Wordpress website is the Webmaster's PC being infected with some sort of Malware or Virus. There are many Malware applications out there which are designed to steal FTP login credentials and send them to a remote server. Then, this server will inject the victim's website with malicious applications such as shell scripts, root kits, password harvesters, JavaScript injections or hidden iframes pointing to malicious websites, or worse.

Ultimately, there are still a few basic things you can do to both mitigate an existing compromise as well as help protect against another one in the future. Some of these things are as follows:

  • Download the website files to your local computer and use an application such as Grepwin to scan files for keywords and/or custom regex searches. (Note: Make sure you set your FTP client to maintain the file modification date on transfer or download. This will allow you to search for files on your local computer and organize by modification date, many times leading to a list of files that were recently changed by unauthorized users.)
  • Install security plugins and modules such as Wordfence or All in one WP Security & Firewall to assist in monitoring page changes, access and activity.
  • Restrict administrative access to only specific IP addresses. Providing exclusive access to files such as the wp-login.php, can limit the possibility of a brute force attack on the Wordpress login page.
  • Confirm that themes, plugins and application code are up-to-date to avoid possible exploitation, and/or remove any Web Application plugins or modules that are not needed.
  • Update all Web Application administrative user credentials. If a compromise has already taken place, updating every administrative user password is an absolute must. It is also a good idea to create a process of routine password auditing as an increased security measure.

The following link is also worth reviewing if you are interested in getting more information about Wordpress Security Practices: http://codex.wordpress.org/Hardening_WordPress

If you find that you are a victim of this type of malicious activity, please don't hesitate to contact our Technical Teams for advice and assistance.
Server Operations Department
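The first step in the post's clean-up list (download the site, grep it for suspicious patterns, and sort by modification date) can be scripted rather than done by hand in a GUI. The following is an added example, not code from the original post or from Newtek: it walks a local copy of a WordPress site, flags lines matching a small constructed set of regexes for common injection idioms (eval of a decoded payload, shell functions fed from request parameters, hidden iframes, long base64 blobs), and lists files whose preserved mtime falls inside a recent window. The sample site it builds, including the harmless `eval(base64_decode(...))` line that decodes to "hello", is constructed for the demo; the pattern names and thresholds are the example's own choices.

```python
"""Scan a downloaded copy of a WordPress site for injected code and recent changes.

Added example. The pattern set below is a constructed starting point, not an
exhaustive signature list; tune it to what you actually see on your hosts.
"""
import os
import re
import tempfile
import time
from pathlib import Path

# Constructed patterns for injection idioms named in the post (eval'd payloads,
# shell access driven by request input, hidden iframes, opaque encoded blobs).
SUSPICIOUS_PATTERNS = {
    "eval_of_decoded_payload": re.compile(
        r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(", re.I),
    "shell_from_request": re.compile(
        r"\b(shell_exec|passthru|system|exec|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I),
    "hidden_iframe": re.compile(
        r"<iframe[^>]*(visibility\s*:\s*hidden|width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b)", re.I),
    "long_base64_blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
}

# File types worth scanning in a WordPress tree; .htaccess has no suffix so it is
# matched by name below.
SCAN_EXTENSIONS = {".php", ".js", ".html", ".htm"}


def scan_file(path, patterns=SUSPICIOUS_PATTERNS):
    """Return a list of (pattern_name, line_number) hits for one file."""
    hits = []
    try:
        text = Path(path).read_text(encoding="utf-8", errors="replace")
    except OSError:
        return hits  # unreadable file: report nothing rather than abort the scan
    for line_no, line in enumerate(text.splitlines(), 1):
        for name, rx in patterns.items():
            if rx.search(line):
                hits.append((name, line_no))
    return hits


def scan_tree(root, patterns=SUSPICIOUS_PATTERNS):
    """Walk the tree and return {relative_path: hits} for files with at least one hit."""
    root = Path(root)
    results = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.suffix.lower() not in SCAN_EXTENSIONS and path.name != ".htaccess":
            continue
        hits = scan_file(path, patterns)
        if hits:
            results[str(path.relative_to(root))] = hits
    return results


def recently_modified(root, days=7, now=None):
    """Relative paths of files modified within `days`, newest first.

    Only meaningful if the FTP client preserved modification times on download,
    as the post recommends.
    """
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    root = Path(root)
    recent = []
    for path in root.rglob("*"):
        if path.is_file():
            mtime = path.stat().st_mtime
            if mtime >= cutoff:
                recent.append((mtime, str(path.relative_to(root))))
    return [rel for _, rel in sorted(recent, reverse=True)]


def build_sample_site(dest):
    """Constructed sample: a clean theme file backdated 30 days and a freshly
    modified footer carrying a harmless eval(base64_decode(...)) line."""
    theme = Path(dest) / "wp-content" / "themes" / "demo"
    theme.mkdir(parents=True, exist_ok=True)
    clean = theme / "functions.php"
    clean.write_text("<?php\nadd_action('init', 'demo_init');\n")
    injected = theme / "footer.php"
    injected.write_text("<?php echo 'footer'; ?>\n"
                        "<?php eval(base64_decode('aGVsbG8=')); ?>\n")  # decodes to "hello"
    old = time.time() - 30 * 86400
    os.utime(clean, (old, old))


def demo():
    """Build the constructed site in a temp dir and scan it; returns (hits, recent_files)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return scan_tree(tmp), recently_modified(tmp, days=7)


if __name__ == "__main__":
    found, recent = demo()
    for rel, hits in found.items():
        print(f"{rel}: {hits}")
    print("recently modified:", recent)
```

Cross-referencing the two outputs is the useful part: a file that both matches a pattern and sits at the top of the recent-modification list is the first thing to inspect, while a pattern hit in a file untouched for months is more likely a legitimate plugin that happens to use `eval`.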

Offline nesir

  • Hosting Newbie
  • *
  • Posts: 18
  • Karma: +0/-0
    • New Perspective studio
Re: Wordpress Security Practices
« Reply #1 on: August 30, 2017, 06:27:27 AM »
I stumbled upon this thread about WordPress by chance. I have only recently implemented it within some of my pages. Creating a theme based on my static HTML and then via PHP converting them into dynamic web pages seems to have worked well for me. I hear a lot about WordPress security issues but I was under the impression that it was a thing of the past.... this is useful information to me indeed.

I was wondering if you have time, perhaps you could do something on the search engine optimisation of WordPress. While I do fine with static HTML, I am somewhat struggling with WordPress redirects, https mixing with http pages, and URLs that contain symbols. I have searched the PHP files but cannot find where this data is listed. As an alternative I downloaded a search engine optimisation plugin which offered much of what I was looking for. However it seems that it does not resolve the issues, so it needs to be done within the PHP and not admin. Maybe it is because I migrated this site into WordPress.

It's come to the point where I have stopped Google with my robots.txt file from crawling WP as a temporary measure, because the errors, none of which can be seen from a user's perspective, are costing me on SEO.

However, like I said, if you have some spare time, please share your tips and thoughts on search engine optimisation in WordPress.