5 WordPress Security Threats You Probably Don’t Know About

When it comes to my online activity, security is something I have always been fairly conscious of. But in my opinion, making sure that your WordPress site is secure is not something that you can ever do too much of.

That fact was recently driven home to me when Limit Login Attempts (which I have installed on my blog) started reporting multiple login attempts from more than one IP address. I also discovered that someone had attempted to log in to my Facebook account. I also suggest changing your admin login URL.

With those recent events still fresh in my mind, I thought I’d take the opportunity to focus on some security threats concerning your WordPress site that you may not even be aware of. Whilst there are plenty of basic steps you can take to improve the security of your site (such as changing the default “admin” username and setting strong passwords), you may want to check these ones out too.

5. Published WordPress Version Information

By default, anyone who knows where to look can find out what version of WordPress your site is running. This is not a good thing: if you are running an older version of WordPress, unscrupulous hacker types can target the specific security vulnerabilities that have since been patched in more recent releases.

The first thing I will say is this — you absolutely should update WordPress (as well as your themes and plugins) as soon as new versions become available. Prevention is the best cure, as the timeless saying goes. However, it is still a good idea to remove version information from your site.

This information is stored in two places:

  1. Your page header meta
  2. Your readme.html file

To remove the information from your page header meta, paste the following code into your active theme’s functions.php file:

// Return an empty string in place of the generator output (the
// <meta name="generator"> tag in the page head, and the generator
// line in feeds), so the WordPress version is never printed.
function remove_wp_version() {
     return '';
}

// Hook the function into the filter that produces the generator output.
add_filter('the_generator', 'remove_wp_version');

As for the readme.html file, just rename it to something completely random (like “23bd8.html”). No one’s going to be finding that in a hurry.
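The filter above covers the generator tag, but WordPress also appends its version as a ?ver= query string to any script or stylesheet that was enqueued without a version of its own. The following is an added example (not code from the original post) that handles both places; the function name example_strip_core_version_from_asset is my own. It belongs in the active theme's functions.php or a must-use plugin, and it assumes a stock WordPress install where the the_generator, script_loader_src and style_loader_src filters are available (all three are core filters).

```php
<?php
// Added example: hide the WordPress version wherever core prints it,
// not just in the <meta name="generator"> tag.

// 1. Blank the generator string for every output type that calls
//    the_generator(): the HTML head, RSS/Atom feeds, export files, etc.
//    __return_empty_string is a core helper that simply returns ''.
add_filter( 'the_generator', '__return_empty_string' );

// 2. Strip the "?ver=<wp_version>" query string that core appends to any
//    script or stylesheet enqueued without an explicit version number.
function example_strip_core_version_from_asset( $src ) {
    global $wp_version;

    // Parse the query string rather than substring-matching, so that a
    // plugin's own version such as 6.4.11 is never confused with core 6.4.1.
    $query = wp_parse_url( $src, PHP_URL_QUERY );
    parse_str( (string) $query, $args );

    // Only strip when the value is the core version; leave plugin/theme
    // versions alone so browser cache busting still works for their assets.
    if ( isset( $args['ver'] ) && $args['ver'] === $wp_version ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'example_strip_core_version_from_asset', 15 );
add_filter( 'style_loader_src',  'example_strip_core_version_from_asset', 15 );
```

After adding it, view the page source (or run curl against the front page and the feed URL) and confirm that neither "generator" nor "ver=" followed by your core version appears. Note that stripping the core version from asset URLs means browsers will not automatically refetch those files after a WordPress update unless the asset's own version changes, and that readme.html and license.txt are static files that still have to be renamed or removed on disk, as the post says.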

4. Access to Theme/Plugin Files

You’re probably familiar with the theme and plugin file editors:

Theme File Editor

Pretty darn handy, but also a huge security issue should someone gain access to your dashboard. And in general, using the editors is bad practice as any incorrect PHP code can “break” your site (which will then require you to gain access via FTP).

With that in mind, I would recommend that you disable the editors and edit theme and plugin files via FTP only. Doing so is a piece of cake — just include the following in your functions.php file:

// Removes the Theme Editor and Plugin Editor menu items and blocks file edits from the dashboard.
define('DISALLOW_FILE_EDIT', true);

3. Universal Registration Option

This is a really simple one: is your WordPress site currently set up so that anyone can register as a user? This is only necessary if you are running some sort of community site (as opposed to a "normal" website or blog). So if you are not, you would be best served by preventing people from having the opportunity to register.

You can do so via Settings > General in your sidebar:

General Settings

Whilst someone registering for your site in a limited role does not give them a huge amount of access, it does give them more than is absolutely necessary, which is why you should remove the option.
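Both of the last two settings (disabling the file editors and closing registration) can be flipped back from the dashboard or reset by a theme switch. The following is an added example (not code from the original post) that pins both from a must-use plugin, which WordPress loads before the active theme and cannot be deactivated from the admin screens. DISALLOW_FILE_EDIT, the pre_option_users_can_register filter and the option_default_role filter are all core WordPress names; the file name and the function example_hardening_status are my own.

```php
<?php
/**
 * Plugin Name: Example Hardening Locks
 * Added example: save as wp-content/mu-plugins/example-hardening-locks.php
 * (the mu-plugins directory is loaded automatically, before themes and
 * ordinary plugins, and has no deactivate button).
 */

// Section 4: disable the built-in theme and plugin editors. Defining the
// constant here instead of in the theme's functions.php means switching
// themes does not silently bring the editors back.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}

// Section 3: pin "Anyone can register" to off at read time. The pre_option_*
// filter short-circuits get_option(), so the setting cannot be switched back
// on from Settings > General (or by a hijacked admin session) without also
// changing this file on disk.
add_filter( 'pre_option_users_can_register', function () {
    return 0; // 0 means "off"; returning false would mean "no override".
} );

// Belt and braces: even if registration were somehow re-enabled, new accounts
// never land in a role above subscriber.
add_filter( 'option_default_role', function ( $role ) {
    return 'subscriber';
} );

// Report the effective state so an admin can confirm the locks are in place.
function example_hardening_status() {
    return array(
        'file_edit_disabled' => defined( 'DISALLOW_FILE_EDIT' ) && DISALLOW_FILE_EDIT,
        'registration_open'  => (bool) get_option( 'users_can_register' ),
        'default_role'       => get_option( 'default_role' ),
    );
}
```

With WP-CLI installed you can check the result with wp eval 'print_r(example_hardening_status());', which should report file_edit_disabled as true and registration_open as false. Because the override happens at read time, the checkbox on Settings > General will always display as unchecked, whatever value is stored in the database.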

2. Login Name Confirmation

By default, the WordPress login screen will inform you as to whether you have got the username or the password wrong:

Invalid Username Invalid Password

This effectively makes it twice as easy for hackers to gain access to your site — they can figure out what your username is without having to know the password. It is not information you should make readily available.

As per usual, this issue can be remedied with some code in your functions.php file:

// Replace the specific "invalid username" / "incorrect password" text with
// one generic message, so the login screen no longer confirms which half
// of the credentials was wrong.
function failed_login() {
     return 'The login information you have entered is incorrect.';
}

// Hook the function into the filter that renders error messages on wp-login.php.
add_filter('login_errors', 'failed_login');

Now when there is a failed login attempt, there will be no specific information concerning the username or password.
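One caveat: the login_errors filter rewrites every error string that wp-login.php renders, including the lost-password, password-reset and empty-field notices, so users who leave a field blank or follow an expired reset link get the same unhelpful text. The following is an added example (not code from the original post) that takes a narrower approach: it hooks the authenticate filter, which is the core filter chain that decides whether a login succeeds, and replaces only the errors whose code reveals whether the account exists. The error codes invalid_username, invalid_email and incorrect_password are the ones core emits for those cases; the example_ function names and the constant are my own.

```php
<?php
// Added example: collapse only the account-revealing login errors into one
// generic message, leaving other wp-login.php notices readable.

define( 'EXAMPLE_GENERIC_LOGIN_ERROR', 'The login information you have entered is incorrect.' );

// Error codes from core's username/email + password checks that tell an
// attacker either "this account exists" or "this account does not exist".
function example_revealing_login_error_codes() {
    return array( 'invalid_username', 'invalid_email', 'incorrect_password' );
}

// Collapse a WP_Error produced by the authenticate chain into one generic
// error when (and only when) its code leaks account existence.
function example_neutralize_login_error( $user ) {
    if ( ! is_wp_error( $user ) ) {
        return $user; // successful authentication, or nothing decided yet
    }
    if ( in_array( $user->get_error_code(), example_revealing_login_error_codes(), true ) ) {
        return new WP_Error( 'invalid_login', EXAMPLE_GENERIC_LOGIN_ERROR );
    }
    return $user; // e.g. empty_username / empty_password: keep the helpful text
}

// Priority 40 runs after core's own checks (username/email + password at 20,
// cookie at 30), so the WP_Error inspected here is the final verdict.
add_filter( 'authenticate', 'example_neutralize_login_error', 40, 3 );
```

Because this works on the authentication result rather than on the rendered HTML, it also applies to XML-RPC logins, which never pass through login_errors. The lost-password form is a separate flow with its own "no account with that username or email address" message, so it still needs attention if you want to close that avenue too.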

1. Brute Force Login Attempts

Finally, and along the same lines as the penultimate security issue, we have brute force login attempts.

This is when someone will attempt to gain access to your site by attempting an enormous number of different username and password combinations. Such a process is of course made far more difficult by adding the above code to your functions.php file, but you can all but eradicate the chance of a successful brute force login attempt by limiting the number of login attempts by a specific IP address.

My personal recommendation is to install and activate the Limit Login Attempts plugin (mentioned at the beginning of this post). This simple plugin offers you the ability to customize how many login attempts someone should have, and how long they are locked out for if unsuccessful. I consider it a must-have for any WordPress blogger.
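To show what a plugin like Limit Login Attempts does under the hood, here is an added example (not the plugin's code, and not from the original post) of a minimal per-IP lockout built on WordPress transients and the core wp_login_failed, authenticate and wp_login hooks. The thresholds are placeholders, and all example_ names are my own. It assumes the site is not behind a reverse proxy or CDN; the comment in example_client_ip explains what changes if it is.

```php
<?php
// Added example: count failed logins per client address and refuse further
// authentication for a while once the threshold is reached.

define( 'EXAMPLE_LOGIN_MAX_ATTEMPTS', 5 );                      // failures allowed per window
define( 'EXAMPLE_LOGIN_WINDOW', 15 * MINUTE_IN_SECONDS );       // counting window and lockout length

// Client address. REMOTE_ADDR is the TCP peer. Behind a reverse proxy or CDN
// you must instead read the header that proxy sets, after verifying the
// request really came from the proxy; trusting that header blindly lets any
// client choose its own address and dodge (or trigger) lockouts for others.
function example_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function example_attempts_key( $ip ) {
    return 'example_login_fail_' . md5( $ip );
}

function example_failed_attempts( $ip ) {
    return (int) get_transient( example_attempts_key( $ip ) );
}

function example_is_locked_out( $ip ) {
    return example_failed_attempts( $ip ) >= EXAMPLE_LOGIN_MAX_ATTEMPTS;
}

// Count a failure. Core fires wp_login_failed for every failed attempt,
// whether it came from the login form or from XML-RPC. The $error argument
// exists since WordPress 5.4; older versions pass only the username.
function example_record_failed_login( $username, $error = null ) {
    // Don't keep counting once locked: the lockout error itself trips
    // wp_login_failed, and re-counting would extend the lockout forever.
    if ( $error instanceof WP_Error && 'example_locked_out' === $error->get_error_code() ) {
        return;
    }
    $ip       = example_client_ip();
    $attempts = example_failed_attempts( $ip ) + 1;
    set_transient( example_attempts_key( $ip ), $attempts, EXAMPLE_LOGIN_WINDOW );
    if ( $attempts >= EXAMPLE_LOGIN_MAX_ATTEMPTS ) {
        // Leave a trace in the PHP error log for later review.
        error_log( sprintf( 'example lockout: %s after %d failed logins', $ip, $attempts ) );
    }
}
add_action( 'wp_login_failed', 'example_record_failed_login', 10, 2 );

// Refuse authentication while locked out, even if the password is correct.
// Priority 40 runs after core's own checks, so this is the final answer.
function example_block_locked_out( $user ) {
    if ( example_is_locked_out( example_client_ip() ) ) {
        return new WP_Error( 'example_locked_out', 'Too many failed login attempts. Please try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'example_block_locked_out', 40, 3 );

// Clear the counter on a successful login so a legitimate user's occasional
// typos do not accumulate across the window.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( example_attempts_key( example_client_ip() ) );
}, 10, 2 );
```

Transients live in the options table unless a persistent object cache is installed, so on a busy site expect one extra database write per failed login. A per-IP counter is also only as good as the address you key it on: attackers who rotate through many addresses (as the post's own Limit Login Attempts report showed) will stay under the threshold, which is why a lockout complements strong passwords rather than replacing them.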

Tip: Make your login pages unique with these plugins

What Security Issues Do You Consider a Threat to Your Site?

I am of course just scratching the surface here, but I consider the above tips pretty effective methods for closing potential security vulnerabilities in your WordPress site. I don’t want to frighten you into thinking that WordPress is an inherently unsafe content management system (because it isn’t), but it is better to be safe than sorry.

With that in mind, I’d love to know what suggestions you have for making WordPress more secure. Let us know in the comments section!

Creative Commons image courtesy of vrogy

Tom Ewer

Tom Ewer is the founder of WordCandy.co. He has been a huge fan of WordPress since he first laid eyes on it, and has been writing educational and informative content for WordPress users since 2011. When he's not working, you're likely to find him outdoors somewhere – as far away from a screen as possible!

43 Comments

  1. Daniel Kian Mc Kiernan

    A secret m-character username and n-character password provides less security than a public username with a secret password of m+n characters chosen randomly from the allowed set. Use and require strong passwords, and don’t fret about concealing usernames.

    1. Daniel Kian Mc Kiernan

      I provided a link to an ad-free site in which my point was mathematically explained, but an admin here had a felt need to remove that link. I will not make the mistake of bothering with ManageWP.com in future.

  2. Ollie Treend

    You should also disable user enumeration, which allows an attacker to easily gain a list of valid usernames on the website. Without doing this, it effectively renders point 2 (Login Name Confirmation) relatively useless, as usernames can still be guessed.

    The easiest way to block that is to install the plugin Stop User Enumeration, available here: https://wordpress.org/plugins/stop-user-enumeration/

  3. Jafar

    I have a WordPress blog. I enabled the "anyone can register" option with the author role. I want all the posts from authors to be verified before publishing. I want the user registration to be approved by me. Please help me with the settings.

  4. Shahzad

    I am sorry, but I have a feeling you didn’t cover all aspects of it. Reading all the comments is not easy, so it would be a good help if you could update your blog with a new list or publish another one. Thanks

  5. Toko bunga

    Nice article, Fred 😀

  6. Southland

    Hiding the version number will also mean that ManageWP will no longer be able to auto-update your site. I made this mistake and was advised by ManageWP to switch off the hide-version security.

  7. Prevoty

    While many security precautions/plugins cover the basics, they still do not combat hackers who inject malicious code masked as content into comment boxes and other user input form fields (aka cross-site scripting (XSS)). 7 out of 10 sites are at risk, and many hacks can be traced back to these injections.

    After years of research, we developed a solution that deals with the holes in WordPress and third-party themes by proactively scanning all content passing through.

    SmartFilter is a free, cloud-based plugin that acts as a preview layer to automatically sanitize and validate all incoming content for you. Unlike traditional firewalls, it does NOT rely on blacklists or past definitions so it’s never a day late.

    We take the guesswork out of dealing with modern attack vectors and made the technology we use to protect large enterprise sites available to the everyday WordPress user.

    Try it out at http://wordpress.org/plugins/smartfilter/ and let us know what you think!

    -Audrey

    1. coffre-fort infosafe agréé

      That is true, safes are needed for storing data and goods (coffres forts in French).
      The security of valuables and data must also be taken into account by installing an approved safe or a strong cabinet for weapons.

  8. Fred

    Hi Tom, Thanks for a great post, I’ve incorporated some of your ideas in a video tutorial on WordPress security and given you a credit. You can view it here http://www.northstar-website-design.com/video-tutorials/002-wordpress-security/

    1. Tom Ewer

      Author

      Very cool Fred!

      1. Fred

        All I need to learn now is how to stop saying “er” all the time!

  9. Bodhi Singh

    Please be gentle- n00b here. I am trying to be the best wordpresser I can and I read and try to act upon lots of great information like that presented here. But one thing that puzzles me is this: I don’t know what to do about conflicting information I read.

    a) Update your WordPress, themes, and plugins to the latest versions/updates
    b) install tools like “Limit Login Attempts”.

    But if my WordPress is at version 3.3.3 or 3.3.5 or whatever, and the plugins page says “Compatible up to: 3.3.2”, should I still try to install it? I don’t know if I am savvy enough to determine whether or not it is working correctly or not.

    Any hints on what my best course of action should be? You guys seem to know your stuff, so I hope this isn’t a flame-able stupid question.

    1. Pixolin

      In the end a plugin is just an enhancement of the core software, an add-on. That’s why I would always recommend updating to the latest WordPress core version, which hopefully will take care of all safety issues known at the point of release.

      You wouldn’t try to keep your favorite browser or operating system up to date by fetching the latest addons and widgets, would you? Oh, and you would also miss the nice features that have been integrated into the newest version. It’s absolutely worth a look!

      The fact that a plugin is “old” doesn’t necessarily mean it is broken. The core developers have done a great job of adding functionality to WordPress while old functions still work. However, as some functions get deprecated, I would prefer sticking to plugins that get updated regularly, too. And if not, well, perhaps there is a better plugin available which offers even more?

      1. Bodhi Singh

        Thanks! That makes me feel better. Although you said it much better, that’s how I was feeling about it.

        Thank you for taking the time to answer my question.

  10. brasofilo

    If by any chance some plugin doesn’t behave right, DISALLOW_FILE_EDIT may be the culprit, check: http://wordpress.stackexchange.com/q/54208/12615

    1. brasofilo

      Correction: the culprit is the plugin that doesn’t count on this constant being set.

  11. marrie

    Good posts. I’m very big on security and I check almost every day for updates to my themes and plugins. I’m not a very good WordPress user so I can’t offer any sage advice, but I just want to say good posts and good comments. I will try the update plugin someone mentioned, where it can email you if you get a plugin update.

    1. Charnita Fance

      Hi Marrie,

      Yes, if you’re using ManageWP to manage your blog(s) then you can receive emails whenever there are new updates available for the plugins that you’re using.

      Also, depending on your Web host, you may receive an email when there is a new update to WordPress.

      ~Charnita

  12. Indrek K

    Please stop regurgitating the same old advice about hiding WordPress version numbers – not only is it present in basically every article titled “10 [essential/important] WordPress security [tips/tricks/plugins/steps]”, it’s pretty much useless.

    First of all, you should be *always* updating your WordPress version, so you’ll be running the latest version anyway.

    Second: hiding the version number does not stop the bots from attempting to exploit your site. Bots usually just try every possible exploit.
    “All of the WordPress exploit code I’ve seen doesn’t look at your version number. It just tests the exploit.”
    (http://www.stateofsearch.com/google-now-warning-wordpress-users-they-need-to-update/ –> comments)

    Third: if you do get hacked, it will be because of a badly coded plugin. WP core is tested for security problems, while plugins usually are not. So for the typical hacker who is going for low-hanging fruit, it would make a lot more sense to target widely used plugins or themes instead of (old versions of) WP.

    Stop wasting your time on this, install Wordfence or some other plugin which solves most of the problems presented in this article and spend your time on setting up a proper backup/notification/monitoring system instead.

    1. Tom Ewer

      Author

      Hi Indrek,

      First of all, you might be in a position where you can’t upgrade WordPress — e.g. working on a legacy site or for a client who doesn’t want to upgrade.

      Second, I’d rather err on the side of safety. You’ve not presented me with any conclusive evidence that bots don’t check version numbers.

      Third, that’s a wild and sweeping statement, not to mention untrue.

      Cheers,

      Tom

      1. Dre

        Hi there.

        The note about versions is pretty accurate. Removing version number is pretty much irrelevant in terms of automated attacks. Although it may help a bit to avoid script kiddies that may be looking for this info, it’s not a big risk reduction technique, and it’s more of an obscure practice than anything.

        Attackers using automated scans (which we see 1000’s of them daily in our honeypots), do not look for versions specifically. What they automate is code to check for vulnerabilities found in old versions of WordPress, plugins, themes, etc. When the vulnerability is found, they insert command and control scripts/backdoors to then own your environment. From there the fun begins.

        This is like changing your database prefix, or removing admin. In the end, all obscure practices that are giving more false sense of security than anything.

        Concentrate on minimizing vulnerabilities in your environment by having ALL software updated, removing software/files/etc. that aren’t needed, and you’re in a better overall security posture. If you supplement that with least privilege via access control, proper credential management, and minimizing the ability for PHP to execute arbitrarily, you have yourself a pretty low risk set up.

        Best,
        Dre

      2. Indrek K

        Hi Tom,

        First of all, sorry about the harsh tone in my comment. It was my initial reaction to seeing another security-related article presenting mostly low-priority security advice (there’s so many of them..). I now realize that you’ve also written a more thorough post covering the basics.

        However, even though I made some generalizations, I stand by my opinion.

        In the situation where you are unable to update your WP installation or plugins for whatever reasons, you should focus your efforts on actually preventing the vulnerable code from being exploited. This would be an interesting and probably more useful topic to cover.

        You’re right about my third point though, I’m not really sure what I was trying to say.

  13. Peter Netz Lassen

    It seems that the more security I install and the more time I spend setting up all kinds of “PROTECTION”, the more afraid I get and the more attacks I get!! Hmmm, am I attracting this? Or is it just because I used to live in “La la land”, not knowing I was under attack?? Why is there so much evil out there – why do they always destroy… while others are building!!? Maybe the security plugins warn people that there might be stuff worth protecting?? 🙂

    Anyway… I use BETTER WP Security, but I spent 36 hours tweaking!!! 🙁
    The plugin is very sensitive and I suspect it of not respecting that the blog is located in /blog.
    Or it could be another plugin with a CONFLICT?? …that keeps writing to the root’s .htaccess – this causes a 500 server error? – And the mess is not over… The plugin keeps updating the .htaccess in /blog and then something else is writing to the root 🙂

    Any tips..?
    I use manageWP – But now GatorHost has BLOCKED writing to the /blog htaccess making it impossible to connect to my ManageWP dashboard?? 🙁 – But the blog is running … and running…. (I am @ the crime scene every time 🙂 I Know !

  14. pawan

    I pasted the “login information you have entered is incorrect.” code into my site and now I am not able to log in to my site. Even the password cannot be reset.

  15. Rafal

    Hiding the meta name generator is not enough, as the version number is also appended to the scripts.

    Please see: http://frankiejarrett.com/2012/05/how-to-hide-your-wordpress-version-number-completely/

  16. Pixolin

    I don’t agree with your recommendation to hide the version information. Using your function, you can still find the version number easily by either looking into the feed (http://yourdomain.com/?feed=atom) or searching for JavaScript that was enqueued, e.g. in a plugin, without providing a version number (WordPress adds its own version number instead then!).
    Better to use a plugin such as WP Security Scan by Website Defender, which offers to remove the version number consistently. And even better, upgrade to the latest WordPress version as soon as possible.
    Besides that, I miss a couple of steps to harden a WordPress install as mentioned in the Codex at http://codex.wordpress.org/Hardening_WordPress, which reach from a secure password up to server settings.
    I also don’t see any reason to deactivate the theme editor. Of course, every tool is crap in a fool’s hand — another reason to avoid working as an admin whenever possible. But once I have administrative access to the dashboard I certainly won’t need a theme editor to add malicious code (as long as I can upload plugins or any other kind of (“media-”)file).

    1. Pixolin

      Oops, the plugin I meant is “Secure WordPress”: http://wordpress.org/extend/plugins/secure-wordpress/

  17. Missy

    What about the Wordfence plugin, will it cure the issues above? Specifically #2 – login name error message.

    Please advise.

    1. Charnita Fance

      Hi Missy,

      Yes, the Wordfence plugin can help with issue #2 among other things. This screenshot gives you a glimpse of the features that you can enable/disable.

      http://s.wordpress.org/extend/plugins/wordfence/screenshot-5.png?r=623903

      And here is a direct link to the plugin: http://wordpress.org/extend/plugins/wordfence/

      ~Charnita

      1. Missy

        Thanks much, Charnita. Appreciate the follow up.

        1. Charnita Fance

          You’re welcome!

  18. Marcus

    I once spent a month fighting off a hacker in Azerbaijan. Not a good time at all. That experience forced me to read up on WordPress security.

    As you mentioned, one of the main vulnerabilities is out-of-date WordPress installations, themes, and plugins. I use Softaculous on my web host to install WordPress, and they’re pretty good about sending e-mails on updates to WordPress core. But you won’t know about theme or plugin updates unless you log in to your WP dashboard.

    Then I discovered UP Updates Notifier. This plugin e-mails you about updates to WordPress core, themes, and plugins. Saves me the trouble of remembering to log in regularly to check for updates. The best defense is having everything current with your WordPress site.

    I’d also recommend a security plugin that includes a firewall to block most intrusion attempts. There’s an older plugin called WordPress Firewall 2 that works quite well. I’ve heard good things about newer plugins like Wordfence Security and Better WP Security.

    Updates, limit login attempts and a firewall plugin would give your website good security.

    1. ManageWP

      Of course ManageWP will also send you an email about available updates 🙂

  19. ericshefferman

    For as long as I can remember there have been constant warnings about WordPress displaying the version number and how that makes it vulnerable to hacking.
    Since I can’t see any reason for legitimate users of my basketweaving website to care about the version of the software running the website, it seems that the only purpose of this “feature” is to make websites more hackable.

    1. Shawn

      It’s actually required for WP stats functionality and to enable third parties (such as on the forums at wordpress.org) to be able to help you troubleshoot your site. While that doesn’t mean you should necessarily have it exposed, it’s not without purpose.

  20. Ben Hodder

    Hi Tom.

    When I try to add any of the edits to the functions.php file, my site fails to display. Not entirely sure why this would be.

    1. Tom Ewer

      Author

      Impossible to say without seeing what you’re doing! You’re probably just missing the opening PHP tag or something — I’m sure if you submit a question via the WordPress.org forums they’ll have an easy answer for you.

  21. Devtard

    I think that the most dangerous security threat is represented by plugins and themes with security holes or backdoors. People who want to break into your site won’t usually use brute force to guess your password, find bugs in WP core etc. That is too difficult.

    The most effective way to hack a website is to create a good plugin and put a backdoor in its code. 😉

    1. Tom Ewer

      Author

      It’s certainly up there as a big risk, but we were looking at less common threats in this post 🙂

    2. carter

      Is there something specific to look for in plugin code that can point toward the possibility of a backdoor? Are there “backdoor code validator” services I can run a plugin through before installing? I’m pretty conservative about trying out plugins from small, non-commercial developers, but still.

      1. Shawn

        There are a number of things to look for, including ‘base64’, ‘uploadify’, ‘gzinflate’, and ‘eval’ – but this isn’t even remotely an exhaustive list.

      2. Charnita Fance

        I’m not sure about a validator, but Smashing Magazine provides some extremely helpful info about Backdoors here.

        ~Charnita
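Following the thread above about spotting backdoors in plugin code, here is an added example (not code from the original post or from any commenter) of a small triage scanner for the indicators Shawn lists, plus a few related ones. It is a heuristic, not a verdict: legitimate plugins use base64_decode and friends too, so a hit means "read this file before installing", not "this is malicious". It runs with plain PHP, needs no WordPress, and the example_ function names and the sample source string are my own constructions.

```php
<?php
// Added example: flag lines in plugin/theme PHP files that use constructs
// commonly seen in backdoors, so they can be reviewed by hand.

// Regex => why a reviewer should look at it.
function example_backdoor_indicators() {
    return array(
        '/\beval\s*\(/i'                                       => 'eval(): executes code assembled at runtime',
        '/\bbase64_decode\s*\(/i'                              => 'base64_decode(): common wrapper for hidden payloads',
        '/\b(?:gzinflate|gzuncompress|str_rot13)\s*\(/i'       => 'decompress/rot13: obfuscation layer',
        '/\b(?:system|exec|shell_exec|passthru|popen)\s*\(/i'  => 'shell execution from PHP',
        '/preg_replace\s*\(\s*[\'"][^\'"]*\/[a-z]*e[a-z]*[\'"]/i' => 'preg_replace with /e modifier: eval in disguise',
        '/uploadify/i'                                         => 'bundled uploader script historically abused for arbitrary uploads',
    );
}

// Scan one PHP source string; returns a list of [ line_number, reason ] pairs.
function example_scan_source( $source ) {
    $hits = array();
    foreach ( explode( "\n", $source ) as $n => $line ) {
        foreach ( example_backdoor_indicators() as $pattern => $reason ) {
            if ( preg_match( $pattern, $line ) ) {
                $hits[] = array( $n + 1, $reason );
            }
        }
    }
    return $hits;
}

// Walk a plugin directory and report hits per PHP file (path => hits).
function example_scan_directory( $dir ) {
    $report   = array();
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iterator as $file ) {
        if ( 'php' !== strtolower( $file->getExtension() ) ) {
            continue;
        }
        $hits = example_scan_source( file_get_contents( $file->getPathname() ) );
        if ( $hits ) {
            $report[ $file->getPathname() ] = $hits;
        }
    }
    return $report;
}

// Constructed sample: the classic one-liner shape of an obfuscated dropper.
$example_sample = "<?php\n"
    . "\$greeting = base64_decode('aGVsbG8=');   // harmless on its own\n"
    . "eval(gzinflate(base64_decode('...')));  // the shape to worry about\n";

print_r( example_scan_source( $example_sample ) );
// To triage a real plugin before activating it, unzip it somewhere outside
// the web root and run: print_r( example_scan_directory( '/path/to/unzipped-plugin' ) );
```

Reading the report, weight the combinations: a single base64_decode call in a settings importer is routine, whereas eval wrapped around gzinflate and base64_decode on one line is the pattern worth treating as hostile until proven otherwise. Also remember the obvious gap: a backdoor can be written without any of these keywords, so the scanner reduces the reading load, it does not replace a review or a reputation check of the developer.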
