Initially started as a blogging platform has turned into a lifesaver for many startups, companies, influencers, and bloggers. WordPress powers over 43% of all the websites, which account for a whopping 64 million websites. With 661 new WordPress sites going live each day and an army of 50,000 plugins available at disposal to accomplish different needs, it has evolved into a powerful website builder and a robust content management platform (CMS).

But before we go into WordPress security, how has it caught momentum so fast, with new and updated versions popping in every quarter?

First, it’s free, open-source, and second, customizable. From a developer’s perspective, you don’t have to worry about authorization issues because there are 6 different out-of-the-box user roles available at your disposal.

Now that we have the basic knowledge at hand, let’s discuss some of the security measures you can take to harden your security while installing a fresh version of WordPress.

1. Get rid of the default username and common passwords.

We all have made this mistake. “admin” accounts for the most common and frequently used username on the internet. What do I need to brute-force into your account? Only the username and the password. Half of an attacker’s work is done if the username is known. They only need to brute-force the password now. But sometimes, this is also not a barrier. Many admins use common passwords at the top of any password wordlist easily available online.

In addition to the website, the default or common login and password apply to the database configured to work with your site. Also, make certain that it is not accessible to the general public.

As a result, it is recommended that you choose a passphrase or a password that contains lower- and upper-case letters, digits, and other special characters. Remove the administrator’s username as well, or impose rate limiting. It is possible to add a cherry on top of the cake by implementing two-factor authentication.

2. Outdated core software and plugins.

WordPress is the most commonly used CMS on the internet, making it the perfect target for hackers to look for security loopholes in the WordPress Engine. To address these issues, WordPress developers issue updates every quarter. It’s recommended to install updates as WordPress won’t automatically install updates for you. WordPress relies on themes and plugins to improve the overall appearance of the website. These plugins and themes also represent a concern because some plugins may contain vulnerabilities that might allow the WordPress installation to be hacked. As a result, it should be necessary to update the plugins regularly.

3. Authorization Issues

WordPress comes with 6 default out-of-the-box user roles for different job descriptions. There might be no authorization issues in the core WordPress application, but it is your responsibility that you don’t give a user any permission more than what is required.

For example, an author whose job responsibilities only entail posting content to the website can be granted admin access occasionally.

Because of this, we have protected access rights.

4. Disable the wp-json api

WP-Json is a json API included with WordPress that is enabled by default and displays information about all registered users (username, profile picture, name, etc) and the website itself. If enabled, it will assist with the enumeration of users.

Following the installation of WordPress, it is necessary to disable this feature because it may reveal sensitive user information, which could result in brute force attacks and other actions on your installation. Several plugins are available that can be used to totally block this feature, but it is always suggested to disable the wp-json function in order to prevent user information leaks and to keep your website secure.

5. Xmlrpc.php enabled.

XML-RPC is a feature of WordPress that allows you to conduct a variety of functions from your phone, such as posting blogs, connecting to your site from a smartphone, and integrating trackbacks and pingbacks, among other things.

However, on the other side, this may also be exploited by attackers to brute-force passwords and launch a distributed denial of service attack, putting your favorite website to a grinding halt. As a result of using the XMLRPC file for the brute force, there is no rate limiting on the endpoint, allowing for the brute force to be completed quickly so it is always advised to disable the pingbacks in the xmlrpc file.

6. Directory listing enabled.

Wp-content is the directory in which WordPress stores all of the files, plugins, and other content that is uploaded. To prevent public access to this directory, it is critical that the permissions on this directory be appropriately defined, such that public access to this directory is prohibited.

Some of the core directories that contain sensitive data and files are:

• wp-content/
• wp-includes/

You should ensure that the user gets a 403 (forbidden) error if a user visits these web pages. These might leak some of the private or sensitive images from the website.

7. Wordfence

A WordPress endpoint firewall such as Wordfence can be used by application owners to protect their WordPress applications from malware and other threats. All of these features, as well as its own database of malware signatures, harmful IP reputation, creating login more secure, IP Blocking and two-factor authentication protection, all serve to secure WordPress applications from being compromised.

Conclusion

WordPress is a fantastic platform for showcasing your product, showcasing your talent, and marketing your goods. However, there are situations when certain functionalities turn into vulnerabilities, which can result in a major security danger to your website and your business. As a result, it is essential that you keep an eye out for these security vulnerabilities and fix them as soon as feasible.

From Infosec Writeups: A lot is coming up in the Infosec every day that it’s hard to keep up with. Join our weekly newsletter to get all the latest Infosec trends in the form of 5 articles, 4 Threads, 3 videos, 2 GitHub Repos and tools, and 1 job alert for FREE!