WordPress Security Threats That You Should Look Out For

When running a website on WordPress, it is sensible for you to pay attention to security. There are constant threats to blogs and sites running on WordPress. Oftentimes, you will find out about a security breach after it has happened.

The better option is preventing the threats from materializing than reacting later. Being proactive with WordPress security might be the best thing you ever did.

Here are five WordPress security threats you should look out for and also how you can prevent them.


Login Using Different Combinations

Unauthorized users can attempt to log in to your website using many different combinations of usernames and passwords. With the programs and tools available to them, they will eventually be able to get in. This is known as a brute force login.

The good news for you is that you can prevent this by installing a plug-in. The Limit Login Attempts plug-in places a quota on the number of login attempts a user can make. Once that number is exceeded, the user is locked out.
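As an added example (not the article's code and not the Limit Login Attempts plug-in's), here is a minimal login-attempt limiter built on WordPress transients, which shows what such a quota does under the hood; the wpsec_ names and the thresholds are assumptions, not WordPress defaults.

```php
<?php
// Added example: a minimal per-client login limiter using WordPress transients.
// The constants and wpsec_* names are assumptions; place it in a small plugin file.

define( 'WPSEC_MAX_ATTEMPTS', 5 );          // failures allowed per lockout window
define( 'WPSEC_LOCKOUT_SECONDS', 15 * 60 ); // window length and lockout duration

// Counter keyed on the client address. Behind a reverse proxy REMOTE_ADDR is
// the proxy itself, so read the trusted forwarded header there instead.
function wpsec_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'wpsec_fail_' . md5( $ip );
}

// WordPress fires wp_login_failed for every rejected credential pair.
function wpsec_record_failure( $username ) {
    $key   = wpsec_client_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, WPSEC_LOCKOUT_SECONDS );
    if ( $count >= WPSEC_MAX_ATTEMPTS ) {
        // Log the lockout so monitoring sees it; never log the password.
        error_log( sprintf( 'wpsec: lockout after %d failed logins for "%s"',
            $count, $username ) );
    }
}
add_action( 'wp_login_failed', 'wpsec_record_failure' );

// Priority 30 runs after core's username/password check (priority 20), so a
// locked-out client is refused even if it finally guesses the right password.
function wpsec_block_if_locked( $user, $username, $password ) {
    if ( (int) get_transient( wpsec_client_key() ) >= WPSEC_MAX_ATTEMPTS ) {
        return new WP_Error( 'wpsec_locked_out',
            'Too many failed login attempts. Please try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'wpsec_block_if_locked', 30, 3 );

// A successful login resets the counter for that client.
function wpsec_clear_failures( $user_login, $user ) {
    delete_transient( wpsec_client_key() );
}
add_action( 'wp_login', 'wpsec_clear_failures', 10, 2 );
```

Each refused attempt during a lockout also counts as a failure, so the lockout window slides forward while guessing continues.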


Confirmation of Login Information

A major drawback of the current WordPress login form is that it tells the user which part of the login information he/she got wrong. For instance, if the username is correct and the password wrong, WordPress says so. This makes brute force login easier, since the hacker knows whether to keep changing the username or the password.

This issue can be resolved by adding this code to your WordPress theme’s functions.php file:

function failed_login () {
	// Return one generic message no matter which field was wrong.
	return 'The login information you have entered is incorrect.';
}
add_filter( 'login_errors', 'failed_login' );

Global Registration Open

Any person from around the globe can register on your website. This is a feature of all WordPress websites, but it is disabled by default. Unless you are targeting a worldwide audience with your site, you should leave this option disabled.

To ensure it’s disabled, go to the Settings tab and open the General settings. There, uncheck the ‘Anyone can register’ checkbox. Also, select ‘Subscriber’ as the New User Default Role as an extra precaution.


Access to Editors

It is usual for WordPress site owners to leave the built-in theme and plugin editors accessible. While this certainly helps with the design and layout of the website, it also means that anyone who gains access to your dashboard can change the theme, layout, background, etc. of your website from there. Enter this line in your functions.php file to prevent unauthorized access:

// Removes the Theme and Plugin Editor menus. The constant is commonly placed in
// wp-config.php so it is defined before any theme or plugin code loads.
define( 'DISALLOW_FILE_EDIT', true );

WordPress Version

Any person with even basic knowledge of WordPress can find out which version of the platform your website is using. They can then target vulnerabilities specific to that version to get into your website. You can prevent this by changing the information in your page header meta and also in the readme.html file.

To change the meta, use this code:

function remove_wp_version () {
	// Return an empty string so no <meta name="generator"> tag is printed.
	return '';
}
add_filter( 'the_generator', 'remove_wp_version' );

As for the readme.html file, just change the title to anything that comes to mind. Just make sure it cannot be easily deciphered by a hacker. You can even remove the file entirely if you want to, or just remove the version number from inside it.
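The generator filter above only covers the header meta tag. As an added example (not the article's code), the filter below strips the core version that WordPress appends as ?ver= to every stylesheet and script it enqueues, including those on the login page; the wpsec_ function name is an assumption.

```php
<?php
// Added example, not the article's code. WordPress appends ?ver=<core version>
// to enqueued asset URLs (also on wp-login.php). This removes the query string
// only when it equals the core version, so plugin and theme cache-busting
// versions are left alone. Function name is assumed.
function wpsec_strip_core_version( $src ) {
    global $wp_version;
    $query = parse_url( $src, PHP_URL_QUERY );
    if ( $query ) {
        parse_str( $query, $args );
        if ( isset( $args['ver'] ) && $args['ver'] === $wp_version ) {
            $src = remove_query_arg( 'ver', $src );
        }
    }
    return $src;
}
add_filter( 'style_loader_src', 'wpsec_strip_core_version' );
add_filter( 'script_loader_src', 'wpsec_strip_core_version' );
```

Hiding the version string does not stop fingerprinting of the install itself, so treat this as tidying rather than as a substitute for keeping WordPress updated.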


Conclusion

These are five WordPress security threats you should look out for and the ways in which you can prevent them. By no means are these five the only security risks you face when running a website on WordPress. There are many other ways and tips you can use to make your WordPress site secure and safe from any intrusion or malware. Start by addressing these five threats to get off on the right foot.

  • Patrick Ducat

    Useful information. Thanks!

  • http://twitter.com/blobfolio Blobfolio

    We’ve built a couple of great security-minded plugins http://wordpress.org/extend/plugins/apocalypse-meow/ and http://wordpress.org/extend/plugins/look-see-security-scanner/. Not only does Apocalypse Meow lock out users after a certain number of failed login attempts, it also lets you specify minimum password requirements for your users, prevent the direct execution of PHP in wp-content, renames the default admin user, and much more.

    The Look-See Security Scanner helps you monitor the integrity of your WP installation so you know exactly when you’ve been hacked and which files are compromised by verifying the integrity of all WP files and identifying all file changes since the previous scan. It also allows you to analyze your configurations for any vulnerabilities and lets you know how to fix them if any turn up.

  • http://www.patricealbertus.net/ Patrice Albertus

    …was expecting little more, but thanks for the filters. Have a look on “Better WP Security”, free plugin that does really hard security tweaks!

  • http://twitter.com/centerdrive Todd Smith-Salter

    I’ve always used the shorter `remove_action( 'wp_head', 'wp_generator' );` to remove the WordPress generator meta tag. Works a charm.

  • Andrei

    WordPress version is also visible on /wp-login.php source code.

  • http://josephscott.org/ Joseph Scott

    A major drawback of the current WordPress login form is that it informs the user which part of the login information he/she has gotten wrong

    WordPress has considered usernames basically public information. Finding a valid username on a WordPress site is very easy, so trying to hide this on the sign in page really doesn’t buy you any additional security.

    Any person with even basic knowledge of WordPress can find out which version of the platform your website is using.

    Correct, and removing the generator doesn’t change that. It is virtually impossible to hide which version of WordPress you are using. There have been multiple projects that will fingerprint a WordPress install and tell you which version it is running. Removing the generator tag doesn’t buy you any additional security.

  • hillsid3

    Fail.

  • http://twitter.com/itinmind Frederic Sune

    I think there is an error in disabling the editor access with the code line `define( 'DISALLOW_FILE_EDIT', true );`. You need to put this line in the wp-config.php file, not in the functions.php file.

  • limecanvaswil

    @twitter-25569739:disqus is correct, the DISALLOW_FILE_EDIT should go in the wp-config.php file and not functions.php

  • http://www.ruturaaj.com/ Ruturaaj

    There are some more easy & important steps which the author has skipped in this article for some reason. Here are a few I wish to share with you all…

    Create your own Salt keys for your WordPress installation. WordPress provides https://api.wordpress.org/secret-key/1.1/salt/ API End-Point URL to create your own Salt keys. Create your own and paste those in your wp-config file.

    CHMOD your wp-config file to make it read-only. I always CHMOD my wp-config file to 444.

    Rename your wp-content folder. WordPress allows us to rename the wp-content folder using “WP_CONTENT_DIR” and “WP_CONTENT_URL” constants in your wp-config file. Rename it to something else than wp-content. This may help you save your theme, uploaded files, plugins etc from hacking or code-injection.

    Change default database table prefix. Default is “wp_”, change this to something else at the time of installing WordPress.

    Never create/leave users with User names like “admin” or “administrator” or “owner”. I also prefer to change the admin rights of first User that I created at the time of installation of WordPress and make it “Subscriber”. The first user created at the time of installation always has ID = 1 in Users database.

    Use plugins like “Login Log” or similar to keep track of logins. This is especially useful if you run a multi-user website.

    These are just a few steps you may take from your side and at least make your WordPress Installation hard to break, if not totally secure. I hope this comment helps.

    • http://wp.tutsplus.com/ Japh

      Thanks, @ruturaaj:disqus :)
      This certainly wasn’t a comprehensive list, in fact, we have other articles that also provide further security recommendations.

      Thanks for your additions too!

      • http://www.ruturaaj.com/ Ruturaaj

        Yes @JaphThomson:disqus, I totally understand your point of view. Thanks so much for your kind words; it’s always a pleasure to be a part of conversation here and honestly share whatever I’ve learned over a period of time with you all. :-)

  • http://www.blackbookoperations.com/ Black Book Operations

    Though some useful tips were given here, I’d rather stay away from plugins (unless they are really really needed/good) to unclutter the active plugin list. Hardcoding most of these tips n tricks in the functions.php of the theme you are using is a much better approach (that and the htaccess file as well as some other places you can secure your WordPress installation on). All the previous, of course, building on top of “common sense” and “critical thinking”.

    • http://wp.tutsplus.com/ Japh

      Thanks for your comment Black Book Operations. However, using plugins rather than hard-coding into your functions.php file is actually the industry best practice approach.

      You can read more about it here: http://wp.tutsplus.com/articles/general/functionality-plugins-vs-themes/

      • http://www.blackbookoperations.com/ Black Book Operations

        Well, “best practice” depends on the situation I guess. Problem with plugins is that before you know it, you are running tons (50+) plugins on a single WordPress installation. Agreed, you can use the functions.php file to selectively activate plugins, ONLY when they are needed on certain pages, but that again means you will have to do some extra coding effort (which strays away from the “plug n play” principle for plugins). So, yes, use a plugin if you only use a few (and the query load isn’t too high) but out of experience I have noticed that some plugins are really “heavy” (especially on shared hosting platforms). That said, some plugins are rarely updated, which may leave security gaps in the future. So in conclusion I have to say, I am pro plugins, but use with care; I am also against plugins if it is little effort to hardcode it into the theme directly (depending on the functionality of course) and since security is rather important for any installation, I rather add it to the theme itself (or the child theme if you want to keep the original separate from your custom build). Opinions may differ of course ;) still a nice read here!

        • http://wp.tutsplus.com/ Japh

          Number of plugins really doesn’t have any effect on the performance versus the same functionality in your functions.php file. Also, it’s considerably easier to debug an issue by turning plugins off and on than by commenting chunks of code in your functions.php file ;)

          Really I can’t see many advantages to pushing extra functionality into your theme instead of using a plugin, even if it’s just a few lines of code. However, one big disadvantage is losing all those changes if you should happen to update your theme in the future. Plugins will survive the update fine, theme customisations won’t (unless you use a child theme, but then, you might as well do it properly and use a plugin!)

          • http://www.blackbookoperations.com/ Black Book Operations

            Oh but I completely agree on using “extra functionality” through plugins, but if it concerns basic security (not extra functionality) I would hardcode it. Of course, we all have our personal views on what is “extra” and what is “basic” in the end. I mean, some plugins I use are indeed really useful and handy across many themes. It also depends on whether you use a theme you have coded yourself rather than one you just bought or use, coded by someone else. (With that I just want to say that a self-built theme is very easy to understand/update/troubleshoot whereas a “third-party” theme might indeed be very hard to update/troubleshoot if everything is hardcoded.) I guess I have to shake your hand here somewhere on the middle ground ;)

  • http://www.expertvillagemedia.com/ Amit

    Thanks .. That’s great info. We can also install a simple plugin, wp security, and change these things -

    -change admin url

    -change admin username

    -use a strong password

    -lockout failed login attempts

    -update wordpress timely.

    Doing these things can also secure your site up to a large extent.

    Best Regards

    Amit

    http://www.expertvillagemedia.com/harden-the-security-of-your-wordpress-based-website/
