03
- January
2021
Posted By : Michele Pariani
A few easy tricks to improve the security of your WordPress website

In this blog post, I will show you six easy tricks to improve the security of your WordPress website.

Create a new administrator and delete the default one

Why?

Each new WordPress website has a default administrator. Now let’s assume that an attacker targets my website. They can easily find out that the content management system (CMS) for this website is WordPress by using a Chrome extension like Wappalyzer. Then they can find the WordPress default admin usernames with a Google search and enumerate users on my website thanks to a flaw on the WordPress login page.

By entering username=”test” and password=”test”, an attacker learns that “test” is not a valid username. This is an example of information disclosure that helps threat actors to enumerate the users on a webserver.
WordPress should change this message to the more generic “invalid username or password”.

Knowing the administrator username reduces the search space for dictionary attacks and brute force attacks. Now if the admin password is also common1 or weak, the attackers will take over the website in a matter of minutes.

How?

Add a new user2 with role “administrator” with a strong password. I like my passwords to have at least 20 characters (a mixture of lowercase, uppercase, numbers, and special characters). Then login with the new admin account and set-up 2FA right away (see below), and delete the default admin user3.

Add the recommended security headers

Why?

Security headers add an extra layer of protection to SSL4.

  • HSTS: This header forces the browser to do all requests to the website domain over HTTPS.
  • X-Content-Type-Options: The browser is forced not to guess what kind of data is passed. If the extension is “.pdf”, the browser will expect a PDF file.
  • X-XSS Protection: It will block the page in the browser from loading if reflected cross-site scripting (XSS) is detected.
  • Expect-CT: In order to prevent fraud, the SSL Certificate Authority has to log the certificates with the Certificate Transparency (CT) framework.
  • Referrer-Policy: A referrer header contains the address of the previous web page from which a link to the currently requested page was followed. The policy “no-referrer-when-downgrade” does not include the origin, path, and query string of the URL when the protocol security level is downgraded (HTTPS→HTTP).
  • Content-Security-Policy: This header is another method to force requests to the website domain over HTTPS.

How?

Open the .htaccess file on your server5 and add the following lines:

Add the following security headers to your .htaccess file.

Hide the PHP version from the HTTP Response Header

Why?

By default, the Apache server running my website exposes the PHP version in the HTTP Response Header. That is, it makes the PHP version that I use public on the Internet. This is particularly dangerous when the PHP version is an old and vulnerable one. An attacker could look for exploits against this specific version, and maybe get a reverse shell on the server.

The PHP version is visible in the HTTP response Header.

How?

Open the php.ini file on your Apache server. Set the expose_php variable to Off. Restart php-fpm and apache.

The PHP version is not visible anymore.

Enable auto-updates for WordPress, plugins, and themes

Why?

It is important to install the newest stable software releases as soon as they are available because they usually contain security patches. Enabling auto-updates takes this task off of your mind.

How?

  • WordPress: Go to Dashboard > Updates. Under “Current version”, click on “Enable auto-updates”.
  • Plugins: Go to Plugins > Installed Plugins. Under the column “Automatic updates”, enable auto-updates for every single plugin used. Delete inactive plugins.
  • Themes: Go to Appearance > Themes. Open the current theme and click on “Enable auto-updates”. Keep only one other theme as a backup. Delete all other inactive themes.

Use Two-Factor-Authentication for each single user

Why?

This adds an extra layer of protection to the authentication process. If the password of a user is cracked or leaked accidentally, the attacker will not be able to authenticate on the website (at least not easily).

How?

Install and activate the WP 2FA plugin as the admin user. Force each user on the blog to add 2FA to their account without delay.

Make sure that only used server ports are open

Why?

Open ports on a server are a security vulnerability that can potentially allow a hacker to exploit services on your network. If those services are unpatched, a hacker can easily take advantage of the system after running a port scan.

How?

Go to https://www.shodan.io/ and enter the IPv4 address of your server. Under “Ports”, you will see the open ports. If any port that you are not using is listed there, close it right away.

I hope you liked this post. If you have any questions, feel free to leave a comment in the comment section. Never stop learning!

  1. The most common passwords in 2020: https://nordpass.com/most-common-passwords-list/
  2. Do not use common admin usernames.
  3. By deleting the default admin user, you also deleted the user with ID=1, which is by default the admin ID. This can help you protect your website against e.g., SQL injection attacks.
  4. SSL certificates are what enable websites to move from HTTP to HTTPS.
  5. I used FileZilla (FTP) and Notepad++ to access and edit this file, respectively.

Leave a Reply