Photo credit: The sublime Milosz Klinowski
WordPress is the world’s foremost content management system powering tens of millions of websites across the world. The platform is incredibly flexible powering everything from blogs to major corporate sites to eCommerce retailers.
However being the most popular CMS means that hackers will always try to find ways to target and compromise the platform and the millions of sites on it. Here is our list of the most common WordPress security issues and how to fix them.
Poor Username Policies
While it may be obvious that setting a username as admin or siteadmin is not a best practice, there are countless other ways that poor username choices can lead a site to be compromised.
The first way is setting usernames to be exact employee names or initial + last name. Often the people accessing your site backend to contribute content or edit posts will use their WordPress password for other services and if a service is compromised then it’s easy for hackers to then try and successfully access your site. If a hacker can successfully guess a username, they can use brute force login techniques to try and guess the password and with frightening speed.
When assigning usernames for staff … use a naming convention that will be easy to remember but won’t be obvious to guess.
Allowing User Enumeration
Another way that hackers can gain access to username lists is with scripts that spam requests by taking advantage of WordPress URL redirects. A script can spam requests like domain.com/?author=1, domain.com/?author=2 … and so on and WordPress will resolve those numbers to user names.
Once a script gathers a list of user names, it can then attempt to brute force passwords and gain access similar to the above loophole. The solution is to edit the functions.php file so that it doesn’t route those requests to IDs or block those requests overall at the server level.
Missing HSTS Headers
These headers increase site security by ensuring browsers always access the HTTPS version of a site. If someone types in the domain or clicks a link to the site that doesn’t include https:// a browser may first connect to HTTP before routing to HTTPS and that non-secure to secure handoff can be a target for malware attacks.
Get these added to your site and improve your overall security in minutes.
Missing Content Security Policy Headers
These headers reduce vulnerability to XSS (Cross Site Scripting Attacks) by instructing browsers that they should only load scripts and resources from trusted domains.
Missing Secure Referrer Policy Header
If an external resource is compromised (example: a site you link to on your blog) and is accessed from the site, having a secure referrer policy header protects the amount of information sent to a hacked site and in turn could protect the site from exploit attempts
Not Appending External Links
Add rel=noopener to all external links. Should any external site get compromised, this will help prevent users from being redirected to a malicious URL and mitigate any SEO issues from Google seeing a link to a less reputable domain.
Security has unfortunately become the most important thing online and having a secured site should be the most important priority for your brand and customers. There are a number of companies that provide secure hosting, vulnerability testing and web development services that provide peace of mind and prevent against attacks.
Personally this site is on WPEngine and I would endorse them.
One reply on “Common WordPress Security Issues and How to Fix Them”
WordPress isn’t a secure CMS by design. So why?