Top Seven WordPress Security Issues and How to Fix Them

WordPress security is more than updating themes and plugins or backing up a website, and it is different from periodic maintenance. If your site hasn’t been hacked, that doesn’t mean it is secure. Most likely, hackers simply haven’t considered it worth their time yet. The more important a site is, or the more revenue it generates, the more hackers will attack it.

WordPress security is a never-ending process. Any time a brilliant hacker finds a hole, he or she will take control of the website. However, a resigned attitude isn’t the solution.

You have no choice but to harden your website. There is no 100% secure website, and in reality you don’t need one! All you need is for the payoff from hacking your website not to justify the resources an attacker would have to invest. As in any business, profit is the ultimate purpose.

This article is a good starting point to make your website genuinely more secure. I’ll introduce seven common WordPress security issues and how to fix them. I have presented the issues in order from simple to complex, so it’s a good approach to resolve them in this order.

1. Default Admin User Account

Yeah, I know that this no-brainer tip disappoints you, because you expected valuable tips that you weren’t previously aware of. However, many people use the default admin username, ‘administrator.’ When I say many people, I mean many! Rapid7 did a research study, and the results are shocking: ‘Administrator’ and ‘administrator’ combined are used by almost 50% of users. So it’s possible that half of the readers of this article use the default admin username.

2. Weak Passwords

A weak password combined with the default admin username is a hacker’s dream. There are not enough words to describe how important it is to have a strong password. Every extra character significantly diminishes the chances of a password being cracked.

An eight-character alphabetic password can be broken in five hours, while a nine-character alphabetic password needs five days! Check out this amazing resource to get more details about passwords.

3. Default Prefixes for Database Tables

Your WordPress database consists of many tables, and by default all of their names start with the prefix wp_. Once hackers can manipulate these tables, they can do anything to your website. Rename them with a unique, unpredictable prefix.

WordPress experts hotly debate this security tip. Some see no value in renaming the tables; their argument is that a savvy hacker has other ways to identify them. However, you never know the skill level of the hackers who try to break into your website.

My conclusion is that you should change the prefixes of your database tables. You can do it manually or by using a security plugin.

4. Restrict Access to Sensitive Files

Some WordPress files contain sensitive data that is a gold mine for hackers. Leaving them reachable is one of the most common WordPress security issues, and it can be fixed by adding the following lines to your .htaccess file.

# Turn off directory listings so visitors cannot browse folder contents
Options All -Indexes
# Deny direct web access to each sensitive file. This is Apache 2.2 access
# syntax; on Apache 2.4 it needs mod_access_compat, otherwise use
# "Require all denied" inside each <files> block instead.
<files .htaccess>
Order allow,deny
Deny from all
</files>
<files readme.html>
Order allow,deny
Deny from all
</files>
<files license.txt>
Order allow,deny
Deny from all
</files>
<files install.php>
Order allow,deny
Deny from all
</files>
# wp-config.php holds the database credentials and the secret keys
<files wp-config.php>
Order allow,deny
Deny from all
</files>
# error_log can leak file paths and stack traces
<files error_log>
Order allow,deny
Deny from all
</files>
# Leftovers from Fantastico-based installers
<files fantastico_fileslist.txt>
Order allow,deny
Deny from all
</files>
<files fantversion.php>
Order allow,deny
Deny from all
</files>

HINT: .htaccess is hidden by default. Make sure that you set up the FTP client or File Manager to see hidden files. However, it’s still possible for websites to lack this file. To generate a .htaccess file go to Settings > Permalinks, and click Save Changes.

5. Brute Force Attacks

Brute force attacks use the trial-and-error method to guess the credentials of a website. Hackers don’t sit up all night guessing credentials by hand; they use specialized software to do the guesswork for them.

It’s obvious that a unique administrator username and a strong password will complicate the guesswork of any software. However, that is still not enough: install a security plugin that limits the number of login attempts.

6. SQL Injections

SQL injections are one of the most pervasive methods of getting control of a website. Structured Query Language (SQL) is the language used to control WordPress databases, and hackers can inject SQL commands to gain privileges and information. Hackers are creative, and they come up with new types of SQL injection every day. Defenses against SQL injection are to control and validate user input (e.g., manually moderate comments), install a powerful security plugin, and add the following snippet to your .htaccess file.

# Reject unusual HTTP methods. Note that HEAD is a normal method used by
# uptime monitors and caches, so blocking it is a common source of breakage.
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
RewriteRule ^(.*)$ - [F,L]
# Return 403 when the query string matches any of the patterns below.
# These are unanchored substring matches, so they also hit legitimate
# requests ("select" inside "selected", "tag=" on every tag archive, "%C3"
# in any UTF-8 search term). Test them against your real URLs and access
# logs before deploying.
RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag\= [NC,OR]
RewriteCond %{QUERY_STRING} ftp\:  [NC,OR]
RewriteCond %{QUERY_STRING} http\:  [NC,OR]
RewriteCond %{QUERY_STRING} https\:  [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
# The "ê" in the next line looks like a mis-encoded character that has been
# copied around with this snippet; check it before relying on the rule.
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*("|'|<|>|\|{||).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC]
# Skip the filter for requests carrying a wordpress_logged_in_* cookie. Only
# the cookie NAME is checked, not a valid session, so any client can send one.
# Treat this snippet as noise reduction: it never sees POST bodies, and real
# SQL-injection protection lives in the code that builds the queries
# (prepared statements via $wpdb->prepare in WordPress).
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
RewriteRule ^(.*)$ - [F,L]

HINT: Never ever add or remove a single line of code in your WordPress core without making a complete site backup first.
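To see what the query-string conditions above actually match before putting them on a live site, here is an added example (not from the original article) that transcribes them into Python and runs them over constructed sample requests. The two conditions containing the stray "ê" and the empty alternatives ("||") are left out because they look garbled in this copy.

```python
import re

# Query-string conditions from the .htaccess snippet above, transcribed into
# Python regexes ([NC] -> re.IGNORECASE); each is an unanchored substring match.
QUERY_STRING_RULES = [
    r"\.\./",
    r"boot\.ini",
    r"tag=",
    r"ftp:",
    r"http:",
    r"https:",
    r"(<|%3C).*script.*(>|%3E)",
    r"mosConfig_[a-zA-Z_]{1,21}(=|%3D)",
    r"base64_encode.*\(.*\)",
    r"%24&x",
    r"(%0|%A|%B|%C|%D|%E|%F|127\.0)",
    r"(globals|encode|localhost|loopback)",
    r"(request|select|insert|union|declare)",
]
COMPILED = [re.compile(p, re.IGNORECASE) for p in QUERY_STRING_RULES]


def matching_rules(query_string):
    """Return the patterns that fire on a raw (still URL-encoded) query string."""
    return [p for p, rx in zip(QUERY_STRING_RULES, COMPILED) if rx.search(query_string)]


def is_blocked(query_string, cookie_header=""):
    """Mirror the final RewriteRule: 403 when any pattern fires, unless a cookie
    named wordpress_logged_in_* is present. Only the name is inspected, so any
    client can send one: this is a bypass, not an authentication check."""
    if "wordpress_logged_in_" in cookie_header:
        return False
    return bool(matching_rules(query_string))


# Constructed samples: one obvious injection probe, then ordinary WordPress
# requests (tag archive, search terms, a referral URL) that the rules also reject.
SAMPLES = ["id=1 UNION SELECT 1,2,3", "tag=security", "s=selected+works",
           "s=caf%C3%A9", "ref=https://example.com/", "p=42"]

if __name__ == "__main__":
    for qs in SAMPLES:
        print(f"{qs:26} blocked={is_blocked(qs)!s:5} {matching_rules(qs)}")
    # The same probe with a forged cookie name sails straight through.
    print(is_blocked("id=1 UNION SELECT 1,2,3", "wordpress_logged_in_x=forged"))
```

Run it against a sample of query strings pulled from your own access log to see how many ordinary visitors the rules would turn away.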

7. Cross-Site Scripting (XSS)

The mechanism of hacking a website through cross-site scripting is to insert scripts into it without the knowledge of the website’s owner. The injected code steals data from users, including credentials. For instance, a hacker uses an XSS vulnerability to inject a fake submission form into your most visited pages; eventually people will enter sensitive data into it, even the login details for their PayPal accounts.

People with intermediate coding skills can check out this article from Wordfence that thoroughly covers cross-site scripting.

Protecting against XSS vulnerabilities is a challenging task. One of the best methods is to use themes and plugins from quality vendors, although there is no guarantee that these are invulnerable. Therefore, defense in depth is the best approach in this case. Use a variety of security measures, such as the following:

  • Online scanners
  • Security plugins
  • Periodic log checks
  • Obscuring important files
  • Updating WordPress core, themes, and plugins
  • Restricting user privileges

Honourable mention: HTTPS

Getting an SSL certificate has two significant advantages. The green padlock icon in the address bar shows visitors that the website is a trustworthy online presence, and at the same time HTTPS ensures that the traffic between the user and the website is encrypted.

An SSL certificate makes your website more secure, and it gives people evidence that you are serious. Sooner or later an SSL certificate will be mandatory, so it’s better to stay ahead of the competition.

These WordPress security issues need special attention if you genuinely care about your online business. Unfortunately, many other security issues might also damage your website.

How do you protect against hackers? Please share your methods of strengthening your website’s security, and let us know what you think about the above WordPress security issues.
