
Improve Your WordPress Security With These 3 Quick Fixes



WordPress is the most popular Content Management System (CMS) for getting a site up and running. Over 10 million sites on the internet run on WordPress, i.e. about 30% of the total. But because of that popularity WordPress was also the most hacked CMS of 2018: more compromised WordPress installations were recorded than for any other CMS.

In 2018 roughly 90% of all hacked CMS sites were WordPress sites. Most of these sites were running up-to-date software but had insecure configurations.

It is therefore important to configure your WordPress installation correctly, and the same survey expected these numbers to rise further by the end of 2019. The following essential configuration changes close three of the most commonly abused gaps and noticeably improve your WordPress security.

XML-RPC

XML-RPC on WordPress is an API that lets mobile apps, desktop apps and other services interact with your WordPress site remotely. Through the XML-RPC API a remote user can, among other things:

  1. Publish a post
  2. Edit a post
  3. Delete a post
  4. Upload a file (for example a cover image for a blog post)
  5. Get a list of comments

Because XML-RPC provides remote access to your blog it is a favourite attack vector against WordPress sites. Every authenticated XML-RPC call carries a username and password, so the endpoint can be used to guess credentials, and the system.multicall method lets an attacker pack hundreds of login attempts into a single HTTP request. A password guessed this way gives the attacker the same control over the site that the account has through wp-admin.

Disabling XML-RPC

If your site has no use for the XML-RPC API (the WordPress mobile app and some plugins such as Jetpack depend on it), disable it: however strong your passwords and login protections are, an exposed xmlrpc.php gives attackers a second place to brute-force credentials, and tools that only watch wp-login.php do not see those attempts.

You can do this manually or with a WordPress plugin.

To disable it manually, add the block below to the .htaccess file in the root of your WordPress installation. It rejects every request for xmlrpc.php, so nothing can interact with the API.

# Block WordPress xmlrpc.php requests (Require is Apache 2.4 syntax, Order/Deny is 2.2)
<Files xmlrpc.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
  </IfModule>
</Files>

This is preferable to installing a plugin for this one purpose: the web server rejects the request before WordPress even loads, so it costs nothing at run time. It only works on Apache with .htaccess overrides enabled; on nginx the equivalent is a location = /xmlrpc.php { deny all; } block in the server configuration. Verify the change by requesting /xmlrpc.php: you should receive 403 Forbidden instead of the usual "XML-RPC server accepts POST requests only." response.
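Where .htaccess is not available, the same result can be had inside WordPress itself. The following must-use plugin is an added example, not code from the original post or from WordPress; the file location wp-content/mu-plugins/block-xmlrpc.php and the response text are assumptions. It answers every XML-RPC request with 403 before any method is dispatched, tells WordPress that the API is disabled, and stops the site advertising the endpoint through the X-Pingback header, the RSD link and the pingback link tag:

```php
<?php
/**
 * Plugin Name: Block XML-RPC (example)
 * Description: Rejects every xmlrpc.php request and stops the site from
 *              advertising the endpoint. Assumed location:
 *              wp-content/mu-plugins/block-xmlrpc.php
 */

// xmlrpc.php defines XMLRPC_REQUEST before it loads WordPress, so when 'init'
// fires we already know this is an XML-RPC request. Refuse it here, before
// the XML-RPC server is even constructed, regardless of the web server in use.
add_action( 'init', function () {
    if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
        status_header( 403 );
        nocache_headers();
        header( 'Content-Type: text/plain; charset=utf-8' );
        echo "XML-RPC is disabled on this site.\n"; // assumed wording
        exit;
    }
}, 0 );

// Belt and braces: should anything ever bypass the exit above, tell
// WordPress the API is disabled so every method that needs a login fails.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Stop advertising the endpoint. WordPress adds an X-Pingback header to
// front-end responses and an RSD <link> in the document head; themes print
// a <link rel="pingback"> only while pings are open, so close them too.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );
add_filter( 'pings_open', '__return_false' );
```

Must-use plugins load before regular plugins and cannot be deactivated from the dashboard, which is what you want for a hardening control. After installing it, both a GET and a POST to /xmlrpc.php should return 403.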

User Enumeration

Attackers can use basic configuration flaws in your WordPress installation to obtain information about its user accounts. This matters because a confirmed username turns a blind brute-force attack into a password-guessing attack against a known account, and the names can be combined with other attack vectors against your site.

An attacker can use two methods to do this. Both are described below, together with how to stop them.

Author Archives

The easiest way to enumerate account names is to fuzz author archives, and automated tools do exactly this. They send GET requests for increasing author IDs, and WordPress answers each one with a redirect to that author's archive, whose URL contains the user's "nicename", which by default is the login name.

http://example.com/?author=1
http://example.com/?author=2
http://example.com/?author=3
These requests redirect to the following URLs:
http://example.com/author/admin/
http://example.com/author/user2/
http://example.com/author/user3/

Securing Author Archives

.htaccess helps here too. To stop this form of user enumeration, add the following code to the .htaccess file in the root directory of your WordPress installation, above the "# BEGIN WordPress" block so it runs before WordPress's own rewrite rules. Replace abc.com with your site's base URL.

<IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteCond %{QUERY_STRING} (^|&)author=[0-9]+
 RewriteRule .* http://abc.com/? [L,R=302]
</IfModule>

The snippet redirects every request whose query string carries a numeric author parameter (anywhere in the query string, not only at its start) back to the home page, so author IDs can no longer be resolved to usernames this way. Two caveats: it also blocks the author filter in wp-admin (edit.php?author=N), and it does not hide the /author/<name>/ permalinks themselves, so a name the attacker already knows can still be confirmed.

Detailed Error Messages

The login form is another easy way to enumerate usernames. When a wrong username is entered, WordPress reports that the username is invalid, whereas a wrong password for an existing account produces an "incorrect password" message, so the response reveals whether the account exists.

Attackers can leverage this to enumerate existing usernames by brute-forcing the username field with a wordlist: each attempt tells them whether the name is registered, regardless of the password.

Hiding Detailed Error Messages

A simple approach is to use a plugin called Hide Login Errors, which replaces the detailed error on the login page with a generic one that gives away nothing about the account. To install it, follow these steps.

From your WordPress dashboard:

  1. Visit Plugins > Add New
  2. Search for “Hide Login Errors”
  3. Install the “Hide Login Errors” Plugin
  4. Activate “Hide Login Errors” on the Plugins page

This plugin is regularly updated and helps improve your WordPress security. You can also read more about WordPress security issues here.
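Both enumeration methods described above (author archives and detailed login errors) can also be closed inside WordPress, with no .htaccess and no extra plugin. The following must-use plugin is an added example rather than code from the original post or from the Hide Login Errors plugin; its file location and the generic error wording are assumptions:

```php
<?php
/**
 * Plugin Name: Stop user enumeration (example)
 * Description: Blocks ?author=N lookups on the front end and replaces the
 *              detailed wp-login.php error with a generic one. Assumed
 *              location: wp-content/mu-plugins/stop-user-enumeration.php
 */

// 1. Author archives.
// Enumeration tools send ?author=1, ?author=2, ... and WordPress's canonical
// redirect (hooked on template_redirect at priority 10) answers each with a
// redirect to /author/<nicename>/, leaking the login name. Run first
// (priority 0) and send such requests to the home page instead.
// template_redirect does not fire for wp-admin requests, so the author
// filter on edit.php?author=N keeps working.
add_action( 'template_redirect', function () {
    if ( isset( $_GET['author'] )
        && is_string( $_GET['author'] )
        && ctype_digit( $_GET['author'] ) ) {
        wp_safe_redirect( home_url( '/' ), 302 );
        exit;
    }
}, 0 );

// 2. Login form.
// WordPress renders different messages for "no such user" and "wrong
// password". Replace both with one fixed message so the response no longer
// reveals whether the account exists. The filter receives the rendered error
// text for every wp-login.php action, so only touch the login action itself;
// the lost-password and registration forms keep their own messages.
add_filter( 'login_errors', function ( $errors ) {
    $action = ( isset( $_REQUEST['action'] ) && is_string( $_REQUEST['action'] ) )
        ? $_REQUEST['action']
        : 'login';
    if ( 'login' !== $action ) {
        return $errors;
    }
    // Assumed wording; any fixed text that does not echo the username will do.
    return 'Login failed. Please check your username and password.';
} );
```

With this in place, /?author=1 lands on the home page instead of /author/admin/, and a wrong username and a wrong password both produce the same sentence on wp-login.php. The lost-password form has its own error strings and is worth reviewing separately.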

WP Version Enumeration

Most WordPress core vulnerabilities are indexed in the CVE database by the affected WordPress versions. If attackers can determine which version you are running, they can go straight to the published exploits for it instead of probing blindly.

It is therefore worth configuring your WordPress installation to stop advertising its version number. This is a defence-in-depth measure, not a substitute for updating: keeping WordPress current is what actually removes the vulnerabilities.

Hiding the WordPress Version

The simplest way to hide the WordPress version is to edit the functions.php of your active theme, found at:

wp-content -> themes -> your_theme_name -> functions.php

Note that a theme update overwrites this file, so put the snippet in a child theme or a must-use plugin (wp-content/mu-plugins/) if it needs to survive updates.

Once you find the file, add the following line at the end. It removes the <meta name="generator"> tag that WordPress prints in the HTML head of every page:

remove_action( 'wp_head', 'wp_generator' );

This covers only the HTML head. The version also appears in the <generator> element of the RSS and Atom feeds and in the ?ver= query string that WordPress appends to its own scripts and stylesheets, and the readme.html file in the site root states it in plain text; remove or block those as well.
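To cover the feeds and the ?ver= query strings as well, the following must-use plugin (an added example, not code from the original post or from WordPress; the hwv_ prefix and the file location are assumptions) filters the generator output at its source and strips the core version from script and style URLs while leaving plugin and theme asset versions intact:

```php
<?php
/**
 * Plugin Name: Hide WordPress version (example)
 * Description: Removes the version from the HTML head, the RSS/Atom feeds
 *              and the ?ver= query string on core scripts and styles.
 *              Assumed location: wp-content/mu-plugins/hide-wp-version.php
 */

// The <meta name="generator"> tag in the head (what remove_action on
// wp_generator covers) and the <generator> element in every feed are all
// produced through the_generator(), so one filter on it silences them all.
add_filter( 'the_generator', '__return_empty_string' );

// WordPress appends ?ver=<its own version> to core assets, and to any asset
// enqueued without an explicit version. Strip the parameter only when it
// equals the running version, so plugin and theme cache busting still works.
// The hwv_ prefix is an assumption chosen for this example.
function hwv_strip_core_version( $src ) {
    global $wp_version;

    $query = wp_parse_url( $src, PHP_URL_QUERY );
    if ( empty( $query ) ) {
        return $src;
    }
    parse_str( $query, $args );
    if ( isset( $args['ver'] ) && $args['ver'] === $wp_version ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'hwv_strip_core_version' );
add_filter( 'style_loader_src', 'hwv_strip_core_version' );
```

readme.html in the site root still states the version in plain text, so delete it or deny access to it in the web server. An attacker can also fingerprint the version from the contents of core JavaScript and CSS files, which is why updating promptly matters more than hiding.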

Making these configuration changes improves your WordPress security by a clear margin and shields your site from the most common automated attacks on the hostile web.

Check the most comprehensive guide on WordPress security to fix more such security loopholes.

WP Hardening – Fix Your WordPress Security

The items above are only a few of the many configuration weaknesses that attackers exploit to gain unauthorized access to a site. We recommend WP Hardening for broader, real-time protection of your WordPress against malware and attackers on the web.

WP Hardening is a WordPress plugin by Astra Security that performs a real-time security audit of your website to find missing security best practices. Using its "Security Fixer" you can also fix these with a single click from your WordPress backend.

The WP Hardening plugin lets you apply basic WordPress security measures without installing several other plugins. Installing many security plugins to improve your WordPress security ironically increases both the attack surface and the slowdown, and each one needs maintenance and updates that many webmasters fail to keep up with. WP Hardening addresses this problem and more.

To install the plugin just follow these simple steps:

  1. Visit ‘Plugins > Add New’ in your admin dashboard
  2. Search for ‘WP-Hardening’
  3. Install WP-Hardening once it appears
  4. Activate it from your Plugins page
  5. WP-Hardening button will appear on the bottom left of your admin dashboard

To apply the configuration changes described above with WP Hardening in a single click, follow these steps:

  1. Click on the WP-Hardening button on the bottom left of your admin dashboard.
  2. Click on ‘Security Fixers‘.
  3. Enable the security options
  4. You are done! It’s that easy.

Securing your WordPress site with WP-Hardening takes a few clicks. It is a one-stop solution for this kind of WordPress hardening, is effortless to use and is updated regularly to keep up with the ever-changing cybersecurity landscape.

Conclusion

WordPress security can be improved with a few simple tweaks to your installation. This post addresses a few weaknesses, such as user enumeration, WordPress version leakage and XML-RPC abuse, but there are many more that attackers exploit to gain unauthorized access to a WordPress site.

In case your WordPress website is hacked, you can follow the comprehensive guide mentioned above to fix it.

We recommend using the WP-Hardening plugin to secure your site against these vulnerabilities. It is an essential WordPress plugin if you want to protect your site from attackers.
