43% of all websites are built in WordPress (W3Techs). Custom WordPress sites rely on plugins, themes, and other components determined by the website administrators. Because these extensible components are often created by third-parties, each custom addition is a potential attack vector that needs to be monitored and updated to maintain a secure website.
Website security is a critical aspect of your cybersecurity posture. This article reviews data exposure and other security issues when using WordPress as your content management system, as well as what actions website owners can take to limit access to exposed information.
WordPress Security Measures
WordPress is a popular open-source content management system (CMS) used widely around the world. With WordPress, websites can be created quickly and customized with a wide variety of themes and plugins. WordPress offers paid hosting through WordPress.com or free open-source options with WordPress.org, and many hosting providers include an option for WordPress hosting.
WordPress offers encryption by default over SSL (Secure Socket Layer) for all [.rt-script].com[.rt-script] sites. As part of the WordPress.com hosting package, all sites receive SSL/TLS certificates from Let's Encrypt. WordPress supports TLSv1.2 and TLSv1.3, as well as the HTTP Strict Transport Security (HSTS) policy to force secure connections. As part of the [.rt-script].com[.rt-script] hosting support, WordPress also provides additional security measures, including distributed denial-of-service (DDoS) protection and data recovery.
Because WordPress is a CMS configured by users, site administrators can take additional precautions to protect data through role-based access control, strong passwords, two-factor authentication, multi-factor authentication, and risk reduction through continuous monitoring. Keeping your WordPress core software up-to-date can prevent backdoors into your site and benefit your search engine rankings and overall SEO.
To protect your WordPress website, you first need to identify the potential attack surface.
Common WordPress Cybersecurity Risks
With custom configuration for a CMS like WordPress, the site administrator has a responsibility to limit potential risks and keep the site safe. A continuous monitoring tool like UpGuard BreachSight can help website administrators identify risks. UpGuard scans WordPress sites for seven risk findings that can expose user data.
- Insecure WordPress installation detected
- Outdated WordPress installation detected
As with any software, it is important to maintain a consistent update cadence to ensure that you are running the latest version. System updates typically include security patches and other bug fixes, so running an outdated version may mean that your website is not as secure as it could be. Updating to the latest stable version will help you avoid vulnerabilities present in previous versions and minimize the risk of attackers inserting malicious code through plugins and other avenues.
- Listable directories found
Asset hosting with WordPress follows a predictable directory structure. If the directory is listable, then anonymous users can access all files in that directory. For assets like images to be accessible on the website, they do not need to be listable and making the directory listable can expose other files that you wish to keep private. Open directories may expose data about your use of plugins, which can be exploited by attackers who know how to target weaknesses in specific plugins. Other files, like backups, user contact information, and user submitted data, may also be exposed by an open directory that may not seem directly accessible but can be discovered. As an administrator, you can disable directory listing in your site's [.rt-script].htaccess[.rt-script] file.
- WordPress XML-RPC API enabled
WordPress implements an XML-RPC interface for the WordPress API, enabling data transmission with HTTP as the transport mechanism and XML as the encoding mechanism. While running API calls for your WordPress site can help you facilitate updates and information requests through a command-line terminal or third-party application like Postman, this interface provides an additional attack surface to DDoS and brute force attacks. You can disable this interface with the .htaccess configuration file.
- WordPress version exposed
- WordPress plugin versions exposed
- WordPress user list exposed
Unintended data exposure can provide malicious attackers with information about vulnerabilities or user credentials that can be leveraged for exploitation of your site. If your WordPress version or plugins are exposed by your website's source, then your site remains vulnerable to attackers. If data about your users leaks through the users API, then attackers can use that information to attempt to brute force credentials or otherwise pursue privacy exploitation based on user information.
Continuous monitoring for these specific configuration risks can help you ensure that your WordPress website does not constitute a security risk or otherwise expose your users' data.
How UpGuard Can Help
We scan. You benefit.
UpGuard has been running WordPress-specific security checks and scanning WordPress headers since 2019 to identify configuration issues that expose WordPress sites to attack vulnerabilities. The seven risk findings listed in the previous section for any WordPress installation are available to all UpGuard customers alongside scans for hundreds of WordPress plugins and vulnerabilities. To assess whether your WordPress site is vulnerable, log in to UpGuard and search for each of these findings by name in your BreachSight Risk Profile.
Additionally, UpGuard provides a public, free security report on WordPress that you can review to assess potential issues when using the platform.
How to Protect Your WordPress Site
Once you know the risks impacting your WordPress site, you can run any necessary updates or make any required configuration changes to protect your site. Site owners should follow security best practices and run WordPress updates:
- Updates: Maintain a regular update cadence for your WordPress installation, as well as any WordPress themes or plugins that you use. Audit your resources to remove any unused tools, and run automatic updates for your version of WordPress.
- Access: Apply the principle of least privilege to limit access to the site. Create new user accounts with limited permissions, limit login attempts to protect against brute force attacks, and remove the WP Admin access point to disable the WordPress admin dashboard. Update the admin username and login credentials to prevent bot attacks through your WordPress login page.
- SSL/TLS: Ensure that your site is protected by SSL encryption and that you take the necessary measures to strengthen weak SSL, renew SSL certificates before expiration, set up HTTPS, use HTTPS Strict Transport Policy, and protect your domain from expiration. Most hosting companies include SSL for site security.
- Server Hardening: Take necessary precautions to create layers between your server and potential attackers for a secure WordPress site. Follow recommended guidance for your backend setup, such as the Windows Server Hardening Checklist or How to Build a Tough NGINX Server. Create a content security policy to control how a user agent loads site resources.
- Configuration: Set up your configuration files, such as the [.rt-script].htaccess[.rt-script] file for an Apache web server, to remove common intrusion points like listed directories, the XML-RPC interface, and the WP-JSON users API. Update your login URL to something other than the typical WordPress dashboard. Disable file editing in the [.rt-script]wp-config.php[.rt-script] file to prevent attackers from editing your theme or plugins.
- Backups: Create a secure backup strategy so that you maintain a secure backup of your site if your site is compromised by malware, DDoS attacks, cross-site-scripting (XSS) attacks, security breaches, security vulnerabilities, or other security issues. Your web hosting provider may offer backups as part of the hosting package. Exposed backups are commonly sought after by hackers.
Your hosting provider might have additional parameters you can specify to protect your site from hackers and cyberattacks, such as web application firewalls (WAF) or malware scanning. While there are WordPress security plugins available, assess each plugin with due diligence to maintain a secure site.