Securing WordPress ... Or Leaving WordPress

  • Be sure to checkout “Tips & Tricks”
    Dear Guest Visitor → Once you register and log-in:

    This forum does not automatically send notices of new content. So if, for example, you would like to be notified by mail when Steve posts an update to his blog (or of any other specific activity anywhere else), you need to tell the system what to “Watch” for you. Please checkout the “Tips & Tricks” page for details about that... and other tips!

    /Steve.

rfrazier

Well-known member
Sep 30, 2020
320
100
Hi All,

My name is Ron Frazier. I've been a Security Now fan forever and a SpinRite user about as long. Thanks to Steve and Leo for all the good advice. Much of my security knowledge came from them. Then, I frequently go off on my own and do research. I often cite Steve's and Leo's work in my blog posts.

The following quote came from a post over in the Steve's Blog forum in the Welcome to the Blog thread. I decided to create a separate thread here solely about Securing WordPress ... Or Leaving WordPress.

This post came from OldAngryMan - https://forums.grc.com/members/oldangryman.2416/

Steve,

Couple of points on WordPress. I've been battling Brazilian and Russian hackers for almost a decade. I had to rebuild the website more than 10 times. Constant defacing, comment spams... I was an easy pick for these #$%&^*. Finally, I decided to stop and do some research. Apparently, I was not the only one pissed off enough to do something about it. One change to .htaccess to put new rewriting rules which disabled the listing of login names plus 2 free plug-ins to stop the brute force attacks, nasty URL formating, known email addresses and IP, country blocking, etc.... has put the source of my constant aggravation to an end. I haven't been hacked in over 6 years. And, I sleep like a baby not worrying about my website.

1. WordPress plugin - Stop spammers by Trumani

2. Wordpress plugin - Edit Author Slug by Brandon Allen ( I used something annoying that starts with "kissmy...."

3. Wordpress plugin - Edit User Name (to rename userid without needing SQL "update" skills)

4. Rename the default administrative account from "admin" to something cute and secret using plugin #3. Any attempt to use the default will be blacklisted by plugin # 1.

5. change user_id from 1 or 2 to something MUCH HIGHER value. :)

Easy peasy.

Finally, you will get one more source of entertainment and satisfaction: watching logs included in the plugin- #1, automatic blocking, sending to the penalty box, and knowing what the ridiculing message, that YOU can create, was presented to the poor soul.

WordPress security is a topic near and dear to my heart. I have been running my Ron's Tech Rant blog for years, although for the last couple of years, I've been tied up with other things and haven't written articles. All this while, I've been using WordPress. I've done lots of research into securing it. Below, I share what I found out. I don't consider myself to be a WordPress expert, just a guy that listens to Security Now and who wants to run a blog and not get destroyed.

About 4 years ago I was deep into the battle with the hackers. I ended up writing this blog article.

How To START Securing Your WordPress Site

Shortly thereafter, the people at WordFence Security noted that many WordPress sites were being attacked by hacked routers. So, I wrote up and published this blog article.

Beefing Up Your ROUTER Security

Here's a summary of the points in the WordPress article. But, see the article for much more elaboration.

01) Use LastPass or something similar to generate a really long password for the WordPress site login. I like to use 32 or 64 random characters generally. I usually don't use symbols. Some websites balk at 64 characters, so I gravitate to 32 mostly.
02) Install Google Authenticator or something similar on at least 2 of your devices. This allows you to use a time varying 6 digit code as your 2nd factor. If you lose or break one device, you must have a backup for all your access codes. Every time you store an access code on one device, do it to the others. If you lose a device and the person that finds it could use your Google Authenticator, you must reset the 2FA credentials on every site where you've used them.
03) Install WordFence on your site.
04) Upgrade to WordFence premium.
05) Learn to use the 2FA (2nd factor authentication) features of WordFence. WARNING - if you do this, you will be required to append SPACE WF CODE to your password to login to your admin page, where the CODE is the time varying number from Google Authenticator. Make a note to yourself. You can save the note in LastPass. Have LastPass fill in the basic password and then append the 2FA code yourself. If you don't do this, and just have LastPass try to auto login to your site, it will fail repeatedly and you will get locked out of your own site. If the WordFence setup asks you to generate and save backup codes for alternate access, DO SO! You can also save those in your LastPass record where your main password is stored. This pretty much ends anyone's ability to break into your site through the front door, unless you get a virus in your PC or something and it steals your data.
06) Scan your site and fix any problems.
07) Use the Live Traffic feature to see what’s hitting your site. If you have much traffic at all, you'll see lots of attacks, trying to access non existent plugins and such. You can also note which countries most attacks come from.
08) Learn to use Country Blocking and use if appropriate.
09) Reduce the page access throttling limits if applicable.
10) Learn to use the other options in the WordFence setup.
11) Learn to use the WordFence support ticket system to ask questions when needed.
12) Join the WordFence mailing list to receive email updates of important security news.
13) Minimize plugin and theme use to the absolute minimum.
14) Use a hosting provider that provides safe mode or managed mode or something similar. This way they keep the WordPress and plugins up to date. PAY to get this if needed.
15) PAY a little extra if needed to get an SSL / TLS certificate so you can run your site with https encryption.
16) Consider the plugins shown below.
17) Hopefully, your site won’t be compromised. But, if it is, I would wholeheartedly recommend hiring the experts at WordFence to clean it for you. That’s what I would do.

The moral of the story is: Yes I strongly recommend WordFence. Yes you must actively be conscious of and actively involved in the security of your site. Yes you WILL be under attack whether you know it or not.
I am not affiliated with Wordfence in any way other than as a user.

*** plugin - Wordfence Security

*** plugin - BackupBuddy

The following two get rid of the Gutenberg editor - just my personal preference.

plugin - Advanced Editor Tools (previously TinyMCE Advanced)

plugin - Classic Editor

plugin - Disable Comments

The following two disable some automation on WordPress that allow, among other things, hackers to attack your site at high speed with automation to try huge numbers of attacks very quickly.

plugin - Disable REST API

plugin - Disable XML-RPC

This helps Google index your site and notifies them of changes.

plugin - Google XML Sitemaps

This helps make sure every link on your site is secured by SSL.

plugin - Really Simple SSL

As I understand it, current forum settings will delete this post in 7 days after it's replied to last. So, if you want a copy of this text, grab it and save it.

NOW, having said ALL that and ALL that's in those articles, the volume of WordPress attacks over the past few years has just gotten too big to keep up with. Steve and Leo have mentioned using a static site instead and abandoning WordPress altogether. They mentioned a site generator called Hugo. With a static site, there's no PHP, no automation, no programs, no dynamic site generation. Nothing but text, images, links, CSS (I presume), and other basic HTML features. There's no admin, and no admin login. There's no WordPress and no WordFence and no plugins. There's just the login to your web space where you upload the static text, a login which you should protect the same way I mentioned for the admin login above.

I'm planning on moving my site to a static site when I can. I tried a HUGO export plugin but couldn't get it to work.

Steve and Leo, if you'd like to explain how to get going with a static site, either here or on the podcast, that would be great.

Hopefully, that information helps. Some is a little dated, but it's mostly still relevant.

Sincerely,

Ron
 
  • Like
Reactions: peterhatoz

Steve

(as in GRC)
Staff member
Feb 1, 2019
377
1
1,000
66
Southern CA, USA
www.grc.com
My 2-cents worth (though I've already had plenty of air-time on the subject with my captive audience) is that both of the postings by @OldAngryMan and @rfrazier serve to perfectly prove the point that I was making:

On the podcast I mentioned that I didn't want to invest in the time and trouble required to fight with WordPress's security, since I had made a single blog posting in a couple of years, yet the site stood there, taking incoming, 24/7/365.25. I salute the fact that those guys did choose to wage that war. I can certainly get behind that. But they are not the Average Joe or Jane “I just want to post to a blog” user, and the WordPress model is fundamentally broken when it requires that extreme level of involvement and expertise just to keep it out of the hands of attackers.

WordPress is the low hanging fruit of the Internet, and I'm glad that I sawed that branch off myself. Good riddance!
 
  • Like
Reactions: Wolfen

rfrazier

Well-known member
Sep 30, 2020
320
100
How To START Securing Your WordPress Site

Beefing Up Your ROUTER Security



Haha, I got a 503 response from WordFence on both of these links.

Hello @jem . I appreciate you trying to look at my blog posts and I'm sorry you got an error.

See, my site is REALLY secure. :cool: Just kidding. I just cleared the cache on my Firefox and went to the links myself. They worked OK for me and I'm not aware of any current problems with the site. I can speculate as to a few possible causes although I don't know exactly what happened to your request.

* The site is on a shared server. Maybe the ISP was having problems at that time.

* If you're going through a VPN, maybe that shared IP is also one where some attacks are coming from, and the site blocked the IP.

* If you're visiting from a foreign country, not USA, maybe it got blocked.

If you try again and still have problems, let me know and I'll try to troubleshoot or email you the text or something.

Sorry for the trouble.

Ron
 

AlanD

Well-known member
Sep 18, 2020
210
69
Rutland UK
I just tried it and got

Block Reason:Access from your area has been temporarily limited for security reasons.
 

rfrazier

Well-known member
Sep 30, 2020
320
100
I just tried it and got

Block Reason:Access from your area has been temporarily limited for security reasons.

Hi @AlanD , now I understand your situation, but not the other party that had a problem earlier. I forgot that Steve has such an international audience. I'm in the USA.

It turns out that I've got the European Union blocked out because of the General Data Protection Regulation that they imposed a few years ago, GDPR. https://en.wikipedia.org/wiki/General_Data_Protection_Regulation It puts a whole lot of requirements on website operators for documenting personal data retention, privacy policies, and data retrieval. It also applies substantial penalties for non compliance. That was just too much mess for me to worry about. For what it's worth, I don't keep any data about you when you come to the site. As to what the ISP's computers keep, I have no idea. I'm sure they keep the visitor's IP, but I don't know what else. Sorry for the trouble.

Since troubleshooting Ron Frazier's blog is REALLY off topic for Steve Gibson's forum, let's take this specific conversation about the problem private. Send me an email to ronstechrant AT techstarship DOT com and I will be happy to email you copies of those articles if you wish. Obviously, if you email me, then I have your email address. As an alternative to email, you can hover your cursor over my picture, then click the Start Conversation button. Then, we could talk privately through the forum. If we do that, you can access the conversation via the envelope symbol at the lower right of the top brown banner here on the forum. I've never used that feature but I know it exists.

Thanks very much for your interest.

Ron
 
My 2-cents worth (though I've already had plenty of air-time on the subject with my captive audience) is that both of the postings by @OldAngryMan and @rfrazier serve to perfectly prove the point that I was making:

On the podcast I mentioned that I didn't want to invest in the time and trouble required to fight with WordPress's security, since I had made a single blog posting in a couple of years, yet the site stood there, taking incoming, 24/7/365.25. I salute the fact that those guys did choose to wage that war. I can certainly get behind that. But they are not the Average Joe or Jane “I just want to post to a blog” user, and the WordPress model is fundamentally broken when it requires that extreme level of involvement and expertise just to keep it out of the hands of attackers.

WordPress is the low hanging fruit of the Internet, and I'm glad that I sawed that branch off myself. Good riddance!
Another alternative is to pay someone else to do the WordPress security for you?

One of my client’s Wordpress website got hacked. Fortunately, he had Astra installed. It hardened his WordPress website. They helped him removed the malware in his website. Long story short, the hackers got in through a vulnerable plugin, which was then updated.
 

ScruffyDan

Member
Sep 23, 2020
12
4
If you don't want the responsibility of maintaining a Wordpress install on the public internet then I would look at a managed Wordpress service. Wordpress.com seems like the obvious choice but there are other options.

If you do want to run Wordpress yourself (and I have been doing so for more than a decade), the most important security advice is

1) Keep Wordpress up to date
2) Keep your plugins up to date
3) Limit the number of plugins you use
4) Only use plugins from reputable authors
5) Ensure your plugins haven't been abandoned by the developers
6) Do you *really* need all those plugins?
7) Consider putting someone like Cloudflare in front of your your server.

If you can live with no plugins Wordpress becomes much easier to secure

Of course if you are running your own web server you will also want to secure that as well.

But some of us, for reasons that I do not understand, find it fun to do this sort of thing...
 
  • Like
Reactions: DB2_1984

rfrazier

Well-known member
Sep 30, 2020
320
100
This seemed very timely for this discussion. It popped up on my podcatcher this morning from the WordFence Think Like A Hacker podcast, which I highly recommend.

WordFence Podcast

Episode 90: WPBakery Plugin Vulnerability Exposes Over 4 Million Sites

For anyone concerned about WordPress security, I highly recommend WordFence. I have no affiliation with them other than as a customer.

WordFence

WordFence Mailing List

Ron
 
  • Like
Reactions: iSecurityGuru

Robert Hickman

New member
Oct 12, 2020
4
2
Wordpress is a horrible mess, its terribly written and extreamly slow for what it does. I dont reccomend using it at all. Howeaver ditching wordpress does not mean that one has to go all the way back to a static site as the op suggests.

There are many other content management systems that are way better than wordpress is. One of my friends uses silver stripe which is also PHP but much more modern in its design and way cleaner, and there are systems based on python, nodejs, etc, although i cant give any suggestions as i dont use those ecosystems myself.

Wordpress is a blogging engine that was bodged to do lots of other stuff. I suspect people only use it as the name is known. Use something else.
 
  • Like
Reactions: Steve

Steve

(as in GRC)
Staff member
Feb 1, 2019
377
1
1,000
66
Southern CA, USA
www.grc.com
@Robert Hickman : Nice to see you here, Robert.
And I confess that you're right in my case. Once upon a time the saying was “No one ever got fired for choosing IBM.” I certainly chose WordPress only because it was “the” blogging engine. I can't speak to the way it's written. Its core appears to be solid — at least from a base security standpoint — since it's almost always the add-ons that cause trouble. And there's clearly a need for add-ons, since no single solution can meet everyone's needs. Even this instance of XenForo has a handful of add-ons added. But they are typically UI and automation tweaks. I suspect that WordPress probably needs a big rethink.
 

Robert Hickman

New member
Oct 12, 2020
4
2
@Robert Hickman : Nice to see you here, Robert.
And I confess that you're right in my case. Once upon a time the saying was “No one ever got fired for choosing IBM.”

I agree, and thank you. Yes wordpress needs rethinkinking and has done for a long time. Wordpress is an early php project, and during that era there wasnt much awareness of good code structure, and many of the people writing in the language had no real training in programming. Its verry 'thrown together', and massively overcomplicated, which also makes it really slow, taking 200 to 400 ms to generate a page that other php cms systems can do in 20 to 30 ms.

Most other large php projects have gone through multiple major refactorings or even rewrites, as things were learned (drupal for example), but wordpress never has. Such major changes are required to simplify code, but break backwards compatibility, and wordpress has been unwilling to do so. Its much the same situation that microsoft windows is in i think.
 

uteck

New member
Oct 7, 2020
3
2
I use the free hosting from Wordpress.com since it means that they do all the security. Since the site is rather static I don't need any of the add-ons, which is why I choses the free hosted Wordpress tier. After doing support at a VPS company for a few months, most of what I did there was clean up peoples self-hosted Wordpress sites after they were hacked.
I have other things to do then update my sites security, which can be said for any self-hosted option. You have to use your laziness in the proper way to maximize your free time.
 
  • Like
Reactions: Robert Hickman

markscott

New member
Oct 1, 2020
2
2
The best thing I ever did to secure my WordPress site was put it behind CloudFlare. I was getting hacked every couple of months no matter what I tried. I haven't had a single incident since I switched it over several years ago. I even use the free plan.
 

JulioHM

Active member
Oct 25, 2020
37
16
Hi @rfrazier,

I do agree with @Steve, thought. If you can get away with not handling WordPress maintenance, that's perfect. For some people, though, that's not possible.

To increase security, I would recommend running WP inside an isolated container, with Docker being the most popular solution. Even at the basic level of orchestration -- meaning you run Docker containers manually -- it's possible to keep WP completely isolated from other hosts and network resources.

One of the best advantages of using containers is that everything inside it can be made immutable and impossible to change, much like an read-only ISO image. Even if malicious code is injected into the container, recreating it cleans up the installation and returns it to a clean version. With a good orchestration model, this restart can be made transparently every day.

Even the root user is different. Inside the container, root does not have as many privileges, and the container itself can be stripped of any other package/software that WP does not need.
 

rfrazier

Well-known member
Sep 30, 2020
320
100
@JulioHM That is an interesting idea about the containers. I've never had a chance to play with those. Similar idea to running in a VM I guess. I've just used a managed shared server at 1and1. I don't really have the funds to do a private server. They manage WP upgrades and WP has started upgrading plugins automatically. I try to run minimal plugins. I use WordFence security, which I believe to be one of the best products. Eventually, I'd just like to remove the attack surface entirely by using a static site. Hadn't got around to doing the change. Then I wouldn't need to subscribe to WordFence I'm pretty sure this forum system is running PHP, but hopefully it's fairly resistant to attack. And, we don't have hundreds of millions of viewers.

Ron
 

raciohurg

New member
Sep 13, 2021
1
0
Of course, it depends on why are you using Wordpress. In many cases, people choose WordPress because it's an easy platform to use if you're new to web development. However, WordPress also has a lot to offer if you have experience building websites. It's entirely customizable, and its plugin and theme systems can enable you to build almost any type of site you'd like. WordPress is easy for beginners, yet powerful for developers. For those looking to host WordPress, there are a lot of options available online, so you need to choose what fits you best.
 
Last edited:

rfrazier

Well-known member
Sep 30, 2020
320
100
It's been a while since I've been on this thread. For me personally, I just went with WordPress a decade ago because it was an easy solution to build a site. While I still haven't had a chance to change the site, I don't think I have any needs right now that a static site couldn't handle. It's a simple blog with only me as a contributor, no comments, no forums, no shopping cart, just words, links, and pictures. Others may have different needs.

Ron