This post was most recently updated on June 17th, 2019
Because WordPress is open source we might think it is easy to hack, but if we take care of a few things it is much more secure than most other websites.
Below are some tips you can use during the development and testing phases. Each row gives the test case, how to perform it, and the expected result or the reasoning behind it.
| Test case | How to do / steps | Expected result / reason |
|---|---|---|
| Verify that login attempts are limited. | Ask your developer to install the Login LockDown plugin. | Attackers often run brute-force attacks to crack the password; limiting login attempts is the best protection against this. |
| Verify that a security question is configured for logging in to the application. | Use the WP Security Question plugin. | Adding a security question to the WordPress login screen makes it harder for someone to gain unauthorized access. |
| Verify that two-factor authentication is implemented in the login procedure. | Google two-factor authentication should be implemented on the WP website. | The Google Authenticator app sends a secret code to your phone, so only the person holding your phone (you) can log in to the site. |
| Verify that the password must combine uppercase, lowercase, alphanumeric and special characters. | Try changing the password of a newly created user. By default, when a new user is created in WP a random string is generated as the password; the user can then change it to a password of their choice. We can require that it contain a combination of upper- and lower-case characters. | The password field should validate that the value contains upper- and lower-case letters, alphanumeric values and special characters. |
| Verify that the email id is used as the username when logging in to your WP site. | Ask your developer to implement the email id as the username for login. | Using an email id is more secure than a username, as usernames are easier to predict. Also, any email id used for login was verified as belonging to a valid user at registration time. |
| Verify that a captcha is implemented on form submission. | Ask your developer to implement a captcha for login. | A captcha prevents an attacker from submitting many requests through scripting. |
| Verify that previously used passwords are not allowed when resetting the password. | | Previously used passwords should not be accepted when resetting the password. |
| Verify that the captcha is refreshed when a login attempt fails. | 1. Go to the login page and enter a wrong username or password. 2. Enter the captcha value. 3. Click the login button. | When the login attempt fails, the entered captcha value should be cleared and a new captcha generated for the next attempt. |
| Verify that the user is logged out automatically when idle. | Go to the inactive user logout settings on the WordPress admin side. | Logged-in users sometimes walk away from the screen, and this is a security risk: someone can hijack their session, change passwords or make changes to their account. This is why many banking and financial sites automatically log out an inactive user; you can implement similar functionality on your WordPress site. |
| Verify that the user cannot regain access after the session ends by using the browser back button. | | The user does not get access after the session has ended by using the browser back button. |
| The WordPress database prefix should be changed. | | By default, WordPress uses wp_ as the prefix for all tables in the WordPress database. If your site uses the default prefix, it is easier for hackers to guess your table names, which is why changing it is recommended. |
| Verify that a customized URL is used for the admin side of the WP website. | Simply appending /wp-login.php or /wp-admin/ to your domain name is not good practice; instead we should implement a custom URL. | This little trick keeps an unauthorized party away from the login page: only someone with the exact URL can do so. |
| Verify that SSL is used on the WP website. | We can obtain a secure socket layer certificate from the market. This also helps improve our ranking in the Google search engine, since Google prefers SSL sites over non-SSL ones. | The WP website should have an SSL certificate. We can check this in the browser URL bar by verifying that it starts with https://. |
| Verify that the WP site is regularly scanned for malware and vulnerabilities. | 1. Go to https://sucuri.net/ 2. Enter the URL of the WP website. 3. Observe the report. | The report should show no malware and no threat to the website when the scan is done. |
| Monitor the audit logs regularly. | Use the WP Security Audit Log plugin; it helps find malicious activity by other users. | When running a multi-author website, it is sometimes not possible to look at every activity on the site, such as changing themes or widgets, since these operations are restricted to admin permissions. The audit log helps ensure other users cannot change anything without your approval. |
| The WordPress version and plugins should be updated regularly. | Not updating your themes and plugins can mean trouble. Many hackers rely on the mere fact that people can't be bothered to update their plugins and themes; more often than not, those hackers exploit bugs that have already been fixed. Most things in WP are updated manually; for plugins we receive a notification, but we still need to update them manually. | All plugins installed on the website should be updated. |
| Verify that images used on the WP website are not hotlinked by other sites. | 1. Check whether images from our website are posted on another website. For this we can use 2. A plugin to prevent hotlinking should be added to the WP website. | When we pull an image from another website, the image displayed on our site is hosted on the other site's server. In the same way, someone else can post an image from our website on theirs, so our server's bandwidth is consumed displaying the image on their website. Several tools are available to prevent hotlinking. |
| Verify that all unwanted themes are deleted from the WP site. | 1. Go to Appearance and select Themes. 2. Search for inactive themes. 3. Click on theme details and delete the theme. | Inactive themes may be dangerous now or in the future; hackers may be able to access the WP site through an inactive theme. If we want to use a theme again we can download it later, so there is no point keeping inactive themes on the site and leaving a door open for hackers. The same applies to plugins. |
| Verify that users are not allowed to edit PHP files in the WP admin dashboard. | To disable editing of plugin and theme files, paste the relevant code into your wp-config.php file. | If we do not restrict file editing, a hacker who gets into the site can edit files and inject whatever code they want, and the site may be compromised. Access to theme and plugin files should be restricted. |
| Verify the location of the web.config and .htaccess files. | Hackers may access the web.config / .htaccess file by entering the URL `<sitename>wp-config.php`. It shows a blank page, but hackers may access this file by passing the right parameters in the background. To avoid this: 1. Go to your hosting account and select File Manager. 2. Select the website and go to the document root. 3. Edit the .htaccess file and add the line `deny from all`. 4. Click Save Changes. This way we restrict access to our web.config file. | Verify that the web.config file is not accessible to anyone else, and that the .htaccess file is not saved in the root but in a folder, to prevent hackers from tampering with it. |
| Verify that the version number of each plugin is hidden. | To hide the version number we are using, follow these steps: 1. Go to Admin Dashboard > Appearance. 2. Click on Editor and select the active theme. 3. Open the theme functions file and at the very top paste `remove_action('wp_head', 'wp_generator'); // Remove WordPress version from site`. 4. Update the file. The version number in the meta tag in the page source is now hidden. | Hackers can easily find the version of your WP site by viewing the HTML page source. If we are not using the latest version, it is easy to hack the site. If attackers know which WP version you are using it is easier for them to plan an attack, so hiding the version number is an easy preventive option. |
| Verify that no nulled themes are used on the website. | Once you download a theme or plugin, your first task is to scan it for viruses or harmful worms. Open VirusTotal.com (a popular file and theme authenticity checker), upload the zipped file and scan it. A red signal means the file is infected. | No nulled or cracked themes/plugins should be used on the WP website. A few sites provide nulled or cracked themes: a nulled or cracked theme is a hacked version of a premium theme, obtained via illegal means. They are very dangerous for your site: those themes contain hidden malicious code which could destroy your website and database or log your admin credentials. Because of the malicious code in the theme, you sometimes even end up losing your Google ranking. |
| Verify that no URL manipulation is possible on the website. | 1. Try to edit the URL by changing the parameters. 2. Use the tools available for URL manipulation. | The user should not be able to post data by tampering with the inputs. |
| Verify the file upload functionality of the website. | 1. If your website has file upload functionality, go to the file upload option on the website. 2. Upload different types of files. | The user should be able to upload only approved file types; the user should not be able to upload .exe files. |
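The login-related rows above (limited login attempts, password complexity, no reuse of previous passwords, automatic logout) are usually handled by plugins, but they can also be implemented directly so you can see what the check actually enforces. The following is an added example written for this post; it is not code from the original post or from any of the plugins named in the table. It is a must-use plugin (save it as wp-content/mu-plugins/auth-hardening.php) built only on standard WordPress hooks; the thresholds (5 attempts per 15 minutes, 12-character minimum, 5 remembered password hashes, 30-minute session) are assumed values you would tune for your site.

```php
<?php
/**
 * Plugin Name: Auth Hardening (added example, not from the original post)
 * Implements: login attempt limiting, password complexity, no password reuse,
 * and a short session lifetime for sessions without "Remember Me".
 */

// Assumed policy values; adjust per site.
define( 'AH_MAX_ATTEMPTS', 5 );
define( 'AH_LOCKOUT_WINDOW', 15 * MINUTE_IN_SECONDS );
define( 'AH_MIN_LENGTH', 12 );
define( 'AH_HISTORY_SIZE', 5 );
define( 'AH_SESSION_SECONDS', 30 * MINUTE_IN_SECONDS );

/* Key the failure counter on username + client address so one attacker cannot lock out every user. */
function ah_attempt_key( $username ) {
    // REMOTE_ADDR is only meaningful if the web server sets it from the real client (no untrusted proxy in front).
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'ah_fail_' . md5( strtolower( $username ) . '|' . $ip );
}

/* Count failed logins; the transient expires by itself after the window. */
add_action( 'wp_login_failed', function ( $username ) {
    $key = ah_attempt_key( $username );
    set_transient( $key, (int) get_transient( $key ) + 1, AH_LOCKOUT_WINDOW );
} );

/* Priority 30 runs after core's username/password check, so the lockout wins even for a correct password. */
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( '' !== $username && (int) get_transient( ah_attempt_key( $username ) ) >= AH_MAX_ATTEMPTS ) {
        return new WP_Error( 'ah_locked', __( 'Too many failed logins. Try again later.' ) );
    }
    return $user;
}, 30, 3 );

/* A successful login clears the counter for that username/address pair. */
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( ah_attempt_key( $user_login ) );
} );

/* Returns the missing requirement, or null when the password satisfies the policy. */
function ah_password_weakness( $password ) {
    if ( strlen( $password ) < AH_MIN_LENGTH )          return sprintf( __( 'at least %d characters' ), AH_MIN_LENGTH );
    if ( ! preg_match( '/[A-Z]/', $password ) )         return __( 'an uppercase letter' );
    if ( ! preg_match( '/[a-z]/', $password ) )         return __( 'a lowercase letter' );
    if ( ! preg_match( '/[0-9]/', $password ) )         return __( 'a digit' );
    if ( ! preg_match( '/[^A-Za-z0-9]/', $password ) )  return __( 'a special character' );
    return null;
}

/* Compare the candidate against the current hash and the stored history of old hashes (never plaintext). */
function ah_password_reused( $user_id, $password ) {
    $hashes  = array_filter( (array) get_user_meta( $user_id, '_ah_pw_history', true ) );
    $current = get_userdata( $user_id );
    if ( $current ) {
        $hashes[] = $current->user_pass;
    }
    foreach ( $hashes as $hash ) {
        if ( wp_check_password( $password, $hash ) ) {
            return true;
        }
    }
    return false;
}

function ah_validate_new_password( WP_Error $errors, $user_id, $password ) {
    $missing = ah_password_weakness( $password );
    if ( null !== $missing ) {
        $errors->add( 'ah_weak', sprintf( __( 'Password must contain %s.' ), $missing ) );
    } elseif ( $user_id && ah_password_reused( $user_id, $password ) ) {
        $errors->add( 'ah_reused', __( 'That password was used before; choose a new one.' ) );
    }
}

/* Profile screen: core puts the plaintext candidate in $user->user_pass before saving. */
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( ! empty( $user->user_pass ) ) {
        ah_validate_new_password( $errors, $update ? (int) $user->ID : 0, $user->user_pass );
    }
}, 10, 3 );

/* "Lost password" reset form on wp-login.php. */
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( $user instanceof WP_User && isset( $_POST['pass1'] ) && '' !== $_POST['pass1'] ) {
        ah_validate_new_password( $errors, $user->ID, (string) wp_unslash( $_POST['pass1'] ) );
    }
}, 10, 2 );

/* Keep the last AH_HISTORY_SIZE hashes so the reuse check above has something to compare against. */
function ah_remember_hash( $user_id, $old_hash ) {
    $hashes   = array_filter( (array) get_user_meta( $user_id, '_ah_pw_history', true ) );
    $hashes[] = $old_hash;
    update_user_meta( $user_id, '_ah_pw_history', array_slice( $hashes, -AH_HISTORY_SIZE ) );
}
add_action( 'password_reset', function ( $user ) {               // fires before the new hash is written
    ah_remember_hash( $user->ID, $user->user_pass );
} );
add_action( 'profile_update', function ( $user_id, $old ) {      // $old carries the pre-update hash
    $new = get_userdata( $user_id );
    if ( $new && $old && $new->user_pass !== $old->user_pass ) {
        ah_remember_hash( $user_id, $old->user_pass );
    }
}, 10, 2 );

/* Shorter auth cookie when "Remember Me" is not ticked: an abandoned session expires instead of living for days.
   This is a lifetime from login, not a true idle timer; a plugin that tracks activity gives exact idle logout. */
add_filter( 'auth_cookie_expiration', function ( $seconds, $user_id, $remember ) {
    return $remember ? $seconds : AH_SESSION_SECONDS;
}, 10, 3 );
```

To test it, log in with a wrong password six times from the same address and confirm the sixth attempt is refused even with the correct password; then change a password to a short or previously used value and confirm the profile and reset screens reject it with the messages above.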
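Several rows above (database prefix, disallowing file edits from the dashboard, SSL, keeping the site updated) are settings in wp-config.php rather than plugins. This is an added example of that file's relevant section, not code from the original post; the default value is shown next to the hardened one. The random prefix value is an assumed example; every constant used here is a documented WordPress setting.

```php
<?php
// wp-config.php excerpt (added example, not from the original post).
// Place above the "/* That's all, stop editing! */" line.

// Default table prefix is wp_; a site-specific prefix makes table names harder to guess.
// Set this on a fresh install, or migrate existing tables to the new prefix first.
// $table_prefix = 'wp_';              // default (weak)
$table_prefix = 'k3x9q_';             // assumed random prefix

// Remove the theme/plugin file editor from the dashboard, so a compromised admin
// account cannot inject PHP through the browser (the "disallow edit PHP files" row).
define( 'DISALLOW_FILE_EDIT', true );

// Stricter option: also block plugin/theme installs and updates from the dashboard.
// Only enable this if you deploy updates some other way (e.g. from version control),
// otherwise it works against the "keep plugins updated" row.
// define( 'DISALLOW_FILE_MODS', true );

// Force HTTPS for login and the whole admin area, so credentials and session cookies
// never travel in clear text (the "verify SSL is used" row).
define( 'FORCE_SSL_ADMIN', true );

// Let core apply all releases automatically, not only minor security releases.
define( 'WP_AUTO_UPDATE_CORE', true );
```

After saving, load /wp-admin/ over plain http:// and confirm it redirects to https://, and check that the Appearance > Editor and Plugins > Editor menu entries are gone.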
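The "hide the version number" row edits the active theme's functions file, which is lost when the theme changes, and it only removes the head meta tag while feeds and the ?ver= query string on core scripts still reveal the version. The "file upload" row expects only approved types to be accepted. The following must-use plugin is an added example covering both rows; it is not code from the original post. The allowlist of image types plus PDF is an assumed policy; the hooks and functions are standard WordPress ones.

```php
<?php
/**
 * Plugin Name: Disclosure and Upload Hardening (added example, not from the original post)
 * Save as wp-content/mu-plugins/disclosure-upload.php.
 */

/* 1. Version disclosure: the same remove_action as in the table, plus the places it does not cover. */
remove_action( 'wp_head', 'wp_generator' );             // <meta name="generator"> in the page head
add_filter( 'the_generator', '__return_empty_string' ); // generator tag in RSS/Atom feeds and other outputs

// Core scripts and styles are enqueued as ...?ver=<WordPress version>; strip ver when it equals the core version.
function duh_strip_core_version( $src ) {
    if ( false !== strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'duh_strip_core_version', 20 );
add_filter( 'style_loader_src', 'duh_strip_core_version', 20 );

/* 2. Uploads: replace WordPress's broad default list with an explicit allowlist (assumed: images and PDF). */
function duh_allowed_mimes( $mimes ) {
    return array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
        'pdf'          => 'application/pdf',
    );
}
add_filter( 'upload_mimes', 'duh_allowed_mimes' );

// Check the extension against the file's actual content as well, so a renamed executable or
// PHP file with an image extension is rejected rather than stored in wp-content/uploads.
function duh_check_upload( $file ) {
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], duh_allowed_mimes( array() ) );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        $file['error'] = __( 'This file type is not allowed.' );
    }
    return $file;
}
add_filter( 'wp_handle_upload_prefilter', 'duh_check_upload' );
```

To verify, view the page source and the feed URL for any "generator" string or ?ver= value matching your WordPress version, then try uploading a .exe and a .exe renamed to .jpg through Media > Add New: both should be refused with the message above while a real JPEG is accepted.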