In recent weeks, the 3B DFIR team has seen a notable increase in the number of clients seeking help with a data breach of their WordPress environments.  Magento remains the most popular eCommerce platform in use globally, but WordPress is on the rise with approximately 30% of the global share.  Has this rise in popularity, coupled with Magento 1 reaching end of life, turned the attention of attackers towards WordPress?  It is far too early to answer that question, but WordPress, if not secured appropriately, is as vulnerable as early versions of Magento, making it a prime target for those looking to capitalise on low-hanging fruit and the rewards that a breach of a card data environment can bring.

Like many content management systems, WordPress is designed to be easy to set up, configure and manage without requiring in-depth knowledge of web development.  However, this comes with grave risks: security controls are not implemented by default, and implementing them requires knowledge and experience.  In addition, WordPress relies on plugins to provide the configurable functionality needed to build the website you require.

At the time of writing this blog, the official WordPress website listed 57,224 plugins available to customise all elements of your website.  Of those plugins, one WordPress vulnerability database (WPVulnDB) identified 47 vulnerable plugins in August 2020 that expose websites to attacks such as cross-site scripting, arbitrary file upload, SQL injection, information disclosure, directory listing, PHP injection and arbitrary file download.

WordPress is open source and relies on a global community to develop its themes and plugins.  Whilst this may seem like a good idea, from an attacker's point of view it means that all the code is publicly available for them to test, probe and exploit.  The WordPress plugin store also lists the number of installations of each theme or plugin, telling attackers exactly which plugins are the most widely used.

So if you're running a WordPress website, or thinking about using WordPress, what can you do to ensure you're not the low-hanging fruit the attackers are looking for?

Following these simple steps will improve your overall security posture and help prevent the most common WordPress breach: compromised user credentials used to gain unauthorised access to the WordPress content management system.

1. Keep WordPress, Themes and Plugins Updated

Regularly check for updates to the core WordPress code and to all themes and plugins in use.  You must ensure that you are running the latest version at all times.  The global WordPress community does what it can to identify vulnerabilities and notify developers so that patched updates can be released.  However, attackers continue to profit from websites where vulnerable versions of software are still in use.  Subscribing to wpvulndb.com will alert you to any software identified as vulnerable, allowing you to upgrade if a patch is available, or to disable the vulnerable plugin until a patch is released.

Any plugins and themes that are no longer required should be removed so that they cannot expose your website to vulnerabilities.  Even if a plugin is no longer in use, its presence within your website may still expose you to its vulnerabilities.

2. Source Software from Recognised Distributors

Only install plugins from recognised and reputable distributors, such as the official WordPress store.  Due to the open source nature of WordPress, anyone can develop software for it and make it available on the internet, including attackers who purposely embed back-doors or vulnerabilities.

3. Manage User Accounts

All administrative access should be limited to those who have a genuine business need, and this access should be granted on a least-privilege basis, meaning that access is granted only to the minimum areas the user requires to perform their role.  A regular audit of all user accounts should be conducted, and all unknown or obsolete accounts disabled and then deleted.

WordPress began life as a content management system for creating blog sites and therefore contains functionality that allows anyone to register for a subscriber account, providing limited access within the CMS.  If you operate a website such as an eCommerce store, there is no requirement for subscribers of this kind, and the functionality should be disabled.  Recent vulnerabilities have allowed subscriber accounts to be escalated to full administrative accounts.

4. Protect Administrative Access

By default, the WordPress CMS login web page is located at the URL /wp-admin.  This default URL is widely known and publicly accessible, making it a perfect attack surface for an attacker.  The WordPress CMS login web page should be moved to a URL known only to those who require access.  On its own this step will not adequately protect the login page, and many WordPress plugins expose the URL, so additional security should be applied by restricting access to the web page by originating URL.  This can be achieved with either a .htaccess file or a plugin such as WPS Hide Login.

In addition, multi-factor authentication should be introduced for all administrative access: the WordPress CMS, all other administrative remote access such as cPanel or phpMyAdmin, and any remote server access such as Secure Shell.

WordPress installs with a default API located at the URL /xmlrpc.php.  Many sites have no need for this API, and it should therefore be disabled.  This API is vulnerable to brute-force attacks because it is protected by the same usernames and passwords used for administrative access to the WordPress CMS.
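As an added example of the .htaccess approach mentioned above (not part of the original post), the following fragment for the WordPress document root restricts wp-login.php to a known administrator source IP address and disables xmlrpc.php entirely.  It assumes Apache 2.4 (the Require directive) and uses 203.0.113.10 as a placeholder for the administrators' fixed address.

```apache
# Added example, not from the original post.  Assumes Apache 2.4 and that
# 203.0.113.10 is a placeholder for the administrators' fixed source IP.

# Only known administrator addresses may reach the login page; every other
# source receives a 403 before WordPress ever sees the credentials.
<Files "wp-login.php">
    Require ip 203.0.113.10
</Files>

# The XML-RPC API shares the CMS usernames and passwords, so unless a site
# genuinely depends on it, deny it to everyone.
<Files "xmlrpc.php">
    Require all denied
</Files>
```

If the site sits behind a CDN or reverse proxy, Apache sees the proxy's address rather than the visitor's, so mod_remoteip (or an equivalent) must be configured before an IP restriction like this is meaningful.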

5. Strong Passwords

All passwords used across the WordPress CMS and for all other administrative access should be of sufficient complexity that they cannot be easily guessed or brute-forced.  A strong password should meet the following standards:

  • Uppercase characters
  • Lowercase characters
  • Numerical characters
  • Special characters
  • A minimum length of 10 characters

Administrative passwords should be changed on a regular basis, at least every 90 days.  Tools such as password managers or vaults are a great way to secure passwords, and they can generate complex passwords that you do not need to remember because they are stored in the vault.  Passwords used for administrative access must not be reused elsewhere, such as for private use on social media or the like.

6. Security Monitoring and Protection

There are many plugins developed for WordPress to improve and monitor a website's security.  You should seek to implement tools that can monitor file integrity for unauthorised changes, identify malware, and monitor incoming traffic for indicators of a compromise or attack (a Web Application Firewall).  One fantastic tool that provides all of this security functionality and much more is Wordfence.  Designed specifically to secure WordPress environments, it includes a WAF, malware scanner, vulnerability scanner, activity monitor, two-factor authentication and country blocking.

If you require any assistance securing, testing or vulnerability scanning your WordPress environment, or ensuring it is compliant with industry standards, please contact 3B Data Security.