Lionel MM (United States of America) asked:

Wordpress Security

I just read an article this morning from Wordfence which seems to confirm a suspicion I had. Wordfence reports that hackers are targeting Wordpress sites. However, my question is this: is it possible that, depending on the theme and the plugins I use, my sites can be targeted? I have created two brand new Wordpress sites in the last month. Both sites have previously been up and running for two years or more, and during that time none of my reports showed any attempts to hack or access my sites. However, since switching to Wordpress I have had to add Loginizer and Wordfence to my sites to protect them. The sites are using two different free themes, and the one is getting attention from hackers in Russia and Germany (mostly) while the other is getting attacked from Russia and South Africa (mostly, in addition to others). Is it possible that something in the themes or plugins "announces" the sites to hackers, somehow exposing the fact that new Wordpress sites are now online? I am very new to Wordpress but find it very troubling that simply by switching to Wordpress I am now encountering this new unwanted attention. I am on the same hosting company so nothing else has changed.
Patrick Bogers (Netherlands)

Hi,

Wordpress by itself is pretty safe to use. The problems are often in vulnerable plug-ins.
Do your share of googling the plug-ins combined with the word "vulnerable".
The reason you get attention now is that the www is constantly scanned, and wordpress pages tend to be very interesting to hackers.

HTH
hackers are targeting Wordpress sites
This is like saying "bank robbers rob banks."  

You can find out a lot about a site just by looking at the HTML document markup.  For an example of the kinds of things that are exposed, try BuiltWith and use your own URL.

WordPress gets hacked a lot because WP admins unwittingly install plug-ins that are written by idiots.  There are thousands of badly written plug-ins.  The worst ones are obscure, low-activity, unpopular, free.  Avoid these!

Here is a good strategy: Never add a theme or plug-in that is not widely popular and known to be security hardened, according to the official WP site.  Add CAPTCHA tests to all pages that permit client input.  Use Akismet.  Follow the WP developers communications on email, so you will get the first information about security fixes (make a search for "Make WordPress Core").  If you do those things you will probably be OK.
Lionel MM (ASKER)

I have not installed any plugins that were not part of the theme requirements other than the two I already mentioned (loginizer and wordfence). The only other one that I did install was akismet to help cut down on the attempts to login to my sites. I am using free themes but ones available via wordpress (through my hosting company's interface). As I am new to Wordpress I did not want to pay for a theme yet, not before I knew what I was actually looking for, what I actually needed. Still, the fact that I am now getting all this unwanted attention simply because I am using wordpress is what concerns me. When I was using NetObjects to create and publish my websites I had none of this--the one site for the past two years and the other for the past 15 years--and now in the last month it has been relentless attempts. Thus it seems to me that somehow wordpress is "announcing" itself to hackers: "hey look, this is a new wordpress site". I now see every day people trying to get in using the admin username, guessing at other usernames; I have had to resort to allowing only one logon attempt and then locking that IP out for 1 month to try to stop this activity. My question is still: is this activity, because it is a wordpress site, one that hackers find appealing to try and hack? If so then I want to stop all the time I am taking trying to learn this CMS as a replacement for NetObjects.
My question is still: is this activity, because it is a wordpress site, one that hackers find appealing to try and hack?
WordPress has been known to have a number of security flaws that a lot of site operators do not take the time to fix or mitigate, no matter how much information is out there. Therefore, WP sites become an appealing target. Being that you're using a web host that is known to provide WordPress to users if they so desire to use it, it makes it an even more attractive target. If you're going to keep using WordPress, what I will suggest is that you secure it. Check for default settings that are risks, and check for other settings that are potential risks. Same goes for plugins and themes. You just have to keep up to date with what's going on. (And honestly, you should be doing this with any site, regardless of what it's built with and who is hosting it)
@masnrock  you should be doing this with any site, regardless of what it's built with and who is hosting it

True, but just like with a car, I have to keep my car maintenance up to date, but I don't want to buy a car that is well known for poor quality and breaking down. I would prefer paying for a high quality car rather than a poorly designed one.
True but just like with a car, I have to keep my car maintenance up to date
You're already ahead of the game. Continuing your analogy, the problem is that too many people don't maintain their cars. Or for another way of wording it, too many people don't lock their car doors. These are the kinds of things that increase the number of people who target certain systems. Let me ask, have you tried to run any security scans against your WP sites?

If you wanted to look at another CMS, you could look at Drupal, but does it offer everything that you need (both in terms of features and plugins)?
thanks for all that--just had another attack, this time from France, and they "guessed" at one of my admin logons--it is extremely obscure, so how could they find it out? I do not use the standard admin username. Fortunately my defenses locked them out for using the wrong password; I have the lockout set to only allow 1 attempt to logon. Is there a way I can limit admin logons to only one specific IP address?
it is extremely obscure, so how could they find it out?

It's possible to get WordPress to reveal usernames based on ID numbers unless you set WordFence to disable that.  Since ID #1 is always the admin...

(The setting is: Prevent discovery of usernames through '/?author=N' scans, the oEmbed API, and the WordPress REST API)

Is there a way I can limit admin logons to only one specific IP address?

Sort of.  You should be able to set your admin login as a blacklisted account, but then whitelist your IP in WordFence.  This should nail anyone who tries that username unless they are coming from that IP.  Lord help you if that IP changes, though :)
If it makes you feel any better, my WordPress sites (60+) are under near constant attack from bot networks but nothing comes of it due to my settings and good practices.  It just sort of fades into background noise after a while.
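The IP restriction asked about above can also be done without pairing a Wordfence blacklist entry with a whitelisted IP, as a small must-use plugin that refuses new logins for named accounts from anywhere but an allowlist. This is an added example, not code from the thread, Wordfence or Loginizer; the `example_` names, the protected login and the two allowlisted addresses are placeholders to replace with your own.

```php
<?php
/**
 * Plugin Name: Example - IP allowlist for protected logins
 * Description: Added example (not Wordfence, not from this thread). Refuses new logins
 *              for the listed accounts unless the request's REMOTE_ADDR is allowlisted.
 *
 * Save as wp-content/mu-plugins/example-login-ip-allowlist.php. Must-use plugins load
 * automatically and cannot be switched off from the dashboard, so a lockout has to be
 * undone by editing this file over SFTP/FTP: make sure that access works before enabling it.
 */

// Constructed sample values: login names to protect, and the only client IPs allowed to use them.
const EXAMPLE_PROTECTED_LOGINS = array( 'my-obscure-admin' );
const EXAMPLE_ALLOWED_IPS      = array( '203.0.113.10', '2001:db8::10' ); // documentation ranges

/**
 * The address PHP saw the request arrive from. REMOTE_ADDR is used deliberately: headers
 * such as X-Forwarded-For are written by whoever sends the request, so they are only
 * trustworthy when a proxy you control overwrites them. Behind a CDN or reverse proxy,
 * have that layer (or the host) restore the real client address into REMOTE_ADDR first.
 */
function example_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '';
}

/**
 * 'authenticate' filter. Core checks the password at priority 20, so running at 30 lets us
 * see the outcome. Returning a WP_Error for a protected login whether or not the password
 * matched means a caller outside the allowlist learns nothing about the password.
 * wp-login.php and XML-RPC both go through wp_authenticate(), so both paths are covered.
 */
function example_gate_protected_logins( $user, $username, $password ) {
    // Resolve the account name: core may have matched an email address rather than a login.
    $login = $user instanceof WP_User ? $user->user_login : (string) $username;

    $protected = array_map( 'strtolower', EXAMPLE_PROTECTED_LOGINS );
    if ( ! in_array( strtolower( $login ), $protected, true ) ) {
        return $user; // not a protected account: leave core's result untouched
    }

    $ip = example_client_ip();
    if ( in_array( $ip, EXAMPLE_ALLOWED_IPS, true ) ) {
        return $user;
    }

    // Record the refusal in the PHP error log so the attempt is visible to the site owner.
    error_log( sprintf( 'example-login-ip-allowlist: refused "%s" from %s', $login, $ip ) );

    return new WP_Error(
        'example_ip_not_allowed',
        __( '<strong>Error:</strong> Login for this account is not permitted from your location.' )
    );
}
add_filter( 'authenticate', 'example_gate_protected_logins', 30, 3 );
```

Because the refusal is returned as a `WP_Error` from `authenticate`, core still fires `wp_login_failed`, so a lockout plugin keyed on that action counts the attempt as well. Two limits to keep in mind: the gate only affects new logins, so a session cookie issued earlier from another address stays valid until it expires or the user is logged out, and a dynamic home IP will lock the owner out exactly as the Wordfence whitelist would.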
I'm just not used to all this I guess. I do use inmotionhosting for my hosting company and they have been pretty good over the last five years, but as I say I have only started using WP in the last two months. They have an auto-update feature for Wordpress versions that I have enabled, plus Wordfence sends me email when there are newer versions of themes or plugins. What do you mean by using a "child" theme?

All I want is a website that has a few static landing pages (About, Contact, Services, FAQ, and Testimonials) for one site and the other is a personal blog so not sure if Drupal will work or not. Did look at it about 7 years ago and found it too difficult to understand.

I checked my Wordfence settings (Prevent discovery of usernames through '/?author=N' scans, the oEmbed API, and the WordPress REST API) and I had it selected so they discovered that username some other way.
I am using "The Minimal" free theme from https://raratheme.com/wordpress-themes/ for my "landing pages" site and the "Great" free theme from http://alvele.com/ for my blog.
Drupal is still too hard to use for lightweight stuff. Joomla is more of a mess than WordPress in many ways.

For super-lightweight CMS needs, I would actually steer you towards something like Wix or Squarespace as they take on all of the headaches involved with hosting and security.

WordPress has a learning curve, just like any other web application.  If you want to use it, great but until you have some experience with it you may want to look at secure hosting (Again: WPEngine, DreamPress, Bluehost, Flywheel, Siteground) as those types of hosting usually remove the need for you to worry about security, caching, etc.  WPEngine, in particular, does a great job of this.  It's pricey, though...about double normal shared hosting costs.
What do you mean by using a "child" theme?

https://codex.wordpress.org/Child_Themes

It's a way of using a theme but as a separate theme that you can customize, modify, and hack without worrying about changes being blown away in an update.
I am using "The Minimal" free theme from https://raratheme.com/wordpress-themes/ for my "landing pages" site and the "Great" free theme from http://alvele.com/ for my blog.

Never heard of either of them.  Wouldn't trust any free theme that isn't available from the wordpress.org repository.
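As an added example of the child theme idea linked above (not from the codex page, from either theme or from anyone in the thread), this is the `functions.php` of a child of The Minimal. The parent directory name `the-minimal` is an assumption taken from the wordpress.org slug, and the `example_` names are mine.

```php
<?php
/**
 * functions.php of a child theme. Added example, not part of The Minimal theme.
 *
 * A child theme is a second directory under wp-content/themes/ (here: the-minimal-child/)
 * whose style.css header names the parent via "Template:". "Template" must equal the
 * parent's directory name; "the-minimal" is assumed from the wordpress.org slug, so check
 * wp-content/themes/ before relying on it. The child's style.css starts like this:
 *
 *   /*
 *   Theme Name: The Minimal Child
 *   Template:   the-minimal
 *   Version:    1.0.0
 *   */   <- the closing marker of that CSS comment
 *
 * Activate the child under Appearance > Themes. A parent update replaces only the parent's
 * directory, so this file and the child's style.css are left alone.
 */

/**
 * Load the parent's stylesheet first, then the child's own style.css on top of it.
 * get_template_directory_uri() points at the parent, get_stylesheet_uri() at the child.
 * The theme versions act as cache-busters so an update to either file reaches browsers.
 */
function example_child_enqueue_styles() {
    $child  = wp_get_theme();          // the active (child) theme
    $parent = $child->parent();        // WP_Theme of the parent, or false if misconfigured

    wp_enqueue_style(
        'the-minimal-parent-style',
        get_template_directory_uri() . '/style.css',
        array(),
        $parent ? $parent->get( 'Version' ) : null
    );
    wp_enqueue_style(
        'the-minimal-child-style',
        get_stylesheet_uri(),
        array( 'the-minimal-parent-style' ),
        $child->get( 'Version' )
    );
}
add_action( 'wp_enqueue_scripts', 'example_child_enqueue_styles' );

/**
 * The point of the child: customisations live here instead of in the parent's files.
 * As one change that would otherwise be lost on the next parent update, drop the
 * <meta name="generator"> tag that prints the exact WordPress version into every page.
 */
remove_action( 'wp_head', 'wp_generator' );
```

The enqueue pattern matters because many themes register `get_stylesheet_uri()` for their own CSS, which in a child resolves to the child's (near-empty) `style.css` and silently drops the parent's styling; loading the parent file explicitly and listing it as a dependency keeps the order right.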
Wouldn't trust any free theme that isn't available from the wordpress.org repository
that is where I got them from -- did not go to their sites -- provided their sites as an FYI.
Both themes are available from the wordpress.org repository.

The Minimal - https://wordpress.org/themes/the-minimal/
Great - https://wordpress.org/themes/great/

Just to confirm, what version of Wordpress are you currently using?
It may have been too subtle, so I'll highlight it here again...
(or whose business IS to distribute insecure plugins and themes).
What Jason is proposing for your consideration is the possibility that someone who publishes a theme or plug-in might have malicious intent.  The unwitting users of the "free" software may find themselves victims of attack software, ransomware, or may discover that their new WordPress plug-in is designed to inject evil JavaScript into their site visitors' browsers.  That's why we only ever use themes and plug-ins from the official repository.  This is what I was referring to above, where I posted a link to the official repository.
It may have been too subtle

I was pretty proud of how I worked that in there.
One thing you should consider (and maybe you already have) is a plugin that eliminates the standard

www.domainname.com/wp-admin

You want one that has a different login parameter (I'm sure others here will know which plugins will do that since I am not 100 percent up to date on wordpress.) So instead they have to go to a custom login such as www.domainname.com/blahblahyahawhoopie to get to the wp-admin login page.

Rowby
I appreciate what you were trying to say, and even though I got it on the first go around I don't mind the repetition, as I get how important these issues are, so thank you for your time in making sure I get the point. The only reason I was using the free themes was because I am in the process of learning WP and still not sure exactly what features I want, so I tried to use free themes from the WP repository. I have learned along the way that it is a good idea to not use themes in their 1.? versions, as these are not yet fully tested by community use, so I do plan to delete my blog in the not too distant future and start over from scratch, as that theme is a 1.2 version, but that is not the one with the most attacks. I do plan to export all my content and import it back into my new site. I will also look into some of the hosting companies mentioned, but I am familiar with siteground and it is no better than what I have now -- I was using siteground for about 2 years until I left because of support issues. I have heard of the plugin that gets rid of the standard login URL so I will look into that to help further secure my sites. Again thank you for your time and input thus far.
That's why we only ever use themes and plug-ins from the official repository.

There are a few exceptions to this.  Several theme frameworks are not available in the repo because they are paid objects.  Specifically Thesis, Genesis, WooThemes and Elegant Themes are all time-tested and secure platforms with development and security teams who address issues as fast as possible.
Recall my comment about my username being very obscure above? Well, I just figured out how they "guessed" what it was. Both themes I am using, as well as several others I tried since discovering this, show the blog's author even if I try to hide it with a nickname -- however, when you click on the nickname the URL shows the actual username. That is how they are getting which usernames to try. How do I prevent that? Granted, I have it set up so that they only get one try to guess and then are locked out for 1440 minutes, but I would prefer a solution that will not even allow my usernames to be "guessed" at or discovered. Or is this a theme dependent issue? Thanks.
Sounds like you need to edit the theme to remove author links.
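Editing the theme is one fix; the must-use plugin below is an added example (not from the thread, Wordfence or either theme) that closes the same leak independently of the theme, and also covers the `?author=N`, REST API and oEmbed paths quoted earlier in the thread. It uses WordPress core hooks only; the `example_` function names are mine.

```php
<?php
/**
 * Plugin Name: Example - stop username disclosure
 * Description: Added example (not Wordfence, not from this thread). Closes the usual places
 *              WordPress hands out the login-derived author slug, independent of the theme.
 *
 * Save as wp-content/mu-plugins/example-hide-usernames.php.
 */

/**
 * 1. Author archives. Both ?author=N and /author/<slug>/ resolve to an author query.
 *    Hooking before redirect_canonical() (which runs on template_redirect at priority 10)
 *    matters: otherwise ?author=1 answers with a 301 whose Location header already contains
 *    the slug, which is exactly what an enumeration scan reads.
 */
function example_block_author_archives() {
    if ( is_author() ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}
add_action( 'template_redirect', 'example_block_author_archives', 1 );

/**
 * 2. REST API. /wp-json/wp/v2/users lists every account with published posts (slug included)
 *    to anonymous callers. Keep the routes for users who may list users in wp-admin;
 *    /wp/v2/users/me is a separate route and stays available to the editor.
 */
function example_restrict_rest_users( $endpoints ) {
    if ( ! current_user_can( 'list_users' ) ) {
        unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
}
add_filter( 'rest_endpoints', 'example_restrict_rest_users' );

/**
 * 3. oEmbed. /wp-json/oembed/1.0/embed?url=<post> returns author_name and author_url,
 *    the latter being the author archive URL with the slug in it.
 */
function example_strip_oembed_author( $data ) {
    unset( $data['author_name'], $data['author_url'] );
    return $data;
}
add_filter( 'oembed_response_data', 'example_strip_oembed_author' );

/**
 * 4. Theme author links. the_author_posts_link() and friends build their href with
 *    get_author_posts_url(), whose result passes through the 'author_link' filter. Sending
 *    it to the home page keeps the displayed nickname but removes the slug from the markup.
 *    Themes that print the_author_meta('user_nicename') directly bypass this filter, so
 *    view the page source of a post afterwards and confirm the login name is gone.
 */
function example_neutralise_author_link( $link ) {
    return home_url( '/' );
}
add_filter( 'author_link', 'example_neutralise_author_link' );
```

The slug in those URLs is `user_nicename`, which WordPress derives from the login name when the account is created and never changes on its own; the filters above stop it being shown but do not rename it. If the name has already been scraped, the lasting fix is a new slug (`wp_update_user( array( 'ID' => $id, 'user_nicename' => 'some-other-slug' ) )`, since the Users screen does not expose the field) or a fresh administrator account with the old one deleted and its posts reattributed. Items 1 to 3 correspond to what the Wordfence option quoted above covers; item 4 is the theme link that the asker found was still leaking the name.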
thanks for all the help