Within a month of building our first WordPress blog from the Azure Marketplace, we discovered that the website had been hacked. It had been injected with code we couldn’t find how to access and showed more than 20 additional blog posts pointing to random software download pages, all running from our custom domain with SSL!
We were fortunate to have noticed those extra posts as soon as we did – and before the domain’s reputation was compromised. We immediately deleted the hacked posts, and exported an XML file of our website contents for importing into a newly built ‘clean’ website infrastructure if necessary – which it was. It turned out to be faster and safer to rebuild the website than to discover exactly how and where ‘they’ had gotten in and the extent of the back-end infrastructure infiltration. Time was better spent learning how to secure and harden our WordPress website!
We really had no idea how vulnerable we had left the website – virtually all of the main ‘doors’ of illegal access to our admin dashboard had been left open! We had Azure Web Service Backups running automatically – but we were also backing up the corrupted elements of the website. A restore was not the option to clean up the website – except we could have restored back to the point before we added any blog posts and, hopefully, before being hacked. (We chose to totally rebuild the website infrastructure and apply the security and hardening we should have learned about in the beginning! After applying the new security elements, we imported the content.xml file without the ‘rogue’ posts and the website was up and running again – and as of writing this, has not been hacked again. But, it must be noted, keeping a site secure and active requires ongoing monitoring and action. A good security plugin to do that helps tremendously.)
Starting out, our understanding was that WordPress core software was very secure – but we hadn’t checked out the basic security concepts outlined by the WordPress Codex. We had wrongly assumed that using the Azure host platform, a custom domain and Secure Sockets Layer (SSL) would suffice to protect our site and data while we got our ‘under the radar’ WordPress blog started. We should have done a cursory internet search on the ‘low-hanging fruit’ vulnerabilities of a WordPress site before making the site public. Just do a search on ‘WordPress Security Best Practices’ – at the time of this writing, you’ll get more than 5M results!
The WordPress Codex page on ‘Hardening WordPress’ is a good place to start learning about required WP security. “This article will introduce you to basic security concepts and serve as an introductory guide to making your WordPress website more secure.”
Our initial mistake? Embarrassingly, we didn’t insist on the use of strong WP-generated passwords, but had allowed ‘weaker’ passwords for the convenience of two website administrators. That glaring mistake moved us to finally enforce using a password manager (LastPass) and only allowing WP ‘Strong’-category passwords for all logins to the website’s back end. And then, after reading, reviewing and testing many security options, we ended up buying the iThemes Security Pro plugin to be able to easily implement most of the changes needed.
This is an excellent list, ‘15 Ways to Harden the Security of your WordPress Site’ (I’ve added in parentheses how we do each):
- Keep WordPress core, themes and plugins up to date (We now test all updates manually on a dev website first, and then apply the updates to the production sites. In the past, some automatic updates of WP, our Theme and the various plugins have had conflicts arise, potentially shutting down a website.)
- Only install trusted & current WordPress Plugins and Themes (As mentioned in Chapter 2, we use Divi – a premium theme that is constantly being updated, developed, and supported.)
- Remove unused Plugins and Themes
- Install a WordPress Security Plugin (We use iThemes Security Pro, a premium plugin; however, the free ShieldSecurity is another excellent plugin to accomplish many of the basic WP hardening options)
- Have a reliable, tested backup/restore procedure (Azure Web Services Backup)
- Enforce strong passwords and usernames (Done for us via iThemes Security Pro)
- Don’t use ‘admin’ as a username (Done for us via iThemes Security Pro)
- Limit login attempts (Done for us via iThemes Security Pro)
- Monitor incoming attacks (Done for us via iThemes Security Pro)
- Use SSL for Data Security (via Azure Web App Services)
- Hide your WordPress version (We add this code, edited from the online article, to the child theme’s functions.php file)

```php
/**
 * Hide WP version strings from scripts and styles
 * @return {string} $src
 * @filter script_loader_src
 * @filter style_loader_src
 */
function fjarrett_remove_wp_version_strings( $src ) {
    global $wp_version;
    // Only strip ?ver= when it equals the core version; plugin/theme asset
    // versions are left alone so their cache-busting keeps working.
    $query_string = parse_url( $src, PHP_URL_QUERY );
    if ( empty( $query_string ) ) {
        return $src; // no query string, nothing to strip
    }
    parse_str( $query_string, $query );
    if ( ! empty( $query['ver'] ) && $query['ver'] === $wp_version ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'fjarrett_remove_wp_version_strings' );
add_filter( 'style_loader_src', 'fjarrett_remove_wp_version_strings' );

/* Hide WP version from the <meta name="generator"> tag and feeds */
function wpmudev_remove_version() {
    return '';
}
add_filter( 'the_generator', 'wpmudev_remove_version' );
```
- Relocate or rename the Login page (Done for us via iThemes Pro)
- Secure the wp-config file (Done for us via iThemes Pro)
- Use a secure hosting environment (We use Azure Web App Services)
- I’ll add one more caveat – use a plugin that will block directory browsing to prevent access to the website’s directory listing. For example, WordPress does not prevent directory browsing in the wp-content/uploads directory. Since all files uploaded to the site go here, private content is available to anyone who knows about this weakness. This is also a good test to check if your WordPress site is secure! (iThemes Security Pro allows us to block directory browsing on all of our public and private sites.) A website with securely blocked directory browsing will give this error, rather than a file listing, when attempting to access the /wp-content/uploads page:
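Two of the items above (hiding the WordPress version with the functions.php filters, and blocking directory browsing of wp-content/uploads) are easy to verify against your own site once applied. The following is an added example, not code from the original post or from iThemes: a small offline audit that takes the HTML of a page and the response to a request for the uploads directory, reports any place the site’s own WordPress version still shows, and tells you whether a directory listing came back. The sample HTML, hostnames (`example.invalid`) and the version string are constructed for the demonstration; feed it real responses (for instance from `urllib.request`) to check a live site you administer.

```python
"""Offline checks for two hardening items: version leakage and uploads browsing.

Added example (not the original author's or plugin's code). All sample HTML
and the version string below are constructed test data.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


class _PageScanner(HTMLParser):
    """Collects the generator meta tag and every script/style URL carrying ?ver=."""

    def __init__(self):
        super().__init__()
        self.generator = None        # content of <meta name="generator">, if present
        self.versioned_assets = []   # (url, ver) for <script src> / <link href> with ?ver=

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.generator = a.get("content", "")
        elif tag in ("script", "link"):
            url = a.get("src") or a.get("href")
            if url:
                ver = parse_qs(urlparse(url).query).get("ver")
                if ver:
                    self.versioned_assets.append((url, ver[0]))


def find_version_leaks(html, wp_version):
    """Return (where, value) pairs for each place the site's core version is exposed.

    wp_version is the version the administrator knows the site runs. Only asset
    URLs whose ?ver= equals it are reported, mirroring the functions.php filter,
    which leaves plugin and theme asset versions untouched.
    """
    scanner = _PageScanner()
    scanner.feed(html)
    leaks = []
    if scanner.generator and "wordpress" in scanner.generator.lower():
        leaks.append(("generator-meta", scanner.generator))
    for url, ver in scanner.versioned_assets:
        if ver == wp_version:
            leaks.append(("asset-ver", url))
    return leaks


def directory_listing_exposed(status, body):
    """True when a request for a directory returned an index listing.

    Apache listings carry '<title>Index of /...'; IIS directory browsing (as on
    Azure Web Apps) emits a '[To Parent Directory]' link. Any non-200 status
    (403/404 after blocking) means browsing is not exposed, whatever the body.
    """
    if status != 200:
        return False
    low = body.lower()
    return "<title>index of " in low or "[to parent directory]" in low


def audit(page_html, wp_version, uploads_status, uploads_body):
    """Combine both checks into one report dict."""
    return {
        "version_leaks": find_version_leaks(page_html, wp_version),
        "uploads_browsable": directory_listing_exposed(uploads_status, uploads_body),
    }


# --- constructed sample data -------------------------------------------------
SAMPLE_WP_VERSION = "4.9.8"  # constructed; use the version your site actually runs

LEAKY_PAGE = """<html><head>
<meta name="generator" content="WordPress 4.9.8">
<link rel="stylesheet" href="https://example.invalid/wp-includes/css/dashicons.min.css?ver=4.9.8">
<script src="https://example.invalid/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
<script src="https://example.invalid/wp-content/plugins/foo/foo.js?ver=2.0.1"></script>
</head><body></body></html>"""

HARDENED_PAGE = """<html><head>
<link rel="stylesheet" href="https://example.invalid/wp-includes/css/dashicons.min.css">
<script src="https://example.invalid/wp-content/plugins/foo/foo.js?ver=2.0.1"></script>
</head><body></body></html>"""

IIS_LISTING = """<html><head><title>example.invalid - /wp-content/uploads/</title></head>
<body><H1>example.invalid - /wp-content/uploads/</H1><hr>
<A HREF="/wp-content/">[To Parent Directory]</A><br><br>
 3/14/2017  9:02 AM  48211 <A HREF="/wp-content/uploads/2017/03/contract-draft.pdf">contract-draft.pdf</A>
</body></html>"""

if __name__ == "__main__":
    print("before hardening:", audit(LEAKY_PAGE, SAMPLE_WP_VERSION, 200, IIS_LISTING))
    print("after hardening: ", audit(HARDENED_PAGE, SAMPLE_WP_VERSION, 403, "<html>Forbidden</html>"))
```

Note that the jQuery asset in the sample keeps its own `?ver=1.12.4` and is not reported: like the filter above, the check only cares about the core version, which is what an attacker would match against known WordPress advisories.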
Using iThemes Security Pro, we have taken advantage of more than 30 features offered by the plugin to protect our websites from external and internal hacks.
It is ALSO important to do a full backup before making changes to plugins or updating them. We have run into issues with having too much locked down when other plugins or even WordPress updates need to happen. And, like other plugins, free or paid, we’ve run into updates that won’t install and have automatically uninstalled the plugin when the update failed! We provide solutions for this and other problems we’ve run into in the troubleshooting post – Use Azure’s Kudu UI to Fix WordPress Update Failures