This section describes the features that should be implemented in the WordPress security plugin.

What security measures are necessary for a WordPress site, based on WordPress attack methods?

The causes of WordPress hacking can be broadly categorized into the following five types.

1. An attacker logs in as administrator after breaking the administrator’s password by brute force

2. Attackers install or modify arbitrary files on the server by exploiting vulnerabilities in plugins and similar software

3. Attackers rewrite the database by exploiting vulnerabilities in plugins and similar software

4. Attackers take advantage of vulnerabilities in other websites hosted on the same server

5. A vulnerability in the server OS or its software itself is exploited

It is difficult to prevent the fifth type with WordPress-level countermeasures. Also, since most websites are located on shared servers without root (OS-level administrator) privileges, improving the security of the server itself is the responsibility of the server administrator.

For this reason, a WordPress site should have a security plugin that makes attacks 1, 2, and 3 as difficult as possible.

Let’s take a look at what features are effective for each of these.

Countermeasure 1: An attacker logs in as administrator after breaking the administrator’s password by brute force.

To prevent this attack, the following features should be implemented in the security plugin.

・A CAPTCHA (a challenge that only humans can solve) can be added to the login screen

・Prevent XML-RPC and REST API attacks

・Change the URL of the login screen

・Prevent WordPress login IDs (usernames) from being discovered

・Temporarily disable login after several failed login attempts (login lockdown)

Also, the most important thing is to make sure that the login password is complex. If the login password is sufficiently complex, the functions above play a supporting role.
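As an added example of the login lockdown feature listed above (this is not code from the article or from WP Doctor’s plugin), the following minimal WordPress plugin counts failed logins per client IP with transients and refuses authentication once a threshold is reached. The `ell_` prefix, the thresholds, and the lockout duration are assumptions chosen for the example.

```php
<?php
/**
 * Plugin Name: Example Login Lockdown
 * Added example: temporarily blocks logins from an IP after repeated failures.
 */
// Assumed thresholds; tune them for the site.
const ELL_MAX_ATTEMPTS = 5;       // failures allowed before the lockdown starts
const ELL_WINDOW_SECS  = 15 * 60; // failures are counted within this window
const ELL_LOCKOUT_SECS = 30 * 60; // how long a locked IP stays blocked

// Key the counters by client IP. REMOTE_ADDR is the TCP peer; behind a reverse proxy
// use the proxy's forwarded address instead, never a client-settable header as-is.
function ell_client_key( $prefix ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return $prefix . md5( $ip );
}

function ell_is_locked() {
    return false !== get_transient( ell_client_key( 'ell_lock_' ) );
}

// Count a failed login and lock the IP once the threshold is reached.
function ell_record_failure( $username ) {
    if ( ell_is_locked() ) {
        return; // attempts made during a lockdown are already rejected
    }
    $key   = ell_client_key( 'ell_fail_' );
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, ELL_WINDOW_SECS );
    if ( $count >= ELL_MAX_ATTEMPTS ) {
        set_transient( ell_client_key( 'ell_lock_' ), time(), ELL_LOCKOUT_SECS );
        delete_transient( $key );
    }
}
add_action( 'wp_login_failed', 'ell_record_failure' );

// Priority 30 runs after WordPress's own username/password checks (priority 20),
// so the lockdown error replaces their result whether or not the password was right.
function ell_check_lockdown( $user, $username, $password ) {
    if ( ell_is_locked() ) {
        return new WP_Error( 'ell_locked', 'Too many failed login attempts. Try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'ell_check_lockdown', 30, 3 );

// A successful login clears the failure counter for this IP.
function ell_clear_failures( $user_login, $user ) {
    delete_transient( ell_client_key( 'ell_fail_' ) );
}
add_action( 'wp_login', 'ell_clear_failures', 10, 2 );
```

Because the lockdown is keyed by IP, a distributed brute-force attack from many addresses is only slowed, not stopped; this is why the complex password remains the primary defense.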

Countermeasure 2: Attackers exploit vulnerabilities in plugins and other software to install or modify arbitrary files on the server.

Exploiting plugin vulnerabilities is the most common attack method against WordPress. To prevent vulnerability attacks, the following features should be implemented in the security plugin.

・Prevent the WordPress version and plugin versions from being disclosed, so that vulnerable versions cannot be identified

・Vulnerability scanning function

・Block vulnerability exploitation attempts at the time of the attack

A common way to block exploitation attempts at the time of the attack is to register multiple patterns matching known vulnerability attacks in the .htaccess file.

Several security plugins have a “prevent version disclosure” function, but in fact very few security plugins have both a “vulnerability scanning” function and a “block vulnerability attacks in advance” function.

WP Doctor’s [Free] WordPress: Malware Scan & Security Plug-in [Malware and Virus Detection and Removal] includes both functions, so please use it if you like.

Another effective way to prevent vulnerability attacks is to update your site’s WordPress core, themes, and plugins frequently so that they stay up to date. (The program’s developers usually fix known vulnerabilities in the latest version of the program.)

Countermeasure 3: Attackers rewrite the database by exploiting vulnerabilities in plugins, etc.

This attack is called SQL injection: it uses a vulnerability in a WordPress plugin or other software to send malicious database-processing code to a vulnerable program on the WordPress site and rewrite the database.

To prevent this type of attack, it is recommended either to set up rules in the .htaccess file that block requests containing SQL injection-specific strings, or to retrieve the entire request and scan its contents for SQL injection patterns before it reaches the application. It is therefore desirable for the security plugin to have a function that scans all queries for SQL injection-specific strings before passing them through.

SQL injection attacks can be blocked by .htaccess settings only when the attack string appears in the URL or in a request header; injection attacks carried in POST data cannot be blocked that way. The free WordPress: Malware Scan & Security Plug-in [Malware and Virus Detection and Removal] also checks POST data and provides a real-time blocking function to prevent such attacks.

We hope you will use this as a reference when selecting a security plugin.