Hello, this is Yoshida of WordPress Doctor. I would like to share the most basic things you can do to improve the security of your WordPress site. I can’t guarantee 100% protection, but I think these steps will improve your security a great deal.
Introduction – Why hackers target WordPress and what they do
First, let us explain why hackers target WordPress. WordPress is used by an extremely large number of sites around the world. Its vulnerabilities have been publicly disclosed, and on older versions (especially 3.4 to 3.6) it is fairly easy for hackers to gain administrator privileges and rewrite other people’s websites. Once they can do that, the possibilities are wide, but basically hackers tamper with other people’s websites in order to profit in various ways without getting their own hands dirty. The kinds of things hackers do with a tampered website are as follows:
Using the WordPress site as a stepping stone for sending spam emails.
Forcibly redirecting visitors to another site.
Forcing visitors to download malicious software.
Selling goods to users who visited the tampered website.
Displaying arbitrary advertising windows to users who visited the tampered website.
Combining a large number of tampered websites into a botnet and using it as a stepping stone for DDoS attacks.
In many cases the tampered website ends up causing harm to third parties, and the responsibility for that harm falls on the owner of the tampered site, which is a very dangerous position to be in.
How and from where are they hacking?
We believe that more than 70% of hacking attempts come from Russia or China. It is therefore very effective to enable a security firewall such as the feature on Sakura Server and WPX that restricts access to the WordPress admin screen to domestic (Japanese) IP addresses.
Click here for Sakura’s overseas IP blocking function.
As for how the hacking is done, there is software, which I will not name here, that scans a WordPress site and lists its vulnerabilities; the same software can also take over WordPress administration through brute force attacks. The hacker first searches Google for a string specific to WordPress, finds a WordPress site, uses this software to identify the WordPress version, and if the site runs an older version of WordPress or an older plugin, looks for vulnerabilities and tries to break in.
Some versions of WordPress allow an attacker to gain administrator privileges simply by writing a specific string of characters in a comment field. (Conversely, they give up as soon as they realize that it is not easy to break in, because not many people have that kind of powerful hacking ability, and there are 50,000 other vulnerable sites out there.)
Security Measure 1: Keep your WordPress and plugin versions up to date.
The vulnerabilities in the WordPress 3.x series are widely known to hackers and are easy targets. Some of them are so dangerous that they can be exploited to gain administrator privileges simply by writing in the WordPress comment section.
Accessing http://(site URL)/readme.html reveals which version of WordPress is running, and an attacker can read it just as easily as you can, so we recommend keeping WordPress updated to the latest version every three months.
Plugins can also contain vulnerabilities and become an entry point for tampering. Some well-known plugins, including ones with tens of thousands of installations, are notorious for their vulnerabilities, so we recommend updating them every three months as well.
Security measure 2: Use strong login IDs and passwords.
Newer versions of WordPress automatically generate strong passwords. If possible, use the password exactly as WordPress generates it.
If you have updated from an older version of WordPress and are still using the old account, be careful if your administrator name is “admin” and your password contains only letters. Avoid “admin” as the administrator name, and make sure the password is at least 12 characters long and includes single-byte letters, numbers and at least one symbol. You can change the password from “Users” -> “User List” in the administration page.
Security measure 3: Use strong unique keys for wp-config.php authentication
In some cases, the “Authentication Unique Keys” in the wp-config.php file of a client’s WordPress site are still the defaults from the initial installation. These unique keys are used to strengthen the WordPress password when it is handled internally, so please use the ones generated at the URL below (a new set of unique keys is generated each time you access it). (It is fine to change them on a site that is already public; doing so causes no problem.)
It is also a good idea, for security reasons, to change the database table prefix to something other than wp_ before installation. (Please note that changing this setting after installation will result in an authorization error, making the administration screen unusable.)
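The following script is an added example, not WordPress Doctor’s code: it rotates the eight unique keys in wp-config.php with values generated locally from /dev/urandom (instead of fetching them from the generator URL) and reports whether the table prefix is still the default. It assumes the stock define( 'AUTH_KEY', '...' ); layout; rotating the keys invalidates existing login cookies, so everyone simply logs in again.

```shell
#!/bin/sh
# Added example (not WordPress Doctor's code): rotate the eight authentication
# unique keys/salts in wp-config.php using the kernel CSPRNG, and check the
# table prefix. Assumes the stock layout: define( 'AUTH_KEY', '...' );
set -e

WP_SALT_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 64 printable characters from /dev/urandom. Single quote and backslash are
# excluded so the value drops into a PHP single-quoted string unchanged.
random_key() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_=+,.;:<>?~-' < /dev/urandom | head -c 64
}

# rotate_salts <wp-config.php>: rewrite each salt define line, leave the rest.
rotate_salts() {
    cfg=$1
    cp "$cfg" "$cfg.rotating"
    for name in $WP_SALT_NAMES; do
        awk -v key="$name" -v val="$(random_key)" -v q="'" '
            BEGIN { pat = "define\\( *" q key q }
            $0 ~ pat { printf "define( %s%s%s, %s%s%s );\n", q, key, q, q, val, q; next }
            { print }' "$cfg.rotating" > "$cfg.new"
        mv "$cfg.new" "$cfg.rotating"
    done
    mv "$cfg.rotating" "$cfg"
}

# has_default_salts <wp-config.php>: exit 0 if any placeholder value remains.
has_default_salts() {
    grep -q 'put your unique phrase here' "$1"
}

# table_prefix <wp-config.php>: print the configured $table_prefix value
# (anything other than wp_ is what the text above recommends).
table_prefix() {
    sed -n "s/^\$table_prefix *= *'\([^']*\)'.*/\1/p" "$1"
}
```

Run it against a copy of wp-config.php first and diff the result before replacing the live file.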
Security measure 4: Set permissions appropriately!
Of the WordPress folders, only wp-content/uploads, where images and other uploads are saved, needs to be writable.
Hackers take advantage of lax permissions (write permission on folders) to write tampered files into various files and folders. To prevent this, if you want strong security, change all folders and files except wp-content/uploads to “not writable” permissions. (When the system auto-updates, you will need to change the permissions back to the original values, update, and then lock them down again.)
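The script below is an added example, not WordPress Doctor’s code. It locks every file and directory under a WordPress install read-only except wp-content/uploads, lists anything still writable outside uploads, and restores write permission for the update step described above. It assumes the files are owned by the user running it and that the root path is given without a trailing slash; setups where the web server needs group write are not covered.

```shell
#!/bin/sh
# Added example (not WordPress Doctor's code): read-only WordPress tree except
# wp-content/uploads, with an audit and an undo for updates. Assumes the files
# are owned by the current user and <root> has no trailing slash.
set -e

# harden_perms <root>: directories 555, files 444, uploads tree 755/644.
harden_perms() {
    root=$1
    find "$root" -type d -exec chmod 555 {} +
    find "$root" -type f -exec chmod 444 {} +
    # the upload folder is the one place the web server must keep writing
    find "$root/wp-content/uploads" -type d -exec chmod 755 {} +
    find "$root/wp-content/uploads" -type f -exec chmod 644 {} +
}

# relax_perms <root>: restore 755/644 so WordPress can auto-update or install
# plugins; run harden_perms again once the update has finished.
relax_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# writable_outside_uploads <root>: print every path with any write bit set,
# skipping the uploads tree. Empty output means the lock is in place.
writable_outside_uploads() {
    find "$1" -path "$1/wp-content/uploads" -prune -o \
        \( -perm -0200 -o -perm -0020 -o -perm -0002 \) -print
}
```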
Security Measure 5: Prevent brute force attacks on wp-login.php and xmlrpc.php
wp-login.php and xmlrpc.php are the files hackers access in order to mechanically try administrator IDs and passwords by brute force and seize administrator privileges. Such attacks can be prevented to some extent by locking out an IP address after several failed login attempts, or by installing a plugin that adds a CAPTCHA to the login screen.
Loginlockdown
Captcha by BestWebSoft
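As an added example (not WordPress Doctor’s code and not from either plugin above), the script below does what the lockout approach relies on: it counts repeated login-style POSTs to wp-login.php and xmlrpc.php per client address in a combined-format access log and emits Apache 2.4 deny lines for the offenders. The heuristic assumed is that a failed wp-login.php POST is answered with HTTP 200 (the form is redrawn with an error) while a successful one redirects with 302, so only 200-status POSTs count; every xmlrpc.php POST counts. The log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not WordPress Doctor's code): flag addresses hammering
# wp-login.php / xmlrpc.php in a combined-format access log. Assumed heuristic:
# failed wp-login.php POST -> 200, successful -> 302. Constructed sample lines.
set -e

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [10/Oct/2023:13:55:01 +0900] "POST /wp-login.php HTTP/1.1" 200 3482 "-" "python-requests/2.28"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0900] "POST /wp-login.php HTTP/1.1" 200 3482 "-" "python-requests/2.28"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0900] "POST /wp-login.php HTTP/1.1" 200 3482 "-" "python-requests/2.28"
203.0.113.7 - - [10/Oct/2023:13:55:04 +0900] "POST /wp-login.php HTTP/1.1" 200 3482 "-" "python-requests/2.28"
203.0.113.7 - - [10/Oct/2023:13:55:05 +0900] "POST /wp-login.php HTTP/1.1" 200 3482 "-" "python-requests/2.28"
198.51.100.9 - - [10/Oct/2023:13:56:10 +0900] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:11 +0900] "GET /wp-admin/ HTTP/1.1" 200 12034 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:57:00 +0900] "POST /xmlrpc.php HTTP/1.1" 200 421 "-" "curl/8.0"
192.0.2.44 - - [10/Oct/2023:13:57:01 +0900] "POST /xmlrpc.php HTTP/1.1" 200 421 "-" "curl/8.0"
192.0.2.44 - - [10/Oct/2023:13:57:02 +0900] "POST /xmlrpc.php HTTP/1.1" 200 421 "-" "curl/8.0"
EOF

# suspicious_ips <logfile> <threshold>: print "ip count" for each client whose
# failed-login style requests reach the threshold, sorted by address.
suspicious_ips() {
    awk -v limit="$2" '
        $6 == "\"POST" && $9 == 200 && $7 ~ /^\/wp-login\.php/ { n[$1]++ }
        $6 == "\"POST" && $7 ~ /^\/xmlrpc\.php/               { n[$1]++ }
        END { for (ip in n) if (n[ip] >= limit) print ip, n[ip] }' "$1" | sort
}

# block_rules <logfile> <threshold>: Apache 2.4 .htaccess fragment (assumed
# web server) denying the flagged addresses; review it before installing.
block_rules() {
    echo "<RequireAll>"
    echo "    Require all granted"
    suspicious_ips "$1" "$2" | awk '{ print "    Require not ip " $1 }'
    echo "</RequireAll>"
}
```

With a real log, pair the threshold with a time window (for example by feeding only the last few minutes of the log) so that a legitimate user who mistypes a password a few times is not locked out.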
Security Measure 5: Prevent Comment Spam
WordPress comment boxes can be used anonymously, so they are also used for comment spam (posting meaningless URLs in order to obtain links) and, in older versions of WordPress, for cross-site scripting and SQL injection (reading database contents). WordPress does, however, offer strong means of preventing comment spam. Protect your comment section with Akismet, the anti-spam plugin bundled with WordPress, by disabling comments, by adding a CAPTCHA to the comment form, or by other measures.
How do I disable comments?
Go to the WordPress admin page, Settings -> Discussion, and uncheck “Allow comments on new posts”.
Security Measure 6: Install a security plugin!
Recently, various security plugins have appeared in response to the many cases of WordPress tampering. Site Guard is recommended for beginners.
It is the easiest security plugin to set up: just by installing it, it adds a CAPTCHA to the login screen and blocks brute force attacks.
Although it is complicated and difficult to configure, we have installed and configured the following plugin for many of our clients:
All In One WP Security & Firewall
Security Measure 7: Check your staff’s PCs for viruses and review FTP passwords.
WordPress tampering does not only happen through the web; FTP credentials can also be leaked to hackers by viruses. The risk of tampering therefore also exists on the computers of the people who work on the site, so we recommend regularly checking those computers for viruses with commercially available antivirus software.
In addition, once you have been a victim of WordPress tampering, you should assume that your FTP password may also have been leaked. We therefore recommend changing your FTP password on a regular basis. (You can find instructions on how to do this on your server company’s website.)
As an example, please refer to the following link for how to change the FTP password on Sakura server.
How to change your FTP password
Click here for a vulnerability and security assessment of your site.