All organizations should implement a strong cybersecurity program that includes regular patching and security software as a best practice. The more popular a program is, the more vulnerable it can be to sophisticated attacks, or even simply efforts to phish the credentials of key users. One such program is WordPress. WorldPress is an overwhelmingly popular content management system (CMS) used by organizations around the globe to power websites and web applications. It is an open-source CMS often paired with a MySQL or MariaDB database that offers many different options for customization including themes and plugin architecture. While all of these features make WordPress a highly desirable tool, they also make it a target.
What can make WordPress insecure?
Due to its overwhelming popularity, WordPress has a target on its back and is more likely to be targeted by hackers due to the sheer number of accounts. As we know, human error is a key factor in many security incidents, and the sheer number of WordPress users translates to a higher number of entry points for threat actors. Without using complex, unique passwords to secure your WordPress account, you are vulnerable to any number of potential attacks.
Another factor that can make WordPress insecure is its support for customization via plugin architecture. Basically, if you want to go beyond the core functionality of WordPress, you will need to add in some extra plugins. WordPress has their own plugins directory, but if you wander outside of this, be very careful of where you source your plugins from.
Exercise the same caution when downloading external plugins that you would when downloading a file from a website; always ensure the site is trusted.
Should my organization use WordPress?
There are many reasons WordPress is one of the most widely used content management systems worldwide. In addition to being highly customizable, it is also easy to use, giving organizations great flexibility over the implementation and management, and it is completely free. All of these allow you to build extensive functionality and expand your WordPress using plug-ins.
Is WordPress safe? Well, that depends on how you take care of it, just like any other program.
WordPress is no different. When regularly updated, WordPress has a strong security team that keeps the core of it all very secure. Their security team works around the clock to identify vulnerabilities and deploy patches, so be prepared when those new updates are released. With WordPress’ easy-to-use approach, it is just as easy to forget about it, leaving it vulnerable to exploitation without routine updates and support.
Exposed WordPress admin login
One of our most commonly seen contingencies these days is related to WordPress. Since WordPress is so popular we run into exposed admin logins more than we would like to. When these logins are publicly accessible, threat actors can target them to gain privileged admin access to companies' entire websites or content management systems. In many cases, this can lead to losing complete control of the domain. This specific attack tends to be a little easier for hackers due to the well-known address for this panel: all Wordpress systems have an admin login at “/wp-admin”. In order to prevent a brute force attack on your WordPress Admin page, we suggest the following:
- Implement WPS Hide Login Plugin: Adding this plugin would allow you to change the URL to your admin login of your choice. This makes it more difficult for the attacker to gain access to the login page if they do not know where to find it.
- Implement iThemes Security Plugin: Adding this plugin creates an overall security suite for your site which includes monitoring suspicious activity, preventing attacks, scanning for updates as well as changing backend URLS. It is ideal for organizations running multiple Wordpress sites.
How to secure your WordPress instance
Security can seem inconvenient and time-consuming, but small steps go a long way and there are many tools to assist with these steps. In addition to the previous recommendation to specifically protect against WordPress admin login brute forces, here are some steps that you can take to help secure your WordPress overall:
- Keep WordPress, plugins and themes up-to-date.
- Implement strong and unique passwords. Password managers help create and store passwords.
- Enable SSL to enforce a secure connection.
- Implement security plugins such as Google ReCaptcha, WPS Hide Login or plugins that scan your website for malware.
- Implement a WordPress Firewall plugin — a web application firewall (WAF) can prevent security threats from entering your site by monitoring incoming requests between your site and the internet.
- Eliminate the need for passwords by using a more secure way of logging in such as SSH keys.
- Implement multi-factor authentication (MFA).
- Make sure to secure any staging environments by making them non-publicly accessible.
Implement cybersecurity best practices
All security professionals know — no technology is completely secure. Proper schedules of patching and regular updates will help keep your organization’s WordPress instance from becoming the target of threat actors.
Coalition offers a wealth of resources to help businesses implement good cybersecurity practices, including our Cybersecurity Guide, which outlines additional best practices every organization should implement as part of a strong cybersecurity program.