Is WordPress safe?
The enormous popularity of WordPress makes it a valuable target for automated hacking attacks. From the point of view of someone who wants to profit, e.g. through data theft, building a botnet or placing spam links, writing a bot that crawls the Internet and exploits bugs in millions of websites is extremely worthwhile. Once written, the program will successively and automatically break into sites and do what it was created for, bringing benefits to its author, unless we fix the problem or protect ourselves in other ways and deny the malware free access to the site.
The statistically high number of attacks on WordPress is not due to the poor quality of its code, but rather to a combination of popularity, an often amateurish approach to system administration, add-ons of varying quality and poor hosting. However, this does not mean that WordPress is insecure. Security updates are published on an ongoing basis, are installed automatically and apply even to older versions of the system. Hosting companies are increasingly willing to offer dedicated software to filter out unwanted actions, and there are plug-ins available to add further security to the CMS.
Popular malware scanner for WordPress
More than two million active installations – that is the number Wordfence Security can boast of, and for many people it is the basic line of defense for WordPress. It is also one of the first results in the plugin repository for “firewall”, “security” and “antivirus”. No wonder – its usefulness, even in the free version, is very high.
Wordfence Security offers, among other things:
- Web Application Firewall, a firewall operating at the server level, before WordPress is executed, which, based on periodically updated rules, filters out requests that are considered dangerous;
- Built-in scanner for CMS source files, plug-ins and templates, and even other files stored in the folder and subfolders where WordPress is installed. Importantly, the scanner not only reports changed files, but can also compare them with the originals and propose removing them (if they are not needed) or replacing them;
- Protection against brute force attacks, which in practice means the ability to set limits for logging in attempts, password reminders, as well as limiting the availability of the website to unwanted robots;
- Anti-spam filter for comments;
- Immediate or regular notifications and Wordfence email reports containing information about attacks, unsuccessful logins, file changes, new users, etc.;
- A few additional small tools, for example disabling code execution in the uploads folder, where WordPress by default stores uploaded files.
New Wordfence interface shipping with version 7.0
The latest version of this popular plugin has been completely redesigned. It’s true that many experienced users are frustrated with this change because it has led to a complete reorganization of all settings. From my point of view, however, this is a very good move. The specialized functions now have their own screens – Firewall, Scanner, Additional tools and General settings.
In the header of each subpage we will see simple counters showing the degree of implemented security measures. It is worth noting that for many of these options it is impossible to reach 100% without buying the premium version. However, I get the impression that the authors of the plug-in approach the subject of security in a responsible way, and most of the premium options concern fine-grained settings that are not available or are automated in the free version (for example, we cannot set up an automatic scan schedule – Wordfence will decide for us when to run scans). The refreshed graphic design has gained in readability. It is more accessible to users, has a clear division into page sections and uses consistent communication by means of the same colours and icons. The limit on the maximum width of the interface is also pleasing, which will be appreciated by users of very large monitors.
How to configure Wordfence Security?
Although the plugin is designed so that most of its functions work immediately after installation, some require manual enabling.
After activating the plugin, you should see a message at the top of the admin panel encouraging you to configure the Web Application Firewall. The firewall works as soon as the plugin is active, but by default it loads as part of WordPress. The advanced configuration of this module makes it possible to filter out some attacks before the basic functions of the system are even started, so it is more efficient.
If we decide on the advanced configuration, the configurator will guide us through the process, detecting the type of server software we use and offering a backup of the .htaccess and php.ini files. The changes that are then made concern the server configuration – if we do not have access to the site’s file system via FTP, or we do not know how to restore the php.ini or .htaccess files if something goes wrong, we had better not take this step, because it may cause us to lose access to the backend of the site. In this case it’s worth asking an expert for help.
Fortunately, the other plugin functions can be configured without any problems using the graphical interface. Individual settings should be adjusted to our needs; the default values that I think are worth changing are described below:
Enabling the scanning of plug-ins and templates
By default, the scanner only analyzes files directly related to the WordPress CMS and excludes installed plug-ins and templates from the scan. Fortunately, even in the free version we can extend the scan to these areas of the system. To change the scanning settings, we must:
- Go to the Scan subpage;
- Choose Scan Options and Scheduling;
- In the section entitled General Options enable Scan theme files against repository versions for changes and Scan plugin files against repository versions for changes;
- Save changes by clicking Save Changes located in the top right corner of the page.
On the next scan, Wordfence will analyze not only the main system files, but also the files of templates and plug-ins in search of malicious code.
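The comparison the scanner performs, reduced to its core, is a file-integrity check: every shipped file is hashed and compared with the hash of the pristine copy, and anything modified, added or missing is reported. The following is an added illustration written for this post, not Wordfence’s own code; the manifest of known-good SHA-256 hashes and the sample plugin tree are constructed inline (Wordfence fetches the reference versions from the wordpress.org repository instead).

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    """Stream a file through SHA-256 (plugin files can be large)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_against_manifest(root, manifest, extensions=(".php", ".js")):
    """Compare files under root with a manifest of known-good SHA-256 hashes
    (relative POSIX path -> hex digest). Returns modified, unknown, missing."""
    root = Path(root)
    report = {"modified": [], "unknown": [], "missing": []}
    seen = set()
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix not in extensions:
            continue
        rel = path.relative_to(root).as_posix()
        seen.add(rel)
        expected = manifest.get(rel)
        if expected is None:
            report["unknown"].append(rel)      # file the repository never shipped
        elif sha256_file(path) != expected:
            report["modified"].append(rel)     # shipped file whose content changed
    report["missing"] = sorted(set(manifest) - seen)
    report["modified"].sort()
    report["unknown"].sort()
    return report

def build_demo_site():
    """Constructed sample: a pristine plugin, a tampered one, and an unexpected file."""
    root = Path(tempfile.mkdtemp())
    (root / "plugins/clean").mkdir(parents=True)
    (root / "plugins/tampered").mkdir(parents=True)
    clean = root / "plugins/clean/clean.php"
    tampered = root / "plugins/tampered/tampered.php"
    clean.write_text("<?php // original plugin code\n")
    tampered.write_text("<?php // original plugin code\n")
    manifest = {"plugins/clean/clean.php": sha256_file(clean),
                "plugins/tampered/tampered.php": sha256_file(tampered),
                "plugins/clean/helper.js": "0" * 64}   # shipped file that is absent
    tampered.write_text("<?php // original plugin code\n// appended after release\n")
    (root / "plugins/clean/extra.php").write_text("<?php // not in the repository\n")
    return root, manifest
```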
Enable e-mail reports
Wordfence can send periodic reports or immediate alerts about current events on the website. It is worthwhile to enable weekly reports – they offer a reasonable overview of the site’s status, for example by informing you about outdated plug-ins. To enable the reports, we need to:
- Click Global Options on the main page (Wordfence Dashboard);
- In the Global Wordfence Options tab locate Where to e-mail alerts and provide our e-mail address;
- In the Alert Preferences tab check the areas of interest. I suggest Alert on critical problems and Alert me when there’s a large increase in attacks detected on my site;
- In Activity Report check Enable e-mail summary, and choose Once a week from the drop-down menu;
- Save changes by clicking Save Changes located in the top right corner of the page.
With such a configuration, every week on our e-mail we will find a clear summary of the website status.
Disable code execution for uploads folder
There are types of attacks that let an attacker upload an arbitrary file into the uploads folder, where WordPress stores uploaded files by default. However, you can prevent any code in this folder from being executed. To do this, you need to:
- Click Global Options on the main page (Wordfence Dashboard);
- In the Global Wordfence Options tab check Disable Code Execution for Uploads directory;
- Save changes by clicking Save Changes located in the top right corner of the page.
With this change, no script can be executed from the uploads folder.
Limitation of logon attempts – protection against brute force attacks
Instead of installing the additional, popular Limit Login Attempts plugin, you can use the options built into Wordfence. The firewall can block sources that make too many login or password-reset attempts, and lets you specify both the number of attempts and the duration of the block. To configure the lockout it is necessary to:
- Navigate to the Firewall subpage;
- Click All Firewall Options;
- In the Brute Force Protection tab locate Lock out after how many login failures and Lock out after how many forgot password attempts and set the threshold at which the user will be locked out;
- In the same tab locate Count failures over what time period and set the period over which the threshold is counted (I suggest an hour), and below it Amount of time a user is locked out, setting how long the lock will last (I suggest 24 hours);
- Save changes by clicking Save Changes located in the top right corner of the page.
In the same area you can also enable automatic blocking when certain usernames are entered. Many scripts start by trying to log in to an “admin”, “administrator” or “root” account. Adding these usernames to the list blocks such attempts before the failure limit is reached. If your account has such a username, you should consider changing it to a more custom and harder to guess one.
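To make the three settings above concrete (failure threshold, the window the failures are counted over, the lock duration) together with the immediate lockout for probe usernames, here is an added model of that logic written for this post, not Wordfence’s implementation. It assumes the lockout is keyed by source IP, uses a constructed default of 5 failures, and takes the post’s suggested one-hour window and 24-hour lock as defaults; the IP addresses in the usage are documentation ranges.

```python
from collections import defaultdict, deque

# Usernames that automated scripts try first (from the post); an attempt with
# one of these locks the source immediately, before the failure threshold.
IMMEDIATE_LOCK_USERNAMES = {"admin", "administrator", "root"}

class LoginLockout:
    """Sliding-window lockout: failures allowed, window they are counted over
    (seconds), and how long a locked source stays locked (seconds)."""

    def __init__(self, max_failures=5, window_seconds=3600, lockout_seconds=86400):
        self.max_failures = max_failures      # constructed default, not a Wordfence value
        self.window = window_seconds          # post suggests one hour
        self.lockout = lockout_seconds        # post suggests 24 hours
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._locked_until = {}               # ip -> time at which the lock expires

    def is_locked(self, ip, now):
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[ip]        # lock has expired
            return False
        return True

    def record_failure(self, ip, username, now):
        """Register a failed login or password reset; True if ip is now locked."""
        if self.is_locked(ip, now):
            return True
        if username.lower() in IMMEDIATE_LOCK_USERNAMES:
            self._locked_until[ip] = now + self.lockout
            return True
        q = self._failures[ip]
        q.append(now)
        while q and q[0] <= now - self.window:   # forget failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout
            q.clear()
            return True
        return False

if __name__ == "__main__":
    guard = LoginLockout(max_failures=3)
    for t in (0, 10, 20):
        print(t, guard.record_failure("203.0.113.5", "editor", t))   # third call locks
```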
Summary
Wordfence Security is an excellent tool for hardening WordPress and for informing administrators about risks. It is worth remembering that no plugin is a panacea and none will protect us from every possible attack. Even the most sophisticated security measures will be useless if we log in via the “admin” account and our password is “administrator”. Hosting companies are also not without fault. Having a large number of scripts on one hosting account without the “open_basedir” restriction can lead to cross-infection and the spread of malware within the hosting account – not all companies block such activity as standard. In this case, protecting and cleaning one site is pointless, as malicious scripts can happily wreak havoc from the other sites.
The installation and configuration of this plugin adds a basic layer of security to your website and, just as importantly, offers e-mail reporting of problems encountered, allowing you to perform manual actions.
Wordfence is of course not the only solution of this type dedicated to the WordPress CMS. If you are using a competing product, leave a comment below and share your opinion on how it compares to Wordfence. I’ll be happy to read what security techniques you’re using on your website.