WordPress is the most popular content management system (CMS), with 45% of all websites running on this platform. But its popularity also attracts all sorts of cyber criminals who exploit many of the platform's security vulnerabilities.
We're always looking out for ways to better your digital experiences with us on the service and security front. We'd like to draw your attention to new security vulnerabilities identified in two popular scripts – WordPress and Magento. Please note that these issues are script-based and are not specific to the OSS Prime platform in any way. Read on to know more about these vulnerabilities, assess whether you could be impacted and take preventive action.
WordPress Vulnerability: A new, serious vulnerability was announced recently which has the potential to cause some damage and disruption. Some versions of WordPress are vulnerable to a stored XSS. An unauthenticated attacker can inject JavaScript in WordPress comments. The script is triggered when the comment is viewed.
Impact: If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors.
Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.
Steps you need to take:
Magento Vulnerability: This is a vulnerability that has been recently reported too. The vulnerability is actually comprised of a chain of several vulnerabilities that ultimately allow an unauthenticated attacker to execute PHP code on the web server.
Impact: The attacker can bypass all security mechanisms and gain control of the store and its complete database, allowing credit card theft or any other administrative access into the system. This attack is not limited to any particular plugin or theme. All the vulnerabilities are present in the Magento core and affect any default installation of both Community and Enterprise Editions.
Steps you need to take: If you are using the mentioned vulnerable versions of Magento or other Shopping Apps, we would request you to patch it using the updates.
You can test whether your Ecommerce / Magento websites are vulnerable or not using various tools.
We strongly recommend you access all your packages and patch them immediately to avoid any issues. In case you require any information regarding this email, please feel free to get in touch with us.
Use a Security Plugin
There are additional ways to harden your website to help keep it secure, such as changing database names and taking advantage of HTTP security headers. All of these require, for the most part, a reasonably high level of technical know-how and time.
Some security plugins also offer features including blacklist monitoring, file scanning, brute force protection, firewalls, and more. They can offer easy ways to tighten up your website security quickly and with limited technical experience.
Buy SSL certificate
Secure your website and customer data! SSL Certificates protect your customer’s personal data including passwords, credit cards and identity information. Getting an SSL certificate is the easiest way to increase your customer’s confidence in your online business.
Rock-solid security to boost customer confidence and better your SEO rankings. Our SSL certificates provide up to 128 or 256-bit encryption for maximum security of your website visitors' data. Many customers actively look for the SSL lock icon before handing over sensitive data. Get an SSL certificate to increase your customer's trust in your online business. Buy SSL certificate Now!
Take a Backup
Backups can be a woefully neglected element of WordPress maintenance. They do, however, play an important role in website security. Having a high-quality backup gives you the ultimate peace of mind that if the worst were to happen and your site was hacked and badly damaged, then you can recover quickly by restoring a previous backup. You can then apply any additional levels of security needed to avoid a hack being repeated.
The truth is, however, WordPress is secure: only 14% of WordPress security vulnerabilities come from core WordPress, and the WordPress organization follows rigorous processes for patching these issues. So, how do WordPress websites get exposed to hackers? More often than not, security vulnerabilities occur from insufficient maintenance.
Protect Your Computer, Avoid Being a Risk Factor
You might be wondering, what does your computer have to do with your website? Easy: If your computer is infected with a virus or other malware and you access your site or upload files to it, those files can infect your website as well. To avoid that, make sure to:
Refrain from using public wifi networks to access your site or use a VPN
Install antivirus software and a firewall and keep them up to date
Regularly run virus and malware checks on your operating system
Update your operating system and other important software (such as your web browser)
Build a Safe Foundation With Trustworthy Web Hosts
Your hosting company is usually the first wall hackers have to break through to access your site. For that reason, the first step towards securing your WordPress website is to invest in a hosting company that implements proper security measures. This includes support for the latest version of PHP, MySQL, and Apache as well as a firewall and 24/7 security monitoring. In addition, check that they offer SFTP or SSH connections instead of the less secure FTP.
Use Themes and Plugins From Trustworthy Sources to Avoid Compromising
As we have already settled, unreliable themes and plugins are one of the main ways WordPress websites get compromised. In order to reduce the risk of that happening, step one is to use only extensions from reputable sources.
That means staying away from nulled, torrented, “free” versions of plugins and themes. Besides cheating developers out of the fruits of their labor, you never know what kind of code might be hidden inside. By uploading them to your site, it’s possible that you are opening backdoors for hackers all by yourself. So, stick with reliable sources such as the theme and plugin directory on WordPress.org or trustworthy premium vendors.
Keep Your Files Secure: Disable the WordPress Theme and Plugin Editor
By default, you have access to a file editor in the WordPress dashboard under Appearance > Theme Editor and Plugins > Plugin Editor.
Check and Change File Permission Levels to Protect Data on Your Server
Files and folders in the WordPress directory on your server all have different permission levels. There are three types: read, write, and execute permissions. They determine whether users can access files, make changes, delete, and run them. The same applies to the contents of directories.
If the wrong ones are in place, this can give people access to files they should not have access to and that they could use to take down your site. On the other hand, if permissions are too strict, they can disable some functionality.
You can check and change this with an FTP client. For example, FileZilla has a column called Permissions right in the user interface. If you have shell access to your server, you can change file permissions recursively with the following commands:
For Directories:
find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;
For Files:
find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;
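Before running the recursive chmod commands above, it helps to see what they would change. The following is an added example, not part of the original article: a shell function (the name audit_wp_perms is an assumption) that lists world-writable entries and anything that deviates from the 755/644 scheme, without modifying the tree.

```shell
#!/bin/sh
# Added example: report permission deviations in a WordPress tree without
# changing anything. audit_wp_perms is a hypothetical helper name.

audit_wp_perms() {
    root=$1
    if [ ! -d "$root" ]; then
        echo "not a directory: $root" >&2
        return 2
    fi

    # Three passes over the tree:
    #  1. world-writable files or directories (any local account can alter them)
    #  2. directories whose mode is not exactly 755
    #  3. regular files whose mode is not exactly 644
    findings=$(
        find "$root" \( -type f -o -type d \) -perm -002 -print | sed 's/^/WORLD-WRITABLE /'
        find "$root" -type d ! -perm 755 -print | sed 's/^/DIR-NOT-755 /'
        find "$root" -type f ! -perm 644 -print | sed 's/^/FILE-NOT-644 /'
    )

    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Run against a path given on the command line, e.g.:
#   sh audit.sh /path/to/your/wordpress/install/
if [ "$#" -gt 0 ]; then
    audit_wp_perms "$1"
fi
```

The function returns 0 when nothing deviates, 1 when it printed findings, and 2 when the path is not a directory.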
Use the Latest Version of PHP to Take Advantage of Security Updates
PHP is what WordPress runs on. It’s present on the server of every website built with the CMS. Just like WordPress, the programming language is constantly under development. New versions come with performance enhancements but also vulnerability fixes.
For that alone, it’s important that you run the latest version. In addition, each new PHP version also only receives support and updates for two years. The currently supported versions are 7.4, 8.0, and 8.1, so it’s highly recommended that you are on one of these. Unfortunately, only a little more than half of the WordPress sites are following that advice.
Harden wp-config.php, Protecting One of Your Most Vital Files
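define( 'WP_CACHE', true );                   // load the caching drop-in (advanced-cache.php)
define( 'DISALLOW_FILE_EDIT', true );         // turn off the dashboard theme and plugin editors
define( 'DISALLOW_FILE_MODS', true );         // also block installing and updating plugins and themes from the dashboard
define( 'AUTOMATIC_UPDATER_DISABLED', true ); // switch off all automatic updates; updates must then be applied manually
define( 'WP_AUTO_UPDATE_CORE', false );       // switch off automatic core updates
define( 'IMAGE_EDIT_OVERWRITE', true );       // keep only one set of edits per image
define( 'COMPRESS_CSS', true );               // compress admin CSS
define( 'COMPRESS_SCRIPTS', true );           // compress admin scripts
define( 'DISABLE_WP_CRON', true );            // stop wp-cron running on page loads; call wp-cron.php from a system cron job instead
define( 'FORCE_SSL_ADMIN', true );            // force HTTPS for logins and the admin area
@ini_set('session.cookie_httponly', true);    // keep PHP session cookies out of reach of JavaScript
@ini_set('session.cookie_secure', true);      // send PHP session cookies over HTTPS only
@ini_set('session.use_only_cookies', true);   // never accept session IDs from the URL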
The file wp-config.php controls lots of important functionality on your site, not least the connection to your database. Without it, your whole site breaks down. Time to learn to protect it. Change your WordPress security keys.
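An added example (not part of the original article) that checks whether the file-editing and SSL constants from the list above are actually active in a wp-config.php. It also flags typographic quotes, which stop a pasted define() from setting the intended constant. The function name check_wp_config and the choice of three constants are assumptions of this example.

```shell
#!/bin/sh
# Added example: check that hardening constants are active in wp-config.php.
# check_wp_config and the constant list are choices made for this example.

check_wp_config() {
    cfg=$1
    if [ ! -r "$cfg" ]; then
        echo "cannot read: $cfg" >&2
        return 2
    fi
    status=0

    # UTF-8 bytes of the left/right single and double typographic quotes
    # (E2 80 98, E2 80 99, E2 80 9C, E2 80 9D), matched byte-wise.
    curly=$(printf '\342\200[\230\231\234\235]')
    if grep 'define' "$cfg" | LC_ALL=C grep -q "$curly"; then
        echo "CURLY-QUOTES in a define() line"
        status=1
    fi

    for name in DISALLOW_FILE_EDIT DISALLOW_FILE_MODS FORCE_SSL_ADMIN; do
        # An active define starts the line (so it is not behind // or #),
        # uses ASCII quotes, and sets the value to true.
        pattern="^[[:space:]]*define\([[:space:]]*['\"]${name}['\"][[:space:]]*,[[:space:]]*(true|TRUE)[[:space:]]*\)"
        if grep -Eq "$pattern" "$cfg"; then
            echo "OK $name"
        else
            echo "MISSING $name"
            status=1
        fi
    done
    return "$status"
}

# Run against a file given on the command line, e.g.:
#   sh check.sh /path/to/your/wordpress/install/wp-config.php
if [ "$#" -gt 0 ]; then
    check_wp_config "$1"
fi
```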
Deny access to wp-config and .htaccess
<Files wp-config.php>
order allow,deny
deny from all
</Files>
<Files .htaccess>
order allow,deny
deny from all
</Files>
Limit Access to wp-login.php to Your Own IP
In addition to the above, you can also add the code snippet below. This will disallow access to the login page of your site to everyone except for the defined IP. Be sure to fill in your own IP address so that you do not lock yourself out! If you don't know your IP address, you can find it here.
# Limit access to wp-login
<Files wp-login.php>
order deny,allow
deny from all
# allow access from my IP address
allow from XXX.XXX.XXX.XXX
</Files>
You can also use this to limit access to wp-admin instead of password protecting it. Place an .htaccess file inside your wp-admin folder and include the following code in it.
# Limit access to wp-admin
<FilesMatch ".*">
order deny,allow
deny from all
# allow access from my IP address
allow from XXX.XXX.XXX.XXX
</FilesMatch>
// Edit your theme's functions.php file and add the following
// Remove WordPress version number from head section
remove_action('wp_head', 'wp_generator');
// Remove WordPress version number from RSS feed
function remove_version_from_rss() {
    return '';
}
add_filter('the_generator', 'remove_version_from_rss');
Quick WordPress Checklist:
1. Update WordPress Version Regularly
2. Use Secure WP-Admin Login Credentials
3. Set Up Safelist and Blocklist for the Admin Page
4. Use Trusted WordPress Themes
5. Install SSL Certificate
6. Remove Unused WordPress Plugins and Themes
7. Enable Two-Factor Authentication for WP-Admin
8. Back Up WordPress Regularly
9. Limit Login Attempts
10. Change the WordPress Login Page URL
11. Log Idle Users Out Automatically
12. Monitor User Activity
13. Check for Malware
14. Disable PHP Error Reporting
15. Migrate to a More Secure Web Host
16. Turn File Editing Off
17. Restrict Access Using the .htaccess File
18. Change the Default WordPress Database Prefix
19. Disable XML-RPC
20. Hide the WordPress Version
21. Block Hotlinking
22. Manage File Permissions
Our WordPress-only servers are updated regularly to address new security issues that may arise. Improving software security is always an ongoing concern, and to that end you should always keep up to date with the latest version of WordPress. Older versions of WordPress are not maintained with security updates. Implement what you can and feel capable of. Security is an iterative process, not a one-and-done deal. You can always do more but the most important thing is to get started.
Your future self will thank you for your foresight.