Making WordPress Site – Spam and Hack Proof
WordPress is a powerful application in the world of CMS (Content Management System) platforms, and anyone can launch a website on WordPress within an hour using any standard hosting plan.
But as the saying goes, with great power comes great responsibility, and those superhuman skills should come with mindful steps when it comes to WordPress security.
Don’t worry: I am not going to talk about anything beyond your power to keep your WordPress website running securely 24×7.
As per statistics, most hacked websites are WordPress websites. How many, you may ask? The answer: 90% of websites hacked around the globe are WordPress websites.
According to W3Techs, WordPress held a CMS market share of 65% as of 6 Feb 2022. The growing popularity of WordPress makes it increasingly likely that you will end up setting up a website on WordPress.
And don’t get me wrong, WordPress is a great tool when it comes to CMS, and with the right knowledge and action it will help you stay ahead of any vulnerabilities.
As WordPress is open source, its code is publicly available, which helps attackers look into the code, find vulnerabilities, and use them to attack any website.
Now let’s jump into the step-by-step process of securing your WordPress website.
Selecting A Right WordPress Hosting
Selecting the right web hosting for your WordPress website is very important when it comes to WordPress security.
Just as no house is built to fit every type of family, no two hosting services are structured the same way, and no hosting account fits all requirements, especially when it comes to WordPress.
Our WordPress Hosting service is built from the ground up just for WordPress and is designed to keep your website secure and fast.
For example, in 2021 a total of 780,627,213 attack attempts were blocked by our firewall, a 65% increase compared to 2020.
I broke down this data further to explain which attacks were most commonly attempted against our hosted WordPress websites.
Types of WordPress Attack
Bad Bots
Bad bots are software applications that continuously crawl the internet and run automated tasks with malicious intent.
Our WAF rules are triggered as soon as they detect a malicious bot accessing a website. For reference, we detect and block bad bots that consume a lot of resources or repeatedly attempt to access restricted locations such as /wp-admin or /wp-login.php.
If you want to learn more about bad bots, this one-hour video from Netacea explains everything about them.
Miscellaneous Attacks (Other Attacks)
The second-largest type of block fell under our Other Attacks category for WordPress, which includes blocks of remote code injection attempts (which can lead to a “Deceptive site ahead” warning from Google), geoblocking, and spam attempts (like comment spam). Under this category I have also included data from web attacks such as SQL injection (2.35%) and remote file inclusion (4.16%).
Attempt to Access Directories
The wp-admin folder is the main admin area of WordPress. Most users leave it open to the public; however, by using Cloudflare Zero Trust with our WordPress hosting account you can enable OTP-based access to your WordPress admin area.
Everyone who wants admin access then needs a valid email address, and you can even restrict it so that only email addresses on your own domain name receive the OTP.
Attempt to Access Backup Files
Standard hosting accounts keep backup files on the same hosting account, normally under the public_html folder, which is an extremely bad practice and raises the chance of compromise.
Keeping your backup in a remote location makes life harder for hackers and also provides an extra level of protection against ransomware.
We use the Acronis Backup solution, which gives complete protection against ransomware, and the data is stored in different locations.
Comments and XMLRPC Blocking
The comment function is one of the most powerful functions on WordPress.
XML-RPC is a system that allows remote updates to WordPress from other remote or local applications. Using it, a spammer can post spammy comments, which can affect not only your website but also your visitors, who can fall into a trap by clicking on a comment on your affected website.
This can be sorted out by using third-party commenting tools like Facebook Comments, or even a simple Google reCAPTCHA, which can bring down spammy comments drastically.
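As an added example (not code from the article or the hosting provider), this must-use plugin shows how the XML-RPC channel described above is switched off inside WordPress itself; it assumes the file is placed in wp-content/mu-plugins/ and uses only the standard `xmlrpc_enabled`, `xmlrpc_methods` and `wp_headers` filters.

```php
<?php
/*
 * Added example: disable WordPress XML-RPC, the remote-posting interface
 * that spammers use to push comments. Not part of the original article.
 * Install as wp-content/mu-plugins/disable-xmlrpc.php (path is an assumption).
 */

// WordPress consults 'xmlrpc_enabled' in its login() routine, so returning
// false rejects every XML-RPC method that requires authentication
// (wp.newComment, wp.newPost, metaWeblog.* and friends).
add_filter( 'xmlrpc_enabled', '__return_false' );

// pingback.ping needs no login and is therefore NOT covered by the filter
// above; remove it and the multicall batching method from the method table.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset(
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks'],
        $methods['system.multicall']
    );
    return $methods;
} );

// Stop advertising the endpoint: WordPress adds an X-Pingback header on
// singular posts that accept pings, which bots use to locate xmlrpc.php.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
```

If nothing on the site needs XML-RPC (for example the Jetpack or mobile apps), blocking /xmlrpc.php at the web server or WAF as well keeps the requests from reaching PHP at all.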
Cross-site Scripting
Cross-site scripting, commonly referred to as XSS, is so dangerous that Google has declared a reward program for anyone who discovers a cross-site scripting vulnerability in one of its web applications: Google will pay up to $10,000.
Cross-site scripting (XSS) was one of the most popular attacks against WordPress websites on our hosting, and it was blocked by our firewall. On analysis, we found that cross-site scripting accounted for 43% of all vulnerabilities we worked on.
Protecting WordPress from Malware Attacks
Our research and experience have shown a large number of malware attacks on WordPress websites, with many different types of malware out there.
We use the state-of-the-art Imunify360, which protects against the most common types of malware.
If your website is already affected by any type of malware, log in to your cPanel account and follow these steps:
- Log in to cPanel and, under the Security section, select Imunify360.
- On the Imunify360 dashboard, you will immediately find the dangerous files present on your WordPress website.
- Delete the malicious file found by Imunify360 by clicking on the broom icon under the Actions section, as seen in the screenshot below.
- Clean up the affected file by clicking “Delete the file”.
If there are several dangerous files, you can use “Clean Up All” to delete all files in one go.
Remember to check the backup files from your cPanel Backup option, which we provide through Acronis.
Virtual Patching (Updating WordPress)
The update_option() function of WordPress is a powerful function that lets a WordPress admin update plugin settings and the corresponding entry in the WordPress options database table.
If a WordPress plugin developer does not properly check permissions before calling this function, an attacker can change site options (and with them the site’s behaviour) as they like.
Here is the list of the top seven plugins that were impacted by this update_option() bug, which was later addressed by the core development team of each plugin.
Plugin Name | Installations
---|---
 | 600,000+
 | 800,000+
 | 500,000+
Newspaper and other old tagDiv themes | 400,000+
 | 200,000+
 | 50,000+
 | 40,000+
Note: I am not saying that the above plugins are affected by any kind of bugs. Rather, a simple regular update of plugins / WordPress / WordPress themes can prevent several kinds of attacks.
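The update_option() permission bug described above, as an added example that is not code from the article or from any of the plugins listed: the first handler reproduces the insecure pattern, the second shows the checks a plugin must make. All `myplugin_*` action, option and function names are hypothetical; the WordPress functions used (`add_action`, `current_user_can`, `check_ajax_referer`, `sanitize_key`, `sanitize_text_field`, `wp_unslash`, `update_option`, `wp_send_json_*`) are real core APIs.

```php
<?php
/*
 * Added example (not from the article): a plugin AJAX handler that saves a
 * setting through update_option(). "myplugin_*" names are hypothetical.
 */

// VULNERABLE: registered for logged-out users too (wp_ajax_nopriv_), no
// capability check, no nonce, and the option NAME comes from the request,
// so any wp_options row (default_role, users_can_register, siteurl, ...)
// can be overwritten by anyone who can reach admin-ajax.php.
add_action( 'wp_ajax_myplugin_save',        'myplugin_save_insecure' );
add_action( 'wp_ajax_nopriv_myplugin_save', 'myplugin_save_insecure' );
function myplugin_save_insecure() {
    update_option( $_POST['name'], $_POST['value'] );
    wp_send_json_success();
}

// HARDENED: admins only, CSRF nonce verified, option name restricted to an
// allow-list the plugin owns, value sanitized before it is stored. Note that
// no wp_ajax_nopriv_ hook is registered, so anonymous requests never run it.
const MYPLUGIN_ALLOWED_OPTIONS = array( 'myplugin_api_key', 'myplugin_color' );

add_action( 'wp_ajax_myplugin_save_v2', 'myplugin_save_secure' );
function myplugin_save_secure() {
    // Capability check: only users who may manage options get further.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // exits
    }
    // Nonce check: dies with -1 unless the 'nonce' field was issued for
    // the 'myplugin_save' action, which defeats cross-site request forgery.
    check_ajax_referer( 'myplugin_save', 'nonce' );

    $name = isset( $_POST['name'] ) ? sanitize_key( wp_unslash( $_POST['name'] ) ) : '';
    if ( ! in_array( $name, MYPLUGIN_ALLOWED_OPTIONS, true ) ) {
        wp_send_json_error( 'unknown option', 400 ); // exits
    }
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';

    update_option( $name, $value );
    wp_send_json_success( array( 'saved' => $name ) );
}
```

The allow-list is the part most often missed: even with a capability check, a handler that lets the caller choose the option name is one privilege-escalation bug away from rewriting core options.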
Updating WordPress Automatically
Our system uses a WordPress toolkit that helps you maintain and update WordPress in a smarter way.
This helped 37% of our customers keep WordPress and plugins up to date, including the plugins listed above.
Conclusion
Our study noted that in 2021 alone, 58% of all WordPress websites were not updated to the latest version, due to a lack of technical know-how or incompatibility of a custom WordPress theme with the latest version of WordPress. Because of this, hackers and spammers are getting easy access to websites managed through WordPress or other CMSs.
Infections continue to find their way into your website code through outdated WordPress plugins or cheap hosting with poorly configured servers.
Shashi kant Pandidhar