This time, we will go over the most basic scheme for improving WordPress security.
If you do this, we cannot guarantee 100% security, but I think security will improve considerably.
Why hackers target WordPress and what they do
First, I will explain why hackers target WordPress.
WordPress is a system used on numerous sites around the world. Its vulnerabilities are also publicized, and older versions of WordPress (especially 3.4-3.6) make it easy for hackers to take over admin rights and rewrite websites.
Hackers do many things, but basically they hack in order to gain various things by using someone else’s website without getting their own hands dirty.
・ Sending spam mail from WordPress
・ Redirecting users who visit the original website to another site
・ Making users who visit the tampered website download unauthorized software
・ Displaying an arbitrary advertisement window to users who visit the website
・ Building a botnet by bundling a number of tampered websites and using it as a springboard for DDoS attacks
In many cases this is very dangerous, because the tampered site will be used to cause trouble for others.
Where do the hacks come from, and how are they done?
We believe that more than 70% of hacks come from Russia or China.
As for how hacking is done, there is software that scans WordPress and lists its vulnerabilities, and that software also includes a feature that takes over the WordPress management function by brute-force attack.
Hackers first search Google for WordPress-specific strings to find a WordPress site, obtain its WordPress version with this software, and if that site uses an older, vulnerable version of WordPress or of a plug-in, they try to break in.
In some WordPress versions there are vulnerabilities that allow administrative rights to be taken just by writing a specific character string in the comment field, so a successful hack may take only a few minutes.
(Many hackers give up immediately if they find a site difficult to break into, because there are plenty of vulnerable sites.)
1 Keep WordPress and plug-ins at the latest version
WordPress 3 and 4 vulnerabilities are widely known to hackers and are easily targeted. Some are very dangerous: they can be used to steal WordPress administrator rights simply by writing code in the comments.
On WordPress version 4 or below, accessing http://siteURL/readme.html makes it easy to find out the WordPress version, so we recommend updating WordPress to the latest version every three months.
Plug-ins can also contain vulnerabilities and become a back door for tampering. Especially for well-known plug-ins with tens of thousands of installations, once a vulnerability is found, many websites may be damaged at once. We also recommend updating them frequently.
2 Make your login ID and password strong
Newer WordPress versions generate strong passwords automatically. If possible, use the password generated by WordPress.
If you updated from an older WordPress and are continuing to use it, be careful if the administrator name is admin and the password contains only alphabetical characters.
The administrator name should be something other than admin, and the password should be at least 12 characters and include numbers as well as letters. You can change the password from “User” -> “User List” on the management screen.
3 Make the unique keys for authentication in wp-config.php strong
The unique keys for authentication are used to further strengthen the WordPress password when it is handled internally, so please use the ones generated at the following URL.
If you are before installation, changing the database prefix to something other than wp_ is also effective for security.
(Note that if this setting is changed after installation, the management screen cannot be used due to a permission error.)
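As an added example (not from the article), the eight keys can also be generated locally when the generator URL is not at hand. This script is my own, not a WordPress tool, and swaps in /dev/urandom plus base64 in place of the WordPress secret-key service; it also emits the non-default table prefix line mentioned above.

```shell
#!/bin/sh
# Added example, not from the article: generate the eight authentication unique
# keys for wp-config.php locally (64 random bytes each from /dev/urandom,
# base64-encoded) instead of fetching them from the WordPress generator URL.
# Assumes POSIX sh with base64 and tr available. Paste the output into
# wp-config.php in place of the existing define() lines.

WP_KEY_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# One random key; base64 output contains no quote or backslash, so it is safe
# inside a single-quoted PHP string.
wp_random_key() {
    head -c 64 /dev/urandom | base64 | tr -d '\n'
}

# Print a define() line for each of the eight keys.
wp_generate_keys() {
    for name in $WP_KEY_NAMES; do
        printf "define('%s', '%s');\n" "$name" "$(wp_random_key)"
    done
}

# Section 3 also recommends a prefix other than wp_ before installation.
# Prints the $table_prefix line, or fails for wp_, an empty value, or
# characters other than letters, digits and underscore (the WordPress
# installer rejects those as well).
wp_table_prefix_line() {
    case "$1" in
        "" | wp_ | *[!A-Za-z0-9_]* ) return 1 ;;
        *_ ) printf '$table_prefix = '"'"'%s'"'"';\n' "$1" ;;
        * ) return 1 ;;
    esac
}
```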
4 Set file permissions appropriately
In the WordPress folder, basically only the wp-content/upload folder, where images and other uploads are saved, is written to.
Hackers take advantage of loose permissions (folder write permission) to write tampered files into various files and folders.
To prevent this, if you want strong security, change all folders and files other than wp-content/upload to non-writable permissions. (When updating WordPress or plug-ins, it is necessary to temporarily restore the permissions and then update.)
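The lock-down and the temporary restore for updates, as an added example that is not part of the article. The script is mine; it assumes the web server runs as the file owner (so owner write is removed, not just group/other) and takes the writable folder as a parameter, defaulting to WordPress's standard wp-content/uploads, which is what the article calls "wp-content / upload".

```shell
#!/bin/sh
# Added example, not from the article: lock a WordPress tree down so that only
# the uploads folder is writable (section 4), and relax it again for updates,
# which need write access (the article's caveat). Assumes POSIX sh with find,
# chmod and stat, and that the web server runs as the file owner, which is why
# owner write permission is removed and not only group/other. The article's
# "wp-content / upload" is WordPress's wp-content/uploads; the path is a parameter.

# wp_harden_perms ROOT [UPLOADS]: read-only everywhere except the uploads tree.
wp_harden_perms() {
    root=$1; up=${2:-wp-content/uploads}
    [ -d "$root" ] || return 1
    find "$root" -path "$root/$up" -prune -o -type d -exec chmod 555 {} +
    find "$root" -path "$root/$up" -prune -o -type f -exec chmod 444 {} +
    # Uploads: writable directories, non-executable files.
    if [ -d "$root/$up" ]; then
        find "$root/$up" -type d -exec chmod 755 {} +
        find "$root/$up" -type f -exec chmod 644 {} +
    fi
}

# wp_relax_perms ROOT: owner-writable again so core/plug-in updates can run;
# call wp_harden_perms afterwards.
wp_relax_perms() {
    root=$1
    [ -d "$root" ] || return 1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# Octal mode of a path (GNU stat, with BSD fallback), for checking the result.
wp_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}
```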
5 Prevent brute-force attacks on wp-login.php and xmlrpc.php
wp-login.php and xmlrpc.php are the files hackers often access to gain administrator privileges by mechanically entering administrator IDs and passwords.
This brute-force attack can be prevented to some extent by introducing a plug-in that locks out the IP address after several failed logins, or that adds a CAPTCHA to the login screen.
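What such a lockout plug-in reacts to can also be checked by hand in the web server's access log. The following is an added example of mine, not from the article or any plug-in: it counts POST requests to the two files per source IP over combined-format log lines (the sample lines are constructed) and flags IPs that reach a threshold.

```shell
#!/bin/sh
# Added example, not from the article: flag source IPs that hammer wp-login.php
# or xmlrpc.php with POST requests (section 5), as a log review step for the
# defender. Input: Apache/nginx combined-format access log lines on stdin.
# Assumes POSIX sh with awk and sort; the log lines and threshold are constructed.

# Constructed sample log (not real traffic). For wp-login.php a failed login
# re-renders the form (200) while success redirects (302); xmlrpc.php returns
# 200 either way, so the count of POSTs is used rather than the status code.
WP_SAMPLE_LOG='198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3421 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:57:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2871 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:57:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# wp_login_flood [THRESHOLD] < logfile
# Prints "ip path count" for each IP whose POSTs to either file reach the
# threshold (default 3), most active first.
wp_login_flood() {
    awk -v thr="${1:-3}" '
        # $1 is the client IP, $6 the quoted method, $7 the request path.
        $6 == "\"POST" {
            split($7, p, "?")          # drop any query string
            if (p[1] == "/wp-login.php" || p[1] == "/xmlrpc.php")
                n[$1 " " p[1]]++
        }
        END { for (k in n) if (n[k] >= thr) print k, n[k] }
    ' | sort -k3,3nr
}

# Stand-alone run over the sample: printf '%s\n' "$WP_SAMPLE_LOG" | wp_login_flood 2
```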
6 Prevent comment spam
The comment field in WordPress can be written to anonymously, so besides comment spam, in older versions of WordPress it can also be used for cross-site scripting and SQL injection.
Use Akismet, the anti-spam plug-in that comes with WordPress, to prevent comment spam, disable comments, or add a CAPTCHA to the comment field.
7 Install a security plug-in
8 Check the worker’s PC for viruses and review the FTP password
WordPress tampering does not always happen via the web.
FTP information may leak to hackers because of viruses.
Once you’ve been hacked, it’s important to check your PC for viruses and change the FTP information.