Lately, we’ve seen an increase in intrusions to WordPress installs. We all know it’s quite frustrating when you find out someone has maliciously infiltrated your software. As of late, it seems the intrusions are getting worse both in impact and sophistication.
In previous years, we’ve seen intrusions that resulted in everything from massive email blasts to additional distribution of worms and malware. Today, it seems that the attacks are more advanced. Recently, we’ve seen nefarious characters take over websites by forcing redirects to third-party addresses, sometimes to embarrassing (think adult content) destinations. In one case, the attack was so brazen to actually rewrite core files within the installation, even up to the .htaccess file (something which can be avoided – more on that later).
Many clients don’t understand why this is happening. How can a platform that is so prevalent have so many issues? Well, the answer is a bit complicated. First, you have the fact that it is such a popular platform. This makes the prospect of finding potential targets easy. Secondly, the platform is free and therefore attracts budget-conscious users. Not to be rude, but, WordPress users are less likely to spend the required budgets to maintain their installations in a safe and secure way.
That said, surely there must be something that can be done. So, I have assembled a few tips and tricks that you should consider as you build-out or maintain your WordPress-powered website.
First thing first… Install protection. This means utilizing plugins such as WordFence or similar. These plugins perform routine, regular scans of your entire installation looking for issues, and scoring them in terms of severity. It can find malware, outdated plugins, or other configuration issues which you should address to stay safe. These systems are valuable in that they are continuously running, and therefore can notify you when problems arise. Without such a monitoring service in place, your best shot of knowing you are in trouble is when it’s already too late, and your site was either compromised, taken down or otherwise infiltrated.
One key point about having a monitoring tool… Much like those commercials point out these days on television, a monitor and a responder are two different things. You need the know-how or knowledge to actually act on what these plugins recommend. While WordFence makes it easy to triage and even remove offensive code, oftentimes it recommends changes that a developer needs to make. Doing these changes yourself can be risky, so make sure you have monitoring in place in addition to a response procedure so you can actually act on what the monitors identify as threats.
Maintain a Development Environment
I’m always amazed at how many website owners don’t maintain a development environment outside of their live site. Not only is having a “sandbox” essential so you can test new features, content, and tools, but it is also important in that it will enable you to have a baseline to compare your live site against. Since so many vulnerabilities these days affect core code and components of the installation, having a dev site to revert your files from can make all the difference in a quick response.
If you don’t have a development environment, try to set one up. And if you do have one, try to keep it somewhat synced with the live site, just in case you needed to revert not only physical files but data as well.
Plugins are a constant cause of anxiety for WordPress users. The fact is, each plugin you have is another potential point of entry for an attacker. However, plugins oftentimes have dependencies with other plugins. Or, you used them in particular ways and updating them can affect that behavior. I rarely see any WordPress site, even a well maintained one, that doesn’t have at least one plugin out of date.
This is an ongoing challenge that requires commitment. You have to attempt to maintain your installation as well as you can, and that means keeping all plugins up to date. Attacks that come in via plugins are very difficult to address if you can even identify them in the first place. So, rather than try to chase down root causes each time there is an attack, attempt to alleviate your risk of attack by maintaining software that is up-to-date, even if this means absorbing development costs along the way.
Check Your Server
There are many things that you can do to prevent intrusions from getting the access that they need to do real damage. Unfortunately, most website owners have no idea what they are. For one, you should always triple check that permissions are properly assigned within your web server environment. Doing so can eliminate the possibility of outside actors getting access to files, and the ability to write or change file contents. In the above example, the server was hacked and the .htaccess file was modified. This file is the very first thing that is accessed each time a webpage is loaded. The hackers appended code to the file which redirected literally the entire site to another destination. With some system administration know-how, that can be avoided. It is best to speak to a qualified systems administrator for more information about this, as it isn't something that is easily done by the layman.
Hacked Once? Be More Vigilant
This is something that I think we could call a gut feeling more than anything else… But in my experience, sites that have been hacked once tend to get hacked again. If even years later. Of the hundreds of WordPress sites we manage, it seems to be the same domains we are cleaning over and over again. Once you let an attacker in a single time, even after cleaning they find a way back. It’s as if your domain is added to a list of targets and it can never be removed from it.
I suppose the only take away from this point is that you should do all you can to avoid being attacked in the first place. And, if you are hacked at any point, you need to be even MORE vigilant than everyone else.
As I’ve already said many times before – WordPress is a great platform for many things, but it has been stretched to do more than it should through the years and because of this, hacks and intrusions are becoming more than an annoyance but rather a significant risk. If you operate a WordPress-powered website, you must be on the lookout for security holes and mend those gaps as they are found. If hacked, you need to respond with a pre-defined procedure. And, most importantly, you must have software in place to aid and assist in actually diagnosing these issues. There is no light at the end of the tunnel in terms of WordPress security. It will get worse before it gets better. So, we all have to get smart and prepare accordingly.