WordPress Security

3rd December 2019

WordPress is a popular target for hackers because it has a large install base. Plug-ins make it flexible, but there is no guarantee that code written by third parties is secure.

Had an incident where a WordPress site was undergoing a directory traversal attack. The site had the WordFence security plug-in installed and got some decent alerts. Snippet of the log below.

November 22, 2019 11:48am  178.213.191.110 (Ukraine)     Blocked for Directory Traversal – wp-config.php in query string: file=../wp-config.php
November 22, 2019 11:48am  178.213.191.110 (Ukraine)     Blocked for Directory Traversal – wp-config.php in query string: wpabspath=../../../../../wp-config.php
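
As an added example (my own code, not WordFence's and not from the original post), here is a small Python scanner that flags the same pattern from plain web-server access logs: any query-string value that walks up the tree with `../` to reach wp-config.php, after undoing single and double URL encoding. The log lines, IP addresses and paths are constructed for the example; the log format is assumed to be Apache/nginx combined format.

```python
import re
from urllib.parse import urlparse, parse_qsl, unquote

# Constructed sample access-log lines (hypothetical IPs and paths, combined log format).
# The last line is double-encoded to show why repeated decoding matters.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Nov/2019:11:48:01 +0000] "GET /index.php?file=../wp-config.php HTTP/1.1" 403 0
203.0.113.10 - - [22/Nov/2019:11:48:02 +0000] "GET /wp-content/plugins/x/view.php?wpabspath=../../../../../wp-config.php HTTP/1.1" 403 0
203.0.113.11 - - [22/Nov/2019:11:49:00 +0000] "GET /?p=../..%2F..%2Fwp-config.php HTTP/1.1" 200 512
198.51.100.5 - - [22/Nov/2019:11:50:00 +0000] "GET /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 1024
198.51.100.7 - - [22/Nov/2019:11:51:00 +0000] "GET /index.php?file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def fully_decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded sequences like %252e%252e unwrap to '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True when a decoded query value climbs directories to reach wp-config.php."""
    v = fully_decode(value).replace("\\", "/")
    return "../" in v and v.lower().endswith("wp-config.php")

def flag_traversal(log_text):
    """Return (ip, param, decoded_value) for each request whose query string targets wp-config.php."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        query = urlparse(m.group("target")).query
        # parse_qsl performs one round of URL decoding; fully_decode handles the rest
        for name, value in parse_qsl(query, keep_blank_values=True):
            if is_traversal(value):
                hits.append((m.group("ip"), name, fully_decode(value)))
    return hits

if __name__ == "__main__":
    for ip, param, value in flag_traversal(SAMPLE_LOG):
        print(f"{ip}\tDirectory Traversal - wp-config.php in query string: {param}={value}")
```

Feed it a real access log (e.g. the file contents instead of `SAMPLE_LOG`) to confirm that what WordFence blocked also shows up in the server's own logs, and to catch attempts that a firewall plug-in might miss.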

WordFence also includes a 2FA plugin. It is easy to set up, as you can simply scan a QR code with Google Authenticator. It also allows whitelisting the static IP address of your business so your users don't see anything different, and it can prompt only once per 30 days per IP address (note that if your laptop moves between IP addresses this won't really last 30 days). I like this to prevent password guessing without needing to turn on Captcha, which WordFence supports but is annoying.

Recommendations: Turn on auto-updating where it is available; unfortunately not all plug-ins support this. Update plug-ins that don't on a weekly schedule, and make a calendar reminder so you don't forget. Enable two-factor authentication on ALL of your cloud-based applications. Use strong passwords, ideally random 31 characters. Keep track of them in a password manager like LastPass for teams.