Week 5: Security

What are some of the security vulnerabilities with WordPress websites?

The number one thing to look out for is people. People create bad passwords, store passwords in public places, and click on malicious links. With this in mind, securing your people and restricting access on a need-to-access basis can help limit these sorts of attacks. Plugins are second: since anyone can create a plugin and potentially upload it, there will be plugins with vulnerabilities. Some plugin authors fix these issues, while others don't maintain the plugin at all. Third is themes, with some not being properly maintained and others simply having vulnerabilities. Fourth is WordPress itself; although issues are usually found quickly once an exploit has occurred, there is always the chance of someone finding and exploiting an issue in WordPress core.

How do you harden a WordPress website?

  • Two-factor authentication (2FA)
  • Using strong and protected usernames and passwords
  • Keeping plugins updated
  • Using security plugins
  • Blocking bots, scrapers, and crawlers that take up bandwidth
  • Using SFTP instead of FTP
  • Making sure all files have correct permissions, so as not to give more access than necessary
  • Proper database configuration
  • Securing the WordPress login page
  • A proper 403 response against browsing or editing of the includes directories
  • Getting an SSL certificate
  • Disabling XML-RPC, since it is frequently exploited
  • Disabling file editing, an extra layer in case someone gains permission to edit the files
  • Updating and hardening HTTP security headers
  • Not showing the WordPress version
  • Disabling the JSON REST API
  • Giving users proper permissions so they only have access to what they need
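Several items on this list can be applied without a plugin, from a small must-use plugin file. The following is an added example written for this post, not code from the original or from WordPress itself; it assumes the file is saved as wp-content/mu-plugins/harden.php (the mu-plugins directory is a standard WordPress location that loads automatically). It disables XML-RPC, hides the version string, restricts the REST API to logged-in users rather than switching it off (the block editor and many plugins need it), sets hardening HTTP headers, and turns off the built-in file editor.

```php
<?php
/**
 * Plugin Name: Hardening examples (added example, not from the original post)
 *
 * Save as wp-content/mu-plugins/harden.php so WordPress loads it on every
 * request. Each block below implements one item from the hardening list.
 */

// Disable XML-RPC. Returning false from this core filter makes every XML-RPC
// method answer with "XML-RPC services are disabled on this site".
add_filter( 'xmlrpc_enabled', '__return_false' );

// Hide the WordPress version: drop the <meta name="generator"> tag from the
// <head> and blank the version string WordPress appends to RSS feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// Restrict the REST API to authenticated users instead of disabling it.
// Anonymous visitors lose endpoints such as /wp-json/wp/v2/users (user
// enumeration), while the admin and the block editor keep working.
add_filter( 'rest_authentication_errors', function ( $result ) {
    // Another filter already decided (authenticated, or an error): keep it.
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            'The REST API is restricted to authenticated users.',
            array( 'status' => 401 )
        );
    }
    return $result;
} );

// HTTP security headers. The send_headers action fires before any output is
// sent, so header() still works here.
add_action( 'send_headers', function () {
    header( 'X-Content-Type-Options: nosniff' );
    header( 'X-Frame-Options: SAMEORIGIN' );
    header( 'Referrer-Policy: strict-origin-when-cross-origin' );
    if ( is_ssl() ) {
        // Only advertise HSTS once the site really serves HTTPS; otherwise
        // browsers refuse to load it over plain HTTP for the whole max-age.
        header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains' );
    }
} );

// Disable the theme/plugin file editor in the admin. This constant is usually
// set in wp-config.php; defining it here also works because mu-plugins load
// before the admin screens are built.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}
```

After deploying, confirm the effect from outside: an anonymous request to /wp-json/wp/v2/users should now return 401, the page source should no longer contain a generator meta tag, and the response headers should include the three (or four, over HTTPS) headers above.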

What plugins/resources are available for WordPress Security?

MalCare, Wordfence, All In One WordPress Security and Firewall, and Sucuri are a few of the popular plugin choices. These all have varying degrees of usefulness, with some helping incident response better than others and some offering 2FA. A quick Google search will lead to the best results. Finding the best-maintained plugins is important for continued use; a security plugin that isn't maintained will actually add security risk.

Which plugin(s) do you think you will use and why?

I think I'll use Wordfence, MalCare, and Anti-spam. I'll use these after looking at the default WordPress plugins and the webpages shared by the instructor.

What would you do if you are hacked?

It depends on the severity. I would consider a fresh install of WordPress if the site can easily be set up again.

Next would be using a plugin to scan for malware. After that is done, I would look at the most recently modified files to see if anything stands out. Then I would remove anything that was found and rerun all the tests to make sure it was removed, update all plugins and themes, and finally change all user passwords.
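The step of looking at recently modified files can be done without trusting the (possibly compromised) WordPress admin, straight from the command line. The following is an added triage script written for this post, not part of the original or of WordPress; it assumes PHP 8 on the CLI and is run as `php triage.php /path/to/wordpress 7` (the path and the 7-day window are placeholders). It only reads file metadata, so it is safe to run before any cleanup, and it reports three things a responder checks by hand: files changed inside the window, files or directories writable by group or others, and PHP files sitting under wp-content/uploads, where WordPress itself never writes PHP.

```php
<?php
/**
 * Post-compromise triage helper (added example, not from the original post).
 *
 * Usage: php triage.php /path/to/wordpress 7
 *   arg 1: WordPress root directory (placeholder path, adjust to your install)
 *   arg 2: how many days back counts as "recently modified" (default 7)
 *
 * Read-only: it inspects metadata and prints findings for a human to review.
 */

$root   = rtrim( $argv[1] ?? '.', '/' );
$days   = (int) ( $argv[2] ?? 7 );
$cutoff = time() - $days * 86400;

$recent       = [];   // files modified within the window
$loose        = [];   // files/dirs writable by group or others
$phpInUploads = [];   // PHP files under wp-content/uploads

$it = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
    RecursiveIteratorIterator::SELF_FIRST
);

foreach ( $it as $path => $info ) {
    $rel   = substr( $path, strlen( $root ) + 1 );
    $perms = $info->getPerms() & 0777;

    // Expected baseline is 644 for files and 755 for directories; any
    // group- or world-writable bit (0022) is a deviation worth explaining.
    if ( $perms & 0022 ) {
        $loose[] = sprintf( '%04o %s', $perms, $rel );
    }

    if ( ! $info->isFile() ) {
        continue;
    }

    if ( $info->getMTime() >= $cutoff ) {
        $recent[] = sprintf( '%s %s', date( 'Y-m-d H:i', $info->getMTime() ), $rel );
    }

    // Uploads should contain media only. A .php file there (including a
    // double extension such as .php.jpg) is a common sign of a dropped backdoor.
    if ( str_starts_with( $rel, 'wp-content/uploads/' )
         && preg_match( '/\.php(\.|$)/i', $rel ) ) {
        $phpInUploads[] = $rel;
    }
}

// Newest first, so the most recent changes are at the top of the report.
usort( $recent, fn ( $a, $b ) => strcmp( $b, $a ) );

report( "Files modified in the last $days day(s)", $recent );
report( 'Files/directories writable by group or others', $loose );
report( 'PHP files under wp-content/uploads', $phpInUploads );

function report( string $title, array $items ): void {
    echo '== ', $title, ' (', count( $items ), ") ==\n";
    foreach ( $items as $line ) {
        echo '  ', $line, "\n";
    }
    echo "\n";
}
```

Compare the "recently modified" list against what you actually changed (updates, uploads, edits) and treat anything else, especially under wp-includes or wp-admin where only core updates write, as a lead. Re-run the script after cleanup: the uploads and permissions sections should be empty, and the recent list should contain only your own remediation changes.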

What is SSL? How would you activate it in your domain?

SSL is, in short, a way to verify the integrity of your site when serving clients. In cPanel there is an option to secure the domain and purchase an SSL/TLS certificate.