5 WordPress Security Threats You Probably Don’t Know About

When it comes to my online activity, security is something I have always been fairly conscious of. But in my opinion, making sure that your WordPress site is secure is not something that you can ever do too much of.

That fact was recently driven home to me when Limit Login Attempts (which I have installed on my blog) started reporting multiple login attempts from more than one IP address. I also discovered that someone had attempted to login to my Facebook account.

With those recent events still fresh in my mind, I thought I’d take the opportunity to focus on some security threats concerning your WordPress site that you may not even be aware of. Whilst there are plenty of basic steps you can take to improve the security of your site (such as changing the default “admin” username and setting strong passwords), you may want to check these ones out too.

1. Published WordPress Version Information

By default anyone can find out what version of WordPress your site is running if they know how. This is not a good thing, because if you are running an older version of WordPress, unscrupulous hacker types will be able to target specific security vulnerabilities that have since been patched by more recent updates.

The first thing I will say is this — you absolutely should update WordPress (as well as your themes and plugins) as soon as new versions become available. Prevention is the best cure, as the timeless saying goes. However, it is still a good idea to remove version information from your site.

This information is stored in two places:

  1. Your page header meta
  2. Your readme.html file

To remove the information from your page header meta, paste the following code into your active theme’s functions.php file:

  function remove_wp_version() {
      // Return an empty string so the generator meta tag carries no version number.
      return '';
  }
  add_filter( 'the_generator', 'remove_wp_version' );

As for the readme.html file, just rename it to something completely random (like “23bd8.html”). No one’s going to be finding that in a hurry.
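The version number is also exposed in your RSS feeds and in the `?ver=` query string that WordPress appends to its own script and stylesheet URLs. The following is an added example (not code from the original article) that covers those spots as well; the function name is my own choice, and it deliberately strips only the core version so that plugin cache-busting values are untouched.

```php
<?php
// Added example: hide the WordPress version in the head, the feeds and the
// core script/style URLs. Paste into the active theme's functions.php.

// 1. Remove the <meta name="generator"> tag from the page head and feeds.
//    __return_empty_string is a core helper that simply returns ''.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// 2. Core appends "?ver=<wp version>" to its own scripts and stylesheets,
//    which leaks the same number. Strip it only when it equals the core
//    version so that plugin- or theme-specific ?ver= values still bust caches.
function my_strip_core_version_query_arg( $src ) {
    $core_version = get_bloginfo( 'version' );
    if ( false !== strpos( $src, 'ver=' . $core_version ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src',  'my_strip_core_version_query_arg', 9999 );
add_filter( 'script_loader_src', 'my_strip_core_version_query_arg', 9999 );
```

After adding it, view the page source and the feed URL and confirm that neither the generator tag nor a `ver=` matching your WordPress version remains.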

2. Access to Theme/Plugin Files

You’re probably familiar with the theme and plugin file editors:

[Screenshot: theme file editor]

Pretty darn handy, but also a huge security issue should someone gain access to your dashboard. And in general, using the editors is bad practice as any incorrect PHP code can “break” your site (which will then require you to gain access via FTP).

With that in mind, I would recommend that you disable the editors and edit theme and plugin files via FTP only. Doing so is a piece of cake — just include the following in your functions.php file:

  // Hides the theme and plugin editors from the dashboard entirely.
  define( 'DISALLOW_FILE_EDIT', true );

3. Universal Registration Option

This is a real simple one — is your WordPress site currently set up so that anyone can register as a user? This is only necessary if you are running some sort of community site (as opposed to a “normal” website or blog). So if you are not, you would be best served by preventing people from having the opportunity to register.

You can do so via Settings > General in your sidebar:

[Screenshot: General Settings, “Anyone can register” option]

Whilst someone registering for your site in a limited role does not give them a huge amount of access, it does give them more than is absolutely necessary, which is why you should remove the option.

4. Login Name Confirmation

By default, the WordPress login screen will inform you as to whether you have got the username or the password wrong:

[Screenshots: “invalid username” and “invalid password” login errors]

This effectively makes it twice as easy for hackers to gain access to your site: they can confirm what your username is without having to know the password. It is not information you should make readily available.

As per usual, this issue can be remedied with some code in your functions.php file:

  function failed_login() {
      // One generic message whether the username or the password was wrong.
      return 'The login information you have entered is incorrect.';
  }
  add_filter( 'login_errors', 'failed_login' );

Now when there is a failed login attempt, there will be no specific information concerning the username or password.

5. Brute Force Login Attempts

Finally, and along the same lines as the penultimate security issue, we have brute force login attempts.

This is when someone attempts to gain access to your site by trying an enormous number of different username and password combinations. Such a process is of course made far more difficult by adding the above code to your functions.php file, but you can all but eradicate the chance of a successful brute force login attempt by limiting the number of login attempts from a specific IP address.

My personal recommendation is to install and activate the Limit Login Attempts plugin. This simple plugin offers you the ability to customize how many login attempts someone should have, and how long they are locked out for if unsuccessful. I consider it a must-have for any WordPress blogger.
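To show what that plugin does under the hood, here is an added example (my own code, not the article's and not the Limit Login Attempts plugin's) of a minimal per-IP lockout in functions.php; it pairs with the `login_errors` filter above. It assumes `REMOTE_ADDR` is the real client address, so behind a reverse proxy or CDN you would need to read the proxy's forwarded-address header instead; the constant and function names are my own.

```php
<?php
// Added example: count failed logins per IP in a transient and refuse
// authentication once the limit is reached. Constants are hypothetical.
define( 'MY_MAX_LOGIN_ATTEMPTS',    5 );   // failures allowed per window
define( 'MY_LOGIN_LOCKOUT_SECONDS', 900 ); // 15-minute lockout/window

// One transient key per client IP (REMOTE_ADDR assumed to be the real client).
function my_login_attempt_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'my_login_fail_' . md5( $ip );
}

// wp_login_failed fires on every unsuccessful login: bump the counter and
// restart the expiry window.
function my_record_failed_login( $username ) {
    $key   = my_login_attempt_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, MY_LOGIN_LOCKOUT_SECONDS );
}
add_action( 'wp_login_failed', 'my_record_failed_login' );

// Runs on the authenticate filter after core's username/password check
// (priority 20); returning a WP_Error denies the login regardless of
// whether the credentials were correct.
function my_block_locked_out_ip( $user, $username, $password ) {
    if ( (int) get_transient( my_login_attempt_key() ) >= MY_MAX_LOGIN_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}
add_filter( 'authenticate', 'my_block_locked_out_ip', 30, 3 );

// Reset the counter once the visitor logs in successfully.
function my_clear_failed_logins( $user_login ) {
    delete_transient( my_login_attempt_key() );
}
add_action( 'wp_login', 'my_clear_failed_logins' );
```

To check it, enter a wrong password five times from one browser and confirm the sixth attempt is rejected even with the correct password until the window expires.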

What Security Issues Do You Consider a Threat to Your Site?

I am of course just scratching the surface here, but I consider the above tips pretty effective methods for closing potential security vulnerabilities in your WordPress site. I don’t want to frighten you into thinking that WordPress is an inherently unsafe content management system (because it isn’t), but it is better to be safe than sorry.