Web Servers - WordPress Vulnerabilities
Published on November 25, 2019
Published on Wealthy Affiliate.
Web Servers
We all here in WA are very familiar with web servers since we have WordPress sites. Web servers host web sites that are typically open to the public, just like ours in WA are. I am sure, though, that everyone here has some concern for security. Or maybe you don’t.
There are still people in the world who just don’t think about those types of things. They just set stuff up and go. As long as it works and they can do what they want… game on! I have literally seen just that in my time. I cannot blame them for this type of thinking. Everyone has reached a point where they had this moment:
“What? I didn’t know you could do that! I wish I knew that before.”
I had plenty of these moments while going through my coursework in university when I studied cybersecurity technology. The number one lesson that I learned was that YOU CAN NEVER 100% STOP A HACK UNLESS YOU UNPLUG THE SYSTEM. Unplugging the system kind of defeats the purpose of needing it, though.
What you can do is strengthen a system as much as possible by using a variety of methods. This increases the time it takes for a hacker to gain entry to your system. The point is to build a deterrent. It isn’t much different than a wall or fence at your house: you attempt to keep people out. This does not guarantee success, but it deters bad actors from trying. Hackers use customized tools to attempt to access systems. They are really after easy targets, and when they go against a hardened target they generally go away.
Yes, there are exceptions: if a system holds critical information, hackers will not move on and will keep trying to gain access. This is where it is vital to harden a system as much as possible. Hardening increases the amount of time an attack takes, which gives whoever is monitoring the chance to see the attempts and take the key steps to ward off the attack.
We all in WA have WordPress web sites and learn how to build a place where we can publish our thoughts in a blog, show off photography, or even share knowledge through webinars and videos. Establishing a presence on the web is pretty much a requirement these days, but it needs to be done safely. There are 5 levels of training for us to complete, which is great, but at this point I have not seen anything about security. I could be wrong, so if so, please point me in the right direction. For now, I will press on with a few ideas for securing our web sites. The following are only a small sampling of the large number of vulnerabilities that we face with our sites, but they are the most common vulnerabilities still found today! For each one I will explain a bit about what it is and how to help prevent a successful attack.
Common WordPress Vulnerabilities
The most common vulnerabilities:
1. Brute Force Attack
2. SQL Injection
3. DDoS Attack
4. Old WordPress and PHP versions
Brute Force Attack
What is it?
Bad actors attempt Brute Force Attacks against systems by repeatedly guessing character combinations, usually passwords, until one succeeds. There are powerful tools available to hackers that automate the process. Although this is difficult to execute, it remains popular because administrators continue to use weak passwords that are easily cracked. This is especially concerning for WordPress sites because WordPress by default does not block repeated password attempts, so guesses can arrive thousands of times a second.
How to prevent and fix it
The simplest way to prevent Brute Force Attacks is to use a very strong password that combines upper and lower case letters, numbers, and special characters. Additionally, the password should be complex and should not spell out names or words.
Two proven methods come to mind from my time in the military. First, establish Two Factor Authentication, which requires two different types of credential from the user. Along with the username, you would typically enter a strong password as well as a key code or token received from a key fob or, nowadays, through your mobile device. These two different types of input, when combined, provide very effective protection for your account. WordPress does in fact have plugins that allow you to establish this capability, such as ‘Wordfence Security – Firewall & Malware Scan’ and ‘iThemes Security’.

SQL Injection
What is it?
This attack method is one of the oldest but is still very effective against unsecured systems. An attack succeeds by injecting SQL queries, which can be used to alter data maliciously or for destructive purposes. Injection can take place through forms or input fields on websites that collect information and store it in some form of database.
A hacker who succeeds is able to manipulate database records and, on WordPress web sites, can even acquire admin credentials, giving them full access to the system.
How to prevent and fix it
WordPress has plugins to help you determine whether SQL Injection attacks have succeeded against your sites. The first that comes to mind is the ‘Wordfence Security’ plugin. Additionally, one of the easiest methods to help prevent it is simply installing the latest updates to your WordPress version, which regularly address security vulnerabilities.
DDoS Attack
What is it?
The Distributed Denial of Service attack is very powerful and essentially floods devices with large volumes of requests to the point where the server just can’t keep up with the replies. It can get so bad that the system slows down dramatically, eventually leading to system failure and shutdown. While a Denial of Service (DoS) attack originates from a single source, a DDoS coordinates the attack using multiple infected systems from around the world simultaneously. These attacks can be extremely difficult to prevent because they can be skillfully disguised, but there are processes which can help.
How to prevent and fix it
Preventing and fixing the problem of DDoS attacks does require some self-restriction, such as disabling XML-RPC, the interface that third-party apps use to access our sites. Those of you who have not realized it yet: you would no longer be able to use the WordPress app on mobile devices. 8-( If you don’t use the app anyway, then carry on.
If you are experiencing a DDoS attack, it is best for you to inform your customers to keep them abreast of events. Defense mechanisms are usually performed by entities outside of your control, and depending on the severity of the attack there is no guaranteed return-to-service time, so make every attempt to avoid announcing one. The absolute best thing to do is speak the truth and let the authorities do their job.
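A defender-side check that covers both the repeated wp-login.php guesses from the Brute Force section and the XML-RPC request floods discussed here: it reads web server access-log lines and flags any client address that exceeds a threshold inside a sliding time window. This is an added example, not code from the original post or from any plugin it names; the log lines are constructed, the IP addresses are from documentation ranges, and the thresholds (5 failed logins or 20 XML-RPC calls in 5 minutes) are assumptions you would tune for your own site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed combined-format access-log lines (not real traffic): 203.0.113.7 hammers
# wp-login.php, 198.51.100.4 mistypes once then succeeds, 192.0.2.9 bursts XML-RPC calls.
LOGIN = '{ip} - - [25/Nov/2019:10:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" {code} 0 "-" "Mozilla/5.0"'
XMLRPC = '192.0.2.9 - - [25/Nov/2019:10:01:{s:02d} +0000] "POST /xmlrpc.php HTTP/1.1" 200 600 "-" "curl/7.64"'
SAMPLE_LOG = "\n".join(
    [LOGIN.format(ip="203.0.113.7", s=i, code=200) for i in range(6)]
    + [LOGIN.format(ip="198.51.100.4", s=10, code=200), LOGIN.format(ip="198.51.100.4", s=25, code=302)]
    + [XMLRPC.format(s=i) for i in range(30)]
)
LOG_RE = re.compile(  # client IP, timestamp, request line and status code of a combined-format line
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0], int(m["status"])

def find_abusive_ips(log_text, window_seconds=300, login_limit=5, xmlrpc_limit=20):
    """Map each offending IP to 'login' or 'xmlrpc' when it exceeds a limit inside any window."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)  # (ip, kind) -> timestamps
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        # A failed WordPress login re-renders the form (200); a success redirects (302).
        if method == "POST" and path == "/wp-login.php" and status == 200:
            events[(ip, "login")].append(ts)
        elif path == "/xmlrpc.php":
            events[(ip, "xmlrpc")].append(ts)
    flagged = {}
    for (ip, kind), stamps in events.items():
        stamps.sort()
        limit = login_limit if kind == "login" else xmlrpc_limit
        start = 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= limit:
                flagged[ip] = kind
                break
    return flagged
```

Run it over your real access log instead of SAMPLE_LOG and the flagged addresses are candidates for blocking at the host firewall or in a security plugin; the single failed login from 198.51.100.4 is correctly left alone.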
Old WordPress and PHP versions
What is it?
WordPress sites that are not regularly updated are absolutely vulnerable to security related incidents. Hackers are ALWAYS looking for and researching new ways to exploit system vulnerabilities, so sites should absolutely be updated as soon as possible. Never let yourself become complacent, because it will sting. WordPress does utilize PHP, and it too requires updating and patching regularly. Nearly 43% of WordPress sites are still using older versions of the software. Think of the implications of that! Each vulnerable system is a potential asset to a hacker, who can collectively use these systems against you.
How to prevent and fix it
Prevention is a simple task of updating your software. Stay on top of this daily. Always perform a backup of your website before any update so that, if by chance there is a problem, you can revert to the state before the update or patch was installed.
One of the highest rated backup solutions is the WordPress plugin named ‘UpdraftPlus’; even its free version offers a suitable means to fully back up your website files, database, plugins, and themes. It is an easy-to-use plugin needing only minimal technical knowledge.

I would like to conclude this post by asking everyone to take the time to think about how security can affect you while you complete your steps of training. It is essential for each of us to invest the time to understand how to recognize problems and the steps you can take to prevent or recover from an attack.