Sunday, 20 January 2013

How To Secure WordPress Website From Hacking Attack

How To Secure WordPress Wesbite
Secure WordPress Website
WordPress is the world’s most popular publishing platform. Over 80 million websites in the world use WordPress Platform. It surpasses the digits of Blogger, Joomla, Drupal and Microsoft SharePoint. This popularity has attracted hackers to exploit this publishing platform. Though WordPress is considered as one of the most secure Platforms, but still hackers are able to exploit the vulnerabilities in WordPress. Below are some vulnerability in WordPress and we will teach you how to tackle with them in order to secure WordPress website from all possible hacking attacks.

1) SQL Injection Attack:

SQL is considered as one of the most dangerous vulnerability in web applications. SQL injection was the vulnerability behind the Sony, Infraguard, the Sun and other recent attacks.
SQL is the command language used by the MySQL database. These attacks can reveal sensitive information about the database, potentially giving hackers entrance to modifying the actual content of your site. Many of today’s web site defacement attack are accomplished by some form of SQL Injection.

Secure WordPress Website From SQL Injection Attack

in order to secure wordpress website from sql injection attack, follow these tips.
Most WordPress installations are hosted on the popular Apache web server. Apache uses a file named .htaccess to define the access rules for your web site. A thorough set of rules can prevent many types of SQL Injection and URL hacks from being interpreted.
The code below represents a strong set of rules that you can insert into your web site’s .htaccess file that will strip URL requests of many dangerous attack injections:
<IfModule mod_rewrite.c>RewriteEngine OnRewriteBase / RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
RewriteRule ^(.*)$ – [F,L]
RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag\= [NC,OR]
RewriteCond %{QUERY_STRING} ftp\:  [NC,OR]
RewriteCond %{QUERY_STRING} http\:  [NC,OR]
RewriteCond %{QUERY_STRING} https\:  [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|ê|”|;|\?|\*|=$).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(&#x22;|&#x27;|&#x3C;|&#x3E;|&#x5C;|&#x7B;|&#x7C;).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC]
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
RewriteRule ^(.*)$ – [F,L]
</IfModule>
Hackers, often use GET method to inject their “union+select+” queries or POST method from one server to another, if authentication has javascript filtering using their OR 1=1 method and the last but not the least, cookies. Cookies are used by very few hackers, however with the use of session cookies, their successful attempts are limited to minimum.
addslashes() is one of the function that a developer can use if !(get_magic_quotes_gpc). But, adding this line can be troublesome in most cases, where amount of variables are really high, it may make the code look sluggish to have mysql_real_escape_string() in every variable passed. To get rid of all these:
Go to your php.ini file and set:
magic_quotes_gpc = On
magic_quotes_gpc is by default set to Off for optimal performance of the server.
However, if you are using a shared/paid hosting and do not have access to php.ini file then add the following to your .htaccess file.
php_flag magic_quotes_gpc on
However, cannot promise that above mentioned “tweak” will work till eternity. You can never know what 0-day comes up!

2). Accessing Sensitive Files

When we install WordPress on the server, there are several files which contain very sensitive information about the configuration of the website. So if we don’t hide these files or make them private, hackers can access those files and then use it to hack the website.

How to Hide Sensitive files to secure WordPress website?

We have to add some commands in .htaccess file to hide files for hackers, crawlers, spiders and bots.
Open .htaccess files
Options All -Indexes<files .htaccess>Order allow,deny Deny from all
</files>
<files readme.html>
Order allow,deny
Deny from all
</files>
<files license.txt>
Order allow,deny
Deny from all
</files>
<files install.php>
Order allow,deny
Deny from all
</files>
<files wp-config.php>
Order allow,deny
Deny from all
</files>
<files error_log>
Order allow,deny
Deny from all
</files>
<files fantastico_fileslist.txt>
Order allow,deny
Deny from all
</files>
<files fantversion.php>
Order allow,deny
Deny from all
</files>

3). Default Admit username

One of the simplest ways to hack a WordPress based website is by landing on the login page and guessing the username and password. To make it worse, most of the webmasters don’t change the default administrator username “admin”, which is given at the time of installation. This makes the work easy as the hacker may try to log into account by guessing password using his social engineering skills.

How to secure WordPress website from this vulnerability?

You should create a different user to manage your WordPress blog and either remove the “admin” user or change the role from “administrator” to “subscriber.” Now even if the hacker is able to guess the correct password for the admin username, he won’t be able to get much from the website as his powers will be limited to just a subscriber.
You can actually create a completely random (hard to guess) username and then use your email address to log into WordPress. This will make a lot challenging for the hacker to guess your username and password.

4). WordPress Database Table Prefix

If you have installed WordPress using the default options, your WordPress tables have names like wp_posts or wp_users. There tables start with a default prefix “wp_”. For hackers, the ability to predict anything can provide an extra advantage. These tables contain all vital information about the website and can prove to be lethal

How to defend against it?

To avoid the predictability of guessing the database prefix tables, change the prefix of the WordPress tables. Though this method is not that good when you are being attacked by a Savvy Hacker, but it will keep you safe from script kiddies.

How to change Table prefix while Installing WordPress?

If you’re installing WordPress and you haven’t run through the install process, changing your table prefix is incredibly simple. During the install process, just set the Table Prefix to anything you’d like:
secure wordpress website by changing table prefix
secure wordpress website by changing table prefix
In case you have already installed WordPress with default table prefix, then download Change DB Prefix plugin and change the current table prefix.
This plugin is mainly useful if you have not changed the database default prefix (wp_) at installation time and want to change afterwards so it is possible by this plugin. With use of this plugin, you can easily replace your database default prefix or prefix to other keyword and you don’t need to change manually.
Download it from here: http://wordpress.org/extend/plugins/db-prefix-change/

5). Brute Force Attack

A common threat web developer’s face is a password-guessing attack known as a brute force attack. A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until you discover the one correct combination that works. If your web site requires user authentication, you are a good target for a brute-force attack.
An attacker can always discover a password through a brute-force attack, but the downside is that it could take years to find it. Depending on the password’s length and complexity, there could be trillions of possible combinations. To speed things up a bit, a brute-force attack could start with dictionary words or slightly modified dictionary words because most people will use those rather than a completely random password. These attacks are called dictionary attacks or hybrid brute-force attacks. Brute-force attacks put user accounts at risk and flood your site with unnecessary traffic.
Hackers launch brute-force attacks using widely available tools that utilize wordlists and smart rulesets to intelligently and automatically guess user passwords. Although such attacks are easy to detect, they are not so easy to prevent.

How to stop Brute-Force login Attempts?

You can start by using strong password. Always use a longer and password consisting of alphanumeric letters. It will take longer for a brute forcing tool to login.
There is another way to block brute-force attacks is to simply lock out accounts after a defined number of incorrect password attempts. Account lockouts can last a specific duration, such as one hour, or the accounts could remain locked until manually unlocked by an administrator. However, account lockout is not always the best solution, because someone could easily abuse the security measure and lock out hundreds of user accounts.
Another solution is to lock out an IP address with multiple failed logins. The problem with this solution is that you could inadvertently block large groups of users by blocking a proxy server used by an ISP or large company.
Other techniques you might want to consider are:
  • For advanced users who want to protect their accounts from attack, give them the option to allow login only from certain IP addresses.
  • Assign unique login URLs to blocks of users so that not all users can access the site from the same URL.
  • Use a CAPTCHA to prevent automated attacks (see the sidebar “Using CAPTCHAs”).
  • Instead of completely locking out an account, place it in a lockdown mode with limited capabilities.
  • For advanced users who want to protect their accounts from attack, give them the option to allow login only from certain IP addresses.
  • Assign unique login URLs to blocks of users so that not all users can access the site from the same URL.
  • Use a CAPTCHA to prevent automated attacks (see the sidebar “Using CAPTCHAs”).
  • Instead of completely locking out an account, place it in a lockdown mode with limited capabilities.

6). Nulled Plugins and Themes

Sometimes users want premium theme and plugins for free and for this they go to the unofficial market place. There they find premium themes and plugins and download them for free, But mostly all the themes and plugins are nulled. It means that they have black code in them. They are usually backdoored and can be used anytime as a shell to upload stuff on the web server and deface the website.

How to avoid it?

Download themes and plugins only from verified and trusted source. Like themeforest.net or pluginJungle etc.

1 comment:

  1. Enewmall, Online marketplace for selling and buying of products. cell phone cases and covers are 100% free, cheap ,no monthly fee, no listing fee, no sellers” fee, no transaction fee.
    Cell Phone Case

    ReplyDelete