Last updated on October 3, 2020
As time goes by this domain gets bigger and bigger… Thanks to you! With less than a year of life, Google Analytics has notified me that in March I surpassed the one thousand monthly users.
This is great news, but at the same time it has made me think that I should retouch a couple of things about blog security to be completely happy. After all, it’s a crime for a cybersecurity blog to lack it. For this reason, today I bring you the steps I have taken to secure wordpress.
Strong passwords and updated services. That’s the foundation on which everything else must be built. Be sure to periodically visit the admin panel to update any plugins, or new wordpress versions. That way you will prevent an attacker from exploiting a known vulnerability in an older version.
When creating users, wordpress indicates how secure the password you choose is. Make sure it is a strong password. If you want more information about strong passwords, I recommend you read this entry.
The top priority was to move from http to https. When you browse through http, the data is not encrypted. If there are sensitive information in those data, such as users or passwords, anyone who listens and intercepts the communication will be able to make use of that information and even modify it. Although it is true that in this particular case I do not offer the possibility of registration or login on my blog, it is still important to keep encrypted communications.
Through the https protocol, communications between the server and the client are encrypted, so no one who does a man in the middle will be able to obtain sensitive information. However, encrypting communications is not enough to obtain true security, since the authenticity of the server has not been demonstrated. Even if your connection to a server is encrypted, if that server has supplanted the legitimate one, it could be done with all the information you send while you think it is the real one.
To avoid these phishing attacks, SSL certificates are created. These certificates are proof that a certifier certifies that you are who you say you are. Therefore, this protocol is based on trust in third parties. There is a set of globally recognized certification bodies, and if one of them tells you that they trust that server, then you must do it too. But this method also has its drawbacks. There is a possibility that they hack into a certification body and start issuing false certificates. However, this is more complicated and easier to detect and eradicate, so this is the method used today to authenticate communications.
Today it is very easy to get one of these certificates, thanks to certification authorities such as Let’s Encrypt, which offers free X.509 certificates automatically, which greatly reduces the complexity of manual creation, validation, signing, installation and renewal of certificates.
From my hosting I simply had to press a button, but in a linux web server only a couple of commands are necessary to obtain the certificate.
Once you have the certificate, just install in wordpress the plugin “Really Simple SSL” to force all communications through https, and that way all links to the old web that led to http redirect to https and continue working.
Under the premise of having updated both wordpress and all the plugins we have installed, the biggest weakness we can find is in authentication.
Using the Google Captcha plugin, which adds a small challenge to verify that you are human, we prevent an attacker from using brute force to try to find out administrator credentials.
In addition, thanks to installing this plugin I’ve also gotten rid of the spam that bots usually leave in the comment box of each post.
When you install a wordpress, you always create a default user account called Admin, which has all the privileges. Knowing the name of the user account, it is easier to get the credentials, because you only have to try to find out the password.
It is very easy to check if a wordpress has the Admin account enabled or not, since wordpress allows the enumeration of users. You only have to try to authenticate yourself as Admin by entering any password. If you get an error message saying “Invalid user name”, it does not exist. But when the user is correct, an error message like the following appears:
As it is one of the first things you look at when attacking a wordpress, I’m going to “change the name”. It’s not possible to modify the user’s name once created, so I’ve removed the Admin user and created another one with administration privileges.
By implementing Google Capcha, I have already made sure that no one can do brute force by automating the entry of passwords with some program. But what if my password is more guessable than I think it is? What if a human begins to test and test, clicking correctly on the captcha?
The best solution to avoid this is to limit failed login attempts. If someone tries to access and fails a number of times, say 3, then the user is blocked, so that you can no longer attempt access. A message will be sent to the real user’s email address, and he will be able to login again.
To implement this in wordpress there is a plugin called Loginizer.
As I commented in the user modification section Admin, wordpress allows by default the user enumeration through its error messages. However, with the previous plugin, Loginizer, we can modify these error messages so that they do not reveal any information.
Finally, one of the best security plugins is wordfence, a monitoring tool that allows you to check the security of the wordpress, analyze it for malware and detect malicious injections, since it acts as a firewall:
In addition, this tool also prevents brute force attacks on the login, as Loginizer does. And without a doubt the most useful thing is the security notifications. Every time a plugin needs to be updated or any security incident occurs, it notifies the administrator via email. And once a week, it sends an email with all the incidents produced:
With these changes my website already has the basic security necessary to be protected against possible attackers.