WordPress is the most used Content Management System (CMS) on the Internet today. Many small and large businesses use WordPress for a multitude of reasons, including e-commerce, blogging, publishing news, socializing, and more. Although there are many options out there for building and managing a website, WordPress is extremely convenient and easy for most users that simply just want to stand up a website and get content published.
However, one of the biggest challenges that organizations and even individuals face is securing their WordPress instance. Being that it is indeed the most used today, attackers are constantly scanning WordPress instances to find security vulnerabilities and ways to gain unauthorized access. The fact that WordPress websites support plugins to increase functionality also increases the overall attack surface, providing attackers with more opportunities to eventually target one of them.
Web Application Firewall
One of the most effective ways to help prevent attackers from performing malicious actions against your instance is by utilizing a firewall that can detect abnormal behavior. There are a few different ways to accomplish this:
Software / Hardware Application Firewall
There are many WordPress plugins that are designed to serve as a firewall. One of the plugins that we've seen implemented in many instances is WordFence. After setting up the plugin in a test environment, we were able to determine many effective ways to utilize this plugin to secure your WordPress instance. One great feature in particular is that you have the ability to set up whitelist and blacklist rules, which works great for detecting malicious traffic. This is only one of many effective ways to prevent malicious activities against your instance.
One plausible scenario is that you can set up rules to block users that are continuously receiving HTTP 404 Not Found statuses. In many cases when malicious attackers are scanning a WordPress instance for vulnerabilities, vulnerability scanners are used and they leverage wordlists to attempt brute forcing hidden directories, themes in use, and even user accounts. These scanners typically generate at least several HTTP 404 Not Found errors over a period of a few minutes.
It should be noted that implementing such a rule would require administrators to perform a review of their instance to ensure users cannot receive HTTP 404 Not Found statuses under normal browsing activities. For example, if your website contains broken links and users visit run across these links, then this could potentially block legitimate users from visiting your site. There are many ways to determine if your website contains broken links – by leveraging online tools, browsing your site and visiting every URL visible, or even just clicking every link visible in your site map to see if there are other links present that may be dead.
Another plausible scenario would be to block any users that visit legitimate URLs that only authorized networks should have access to. For example, if an unauthorized user is browsing to the login page and they are not using a trusted source IP address, this is indicative of a user that is up to no good and potentially snooping around your site. In this case, you can add a whitelist to only trust users from a particular source IP address. In addition, you could temporarily block any users that are outside of this source IP address to hopefully deter attackers looking for an easy way in.
It should be noted that all rules implemented to restrict abnormal behavior should be implemented carefully to ensure that legitimate users do not accidentally get blocked from visiting your site.
Software / Hardware Application Firewall
As an alternative to using a plugin, your organization may find use in a software or hardware firewall that also monitors for such malicious traffic. These firewalls can provide just as much, if not more, functionality as plugins and may be more stable in some instances.
Multi-Factor Authentication (MFA) is one of the most critical means of protecting account authentication credentials. MFA essentially ensures that users cannot just login to your account by simply having your password. Due to the numerous ways that malicious attackers can obtain your user account credentials, implementing MFA is extremely critical to adding an additional layer of protection against your user account.
Although MFA plays a pretty significant role in helping protecting your user account, it should be noted that security researchers have discovered many ways to bypass MFA in some instances. For example, if you've previously authenticated to a website that require MFA and the application only validates your authenticity by tracking your user cookie, an attacker could steal these cookies if they have access to your system or through a man-in-the-middle (MitM) attack in some cases. Despite the possibilities of bypassing MFA, implementing this will reduce the overall chances of a successful account compromise.
Plugins are a convenient way to expanding the capabilities and functionality of WordPress sites. However, there are a significant number of security researchers that are hunting for vulnerabilities that exist in these plugins. As a result, the manufacturer of these plugins are constantly releasing patches on a regular basis. If your installation has been left unattended for even a week, most likely you will return with a number of plugins that require updating. Given the frequency of security vulnerabilities being released, it is absolutely critical to ensure your plugins and every component of your instance is up-to-date.
A honeypot is an environment, or a "trap", that is essentially only put in place to catch attackers that are up to no good. This could be a network segment, web application, or even a button that legitimate users should essentially never see or click. Malicious attackers are always looking for "hidden" areas on applications and enumerating services and applications for additional information that may be beneficial for them while performing an attack. Depending on the sensitivity and criticality of the data housed behind your WordPress instance, setting up honeypots may be beneficial.
Protecting your website from malicious attackers can be a challenge, especially considering that security vulnerabilities are discovered on a daily basis, sometimes multiple on the same day. All it takes is for one security vulnerability to be exploited and, depending on the data housed within your application and database, sensitive information could be revealed. Additionally, the successful exploitation of some vulnerabilities could even result in your website becoming unavailable to service legitimate requests or even limited to full access to the system hosting the application.
Part of our managed security and attack & penetration services include assessing your organization for security vulnerabilities, covering a number of environments – application, mobile app, wireless, internal, external, and more. Rather than your network staff having to continuously perform vulnerability scans and stay up-to-date on critical threats, our security experts can provide assistance and perform these tasks for you. Reach out to us to find out more information about how we're able to assist your organization with staying one step ahead of malicious attackers.
About Vonahi Security
Vonahi Security is a cybersecurity consulting firm that offers modern consulting services to help organizations achieve both compliance and security best practices. With over 30 years of combined industry experience in both offensive and defensive security operations, our team of certified consultants have experience working with a significant number of organizations, industries, networks, and technologies. Our service expertise includes Managed Security, Adversary Simulations, Strategy & Review, and User Education & Awareness. Vonahi Security is headquartered in Atlanta, GA. To learn more, visit www.vonahi.io