
How To Prevent Attacks Against Your WordPress Account


Almost everyone is familiar with WordPress, one of the most popular content management systems (CMS) in the world. It is widely used because it is easy to use and free, and it lets its users install and manage plug-ins and themes developed by its volunteer community.

Because it is free and easy to use, this CMS also has many loopholes, especially where system security is concerned. Below are some attacks that have targeted WordPress, followed by preventive steps you can take against these vulnerabilities.


What is WordPress?

Before looking at the steps you can take to close loopholes in the WordPress system, you should know something about WordPress itself. WordPress is one of the most popular CMS platforms among web developers because it is easy to use and open source. According to W3 Techs, it is used by 28.8% of websites worldwide.

Web pages are built with HTML, but with this CMS you do not have to create everything from scratch. If you simply want to publish content without writing HTML yourself, WordPress is an excellent choice.

Cases of attacks targeting WordPress

Because this software is open source, attackers can study its code as freely as developers can, and the CMS has become a frequent target for intrusion. The following are some attacks that have occurred with WordPress as their main target:

1. DDoS attacks exploiting the Pingback function in 2014

WordPress has a built-in function for accepting link notifications, known as pingbacks, and it is enabled by default. A pingback is sent when another blog links to one of your posts: it carries the URL of the referring page so that you are notified of the reference.

The function is controlled from the WordPress dashboard under Settings -> Discussion, through the options “Try to notify all links included in this post” and “Receive new posts from other blogs (Pingback – Trackback)”. Both settings are enabled by default in WordPress.

By abusing this function, an attacker sends a very large number of pingback requests so that the target site is flooded with traffic and becomes unavailable. This is not a malware infection; it simply takes advantage of a loophole in an existing WordPress function.
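One way to switch the function off in code, as an added example that is not from the article: a must-use plugin (placed in wp-content/mu-plugins/, a name and location assumed here) that removes the pingback XML-RPC methods, stops advertising the endpoint in the X-Pingback header, and closes pings on all posts.

```php
<?php
/**
 * Plugin Name: Disable Pingbacks
 * Description: Added hardening example (not from the article). Place this file in
 *              wp-content/mu-plugins/ so it loads before ordinary plugins.
 */

// Remove the pingback methods from the XML-RPC server so that incoming
// pingback.ping requests can no longer make this site generate requests.
// Note: the xmlrpc_enabled filter alone does not cover pingback.ping,
// because that method does not require a login.
add_filter('xmlrpc_methods', function (array $methods): array {
    unset($methods['pingback.ping'], $methods['pingback.extensions.getPingbacks']);
    return $methods;
});

// Stop announcing the XML-RPC endpoint in the X-Pingback response header.
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});

// Report pings as closed for every post, regardless of the per-post setting.
// This is the code equivalent of turning off "Receive new posts from other blogs".
add_filter('pings_open', '__return_false', 10, 2);

// Make new posts default to not sending outbound pingbacks, the code
// equivalent of turning off "Try to notify all links included in this post".
add_filter('pre_option_default_pingback_flag', '__return_zero');
```

Only the pingback methods are removed, so XML-RPC clients that need the other methods keep working.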

2. Attacks caused by REST API processing in January 2017

WordPress 4.7.0 and 4.7.1 contain a vulnerability that allows attackers to tamper with posts by sending specially crafted requests. It was found in January 2017 and was a serious problem for WordPress.

The loophole lies in the permission check for editing content: users who do not have the right to edit a post could nevertheless rewrite its content simply by including certain character strings in the request.

On learning of this, WordPress.org promptly released a patch for the loophole and issued a warning to its users. For many sites, however, it came a little too late: attackers had already managed to damage the files of many site owners, as shown by the 1.55 million cases discovered.

So what steps should be taken when a loophole is found in the WordPress system?

When a system loophole is found, the steps you can take include the following:

1. Upgrade to the latest version

The first step is to upgrade your WordPress version regularly. The WordPress dashboard shows a notification whenever an update is available, so check it and apply updates promptly.

Before you update, make sure you have backed up your content data. Backup plugins are available for WordPress, including “BackWPup” and “UpdraftPlus”.

It is also very important to keep a copy of your content outside WordPress using the export function. Note, however, that depending on the recovery situation, links may need to be reconfigured after a restore. If you manage a lot of content, you therefore need to understand how each backup mechanism in WordPress works.

2. Don't use little-known themes or plug-ins

Development of little-known themes and plug-ins is often abandoned, and if a loophole is found in one, you will have a hard time getting it fixed, or it may never be fixed at all. We therefore recommend using themes and plug-ins that already have a good track record and receive frequent updates.

3. Use the anti-spam comment feature provided by the “Akismet” plug-in

Spam comments are one of the entry points for cyber attacks. That is why you should activate the “Akismet” plug-in, which is installed by default. It is recommended here because it is frequently updated.

4. Change your user ID and administrator password from the defaults

With the default setup, the administrator username is simply “admin”. If you leave it that way, you may well be exposed to brute-force attacks against the password, since the attacker already knows half of the credentials. Therefore, change your administrator user ID.

In addition, change your existing username and nickname to something else, and set the display name on your blog to the nickname, because otherwise the username is shown as-is on every blog article.
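A check for the conditions described in this step, as an added example that is not from the article: a must-use plugin (file location and the function name daa_audit_accounts are assumed here) that warns administrators on the dashboard when the default “admin” login still exists or when an administrator's display name or author slug is still equal to the login name.

```php
<?php
/**
 * Plugin Name: Default Account Audit
 * Description: Added example (not from the article). Place in wp-content/mu-plugins/.
 */

// Collect findings about accounts that still look like the defaults.
function daa_audit_accounts(): array
{
    $findings = [];

    // The default administrator login that brute-force tools try first.
    if (username_exists('admin')) {
        $findings[] = 'A user with the login "admin" exists. Create a new administrator, '
            . 'sign in as it, and delete "admin" (reassigning its posts).';
    }

    foreach (get_users(['role' => 'administrator']) as $user) {
        // display_name is printed on every article; user_nicename is the slug in
        // author archive URLs. Both default to the login name, which discloses
        // half of the credentials to anyone reading the blog.
        if ($user->display_name === $user->user_login) {
            $findings[] = sprintf('Administrator "%s" is displayed under the login name; '
                . 'set a different display name.', $user->user_login);
        }
        if ($user->user_nicename === $user->user_login) {
            $findings[] = sprintf('Administrator "%s" has an author URL slug equal to the '
                . 'login name; change the user nicename.', $user->user_login);
        }
    }
    return $findings;
}

// Show the findings to administrators as dashboard notices.
add_action('admin_notices', function (): void {
    if (!current_user_can('manage_options')) {
        return;
    }
    foreach (daa_audit_accounts() as $finding) {
        printf('<div class="notice notice-warning"><p>%s</p></div>', esc_html($finding));
    }
});
```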

5. Precautions against SQL injection and cross-site scripting

To guard against SQL injection and cross-site scripting, it is recommended that you use a cloud-based WAF (web application firewall). A WAF has proven effective at blocking such attacks and does not require specialist staff to deploy. Another advantage is that its protection is not limited to WordPress.

6. Do not display file listings in the web server settings

To prevent the public directory structure from being browsed with a browser or similar tool, review the settings of your WordPress installation and make sure the directory structure is not visible from outside. This is done through the web server's directory-listing setting that applies to the directories WordPress is installed in.

7. Restrict access to the dashboard login page (wp-login.php)

Access can be restricted in various ways by editing the web server's “.htaccess” file. However, this depends on your hosting arrangement: on a rented server, such restrictions may be set by the hosting company that manages the server.
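Where “.htaccess” is not under your control, the same restriction can be applied from inside WordPress, as an added example that is not from the article: a must-use plugin (file location, the function name rlp_ip_in_cidr and the allowlist ranges are assumed here) that allows wp-login.php only from an allowlist of addresses. It trusts REMOTE_ADDR, so it is only reliable when no reverse proxy or CDN sits in front of the server.

```php
<?php
/**
 * Plugin Name: Restrict Login Page
 * Description: Added hardening example (not from the article). Place in wp-content/mu-plugins/.
 */

// Return true when $ip lies inside $cidr (IPv4 or IPv6, with or without a /prefix).
function rlp_ip_in_cidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($subnet);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable, or IPv4 compared against IPv6
    }
    $maxBits = strlen($ipBin) * 8;
    $bits    = $bits === null ? $maxBits : (int) $bits;
    if ($bits < 0 || $bits > $maxBits) {
        return false;
    }
    $fullBytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

// login_init runs at the top of wp-login.php, before any form is rendered or processed.
add_action('login_init', function (): void {
    // Placeholder allowlist (documentation ranges): replace with your office or VPN ranges.
    $allowed = ['203.0.113.0/24', '2001:db8::/32'];
    $remote  = $_SERVER['REMOTE_ADDR'] ?? '';
    foreach ($allowed as $cidr) {
        if (rlp_ip_in_cidr($remote, $cidr)) {
            return; // permitted, let wp-login.php continue
        }
    }
    wp_die('Access to the login page is restricted.', 'Forbidden', ['response' => 403]);
});
```

Test the allowlist from a permitted address before relying on it, since a mistake locks every administrator out until the file is removed from mu-plugins.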

In summary, once a vulnerability is found in WordPress, we recommend that you respond immediately by checking whether your site has been affected, even though this can be quite difficult to do. The best way to anticipate such cases is to secure the site beforehand.
