The popularity of the venerable WordPress web framework makes it a common target for malicious hackers. Fortunately, by this point WordPress is mature and has been audited from a security standpoint. When a security vulnerability is discovered, the WordPress developers push an update, and your WordPress install can be updated to keep itself secure.
Some WordPress administrators start running into problems with this update process when they install third-party plugins and custom themes. Because these third-party add-ons lag behind the development of WordPress itself, administrators sometimes forgo automatic updates, since an update can break the site through an incompatibility. For this reason you will want to be discriminating in the plugins and themes you install.
Here are some steps you will want to take when choosing a plugin:
- Find it on the official wordpress.org plugin website
- Look at the user ratings and read the reviews. How many active installations does it have?
- When was the last update? How often is it updated?
- Check to make sure it is compatible with your version of WordPress
- Take a look at the support forums and the plugin documentation
There is also a known security vulnerability in the default configuration of WordPress. It lies in the XML-RPC interface (xmlrpc.php), which was used for managing a WordPress website from a mobile app. Unless you are running an old version of WordPress, this functionality has been replaced by the newer REST API, so you will want to disable XML-RPC in order to properly secure your website.
To disable XML-RPC on an Apache server (.htaccess files are only honoured by Apache, and only where AllowOverride permits them), open the .htaccess file in your WordPress root directory and put this code in it:
# Block WordPress xmlrpc.php requests (Apache 2.4 syntax first, 2.2 fallback)
<Files xmlrpc.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Files>
Once you have changed and saved the .htaccess file, the web server will refuse every request for xmlrpc.php, and your WordPress website will no longer be vulnerable to DDoS and brute force attacks via XML-RPC.
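A quick way to confirm the block is really in force is to request xmlrpc.php from outside and look at the status code: a 403 means the web server refused it, while a 405 (on GET) or 200 (on POST) means WordPress itself answered, which is what you see when the server is nginx or AllowOverride is off and the .htaccess file is silently ignored. The script below is an added example, not part of the original post; it assumes curl is installed and that SITE is set to the URL of a site you administer.

```shell
#!/bin/sh
# Added example (not from the original post): verify from the outside that
# the .htaccess block on xmlrpc.php is actually in force.
# Assumes curl is installed. Set SITE to your own site's URL before running.

# Interpret the HTTP status returned for /xmlrpc.php.
# 403 (or 404/410) means the web server refused the request: blocked.
# Anything else (405 on GET, 200 on POST) means WordPress answered: NOT blocked.
xmlrpc_status_blocked() {
    case "$1" in
        403|404|410) return 0 ;;
        *) return 1 ;;
    esac
}

# Request /xmlrpc.php with the given HTTP method and print only the status code.
# curl prints 000 when the connection itself fails.
probe_xmlrpc() {
    site="$1"; method="$2"
    curl -s -o /dev/null -w '%{http_code}' -X "$method" \
        --max-time 10 "${site%/}/xmlrpc.php"
}

# Probe with GET and POST and report; returns 0 only if both are refused.
check_site() {
    site="$1"; rc=0
    for method in GET POST; do
        code=$(probe_xmlrpc "$site" "$method" || true)
        if xmlrpc_status_blocked "$code"; then
            echo "$method /xmlrpc.php -> $code (blocked)"
        else
            echo "$method /xmlrpc.php -> $code (NOT blocked: .htaccess ignored? nginx host?)"
            rc=1
        fi
    done
    return $rc
}

# Only probe when SITE is set, e.g.:  SITE=https://www.example.com sh check_xmlrpc.sh
# (example.com is a placeholder; use your own site)
if [ -n "${SITE:-}" ]; then
    check_site "$SITE"
fi
```

If the script reports NOT blocked, the .htaccess file is not being applied and the block has to be done in the web server's own configuration instead.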