Ultimate WordPress Security
The complete guide to securing your website against online attack

Copyright © 2021 Dermot Downey.

All rights reserved. No part of this book may be reproduced by any
mechanical, photographic, or electronic process, or in the form of a
phonographic recording; nor may it be stored in a retrieval system,
transmitted, or otherwise be copied for public or private use—other
than for “fair use” as brief quotations embodied in articles and reviews—
without prior written permission of the publisher.

To request permissions, contact the author at dermot@dermotdowney.com

To Kim, for your love, support and patience always.
Table of Contents

Introduction ...... 06
Knowing Your Enemy ...... 08
Principles of Security ...... 15
If Someone Contacts You ...... 22
End User Security ...... 28
Server Side Security ...... 36
Protect the Login ...... 53
Setting up a Staging Site ...... 71
Backups ...... 77
Patching ...... 93
User Management ...... 102
HTTPS Secure Connections ...... 111
Web Application Firewalls ...... 124
Disabling Plugins ...... 129
Continuous Monitoring ...... 133
Logging ...... 136
Conclusion ...... 140
About the Author ...... 142

Introduction

Since its release in 2003, WordPress has become the leading platform
for building and developing a website. It powers over forty percent
of all websites on the internet, and over 500 new WordPress sites
come online each day. WooCommerce, a popular ecommerce plugin,
is used in over thirty percent of all online shops, processing millions of
sales each year.

A 2013 study found that 30,000 websites get hacked every day, and
given the growth in the number of websites since then, this figure has
surely grown substantially. The public internet can be a battleground,
and putting your website out there means exposing it to a consistent
level of scanning, probing and attacking. And while hundreds of
thousands of WordPress sites do get hacked every year, the reasons
for the attacks are quite consistent, predictable, and preventable.

Having a presence on the internet is critical for businesses these days,
so the solution is to understand the threats that are out there and know
what the right steps are to protect against them. In this book, we will
cover the fundamental principles of security, how they apply to your
website, and the key aspects you need to focus on to protect against
a successful attack.

If you are a website owner, the framework within this book will help
you ask better questions about the security of your site and have an
informed conversation with your website developer about how it is
being managed. If you are a web developer, this book will provide
more information on how to correctly secure your clients’ websites
and implement proactive solutions for your clients, rather than having
to deal with the aftermath of a website breach. While the cost of
cleaning up after a website breach can vary greatly, an average figure
of $57,000 appears to be quoted often, and this is only set to increase.

As you begin to learn more about securing your site, you will find
the same principles can be applied to other areas of IT within your
business or home. Backups, patching, strong passwords, and limiting
user permissions, for example, apply equally well to other computer
systems. I would encourage you to explore where else you can apply
this knowledge too.

Knowing Your Enemy

If you know the enemy and know yourself, you need not fear the result
of a hundred battles.
If you know yourself but not the enemy, for every victory gained you
will also suffer a defeat.
If you know neither the enemy nor yourself, you will succumb in every
battle.
—Sun Tzu, The Art of War

Sun Tzu was a Chinese general, military strategist, writer, and
philosopher who lived around 500 BC. His most potent contribution to
history was his writings on military strategy and tactics, collected in a
work called The Art of War. The Art of War has been a highly influential
text shaping military and business thinking for thousands of years, and
many passages are equally applicable in today’s online age as they
were to ancient Chinese battlefields.

The field of computer security is often seen through the lens of a
battlefield. Aside from actual attempts to militarise the internet by
modern nation states, there has always been the concept of attackers
trying to find weaknesses in your online assets (your website) and
take advantage of them. One key concept in any battle is knowing who
is attacking you—or could potentially be attacking you—in order to
understand them, their tactics, and prepare a suitable defence.

Let’s take a look at who we are defending ourselves against, why they
are attacking, and answer the question of why me?

Putting your website out onto the internet means exposing it to the
ongoing drone of attack activity that is part of the background noise
of the internet. This year, hundreds of thousands of websites will have
someone successfully break in and attack their site. For the companies
that remove malware infections and restore hacked websites, three
quarters of the time they find it was a WordPress site which was
involved. Does this mean then that WordPress itself is insecure?

WordPress is the world’s most popular platform for building websites,
being used for many high traffic sites such as The New Yorker, BBC
America, Sony Music, Mercedes Benz, and websites for artists like
The Rolling Stones, Katy Perry, and Snoop Dogg.

WordPress is a Content Management System (CMS), meaning you
can create, modify, and manage your website via a human-friendly
interface without specialised technical or coding knowledge—though
possessing that knowledge can be beneficial. There are many CMS
platforms for building websites, including Joomla and Drupal, but
WordPress dominates with over sixty-five percent of market share.

What makes WordPress so popular is not only its cost (free), but its
ease of use overall. It provides a way for non-technical users to quickly
set up an attractive, powerful, and fully functioning website using
clickable menu options and drag and drop features.

But the features that attract users are also what make WordPress
such a focused target for attackers. Criminals go where the crowds are, as it
increases their chances of success. Also, the very fact that WordPress
is so easy to use means you often have inexperienced administrators
running sites without realising what is required to manage and maintain
them on an ongoing basis, especially when it comes to online security.

In general, the term hacker is commonly used to describe someone
who maliciously breaks into websites and computer systems. But a
hacker, traditionally speaking, is someone who, when faced with a
problem, finds a workaround or solution to it. Legitimate computer
programmers wear the term with pride, as it implies ingenuity and
creativeness in solving problems.

The term began to gain negative associations when the ‘problem’ to
be overcome was that of security, and programmers desired access to
restricted areas of computer systems. Though it has been adopted into
everyday language as meaning someone who breaks into computers,
many people argue that ‘hacker’ should not imply malicious intent,
and so other terms were devised.

A cracker is a bad actor, someone looking to break into computer
systems for malicious reasons. Derived from the term used to ‘crack’ a
password, the term hasn’t achieved mainstream acceptance.

An attacker is another term that describes someone with both malicious
intentions and actions. Conjuring up militaristic images, there is no
ambiguity over whether this individual is here to fix something in a
creative way or wreak havoc on our website. Throughout this book,
this is the term I will be using as much as possible to describe the
people you will be defending your site against.

Let’s take a look at who some of these people are.

Criminal groups attack websites to exploit them for financial gain.
They will seek to redirect payments from your ecommerce store, inject
ads, or insert their own affiliate links in your posts. In a worst case
scenario, they may attempt to run malware known as ransomware,
which encrypts and scrambles all of the content on your server, and
then charge you a fee to restore it.

Hacktivists are people who have political or religious motivations in
mind. These groups will often deface websites, putting up images or
slogans that support their cause in order to promote it to your audience.

Depending on the industry you are in, businesses have been known
to actively engage freelance computer programmers to attack the
websites of their competitors, and there are many services online
offering hackers-for-hire. These are very targeted types of attack, and
thankfully most companies treat computer security as a non-competitive
space. Most companies feel there are more than enough attackers
to go around already, but it should not be ruled out—particularly in
industries such as gambling.

Finally, the stereotypical idea of a bored teenager in their room hacking
away at online servers is very much real. Computer programming is an
area for teenagers to prove themselves and develop their skills. If they
succeed in breaking into a website, they can often deface it, though
some do try to exploit this to benefit financially. There are just as many
individuals who notify the website owner in order for them to fix the
issue, improve the security of the website, and make the internet a
better place. We will look at this practice in greater detail in a later
chapter.

Whether the attackers you face are groups or individuals, the vast
majority of attacks on your website will come from automated scripts
or programs which scan the internet for websites they can break into.
These automated scripts run twenty-four hours a day, seven days a
week, and allow the person who runs the script to ramp up the number
of sites they can attack to a massive scale. The attacker also need
not get involved personally until they have a successful hit on a
website.

Once someone has access to your website, what do they do with it?

• Defacement – A popular option is to deface it in some way, to show
they were there. This can be done by replacing the front page with
a religious or political image, or the logo of a hacking group, similar
to spraying graffiti on a shop front.

• Affiliate Links – Insert or replace links in your posts, so they benefit
financially when someone clicks on them.

• SEO Spam – Attackers flood your posts and pages with hidden text
and links in order to boost the SEO ranking of other sites. Google and
the other search engines are aware of this tactic and ignore it for
ranking purposes, but will instead mark your site as infected and show
a red warning page when someone tries to reach your site from a
Google search result.

• Redirects – This changes your site so that anyone visiting your
site is automatically redirected to a different site, usually related to
drugs, pornographic content, or gambling, for which the attacker
will get referral bonuses.

• Ads – An attacker may infect your site with ads that will pop up as
your visitors browse your site. Again, these are usually related to
drugs, adult material, or gambling.

• Malware – Attackers can upload malware which will infect the
computers of people who visit your site. It will also copy itself to
other websites which are being hosted on the same server so it can
infect their visitors as well.

• Extortion – An attacker may try to use the content of your website
against you. They may steal private data and threaten to leak it, or
encrypt the database so you can’t use it anymore, and then demand
a monetary ransom in return for not leaking, or for unlocking, that data.

• Attack other sites – If an attacker can get access to the server
running your website, they can use the resources of the server to
launch attacks on other online services or send masses of spam
emails. As their attacks are launched from your server, it would look
like it is you doing the attacking, which allows the attacker to hide
their identity.

Nothing an attacker will do is to your benefit. Some of the impacts to
your site are:

• Regulatory requirements – If your site gets breached and you
host any sort of personally identifiable data, under GDPR you are
required to notify both the data regulatory authority in your country
and your customers. This is an uncomfortable thing to admit,
and can lead to fines, angry responses from customers, and even
civil litigation.

• Warning pages – When someone tries to visit your site from Google
or another search engine, they may be shown a warning page instead;
where a search engine does not put up a warning page, it may drop
your site from its search rankings altogether.

• Site Suspension – Your hosting provider may suspend your
website until you clean up the infection.

• Brand reputation damage – Visitors get the perception that you are
promoting adult or gambling sites, or that you are not serious about
security. It is embarrassing to be informed that your site infected
someone’s computer with malware, as they hold you responsible
for it. Security is a big trust factor for websites these days; so if
people perceive that you are not serious about it, it affects their
opinion of your brand.

• Downtime – You may have to take your site offline for a number of
days while the infection gets cleaned up and you restore
functionality. In this time, you lose the income from the site and
customers go elsewhere for the products or services you are
offering, meaning lost revenue.

• Lost time – Suffering a hack costs you more than money. You
have to divert your focus into cleaning up the site, hiring security
professionals or website developers, dealing with hosting providers,
moving your site if necessary, and so on. This all involves taking
time and energy away from what is most important, such as selling
your products or creating content to spread your message.

Why Me?

The question often arises: ‘Why would someone attack me? I only run
a small online shop or blog’. In reality, any website is of interest to an
attacker and attacks are almost never personal. The vast majority of
them are opportunistic, and done via an automated script or program
searching the internet for websites it can break into and infect.

No matter how big or small your organisation is, attackers don’t care
about your site specifically. If they can exploit it to spread malware,
attack your audience, make a statement, or make a financial gain for
themselves, then that’s what they are interested in. If you are running
an online shop, you will be targeted. It only takes a few days for a newly
registered site to begin receiving attack traffic, so early, proactive steps
are vital to protect yourself.

Principles of Security

Security is not a thing you do; it is an approach, an attitude. It’s a way
of thinking, ‘There’s smarter people out there than me, and I don’t
know how they’re going to do it, but I’m going to be prepared.’

Throughout this book, we will be looking at how to keep your WordPress
website secure on the internet. But what does ‘secure’ mean? Yes, we
want to stay protected from infection, but rather than installing a bunch
of security plugins onto your site, let’s take a step back to understand
what we are trying to do and how we are going to keep out the bad
guys.

Risk

It is possible to commit no mistakes and still lose. That is not a weakness.
That is life.
—Jean-Luc Picard, Star Trek

Everything in security is based on managing risks. When it comes
to securing your website from cyber threats, you have limited time,
money, and energy to spend; so where do you begin? There are many
different ways of attacking a site, and equally as many plugins that
you can install to protect it. But on the whole, every action you take to
secure your site is aimed at doing one, or both, of two things:

• Reduce the likelihood of a successful attack
• Reduce the impact of a successful attack

By looking at these two elements, what you are doing is measuring
risk. If you reckon, or can measure in some way, that the likelihood of
your site being attacked is high and the impact of such an attack to
your business or online presence is high, then you can say that the risk
to your site is high. Likewise, if you can reduce either or both likelihood
and impact, your risk of attack is lowered.

When applying your security mechanisms, then, you begin with your
higher risk areas, as these are where you are less prepared, and focus
your efforts and resources on those ahead of lower risk areas.

Note that while we aim to reduce the risk to your site as much as is
possible, you cannot ever totally eliminate it. That is to say you can
never truly be 100% secure. There is always the possibility that an
attacker will come up with a new, clever attack tomorrow that no one
has thought of before and use it against your site. There is always a
risk to your site, even if it’s one that you never would have considered.
What would happen if tomorrow your web hosting company suddenly
went bust and turned off all of their servers? It may not be an attack in
the traditional sense, but it would bring your site offline and certainly
would have an impact on you. Are you prepared for it?

So, your goal here is risk reduction, not risk elimination. The more
security you apply, the more it costs you. Eliminating risk entirely would
involve 100% uptime, hosting your website on multiple servers distributed
across the globe using massive bandwidth connections for DDoS
protection against the largest traffic floods, going back to college to
learn to code so you can personally review plugins to ensure there are
no vulnerabilities, and so on. So rather than eliminating risks, you
manage them by choosing a respectable and responsible host,
configuring your site appropriately, and putting sufficient measures in
place like backups and rapid or scheduled patching to achieve a
cost-effective level of security.

Do all that is reasonably possible within your budget, expect it to fail,
and plan accordingly.

Attack surface

The second principle of security involves reducing what is called
your attack surface. This term is used to describe all the points
which an attacker could use to get into your site, and the less
there is to attack on your website, the better.

WordPress has enjoyed massive growth and popularity due to its
flexibility and ability to be heavily customised. There are over 58,000
plugins available in the official WordPress store alone, and it can be
tempting to install many of them to add feature upon feature to your
site. There is some debate over the maximum number of plugins you
should install, and whether they affect site loading and performance.
From a performance perspective, the number of plugins is not as
important as the quality of their code, i.e. how well they have been
written. From a security perspective though, there is no doubt that the
more plugins you install, the more potential vulnerabilities you expose
yourself to.

It is often stated that all software contains bugs, though that is not
to say that all of those bugs make the software vulnerable to attack.
Where a vulnerability is discovered, developers often try to get a patch
out as soon as possible, but sometimes they only become aware of a
vulnerability once attackers have exploited it to break into websites. In
such cases, there will always be some victims, and the update is then
about containing and limiting the extent of the problem.

So, even regular patching may not protect you. But if that piece of
software or plugin isn’t installed on your site, you were never exposed
to the risk in the first place.

Your aim should be to reduce the plugins you use to just those that
you need and no more. A recent study of 50,000 websites found that,
on average, there were twenty-three plugins installed per site. If you
have a lot of advanced features on your site, you could expect to need
and use over fifty plugins. The very popular wpbeginner.com site uses
sixty-two active plugins. It is also important to be aware that more
plugins means more troubleshooting if something odd starts to happen
on your site, and you will have to disable and selectively enable them
one by one to locate the source of the problem.

But your first and primary concern is to get your site working the way
you want it to. It is important that security does not dictate what you
can accomplish with the site, but rather enables and supports your
endeavours in a way that reduces your risk of attack. If you need fifty
plugins or more to get the full features out of your site, then that is what
is needed. The next question should be: ‘How do we do it securely?’

Defence in Depth

The most effective security is achieved through using the principle of
Defence in Depth. This is a practice where you are not dependent on
a single mechanism, but rather have multiple layers of security. Here
you are planning for failure, planning for an attacker to defeat one of
your defences, and ensuring there is something else in place limiting
what they can do.

It is often said that security should be considered more in terms of
an onion than an egg. An egg presents a hard exterior to the outside
world, but one swift crack and you’re straight into the gooey centre.
An onion, on the other hand, has layers; and to get to the centre, you
have to get through each successive layer.

Consider the example mentioned above, where your web host suddenly
turns off all of their web servers. That’s okay, you have backups. Oops,
the backups were on the same server. That’s okay, you also have them
stored in your Google Drive.

If you receive an email containing an attached virus, you would be
considered the first security mechanism. You have to read the email
and judge whether it is malicious or not before opening the attachment.
If this security mechanism fails, then your computer’s security
mechanisms step in—the virus can’t install because you are not an
Admin on the computer, for instance. Say this fails also because you
are the Admin or enter the Admin password (you should be asking
yourself, ‘Why would an email attachment want to install itself on my
computer?’), then your anti-virus program steps in and blocks or
removes the offending file.

How many layers to put in place is something to be decided upon
based on risk (likelihood x impact). For your backups, while the impact
of Google Drive going down would be quite high, the likelihood of it
happening is very low, so you could deem that an acceptable level of
risk and be happy just to have backup copies saved there. Alternatively
you could say that you are not happy with having only one remote
backup copy, and so also send copies to Dropbox, and even save one
to your own server at home. Here, then, you would have to decide how
well multiple copies of backups could be managed, and whether there is
a risk of getting confused between them all when you need to restore
your site.

Security Never Ends

The final point to make is that security never ends. There are some
aspects where once you set your site up, you can forget about it—but
security is not one of those. Your site needs ongoing maintenance and
updates to ensure that it stays fully patched, backups are being taken
and tested, etc.

This is not to say that it requires daily or even weekly intervention
from you to stay secure. There are great automated features within
WordPress that take a lot of the maintenance out of your hands, such
as automated patching, firewall rule updating, and backups. No one
wants security to be your main job when running a site, but you do
need to be conscious of the ever-changing nature of online threats.
Attacks change rapidly, and new tricks and exploits are constantly
being developed to get around current defences.

But your greatest advantage is your own awareness and vigilance.
There are many people, both website owners and developers, who
assume that simply installing Plugin X is the golden key, and they are
now protected. But by staying alert to news of website hacks, looking
for details of how they happened, and asking, ‘Could that happen to me?’,
you can keep yourself and your business online and well-supported.

A note about the plugins used in this book

Throughout the book, I mention particular plugins and the role they
perform in securing your website. There are many plugins to choose
from in the WordPress ecosystem performing similar roles. The ones I
mention happen to be the ones I use on my sites and am familiar with,
but you may have different preferences. There are no affiliate links
used, nor do I earn a commission if you choose to use the plugins
mentioned in this book.

What is more important is that you understand the particular problem
or threat that needs to be protected against, and then choose your
preferred tool for the job.

At a number of points through this book though, I do offer my services
if you would like more help with securing your site. Websites are being
attacked every minute of every day, and I want to ensure that your
site and business are able to fend these off and stay online. If you are
interested in scheduling a free, no obligation 15-minute call, please visit
https://dermotdowney.com/index.php/call and we can discuss further.

If Someone Contacts You

A friend of mine runs a successful online health and wellness store, and
received an email from someone claiming to have found a vulnerability
on his site. There was a lot of technical detail in the email, including
mentions of customer details being hijacked, passwords being stolen,
tricking users into entering their details in the wrong places, and so on.
Quite scary stuff on the face of it!

My friend didn’t know quite what to make of it, or do with it, and so he
did what most of us would do—he ignored it. Life is a busy place at the
best of times. And then came the follow up mail: ‘Is there any update
about my bounty for finding this bug?’

As more digital products have come into our lives over the past few
years and our lifestyles have become more reliant on online services,
finding security bugs in them before the bad guys do has become quite
a priority. And given the complexity and severity of some of these bugs
and vulnerabilities, the companies making these products and services
don’t always have the time or resources to find them.

Bug bounties are where the companies ask security researchers and
programmers to test out and hack into their product to find ways to
break it, with the offer of cash payments once they find and responsibly
disclose details of the bug to the company. Originally, tech companies
looked with disdain on people who notified them of serious security
problems in their products. Apple was notorious for not responding when
notified of serious bugs and flaws in their products, and sometimes
even threatened researchers with legal action for not using the product
in strictly the way it was intended. After all, it meant work for them to
have to go in and fix these problems, which used up time and money.
They also potentially faced bad publicity if word got out about these
issues. And finally, fixing existing products distracted from getting the
next product out the door to paying consumers.

Eventually, with the explosion of online services and the embarrassment
from security researchers organising conferences to discuss and
publicise their findings, the big tech companies began to put in place
programs where researchers could disclose what they have found
quietly. In return, the company would commit to fixing it within a given
timeframe and reward them by paying them for their effort.

This has become quite a lucrative source of income for some especially
skilled hackers, but has also had the added effect of security researchers
looking elsewhere to see who can pay them for finding problems with
their sites or online services. There is a whole microcosm of
less-skilled hackers scanning the internet and websites now for problems
or vulnerabilities, and then seeking payment in return for details of
what they find.

This often comes with an implicit threat—if you don’t pay me for what
I have found, wouldn’t it be terrible if someone were to use it to bring
down your site?

At the same time, there are many security researchers who actively
seek out vulnerabilities and disclose these bugs discreetly to service
owners so they can be fixed. They believe in the openness and
community nature of the internet, and that helping to secure it benefits
everyone. One of the most active groups is the Dutch Institute for
Vulnerability Disclosure (https://www.divd.nl/), which has over 5,500
responsible disclosures to their name.

When Donald Trump was running for President of the US, they
discovered that his details were part of a database of LinkedIn user
accounts which had been stolen four years before, and released publicly
in 2016. They found that his LinkedIn password (yourefired) was also
being used for his Twitter account (note: password reuse), and set
about documenting and quietly reporting this to the US Government
authorities, as social media was a major part of his campaign efforts.

If you have an online presence and are contacted by someone claiming
to have found a flaw or vulnerability on your site, there is an established
process which is accepted as standard, and which puts you in control
of how to respond:

1. You ask the contact to provide full details of what it is they have
found, without disclosing it publicly or to anyone else; this is called
responsible disclosure. You can’t move forward unless you know
what the problem is, and maybe the ‘data leak’ they have found is
the free PDF you are giving away to customers who sign up to your
email list.

2. You get someone to independently verify the seriousness of what
it is that was found. While the bug may sound scary and serious, it
may require more work on an attacker’s part to actually exploit it,
and the gain for them may not be worth their time were they to do
so.

3. Finally, if your independent researcher agrees that a problem has
indeed been found, you decide what to pay the hacker. This may
seem like a great time to take the information and run, but on an
ethical level, the hacker has put time into finding and notifying you
of a problem which many others would not do.

Remember that all software will have bugs. All websites are
and will be at risk of some sort of attack. It comes down to the
security mechanisms you have put in place to account for these
(remember: defence in depth). In my friend’s case, what was
found was a feature all online stores would be exposed to, but
it would take a lot of work to exploit, and wouldn’t result in the
immediate access to customer details as was described in the
initial email.
You also have to judge the tone of the email. Was there an implicit
threat if you didn’t pay up, or was it done out of a genuine desire to
help? Remember, the power equation is all on your side, so these guys
are doing it without a guarantee of a payday, but what you get in return
is a more secure online presence.

If you are going to pay, base it on the seriousness of the problem and
what it would mean to you if someone were to exploit it (remember:
likelihood and impact).

Contact Information

One big problem security researchers come up against is how
to contact someone once they find a problem. A few years back, a
company called Cloud Pets put out a product which allowed parents
to record a message on an app and have it play back to their children
through a teddy bear. The problem was that all customer details and
2.2 million recordings were saved in a database which was accessible
from the internet and was not password protected.

Security researchers tried over a number of months to contact the
company and get them to listen, but it was too late and the database
was attacked and destroyed. The company went bust over this, and
there were legal cases over the breaches in data security, but the
problem of getting someone to listen is something that comes up in
the security industry consistently.

If you want to make it easier to be notified about security threats to your
online presence, put a specific section for this in the About Us section
of your website. It does not invite trouble to mention security concerns
on your site, and instead shows awareness and responsibility. You can
also have a specific email address that could be used to ensure you
receive alerts if someone does try to contact you.
Furthermore, there is a move to standardise a means for contacting
website owners about vulnerabilities. https://securitytxt.org/ details a
proposal to define the process for security researchers to disclose
security vulnerabilities securely. This involves placing a file in a known
location on your web site which contains details of the email to send
details of the vulnerability to, details for how to encrypt emails, and
links to your policy on handling security notices. Even having a specific
contact email or form on your contact page is a good thing.

Security concerns aren’t going away, and the more we come to rely on
the internet for our businesses and online lives, the more important it is
that we accept that vulnerabilities in our systems may well be present
and discovered. You need to make it easy for security researchers
to contact you and have a plan for accepting and reviewing such
notifications. The quicker you are able to respond to such emails, the
quicker you will be able to secure your website.

End of Chapter Checklist:

☐ Add a section to your site explaining how you can be contacted for
security concerns

☐ Engage with people who contact you regarding security
vulnerabilities; don’t ignore them

☐ Have a process for verifying the risks of what they have reported
with a trusted technical source

☐ Have a policy regarding compensation for notification of serious
vulnerabilities

End User Security

Amateurs hack computers; Professionals hack people
– Bruce Schneier, cyber security expert

In March 2016, John Podesta was busy working away on the electoral
campaign for US presidential hopeful Hillary Clinton when an email
popped up in his Gmail inbox. The mail, appearing to come from
Google, reported it had blocked someone in Ukraine from
logging into his account. Google is smart enough to know that, even
if the correct password is used, a new login from a location or country
you have never logged in from before probably means trouble, so they
often ask you to verify this new location first. Podesta was curious and
asked his IT team to take a look.

The campaign team replied saying that the mail looked legitimate and
recommended Podesta change his Google password—standard and
good advice, seeing as it looked like someone actually had his Google
password. Although the IT team sent him a link to reset his password
in their email, Podesta instead used the link which was in the original
email and set up a new password in the page that it brought him to.

It turned out that the email had not come from Google to begin with,
but from a team of Russia-based attackers. When Podesta set up a
new Gmail password, he did it through a copycat site the attackers
had set up, so they now also knew what his password was. What
followed was a seven-month period in which the attackers had access
to thousands of emails in Podesta’s Gmail account, which were then
released publicly in order to influence the outcome of the 2016 US
Presidential elections.

The following year, in the French Presidential election, the same thing
happened. The contents of Gmail mailboxes from five individuals
close to the Presidential candidate Emmanuel Macron were released
publicly in hopes of swaying the public vote.

What happened to each of these individuals was that they had fallen
foul of phishing emails, where legitimate-looking emails are sent to
people, instructing them to do something urgent and take some action
using a link provided in the email or a file attached to the mail. In the
cases above, the link brought the users to a page that looked very
similar to Google’s password reset page, but which was in fact set up
by the attacker, and thus they were able to see the new passwords
being entered.

While these stories are of very high profile people, the truth is that
this sort of attack happens every day to thousands of people across
the world. Phishing emails are still one of the most effective ways
of attacking an individual or organisation as they talk directly to the
person sitting behind the screen and the words can directly influence
you to do something. The phrasing of the email is used to gain your
trust, raise your curiosity, or exploit your fears of something negative
happening, ultimately leading to you clicking on the link or opening the
attached file.

File attachments in phishing mails will often turn out to be a computer
virus of some type, and commonly this will install what is known as a
key logger on your computer. A key logger is a small program that sits
quietly on your computer, watching and recording the sites you visit
and everything you type, including your passwords, and then sends
this data back to the person who sent you the virus. They can then
impersonate you by using your details to log into the same sites and
take control of your accounts.

What they are hoping to get are your bank details, and many people
and companies have had their accounts emptied as a result of this.
But if attackers can make money from breaking into your website as
well, then that’s what they will do. People have found their ecommerce
payments being redirected to different bank accounts, viruses being
planted to infect visitors to their site, or their website being used to
send spam emails; all as a result of losing control of their passwords.
Sometimes, the attacker may choose to deface your website, redirect
traffic to competitor websites, or simply delete the whole thing—just
because they can.

Attackers also know that people are typically lazy when it comes
to passwords, and use the same password across many different
accounts. So if they know the password you use for your website,
there is a good chance you use the same password for your social
media accounts, other online accounts, and maybe even your bank.
Known as Credential Stuffing, they then use automated programs to
try your account details to log in to numerous other online services,
and if you share passwords between your grocery shopping site and
your Facebook account, then they can take control of these from you.

Ninety-one percent of data breaches start with a phishing attack, and
the impact of a successful phishing attack can be quite high. There is
rarely one big red flag indicating that an email is a phishing attempt,
but rather a series of orange flags you raise in your mind as you read
it. To reduce the risk of it happening to you, it is important to learn to
recognise a suspected attempt:

• Do you know the sender? Many phishing emails are sprayed out
into peoples’ mailboxes in the hope that someone will click, and
typically a small percentage do. Be suspicious of mails coming
from people or companies you do not know or trust.

• Does the email address you personally? If a company is
legitimately emailing you, they will include your name in the
mail, and the content will be relevant to you. In general, phishing
mail attacks are not directed to you personally, and start with
a general greeting (‘Dear Sir/Madam’), and discuss something
not related to you (‘You have won our national lottery!’). There
are more targeted attacks, where the attacker has taken time to
personalise the phishing mails, but these are most often seen in
attacks against high-value websites or individuals as they take
time to research and personalise.

• Is the email trying to get you to click a link or open an attachment?
A phishing attack works if they can get you to visit or activate
the item they have sent you. Unfortunately, email is being used
as a common way to share links and files, so we are getting
used to doing this.

• A key element of a phishing attack is invoking a sense of urgency.
They want you to click the link or open that attachment now,
rather than waiting to think if it all makes sense. The mail could
be warning that an account is being frozen, a bank transfer is
about to take place, or an important mail is stuck in a spam
filter and will be deleted if you don’t take immediate action.
Whatever the case, they are looking to invoke an emotional,
knee jerk reaction and have you take action right away rather
than thinking about it, allowing yourself time to be suspicious or
double-check the information.

• Check for spelling mistakes, errors in phrasing, or anything that
doesn’t make sense in general. Use your intuition, your gut
instinct, and realise that there really is no such thing as a free
lunch on the internet. If you find yourself asking, ‘Why would
they send that to me?’, then listen to that suspicion.
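To make the red flags above concrete, here is an added Python example (mine, not the book's) that scores a parsed email against them: unknown sender, generic greeting, urgency wording, a link whose visible text and real destination disagree, and a file attachment. The allow-list of known senders, the word lists and both sample messages are constructed for the example, and the domains are placeholders; a real mail filter uses far richer signals, but the shape of the check is the same.

```python
"""Turn the phishing red flags above into a scorer over parsed email messages.

Added example, not from the book. KNOWN_SENDERS, the word lists and both
messages are constructed for the example; the domains are placeholders.
"""
import re
from email import message_from_string
from email.message import EmailMessage
from html.parser import HTMLParser

# Stand-in for "do you know the sender?" (constructed allow-list)
KNOWN_SENDERS = {"colleague@example.org"}
URGENCY_WORDS = ("immediately", "within 24 hours", "suspended", "urgent", "act now")
GENERIC_GREETINGS = ("dear customer", "dear sir/madam", "dear user", "dear member")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    m = re.match(r"https?://([^/:?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def phishing_flags(raw_message):
    """Return the red flags raised by one RFC 5322 message; [] means none found."""
    msg = message_from_string(raw_message)
    flags = []
    addr = re.search(r"<([^>]+)>", msg.get("From", ""))
    sender = (addr.group(1) if addr else msg.get("From", "")).strip().lower()
    if sender not in KNOWN_SENDERS:
        flags.append(f"unknown sender: {sender}")
    html = ""
    for part in msg.walk():
        if part.get_filename():
            flags.append(f"attachment: {part.get_filename()}")
        elif part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode("utf-8", "replace")
    body = re.sub(r"<[^>]+>", " ", html).lower()
    if any(g in body for g in GENERIC_GREETINGS):
        flags.append("generic greeting")
    hits = [w for w in URGENCY_WORDS if w in body]
    if hits:
        flags.append("urgency language: " + ", ".join(hits))
    collector = _LinkCollector()
    collector.feed(html)
    for href, visible in collector.links:
        # Only compare when the link text itself looks like an address
        shown = _host(visible if "://" in visible else "http://" + visible)
        if "." in visible and shown and shown != _host(href):
            flags.append(f"link text shows {shown} but points to {_host(href)}")
    return flags


def build_message(sender, subject, html, attachment_name=None):
    """Construct a sample message (HTML body, optional placeholder PDF attachment)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "you@example.org", subject
    msg.set_content(html, subtype="html")
    if attachment_name:
        msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                           subtype="pdf", filename=attachment_name)
    return msg.as_string()


# Two constructed messages: a note from a known colleague and a phishing attempt
LEGIT_MESSAGE = build_message(
    "colleague@example.org", "Notes from today's call",
    "<p>Hi Dermot, notes are here: "
    "<a href='https://docs.example.org/notes'>https://docs.example.org/notes</a></p>")
PHISHING_MESSAGE = build_message(
    "Account Security <alerts@mail-security-alerts.example>", "Action required",
    "<p>Dear Customer,</p><p>Your account will be suspended within 24 hours unless "
    "you verify it immediately: <a href='http://accounts-example-org.login-check.example/reset'>"
    "https://accounts.example.org/reset</a></p>", attachment_name="invoice.pdf")

if __name__ == "__main__":
    print("colleague:", phishing_flags(LEGIT_MESSAGE))
    print("phishing:", phishing_flags(PHISHING_MESSAGE))
```

The link check is the one worth copying into your own habits: hovering over a link shows the real destination, and when it differs from the address printed in the mail, that is the orange flag the text above describes.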

It is often said that while amateurs target the computer, professionals
target the person, so an attack on your site may instead start by
targeting you and your personal laptop. Being aware of, identifying,
and deleting phishing emails is the first step in protecting yourself and
your personal computers from infection. In the Defence in Depth model
though, we have to go further. What if you fail to pick up on it (It’s early
and you haven’t had your coffee yet!) and open the file attachment?
What other defences are in place on your personal computer to limit
the effect of a virus laden file or link?
The first step would be to have password protection on the admin
account on your laptop. If the file is supposed to be a photograph or
PDF file, and it tries to install itself, this will prompt your computer to
ask you for permission to do so. Stop and ask yourself, ‘Why does a
PDF document, which is normally just opened and read, need to install
something?’

Many malicious attachments try and exploit out of date software on your
computer, so you need to look at what is installed on your computer.
Renowned security journalist Brian Krebs (https://krebsonsecurity.com/)
has three basic rules for limiting the majority of computer security
threats:

1. If you didn’t go looking for it, don’t install it – Only install something
that you went looking for in the first place. Don’t install anything
using the links provided by an email or website. If a site or email
says you need Java, Adobe, or any other program, use Google to
search for that program yourself and install it. Many attacks have
begun through a fake website or email convincing the user to click
a link to install malicious software.

2. If you installed it, update it – Keep all of your installed software up
to date, including your operating system. Many malicious files try
to infect a computer by exploiting out of date software, or known
software bugs for which patches have been released. By keeping
your computer patched and up to date you prevent these bugs from
taking advantage of these vulnerabilities.

Microsoft releases patches for its operating systems on the second
Tuesday of every month. If you get a prompt to install these, don’t
dismiss them—let your computer update. Also, operating systems
go out of support after a certain number of years. Microsoft stopped
providing security updates for Windows 7 in 2020, for example. If
you are still using this, or indeed an older operating system, you
need to upgrade to a modern operating system to stay protected.
3. If you no longer need it, remove it – If there is something installed
on your computer that you do not need nor use, remove it. This
prevents any bugs in it from being exploited, prevents you having
to update it, or forgetting to do so. This also reduces clutter in your
computer and stops something you don’t need from using resources
and slowing down its performance. Get very familiar with the Add or
Remove Programs menu on your computer.

When you are finished working on your website, writing a new post, or
updating the product listing, it can be convenient to simply close down
the window and go off about your day. Very often though, this does not
log you out of your website. This can be convenient, as you don’t have
to enter your password in order to log in next time you want to update
the site, but as is often the case, convenience and security are the two
factors that need to be weighed up against one another.

Make it a habit to log out of your website once you are finished updating
or editing it. If there is a chance for anyone else to use your computer,
they would have access to your website simply by going directly to the
login page. This can be a nuisance if you know the person, e.g. a family
member, or make a bad situation worse if you don’t, e.g. in the case of a
virus infection where an attacker has remote access to your computer.

Secondly, password managers make long, strong passwords easy to
remember and use. Once you go to your login page, the
password manager will enter your login details and log you in; no
typing needed from you. Set it up so that the password manager logs
out of your account after a short time period, and when you close the
browser, so other people do not have access to this also.

Finally, use an up to date anti-virus program on your computer. However,
don’t rely solely on this as your only solution. Though often touted as
being the ultimate, if not only, tool needed for security, AV software is
only one part of an overall approach to security. AV does have a part to
play in a Defence in Depth model, but do not expect or rely upon them
to catch all problems or infections. You actually get a much bigger
benefit from regular patching, removing unneeded software, and not
using the admin account on your laptop, than from looking to anti-virus
to be the overall saviour from internet nastiness.

For personal and home computers, there are many free and paid
solutions. The free versions work excellently for scanning and detecting
known viruses on your machine, with additional features being offered
in the paid versions. If you’re looking for free AV software, check out
Avast or AVG, two established and well respected products.

For commercial or business solutions, there are fewer if any free
options, and licensing is the thing to consider.

Windows 10 does come with its own built-in anti-virus program called
Windows Defender. It is highly rated and what I use. There aren’t
many options to configure in it though, and the interface isn’t the most
attractive, but it is effective and runs by default if you have no other AV
product installed. Being Microsoft’s own product, it works well with the
operating system, has limited impact on system performance and gets
regular virus updates.

If you would like guidance or help with securing the laptops and
computers in your home or business, feel free to go to
https://dermotdowney.com/index.php/call to book a free, no obligation 15
minute call. We can go over where you are at currently, what you are
looking to achieve, and what the next steps are to take.
End of Chapter Checklist:

☐ Be wary of phishing mails, and know what signs to look for

☐ Discuss phishing attempts and recent near-misses with work
colleagues or staff

☐ Review the list of software installed on your computer(s) and
remove what is not necessary.

☐ Check that all installed software, including the computer operating
system, is fully up to date.

☐ If you are using a shared laptop, have separate accounts for each
user and password protect them. Give your users reduced privileges
and have a separate, password protected, Admin account for
installing software

Server Side Security

Luca runs an online shop selling woollen and printed silk scarves she
makes personally. She ran her store for a few years before her website
suffered its first malware infection. She found out after a customer
emailed to say they got a warning that ‘This site may harm your
computer’ when they visited her site. While it did not stop them from
browsing that time, it left enough of an impression for them to email
her to bring it to her attention.

Luca knew she had to act. She found a freelance expert online to clean
it up, and they notified her that there indeed was a malware script on
her site, which they then removed. They also submitted the site to
Google to remove the warning message. Job done, or so she thought.

A week later, Luca received an email on her phone from her web host
notifying her that malware had been detected on her site and they
were suspending her account. It was actually the second email they
had sent; she missed the first one a few days prior. This was again
disastrous news for her ecommerce store. If customers couldn’t get
to her store, they would go elsewhere, as there was no shortage of
options for customers looking for printed scarves online.

She got back in touch with the security expert she had dealt with, who
again found and removed the infection, and she notified her hosting
company requesting they release the suspension on her account.

Shortly afterwards, she got another email that her site might be hosting
malware, and she realised something major needed to be done. The
security expert had mentioned that, given the security precautions he
had taken on the first occasion, repeat infections may indicate that the
problem lies with her hosting account.

Luca had not been overly happy with the level of service from her
web host for a while, but it had never been a big enough pain to
justify the hassle of moving from them. There were just too many other
things demanding her time and attention in running her business. Now
though, she had had enough, and this was the perfect reason to make
the move she had been wanting to make.

She reviewed some other hosting companies, and finally settled on a
reputable one. She put aside some time from her schedule, moved her
site over to the new host, and tested it to make sure it was all working
okay.

It has been a number of months now since her last website infection,
and she has been able to get back to focusing on her online store
and providing custom scarves to customers. She feels confident that,
whatever the root cause was, changing her host certainly was a big
contributor to solving the problem.

Looking at the statistics of hacked websites provides some interesting
reading:

• 41% are due to the hosting provider.
• 29% are due to vulnerabilities in themes.
• 22% are due to vulnerabilities in plugins.
• 8% are due to weak passwords.

It is clear that the quality of your hosting provider has a large impact on
the overall security of your site. In situations where your site is being
run from a server which also hosts a number of other sites, unless
your web host has set it up correctly, your security is only as good
as the security of the other sites. In fact, your security is only as good
as the security of the poorest site, and you don’t know who that is nor
have any control over them.

An infection on one site can spread to all other sites on that server, and
even if you clean up your site, it will quickly get reinfected. Let’s take
a look at the different models of hosting and the security implications
of each.
Shared hosting is a very common option for hosting a website. Your
web host puts your website onto a server with many other websites
and you all share the resources and power of that server. It is similar
to renting a room in a large house. You have your room for putting up
your stuff in, but you share the main facilities—kitchens, bathrooms,
water, etc—with many other tenants.

With shared hosting, your web host is trying to get as many websites
running on the one server as they can. If one website requires a lot
of power for it to run, then this comes at the expense of all the other
websites on the same server, who may end up running slower as a
result.

In terms of security, an infection on one site runs the risk of spreading
to all other websites unless the hosting company has specifically set
up the server to isolate such issues. So in effect, your site could be as
secure as the least secure site on that server.

The benefit of shared hosting is cost. Hosting providers are able to
offer very low rates for shared hosting, and there are steps they can
take to properly segregate websites from one another so infections do
not cross-contaminate. A lot of the technical work of running a server
is taken care of for you as well, so you can focus on building and
maintaining your website.

Many sites and blogs start out on shared hosting until they find they
need to migrate up to a more powerful or managed platform as their
requirements or audience grows.

If you are on shared hosting and are interested to see what
other websites you share a server with, you can do what is
called a Reverse IP Lookup. This is a search which looks at the
IP address of your site, and tells you what other sites share the
same address. By doing a simple Google search for ‘reverse
ip lookup’ you will find a few different sites offering this, but
one I tend to come back to often is at
https://hackertarget.com/reverse-ip-lookup/.

The next model of hosting to consider is renting a VPS, or Virtual
Private Server. This is where a web host splits a server into multiple
mini-servers, which you can then rent. This is similar to an apartment
building, where each tenant has their own private space to do with
it what they please, but they are still occupying a single structure
with shared access to the main utilities such as electricity, water and
sewage.

A VPS offers great isolation and guarantees you a certain level of
server power, memory, etc, for running your website. Also, any security
problems or infections do not spread from one VPS to another, so
containment of such problems is much more secure.

The cost of running a VPS is slightly higher than shared hosting,
depending on how powerful you want your VPS to be, but the real cost
is in skillset. You are now responsible for managing and maintaining
a server, so you need the knowledge and skills to do this. You are
responsible not only for the security of your website, but also the server
beneath it.

The last hosting model is to rent a dedicated server. With this, you are
renting a full server for your own, private dedicated use. This is the
most expensive of the three options, and requires that you have the
skills and ability to manage and secure a server environment. This is
often used when a website or application needs the power of a whole
server for its own usage. If you are using this, you have a website or
app that is power hungry and generating enough revenue to justify the
cost.
With each of these options (shared hosting, VPS, and dedicated
server), there is also the option of having it unmanaged or managed.
Unmanaged means you are responsible for setting things up and
maintaining them yourself, such as patching, upgrades, backups, etc.
A managed solution means someone from the web host company
takes care of this for you, which can add to the cost, but allows you to
focus on maintaining your site without worrying about the underlying
technical aspects.

Fully managed solutions, such as Wordpress.com, Squarespace or
Wix, take full control of the running of the under-the-surface server
related tasks, allowing you to focus on your content and presentation
of your site.

Whichever option you choose, it is important to realise that web hosts
often limit their responsibilities to issues which affect the infrastructure
they provide to you, the customer. Their focus is on securing the
servers and network which they make available for people to use, but
the website that you run on top of those servers is your responsibility to
manage and secure. The more you pay, obviously, the higher service
you receive in terms of backups, patching support, etc, but you need
to understand clearly what security is taken care of for you, and what
is your responsibility.

GoDaddy Terms of Service


Server Hardening

This book is primarily aimed at WordPress website owners who
don’t have to or want to look after the server on which the website
runs. As we mentioned above though, if you are running a VPS or
dedicated server, this will be something you will also be responsible for
maintaining and securing.

We won’t be going into detail on server security in this book, but a
skilled server admin will be familiar with the threats to a server and
what to do to protect against them. But in brief, server security should
include at least the following:

• Using a supported operating system.
• Regular patching.
• Configuration according to industry hardening specs, e.g. CIS.
• Regular backups of important config files with restore testing.
• Separate users for each site.
• Network firewalling.
• Disable SSH access, or permit it only with cryptographic keys.
• Block frequent attacks by IP, e.g. fail2ban.
• Regular malware/rootkit scanning, e.g. clamav, maldet, rkhunter.
• Regular intrusion detection scanning, e.g. AIDE.
• Performance monitoring, e.g. munin.
• Log file reviews and a separate partition for logging.

Database

The database is where all of the data and content for your WordPress
website is stored. When a visitor comes to your site and opens a
page, WordPress quickly searches the database, extracts the text and
content needed, and presents it to the visitor in the format and layout
you have set up for your pages.

The data is stored in what are known as ‘tables’ in the database, and
the most common type of attack—known as SQL Injection—is where
a visitor sends a command to the database through either the URL
address bar of your site or a form in your website. What makes an
attacker’s job much easier is if they know the names of the tables in
the database.

Wordpress uses standard names for all of its database tables. If you
haven’t changed the name, then an attacker already knows what your
database table names are called. A simple way to protect against this
is to change the names slightly by changing the prefix—the series of
letters at the start of the database names.

Before you make this change, take a backup of your site in case
something goes wrong. If your database gets broken, you will not be
able to access your site afterwards.

There are many plugins which will allow you to do this, but I am going
to use iThemes (https://wordpress.org/plugins/better-wp-security/)
here, as it is a popular security plugin with a lot of other features we
will be covering in this book.

Changing the Database Table Prefix is available in the free version of
iThemes, so once you install and activate it, go to Security > Settings
in the Wordpress menu. Click into the Advanced features, to get to
Change Database Table Prefix, or use the Search Modules search
bar to find it.

iThemes Advanced features


iThemes offers you the option to backup your database, and this is
certainly a good idea. Alternatively, you can take a backup of your
whole site using the backup tool you have installed.

Back in the Change Database Table Prefix module, simply set the drop
down menu to Yes and click Save Settings. iThemes will now run
through your database and change the table names, and update the
Wordpress files so it knows how to access the data again.

This is a simple task to do, and changing it once in the lifetime of your
website will be enough.
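If you would rather see what the plugin is doing behind that menu, here is an added example (my code, not the book's or iThemes') that performs a prefix change on an in-memory SQLite copy of a constructed stub schema, not a real WordPress dump. It keeps together the three pieces the change depends on: renaming every table that starts with the old prefix, rewriting the rows WordPress keys on the prefix (the <prefix>user_roles option and the <prefix>capabilities and <prefix>user_level user meta), and producing the $table_prefix line for wp-config.php. Getting any one of those wrong locks you out of the site, which is why the book tells you to take a backup first. One caveat worth knowing: a changed prefix mainly defeats mass attack scripts that hardcode wp_; an injection that reaches the database can usually list table names anyway, so treat this as one layer among the others in this book, not a fix for injection itself.

```python
"""Change the WordPress table prefix on a database, demonstrated on SQLite.

Added example, not the book's or iThemes' code. The schema is a constructed
stub rather than a WordPress dump, and the SQL uses double-quoted identifiers
(SQLite; MySQL wants backticks and RENAME TABLE for the same job).
"""
import re
import sqlite3

PREFIX_RE = re.compile(r"[A-Za-z0-9_]+")  # WordPress only accepts these characters


def quote_ident(name):
    """Quote an identifier so a table name is never spliced raw into SQL."""
    return '"' + name.replace('"', '""') + '"'


def make_sample_db(prefix="wp_"):
    """Constructed stand-in for the tables a prefix change has to touch."""
    if not PREFIX_RE.fullmatch(prefix):
        raise ValueError(f"bad prefix: {prefix!r}")
    conn = sqlite3.connect(":memory:")
    p = prefix
    conn.executescript(f"""
        CREATE TABLE {p}posts (ID INTEGER PRIMARY KEY, post_title TEXT);
        CREATE TABLE {p}options (option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT);
        CREATE TABLE {p}usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
        CREATE TABLE other_app_log (id INTEGER PRIMARY KEY, line TEXT);  -- unrelated, must be left alone
        INSERT INTO {p}posts (post_title) VALUES ('Hello world');
        INSERT INTO {p}options (option_name, option_value) VALUES ('{p}user_roles', 'serialised roles (placeholder)');
        INSERT INTO {p}options (option_name, option_value) VALUES ('siteurl', 'https://example.com');
        INSERT INTO {p}usermeta (user_id, meta_key, meta_value) VALUES (1, '{p}capabilities', 'serialised caps (placeholder)');
        INSERT INTO {p}usermeta (user_id, meta_key, meta_value) VALUES (1, '{p}user_level', '10');
        INSERT INTO {p}usermeta (user_id, meta_key, meta_value) VALUES (1, 'nickname', 'luca');
    """)
    return conn


def audit(conn, prefix):
    """Everything that currently depends on `prefix`: tables, option names, meta keys."""
    names = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
    out = {"tables": [n for n in names if n.startswith(prefix)], "options": [], "meta_keys": []}
    # Filter in Python: '_' is a wildcard in LIKE, so "wp_%" would match more than wanted
    if prefix + "options" in names:
        rows = conn.execute(f"SELECT option_name FROM {quote_ident(prefix + 'options')}")
        out["options"] = sorted(r[0] for r in rows if r[0].startswith(prefix))
    if prefix + "usermeta" in names:
        rows = conn.execute(f"SELECT meta_key FROM {quote_ident(prefix + 'usermeta')}")
        out["meta_keys"] = sorted(r[0] for r in rows if r[0].startswith(prefix))
    return out


def change_table_prefix(conn, old, new):
    """Rename every `old*` table to `new*` and fix the prefix-keyed rows; returns the new names."""
    for p in (old, new):
        if not PREFIX_RE.fullmatch(p):
            raise ValueError(f"prefix may only contain letters, digits and underscores: {p!r}")
    before = audit(conn, old)
    with conn:  # one transaction: either everything is renamed or nothing is
        for table in before["tables"]:
            conn.execute(f"ALTER TABLE {quote_ident(table)} RENAME TO {quote_ident(new + table[len(old):])}")
        # substr() is 1-based: keep what follows the old prefix and glue the new one on
        if old + "options" in before["tables"]:
            conn.execute(f"UPDATE {quote_ident(new + 'options')} SET option_name = ? || substr(option_name, ?) "
                         "WHERE substr(option_name, 1, ?) = ?", (new, len(old) + 1, len(old), old))
        if old + "usermeta" in before["tables"]:
            conn.execute(f"UPDATE {quote_ident(new + 'usermeta')} SET meta_key = ? || substr(meta_key, ?) "
                         "WHERE substr(meta_key, 1, ?) = ?", (new, len(old) + 1, len(old), old))
    return [new + t[len(old):] for t in before["tables"]]


def wp_config_line(prefix):
    """The wp-config.php line that must match the renamed tables."""
    return f"$table_prefix = '{prefix}';"


if __name__ == "__main__":
    db = make_sample_db("wp_")
    print("renamed:", change_table_prefix(db, "wp_", "k7x_"))
    print("now keyed on new prefix:", audit(db, "k7x_"))
    print("put this in wp-config.php:", wp_config_line("k7x_"))
```

The audit() function is the part to keep for real use: run it against the old prefix after the change and anything it still lists is a row the plugin or script missed.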

File Permissions

File permissions control who can read or write to files on your server,
and whether they can run any scripts or programs in a particular folder.
It is an important part of allowing users or programs on a server just
enough permission to do what they need to do, but no more.

Having the permissions set correctly can prevent attackers from running
scripts and programs if they manage to upload them to your site, and
in a shared hosting environment, is also a step towards limiting the
damage an infection on another site can do to you.

To check the permissions on your site, go into the iThemes plugin
and click on the File Permissions module. Click on the Load File
Permission Details button, and you will see a display of the details of
the important folders in your website.

File and folder permissions are shown using a three digit number,
representing what the users on the server can do, i.e. read files,
write to files, and/or run scripts and programs from that folder. We
are not going to get into the details of what the numbers mean
specifically, but where the values match the Suggestions, they are
marked in green, so those are okay. If your settings differ then those
are marked as a Warning and it is recommended you change them to
match the suggestions.

I need to correct the permissions of my wp-config and .htaccess files to match the
suggested values
1. Changing file permissions on the server is done from your hosting
account. Log in, find the File Manager, and click into it.

In the cPanel web hosting program, click to access the file manager

2. Using the directory structure, navigate to the file or folder you wish
to modify, right click on it, and select Change Permissions. (Some
file manager programs may call this CHMOD in the right click menu,
but it is the same thing.)

Use the left hand menu to navigate to the folder containing the file to be modified; in
this case it is in the main web directory, public_html
The permissions of this wp-config file are set to 666, allowing all users on the server
to read and write to, i.e. change, this file
3. Tick or untick the boxes until you get the correct numerical value as
suggested by the iThemes plugin. Then click Change Permissions
or OK to save.

That’s all that is needed. The permissions are now updated and you can
verify this by going back to iThemes and reloading the file permissions
module.
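For anyone on a VPS or with shell access to the server, the same check can be scripted. The following added example (mine, not from the book or iThemes) compares a WordPress tree against a table of suggested modes, lists anything writable by every user on the server, and applies the fix the file manager would. The values in SUGGESTED are my assumptions (444 for wp-config.php and .htaccess, 755 for the main folders, the usual WordPress hardening advice); use whatever your plugin or host recommends. The demo tree is constructed in a temporary directory with wp-config.php deliberately left at 666, the case shown in the screenshot.

```python
"""Check a WordPress tree's file modes against a table of suggested values.

Added example, not from the book or the iThemes plugin. The modes in SUGGESTED
are assumptions; the demo tree is constructed in a temporary directory.
"""
import os
import shutil
import stat
import tempfile

# Relative path -> suggested octal mode (assumed values, see above)
SUGGESTED = {
    "wp-config.php": 0o444,
    ".htaccess": 0o444,
    "wp-admin": 0o755,
    "wp-includes": 0o755,
    "wp-content": 0o755,
    "wp-content/uploads": 0o755,
}


def check_permissions(root, suggested=SUGGESTED):
    """Return (path, actual, suggested) for every entry whose mode differs."""
    findings = []
    for rel, want in suggested.items():
        path = os.path.join(root, rel)
        if not os.path.lexists(path):
            continue  # not every site has every entry
        actual = stat.S_IMODE(os.stat(path).st_mode)
        if actual != want:
            findings.append((rel, actual, want))
    return findings


def world_writable(root):
    """Everything under root that any user on the server may write to (the 666/777 case)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path) and os.stat(path).st_mode & stat.S_IWOTH:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def fix_permissions(root, findings):
    """Apply the suggested modes (the chmod the hosting file manager does for you)."""
    for rel, _actual, want in findings:
        os.chmod(os.path.join(root, rel), want)
    return len(findings)


def format_findings(findings):
    """Render findings the way the plugin's Warning column reads."""
    return [f"{rel}: {actual:o} (suggested {want:o})" for rel, actual, want in findings]


def build_demo_site(config_mode=0o666):
    """Constructed stub of a WordPress directory; returns its path."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    for rel in ("wp-admin", "wp-includes", "wp-content", "wp-content/uploads"):
        os.makedirs(os.path.join(root, rel))
        os.chmod(os.path.join(root, rel), 0o755)
    for rel, mode in (("wp-config.php", config_mode), (".htaccess", 0o444)):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("# constructed placeholder\n")
        os.chmod(path, mode)
    return root


def remove_demo_site(root):
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    site = build_demo_site()
    print(format_findings(check_permissions(site)))  # ['wp-config.php: 666 (suggested 444)']
    print("world-writable:", world_writable(site))
    fix_permissions(site, check_permissions(site))
    print("after fix:", check_permissions(site))
    remove_demo_site(site)
```

The world_writable() walk is the check worth running on its own from time to time: a plugin or a careless upload can leave a file at 666 or 777 well after you fixed the handful of paths in the table.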

PHP version

WordPress is a very user friendly platform, and allows you to manage
and create content without having to have a deep knowledge of
technology or coding. I know people who are complete technophobes
and still able to manage to create a beautiful, successful, and
functioning Wordpress website for their business thanks to its point
and click menus and overall user-friendliness.

As we mentioned earlier, all the information for your website is stored
in its database, and WordPress uses a scripting language called PHP
(Hypertext Preprocessor) to extract that information and present it to
visitors as they visit and move around your site. You don’t have to
know anything about PHP in order to run a WordPress website, but it
is important that you are aware of it, as it affects the security of your
website and—like all software—needs to be managed and kept up to
date.

The most commonly known language for designing web pages is
HTML (Hyper Text Markup Language). HTML defines both how a
webpage should be laid out and what content should appear on the
page. HTML webpages are saved as files on your web server and
shown to visitors when they visit your site. The content is the same
for every visitor.

But PHP is a scripting language which can be programmed to actively
change or do things depending on the visitor, the time of day, or other
events you choose. PHP can also communicate with a database, which
HTML cannot do. If a product has sold out, it can see that there is zero
stock left in the database and not display that item to a visitor, or add text
to the page to call it a ‘Best Seller’.

If someone visits in the morning, PHP can be programmed to show
them a clock and maybe a rising sun image in the background, but show
a different image to someone visiting in the evening. PHP is dynamic;
it can update the website as the person is visiting, and makes your
website function overall.

PHP is code that runs on your web server, and if there are any bugs
or security vulnerabilities within PHP, these can be exploited by an
attacker to undermine the security of your server. An attacker can use
a bug within the version of PHP you are using to upload and run code
of their own, and thus take over your server, attack your database, or
traverse (browse around) the files and folders behind your site and view
content you hadn’t intended to make visible or had stored in protected
areas of your site, such as a password protected video course.

PHP has gone through a number of revisions, and it is important to
keep your version up to date. This ensures that an attacker cannot
exploit any vulnerabilities present in the older versions.

The versions of PHP that WordPress is being run on, courtesy of https://wordpress.org/about/stats/

PHP Version      Security Support Until
7.2 and older    No longer supported
7.3              06-Dec-2021
7.4              28-Nov-2022
8                26-Nov-2023

Upgrading and keeping your version of PHP current has massive
security and performance benefits. Each new release of PHP introduces
new, more efficient features, and newer versions have been shown to
reduce site loading times. For this reason alone, it should be a priority
over any of the tweaks or optimisations you might be testing with your
site.

Given all of this, you might be wondering why people don’t upgrade
their PHP software sooner. Part of the reason is that people don’t know
about it, or perhaps don’t realise how important it is. Website owners
who are familiar with patching usually focus solely on keeping their
website patched, but neglect to maintain the server software which
the site runs on. There is also a sense of caution, over fear of ‘breaking
something’. We will discuss this further in the chapter on Patching, but
you need to plan for that risk rather than using it as a reason to ignore
patching altogether.

So, given the importance of keeping your software current, how do
we identify what version of PHP our website is using and upgrade it if
necessary?
To identify the version of PHP your site is using

1. Log into your WordPress admin dashboard and go to Tools >
Site Health.

2. At the top of the Site Health page are two options, Status and
Info. Click on Info.

3. Scroll down to Server and click to expand the information panel.
Look for the item called PHP Version.

Version 7.2 is no longer secure and so needs to be upgraded

Upgrading your version of PHP

When upgrading PHP, remember that new versions of software often
contain new features or change old ones. Some plugins or themes
may have been written to use specific codes or features of that version
of PHP, and if these change, then it could affect the performance of
that plugin or theme. You need to make sure your site will behave and
act the way you expect after the upgrade. You must also be ready to
fall back to the original version if something on your site fails.

This means having a thorough and written-out test plan so you can
test out every feature of your site, and taking a full backup of your site
before doing any upgrade. You should pay particular attention to the
plugins on your site, and test their functionality.
To avoid doing so on your live site, it is a good idea to test on a staging
site first. Your staging site has to be on a different server though. In
the chapter on Backup and Recovery, we will discuss setting up a
temporary site using UpdraftClone. This allows you to choose the
version of PHP on your temporary site so you can safely test the
behaviour of your site without affecting your live site.

If there are any problems, you can investigate them, look up solutions,
or contact developers or support teams and work on getting them fixed.
Once you are ready, you can then go back to your live site, upgrade
your PHP, and make any changes you need to resolve any problems
you discovered in testing.

Upgrading your version of PHP is done through your hosting account

1. Take a backup of your site.

2. Log into your hosting account, and find and click into MultiPHP
Manager.

3. Tick the checkbox beside the domain name you want to upgrade,
and from the menu on the right hand side choose an upgraded
version of PHP.

4. Click Apply and the version should be upgraded immediately.

If you would like help in reviewing your server security, or hardening it
against online threats, please go to https://dermotdowney.com/index.php/call
to arrange a chat. We can discuss your current setup and
what needs to be done to improve it.

End of Chapter Checklist:

☐ Know what sort of hosting you are on – shared, VPS or dedicated

☐ Change the database prefixes at least once in your website’s lifetime

☐ Use iThemes to set your site file and folder permissions correctly

☐ Know what version of PHP your site is on and when security support
for it ends

☐ Have a plan for upgrading PHP if needed, and for testing the upgrade

Protect the Login

Since the dawn of time, people have had things they wanted to protect
or hide from others. Passwords are an easy and effective means of
distinguishing who has access to an asset and who does not. Roman
sentries used passwords to ensure only fellow soldiers and allies
could gain access to military areas, and Ali Baba famously got into the
thieves’ den by overhearing their secret phrase, ‘Open sesame!’

In a computing sense, passwords had their origin back in 1961, when
the Massachusetts Institute of Technology developed a new mainframe-
based computer system (the Compatible Time-Sharing System,
or CTSS), to which researchers were given access for four hours a
week. Computer time was heavily in demand in universities back in
the sixties, and to control access to it, an engineer named Fernando
Corbató introduced passwords as a way to ensure researchers didn’t
use more time than they were allotted.

It didn’t take long before eager PhD students figured out ways to
steal the list of passwords to extend their time on the system, and
thus began the game of cat-and-mouse that has been played ever
since. Someone tries to break into a system by guessing or attacking
the login system, prompting the defenders to take extra measures to
prevent this.

Passwords make up a substantial part of our digital lives today, and as
much as people herald the death of the password, this is not likely to
happen any time soon. For the WordPress website you are running,
passwords are the default, and by far the most common, means of
accessing your administrator dashboard.

What a password actually does is ‘authenticate’ you; it is a shared secret
that only you and the website know. When you enter it along with your
username, it is a way of proving that you are you, as only you should
know the secret. Your password is stored in a secure form in the
WordPress database. When you log in, WordPress compares what you
entered against what it has stored. If they match, you’re good; if not,
you shall go no further.

Let’s take a look at the attacks on the password of your website, and
what you can do to protect against them.

The single action you can take which will have the greatest impact
on your website’s security is to choose a good, strong password. No
security measure exists in isolation, so doing this and nothing else is
not good security. But getting into the habit of using strong, unique
passwords is the most impactful step you can take to protect yourself
online.

Each year, Verizon release their well-respected Data Breach
Investigations Report, which analyses the previous year’s data breaches
to see what the trends were and how attacks are developing. Well worth
a read, a consistent finding of this free report is that attacks on passwords
are a large part of information security incidents, with up to eighty-one
percent of attacks involving the use of weak or stolen passwords.

Every year, security firms review the lists of hacked accounts and
password lists being sold on the internet to analyse the passwords
people are using, and the same patterns tend to show up repeatedly.
Below are the top thirty passwords in use in 2020. It is estimated that
one out of fifty people are using at least one of these to protect a
sensitive account, such as a website, social media account, or work
related account; it is not hard to see why hackers get such value from
these lists.
1. 123456
2. 123456789
3. picture1
4. password
5. 12345678
6. 111111
7. 123123
8. 12345
9. 1234567890
10. senha
11. 1234567
12. qwerty
13. abc123
14. Million2
15. 000000
16. 1234
17. iloveyou
18. aaron431
19. password1
20. qqww1122
21. 123
22. omgpop
23. 123321
24. 654321
25. qwertyuiop
26. qwer123456
27. 123456a
28. a123456
29. 666666
30. asdfghjkl

Top 30 most commonly used passwords of 2020

The rules for making a strong password have been with us for some
time now, and they are still very relevant:

• Make it long - consider at least 15 characters.
• Use both upper- and lower-case letters.
• Use numbers.
• Use special characters, such as ! ” £ $ % ^ & * ( ) _ + - = [ ] { } ;
’ : @ , . / < > ?.

Of all the rules, the one about length should be given the most
consideration. It is often said that a long password is a strong password.
The main reason is that a long password is more resistant to cracking
attempts, but it also allows you to build in the other required characters
in a way that makes sense and you can possibly remember. Also
known as a passphrase, a long password should consist of at least four
words, and can consist of song or poem lyrics, positive affirmations, or
sentences that mean something personal to you:

• WilliamShakespeare(1564-1616)
• I’dlike2teachtheWorld2Sing
• 2021-IamNOTasmoker!!
• Correct-Horse-Battery-staple
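The four rules above and the top thirty list can be turned into a simple check, and a rough keyspace calculation shows why the length rule matters most. The Python below is an added example written for this book, not code from any plugin; the only assumption in it is the guessing rate in ASSUMED_GUESSES_PER_SECOND, a made-up offline-cracking figure used purely to compare passwords against each other.

```python
import string

# The top 30 list from the page, lowercased so the comparison is case-insensitive.
TOP_30_2020 = [
    "123456", "123456789", "picture1", "password", "12345678", "111111",
    "123123", "12345", "1234567890", "senha", "1234567", "qwerty", "abc123",
    "million2", "000000", "1234", "iloveyou", "aaron431", "password1",
    "qqww1122", "123", "omgpop", "123321", "654321", "qwertyuiop",
    "qwer123456", "123456a", "a123456", "666666", "asdfghjkl",
]

MIN_LENGTH = 15                       # the page's "at least 15 characters"
ASSUMED_GUESSES_PER_SECOND = 1e10     # ASSUMPTION: illustrative offline cracking rate


def check_password(password, common=TOP_30_2020):
    """Return the names of the rules the password fails; an empty list means it passes.

    A special character here is anything that is not a letter or a digit, so
    the punctuation listed on the page and spaces in a passphrase all count.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("length")
    if not any(c.isupper() for c in password):
        failures.append("uppercase")
    if not any(c.islower() for c in password):
        failures.append("lowercase")
    if not any(c.isdigit() for c in password):
        failures.append("digit")
    if not any(not c.isalnum() for c in password):
        failures.append("special")
    if password.lower() in common:
        failures.append("common")
    return failures


def charset_size(password):
    """Size of the alphabet an attacker must assume, given the classes actually used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += len(string.punctuation) + 1   # ASCII punctuation plus space
    return size


def years_to_brute_force(password, rate=ASSUMED_GUESSES_PER_SECOND):
    """Years needed to try every string of this length over this alphabet.

    Pure brute force is the worst case for the attacker; dictionary and
    pattern attacks do far better against short or common passwords.
    """
    guesses = charset_size(password) ** len(password)
    return guesses / rate / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("password", "Million2", "Correct-Horse-Battery-staple",
               "WilliamShakespeare(1564-1616)"):
        print(f"{pw!r}: fails {check_password(pw) or 'nothing'}, "
              f"brute force ~{years_to_brute_force(pw):.3g} years")
```

Note that the last passphrase example on the page, Correct-Horse-Battery-staple, passes the length rule comfortably but contains no digit, which the check reports; the keyspace figure still dwarfs that of an eight-character password, which is the point the section makes about length.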

I would caution against using passphrases containing personal
information, such as your spouse’s or children’s names, dates of birth,
etc. Not all attackers are based on the other side of the world, and
while Maria11April might feel like a good password, to someone who
knows your kid’s name and date of birth it might be a logical password
to try.

Password Reuse

When Disney+ was launched in 2019, offering online streaming of
Disney’s huge catalogue of movies and TV shows, there was great
enthusiasm and take up from customers. But within a few days, people
began to complain that their accounts had been hacked, with some
having their passwords changed so they were locked out. Disney+
customer support were unable to respond to all of the queries that
came flooding in to them, and hacker forums and discussion boards
saw a surge in posts offering thousands of Disney+ accounts for sale.

While it is possible that Disney themselves had suffered a data breach,
the more likely explanation comes out in reports of the issue—many
of the passwords were the same ones as users were using for other
online services.

As much as we have heard about the need to avoid weak passwords,
password (or passphrase) reuse is a larger problem. Someone comes
up with a long, strong passphrase—or perhaps a bad one—then
proceeds to use it everywhere, for all of their logins.

When a website or service has their customer database stolen, this
data—containing usernames, email addresses, and passwords—is
often offered up for sale to other attackers.

You can see details (not passwords though) of many of the
sites which have had their databases leaked online by going to
https://haveibeenpwned.com/. This site also allows you to see
if your email address has been part of a data leak in the past.

Attackers then take these details, and knowing human nature is to
be lazy and password reuse is so common, they target other online
services with the same login details. Known as credential stuffing, they
simply try to log into other online services to see if you were using
the same details there as well, in hopes that they will stumble upon
an account or service which they can profit from financially. Around
seventy percent of successful password-related attacks involve reused
passwords.

The solution is to use a unique password for every website or service
you log into. This way, if one particular website suffers a data breach,
you have proactively stopped it affecting any of your other online
accounts. Known as containment, this is an important security principle
in limiting the extent of a problem once it occurs. Remember we can’t
be 100% certain of preventing a successful attack from occurring, but
we can control and limit the impact and damage that occurs.
Password Managers

So the advice for what makes a good password now becomes:

• Make it long.
• Make it complex.
• Make it unique for every service and website you log in to.

The best kind of password is one that you could never remember,
something like:

• \?s~7XuGU&2sQn#x
• 4QptwNeEZD@Pk1We&a
• #kjqfbu24IQ*kkg1CZd=(JD&U3m.v30”

But if we are meant to have long, convoluted passwords like these—
and a different one for every website we log into—how is a person
meant to manage all of this?

Password managers are a service that generate and store long, strong,
and unique passwords for you for each service you need. Passwords
are stored in a vault, which you access through a master password,
which is the only long, strong, and unique password you must
remember. With password managers, you get the security of using
extremely strong and unique passwords without having to remember
them.

Online password managers store your passwords in the cloud, offering
you the ability to use them across different computers and mobile
devices. There are plugins for web browsers, like Chrome and Firefox,
which allow you to automatically log into your websites as soon as you
visit them. Your password vault is encrypted on your computer before
being sent up to the cloud for storage, so the password management
company cannot see into your vault. Examples of online password
managers include:
• 1Password (https://1password.com/)
• Dashlane (https://www.dashlane.com/)
• LastPass (https://www.lastpass.com/)

There are also offline password managers which do not send your
information up to the cloud. Keepass (https://keepass.info) is a very
well-regarded password manager which saves your passwords in an
encrypted file on your own computer, so you always have control over
where your vault is. There are some convenient features, such as
automatic website logins, which Keepass is unable to offer. And using
it between different computers is a little more challenging, as you would
have to move your encrypted vault between the computers, probably
by emailing it to yourself. Keepass also does not offer a version for
mobile devices.

One obvious concern about cloud-based password managers is
that they now have access to all of your passwords. To answer this,
these companies have provided documented details of the encryption
methods they use in securing your data before it goes across the
internet, so all they are receiving and storing is an unreadable block
of data. There have been independent audits of the network traffic
leaving your computer to verify this.

Keepass is an open source project, meaning the software code for it
has been made freely available for researchers to review and analyse.
This is not the case for the commercial companies, but researchers
have intensely scrutinised the browser plugins, which can be analysed,
and found that the code securely encrypts your password vault before
uploading it to the cloud.

The greater concern with password managers is around the master
password, and either forgetting it or losing control of it, such as having
it stolen. The vault with your passwords is encrypted before being
sent up to the cloud, so the password manager company does not
see or store your master password, therefore they cannot reset it for
you if you forget it. Most of the password managers offer a variety of
alternative solutions for logging in, including password hints and login
codes which can be used one time to get back into your account.

It is a good idea to print off a set of one time login codes and store
them somewhere safe. Don’t have any other information on the page,
so if someone finds it there is nothing telling them what the codes are
for.

The other concern involves losing control of your password, where
someone else sees or finds out what your password is. Imagine
you are in a situation where you are travelling and need to do some
work online. You find a public computer in a library, shopping centre,
or airport terminal and log into your online password manager. But
unknown to you, a key logger infected the computer from a previous
user and is running in the background, recording everything you type.
The hackers now have the login details to your password manager,
and all your online accounts.

While it is good advice never to trust a computer you don’t control,
whether it be a public terminal or even a friend’s computer, it can also
happen that your own computer at home gets a virus on it which does
the same.

The answer to this problem is to set up additional security protecting
the logon to your password manager, so if someone does get your
master password, it alone is not enough to log in to your account.

Two Factor Authentication

Two factor authentication (2FA) is like having two passwords to login to
your account. It is becoming increasingly popular for logging into online
accounts, and many big name services such as Google, Dropbox, and
Amazon are making it available to customers. In this section, I will
describe setting it up for your WordPress website, but the steps are
similar for setting it up for your password manager.
2FA involves using your phone to generate a code number, which
changes every thirty seconds, and which is also required to log into
your account. If someone has your master password but not your
phone, they can’t get in.

The ‘factors’ in the name describe the ways in which you can
authenticate, or identify, yourself. One way of identifying yourself is
through something you know. If you know the password to log on to
your website, then your website assumes the person logging on is you.
The second way is through something you have, such as your phone.
If you can prove that you have your phone in your possession by
providing the code number from it, then your website is happy to let
you in.

If you have ever drawn money from an ATM machine, then you are
already familiar with how two factor authentication works. In order to
get the money from your account, you have to authenticate yourself to
your bank. You do this through using your bank card. But having the
card itself isn’t enough, as a card can get stolen, so you also have to
know the PIN number to use with it. Thus you are using two factors,
or methods, of authenticating yourself in order to access your money.

It is an incredibly effective way of preventing malicious logins to
your website. Google face thousands of login attempts to their
users’ accounts every year, and have found that enabling two factor
authentication prevents 100% of automated bots, ninety-nine percent
of bulk phishing attacks, and ninety percent of targeted attacks.

To set up 2FA, you need two things: an app on your phone and a plugin
on your website. Using the app on your phone, you are going to scan
a code the website plugin will show you, which enables the app and
website to sync up with one another. Then, the next time you log into
your site with your password, you will be asked for a passcode. Open
the app on your phone and enter the code number it provides.
There are a number of WordPress plugins available for setting up two
factor authentication on your websites. iThemes Pro offers this along
with many other security features, and plugins such as 2FAS Light offer
it for free. I’m going to be using the iThemes Pro plugin here.

1. Download and install a 2FA app to your smartphone. There are many
apps available in the App Store (iPhone) or Play Store (Android),
but I would recommend the Authy app, as it allows you to back up
your accounts in case your phone gets lost or dies. Their website
(https://authy.com/) also has some great guides on explaining 2FA
and how to set it up for many different types of service.

2. On your WordPress menu, click Security to go into the iThemes
settings, and scroll down to click into the module for Two-Factor
Authentication. Set the following options:

• Authentication Methods – Select Methods Manually
• Select Available Methods – Mobile App

3. Go into the WordPress Users menu and click into each user account
for which you want to set up two factor authentication.

4. Scroll down to Two Factor Authentication Options and click View
QR Code.

5. Using the 2FA app on your phone, scan the QR code or enter the
code into the Authentication Code box and click Verify.

1. Click Enable to turn on two factor authentication for the user


2. Click to view the QR code
3. Scan the code with the 2FA app on your phone
4. Enter the code your phone provides and click Verify

Your phone and website are now synchronised in terms of the codes
which will be accepted. To test it, log out of your website and back in
again. After entering your username and password, you should see a
screen asking you for an Authentication Code. Enter the six-digit code
from your phone to log in.
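What the QR code and the six-digit codes actually are, shown as an added Python example for this book rather than code from iThemes or Authy: the QR code carries a random shared secret, and from then on the phone and the website each run the same HMAC over the number of thirty-second steps since 1970 (the TOTP standard, RFC 6238, built on HOTP, RFC 4226). The account name in enrol() is constructed, and the secret used in the checks below is the published RFC test secret so the output can be verified against the standard.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def hotp(secret, counter, digits=6):
    """RFC 4226 HMAC-based one-time password for a single counter value."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238: the counter is the number of 30-second steps since the Unix epoch.

    This is why the code on your phone changes every thirty seconds and why
    the phone and the website agree without ever talking to each other.
    """
    at = time.time() if at is None else at
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret, code, at=None, step=30, digits=6, window=1):
    """Website-side check: accept the current step and its neighbours for clock drift.

    hmac.compare_digest is used so the comparison time does not reveal how
    many digits of a wrong guess happened to match.
    """
    at = time.time() if at is None else at
    counter = int(at) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + d, digits), code)
        for d in range(-window, window + 1)
    )


def enrol(account, issuer="Example WordPress Site"):
    """Simulate what the plugin does when you click 'View QR Code'.

    Returns (secret, otpauth_uri): the secret is stored against the user
    record, and the URI is what the QR code encodes for the phone app to scan.
    """
    secret = secrets.token_bytes(20)                      # 160-bit random shared secret
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}")
    uri = (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
           "&algorithm=SHA1&digits=6&period=30")
    return secret, uri


if __name__ == "__main__":
    secret, uri = enrol("admin")                          # constructed account name
    print("QR code would encode:", uri)
    code = totp(secret)
    print("phone shows:", code, "-> accepted by site:", verify_totp(secret, code))
```

Two things the code makes visible: the secret never leaves the phone or the site after enrolment, so a stolen code is useless thirty seconds later, and the acceptance window is what lets a slightly wrong phone clock still log in, at the cost of a code staying valid for one extra step.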

Two factor authentication offers strong protection for your site’s login,
but if the setup feels confusing, feel free to go to
https://dermotdowney.com/index.php/call to ask for help. We can arrange
a screen sharing session where you are guided through the process and
come away comfortable with how it all works.
Password Expiry

A much-touted security feature which most of us are familiar with is
having to create new passwords on a regular schedule, such as every
ninety or 180 days. The central idea behind this practice is that if you
lose control of your password, then there is only a certain window in
which it can be exploited and used by the attacker before it is changed,
and thus invalidated.

There has been debate around this practice for some time, as attackers
do not steal and then sit on a password for ninety days or more unless
it was part of a huge database of stolen accounts; and then only
because they have been busy attacking all other accounts before they
got around to yours. If someone successfully steals your password,
and especially if they have been specifically targeting you, they would
look to use it as soon as possible. If they got your website password,
one of the first things they would do is log in and create a new user
for themselves so they have guaranteed persistent access to guard
against you changing your password.

In 2019, both Microsoft and the US National Institute of Standards and
Technology (NIST)—widely regarded as an authority on security and
password practices—recommended that password expiration be dropped
as a practice. They recognised that forcing people to frequently change
their passwords frustrates users, leading to poor password decisions,
such as Apple01, Apple02, Apple03. Instead, it is better to encourage
people to use password managers for long and unique passwords,
and to make use of two factor authentication.

Hide the Login Page

A very useful feature to protect your site is to hide the login page URL.
By default, WordPress uses wp-admin as the page to log in to the admin
dashboard. By changing this to something else, you dramatically cut
down on the number of login attempts being made to your site. An
example would be to change:
https://your-website-name.com/wp-admin ---> https://your-website-name.com/knockknock

Known as security through obscurity, you are not actually securing your
site, just hiding a feature. It is similar to hiding a tab on a spreadsheet
containing your passwords and sending it to your work colleagues, or
hiding the key to your front door under the mat. You are relying more
on secrecy than on true security practices, and once an attacker learns
about the secret, you are back to the original problem. But it is a useful
and effective tactic at cutting down on the numbers of automated bots
which are attempting to log in to your site, and so greatly reduces the
noise that will appear in your logs.

1. To enable this using iThemes, click Security on your WordPress
menu.

2. Along the top of the screen, click Advanced, and click into the tile
called Hide Backend.

3. Click the option to enable the ‘hide backend’ feature and enter the
new page name to be used for your login page.

4. You also have the option to enable redirection. If someone tries to
browse to the original wp-admin login page, WordPress will throw
up an error message. You can have them redirected to another
page instead, such as your home page.

Login attack frequency on an unadvertised, obscure website

Limit Login Attempts

Your website is being subjected to potentially hundreds of automated
login attacks every day. Most of these are quite repetitive in nature,
and are simply login attempts from automated bots trying variations
of usernames and passwords, hoping to get lucky and land upon an
account which uses a weak password. This is similar to a thief looking
to break into your house by repeatedly trying a big bunch of keys they
have, and hoping one fits your lock.

Having changed the login URL for your website, what happens if an
automated bot still manages to find it and launch their login attempts, or
if someone else is trying repeatedly to get into your account? iThemes
has a great feature that limits the number of trial-and-error attempts
they can make before blocking a user for a period of time.

On the WordPress menu, go to Security and click on the Global
Settings tile. Scroll down, and set the following options:

• Write to files – Enabled
• Ban Repeat Offender – Enabled
• Ban Threshold – 3 Lockouts
• Ban Lookback Period – 7 days
• Lockout Period – 15 minutes

This will identify anyone who makes 3 wrong login password guesses
in a 7 day period and block them from trying again for 15 minutes,
which massively slows down their efforts to break in. You can change
these settings to different values if you prefer, but you should notice a
significant drop in the login attempts being made on your website.
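The bookkeeping behind those settings, as an added Python example written for this book (it is a model of the behaviour, not the plugin's own code): wrong guesses are counted per client, a run of them earns a timed lockout, and a client that collects three lockouts inside the lookback period is banned outright. The client address is a constructed TEST-NET address, and the number of wrong guesses that triggers a lockout (3) follows the description above; it is an assumption about how your particular plugin counts, so check its own setting.

```python
import time
from collections import defaultdict


class LoginGuard:
    """Lockout and ban bookkeeping modelled on the settings listed above."""

    def __init__(self, attempts_per_lockout=3, lockout_seconds=15 * 60,
                 ban_threshold=3, lookback_seconds=7 * 24 * 3600, clock=time.time):
        self.attempts_per_lockout = attempts_per_lockout   # ASSUMPTION: 3, per the text
        self.lockout_seconds = lockout_seconds             # Lockout Period
        self.ban_threshold = ban_threshold                 # Ban Threshold (lockouts)
        self.lookback_seconds = lookback_seconds           # Ban Lookback Period
        self.clock = clock                                 # injectable for testing
        self.failures = defaultdict(list)   # client -> timestamps of wrong guesses
        self.lockouts = defaultdict(list)   # client -> timestamps of lockouts
        self.banned = set()

    def status(self, client):
        """'banned', 'locked' or 'open'; also prunes lockouts older than the lookback."""
        now = self.clock()
        if client in self.banned:
            return "banned"
        recent = [t for t in self.lockouts[client] if now - t <= self.lookback_seconds]
        self.lockouts[client] = recent
        if recent and now - recent[-1] < self.lockout_seconds:
            return "locked"
        return "open"

    def attempt(self, client, password_ok):
        """Record one login attempt; returns 'allowed', 'denied', 'locked' or 'banned'.

        During a lockout or ban the password is not even evaluated, which is
        what makes the trial-and-error guessing so slow for the attacker.
        """
        state = self.status(client)
        if state != "open":
            return state
        if password_ok:
            self.failures[client].clear()
            return "allowed"
        now = self.clock()
        self.failures[client].append(now)
        if len(self.failures[client]) < self.attempts_per_lockout:
            return "denied"
        # Threshold reached: start a lockout and count it towards a ban.
        self.failures[client].clear()
        self.lockouts[client].append(now)
        recent = [t for t in self.lockouts[client] if now - t <= self.lookback_seconds]
        if len(recent) >= self.ban_threshold:
            self.banned.add(client)
            return "banned"
        return "locked"


class FakeClock:
    """Controllable clock so the 15-minute and 7-day periods can be simulated instantly."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate():
    """Replay a constructed bot-like sequence of guesses and return the outcomes in order."""
    clock = FakeClock(1_700_000_000.0)
    guard = LoginGuard(clock=clock)
    bot = "203.0.113.7"                    # constructed TEST-NET address
    outcomes = []

    def burst():
        for _ in range(3):
            outcomes.append(guard.attempt(bot, password_ok=False))
            clock.advance(1)

    burst()                                                # denied, denied, locked
    outcomes.append(guard.attempt(bot, password_ok=True))  # right password, still locked
    clock.advance(15 * 60)                                 # lockout expires
    burst()                                                # denied, denied, locked
    clock.advance(15 * 60)
    burst()                                                # third lockout in 7 days: banned
    outcomes.append(guard.attempt(bot, password_ok=True))  # banned stays banned
    return outcomes


if __name__ == "__main__":
    print(simulate())
```

The fourth outcome is the one worth noticing: a correct password presented during a lockout is still refused, so an attacker who happens to guess right inside the window gains nothing, while a genuine user only has to wait fifteen minutes.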

Refuse Compromised Passwords

At the same time that NIST was recommending an end to forced
password changes, they were also advising that platforms help users
make good password choices in the first place. Their advice is for
new passwords to be checked against lists of easily-hacked words,
passwords taken in previous security breaches, variations on the
website name, or word patterns that attackers could easily guess,
such as replacing the letter S with $.

If you are allowing new users to sign up to your site, iThemes offers
you the opportunity to force them to use passwords which have not
appeared in previous password breaches through partnering with Troy
Hunt’s Have I Been Pwned (https://haveibeenpwned.com/) service.
This will take the first few characters of the scrambled password and
check if it appears in Troy’s online database of 613 Million passwords
(at the time of writing, and growing!), which have been stolen from
previous attacks on websites and services. If it appears in the database,
your site will ask the new user to choose another one.

These are password lists which are publicly available on the internet
for other attackers to use against your website. Using just the most
common 1 million passwords, an attacker’s success rate is over thirty
six percent, and with the most common ten million passwords, they
have a fifty four percent chance of success. Forcing your users to use
a unique password means they will not be vulnerable to this password
reuse attack.
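The check described above, in which only the first few characters of the scrambled password are sent to the service, can be shown end to end. The Python below is an added example written for this book, not iThemes or Have I Been Pwned code. The breach corpus and its counts in CONSTRUCTED_BREACH_CORPUS are made up so the demo runs offline; online_range_api() shows the shape of the real range endpoint but is not called by anything here.

```python
import hashlib
import urllib.request

# CONSTRUCTED stand-in for the breach corpus: a few passwords with made-up counts.
CONSTRUCTED_BREACH_CORPUS = {
    "password": 3_000_000,
    "123456": 20_000_000,
    "qwerty": 3_500_000,
    "picture1": 10_000,
}


def sha1_hex(password):
    """Upper-case hex SHA-1 of the password, the form the range API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def shared_with_server(password):
    """The only thing that leaves the client: the first five hex characters of the hash."""
    return sha1_hex(password)[:5]


def fake_range_api(prefix):
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    Mirrors the real response shape: one 'SUFFIX:COUNT' line per stored hash
    whose first five hex characters equal the prefix. The server never sees
    the full hash, so it cannot tell which suffix the caller cares about.
    """
    lines = []
    for pw, count in CONSTRUCTED_BREACH_CORPUS.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def online_range_api(prefix):
    """The real range endpoint; same return shape as fake_range_api. Not used offline."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "wp-password-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch=fake_range_api):
    """How many times the password appears in the corpus, or 0 if never.

    The 35-character remainder of the hash is matched locally against the
    returned suffixes (k-anonymity): the service learns a prefix shared by
    many hashes, never the password or its full hash.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def acceptable(password, fetch=fake_range_api):
    """The registration-time rule: refuse any password that has appeared in a breach."""
    return pwned_count(password, fetch) == 0


if __name__ == "__main__":
    for pw in ("password", "picture1", "Correct-Horse-Battery-staple"):
        print(f"{pw!r}: server sees {shared_with_server(pw)}, "
              f"seen {pwned_count(pw)} times, acceptable={acceptable(pw)}")
```

To run it against the live service, pass fetch=online_range_api to pwned_count(); the logic is unchanged, only the source of the suffix list differs.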

1. To enable this using iThemes, go into the security settings
page, and scroll down to get to the Password Requirements
module.

2. Tick the box to enable Refuse Compromised Passwords, and
ensure all User Groups are selected so this requirement applies
to all of your users.

3. Save your settings.

XML-RPC & REST API Access

XML-RPC is a method for interacting with your website through
platforms such as desktop publishing or mobile tools. It has been part
of WordPress since its earliest days, but has since been superseded by
more reliable methods and is no longer needed. It still comes with
WordPress though, and can be used to launch continuous login attacks
on your site without the ability to limit the rate of these or change the
URL.

The recommended advice is, unless you know that you need it, you
should disable this.

1. To disable this using iThemes, scroll down and click on the
WordPress Tweaks tile.

2. Scroll down and set the following options:

• XML-RPC – Disabled.
• Multiple Authentication Attempts per XML-RPC Request –
Block.
• REST API – Restricted Access.
By setting these, you close off another potential route for hackers to
attack your website.

Your login page is the front door of your site, and it makes sense
to secure this as much as you can, as it gets a lot of attention from
unwanted visitors. Using these steps, you will have gone a long way
toward preventing these visitors from getting in and causing havoc on
your site.
End of Chapter Checklist:

☐ Use a password manager for generating and storing long and
unique passwords

☐ Set up your password manager so it logs out after a short period,
such as fifteen minutes, so other users on the computer cannot
access your passwords

☐ Enable two factor authentication on your website

☐ Enable two factor authentication on your password manager

☐ Rename your site login page to something uncommon

☐ Block users after repeated failed login attempts

☐ Help users avoid passwords which are already being targeted by
attackers

☐ Block XML-RPC logins and restrict REST API access

Setting up a Staging Site

Developing a WordPress website takes a lot of time, focus, money,
and energy. You have invested a lot into it, and it requires ongoing
maintenance and care to keep it up to date, patched, and looking its
best. But any time changes are made to your site, whether they be
software updates or design changes, you run the risk of something
going wrong and impacting your site. When this happens, it can be a
tense time while you work to get it back up again—especially knowing
visitors and customers are unable to connect, leading to a reputation
hit or lost sales.

Taking a backup of your site before doing any work is definitely good
advice, and we cover how to do this in the chapter on Backups. But if
you want to test out a new design change, plugin feature, or update the
site, it is a best practice to do so on a copy of your site, rather than on
the live, customer facing one.

Known as a staging site, this allows you to test out anything you need
to do without it negatively impacting your main production site.

You can install plugins, change designs, update, and patch as much
as you want with the assurance that none of this is affecting the site
your business relies on. Once you have completed your testing on
your staging site and are confident about the results, you can then go
back to your live site and replicate the steps there.

Many companies have copies of their live site running on a separate
server within their business. It is important that every aspect of the test
server matches that of the live server as much as possible, down to
the versions of the database and web application software being used.

As you are creating a second copy of your website, you need to be
conscious of how much storage space your hosting account provides,
as you may encounter problems or additional charges from your
hosting provider. cPanel hosting panels show your available and used
storage space in a display when you log in.

I am only using 6.47% of my available storage, plenty of room for a staging site!

Creating a Staging Site on your Hosting Account

Many hosting providers allow you the option to create a staging site
from within your hosting account. Log in to your control panel and see
if the option exists.

1. Create a new sub-domain in your hosting account, e.g.
https://staging.your-site-name.com.
2. Set up a username and password on the directory you created for
your sub-domain. This is to ensure only your testers can access it,
and visitors and search engines cannot accidentally find it on the
internet.

3. If your domain name registrar is not the same as your hosting
provider, you will need to log into your name registrar and set up
a new DNS ‘A’ record which will send traffic for
staging.your-site-name.com to your server's IP address. It may take
a while for the changes to take effect.

4. From your hosting web panel, install WordPress on your new sub-domain.

5. Set up HTTPS to ensure your login passwords are protected.

6. Go back to your original site and install a plugin which will allow
you to migrate your site, such as Duplicator
(https://wordpress.org/plugins/duplicator/). You can also migrate your
site using UpdraftClone, as we will cover in the chapter on Backups.

7. On your staging site, install the Duplicator or Updraft plugin also,
and import your site.

8. Your staging site should now be a copy of your main site, and ready
for you to start testing.

You are now ready to begin testing changes or upgrades to your site.

Create a Staging Site using a Plugin

Another option is to use a plugin to create a copy of your website
which you can safely use for testing. This staging site will sit in
a folder under your main site, so the web server and database
software will all be the same version. This is a less technical route
than creating a sub-domain, and you can still password protect it so
it will not be reachable by normal visitors from the internet.

WP Staging (https://wordpress.org/plugins/wp-staging/) will set up a
whole new sub-directory under your website domain and copy all your
website files over to it. It also copies and creates new database tables
with all of your existing information. Thus, any changes made within
the staging site will not impact upon your live site.

All of your data stays on your server, with nothing being sent to a
third party. WP Staging will also prevent search engines from indexing
the site and password protects it so visitors can’t accidentally stumble
upon it.

1. Install and activate the WP Staging plugin.

2. Click the WP Staging menu on the left and then Create New
Staging Site.
3. Enter a name for the new site and click Start Cloning.

Enter a name for your staging site and click Start Cloning

4. Once staging completes, click Open staging site and log in using
your username and password.

5. WP Staging displays an orange bar along the top of the page to
indicate that this is your staging site and not the live site. To get to
your admin dashboard, click the link at the top for Dashboard.

Links to your admin pages are displayed in the top menu


You can create as many staging sites as you want using WP Staging,
though be sure to watch how much storage space you have available.
Delete them once finished and recreate as needed.

Staging sites created using this plugin are great for testing design
changes or plugin updates, except for PHP upgrades, as the staging
site uses the same version of PHP as your live site.

WP Staging Pro allows you to push changes made on your staging
site back to your main site. This is useful if you make big changes in
staging as it avoids you having to manually go back and repeat the
changes on the main site.

In the chapter on Patching, we will discuss how some site owners are
reluctant to upgrade for fear of breaking the site. Along with taking
a backup, using a staging site is your way of testing the effect of
upgrading your plugins and themes on your site.

End of Chapter Checklist:

☐ Create a staging site for yourself using either a subdomain or a
plugin
Backups

Marty: Wait a minute, Doc. Are you telling me that you built a time
machine... out of a DeLorean?

Doc Brown: The way I see it, if you’re gonna build a time machine into
a car, why not do it with some style?
—Back to the Future, 1985

Modern animated box-office films are expensive to make and entail
hundreds of people working years to ensure the story entertains kids
and families around the world. Coming off the success of the hit movie
Toy Story, Pixar Animation Studios were keen to produce a follow up
movie that would continue the story of Buzz and Woody.

In 1998, two years into production of Toy Story 2, 150 people were
hard at work in the animation, lighting, and modelling departments of
Pixar. A team of systems administrators were tasked with maintaining
the computer systems on which the animators were creating the movie
characters, and one of their routine roles involved clearing out and
deleting files which were no longer needed.

An administrator logged onto his terminal and typed the necessary
command to delete the files. Only, without noticing, he mistyped the
command, and the computer system set about deleting all of the movie
files. Out in the animation offices, animators started noticing files and
scenes disappearing. Panicked calls were made to the IT department,
who turned to their backup tapes to restore the lost files.

Normally, this wouldn’t be a problem. Things get deleted accidentally
all the time, and companies keep backups just for this type of event.
When Pixar looked at their tapes though, they noticed that they had
failed to back up most of the time, and after restoring what they could,
ninety percent of the movie had been lost.
Meetings were held with producers and IT, and it looked like the movie
really was lost. It was at one of these meetings when Galyn Susman,
a technical director on the movie, realised that she might have a copy.
She had recently been doing work from home during her maternity
leave, and had downloaded copies of the files to work on—making
them the only remaining copies of the movie in the world.

She jumped in her car and drove home to retrieve her computer,
wrapping it in pillows and blankets for the drive back. After a
forty-five-minute drive to the studio—at which time her little Volvo was
effectively worth about ninety-million dollars—they plugged in the
computer, downloaded everything, and set about restoring the file
system on the master computer.

The movie went on to take in over $500 million in receipts, won an
Oscar for Best Original Song, and is widely considered to be one of the
greatest animated movies ever made.

Taking reliable backups is one of the foundational elements of any
good security program. Most of the security steps we talk about are
preventative in nature, designed to prevent a successful attack from
taking place. With backups, you are assuming that an attack has been
successful (risk reduction, not risk elimination), and so need to recover
and restore your site as quickly as possible and get back online again.

Backups are essentially just copies of your site. For WordPress, this
involves copying both the files on your web server and the content of
the database.

Having reliable copies of your site is essential to being able to recover
from any disaster, whether it be a destructive attack on your site or
the host server, a failed update, accidental deletion of critical files, or
even an attempt to redesign a section of the site which ended up not
working out. You’re going back in time to reset your site to the way it
was before the crisis hit. In an emergency, it gives you options, space
to breathe, and an ability to turn back time and recover quickly.
Commonly, website owners assume their hosting company is taking
backups, and if something happens all they need to do is get the host
to restore the site. This is a dangerous assumption to make for two
reasons.

Firstly, some web hosts only offer regular backups as part of their
higher-end services. Hosts often limit their role to looking after the
servers on which the websites run, but not the actual websites
themselves. If they do provide this service, then that’s great, but you
need to know this in advance so you don’t get caught in a situation
where you need backups and neither you nor your host has any.

GoDaddy.com Terms of Service

HostGator Terms of Service

Secondly, even if backups are included as part of your hosting package,
you are still far better taking responsibility for these yourself and taking
your own backups. There is no harm in you both taking backups, but
when you take control of this, you are able to restore your own data
much faster or make test restores to prove that the backups are working
for when you need them. If you control your backups, you won’t need
to raise tickets or send emails to request them, which will take time.
You can just run your restore and carry on with what you were doing.

When you run a backup, most plugins will store the copy on the same
server as your website, called a ‘local’ copy. This is convenient for
a speedy recovery, but dangerous from a security perspective, as it
means an attack on your web server could mean the loss of both your
website and all of its backups.

For this reason, another copy of the backup must always also be saved
remotely to a trusted cloud-based location like Dropbox, Google Drive,
or Amazon S3. This gives you insurance against an attack on your web
server and means you always have copies of your site to fall back to.
As they often say, two is one, and one is none...

A backup of your website still contains all of the customer and business
data in your live site, and so needs to be protected adequately.
Companies have had their data stolen not through attacks on their
live site, but through breaching their backup solution and stealing data
from there. Consider encrypting the backup, and ensure there is a
sufficiently long, strong password being used on the remote storage
account.

Given the importance of backups, what do you back up? In short,
everything. Take a full backup of your web site, including its files,
plugins, and the database. You may come across different types of
backup, including Differential and Incremental backups—where only
files which have changed recently are backed up—but these are
best used for server or very large website backups only. During
a restore, you would have to restore multiple backups, which can get
confusing and takes additional, unnecessary time.

How often you take a backup is something else to consider. If your
website is not changing frequently, a weekly or even monthly backup
should be sufficient. Could you live with losing the last week or month’s
worth of data, and restoring your site back to how it was a week or a
month ago? For sites that are being updated or posted to on a frequent
basis, losing a week’s data might be too much, so a daily backup would
be more appropriate.

Each backup will use up space, particularly on your local web server,
so you would need to balance your backup frequency against how
much storage space you have available to you with your host.

There are many good WordPress plugins with which you can take
backups of your website. We are going to cover one here: the very
popular UpdraftPlus. The free version offers regular backup scheduling
and copying the backups to a remote location, while the paid version
offers features such as backup encryption, copying to multiple remote
cloud locations, and automatically running backups before site updates
are installed.

Once installed and activated, you can get to your UpdraftPlus settings
via the Settings > UpdraftPlus Backups menu. The Backup/Migrate
tab allows you to run an immediate backup, which is useful to do
just before you begin making any changes to your site. All available
backups are also shown here, along with a Restore button to allow
you to quickly and easily restore your site back to that point in time.

Take a backup now or view, delete or restore previous backups

On this tab, there is also the option, under Existing Backups, to
Upload Backup Files. This would be useful in a scenario where you
had no available backups shown, but wanted to restore a backup
which was saved remotely, as would be the case if your site got wiped
by an attacker. UpdraftPlus breaks its backups into separate archive
files for the database, the uploads folder's contents, themes, and plugins.
You would need to upload each of these if restoring your site manually.

Over on the Settings tab, you can set the schedule for your automated
backups and the remote location where your backups should be copied
to.

Though the option is there to have the backups sent by email, this
would not be a good solution due to the size of the files. I strongly
recommend using a cloud storage account, like Google Drive or
Dropbox, instead of emailing them to yourself.

Set your schedule, remote storage location and many other important settings
Set your files and database to be backed up on the same frequency,
and keep as many copies as you feel you will need. Take note that
these will use up space on your local server, so check how much space
your hosting provider has allowed so you don’t end up using it all up,
impacting your site's performance.

Further down the same page, in the Expert Settings section, there
are some further options—the most important of which is Automatic
Updates. Enable this so UpdraftPlus will be updated whenever an
update becomes available. The Premium version also gives you the
option to encrypt your backups here.

Enable automatic updates to keep UpdraftPlus patched and up to date

Restoring Your Website from Backup

If you ever need to use your backups to restore your live site, simply
go to the UpdraftPlus Backups plugin options and choose the date you
want to restore back to from the Existing Backups. Click Restore,
select all components (plugins, themes, etc), and click to continue.

Roll back to the date you want by clicking Restore


Testing Your Backups

Having and taking backups is only part of the backup process. In reality,
no one actually cares about backups. It is the ability to restore your data
that matters, so it is critical that you test your backups to ensure they
are not getting corrupted during the process. This avoids the problem
of finding out that your backups were not working for some reason
right when you need them the most, in the middle of some disaster.

Doing test restores gives you confidence in your ability to get your
critical data back when—not if—the need arises.

Let’s take a look at two methods for testing your restores using
UpdraftPlus; one where you do a test restore back to a temporary test
site you create on your own server, and the other using UpdraftPlus’s
servers in the cloud.

Method 1 - Restore to staging site

The first method involves creating a new staging site and uploading
your backups to it for testing. We cover staging sites in more detail in
another chapter, but essentially it is a copy of your site which is totally
separate to your main, live site, so you can make changes and test
new things—all without impacting or hurting your main site.

As this creates a copy of your whole site, it will use up storage space
on your server. Be sure you have enough free space by checking your
hosting account. If you do not have the space, use the second restore
method we describe below.

This method requires the Migrator feature which comes as part of
UpdraftPlus Premium. If you are using the free version of UpdraftPlus,
Migrator can itself be purchased as an add-on.
1. Download the backup files you are going to test from your cloud
storage location. UpdraftPlus saves the database, plugins, themes,
uploads folder, and other data in separate files, so you will need to
download each of these in order to do a full restore back to the date
you want to test.

1. Backup files saved to Dropbox. Look for the files with a similar date.
2. Updraft splits backups into separate files for Database, Plugins, Themes, the WordPress Uploads folder and Other website files

2. Using the WP Staging plugin, create a new site called ‘restore-testing’.

3. Log into your new staging site by going to
https://your-site-name.com/restore-testing/wp-admin, go to Settings >
UpdraftPlus Backups, and delete any existing backups. These backups
would have been copied over from your main site when you were
creating the staging site. These are not the backups you want to test.

4. Upload your backup files to your staging site. Go to the Backup/
Restore tab > Existing Backups > Upload Backup Files.

5. Drag your backup files into the box that appears. You can also
press the Select Files button to find your files on your laptop and
click them to import them.

Click Upload Backup Files and drag your files into the box that appears

6. Once the upload completes, the backup will appear as an Existing
Backup.

7. Go to the Migrate/Clone tab, scroll down to Migrate, and select
Restore an Existing Backup Set onto This Site. Choose the date for
the backups you are restoring, and click Restore.

Click to restore your live site onto the test site

8. Select all components and click to proceed with the restore process.
UpdraftPlus will show some warnings, as you are restoring your
site from https://your-site-name.com to
https://your-site-name.com/restore-testing/wp-admin, so it notices that
the address is changing. Click to continue.

When doing a backup restore test, restore all data to fully test your site

9. When it is complete, you should see the Restore Successful
message, or be asked to log back in to your staging site.

Once complete, click the blue button to return to your staging site settings page

10. Log back into your staging site at
https://your-site-name.com/restore-testing, and start testing to make
sure your site acts and performs the way you would expect it to. Be
sure you are on the staging site and not your live site when doing any
testing.

Take note of the address bar to ensure it is the restored site you are testing and not
your main site. They will look the same!

11. Once you are finished with your testing, you should delete the
staging site which you created earlier. Log back in to your main site
(https://your-site-name.com/wp-admin), and go to WP Staging in the
left-hand menu. Click to delete your restore-testing site. This will remove
the staging site, its files, and database.

Delete the staging site to get back the space on your hosting account
Method 2 - Restore to UpdraftClone

If you have a large site, you might not have enough space on your
server or hosting account to use a staging site, which is a copy of your
whole site. You might also not want to do testing on the same server as
your live site in case anything goes wrong and the live site is affected.
UpdraftClone is a great alternative, as a copy is made of your site
using the same technology as is used for the backups. So if your
site copies over to UpdraftClone successfully, you can be assured that
your backups are good also.

UpdraftClone creates a temporary server on UpdraftPlus's own
infrastructure, onto which your site is copied. UpdraftClone requires
tokens which you can purchase from https://updraftplus.com, and there
is no expiry or recurring fees with them—once you buy them, you keep
them until used.

1. On your own website, in the WordPress menu, go to Settings >
UpdraftPlus Backups and click on the Migrate/Clone tab.

2. Under UpdraftClone, click the button to create a temporary clone
on their servers.

3. Enter your UpdraftPlus account details and connect to your account.

4. UpdraftClone automatically sets the next set of options based on
your current site settings. It is best to leave them as they are unless
you have a good reason to change them. Just click Create Clone.
5. It will take a few minutes for UpdraftClone to create a new server,
start it up, and copy over your site files. There are links for you to
visit the front page and dashboard of your cloned site, as well as a
link to your account where you see details of the server which has
just been set up for you.

Click the Front Page link to visit your cloned site

6. Once you have tested the clone and are satisfied your site was
copied across successfully, go to https://updraftplus.com/my-account
and delete the cloned site. While the clone is running, tokens will be
taken from your account each week, so do not leave it running if you
don’t need it any longer.

Delete your clone by going to Quick Actions > Delete


Restore Test Plan

Having a test plan for your restored site involves browsing around your
restored site just as a normal user/customer would, visiting the sorts of
articles and pages they would visit, and using the features of the site
to ensure everything is working correctly.

• Visit a number of pages, following links to other internal pages.
• Use search functions on your site to ensure you get working
results back.
• Make test purchases in your store. (Use 100%-off coupon codes
so you don’t end up charging yourself.)
• Test password protected areas.
• Test download links.

It is much easier to plan in advance what elements of your site you
want to test and document these in a checklist, so on the day you
simply run down through the test plan and don’t have to think up what
needs to be tested.

Final Notes

Backups are a key part of the security of your website and give you
peace of mind, knowing that you can always roll back the clock if
something goes wrong. They are so important, in fact, that each year
March 31st is celebrated as World Backup Day
(http://www.worldbackupday.com/en/). Take the time to ensure you
have backups set up for your site and a plan to test them.

It is best to think in terms of when you will need a backup, rather than
if. There are many WordPress plugins available for taking backups,
and I would encourage you to thoroughly explore one that works for
you. So when the time comes, you are familiar with the restoration
process, and able to perform it quickly and confidently.
Backups and restore testing are fundamental parts of your overall
security plan for your website, but also your other IT assets like servers,
laptops, and home documents. If you want some help setting up your
backups, doing regular restore testing, or knowing what to test, please
go over to https://dermotdowney.com/index.php/call to book a call and
I’d be happy to help.

End of Chapter Checklist:

☐ Set up regular backups of your website

☐ Save the backups in multiple locations – locally on the server and
in a cloud storage account

☐ Set the backups to be taken on a weekly basis. If your content
changes frequently, go for daily

☐ Test your restores on a regular schedule, such as every 6 months

☐ Write out and continually update a restore test plan for your website
Patching

In 2017, the shipping giant Maersk was an unfortunate casualty in
what is widely regarded as one of the first instances of cyberwar.
Ukraine and Russia were engaged in a bitter war which had already
cost thousands of lives. Alongside traditional warfare, cyber-attacks
were being deployed by both sides to deadly effect. Skilled technical
experts from both countries were penetrating computer networks of
retail, transport, and power industries, destroying data and even entire
computer systems.

In June, Russia released a virus which was intended to cripple
Ukraine’s economy and businesses, but which quickly spread to innocent
companies across the world. Maersk, which had an office in Odessa,
got caught up in the chaos of the infection, and data across its global
network of computers was wiped and computers rendered unusable.
Massive tailbacks developed outside ports as trucks were unable to
enter, and cargo went ‘missing’ on the dockside as shipping handlers
no longer knew what was in each cargo container or where it was
being sent to.

Earlier in the year, the American NSA had lost control of a collection of
computer vulnerabilities they had been using to break into computers,
and these vulnerabilities were then published onto the internet. While
Microsoft had released a patch to ‘vaccinate’ and protect computers,
many companies are slow to update their computers, so when Russian
hackers used the NSA vulnerabilities to develop their virus, they knew
it would have a big impact.

Maersk had not only not installed the update, but a lot of their computers
were running on very old Windows platforms including Windows 2000,
which stopped receiving security updates back in 2010. Over 49,000
of their servers and laptops had their data wiped, including all of their
Windows computers. They had to order thousands of new laptops,
reinstall them all by hand, and get them issued back out to their staff
so they could continue working as best they could. It took months
for anything resembling normal operations to begin again, and the
eventual cost to them was over $350 million.

The Merck pharmaceutical company were also hit hard, as were
Mondelez—the makers of Cadbury and Oreo chocolates—FedEx, and
many other smaller or private companies. In Ukraine, most banks, the
postal service, and government ministries had their computers wiped
and completely taken out of service. The overall damages from this
attack are estimated to total around $10 billion.

Patching your website is a critical part of maintaining your site’s health.
WordPress is a complex piece of software, and bugs in the code are
going to be found continuously. Along with the core WordPress site
itself, there are the plugins and themes managed by third party teams,
which introduce new code into the site.

Of the vulnerabilities found in WordPress sites in 2020:

• 3.8% were in core WordPress code.
• 14.1% were in themes.
• 82.1% were present in plugins.

In December 2020, Contact Form 7—one of the most popular plugins on
WordPress—was found to have a vulnerability which allowed attackers
to upload malware to your website. In January 2021, over one million
sites were affected by a vulnerability in the popular Ninja Forms plugin,
which would have allowed site members to intercept all mail to and
from the site. This is not to say that the one million sites were
actually breached, but that they were open to being exploited. Software
developers understand that bugs will be found in their code, and the
community of WordPress and plugin developers is very responsive in
releasing updates to fix a security flaw once they become aware of it.

A lot of press is given to so-called ‘zero day’ vulnerabilities, i.e.
vulnerabilities which have been discovered by the attackers themselves,
and for which there is no patch available yet. If there is no patch, then
there is no defence against the attack, but these are rare instances.
The overwhelming majority of attacks on plugins or themes target
vulnerabilities for which a patch has already been released.

Sometimes, a developer will discover flaws in their own code, or, equally
likely, a security researcher will be analysing the software, discover
them, and responsibly notify the developer. The developer then
rewrites the code involved and sends that out to all users who have the
particular plugin installed. Although WordPress and plugin developers
release patches rapidly, many site owners suffer because they delay
or altogether ignore updates. A common tactic of organised attackers
is to monitor and track plugin updates, and then scan for websites
which have not yet installed them.

In the case of the malware attack on Maersk, Microsoft had released
an update for the vulnerability earlier that year in February, but it had
not been installed on their computers by the time the malware was
released on the world in June.

Along with password guessing logins, attacks leveraging out of date
software constitute the greatest threats to your site. It is imperative
that you have a plan for keeping your site updated and put time into
maintaining it. There are some online tools, such as https://wpsec.com,
which will scan your site for you to see if it is showing up as vulnerable.
This site uses the technology that attackers will use when scanning
sites for vulnerabilities, but even if your site shows up as safe, you
ultimately get the best picture of your site's health by logging into your
admin dashboard and seeing if there are any updates.

There are three aspects to your site that need regular updating:

1. WordPress core files.
2. Your plugins.
3. Your themes.
WordPress is an incredibly well-maintained piece of software and
has dedicated teams of developers reviewing its code for security
vulnerabilities. Any minor releases, such as security or maintenance
updates, are installed automatically since WordPress 3.7, so you
are constantly being protected. Major core releases are listed in
Dashboard > Updates.

Automatic updating of plugins and themes was introduced to
WordPress in version 5.5, and was a welcome step in terms of keeping
your site up to date. Prior to that, you had to log in to check if there
were any updates and manually install them, leading to many sites
running vulnerable software for a long time because owners were not
actively maintaining them. Alternatively, a plugin such as Easy Updates
Manager
(https://wordpress.org/plugins/stops-core-theme-and-plugin-updates/)
could be used to auto update plugins.

To automatically update your plugins, go to the Plugins menu and you
will see a listing of the plugins on your site. Here, you can choose to
turn on Automatic Updates, which is a great way of keeping your site
protected against vulnerabilities.

Click Enable auto-updates to have all patches and updates automatically installed

For themes, go to Appearance and click into each theme. Here you
will see an option to Enable Auto-Updates. It is advisable to also turn
this on for all themes.
One of the concerns around automatic installation of updates is that
it might break features or functionality of your site. To fix a security
vulnerability, the developers must re-write code, and this can
sometimes change how things work within the software. Developers
test their code before pushing it out to websites, but sometimes issues
occur, though they are often spotted and fixed quickly.

So there is a risk, however small, of updates having unintended impact
on your website. The solution though is certainly not to disable all
updates. I have seen cases where this approach was taken, with the
attitude of, ‘The site is working, don’t change anything!’ It needs to be
recognised that there is a far greater risk to your site by not updating
plugins and themes, as avoiding updates simply leaves you exposed
to greater dangers of being attacked. What is needed is a three-step,
planned approach to patching.

The first step is to be sure your backups are being taken on a regular
schedule and restores have been tested. This will allow you to roll back
any changes or updates which cause problems, allowing your site to
continue to function as normal while you investigate any problems.

The second step is to have a strategy and schedule for how you patch
your websites. The approach you take may vary depending on the size
of your organisation.

• Small blogger, business, or brochure site, where content is not
changing very frequently: Turn on auto-updates for plugins &
themes.

• Small to medium ecommerce site: Turn on auto-updates for
most plugins and for themes; manually test and update the
more complicated plugins related to ecommerce.

• Agency or larger businesses: Test and manually update plugins
and themes within a set time frame after the update has been
released.

It comes down again to the level of risk you are comfortable with. Large
or reputable plugin developers are more likely to have reliably tested
their updates before pushing them out, so the likelihood of it impacting
your site should be less.

Whichever strategy you choose, it is most important that you do choose
one, and have a plan for patching. I have worked with organisations
which were completely against patching because of a fear that ‘it might
break something’, but this perspective is dangerous. The internet is an
inherently hostile place, and your website is being scanned and probed
every day. The risks involved with avoiding updating and maintaining
your site are much higher than the risk of updates having an adverse
effect. Site updates cannot be avoided and the solution is to have a
planned approach towards regular patching.

The third step is to use a staging site for testing updates before applying
them to your live site. We discuss staging sites in more detail in another
chapter, but this allows you to test an update on a copy of your main
site and confidently demonstrate that it will not cause problems. If it
does break something, it gives you an opportunity to investigate ways
of fixing the problem, which you can also include as part of your plan
when updating the live site.

If, despite your efforts, you upgrade a plugin and still encounter a
problem on your live site, you can roll back the update to give yourself
time to investigate further. Plugins such as WP Rollback
(https://wordpress.org/plugins/wp-rollback/) allow you to go back to a previous
version of a plugin, or you can restore your site from the recent backup.

Nulled Plugins or Themes

While there are many free plugins and themes available for WordPress,
some also charge a fee for a licence to use them. Many free plugins
offer a Pro version with extra functionality for a one-time or recurring
monthly cost. Site owners may be interested in getting these additional,
feature-rich versions but without paying for them.

Nulled plugins or themes are pirated copies of premium plugins or
themes which have been modified to get around having to pay for
them. They are easily found online, but you do not know what the
person who modified them has included in the code. Backdoors and
malware are often bundled into nulled software, which can be used to
access your site, and the modified code can also lead to conflicts with
other plugins and impact performance on the site.

A virus found implanted in a nulled copy of the WP-Staging-Pro plugin. Many
embedded viruses will not be detected

You will also often find that the update feature of the theme or plugin
is disabled, or you may have been given a product key that is known to be
stolen, and thus invalidated. Therefore, you will not receive security
and feature updates from the developer. As the details of what was
updated are public, hackers can then search for and find your site,
then take advantage of the security flaws that are not being fixed.

WordPress is unable to update a nulled copy of UpdraftPlus, increasing the risk of it
being attacked by a hacker

There is also the ethical side to the discussion. The reason great
software, such as WordPress itself and all of its additional features,
themes, and plugins exists at all is because developers around the
globe have put their time and energy into it. They wouldn’t or couldn’t
do this if they were not getting paid for their work, and it is right to
compensate someone if their efforts result in you having a better-
looking site that generates income for you.

All in all, the risks and costs of using pirated software on your site are
much higher than any benefit you gain. Pirated code simply cannot be
trusted to be secure, and installing this malware on your site exposes
you to problems down the line which undermine any other steps you
take to secure your site.

If you would like help with keeping your site current and patched
against attacks, go over to https://dermotdowney.com/index.php/call
to book a call. We can go over how your site is currently maintained
and how to secure it against online threats.

End of Chapter Checklist:

‰ Turn on auto-updating for your plugins and themes

‰ For any plugins you are not comfortable with auto-updating, set up
a staging site for testing and check or update them on a regularly
scheduled basis

‰ Ensure your site is being backed up frequently, and you are testing
your restores

‰ Remove nulled plugins from your site

User Management
‘We Hunt System Admins’ – NSA internal discussion forum
– Bruce Schneier, cyber security expert

User interaction is a big part of running a WordPress website. Having
started out originally as a blog platform, WordPress allowed readers to post
comments on your postings and give their feedback. As time went
on, and plugins allowed WordPress to also be used for ecommerce,
eLearning, and more, the opportunities for people on the internet to
interact with the platform grew. Likewise, with many companies, such
as professional blogs, hiring teams of writers to produce content, there
are also many contributors logging onto companies’ websites to spread
their message.

Managing both the internal and external users, and what they can do
on the website, is a powerful way of keeping your site secure. Your aim
is to allow the user to do exactly what they need to do—whether that
is publish content, buy products or enrol in a course—but do no more
than that. You also want to prevent information leaking which doesn’t
need to be exposed.

When you set up a new user account, one of the things you will have
to select is its Role. By default, WordPress comes with a series of very
well-defined roles for what users who log in can do:

• Subscriber – The most limited account type, Subscribers can
only manage their own user profile.

• Contributor – These users can read posts and comments, but
cannot edit them. They can write their own posts and send them
to an Editor for review and publishing.

• Author – An Author can publish their own posts and upload
media for posts.

• Editor – An Editor can manage Posts produced by other users,
manage and remove media uploaded to the site, and create
and remove Pages.

• Administrator – This is the most powerful user on the website,
having the ability to do all that the other users can do, as well
as administering the site itself, adding and configuring plugins,
changing themes, and affecting the security.

Other plugins may introduce new user roles, but the idea overall is that
users should only have the level of access that they need in order to do
their job on your website. If you have an author writing content for your
website, they do not need the Administrator role. Known as the Principle
of Least Privilege, users should only have enough rights to do the job
they need to do, and no more. This reduces the temptation, and ability,
for them to do things on your site that they shouldn’t do and keeps you
in control of what people can do and are doing.

Controlling who has a user account is a big part of keeping your site
secure. In the chapter on Patching, we discuss various types of security
bugs and vulnerabilities which plugins may have, but one type is called
a Privilege Escalation vulnerability. With this, an attacker can exploit a
flaw in a plugin to give themselves higher privileges on your site than
what they are meant to have, or even what you have set for them.

In October 2020, a privilege escalation vulnerability was discovered
in the Ultimate Member plugin, a popular plugin that allows enhanced
user registration and account control features on WordPress sites.
This is installed on over 200,000 sites, and the vulnerability made it
possible for users to raise their privilege level to admin and take over
the site if they so wished. An attacker could scan the web for websites
with this plugin installed and register an account for themselves so
they can exploit the vulnerability.

The solution is to patch and upgrade the plugin which has the
vulnerability in it, but you can also take steps to limit the problem from
affecting your site by not allowing users to register for accounts if they
do not need to. Many sites need people to register and set up accounts.
But if this is something that is not needed for your site, it is best to
disable it. While the vulnerability in this case was in a membership
plugin, implying that user registration is needed on those sites, it could
just as easily appear in other plugins you may have installed.

If you do not need people to register for your site, then this is a
feature that can be turned off. Go to Settings > General, and untick the
option for Membership. In security terms, if something is not needed,
then it should be turned off. With this, you have closed off a potential
avenue for harm and made your site easier to manage.

If your site does require registered users, set a regular schedule for
reviewing them. Click into the Users menu and review the list of users
and the Roles assigned to each. If a user doesn’t need to have access
to your site anymore, either Delete them or edit their account and set
the Role to ‘No role for this site’. This will leave their account in place,
but ensure it cannot be used to do anything. You can also set a new
password, which will also prevent their account from being logged into.

If you have staff members or content contributors, this should form part
of your Joiners, Movers, and Leavers (JML) process. Disabling the
account of former employees is an important step in preventing harm
when people leave your organisation.

There is some debate as to whether hiding your username benefits
the security of your website. There are many who feel that preventing
as much information disclosure as possible from attackers is the
best course of action. There are others with the viewpoint that the
real security to your site login comes from having a sufficiently secure
password and two factor authentication.

I am on the side of limiting as much information leakage out to attackers
as possible. It makes their job easier when they can easily tell the
names of the accounts which they have to try to break into, meaning they
only have to focus on guessing the passwords being used by those
users.

It can be trivial to get a list of the users on a WordPress site. This is
known as User Enumeration: by simply adding ?author=1 to the end of a site
address, i.e. https://example.com/?author=1, WordPress will bring
up the page for user number 1 on your site, and will also show the
username in the address bar. Repeat with ?author=2, ?author=3, etc.,
and you can enumerate your way through the users on a website.
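
As an added illustration, not from the book, the short Python script below scans web server access-log lines for the enumeration pattern just described, so you can see from your own logs whether anyone is walking through your author IDs. The log lines are constructed samples in the standard combined format; the REST API users endpoint it also watches (/wp-json/wp/v2/users, or ?rest_route=/wp/v2/users) is part of WordPress itself but is not mentioned in the text, and the threshold of three distinct IDs is an assumption you can tune.

```python
"""Spot ?author=N user-enumeration probes in a web server access log.

Added example, not from the book. Works on Apache/Nginx "combined"
format lines. A single ?author= request is normal (someone clicked an
author link); a client walking through several IDs, or pulling the REST
users listing, is the enumeration pattern worth investigating.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# client IP, identd, user, [timestamp], "METHOD path protocol", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3})'
)

# Constructed sample: one scripted client walking author IDs and then the
# REST endpoint, and one ordinary visitor who followed a single author link.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2021:08:12:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "python-requests/2.25.1"
203.0.113.7 - - [10/Mar/2021:08:12:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "python-requests/2.25.1"
203.0.113.7 - - [10/Mar/2021:08:12:02 +0000] "GET /?author=3 HTTP/1.1" 404 2310 "-" "python-requests/2.25.1"
203.0.113.7 - - [10/Mar/2021:08:12:03 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 812 "-" "python-requests/2.25.1"
198.51.100.20 - - [10/Mar/2021:08:15:44 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2021:08:15:50 +0000] "GET /author/dermot/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def author_id(path):
    """Return the integer value of an ?author= query parameter, or None."""
    values = parse_qs(urlsplit(path).query).get("author")
    if not values:
        return None
    try:
        return int(values[0])
    except ValueError:
        return None


def is_rest_users_request(path):
    """True for the WordPress REST API users listing, in either URL form."""
    parts = urlsplit(path)
    if parts.path.startswith("/wp-json/wp/v2/users"):
        return True
    route = parse_qs(parts.query).get("rest_route", [""])[0]
    return route.startswith("/wp/v2/users")


def find_enumeration(log_lines, threshold=3):
    """Group requests by client IP and report the suspicious clients.

    A client is reported when it requested at least `threshold` distinct
    author IDs, or touched the REST users endpoint at all. The result maps
    client IP to the author IDs it probed and its REST endpoint hit count.
    """
    probed = defaultdict(set)
    rest_hits = defaultdict(int)
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # unparsable line: skip it rather than abort the scan
        ip, path = match.group("ip"), match.group("path")
        uid = author_id(path)
        if uid is not None:
            probed[ip].add(uid)
        elif is_rest_users_request(path):
            rest_hits[ip] += 1
    report = {}
    for ip in set(probed) | set(rest_hits):
        if len(probed[ip]) >= threshold or rest_hits[ip] > 0:
            report[ip] = {
                "author_ids": sorted(probed[ip]),
                "rest_users_hits": rest_hits[ip],
            }
    return report


if __name__ == "__main__":
    for ip, info in find_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: author IDs {info['author_ids']}, "
              f"REST users requests {info['rest_users_hits']}")
```

Run it against your real log with `find_enumeration(open("access.log"))`; any client it reports is a candidate for blocking at the firewall, and a steady stream of such reports is the sign that the Stop User Enumeration plugin mentioned below is earning its keep.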

One of the usernames most commonly used on WordPress sites
across the globe is ‘admin’ or ‘administrator’. As a result, automated
scripts are constantly trying to attack sites using this account name.
From analysis of attacks on my own sites, 30% of the login attacks are
against ‘admin’ and 60% target usernames obtained from enumerating
the users on the site.

iThemes offers two settings to prevent this. Under WordPress
Tweaks, enable both Force Unique Nickname and Disable Extra
User Archives. There is also a great free plugin called Stop User
Enumeration (https://wordpress.org/plugins/stop-user-enumeration/)
which also prevents the usernames on your site from being exposed.

If you do have an account called ‘admin’, you need to replace it right
away also. Set up a new admin account and log in using that new
account. Then go into the Users menu, delete the account called
‘admin’ and reassign all content to the new user.

Once this is done, iThemes has a great feature in their security plugin
which will automatically block any attacker who tries to log in using the
‘admin’ username. On the WordPress menu, go to Security > Local
Brute Force Protection and enable the option for ‘Automatically ban
“admin” user’ and save your settings.

If your admin is also involved in authoring content for the website, it
is also worth considering giving them a separate account for these
activities and restricting use of the admin account for managing the
website itself. This way, the content creator is not logging unnecessarily
into the most powerful account, and if the password for their account
used for authoring/editing is ever stolen, you have limited the damage
the thief can do.

Whichever account you are using, it is also important that you log out
of them at the end of your session. Modern web browsers want to
make life simple and convenient for us, and will remember your login
details until you specifically log out of your accounts. Simply closing
your browser window or turning off your laptop will not log you out
of your WordPress account. If you are using a computer which other
people have access to, they can log into your account simply by going
back to your WordPress site and picking up right where you left off last
time.

If an attacker does manage to successfully breach your website’s
security, one of the first things they would normally do is create a
new user account for themselves with full admin privileges in order to
maintain access. There isn’t much point in them spending their time
exploiting an unpatched plugin and getting into the site, only for you
to update the plugin next week so that they cannot break in again.
They will try choosing a username that looks innocent and will not
draw attention, like ‘developer’, ‘support’, or something that will be
consistent with other user accounts on your site.

What you need to focus on are the privileges which each account holds,
and ensure that you know exactly who has Admin roles for your site.
Use the filters above the list of user accounts to focus in on the Admin
accounts, and don’t be afraid to disable any you don’t immediately
recognise and wait to see who shouts out.

An attacker may also try to hide their Admin user account. There are
two things you need to check here. Firstly, in the WordPress Users
list, check that the number of Admin accounts you can see on screen
matches the number in brackets on the Administrator filter. There are
code hacks that can hide Admin accounts from the WordPress user
listing, but these may still appear in the count of Admin users shown
on the filter.

Compare the number of users shown against the number of users WordPress tells
you registered on your site, particularly the Admins

The second and most definitive way to check for rogue Admin accounts
is to go to the database itself and review the users shown there. In
the control panel for your web hosting account, scroll down the list of
services until you come to the Databases section. A very common tool
for administering databases is called phpMyAdmin, so click on this to
connect to your database.

Take care when working directly within your database. All
of the content, plugin settings, ecommerce data, and user
data is stored here, and any changes to this data can have
unpredictable consequences on your website’s performance,
including breaking it. Take a backup of your database before
doing any work, and get familiar with how to restore it first.

Use phpMyAdmin to get into your database

• On the left hand side, you will see a list of the databases on your
hosting account. Click into the one used for your WordPress site; in
the example below it is called ‘dermotdo_wp127’.

• You should see a list of data tables appear on the main screen.
These are the tables where the actual data for your website are
stored. Each table will begin with a prefix of letters and/or numbers.
In the example below, the prefixes are ‘wpjb_’.

• Click into the table called {prefix}_users and ensure the list of
users matches what you are seeing in WordPress. If not, take a
backup of your database and then delete any unusual entries.
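
The same check as a query, added here as an example and not taken from the book: WordPress records a user's role in the {prefix}usermeta table under the key {prefix}capabilities, so listing every account whose entry names the administrator role gives you the database's own view of who is an Admin, which you then compare with the Users screen. The script runs the query against a throwaway SQLite copy of the two tables filled with constructed rows (the wpjb_ prefix comes from the book's example; the accounts are invented), and the SELECT itself can be pasted unchanged into phpMyAdmin's SQL tab against your real database.

```python
"""Find administrator accounts straight from the WordPress user tables.

Added example, not from the book. It reproduces the phpMyAdmin check
described above as a query and compares the result with the Admins the
dashboard shows, to surface any account hidden from the Users list.
"""
import sqlite3

PREFIX = "wpjb_"  # table prefix from the book's example; yours will differ

# A role lives in {prefix}usermeta under the key {prefix}capabilities as a
# PHP-serialised array, e.g. a:1:{s:13:"administrator";b:1;}
ADMIN_QUERY = f"""
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM {PREFIX}users AS u
JOIN {PREFIX}usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = '{PREFIX}capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.ID
"""


def build_sample_db():
    """Constructed stand-in for the two WordPress tables, including one
    administrator ('support') that would not appear in the dashboard list."""
    db = sqlite3.connect(":memory:")
    db.executescript(f"""
        CREATE TABLE {PREFIX}users (
            ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT,
            user_registered TEXT);
        CREATE TABLE {PREFIX}usermeta (
            umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
            meta_key TEXT, meta_value TEXT);
    """)
    users = [
        (1, "dermot", "dermot@example.com", "2019-02-11 09:30:00"),
        (2, "writer", "writer@example.com", "2020-06-02 14:05:00"),
        (7, "support", "noreply@example.invalid", "2021-03-09 03:17:42"),
    ]
    capabilities = [
        (1, 'a:1:{s:13:"administrator";b:1;}'),
        (2, 'a:1:{s:6:"editor";b:1;}'),
        (7, 'a:1:{s:13:"administrator";b:1;}'),
    ]
    db.executemany(f"INSERT INTO {PREFIX}users VALUES (?, ?, ?, ?)", users)
    db.executemany(
        f"INSERT INTO {PREFIX}usermeta (user_id, meta_key, meta_value) "
        "VALUES (?, ?, ?)",
        [(uid, f"{PREFIX}capabilities", value) for uid, value in capabilities],
    )
    return db


def database_admins(db):
    """Administrator logins as the database sees them, in ID order."""
    return [row[1] for row in db.execute(ADMIN_QUERY)]


def rogue_admins(db, dashboard_admins):
    """Administrators present in the database but missing from the list
    the WordPress Users screen shows you: the mismatch to look for."""
    return sorted(set(database_admins(db)) - set(dashboard_admins))


if __name__ == "__main__":
    sample = build_sample_db()
    print("administrators in the database:", database_admins(sample))
    # Pretend the dashboard Administrator filter only listed 'dermot'.
    print("not shown in the dashboard:", rogue_admins(sample, ["dermot"]))
```

An account the query returns that the Users screen does not show is exactly the case the next steps describe; take the backup first, then remove it.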

1. Click into the dermotdo_wp127 database
2. Click into the wpjb_users table. This contains data on the users registered on your
site
3. Compare the list of users shown with that you expect to have. Take a backup and
delete any that do not appear in the Users menu of your WordPress website

End of Chapter Checklist:

‰ Turn off membership to your site if it is not needed

‰ Use identifiable usernames when setting up new users on your site

‰ Use a plugin which will stop user enumeration scanning

‰ Set a schedule for reviewing the users on your site, such as monthly

‰ Investigate or reset the password to any account you are not
familiar with or have suspicions about

‰ Delete unneeded user accounts periodically

HTTPS Secure Connections
In 2013, Edward Snowden—a contractor working for the US National
Security Agency (NSA)—released a trove of evidence documenting
the mass collection and surveillance of global communications being
conducted by the US Government. This included emails, website
browsing habits, instant messaging and text messaging. This was
possible through alliances and agreements the spy agency made with
large internet and telecommunications companies, as well as through
tapping into communications channels and siphoning off the data in
transit.

The scale of the surveillance shocked the world, and it prompted
lengthy and impassioned discussions into eavesdropping on private
communications and the moral and ethical considerations of such a
program. There were also angry debates over breaches of individuals’
rights to privacy and indiscriminate spying on innocent people.

While these debates were raging, there was also an acknowledgment
that the lack of security inherent in internet communications made all
of this possible. When the internet was first designed in US universities
back in the 1960s, security was not a serious consideration. The early
developers rightly focused on getting the system to work, and it was
only once they had established a working system that they recognised the
need for security and retrofitted it to the existing system.

Part of what made the NSA’s surveillance feasible was the means
by which data moves from one location to another. When you visit
a website, your computer sends a request to the web server for the
webpage you want to view. Your computer rarely knows the exact
server the webpage is on, or where in the world it is. So its request gets
sent, or routed, between different networking devices, called routers,
as it moves across the internet, getting closer to the web server with
each hop. Routers are always looking for the fastest route to send the
internet traffic, and depending on how busy neighbouring routers are at
the time, this may not always be the most direct route geographically.

Any of these points on the journey is an opportunity for someone to set
up a listening point to tap into and capture the data travelling through
it. And given that most of the information travelling across the internet
is in the clear—in other words, not encrypted—it is relatively easy for
an organisation with the technical means to read the traffic moving
through their listening point.

Diagrams showing the routes network traffic took to reach a web server in a
German data centre, from homes in Denmark and Spain

This is not a new problem, nor is the NSA the first organisation to do this.
Traffic interception has long been a recognised dilemma. In the late
1990s the internet company Netscape released the first versions of
an encryption standard for secure and private communication across
the internet. Originally called SSL (Secure Sockets Layer—a name
still in common use), the standards went through several revisions and
upgrades. These are known today as TLS (Transport Layer Security).

When you connect to a website, your browser uses a protocol known
as HTTP (Hypertext Transfer Protocol). This is the protocol which
your browser and the web server use to send data to one another,
so they are both talking the same language. HTTP does not encrypt
any information by itself, and with data bouncing between multiple
points as it makes its way around the globe, there are opportunities
for any sufficiently motivated and resourced person or organisation to
intercept, read and even modify the data. An attack where someone
intercepts the traffic between you and a website is called a
Man-in-the-Middle (MITM) attack.

Interestingly, the most common point of capturing data is the first point
you connect to. This could be your Internet Service Provider capturing
your data, or a public Wi-Fi point in a coffee shop or library that you use
to check your emails. Attackers sometimes set up a fake Wi-Fi hotspot
in a public place, so people will connect to it, and thus the attacker can
capture and read their emails and internet browsing activity.

Diagram of undersea cables including those carrying internet traffic. Courtesy of
https://www.submarinecablemap.com/

HTTP + TLS = HTTPS

As HTTP transmits data in the clear—without encrypting it—it is not
a suitable way to transmit sensitive data like passwords and login
details. Imagine if you connected to a hacker’s fake Wi-Fi hotspot to
log into your bank, and they captured your login credentials, or if they
captured your credit card details as you went shopping online.

The solution is to use encryption so that if someone does intercept
your data, what they capture is unreadable. Transport Layer Security
(TLS) is the protocol used to secure internet communications. When
HTTP traffic is secured using TLS, it is referred to as HTTPS—with the
S meaning Secure. You know when a website you are visiting is using
HTTPS as the lock icon appears in the address bar.

Lock icon indicating traffic to this website is secure


It is important to understand that TLS doesn’t directly secure your
actual website. Instead it secures the data being transmitted between
the website and the user, which often contains sensitive information.
TLS secures your data in three ways:

1. It encrypts the data being exchanged between the website and the
visitor.

2. It ensures no one can modify or change the data being sent by
either the website or the visitor.

3. It proves that the website is who it says it is, meaning websites
cannot be spoofed (A spoofed website is a site from an unknown
source disguised as one from a trusted source).

Let’s look at these in further detail.

Encryption

When a user connects to a secured HTTPS website, the traffic sent
to the web server from the user’s computer, and the replies sent back
from the server, are encrypted using strong and effective encryption protocols.
A message such as ‘Going Shopping Today!’ would look like:
0OtDpy4D2CRFv+IQ01n585AqAShpygySoCFc2yZjQVw.

Only the end points of the connection, the server and the computer,
are able to decrypt the traffic; meaning anyone tapping into the session
is unable to read anything that is being sent.

When users connect to your website, they have a reasonable
expectation of privacy. This encryption protects their traffic from being
seen by others. It also protects any sensitive data that is typed into the
website, such as login passwords, from being acquired and reused by
third parties.

Integrity

If an attacker can get between you and the traffic going to your browser,
they can modify the data stream, which will never be for your benefit. At
its most basic, an attacker could use scripts to simply modify content
on your webpage, giving visitors different content and results to what
you actually have on the page. There was a time when Internet Service
Providers were injecting scripts into users’ traffic so ads would pop up
while they were browsing normal webpages.

More nefarious attacks on HTTP traffic would include injecting code into
the webpage which runs a crypto coin miner in the visitor’s browser.
This would cause the CPU of your visitors’ computers to start running
extremely high, as the code attempts to mine digital currencies using
their computer while they are browsing your site. As far as your visitor
can tell, it is your site making their computer run hot, giving you a bad
name.

Another attack, known as the Great Chinese Cannon, involved the
Chinese government using visitors of the popular Chinese search
engine Baidu to attack other sites. When users would visit Baidu, the
second largest search engine in the world, code was injected into their
traffic which caused their computers to start contacting target websites
in massive numbers. The websites were then overwhelmed by trying
to respond to all of this ‘fake’ traffic, and were unable to respond to
legitimate users.

Called a Distributed Denial of Service (DDoS) attack, this has the
effect of taking the target website offline, and was used during the
Hong Kong protests of 2019 and 2020 to attack websites being used
to coordinate protestors.

Integrity is also important for website owners who accept file uploads
or input or comments from users of their website. They can have
confidence that the file or form contents the visitor filled out are correct
and as the visitor intended, and have not been tampered with along the
way. It would be entirely possible for an attacker to swap a file that a
visitor uploaded for one containing malware and infect the website, but
with HTTPS, this is not possible.

Troy Hunt, the renowned security researcher, has a great blog
post and video showing just what can be done by tampering with an
HTTP connection, and talks in more depth about these types of attack.
His video is available at
https://www.troyhunt.com/heres-why-your-static-website-needs-https/.

Spoofing

When you type gmail.com into the address bar of your browser, you
expect to be brought to Google’s email service. Your browser reaches
out to the internet to see what server Gmail is on, then connects you to
that server so you can read your emails. It is possible for an attacker to
redirect your browser to a fake server so they can capture your Gmail
account password as you try to log in. This would be a serious threat
to the security of your information, and a threat to trust in the internet,
and so HTTPS has built in protections against this.

HTTPS relies on digital certificates for a site to prove that it is who it
says it is, and only the correct website can hold the certificate. After
all, there is no point in having a secure connection if your secret
passwords are going securely to a fake, spoofed site. When your web
browser goes to gmail.com, it first inspects the certificate and confirms
it is valid before connecting to the site. If the certificate is not valid, your
browser will show you a warning message alerting you that there is a
problem with the website, giving you a chance to stop and close the
page without entering your password.

It is important that you pay attention to warning messages if they appear.
If something looks amiss, do not enter any confidential information
like login details. If you can, contact the website owner or do some
research online to see if others have noticed the same problem.

This web browser has noticed that this site could be attempting to fool you or intercept
your data

Extra Benefits of HTTPS

So, HTTPS uses TLS encryption to secure the traffic between the web
server and users’ computers, but it also does much more than this.
Before the Snowden revelations, HTTPS was seen as only something
that banks, website login pages, or the paranoid needed. Since the
revelations, there has been a massive uptake in the use of HTTPS,
so much so that over eighty percent of sites on the internet are now
delivered over encrypted connections—and this is set to increase
further still.

Encryption has been embraced in the online world, and provides
additional benefits to website users and visitors:

1. Regulatory Compliance – If you are offering products or services
for sale over the internet, having a secure connection is an absolute
must. For processing of credit card details, the Payment Card
Industry (PCI) have strict requirements that payment details be
kept secure when being transmitted over the internet. Likewise, if
you are handling any sort of personal information, further regulatory
requirements may be in place. An example of this is health-related
information, where the use of encryption will be required by HIPAA
if transmitting data across the internet.

2. Web Browser Warnings – Google is especially keen to support the
implementation of a secure internet experience for users across
the world. In 2018, Google led the way by having their Chrome
browser—which is used by about seventy percent of people for
browsing the web—flag sites which are not supporting encryption
as being ‘Not Secure’. This was a successful attempt to use the
pressure of visitor perception to encourage website owners to
move to HTTPS. These efforts, along with growing awareness of
the importance of encryption, have led to a massive increase in the
numbers of sites using HTTPS. Today, all major browsers clearly
indicate when you are visiting a website which is not secure.

Web browser showing warning message to website visitor that HTTP address is
not secure.

No warning message displayed when website is using HTTPS. Padlock icon is a
more reassuring icon for visitors to see.

3. SEO Ranking – Google have adapted their search page results to
use HTTPS as a ranking signal and promote secure websites ahead
of insecure ones. They are ranking the more trustworthy HTTPS
sites higher than insecure ones, and thus search results are more
likely to bring visitors if your site is using a secured connection.

4. Performance Boost – The HTTP protocol, which controls how
webpage data is packaged and transmitted to users, went through
a major revision back in 2015. Improvements were made to
the speed, latency, and compression of data. Known
as HTTP/2, this new revision makes a big difference in the load
times for websites using the new protocol, with pages loading up
to eighty-four percent faster than before. This difference is best
demonstrated using the site https://www.httpvshttps.com/ which
displays 360 images on a page to compare how quickly they load.
HTTP/2 needs to be supported by both the web server and the
user’s web browser, and though the HTTP/2 specification itself does
not require encryption, all of the web browser developers have stated
that they will only support it from the visitor’s end if the website is
also being delivered over HTTPS.

Implementation

Not too long ago, it was a costly affair to get an HTTPS certificate.
Certificate Authorities had a booming marketplace selling these, with
basic certificates costing anywhere from fifty dollars per year up to
over $1,000 per year for certificates which involved an extended
validation process.

Around the time of the Snowden revelations, some engineers got
together to set up a Certificate Authority which would provide free
HTTPS certificates, called Let’s Encrypt. In the wake of the release
of the NSA documents, interest in security was at a peak, and soon
websites were able to provide secure connections to their visitors
for free. In the years since Let’s Encrypt began issuing free
certificates for website domains, demand has soared, and by early
2020 it had issued over a billion certificates.

Its success has seen it become the largest issuer of free SSL/TLS
certificates in the world, and led to integrations into cPanel control
panels and WordPress plugins to make upgrading to a secure connection
easy for websites to do. One point to be aware of: Let’s Encrypt
certificates are only valid for ninety days, so whichever method you
use must renew the certificate automatically, otherwise visitors will
start seeing a certificate error three months later. A few options are
listed below, but you may need to get some technical help for the
configuration as the options and features of each method can vary
somewhat.

1. Some webhosts offer Let’s Encrypt certificates as part of their
hosting package. If this option is available on your hosting account,
click the link for Let’s Encrypt SSL and follow the instructions on
the page that follows.

This host offers free secure connections via the cPanel hosting account

2. There are also some plugins available which help configure this
for you. I was able to successfully set up a secure connection very
easily using Auto Install Free SSL (https://wordpress.org/plugins/
auto-install-free-ssl/), which also provides video guides that walk
you through the process.

The Auto Install Free SSL WordPress plugin was quite easy to set up and get an immediate HTTPS certificate
3. Another great option is to move your server behind Cloudflare.
Cloudflare is a content delivery network consisting of hundreds of
data centres around the world. They store a copy of your website on
their servers, known as caching, so visitors that browse to your
website retrieve it from Cloudflare’s servers. This reduces the load
on your servers, protects against attack traffic such as DDoS
attacks, and automatically provides a certificate for the
visitor-facing side of your site. To do this, create a Cloudflare
account, select the free plan, and change your DNS nameservers to the
ones Cloudflare provides. Do check the SSL/TLS mode in the Cloudflare
dashboard once it is set up: the ‘Flexible’ mode only encrypts the leg
between the visitor and Cloudflare and leaves the traffic between
Cloudflare and your own server in plain HTTP, so the visitor sees a
padlock while their data still crosses the internet unencrypted. Use
‘Full (strict)’ together with a certificate on your server so that
both legs are encrypted.

Cloudflare makes encryption easy and provides great security benefits for your website

Testing your Site’s HTTPS

Once you have set up HTTPS on your site, it is important to check that
it has been done correctly. In security, it is often the implementation
of encrypted protocols into systems and websites where problems arise.
A poorly implemented security solution, which an attacker can simply
go around, is often just as bad as having no security at all.

You can test your website by using the SSL Labs service (https://www.
ssllabs.com/) to test your site’s certificate and configuration. This
will run a series of tests against common and known attacks, and gives
you a grade for how well your HTTPS connection is set up. It also gives
you a detailed breakdown of what it has found, so if you are getting a
less than desirable result, it pinpoints the reasons why and what needs
to be done to improve it. If anything needs addressing, you will need
to get technical help to review and fix the issues. Note that SSL Labs
only examines the connection itself; it will not tell you whether your
pages still load scripts, stylesheets or images over plain HTTP, which
is a separate and very common problem after a WordPress site is moved
to HTTPS.
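One thing SSL Labs does not check is whether the pages themselves still pull in resources over plain HTTP. Browsers treat that as mixed content and flag the page (or block the script) even when the certificate is perfect. The following Python scanner, added here as an example and not taken from the book or any plugin it names, walks the HTML of a page and lists every script, stylesheet, image or form still referenced over http://. The sample page it runs over is constructed for the example, with example.com standing in for your own domain.

```python
"""Mixed-content check for a page that is now served over HTTPS.

A page delivered over HTTPS that loads scripts, stylesheets or images over
plain http:// is still reported by browsers as 'Not Secure', and active
content such as scripts is blocked outright. This scanner walks the HTML
and lists every sub-resource that is still requested over HTTP.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes whose value makes the browser fetch (or submit to) a URL.
RESOURCE_ATTRIBUTES = {"src", "href", "data", "poster", "action"}


def _is_plain_http(url):
    return urlsplit(url.strip()).scheme.lower() == "http"


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, url) in document order

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if name in RESOURCE_ATTRIBUTES:
                # A plain link (<a href="http://...">) is a navigation, not a
                # resource load; browsers do not count it as mixed content.
                if tag == "a" and name == "href":
                    continue
                if _is_plain_http(value):
                    self.findings.append((tag, name, value))
            elif name == "srcset":
                # srcset holds "url descriptor, url descriptor, ..."
                for candidate in value.split(","):
                    parts = candidate.split()
                    if parts and _is_plain_http(parts[0]):
                        self.findings.append((tag, "srcset", parts[0]))


def find_mixed_content(html):
    """Return the list of (tag, attribute, url) still loaded over plain HTTP."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a WordPress page after a move to HTTPS where a theme
# stylesheet, a script, a responsive image and the login form are still
# hard-coded as http://, while an https:// image and a protocol-relative
# CDN script are fine.
SAMPLE_PAGE = """<!DOCTYPE html>
<html><head>
<link rel="stylesheet" href="http://example.com/wp-content/themes/twentytwenty/style.css">
<script src="http://example.com/wp-includes/js/jquery/jquery.js"></script>
<script src="//cdn.example.net/lib.js"></script>
</head><body>
<img src="https://example.com/wp-content/uploads/2021/03/photo.jpg"
     srcset="http://example.com/wp-content/uploads/2021/03/photo-300.jpg 300w">
<a href="http://example.com/about/">About</a>
<form action="http://example.com/wp-login.php" method="post"></form>
</body></html>
"""

if __name__ == "__main__":
    for tag, attribute, url in find_mixed_content(SAMPLE_PAGE):
        print(f"<{tag} {attribute}> {url}")
```

Run it over a saved copy of your home page and a few inner pages. On WordPress the usual causes are the http:// address still stored in the WordPress Address and Site Address settings, and absolute links inside post content; updating those settings and running a database search-and-replace (for example with WP-CLI’s `wp search-replace`) clears most findings, and whatever remains is usually hard-coded in a theme or plugin.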
In Closing

Having a secure HTTPS connection to your website is important to
protect your data while it is in transit between the website and your
visitor. This can include passwords, credit card details, and other
sensitive information which you don’t want to be intercepted as it
moves between the user’s computer and your webhosting server.
Eavesdropping, tampering with traffic, and spoofing of your site are
all made far harder by the use of HTTPS.

With the global push towards secure connections, it will be reassuring
for your visitors not to see the ‘Not Secure’ warning when visiting your
site. Providing a comfortable and fast experience all helps provide a
positive visitor perception of your site and the services you are offering
them. This aids them in interacting with you, whether that simply be
reading the content on your site or actively purchasing from you.

If this is something you would like further help with, feel free to go over
to https://dermotdowney.com/index.php/call to book a call where we
can discuss what is needed next for your site.

End of Chapter Checklist:

☐ Set up HTTPS on your website
Web Application Firewalls
The idea of controlling access is one that we are familiar with from
many aspects of our life. A few decades ago, getting onto an airplane
used to be simple, and airlines were keen to encourage air travel as a
way of getting around. Airports were designed much like train stations,
in that you went in with your bags, purchased your ticket, walked out
onto the tarmac, and boarded a plane.

Starting in the early 1960s, aircraft hijackings began to grow, but
airlines were reluctant to inconvenience passengers by subjecting them
to security screening. They also feared that making travellers feel
like criminals would scare people and put them off flying, causing
them to drive to their destination or go by bus instead, where
possible. There was also the economic argument—hijacking ransoms at
the time only cost twenty- or thirty-thousand dollars, whereas
installing x-ray screening and trained personnel would cost the
industry millions.

Air travel was becoming a popular means of travel, especially for
domestic travel within the US, but the number of hijackings increased
so much that 1968 to 1972 is seen as the ‘golden age of hijacking’,
especially in the US where it was happening at a rate of up to one a
week. Passengers used to joke about getting a free trip to Cuba and
bringing back cigars and rum.

Airlines had a policy of total compliance with hijackers’ demands, but
were also making small steps towards improving security, so long as it
didn’t cost too much. In 1970, the first walk-through metal detectors
were installed at New Orleans International Airport, but the industry
was still reluctant to implement security measures which would have
significant cost. The policy of total compliance continued until
November 1972, when hijackers threatened to crash a plane into the US
Oak Ridge National Laboratory in Tennessee. People then realised the
potential risks involved, and in 1973 the US Federal Aviation
Administration—which is responsible for regulating all aspects of
aviation—made it mandatory that all passengers must go through metal
detectors and have their bags searched.

A server or website connected to the internet is subjected to
countless scans and attacks on a daily basis. A firewall is software
which acts like a metal detector, inspecting traffic coming in and
rejecting or allowing it through based on a set of rules. The most
common type of firewall is a network firewall, which decides based on
the traffic’s network address and the type of traffic (its port and
protocol). For example, a web server should only accept web traffic,
on ports 80 and 443, from the internet, with everything else blocked.

When someone visits your web site, their web browser makes a request
to your server for a particular page. Your server reads and interprets
the www address (the URL) sent to it—which the visitor had either
typed or from the link they clicked—and replies with the page they
requested. An attacker can craft a request (the URL, its query
parameters, or the contents of a submitted form) which instructs your
web server to not only reply with the requested page, but also take
some other action—such as display the contents of the database, export
the list of registered users and password hashes, or upload malicious
code which can be used against other visitors. A network firewall
cannot help here, because the malicious request arrives on the same
port, over the same protocol, as a legitimate one. In the chapter on
User Management, we discussed how you can list the users on a website
by modifying a WordPress website URL.

A Web Application Firewall (WAF) is a firewall which inspects all
traffic coming into your website (the ‘web application’) and verifies
what it requests. All traffic and requests going to your site have to
go through the WAF, and be interpreted, understood, and accepted
before they are passed to the web server for a reply. As a WAF has to
read and interpret each URL being requested from your site, and
evaluate it against its set of rules, they can be more processor
intensive, so high traffic websites will need to consider this in
their server performance.

One of the great benefits of a WAF is that the firewall rules can be
updated, which allows for new attacks to be blocked. Often called
‘virtual patching’, if a vulnerability is discovered and a website
needs time to test the patch before it can be updated, adding a new
rule to the WAF will block malicious attempts to exploit that
vulnerability in the meantime.
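To make the mechanics concrete, here is a minimal request-inspection loop in Python, added as an example; it is not code from Wordfence, BBQ, 7G or ModSecurity, and the rules and sample requests are constructed for the demonstration. It shows the three things a WAF has to get right: normalising the request before matching, checking it against an ordered ruleset, and accepting a new rule at runtime (virtual patching). The AJAX action name used in the virtual patch is a hypothetical placeholder, not a real plugin or vulnerability.

```python
"""A minimal request-inspection loop of the kind a server- or PHP-based WAF runs.

Every request is normalised (URL-decoded twice and lower-cased) and then
matched against an ordered list of rules; the first rule that matches
decides the verdict. Decoding before matching matters because the obvious
way past a firewall that only looks at the raw string is to encode the
payload, and double encoding gets past one that decodes only once.
"""
import re
from urllib.parse import unquote

# Blocklist rules as (name, compiled pattern). A real ruleset is far larger.
RULES = [
    ("path traversal", re.compile(r"\.\./")),
    ("sql injection", re.compile(r"\b(union\s+select|sleep\(|benchmark\()")),
    ("cross-site scripting", re.compile(r"<script|javascript:")),
    ("sensitive file", re.compile(r"/(wp-config\.php|\.htaccess|\.git/)")),
    ("user enumeration", re.compile(r"[?&]author=\d+")),
]


def normalise(request):
    """URL-decode twice and lower-case so encoded variants hit the same rules."""
    decoded = request
    for _ in range(2):
        decoded = unquote(decoded)
    return decoded.lower()


def inspect(request, rules=RULES):
    """Return the name of the first rule the request trips, or None if it is clean."""
    target = normalise(request)
    for name, pattern in rules:
        if pattern.search(target):
            return name
    return None


def virtual_patch(rules, name, pattern):
    """Virtual patching: append a rule for the request shape of a newly
    disclosed bug until the real fix has been tested and deployed."""
    rules.append((name, re.compile(pattern)))


# Constructed sample requests (path plus query string, as the server sees them).
SAMPLE_REQUESTS = [
    "/blog/2021/hello-world/",                                    # clean
    "/?author=1",                                                 # user enumeration
    "/index.php?file=%252e%252e/%252e%252e/wp-config.php",        # double-encoded ../
    "/?s=1%27%20UNION%20SELECT%20user_pass%20FROM%20wp_users--",  # SQL injection
    "/?q=%3Cscript%3Ealert(1)%3C/script%3E",                      # XSS probe
]

# Hypothetical vulnerable AJAX action, used only to show virtual patching;
# it is not a real plugin or CVE.
PATCHED_RULES = list(RULES)
virtual_patch(PATCHED_RULES, "hypothetical plugin bug",
              r"/wp-admin/admin-ajax\.php\?action=export_all_users")

if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(f"{inspect(request) or 'allow':22} {request}")
    probe = "/wp-admin/admin-ajax.php?action=export_all_users"
    print("before patch:", inspect(probe), "| after patch:", inspect(probe, PATCHED_RULES))
```

Two caveats that apply to every blocklist WAF, including the products named in this chapter: a pattern can always be written around eventually (which is why a virtual patch buys time rather than replacing the real fix), and every request pays for the decoding and the full pass over the ruleset, which is the processor cost mentioned above.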

A WAF can be placed in a number of places:

• Cloud based WAFs filter traffic before it gets to your site.

• Server based WAFs filter traffic on your server, but before PHP
and your database have to load up, thus freeing up server
resources.

• PHP based firewalls filter traffic via a plugin on your site,
meaning WordPress must load up to evaluate each request.

Cloud-Based WAF

Commercial cloud-based WAFs inspect all traffic going to your site and
filter out malicious traffic before it hits your server. This is
convenient, and also means your server isn’t burdened with having to
do the analysis on each page request. To use a cloud based solution,
you register your website with the cloud provider and change your
domain’s DNS so that visitors are sent to the cloud WAF instead of
directly to your site. Remember that the WAF only sees traffic that
arrives through it: if your server’s real IP address is still
reachable directly, an attacker who finds it can bypass the WAF
entirely, so restrict your server to accept web traffic only from the
provider’s address ranges.

A cloud-based solution is great for filtering out brute force attacks, as
well as filtering out traffic when your site is under a Distributed Denial
of Service (DDoS) attack, where your site is flooded with fake traffic
from infected computers, and unable to respond to real visitors.

Some of the best-known providers offering affordable plans are:

• Cloudflare (https://www.cloudflare.com/)
• Sucuri (https://sucuri.net/)
Server-Based WAF

A server-based WAF does all of the filtering on your own server,
but does so before the components of your web site are loaded up,
thus freeing up your server from using those resources for malicious
traffic. This results in a reduced load on your server and improved
performance.

A server-based WAF is also very effective against the most common
threats to your website, including attacks on your database, code
injection, scripting attacks, and information leakage. These are often
free, open source firewalls which can be configured on your server or
in the .htaccess file of your website.

These WAFs sometimes require a bit of detailed configuration and set
up on the server to get them going, but will be very effective against
the vast majority of the attacks you are going to face. Be aware that
many of them have no easy way to auto-update, so they tend to be set
up once and then left alone; someone needs to refresh the ruleset
periodically or it will slowly fall behind the attacks in circulation.
ModSecurity, for example, is only the rule engine and is normally
paired with a maintained ruleset such as the OWASP Core Rule Set.

Some of the most popular server based WAFs include:

• ModSecurity (https://github.com/SpiderLabs/ModSecurity)
• 7G (https://perishablepress.com/7g-firewall/)

WordPress Based WAF

The great benefit of plugin based WAFs is their ease of configuration
and often their ability to update the rules to protect against changing
or new attacks. The teams behind these firewalls are specifically
focusing on threats which are targeted at WordPress and its themes
and plugins.

Wordfence is one of the most popular security plugins out there, and
updates its rules to defend against new threats. BBQ is the plugin
version of the 7G firewall mentioned above, which will block the most
common attacks your site will face.

These plugins are often updated with new rules, and offer premium
versions with improved features. If you have not used a WAF previously,
I would recommend installing one of these to start protecting your site.

• Wordfence (https://wordpress.org/plugins/wordfence/)
• BBQ (https://wordpress.org/plugins/block-bad-queries/)

Do you want help with blocking bad requests to your site? Go over to
https://dermotdowney.com/index.php/call to book a call and we can go
over what will work best for your site.

End of Chapter Checklist:

☐ Install a WAF plugin, such as Wordfence

☐ Get your technical developers to set up a server based WAF

☐ Consider the benefits of paying for a cloud based WAF solution
Disabling Plugins

Joe runs a news website focused on Scottish local affairs and was
actively developing his site to offer more services to residents of the
Scottish Highlands region. He was aware that the more traffic you
generate, the more attacks you will attract, so he set up two factor
authentication to prevent attackers from accessing his site through the
login page. But during the set up, his session timed out and he was
logged out of his site. When he went to log back in, he found himself
being redirected back to the user login page without ever getting to his
website dashboard.

Unsure of how to get around this, Joe turned to WordPress blogs,
but couldn’t find the answer to his problem. Eventually, he posted a
question in an online WordPress security forum and got the answer he
needed. He was able to disable the plugin, get back into his site, and
set it up correctly again.

WordPress plugins give you a lot of control over the features and
behaviour of your website, and setting them up correctly sometimes
involves a bit of trial and error. Configuring a feature, seeing how
it works, and then undoing or reconfiguring that feature is part of
development of your site.

With many plugins, the worst misconfiguration problem you will probably
face will be some aspect of your website that doesn’t work properly,
and which can be resolved by logging back in and undoing what was
done. For the security plugins we discuss in this book, setting them
up incorrectly could mean locking yourself out of your site and not
being able to get back in. Knowing what to do in such a scenario gives
you the confidence to experiment and test the various security options
available, knowing that you still retain ultimate control over the site.

If you have a site that is currently live and active, it is wise to have a
second site for testing any new features or plugins. We discuss this in
more detail in the chapter on setting up a staging site, but it is useful to
have a second site for testing so you only make confident, rehearsed
changes to your live site.

Ordinarily, to turn off all features of a plugin, you would deactivate it
from the Plugins section of the WordPress dashboard. If you find that
you are unable to log back in to your dashboard, or even access your
website, all is not lost; there is an alternative way to deactivate your
plugins.

Please note that disabling a security plugin should only be done as
a temporary measure in order to fix a problem you are experiencing,
and it should be re-enabled once the cause of the problem has been
fixed. With almost 90,000 attacks per minute around the globe, and
WordPress being a popular target for attackers, it is these brief
moments when you drop your defences that attackers are looking
for. It has been said before that there is nothing so permanent as a
temporary solution, so take care that you don’t inadvertently leave the
security features disabled for longer than intended.

Plugins are stored in a specific folder on your web server, and renaming
this folder has the effect of disabling the plugin. By accessing the files
and folders behind your website, you can thus disable any plugin and
reacquire access to your site.

1. Log in to your hosting account control panel, and click the link to
your File Manager.

In cPanel, click the File Manager icon to access your files
2. On the left-hand of the screen is the folder structure of your site.
Web files are commonly in a folder called public_html or htdocs.
Click the drop down folders to navigate your way to your plugins
directory—in the screenshot below this is in public_html/wp-
content/plugins.

3. Right click on the folder for the plugin you want to deactivate, select
Rename and add something after the name like ‘.DEACTIVATED’.
Changing the name in any way or adding any text will have the
same effect. You can also disable all plugins at once by renaming
the plugins folder itself.

The folder for the iThemes plugin is called better-wp-security – the old name for this plugin

4. Now that you can log back into your website, you can go back to
the plugin menu, reactivate it, and continue making changes to its
configuration. Note that reactivating it will not remove the text you
just added; it just activates the plugin again. It is a good idea, once
you have set it up correctly, to revert it back to its original name.
5. Again use the File Manager to go back to your plugin directory,
right click, and rename the folder. Once again, this will disable the
plugin. So go back to your WordPress dashboard, go to the Plugin
menu, and reactivate it.

Seeing the power of the file manager should underpin the importance
of protecting the login details for your hosting account. All the security
plugins in the world will be of little use if an attacker can target your
hosting account, disable all security features, and then attack your
now undefended website.

As mentioned in the chapter on Protecting The Login, a long, strong
and unique password should be used here and stored in a password
manager. If your host offers two factor authentication, consider taking
advantage of this as well.

End of Chapter Checklist:

☐ Log in to your hosting account to get familiar with the settings you
can configure

☐ Go into your file manager and find the folders for your plugins, in
case you ever need to disable them
Continuous Monitoring

Our homes are often good examples of defence in depth. Often built of
pretty solid materials to begin with, you also take steps to secure
them by keeping your windows and doors closed and locked, and only
letting in people who have your permission to come in. If all of this
fails though, and someone still manages to get in, a burglar alarm is
watching for a breaking window, or movement inside the house, and
alerts you so you can respond.

Your security is never going to be 100% effective; there is always the
possibility that an attacker with enough time, resources and motivation
will find a way to gain entry to your site. You can though make yourself
a very hard target, and massively reduce the risk to your site of attack.

Hardening your website is the process of firstly deterring an attacker
from hitting you. You make yourself an undesirable target by keeping
your software updated, hiding your login page, blocking user
enumeration, installing firewalls, etc. Use every tactic so it is not easy
for them, and they turn their attention to softer targets.

Secondly, if they really do want to attack you, you delay them in their
attack. Make it difficult and time consuming for them by using really
strong passwords on your user accounts and don’t reuse passwords.
Lastly, if they do succeed, you need a way of detecting them, so you
can respond quickly and deal with the problem.

Ongoing monitoring of your site allows you to detect any threats–
malware which has gotten onto your site for instance–and respond
quickly to it. In the chapter on Server Side Security we discussed
the role of your web host in your security. If they have not set up the
hosting environment correctly, malware can easily spread from website
to website, regardless of how strong your passwords are or how well
your plugins are patched.
There are many plugins available which provide malware scanning.
Wordfence (https://wordpress.org/plugins/wordfence/) has built a
strong reputation for reliably searching for malware and malicious
content on your website. It runs a full scan every 72 hours checking
for modified files, backdoors, vulnerable or abandoned plugins and
suspicious links or content in your posts.

Uptime Monitoring

There is an old joke that the only way to truly secure a computer is to
unplug it, but that is not true. The role of security is for the website to
exist and conduct its business without being impacted by malicious
threats. A core objective of any security model is to keep an asset, your
website in this case, up and available to visitors; security is there to
support the business objective.

Depending on your web host, they may guarantee a certain level of
uptime, that is to say they are guaranteeing how much time your site
will be available and operational for. An uptime guarantee of 99.9%,
for example, allows for a downtime of about 43 minutes per month, or
just under nine hours (8 hours 46 minutes) per year.

Your website could be brought offline due to other factors not related
to your host though, so it is good to monitor this yourself also. A bad
patch upgrade or even a denial of service attack, where you are flooded
with malicious traffic, could also bring your site off the air, and
getting an early notification about this will allow you to respond
quickly and minimise the amount of traffic and visitors you lose. Sites
such as UptimeRobot (https://uptimerobot.com/) will connect to your
site on a regular basis, usually about every five minutes, to ensure
it is still running, and notify you if they find it down.
Google Blacklisting

Google and other search engines are very proactive in protecting
internet users. If they detect malware during their scanning, they
will warn users who then try to visit your site. The red warning page
presented to visitors who click a link to your site is stark and alerting,
and definitely something you want to have addressed, as the clear
intention is to warn off and protect users from getting infected by
malware which has gotten onto your site.

Register for Google Search Console (formerly known as Webmaster
Tools), and as well as getting access to very useful SEO tools, you
will see an alert if Google suspects your website contains malware or
malicious links. They will often also send an alert to your email
address. This allows you to intervene and address the problem quickly
and then submit your site for a re-evaluation.

End of Chapter Checklist:

☐ Use Wordfence to scan your website for malware on a regular basis

☐ Register your website with uptimerobot.com for uptime monitoring

☐ Set up Google Search Console to get early alerting if Google detects
malware
Logging

The black box flight recorder plays a critical part in maintaining
aircraft safety. These two innocuous little boxes, actually coloured
bright orange, sit quietly in the tail of an aircraft recording all of
the flight data and cockpit conversations that take place during a
flight. They don’t play an active role in aircraft safety—they don’t
control any flight surfaces or engine controls, or provide information
to the pilots. Ironically, they are a device no one ever hopes to
need, but they have had some of the greatest influences on the
evolution of aircraft safety.

Their true significance becomes apparent after a major event has
happened, enabling investigators to go back over the flight and gather
details of what led up to the event and learn what can be done to
avoid such an occurrence in the future.

Server and website logs are the black boxes for your website; watching,
recording, and building a picture of actions taking place should it ever
be needed. When your website is online, it deals with a constant level
of attacks along with serving up content to legitimate visitors. Your logs
give you an insight into what is happening behind the scenes, allowing
you to improve performance, improve security, or go back in time to
investigate the root cause of an incident.

Syed runs an online blog, and after hiring a developer to make some
updates to his site, noticed that his affiliate income started to drop.
Going back over the activity logs, he saw that after doing the
requested work on his site, the developer had also gone into a
selection of his posts and changed the affiliate links to the
developer’s own links. These are the subtle ways in which, without
having a black box to go back over, you would be left struggling to
understand and investigate why such things have changed on your site.
If you are running your own server using dedicated hosting or a VPS,
you will have access to the logs on the actual server itself. Shared
hosting accounts most likely will not have direct access to these server
logs. These are very detailed, capture a lot of information, and will
need technical expertise to read and understand them. But what you
gain from them is an understanding of what is happening on your site,
allowing you to tweak its setup for improved performance or identify
possible security risks before they become a problem. You get a
forensic level of detail once you know what you are looking for and
where to look.

We will not be going into detail on how to review server logs here, but
some of the main security items you should be looking at include:

• Web server access and error logs – These show you details
such as who has been accessing your site, including search
engine crawlers, and what pages they have gone to. You can
also see login attempts which have been blocked.

• System logs – These will display a range of system information,
including network attacks on your server.

• Firewall logs – These record attacks which have been blocked
by your server, allowing you to identify persistent or common
attackers.

Accessing and reading these logs can require some technical ability,
though there are some great tools available for visualising the web
server logs.
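As an added example (not from the book), here is a Python script that pulls the security-relevant events out of a web server access log in the ‘combined’ format written by Apache and Nginx, which is also what cPanel’s raw access logs contain. The log lines it runs over are constructed for the example, the addresses come from the reserved documentation ranges, and the thresholds are arbitrary starting points you would tune against what normal traffic on your own site looks like.

```python
"""Pull security-relevant events out of a web server access log.

Three things worth reacting to on a WordPress site are picked out:
  * repeated POSTs to wp-login.php from one address: WordPress answers a
    failed login with HTTP 200 (the form again) and a successful one with a
    302 redirect, so a burst of 200s followed by a 302 means a guess worked;
  * POSTs to xmlrpc.php, the usual channel for brute force that avoids the
    login page entirely;
  * a run of 404s from one address, typical of a scanner probing for backup
    files and abandoned plugins.
"""
import re
from collections import Counter

# Apache/Nginx 'combined' log format.
LOG_LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def parse(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    match = LOG_LINE.match(line)
    return match.groupdict() if match else None


def analyse(lines, login_threshold=5, xmlrpc_threshold=3, notfound_threshold=3):
    """Summarise suspicious activity per client address."""
    failed_logins = Counter()
    success_after_failures = []
    xmlrpc_posts = Counter()
    not_found = Counter()

    for line in lines:
        entry = parse(line)
        if entry is None:
            continue
        ip = entry["ip"]
        path = entry["path"].split("?", 1)[0]   # drop the query string
        status = entry["status"]
        is_post = entry["method"] == "POST"

        if is_post and path.endswith("/wp-login.php"):
            if status == "200":
                failed_logins[ip] += 1
            elif status == "302" and failed_logins[ip] and ip not in success_after_failures:
                success_after_failures.append(ip)
        elif is_post and path.endswith("/xmlrpc.php"):
            xmlrpc_posts[ip] += 1
        elif status == "404":
            not_found[ip] += 1

    return {
        "failed_logins": {ip: n for ip, n in failed_logins.items() if n >= login_threshold},
        "success_after_failures": success_after_failures,
        "xmlrpc_posts": {ip: n for ip, n in xmlrpc_posts.items() if n >= xmlrpc_threshold},
        "probing_404s": {ip: n for ip, n in not_found.items() if n >= notfound_threshold},
    }


def _line(ip, method, path, status, agent="Mozilla/5.0"):
    """Build one constructed combined-format line for the sample below."""
    return (f'{ip} - - [10/Mar/2021:09:15:01 +0000] "{method} {path} HTTP/1.1" '
            f'{status} 4123 "-" "{agent}"')


# Constructed sample log: one ordinary visitor, six failed logins and then a
# successful one from a scripted client, three xmlrpc.php posts, and a
# scanner looking for leftover files. Addresses are from documentation ranges.
SAMPLE_LOG = (
    [_line("192.0.2.1", "GET", "/", "200")]
    + [_line("203.0.113.9", "POST", "/wp-login.php", "200", "python-requests/2.25")] * 6
    + [_line("203.0.113.9", "POST", "/wp-login.php", "302", "python-requests/2.25")]
    + [_line("198.51.100.7", "POST", "/xmlrpc.php", "200")] * 3
    + [_line("192.0.2.44", "GET", p, "404") for p in (
        "/.env", "/wp-config.php.bak", "/wp-content/plugins/old-plugin/readme.txt")]
)

if __name__ == "__main__":
    for category, hits in analyse(SAMPLE_LOG).items():
        print(f"{category}: {hits}")
```

The ‘success after failures’ list is the one to act on first: it means a guessed password worked, and the account should be reset and its recent activity reviewed. If a WAF or login-protection plugin is in place, blocked attempts show up as 403 rather than 200, so adjust the status checks to match what your own logs record.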

cPanel hosting accounts often come with the Awstats package for reviewing your web server logs
Activity Logs

Activity log plugins are WordPress plugins which record any changes
or activity on your website. This includes user logins, plugin installation
and updates, and any activity performed by users on your site. These
give you insight into the workings of your website in an easy-to-read
format. The best plugins also give you the option of exporting the
activity logs to a spreadsheet, making it easier to filter, sort, and review
the activity.

But logs are not just for reviewing after an incident. The best tactic
for logs is to review them on a periodic basis, thus giving yourself a
picture of what a normal level of activity looks like. This will help identify
if something out of the ordinary is going on, and give you an early
indication of suspicious activity. The NSA themselves have stated at
security conferences that the thing they fear most is a systems admin
who reviews their logs frequently.

To help yourself in reviewing your logs, avoid generic usernames for
anyone who logs on to your site. Use identifiable usernames rather
than ones like ‘webmaster’ or ‘developer’—even for freelance content
creators or technical support. Being able to audit your logs and clearly
identify who is doing what is a key aspect to maintaining your security
and having visibility over what is happening on your website.

There are a number of activity log plugins available from the WordPress
plugin directory, many for free. Two which I like are Activity Log (https://wordpress.
org/plugins/aryo-activity-log/) and Simple History (https://wordpress.
org/plugins/simple-history/). These give you a good level of detail about
activity on your website and allow you to export it for further analysis.

If you would like help with regular reviewing of your logs, go over
to https://dermotdowney.com/index.php/call to book a call. We can
discuss how best to do this.
End of Chapter Checklist:

☐ Test some plugins, allow them to capture data for a few days, and
then review which one you like the best.

☐ Create a plan for regular (weekly/monthly) reviews of your logs

☐ See what regular activity on your site looks like, so you can start to
identify unusual activity
Conclusion

‘Si vis pacem, para bellum’ is an old Latin proverb which translates to,
‘If you want peace, prepare for war’. It holds true for today’s digital age
and for a website which is put up on the public internet.

Protecting yourself from online attack, and having your website exist
and grow on the internet, involves taking a multi-faceted approach to
your security. We mentioned early on that security is a mindset, rather
than a feature of your website that is simply turned on. It is true that
the majority of the attacks you will encounter are repetitive automated
bots, but there are also skilled, motivated and capable humans at work
out there. As well as having preventative measures in place on your
site, we have talked about how there is always the risk of an attack
being successful, and so detective and recovery measures are equally
important.

A fundamental security approach is to prepare for the worst and ensure
that you can recover if the whole site was lost today. Ensuring your
backups are being taken–and tested–allows you to roll back, keep the
site running and

We looked at how your site needs ongoing maintenance and patching
and how this can be done safely through testing on a copy of your
site. There is also a lot that can be done in the set up of your server,
hosting account and WordPress site itself to lock it down and prevent
someone from exploiting an error in their configuration.

The users of your site, both contributors and visitors, also play a big
part in your security model. We discussed steps you can take to help
them choose secure passwords, limit what they can do, protect their
connections to your site, and educate them about the possibility of
phishing attacks.
The next step is for you to assess the level of security on your websites.
Are there any gaps in your security that need to be filled? Which sites
are the most important to focus on first, or which carry the most risk in
terms of the impact to you or your business if they get hacked an hour
from now? Have an informed discussion with your team or website
developer about how secure your sites are, and how this can be
improved and maintained.

If you need more help with any aspect of your website security I would be
happy to help. You can drop me an email at dermot@dermotdowney.com
or to book a free, no obligation session to discuss your needs feel free to
go to https://dermotdowney.com/index.php/call.

Best of luck and stay safe

Dermot
About the Author

Dermot Downey has been studying and working in computer security
for over 15 years and has multiple certifications related to data
networking and security. He has helped build and maintain secure
networks for pharmaceutical and financial clients, and owns a number
of WordPress websites which attract their fair share of attack traffic.
He lives in Dublin with his wife and family, and can be found online at
https://dermotdowney.com.
