How to secure your WordPress website?

WordPress sites are often hacked by hackers who take advantage of vulnerabilities. Indeed there are about 70,000+ attacks every minute on WordPress sites. Suppose that attacks. become successful, then hackers can steal users' data, inject malware, send spam email and a lot more. Being hacked is not just sad news for a website owner, it is a disaster! It doesn’t matter if your website is small or big, hackers can easily hack your website.

WordPress sites are often hacked by hackers who take advantage of vulnerabilities. Indeed there are about 70,000+ attacks every minute on WordPress sites. Suppose that attacks. become successful, then hackers can steal users' data, inject malware, send spam email and a lot more. Being hacked is not just sad news for a website owner, it is a disaster! It doesn’t matter if your website is small or big, hackers can easily hack your website.

WordPress sites are often hacked by hackers who take advantage of vulnerabilities. Indeed there are about 70,000+ attacks every minute on WordPress sites. Suppose that attacks. become successful, then hackers can steal users' data, inject malware, send spam email and a lot more. Being hacked is not just sad news for a website owner, it is a disaster! It doesn’t matter if your website is small or big, hackers can easily hack your website.

Slider

A. WordPress Vulnerabilities

Insecure Web Hosting

Some of the hosting providers have unnecessary ports open by default which are vulnerable to attacks and can give an invitation to attackers. Also, most of the hosting providers have outdated versions of the software. You need to consider these things before choosing the secure web host.

Weak login credentials

Common username and passwords give an open invitation for brute force attack.

Pirated themes and plugins

Using pirated or an outdated plugin or theme can make your site vulnerable.

Old WordPress versions

Each new version of WordPress fixes bugs and security vulnerabilities. If you’re not updating WordPress, then you are intentionally leaving your site vulnerable.

Non-default WordPress table prefix

It is recommended that you use a prefix that is a little more complicated. This will make it harder for hackers to guess your database table names.

Non-default WordPress login page URL

This will help you keep your login page unknown to the attackers and will help you protect your site from brute force attacks.

Windows 7/8.1/10

A denial of service vulnerability exists when Windows improperly handles objects in memory, aka 'Windows Denial of Service Vulnerability'.
  • A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding.
  • To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application or to convince a user to open a specific file on a network share.
  • The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to cause a target system to stop responding. The update addresses the vulnerability by correcting how Windows handles objects in memory.

Affected Products:- Windows RT 8.1,Windows Server, version 1903 (Server Core installation),Windows Server 2016,Windows Server, version 1803 (Server Core Installation),Windows Server 2012,Windows 8,Windows 7,Windows 10,Windows Server 2008,Windows Server 2019

A spoofing vulnerability exists when Transport Layer Security (TLS) accesses non-Extended Master Secret (EMS) sessions, aka 'Microsoft Windows Transport Layer Security Spoofing Vulnerability'.

  • A spoofing vulnerability exists when Transport Layer Security (TLS) accesses non- Extended Master Secret (EMS) sessions.
  • An attacker who successfully exploited this vulnerability may gain access to unauthorized information.
  • To exploit the vulnerability, an attacker would have to conduct a man-in-the-middle attack.
  • The update addresses the vulnerability by correcting how TLS client and server establish and resume sessions with non-EMS peers.

Affected Products:- Windows RT 8.1,Windows Server, version 1903 (Server Core installation),Windows Server 2016,Windows Server, version 1803 (Server Core Installation),Windows Server 2012,Windows 8,Windows 7,Windows 10,Windows Server 2008,Windows Server 2019

An elevation of privilege vulnerability exists in the Microsoft Windows Update Client when it does not properly handle privileges, aka 'Microsoft Windows Update Client Elevation of Privilege Vulnerability'

  • An elevation of privilege vulnerability exists in Microsoft Windows Setup when it does not properly handle privileges.
  • An attacker who successfully exploited this vulnerability could run processes in an elevated context.
  • An attacker could then install programs; view, change or delete data. To exploit this vulnerability, an attacker would first have to log on to the system.
  • An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.
  • The security update addresses the vulnerability by enabling Windows Setup to properly handle user privileges.

Affected Products:- Windows 10,Windows Server 2016,Windows Server, version 1803 (Server Core Installation),Windows Server, version 1903 (Server Core installation),Windows Server 2019

A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka 'Jet Database Engine Remote Code Execution Vulnerability'.

  • A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory.
  • An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system.
  • An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file.
  • The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory.

Affected Products:- Windows RT 8.1,Windows Server, version 1903 (Server Core installation),Windows Server 2016,Windows Server, version 1803 (Server Core Installation),Windows Server 2012,Windows 8,Windows 7,Windows 10,Windows Server 2008,Windows Server 2019

B. Container vulnerabilities

Docker Vulnerabilities

This vulnerability allows containers using subPath volume mounts to access files or directories outside of the volume, including the host’s file system. If exploited, it could give an attacker access to a pod and full control over the node host by gaining access to the Docker socket.

Severe Privilege Escalation Vulnerability in Kubernetes

This vulnerability allows an unauthenticated user to perform privilege escalation and gain full admin privileges on a cluster. After a remote user exploits this vulnerability and gains admin privileges, he can take ownership of a cluster. He could perform malicious actions such as injecting malicious code into containers to exfiltrate data, mine for cryptocurrencies, or access secrets.

High Severity RunC Vulnerability

This vulnerability allows an attacker to potentially compromise the container host. The vulnerability allows a malicious container to overwrite the host runc binary and gain root-level code execution capability on the host.

C. PHP vulnerabilities

  1. xmlrpc_decode() can allow a hostile XMLRPC server to cause PHP to read memory outside of allocated areas in base64_decode_xmlrpc in ext/xmlrpc/libxmlrpc/base64.c.
  2. allows remote attackers to cause a denial of service (infinite loop) via a crafted Exception object in serialized data
  3. ext/standard/var_unserializer.c in PHP 5.x through 7.1.24 allows attackers to cause a denial of service (application crash) via an unserialize call for the com, dotnet, or variant class

To avoid these vulnerabilities you must update PHP to the latest 7.4 Version

D. WordPress Vulnerabilities

  • WordPress <= 5.3 - Improper Access Controls in REST API
  • WordPress <= 5.3 - Stored XSS via Block Editor Content
  • WordPress <= 5.3 - Stored XSS via Crafted Links
  • WordPress <= 5.3 - wp_kses_bad_protocol() Colon Bypass
  • WordPress <= 5.2.3 - Admin Referer Validation
  • WordPress <= 5.2.3 - JSON Request Cache Poisoning
  • WordPress <= 5.2.3 - Server-Side Request Forgery (SSRF) in URL Validation

To avoid these vulnerabilities you should update Wordpress to the latest 5.4 version.


Use HTTPS

HTTPS (Hypertext Transfer Protocol Secure) is an internet communication protocol that protects the confidentiality and integrity of data between the user's computer and the site. We motivate you to follow HTTPS to secure the connections of your users to your website, regardless of the content on the site. If you or your users want anything private then we highly recommended using HTTPS


Web Application Firewall

During the last decade, the way companies use the Internet has changed dramatically. Many advanced web applications are developed for storing huge amounts of data. But unfortunately, that data can be exposed.

There are various ways to prevent such cyber-attacks, one of the best way is a web application firewall (WAF). Web Application Firewall protects your website from several website attacks such as SQL Injection(SQLI), Cross-Site Scripting(XSS), Remote File Inclusion and many more cyber attacks. It also protects your website from critical attacks such as Dos and DDoS attacks.

SQL Injection:- SQL injection is a web security vulnerability that allows an attacker to interfere with the database queries.

XSS (Cross-site scripting):- Cross-Site Scripting attack is a malicious code injection. The malicious script can be saved on the webserver and executed every time when the user calls the appropriate functionality.