WordPress security Archives - Patchstack (feed generated Thu, 15 Jan 2026 08:13:13 +0000)

New Year, New Threats: Q1 2025's Most Exploited WordPress Vulnerabilities
https://patchstack.com/articles/new-year-new-threats-q1-2025s-most-exploited-wordpress-vulnerabilities/
Thu, 27 Mar 2025 06:47:37 +0000

WordPress, powering over 40% of websites, is a prime target for cyberattacks. Virtual patches (vPatches) provide immediate protection against vulnerabilities in plugins and themes, ensuring site security while awaiting official fixes.

The post New Year, New Threats: Q1 2025's Most Exploited WordPress Vulnerabilities appeared first on Patchstack.


Introduction

WordPress remains the backbone of millions of websites, offering flexibility and scalability through its extensive library of plugins and themes. However, this same openness also makes it a frequent target for cyber threats. Attackers are constantly scanning for outdated software, unpatched vulnerabilities, and misconfigurations that can be exploited to gain unauthorized access.

The reality is clear: many WordPress sites remain vulnerable long after security flaws are disclosed, simply because updates are delayed or neglected. In this environment, relying solely on developer-issued patches isn’t enough—proactive security measures are essential.

This is where Patchstack’s virtual patches (vPatches) come in. By neutralizing known exploits with precision-crafted firewall rules, vPatches protect websites in real time, preventing attackers from taking advantage of unpatched vulnerabilities. Instead of waiting for an official fix, website owners can stay ahead of threats and ensure uninterrupted security.

Recent exploited vulnerabilities and how our vPatches blocked them

Last month alone, we designed and deployed more than 500 new virtual patches, protecting our clients against a wide range of vulnerabilities without waiting for an official fix.

In addition to continually adding vPatches for new vulnerabilities, Patchstack is also expanding its protection beyond WordPress and now secures standalone PHP pages where WordPress is not loaded, through PHP's auto_prepend_file directive (opt-in, currently in beta). This means that even when a vulnerability lies outside the WordPress environment, such as in a custom PHP script or a legacy application, our virtual patches can still detect and block exploitation attempts, covering the whole website.
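For readers unfamiliar with the mechanism, the following added PHP example (not Patchstack's code) shows what a filter loaded through auto_prepend_file looks like: the directive makes PHP run the named script before whichever script was actually requested, so a check placed there sees every request parameter whether or not WordPress is involved. The configuration lines, the prepend_* function names and the two rules are assumptions made for the illustration.

```php
<?php
// prepend.php: an added illustration of a request filter loaded through
// auto_prepend_file. This is not Patchstack's code; the configuration lines,
// function names and rules are assumptions made for the example.
//
// Enable it for every PHP request on the host (choose the one your stack uses):
//   php.ini / .user.ini : auto_prepend_file = /var/www/prepend.php
//   Apache .htaccess    : php_value auto_prepend_file /var/www/prepend.php
//   nginx + php-fpm     : fastcgi_param PHP_VALUE "auto_prepend_file=/var/www/prepend.php";
declare(strict_types=1);

/**
 * Flatten nested request arrays (foo[]=a, foo[bar]=b) into "name => value"
 * strings, so a rule cannot be evaded by wrapping the payload in an array.
 */
function prepend_flatten(array $input, string $prefix = ''): array
{
    $out = [];
    foreach ($input as $key => $value) {
        $name = $prefix === '' ? (string) $key : $prefix . '[' . $key . ']';
        if (is_array($value)) {
            $out += prepend_flatten($value, $name);
        } else {
            $out[$name] = (string) $value;
        }
    }
    return $out;
}

/**
 * Apply each rule to "name=value"; scoping on the name keeps a rule specific
 * to the parameter the vulnerability lives in, as the vPatches above are.
 * Returns the label of the first matching rule, or null when nothing matched.
 */
function prepend_match(array $params, array $rules): ?string
{
    foreach ($params as $name => $value) {
        $pair = $name . '=' . $value;
        foreach ($rules as $label => $regex) {
            if (preg_match($regex, $pair) === 1) {
                return $label;
            }
        }
    }
    return null;
}

// Two hypothetical rules in the spirit of the vPatches described on this page.
$prepend_rules = [
    // a serialized PHP object in any parameter: O:<len>:"ClassName":<n>:{
    'php-object-injection' => '/=.*\bO:\d+:"[A-Za-z_\\\\][A-Za-z0-9_\\\\]*":\d+:\{/s',
    // directory traversal in a parameter named "template" (raw, backslash or URL-encoded form)
    'path-traversal'       => '#^template=.*(?:\.\./|\.\.\\\\|%2e%2e)#i',
];

$prepend_params = prepend_flatten($_GET) + prepend_flatten($_POST) + prepend_flatten($_COOKIE);

if (($prepend_hit = prepend_match($prepend_params, $prepend_rules)) !== null) {
    http_response_code(403);
    header('Content-Type: text/plain; charset=utf-8');
    error_log(sprintf('prepend.php blocked %s %s (rule: %s)',
        $_SERVER['REQUEST_METHOD'] ?? '-', $_SERVER['REQUEST_URI'] ?? '-', $prepend_hit));
    echo "Request blocked.\n";
    exit;
}
// No rule matched: PHP now runs the script that was actually requested.
```

Because the prepend script runs before any application code, it is the one place where a rule can protect a legacy script that has no hook system of its own; the trade-off is that a rule written too broadly breaks every page on the host, which is why the rules above are keyed on the parameter name rather than on the bare value.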

Here are some of the most interesting vulnerabilities exploited this quarter:

Automatic Plugin (AI plugin): Unauthenticated Arbitrary SQL Execution, 40K+ installs, CVSS 9.9

WordPress Automatic Plugin - AI content generator and auto poster plugin <= 3.92.0 – Unauthenticated Arbitrary SQL Execution vulnerability (CVE-2024-27956)

  • This Critical vulnerability in a popular plugin with 40K+ installations could allow unauthenticated attackers to execute arbitrary SQL queries against the database by abusing a flawed authentication mechanism in the CSV export feature (inc/csv.php), driven by the “auth” POST parameter.
  • Patchstack immediately released a vPatch that blocks requests combining the authentication-bypass pattern with the SQL query parameter.

More than 6,500 attempts to exploit vulnerable versions of the plugin have been blocked since the vPatch was deployed.

Startklar Elementor Addons plugin: Unauthenticated Arbitrary File Upload, 5K+ installs, CVSS 10.0

WordPress Startklar Elementor Addons plugin <= 1.7.13 – Unauthenticated Arbitrary File Upload vulnerability (CVE-2024-4345)

This Critical vulnerability in the WordPress Startklar Elementor Addons plugin (since closed for security reasons) allowed unauthenticated attackers to upload arbitrary files to the web server, which ultimately leads to site takeover.

  • In vulnerable versions, the plugin's “startklar_drop_zone_upload_process” action did not properly validate uploaded file types, so anyone could upload a malicious file and potentially achieve remote code execution.
  • Patchstack's clients were automatically protected by a virtual patch that blocks any request to the vulnerable action when the request includes files of types that may contain executable code.

Several thousand attempts to exploit vulnerable versions of the plugin have been blocked since the vPatch was deployed.
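What "did not properly validate uploaded file types" means in code, as an added PHP example that is not the Startklar plugin's: the vulnerable handler lets the client-supplied filename decide what lands in a web-reachable directory, while the hardened handler decides by an extension allowlist and the file's actual bytes, then discards the client's name. The directory path, the allowlist and the upload_* function names are assumptions.

```php
<?php
// Added illustration of upload validation; not the Startklar plugin's code.
// The allowlist, directory and function names are assumptions.
declare(strict_types=1);

// Vulnerable: the client-supplied name decides the extension, so "shell.php"
// (or "shell.phtml", or "shell.php.jpg" on hosts with sloppy handler mappings)
// lands in a web-reachable directory and runs on the next request.
function upload_vulnerable(array $file, string $dir): string
{
    $dest = $dir . '/' . basename($file['name']);
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// Hardened: allowlist the extension, verify the bytes really are the claimed
// type, and never reuse the user's filename. Keep the directory itself
// non-executable as well (e.g. "php_flag engine off" in a .htaccess, or an
// nginx location that never passes it to PHP): defence in depth for the day
// a future change weakens this check.
const UPLOAD_ALLOWED = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'pdf'  => ['application/pdf'],
];

/** Returns the normalised extension to store under, or null to reject. */
function upload_validate(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(UPLOAD_ALLOWED[$ext])) {
        return null;                        // php, phtml, phar, svg, html ... all rejected
    }
    // Decide by content, never by the name or the client-sent $file['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, UPLOAD_ALLOWED[$ext], true)) {
        return null;
    }
    return $ext;
}

function upload_hardened(array $file, string $dir): ?string
{
    if (!is_uploaded_file($file['tmp_name'] ?? '')) {
        return null;
    }
    $ext = upload_validate($file);
    if ($ext === null) {
        return null;
    }
    // Random, server-chosen name: no path separators, no double extensions.
    $dest = $dir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644);
    return $dest;
}

// CLI sanity check with constructed files. is_uploaded_file() only passes for
// real HTTP uploads, so only upload_validate() is exercised here.
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16));   // PNG signature
$php = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($php, '<?php system($_GET["c"]);');

var_dump(upload_validate(['name' => 'avatar.png', 'tmp_name' => $png, 'error' => UPLOAD_ERR_OK])); // string(3) "png"
var_dump(upload_validate(['name' => 'avatar.php', 'tmp_name' => $php, 'error' => UPLOAD_ERR_OK])); // NULL: extension not allowed
var_dump(upload_validate(['name' => 'avatar.png', 'tmp_name' => $php, 'error' => UPLOAD_ERR_OK])); // NULL: content is PHP, not PNG
```

Inside WordPress the same checks are what wp_check_filetype_and_ext() and wp_handle_upload() perform for core media uploads; plugin code that writes files through its own AJAX action, as the vulnerable action here did, has to do them itself.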

WordPress Bricks theme <= 1.9.6 – Unauthenticated Remote Code Execution (RCE) vulnerability (CVE-2024-25600)

This theme, with an estimated 30K+ active installations, suffered from a flaw that allowed unauthenticated users to execute arbitrary PHP code, leading to site takeover.

  • The vulnerability resided in the “prepare_query_vars_from_settings” function, reached through the “bricks/v1/render_element” REST route. No capability check was in place, and the theme's nonce check was trivially bypassed because that nonce is exposed to anyone loading the front end.
  • Patchstack's vPatch was deployed on affected clients' websites, blocking requests to the vulnerable route that set “useQueryEditor” while the requesting user lacked sufficient permissions.

Several hundred attempts to exploit vulnerable versions of the theme have been blocked since the vPatch was deployed.

GiveWP plugin: PHP Object Injection, 100K+ installs, CVSS 10.0

WordPress GiveWP plugin <= 3.16.3 - Unauthenticated PHP Object Injection to Remote Code Execution vulnerability (CVE-2024-8353)

  • This popular donation plugin (100k+ installations) was once again affected by a Critical flaw that let unauthenticated attackers perform PHP object injection, because several parameters submitted during the donation process, including those prefixed “give_” or “card_”, were deserialized without restriction. This could ultimately lead to site takeover.
  • Patchstack immediately released a vPatch that blocks requests carrying known PHP object patterns in the vulnerable parameters.

Several hundred attempts to exploit vulnerable versions of the plugin have been blocked since the vPatch was deployed.

Key takeaways and conclusion

A strong WordPress security strategy goes beyond routine updates—it requires real-time threat mitigation to stay ahead of attackers. While official patches are necessary, they often arrive after threats have already been exploited.

By combining Patchstack’s proactive security with smart practices like regular updates, monitoring, and minimizing unnecessary plugins, you can build a strong, resilient defense against cyber threats.

Stay informed with our latest updates to keep your WordPress site protected against evolving cyber threats.

Help us make the Internet a safer place

Making the WordPress ecosystem more secure is a team effort, and we believe that plugin developers and security researchers should work together.

  • If you're a plugin developer, join our mVDP program that makes it easier to report, manage and address vulnerabilities in your software.
  • If you're a security researcher, join Patchstack Alliance to report vulnerabilities & earn rewards.

Virtual Patches vs. Hackers: Q4 2024’s Most Exploited WordPress Threats
https://patchstack.com/articles/q4-2024-most-exploited-wordpress-threats/
Tue, 17 Dec 2024 09:38:14 +0000

WordPress, powering over 40% of websites, is a prime target for cyberattacks. Virtual patches (vPatches) provide immediate protection against vulnerabilities in plugins and themes, ensuring site security while awaiting official fixes.


Introduction

WordPress has grown into the world’s most popular content management system (CMS), empowering individuals and businesses to create websites with ease. Its open-source nature has led to the development of a vibrant ecosystem of over 60,000 plugins and thousands of themes, enabling users to customize their sites for nearly any purpose - from blogs and e-commerce stores to corporate portals and educational platforms.

However, this widespread adoption also comes with responsibilities. WordPress core and open-source plugins are frequently updated to fix bugs, add features and strengthen security. Despite this, most WordPress sites run outdated versions, leaving them exposed to known exploits. The platform's security therefore depends on a layered approach: regular updates, strong credentials, and additional measures such as firewalls and malware scanning.

Patchstack improves website security by delivering immediate, tailored protection against vulnerabilities in the form of virtual patches (vPatches). Acting as customized firewall rules, they shield WordPress sites from exploits targeting plugins, themes or core without interrupting the site's normal functioning, so website owners can keep a robust defense in place without delay.

Unlike traditional methods that depend on waiting for developer-issued updates, Patchstack’s vPatches close the security gap instantly, mitigating threats as soon as vulnerabilities are identified.

Recent exploited vulnerabilities and how our vPatches blocked them

Last month alone, we designed and deployed more than 300 new virtual patches, protecting our clients against a wide range of vulnerabilities without waiting for an official fix.

Alongside adding vPatches for new vulnerabilities, we continuously monitor the malicious requests we block for our customers, and that number has risen by more than 20% compared with the previous couple of months.

Here are some of the most interesting vulnerabilities exploited this quarter:

Really Simple Security plugin: Account Takeover, 4M+ installs, CVSS 9.8

WordPress Really Simple Security Plugin 9.0.0-9.1.1.1 - Account Takeover vulnerability (CVE-2024-10924)

  • This Critical vulnerability, affecting all editions (Free, Pro and Pro Multisite) of a popular plugin with 4M+ installations, could allow unauthenticated attackers to log in as any user, including administrators, on sites with two-factor authentication (2FA) enabled, by abusing a mishandled REST response in the “skip_onboarding” function.
  • Patchstack immediately released a vPatch blocking malicious requests to the “/two_fa/skip_onboarding” endpoint.

Several hundred attempts to exploit vulnerable versions of the plugin have been blocked since the vPatch was deployed.

Spam protection by CleanTalk plugin: Authorization Bypass, 200K+ installs, CVSS 8.1

WordPress Spam protection, Anti-Spam, FireWall by CleanTalk plugin <= 6.44 - Authorization Bypass vulnerability (CVE-2024-10781)

This high-severity vulnerability (CVSS 8.1) in the WordPress Spam protection plugin (200k+ installs) allowed unauthenticated attackers to install and activate arbitrary plugins, ultimately leading to site takeover.

  • In vulnerable versions, the plugin's access-key verification could be bypassed whenever no API key had been configured: the reference value then became the MD5 or SHA256 hash of an empty string, so anyone could send one of those well-known hashes and pass the check.
  • Patchstack's clients were automatically protected by a virtual patch blocking any request whose “spbc_remote_call_token” parameter is the hash of an empty value (“d41d8cd98f00b204e9800998ecf8427e” for MD5 or “e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855” for SHA256).

Several hundred attempts to exploit vulnerable versions of the plugin have been blocked since the vPatch was deployed.

GiveWP plugin: PHP Object Injection, 100K+ installs, CVSS 10.0

WordPress GiveWP plugin <= 3.16.3 - Unauthenticated PHP Object Injection to Remote Code Execution vulnerability (CVE-2024-9634)

  • This Critical vulnerability in a popular donation plugin with 100k+ installations allowed unauthenticated attackers to perform PHP object injection, because the “give_company_name” parameter submitted during the donation process was deserialized without restriction. This could ultimately lead to site takeover.
  • Patchstack immediately released a vPatch that blocks requests carrying known PHP object patterns in the vulnerable parameter.

Several hundred attempts to exploit vulnerable versions of the plugin have been blocked since the vPatch was deployed.
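The mechanism behind both GiveWP entries on this page (CVE-2024-9634 here and CVE-2024-8353 in the Q1 2025 post), unserialize() applied to request data, reduced to an added PHP example that is not GiveWP's code. The ExampleLogger gadget class, the parameter name and the serialized payload are constructed for the illustration; the hardened reader, the allowed_classes restriction and the object-pattern check are the generic fixes.

```php
<?php
// Added illustration of PHP object injection through unserialize(); not
// GiveWP's code. Class, parameter name and payload are constructed.
declare(strict_types=1);

// Any class with a magic method that acts on attacker-controlled properties is
// a "gadget". Here __destruct() appends to a file, so a crafted serialized
// string turns deserialization into an arbitrary file write. Real chains use
// classes that already exist in WordPress, plugins or vendored libraries.
class ExampleLogger
{
    public string $path = '/tmp/example.log';
    public string $line = '';

    public function __destruct()
    {
        file_put_contents($this->path, $this->line, FILE_APPEND);
    }
}

function is_serialized_like(string $value): bool
{
    return preg_match('/^[aOs]:\d+:/', $value) === 1;
}

// Vulnerable: request data reaches unserialize() unrestricted, so the attacker
// chooses which class is instantiated. The object's destructor runs as soon as
// the returned value is discarded.
function read_donor_field_vulnerable(array $post, string $key)
{
    $raw = $post[$key] ?? '';
    return is_string($raw) && is_serialized_like($raw) ? unserialize($raw) : $raw;
}

// Hardened: a donor field is a plain string. Never deserialize it; if a
// structured value is genuinely needed, use JSON.
function read_donor_field_hardened(array $post, string $key): string
{
    $value = $post[$key] ?? '';
    if (!is_string($value)) {
        return '';
    }
    return trim(strip_tags($value));
}

// Where legacy serialized data must still be read, forbid object instantiation:
// objects come back as __PHP_Incomplete_Class and no magic method ever runs.
function read_legacy_blob(string $raw): array
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// The same check a request filter can apply before the application sees the
// value: a serialized PHP object always has the form O:<len>:"<Class>":<n>:{
function looks_like_php_object(string $value): bool
{
    return preg_match('/(?:^|[;{])O:\d+:"[A-Za-z_\\\\][A-Za-z0-9_\\\\]*":\d+:\{/', $value) === 1;
}

// Constructed payload (string lengths must match exactly or unserialize() fails).
$payload = 'O:13:"ExampleLogger":2:{s:4:"path";s:25:"/tmp/example-injected.txt";s:4:"line";s:5:"pwned";}';
$request = ['give_company_name' => $payload];                      // constructed POST body

var_dump(looks_like_php_object($payload));                          // bool(true)
var_dump(read_donor_field_hardened($request, 'give_company_name')); // the raw string; no object is created
var_dump(read_legacy_blob($payload));                               // array(0) {}: an object, not an array, so discarded
// read_donor_field_vulnerable($request, 'give_company_name');      // would instantiate ExampleLogger and write the file
```

The detection regex is the shape of rule the vPatch above applies; it is a stop-gap, because an attacker can sometimes reach unserialize() through encodings the rule does not see, which is why the permanent fix is to stop deserializing user input at all.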

Elementor Pro plugin: Authenticated Arbitrary Options Change, 4M+ installs, CVSS 8.8

WordPress Elementor Pro plugin <= 3.11.6 - Authenticated Arbitrary Options Change vulnerability (CVE-2023-3124)

This plugin, with an estimated 4M+ active installations, suffered from a flaw that allowed any user with a role as low as Subscriber to change arbitrary options, for example enabling user registration and setting new accounts' default role to Administrator, leading to site takeover.

  • The vulnerability resided in the “update_page_option” function, reached through the “pro_woocommerce_update_page_option” action. No capability check was in place, and the plugin's nonce check was trivially bypassed because that nonce was exposed to anyone who could open the admin dashboard, which includes Subscribers.
  • Patchstack's vPatch was deployed on affected clients' websites, blocking requests to the vulnerable action from users without sufficient permissions.

More than 2,500 attempts to exploit vulnerable versions of the plugin have been blocked since the vPatch was deployed. Although the vulnerability was discovered and patched in 2023, the plugin's popularity means it is still being exploited today.
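The Bricks flaw in the Q1 2025 post and this Elementor Pro flaw share one root cause: a nonce was the only gate, and a nonce only proves the request came from a page that printed it, not that the caller is allowed to do anything. The following added PHP example (example plugin code, not Bricks' or Elementor's; route, action, nonce, capability and option names are assumptions) shows the vulnerable shape for a REST route and an admin-ajax action next to the hardened shape with capability checks.

```php
<?php
// Added illustration of missing authorization on a REST route and an
// admin-ajax action. Example plugin code, not Bricks' or Elementor Pro's;
// all route, action, nonce and option names are assumptions.

// --- Vulnerable shape: a nonce is the only gate. ------------------------------
// A nonce is a CSRF token, not an authorization check, and here it is printed
// into the public front end (Bricks) or into the dashboard any Subscriber can
// open (Elementor Pro), so any visitor or low-privilege user can obtain one.
add_action('rest_api_init', function () {
    register_rest_route('example/v1', '/render', [
        'methods'             => 'POST',
        'callback'            => 'example_render_vulnerable',
        'permission_callback' => function (WP_REST_Request $request) {
            return wp_verify_nonce((string) $request->get_param('nonce'), 'example-render') !== false;
        },
    ]);
});

function example_render_vulnerable(WP_REST_Request $request)
{
    // Element settings from the request body are applied as-is, including the
    // query-editor code path; nobody asked who is calling.
    return rest_ensure_response(['rendered' => true]);
}

add_action('wp_ajax_example_update_option', function () {
    check_ajax_referer('example-options');                            // CSRF only
    update_option(sanitize_key($_POST['name'] ?? ''), wp_unslash($_POST['value'] ?? ''));
    wp_send_json_success();
});

// --- Hardened shape: capability checks on top of the nonce. ------------------
add_action('rest_api_init', function () {
    register_rest_route('example/v1', '/render-hardened', [
        'methods'             => 'POST',
        'callback'            => 'example_render_hardened',
        // Runs before the callback; WordPress answers 401/403 when it returns false.
        'permission_callback' => function () {
            return current_user_can('edit_posts');
        },
        'args' => [
            'useQueryEditor' => ['type' => 'boolean', 'default' => false],
        ],
    ]);
});

function example_render_hardened(WP_REST_Request $request)
{
    // The dangerous code path gets its own, stricter gate.
    if ($request->get_param('useQueryEditor') && !current_user_can('manage_options')) {
        return new WP_Error('rest_forbidden', 'The query editor is restricted.', ['status' => 403]);
    }
    return rest_ensure_response(['rendered' => true]);
}

add_action('wp_ajax_example_update_option_hardened', function () {
    check_ajax_referer('example-options');
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);                         // exits
    }
    // The client never names the option: only options this feature owns.
    $allowed = ['example_shop_page_id', 'example_cart_page_id'];
    $name    = sanitize_key($_POST['name'] ?? '');
    if (!in_array($name, $allowed, true)) {
        wp_send_json_error('unknown option', 400);
    }
    update_option($name, absint($_POST['value'] ?? 0));
    wp_send_json_success();
});
```

Two habits follow from this: a permission_callback must express a capability, never just a nonce, and an AJAX handler that writes options should take the option name from its own allowlist, so that even a caller who does hold the capability cannot turn a "set shop page" feature into "set users_can_register and default_role".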

SEOPress plugin: Authentication Bypass, 300K+ installs, CVSS 8.3

WordPress SEOPress plugin < 7.9 - Authentication Bypass Leading To PHP Object Injection vulnerability (CVE-2024-5488)

  • This plugin (300K+ installations) contained an authentication check, reachable by unauthenticated users, that could be bypassed simply by supplying any existing user's username. That let attackers update certain post metadata, which could be escalated to PHP object injection and, in the worst case, remote code execution (RCE).
  • Patchstack immediately mitigated this with a vPatch that blocks requests to the “seopress/v1/posts” route carrying the vulnerable sub-actions when the requesting user lacks sufficient permissions.

Key takeaways and conclusion

Protecting your WordPress site from cyber threats demands a comprehensive, proactive security strategy. While keeping the WordPress core, plugins, and themes up to date is essential for addressing known vulnerabilities, the time gap between identifying a flaw and releasing official fixes can leave your site exposed.

Virtual patching solutions, like those offered by Patchstack, fill this critical security gap by instantly mitigating risks as vulnerabilities are discovered, safeguarding your site during the interim.

Pairing virtual patches with consistent security practices - such as timely updates, removing unused components, and actively monitoring for emerging threats - creates a robust defense against potential attacks, maintaining both functionality and peace of mind.

Be sure to follow our updates for the latest vulnerabilities and solutions to keep your site secure moving forward.

Stay Secure: How Patchstack’s vPatches protect your WordPress site against the latest vulnerabilities
https://patchstack.com/articles/stay-secure-how-patchstacks-vpatches-protect-your-wordpress-site-against-the-latest-vulnerabilities/
Wed, 18 Sep 2024 10:19:36 +0000

WordPress, powering over 40% of websites, is a prime target for cyberattacks. Virtual patches (vPatches) provide immediate protection against vulnerabilities in plugins and themes, ensuring site security while awaiting official fixes.


Introduction

In today's digital landscape, WordPress powers over 40% of websites worldwide, making it a prime target for cybercriminals. With its vast ecosystem of plugins, themes, and customizations, WordPress offers incredible flexibility but also presents unique security challenges.

A single vulnerability—whether in the core system, a popular plugin, or a widely used theme—can expose your site to significant risks, including data breaches, defacement, and loss of customer trust.

This is where virtual patches (vPatches) come into play: a vPatch is a customized firewall rule that acts as a virtual shield, addressing a security flaw before attackers can exploit it. Unlike approaches that rely on waiting for official updates, Patchstack's vPatches provide immediate protection, closing the gap between the discovery of a vulnerability and the availability of a permanent fix.

Recent exploited vulnerabilities and how our vPatches blocked them

Last month alone, we designed and deployed more than 200 new virtual patches, protecting our clients against a wide range of vulnerabilities without waiting for an official fix.

While we continually add vPatches for new vulnerabilities, it is worth noting that the most critical ones are still being exploited even though they were made public several months ago.

Here are some of the most interesting ones:

LiteSpeed Cache plugin: Privilege Escalation, 6M+ installs, CVSS 9.8

LiteSpeed Cache plugin <= 6.3.0.1 - Privilege Escalation (CVE-2024-28000)

  • This Critical vulnerability in a popular plugin with 6M+ installations could allow unauthenticated attackers to take over the site by exploiting a weak hash check: the hash was read from a browser cookie and accepted when calling WordPress's “users” REST API.
  • Patchstack immediately released a vPatch that blocks any request to the “wp/v2/users” endpoint carrying a “litespeed_hash” cookie.

More than 12,000 attempts to exploit vulnerable versions of the plugin have been blocked since the vPatch was deployed.

LiteSpeed Cache plugin: Unauthenticated Stored XSS, 6M+ installs, CVSS 8.3

LiteSpeed Cache plugin <= 5.7 - Unauthenticated Site Wide Stored XSS (CVE-2023-40000)

Another high-severity vulnerability in the LiteSpeed Cache plugin, disclosed earlier but still being exploited today.

  • In vulnerable versions, the plugin's “update_cdn_status” and “_process_cdn_status” functions were prone to unauthenticated stored XSS because they saved raw values from certain requests. An unauthenticated attacker could thus get arbitrary JavaScript executed in an administrator's browser, which can ultimately lead to site takeover.
  • Patchstack's clients were automatically protected by a virtual patch that blocks any request to the “litespeed/v1/cdn_status” endpoint containing non-standard characters in the “_msg” and “nameservers” parameters.

This vulnerability is still widely exploited, with over 150,000 attempts blocked in the last 6 months.
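The pattern behind this stored XSS, an unauthenticated endpoint that stores raw request values which an admin page later prints as HTML, and its generic fix, as an added PHP example. This is example plugin code, not LiteSpeed Cache's: the endpoint, option and header names, and the shared-secret check used to authenticate the remote caller, are assumptions.

```php
<?php
// Added illustration of a stored XSS through a status-callback endpoint.
// Example plugin code, not LiteSpeed Cache's; endpoint, option and header
// names are assumptions. The fix is the generic one: authenticate the caller,
// validate and sanitize on the way in, escape on the way out.

// --- Vulnerable shape ------------------------------------------------------
// An unauthenticated endpoint stores whatever it is sent, and an admin notice
// later prints it as raw HTML in the administrator's browser.
add_action('rest_api_init', function () {
    register_rest_route('example/v1', '/cdn_status', [
        'methods'             => 'POST',
        'permission_callback' => '__return_true',           // anyone on the internet
        'callback'            => function (WP_REST_Request $r) {
            update_option('example_cdn_msg', $r->get_param('_msg'));   // e.g. <script src=//evil.example/x.js></script>
            return ['ok' => true];
        },
    ]);
});
add_action('admin_notices', function () {
    echo '<div class="notice"><p>' . get_option('example_cdn_msg', '') . '</p></div>';   // unescaped
});

// --- Hardened shape --------------------------------------------------------
add_action('rest_api_init', function () {
    register_rest_route('example/v1', '/cdn_status_hardened', [
        'methods'             => 'POST',
        // A status callback from a remote service should prove who it is; a
        // shared secret sent over TLS is assumed here.
        'permission_callback' => function (WP_REST_Request $r) {
            $expected = (string) get_option('example_cdn_secret', '');
            $given    = (string) $r->get_header('X-Example-Signature');
            return $expected !== '' && hash_equals($expected, $given);
        },
        'args' => [
            '_msg' => [
                'type'              => 'string',
                'validate_callback' => function ($value) {
                    return is_string($value) && strlen($value) <= 200;
                },
                'sanitize_callback' => 'sanitize_text_field',   // strips tags and control characters
            ],
            'nameservers' => [
                'type'              => 'array',
                'validate_callback' => function ($value) {
                    if (!is_array($value)) {
                        return false;
                    }
                    foreach ($value as $ns) {
                        // Only hostnames are meaningful here; anything else is rejected, not "cleaned".
                        if (!is_string($ns) || !preg_match('/^[a-z0-9.-]{1,253}$/i', $ns)) {
                            return false;
                        }
                    }
                    return true;
                },
            ],
        ],
        'callback' => function (WP_REST_Request $r) {
            update_option('example_cdn_msg', $r->get_param('_msg'));
            update_option('example_cdn_ns', array_map('strtolower', (array) $r->get_param('nameservers')));
            return ['ok' => true];
        },
    ]);
});
add_action('admin_notices', function () {
    // Escape at output regardless of what the storage layer did; the two
    // layers fail independently.
    echo '<div class="notice"><p>' . esc_html((string) get_option('example_cdn_msg', '')) . '</p></div>';
    foreach ((array) get_option('example_cdn_ns', []) as $ns) {
        echo '<code>' . esc_html((string) $ns) . '</code> ';
    }
});
```

The vPatch described above sits between the two halves: it rejects non-standard characters in the two parameters before the vulnerable callback stores them, which is exactly the validate step the plugin lacked.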

Backup and Staging by WP Time Capsule plugin: Authentication Bypass, 20K+ installs, CVSS 9.8

Backup and Staging by WP Time Capsule plugin <= 1.22.20 - Authentication Bypass and Privilege Escalation (CVE-2024-38770)

  • This plugin (20K+ installations) suffered from a Critical flaw that allowed an unauthenticated user to log in as an administrator once the plugin's connection to the WP Time Capsule service had been configured. A loose “!=” comparison (instead of “!==”) was used to verify the API key, so the check could be bypassed through PHP type juggling.
  • Patchstack's vPatch was deployed on affected clients' websites before an official patch was available, blocking any request that combined the vulnerable “AUTO_UPDATE_CHECK” type with an authorization parameter.

More than 9,500 attempts to exploit vulnerable versions of the plugin have been blocked since the vPatch was deployed.
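This loose-comparison bypass and the CleanTalk empty-key hash in the Q4 2024 post are two faces of the same mistake: comparing a secret without first establishing that a secret exists, and without a strict comparison. The following added PHP example (not either plugin's code; function names and values are constructed) reproduces both bypasses and shows the hardened check.

```php
<?php
// Added illustration of two API-key verification mistakes; not CleanTalk's or
// WP Time Capsule's code. Function names and values are constructed.
declare(strict_types=1);

// Mistake 1: when no key is configured, the "expected" value becomes the hash
// of the empty string, a public constant anyone can send.
function verify_vulnerable_empty_key(string $supplied, ?string $configured_key): bool
{
    $expected = md5((string) $configured_key);   // md5('') === 'd41d8cd98f00b204e9800998ecf8427e'
    return $supplied == $expected;
}

// Mistake 2: loose comparison. PHP compares two numeric-looking strings as
// numbers, so "0e462097431906509019562988736854" != "0e1" is false (both are
// 0 * 10^n). An attacker needs a token whose *form* collides, not the secret.
function verify_vulnerable_loose(string $supplied, string $configured_key): bool
{
    if ($supplied != $configured_key) {
        return false;
    }
    return true;
}

// Hardened: refuse to authenticate at all while no key exists, and compare
// with hash_equals() (strict, constant time). Hashing both sides first means
// the comparison always runs over equal-length strings.
function verify_hardened(?string $supplied, ?string $configured_key): bool
{
    if ($configured_key === null || $configured_key === '' || $supplied === null) {
        return false;
    }
    return hash_equals(hash('sha256', $configured_key), hash('sha256', $supplied));
}

// Demonstration with constructed values.
$no_key    = null;
$magic_key = '0e462097431906509019562988736854';   // a real secret that happens to look numeric

var_dump(verify_vulnerable_empty_key('d41d8cd98f00b204e9800998ecf8427e', $no_key)); // bool(true): accepted with no key
var_dump(verify_vulnerable_loose('0e1', $magic_key));                                 // bool(true): accepted, wrong secret
var_dump(verify_hardened('d41d8cd98f00b204e9800998ecf8427e', $no_key));              // bool(false)
var_dump(verify_hardened('0e1', $magic_key));                                         // bool(false)
var_dump(verify_hardened($magic_key, $magic_key));                                    // bool(true): the real key still works
```

The "0e" case is the one that survives into PHP 8 (string-to-string comparison of two numeric strings is still numeric); older releases were looser still, so any plugin that must support PHP 7 has even less excuse to rely on == for secrets.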

Rehub theme: Unauthenticated Local File Inclusion, 35K+ installs, CVSS 9.0

Rehub theme <= 19.6.1 - Unauthenticated Local File Inclusion (CVE-2024-31231)

  • This theme (35K+ installations) exposed an “ajax_action_re_filterpost” function to unauthenticated users that neither restricted nor sanitized a user-supplied variable, so attackers could traverse directories and include arbitrary local .php files, which in some cases has a critical impact such as remote code execution (RCE).
  • Patchstack immediately mitigated this with a vPatch that blocks any request calling the vulnerable “re_filterpost” action when the “template” parameter contains known local file inclusion patterns.
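The bug class above in code, as an added PHP example that is not the Rehub theme's: a template name from the request spliced into include(), next to a resolver that applies an allowlist and a realpath() containment check. The directory layout, the template names and the function names are assumptions.

```php
<?php
// Added illustration of local file inclusion through a template parameter;
// not the Rehub theme's code. Directory, template and function names are
// assumptions.
declare(strict_types=1);

// Vulnerable: the request names the template and is spliced into include().
//   ?template=../../../../wp-config     -> includes wp-config.php (credentials, or a fatal error that leaks paths)
//   ?template=../../../uploads/2024/x   -> a "photo" that is really PHP, if the host lets it through
function load_template_vulnerable(string $template): void
{
    include get_template_directory() . '/templates/' . $template . '.php';
}

// Hardened, two independent layers:
//  1. an allowlist of names this feature knows about (the check that should decide);
//  2. a realpath() containment check, so even a bug in (1) can never leave the
//     templates directory or follow a symlink out of it.
function resolve_template(string $template, string $base_dir, array $allowed): ?string
{
    if (!in_array($template, $allowed, true)) {
        return null;
    }
    $base = realpath($base_dir);
    $path = realpath($base_dir . '/' . $template . '.php');
    if ($base === false || $path === false) {
        return null;                                   // missing file or directory
    }
    // realpath() has collapsed any ../ and resolved links; require $path to sit under $base.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function load_template_hardened(string $template): bool
{
    $path = resolve_template($template, get_template_directory() . '/templates', ['grid', 'list', 'compact']);
    if ($path === null) {
        return false;
    }
    include $path;
    return true;
}

// Sanity check against constructed inputs (this part needs no WordPress).
$tmp = sys_get_temp_dir() . '/lfi-example-' . bin2hex(random_bytes(4));
mkdir($tmp . '/templates', 0700, true);
file_put_contents($tmp . '/templates/grid.php', '<?php echo "grid";');
file_put_contents($tmp . '/secret.php', '<?php echo "secret";');

var_dump(resolve_template('grid', $tmp . '/templates', ['grid']));            // string: ".../templates/grid.php"
var_dump(resolve_template('../secret', $tmp . '/templates', ['grid']));       // NULL: stopped by the allowlist
var_dump(resolve_template('../secret', $tmp . '/templates', ['../secret']));  // NULL: stopped by containment even with a bad allowlist
```

The containment check is what makes the vPatch's pattern matching a stop-gap rather than the fix: a rule can only enumerate traversal encodings it knows, whereas realpath() decides on the resolved path itself.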

Key takeaways and conclusion

Proactive defense is essential for protecting your WordPress site from emerging threats. Relying solely on official patches can leave a window of vulnerability, but our vPatches provide immediate security as soon as a threat is detected, keeping our clients' sites safe while waiting for official fixes.

By keeping your WordPress core, themes, and plugins up to date and using real-time protection solutions like Patchstack, you can drastically reduce the risk of compromise.

Be sure to follow our updates for the latest vulnerabilities and solutions to keep your site secure moving forward.

How To Change The Default WordPress Login URL?
https://patchstack.com/articles/change-the-default-wordpress-login-url/
Wed, 03 Jan 2024 09:02:51 +0000

Did you know that attackers can use several techniques to gain full access to your WordPress site if you use the default login URL? In this article, we will learn how to change the default WordPress Login URL to a custom secure URL.

At Patchstack, we saw 150% more vulnerabilities reported in 2021 than in 2020. That is a staggering increase, and it shows how exposed a site can be without the necessary precautions.

One of the simplest ways to cut the noise from automated attacks on your WordPress site is to change the default login URL to a custom one. This makes it harder for automated tools to find your login page and launch brute-force attacks against it.

By the end of this article, you will have the technical know-how to change the default WordPress login URL to a custom secure URL. We will also provide an alternate solution that allows you to restrict access to your login page without technical expertise in just a few minutes.

Read on to find out more!

Why you should change the default WordPress login URL?

If you have been running your WordPress site for a while, there is a good chance that, whether you know it or not, your site has been regularly bombarded by brute-force attacks.

If you are using a strong password and following other industry best practices on your website, then most of the automated attacks will be foiled.

However, even when the attacker never manages to log in, the flood of login requests can still tie up your server and consume precious resources. Automated attacks can last for hours on end, and during that time your visitors may experience slow, sluggish performance.

These attacks are largely possible because the login URL is the same on every WordPress site (yourdomain.com/wp-login.php, which yourdomain.com/wp-admin redirects to when you are logged out). If you change this URL to something only you know, it becomes much harder for an attacker to guess the correct URL for your login page.

With a custom login URL, most automated bots will simply skip your site and move on to their next target rather than spend resources searching for the right URL.

Let’s see how to change the default login slug the old-fashioned way, and then see how Patchstack compares with this solution.

Manually changing the WordPress login URL (via SSH/FTP)

If you want to change your WordPress login URL manually, you will need to edit the PHP files of your website; this cannot be done from the WordPress dashboard. The exact steps vary with your hosting provider and configuration.

If your hosting provider offers a file manager (such as cPanel's), you can use that. Otherwise, if you have SSH access, log in to your server and edit the files there.

Once you get access to your server, locate your WordPress installation. In the WordPress folder, look for a file named wp-login.php – this is the file used to log in to your dashboard.

Rename this file to a random name and note it down. The name must not contain spaces and must end with .php.

For demonstration purposes we renamed wp-login.php to wp-login-2.php. After renaming the file, open it in a text editor and use find-and-replace to change every occurrence of wp-login to the name you noted down earlier; the file refers to its own name in several places (form actions and redirects), and those references must follow the rename.

In the example we replaced wp-login with wp-login-2 for simplicity. Ideally, pick a random alphanumeric string that is hard to guess.

Finally, save the file. No server restart is needed: requests to the old URL now return a 404, and the login page is served at the new one. Two caveats apply. A WordPress core update restores the original wp-login.php, so the steps must be repeated after every core update. And anything that builds the login URL with wp_login_url() (logout links, password-reset links, plugins) still points at wp-login.php unless you also hook the login_url filter.

How to secure WordPress login URL via Patchstack

If you are using Patchstack, you can secure your WordPress login page with a single click directly from the WordPress dashboard.

Once you have successfully installed Patchstack on your site, go to Patchstack settings and open the “Login Protection” page.

At the top of this page, you will find an option to “Block access to wp-login.php”. Click the checkbox next to this, and note down the randomly generated string in the text box below.

You will need to visit this URL to log in to your WordPress dashboard in the future.

If you want to create a URL that is easy to memorize, then you can edit the string in the text box.

Patchstack dashboard

Once you have performed the above steps, you can scroll down to the bottom of the page and click ‘Save’.

That’s it! Patchstack will now block any requests that attempt to access your login page directly. Only the users who visit the given URL can access the login page.

Note: This only works if you are using the default WordPress login URL to log in to the dashboard for administrative purposes. If you are using a custom URL, or run a site that requires regular users to log in, then this feature is not suitable for you.

Final thoughts

Changing the default WordPress login URL to a custom secure URL is a good way to deter a large number of automated attacks that try to guess your username and password. However, this is not a foolproof solution, and it does not guarantee that your site will be safe from black hat hackers. A dedicated attacker who is specifically targeting your website will still be able to find your custom login URL by inspecting your site's code, files, or database.

Therefore, you should not rely on this method alone, but use it as part of a comprehensive security strategy.

You should also implement other measures to protect your WordPress site from brute force attacks, such as blocking malicious IP addresses, limiting login attempts, using strong passwords, and updating your plugins and themes regularly. If you want to learn more about how to do this, we recommend you read the following articles:

Patchstack scans your site for vulnerabilities, alerts you of any issues, and automatically applies virtual patches before they can be exploited. You can try Patchstack for free and see how it can improve your site's security and performance.

How to Protect WordPress Against DDoS Attacks
https://patchstack.com/articles/protect-wordpress-against-ddos-attacks/
Thu, 14 Dec 2023 15:19:45 +0000

The post How to Protect WordPress Against DDoS Attacks appeared first on Patchstack.

One of the major challenges in cloud development is how to protect your applications from DDoS attacks. In this article, you will learn practical strategies you can use to protect WordPress against DDoS attacks.

A Distributed Denial of Service (DDoS) attack is a malicious attempt to disrupt the regular functioning of a website, online service, or network by overwhelming it with a flood of traffic from multiple sources.

DDoS attacks are executed by a network of compromised devices, often referred to as a botnet, which simultaneously sends a massive volume of traffic to a target website or server. 

Let’s begin by answering the question, “What is a DDoS attack?”, and then explore various strategies for protecting your website against DDoS attacks.

Understanding DDoS Attacks

DDoS attacks operate by overwhelming a target server, network, or website. This often crashes the target devices or makes them unusable. Attackers create or gain control of a network of compromised computers and devices known as a botnet. These devices are often infected with malware that allows the attacker to remotely control them.

The attacker commands the botnet to send a massive volume of data packets to the target simultaneously. These packets overwhelm the target, saturating its resources and causing congestion.


The target server or network's resources, such as bandwidth, processing power, or memory, are quickly consumed by the incoming flood of traffic. Legitimate user requests are unable to get through because the system is overloaded.

As a result of the resource depletion, the target may experience service disruption, leading to downtime or severely degraded performance.

When a website is under a DDoS attack, it can suffer:

  1. Downtime: During an attack, websites become unreachable for legitimate users, resulting in downtime. Even if a website doesn't go offline entirely, a DDoS attack can cause it to become extremely slow or unresponsive, frustrating visitors.
  2. Financial Loss: Extended downtime or impaired performance can lead to financial losses, especially for e-commerce websites and online businesses that rely on continuous availability.
  3. Operational Costs: Mitigating and recovering from DDoS attacks can be costly in terms of investing in security measures and incident response.

Types of DDoS Attacks

DDoS attacks come in various forms, each with its own methods and targets. The three primary types of DDoS attacks are:

  1. Volumetric Attacks: These attacks aim to overwhelm a target's network infrastructure by sending an enormous volume of data packets. Common protocols used in volumetric attacks include UDP (User Datagram Protocol) and ICMP (Internet Control Message Protocol). The goal is to exhaust the target's available bandwidth, making it inaccessible to users.

  2. Application Layer Attacks: Application layer attacks, also known as Layer 7 attacks, focus on exploiting vulnerabilities in the application or web server itself. Attackers send a high volume of seemingly legitimate requests that require significant server processing. This type of attack is challenging to mitigate as it mimics genuine user traffic.

  3. Protocol Attacks: Protocol attacks, or state-exhaustion attacks, exploit weaknesses in network protocols and connections. These attacks aim to consume resources at the transport and network layers of the target. Examples include SYN/ACK floods, which exhaust the server's ability to establish new connections.

Two Approaches for DDoS Attack Prevention

Increasing Capacity

There are different techniques and tricks that you can use to boost your server capacity and handle traffic spikes.

Scaling Resources

When it comes to safeguarding your website against DDoS attacks, the simplest strategy is to increase your server's capacity to handle sudden spikes in traffic. 

Dynamically adjusting your server's computing power, memory, and network resources based on demand would allow you to better handle traffic spikes.

Cloud platforms such as Amazon Web Services (AWS), Google Cloud, and Microsoft Azure are well-suited for resource scaling. These platforms provide cloud-based servers that can be easily adjusted to match your traffic patterns.

When your website experiences a surge in traffic, your server infrastructure can automatically expand to accommodate the increased load. When the traffic subsides, the resources can scale down.

Although this is a simple strategy, it is not very effective. Attackers use techniques such as NTP amplification and HTTP/2 Rapid Reset to launch extraordinarily large attacks, which means a single attacker server can overwhelm dozens of your servers. This causes hosting costs to rise exponentially and makes this approach impractical.

Using Content Delivery Networks (CDNs)

For DDoS attack prevention, you can consider integrating Content Delivery Networks (CDNs) in your network. CDNs play a vital role in enhancing your website's performance and resilience because they act as intermediaries between your website's server and end users.

By using CDNs, you can simulate having multiple servers distributed across various geographic locations. When a user requests content from your website, the CDN delivers it from the server closest to the user, which reduces latency and accelerates content delivery.

CDNs excel at providing users with content faster by reducing the distance data needs to travel. In the event of a DDoS attack, the CDN can help absorb and mitigate the attack's impact by distributing traffic across its network. This not only reduces the strain on your origin server but also provides a protective buffer against the attack.

Using a CDN to serve cached copies of your website is much cheaper than scaling up your servers – but it is still not effective. Using a CDN might deter small-scale attacks, but it will not prevent sophisticated attacks.

Decreasing Traffic

When it comes to protecting your website from DDoS attacks, the simplest solution is to block all malicious traffic. Let’s examine different ways of doing that.

Rate Limiting and Blocking

If you are getting a large amount of traffic from a single user, consider implementing rate limiting - setting thresholds on the number of requests that can be made within a specific time frame. This approach helps prevent overwhelming your server with excessive traffic.

Furthermore, many DDoS attacks attempt to breach your login system. Implementing rate limiting and blocking for repeated failed login attempts can help safeguard your login page.

On WordPress, this can be achieved through Patchstack or by using custom scripts that monitor login attempts and block IP addresses after a predefined number of failures.
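One way to implement the login throttling described above, as an added example that is not Patchstack's own code: a WordPress must-use plugin that counts failed logins per client IP in transients and refuses further attempts for a cooldown period. The thresholds and the lt_ prefixed names are assumptions chosen for this example.

```php
<?php
/**
 * Plugin Name: Login Throttle (added example)
 * Description: Counts failed logins per client IP and blocks the IP for a
 *              cooldown period once a threshold is reached. Save as
 *              wp-content/mu-plugins/login-throttle.php.
 *
 * Assumptions (constructed for this example): the thresholds below and the
 * lt_ prefixed names are illustrative, not values from the article.
 */

const LT_MAX_FAILURES = 5;     // failures allowed inside the counting window
const LT_WINDOW       = 900;   // 15 minutes: how long failures are remembered
const LT_LOCKOUT      = 1800;  // 30 minutes: how long a locked IP stays blocked

/**
 * Client IP as seen by the web server. Behind a CDN or reverse proxy every
 * request carries the proxy's address, so there the server (not this plugin)
 * must be configured to restore the real client IP; trusting X-Forwarded-For
 * blindly would let a client choose which address gets locked out.
 */
function lt_client_ip(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    return filter_var($ip, FILTER_VALIDATE_IP) ? $ip : '0.0.0.0';
}

/** Transient key for a counter; the IP is hashed to keep the key short and safe. */
function lt_key(string $ip, string $kind): string {
    return 'lt_' . $kind . '_' . md5($ip);
}

/** Seconds remaining in the lockout for this IP, or 0 if it is not locked. */
function lt_seconds_locked(string $ip): int {
    $until = (int) get_transient(lt_key($ip, 'lock'));
    return max(0, $until - time());
}

// 1. After WordPress's own credential checks (priority 20), override the
//    outcome for a locked IP so that even a correct password is refused
//    during the lockout.
add_filter('authenticate', function ($user, $username, $password) {
    $remaining = lt_seconds_locked(lt_client_ip());
    if ($remaining > 0) {
        return new WP_Error(
            'lt_locked',
            sprintf('Too many failed login attempts. Try again in %d minute(s).',
                    (int) ceil($remaining / 60))
        );
    }
    return $user;
}, 30, 3);

// 2. Count each failure; lock the IP once the threshold is reached.
add_action('wp_login_failed', function ($username) {
    $ip = lt_client_ip();
    if (lt_seconds_locked($ip) > 0) {
        return;  // already locked: do not extend the lock on every retry
    }
    $count = (int) get_transient(lt_key($ip, 'fail')) + 1;
    set_transient(lt_key($ip, 'fail'), $count, LT_WINDOW);

    if ($count >= LT_MAX_FAILURES) {
        set_transient(lt_key($ip, 'lock'), time() + LT_LOCKOUT, LT_LOCKOUT);
        delete_transient(lt_key($ip, 'fail'));
        // One log line per lockout gives incident responders something to search for.
        error_log(sprintf('[login-throttle] locked %s for %d s after %d failed logins (last user: %s)',
                          $ip, LT_LOCKOUT, $count, $username));
    }
});

// 3. A successful login clears the failure counter for that IP.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(lt_key(lt_client_ip(), 'fail'));
}, 10, 2);
```

Because the check runs on the authenticate filter, it also covers XML-RPC and REST application-password logins, not only the wp-login.php form.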

Geo-Blocking

Geo-blocking is the process of restricting access to your website from specific geographic locations. If you are getting a large amount of traffic from a certain region, you can consider blocking traffic from specific countries or regions.

If you’re using WordPress, you can do this easily using Patchstack, a security platform that allows you to block traffic from countries or regions with only a few clicks.

While geo-blocking can be somewhat effective in mitigating DDoS attacks, it's important to recognize that legitimate users from blocked regions may encounter access issues.

Specialized DDoS Protection Services

When it comes to safeguarding your website from the threat of DDoS attacks, relying solely on the above solutions may not be enough.

There are specialized DDoS protection services offered by many cloud providers. Let’s take a look at some of the more popular offerings:

#1 - AWS Shield

This is a proprietary solution from Amazon Web Services, designed to protect your cloud-based services.

AWS Shield offers two plans: Shield Standard provides automatic protection against common, more straightforward DDoS attacks, while Shield Advanced adds enhanced detection and mitigation capabilities for the highest level of security.


#2 - Cloudflare WAF

Cloudflare, known for its worldwide content delivery network, also offers a solution to protect against DDoS attacks – Cloudflare WAF.

This is a managed firewall service that offers protection against a spectrum of threats, including DDoS attacks. If you’re using Cloudflare WAF, you can take advantage of Cloudflare’s extensive global network along with real-time threat detection, and instant mitigation functionality.


#3 - Azure DDoS Protection

Azure DDoS Protection is an offering by Microsoft for blocking denial of service attacks. If you’re using Azure to host your infrastructure in the cloud, then this is a great choice as it will be able to operate seamlessly with all of your Azure services and applications.

It has various protection tiers, which allow you to tighten security as per your requirements. The best part is that this is the same technology Microsoft uses itself to safeguard its critical cloud infrastructure. This dogfooding approach inspires confidence in its ability to prevent DDoS attacks effectively.


#4 - Akamai DDoS Protection

Akamai, a leading content delivery provider, also offers DDoS protection. Akamai provides a range of services, including Web Application Protector, Bot Manager, and Kona Site Defender.

The App & API Protector service is a combination of web application firewall, bot mitigation, API security, and Layer 7 DDoS protection. Akamai claims it can quickly identify vulnerabilities and mitigate threats.

Furthermore, you can use Prolexic, an advanced offering that performs DDoS detection and provides protection. It can be used both in cloud networks and on your on-prem servers, and it comes with 20 Tbps of dedicated DDoS defense and a 100% platform availability SLA – which is hard to beat.


#5 - Google Armor

Google Armor focuses on protecting your applications and services running on Google Cloud. It offers granular control over traffic filtering and advanced threat detection capabilities, ensuring that your digital assets remain shielded from DDoS attacks.

The Adaptive Protection feature helps you protect your Google Cloud applications, websites, and services against L7 distributed denial-of-service (DDoS) attacks such as HTTP floods and other high-frequency layer 7 (application-level) malicious activity. 

It uses machine learning to detect anomalous activity, generate a signature describing the potential attack, and then create a custom Google Cloud Armor WAF rule to block the signature. You can enable or disable rules as per your requirement, making it a flexible but advanced solution for demanding websites.


#6 - Imperva

Imperva is another respected player in the field of DDoS protection. Imperva offers solutions that cover various aspects of cybersecurity, including DDoS mitigation, application security, and data protection. 

It offers always-on or on-demand protection for your entire network infrastructure to protect against DDoS attacks. You can also choose to enable the DNS protection functionality to protect your APIs and web applications from attacks that target domain nameservers.


Conclusion

In a world in which cyber attacks are a common occurrence, implementing DDoS attack prevention measures is not merely a choice – it's a prerequisite. When it comes to DDoS protection, the simple solution is to increase your server capacity by using CDNs and implementing rate limiting to thwart attacks.

However, for bigger websites that suffer attacks regularly, the specialized services listed in this article provide an extra layer of security, often tailored to the unique demands of different environments. If you are interested in learning more about DDoS attacks, we recommend reading the excellent DDoS threat report from Cloudflare.

Don't wait for the next threat to strike.

Sign up for Patchstack today and fortify your WordPress website against vulnerabilities and cyberattacks. Sign Up for Patchstack and join the thousands of satisfied users who have taken control of their website security, and sleep a little better at night!

How To Redirect WordPress from HTTP to HTTPs https://patchstack.com/articles/redirect-wordpress-from-http-to-https/ Wed, 29 Nov 2023 10:13:19 +0000

The post How To Redirect WordPress from HTTP to HTTPs appeared first on Patchstack.

This is a practical article that helps you redirect WordPress from HTTP to HTTPS.

HTTP and HTTPS are two protocols that are used to transfer data between a web browser and a web server. 

The main difference between HTTP and HTTPS is that HTTPS uses encryption to secure the data that is sent and received, while HTTP does not. By using HTTPS, even if someone intercepts the data, they will be unable to read or modify it.

HTTPS also protects the website from cyber attacks such as man-in-the-middle, phishing, spoofing, etc. These are attacks in which someone tries to impersonate the website or the user, or redirects them to a fake or malicious website, in order to trick them into revealing sensitive information or installing malware.

The main goal of this article is to show you different methods to redirect your WordPress website from HTTP to HTTPS so that you can enjoy the benefits of HTTPS and make your website more secure, whilst offering greater reassurance to your visitors.


Different ways to redirect WordPress from HTTP to HTTPS

There are many ways to redirect your WordPress website from HTTP to HTTPS, depending on your server setup, your WordPress settings, and your preferences.

In this section, you’ll discover some of the most common and effective methods to do that, using the WordPress dashboard, the wp-config.php file, the NGINX settings, and the Apache settings.

Before you proceed with any of these methods, you need to have an SSL certificate installed on your WordPress website. You can obtain an SSL certificate from various sources, such as your hosting provider, a certificate authority, or a free service such as Let's Encrypt. If you need help with installing an SSL certificate on your WordPress website, you can read our article on How to Install an SSL Certificate on WordPress.

Method 1: Editing WordPress URL in the dashboard

Log in to your WordPress dashboard, then go to Settings -> General. On the General Settings page, you will see several options to configure your WordPress website, such as Site Title, Tagline, Email Address, etc.

Here you need to change your WordPress Address (URL) and Site Address (URL). These are the URLs that WordPress uses to identify and access your website.

To change these URLs from HTTP to HTTPS, you need to replace the http:// part with https:// in both fields.

For example, if your WordPress Address (URL) is http://example.com, you need to change it to https://example.com.


After you have changed the URLs, you will need to scroll down to the bottom of the page and click on Save Changes. This will update your WordPress settings, and immediately begin redirecting your website from HTTP to HTTPS.

Method 2: Setting constant in the wp-config.php file

The wp-config.php file is one of the most important files in your WordPress website. It contains the configuration settings for your WordPress installation, such as database connection details, security keys, debug mode, etc.

You can use this file to customize and optimize your WordPress website according to your needs.

You can find the wp-config.php file in the WordPress root directory. You can access this folder using either a file manager or an FTP client. To edit the wp-config.php file, it will need to be opened with a text editor or a code editor. 

The FORCE_SSL_ADMIN constant in WordPress forces all login and admin pages to use HTTPS. This is a quick and easy method to prevent hackers from stealing or tampering with your username, password, and other sensitive information. 

To redirect your WordPress website from HTTP to HTTPS, add the following lines of code to the wp-config.php file, before the line that says /* That’s all, stop editing! Happy publishing. */:

define( 'WP_HOME', 'https://example.com' );
define( 'WP_SITEURL', 'https://example.com' );
define( 'FORCE_SSL_ADMIN', true );

Make sure you replace example.com with your actual domain name!

After you have added the code, save the file and then upload it back to the WordPress root directory, if you edited it offline. This will update the WordPress settings and begin redirecting your website from HTTP to HTTPS.


Method 3: Editing NGINX settings

If you are using NGINX to serve your website, you can use it to redirect insecure HTTP requests by creating a specific configuration. To access the NGINX configuration file, it’s necessary to have SSH access to your server, where you have installed NGINX and WordPress.

The NGINX configuration file is usually located in /etc/nginx/nginx.conf, but it may vary depending on your server setup. 

To redirect your WordPress website from HTTP to HTTPS, add the following server block to the NGINX configuration file (or, if the file already contains a server block that listens on port 80, add the return line to that block):

server {
  listen 80;
  server_name example.com www.example.com;
  return 301 https://example.com$request_uri;
}

Make sure to replace example.com with your actual domain name. The above code tells NGINX to listen on port 80, which is the default port for HTTP, and to match the server name with your domain name and its www variant. It then tells NGINX to return a 301 redirect to the HTTPS version of your website, using the same request URI. (A 301 redirect is a permanent redirect that tells the browser to use the new URL from now on.)

After you have added the lines of code, save the file and reload the NGINX service. You can use a command such as sudo nginx -s reload to reload NGINX without stopping it. This will apply the changes and start redirecting your website from HTTP to HTTPS.

Method 4: Editing Apache settings

If you’re using Apache for serving your WordPress website, you’ll have to edit the Apache configuration file that is usually located in /etc/apache2/, although it may vary depending on your server setup. 

There are multiple ways to redirect your WordPress website on Apache. If you want to redirect a single URL, you can use the RedirectPermanent directive – add the following lines of code to the Apache configuration file:

<VirtualHost *:80>
  ServerName example.com
  ServerAlias www.example.com
  RedirectPermanent / https://example.com/
</VirtualHost>

Again, make sure you replace example.com with your actual domain name!

Alternatively, you can also use the following lines of code to redirect your WordPress website from HTTP to HTTPS, using the mod_rewrite module:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

The code above enables the rewrite engine and checks if the HTTPS is off. If it is, it rewrites the request to the HTTPS version of your website, using the same request URI, and sends a 301 redirect to the browser.

After you have added the lines of code, save the file and restart the Apache service. This will apply the changes and redirect your website from HTTP to HTTPS.


When your WordPress HTTP to HTTPS redirect is almost finished...

Once you’ve updated your website configuration, it’s a good idea to update all of your URLs wherever you are using them. For instance, you should make sure to use the HTTPS URL when you use a CDN, create a sitemap, or submit your site for indexing to a search engine. This will ensure that your website is consistent and secure across all platforms and services.

You might think this is unnecessary, as all of the insecure requests will be automatically upgraded to HTTPS. However, this requires your visitors to make two HTTP requests instead of one, which can be frustrating – especially on slower connections.

Redirecting your WordPress website from HTTP to HTTPS is a great step to improve your website security, but it is not enough. You also need to manage vulnerabilities and stay ahead of the bad guys who may try to hack your website.

One of the best ways to do that is to use Patchstack, a cloud-based security platform that protects your WordPress website from hackers, malware, and other threats.

Patchstack monitors your WordPress website 24/7, scans it for vulnerabilities, and automatically patches them before they can be exploited.

Patchstack also provides you with a dashboard, reports, and alerts to keep you informed and in control of your website security.

If you want to learn more about how to secure your WordPress website with Patchstack, we recommend you read How to Secure WordPress Site with Patchstack or just sign up for a FREE FOREVER plan of Patchstack.

Patchstack Is Introducing Patchstack Priority https://patchstack.com/articles/patchstack-introducing-patchstack-priority/ Wed, 08 Nov 2023 12:23:25 +0000

The post Patchstack Is Introducing Patchstack Priority appeared first on Patchstack.

Over the past 6 months, we’ve been building, testing and fine-tuning a new vulnerability scoring system called Patchstack Priority to provide a more accurate representation of the seriousness of security vulnerabilities. The goal? Help WordPress developers reduce alert fatigue and know what to patch first.

We have carefully assigned the Patchstack Priority scores to all historic vulnerabilities, and the scores are now added to every new vulnerability. (Some of you may have already noticed “Priority” levels on the Patchstack Database vulnerability entries.)

Today, we roll Patchstack Priority out to all our users!

Vulnerability prioritization for Patchstack users

Patchstack users can now prioritize and filter vulnerabilities directly on their main dashboard.

By default, vulnerabilities will be sorted based on their Patchstack Priority score and date (newest first).

If you have planned maintenance windows for your websites, you can jump into the Patchstack App to see what needs your attention first. You’ll see which vulnerabilities could be resolved with a security update and which vulnerabilities are mitigated by the Patchstack vPatches.

As we continue working on Patchstack Priority, users will soon also get a “security tasklist,” recommending when to update specific software and helping you optimize your security maintenance.

Our Developer and Business users will be able to adjust their notifications. For example, if you'd only like to receive notifications for high-priority threats, toggle it in the Settings, and alert fatigue will be no more!

Different levels of Patchstack Priority

With the rapidly increasing amount of security vulnerabilities being fixed in the WordPress plugin ecosystem, it’s more important than ever to know where to put the attention first. Unfortunately, setting a focus is difficult when everything seems equally severe.

Patchstack Priority sets vulnerabilities into three categories, so users direct their attention to where it’s needed first and reduce noise from vulnerabilities which are not an imminent threat.

Patchstack Priority assigns every vulnerability one of three levels: High, Medium, or Low:

High Priority:

  • Expected to become actively exploited
  • Known to be actively exploited already
  • Receives a vPatching rule from Patchstack
  • Recommended time to patch/update (RTTP): 0 days.

Medium Priority:

  • Could be exploited in more targeted attacks
  • Is not yet publicly known to be exploited
  • Receives a vPatching rule from Patchstack
  • Recommended time to patch/update (RTTP): 7 days.

Low Priority:

  • Not expected to become exploited
  • Not known to be exploited
  • Does not require a vPatching rule from Patchstack
  • Recommended time to patch/update (RTTP): 30 days.

The priorities are updated as we get more data, ensuring you always know what needs your attention first.

Data behind the Patchstack Priority

Patchstack Priority is a dynamic scoring system, which takes into account different variables to predict whether a vulnerability will:

  1. Become actively mass-exploited, or
  2. Potentially be exploited in more targeted attacks, or
  3. Be unlikely to become exploited.

We analyze each vulnerability and the software where we found the vulnerability. Then, we compare them with similar vulnerabilities in the past that we have attack data for.

We also monitor each vulnerability in real time in case we need to increase the priority.

Some of the variables we analyze when assigning Patchstack Priority to security vulnerabilities include the following:

  • Analyzing the vulnerability prerequisites (e.g. what privileges are required for the vulnerability to be exploitable?)
  • Analyzing the vulnerability type (e.g. some vulnerabilities, like RCE, are more prone to exploitation than others, such as CSRF.)
  • Analyzing the software itself (e.g. how big of a target it is, where it’s commonly used, how many active installs it has, etc.)
  • Analyzing the standard CVSS scores
  • Monitoring active exploitation attempts

What’s next?

In addition to introducing Patchstack Priority so you know what to tackle first, our team has also made more changes to the Patchstack App:

  • An easier way to control the Protection modules and search and review the protection logs
  • See active modules on the Apps Overview page
  • Partner Mode in the plugin
  • New rule creation page for our new firewall engine (and templates)

And more!

Stay tuned for more updates as our team works to help you take charge of your WordPress security.

Try Patchstack Priority in your dashboard, and let us know if you have any feedback!

Patchstack Partners With Cloudways https://patchstack.com/articles/patchstack-cloudways-integration/ Thu, 26 Oct 2023 14:25:05 +0000

The post Patchstack Partners With Cloudways appeared first on Patchstack.

We're happy to announce a new strategic partnership with Cloudways. This week, Cloudways launched their vulnerability scanner powered by Patchstack's database, giving their customers visibility into potential security issues with their WordPress core, plugin, and theme versions.

In short, this means that more people will know whether they have hidden security risks on their websites.

This is also exciting news because the partnership highlights a big mindset shift happening in the WordPress ecosystem, with more companies thinking about security proactively rather than reactively.

Plugin vulnerabilities (which accounted for 93% of all WordPress vulnerabilities last year) are a very common security risk - but they're also easily preventable, especially now that we have a lot more awareness and information on them.

If you've been following our work, you may have noticed that we talk about growing our database of vulnerabilities pretty much exponentially every year. While that growth may sound alarming, it's a good thing, because it means security researchers are working that much harder to combat the issue.

We said in our big WordPress security roundup whitepaper back in March that the WordPress ecosystem leaders (like Cloudways) must set a positive example by dealing with vulnerabilities in a proactive, responsible and mature manner.

How does the Cloudways integration work?

The Cloudways vulnerability scanner can see which WordPress core, plugin, and theme versions are installed on your website. It periodically checks these versions against the Patchstack Database to see if any are affected by a security issue. If a vulnerability is found, the user will be notified and led to check the affected versions.

The vulnerability scanner will also show recommended actions for vulnerable components (generally this means updating the plugin, or removing it if no updates are available). You can also get more details about the specific issue:

Cloudways vulnerability scanner powered by Patchstack

Please keep in mind that the integration does not include Patchstack's vPatching protection layer - it only shows you information about vulnerabilities, and you'll ultimately have to take necessary steps to mitigate them yourself.

What is included, however, is our 48-hour early warning for vulnerabilities found by Patchstack Alliance, which should give you enough time to figure out the best course of action. This early warning is critical as we know from our data that in some cases, vulnerabilities may be exploited within hours of them becoming public.
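The version matching a scanner of this kind performs, as an added example that is not Cloudways or Patchstack code: the advisory feed fields, component slugs, versions and advisory labels are constructed for illustration, and the recommended action follows the rule stated above (update when a fixed version exists, otherwise remove).

```php
<?php
/**
 * Added example, not Cloudways or Patchstack code: match installed component
 * versions against an advisory feed and derive the recommended action.
 * The feed fields, slugs, versions and advisory labels below are constructed
 * for illustration and are not real vulnerability data.
 */

/** Constructed advisories. affected_below = first fixed version, or null when no fix exists. */
const ADVISORIES = [
    ['component' => 'plugin:example-forms',   'affected_from' => null,    'affected_below' => '2.3.1', 'label' => 'constructed advisory A'],
    ['component' => 'plugin:example-gallery', 'affected_from' => null,    'affected_below' => null,    'label' => 'constructed advisory B (unpatched)'],
    ['component' => 'theme:example-theme',    'affected_from' => '1.5.0', 'affected_below' => '1.8.0', 'label' => 'constructed advisory C'],
    ['component' => 'core:wordpress',         'affected_from' => null,    'affected_below' => '6.4.1', 'label' => 'constructed advisory D'],
];

/**
 * True when $installed falls inside [affected_from, affected_below).
 * A null lower bound means "all earlier versions"; a null upper bound means
 * no fixed release exists yet, so every version from the lower bound up is affected.
 */
function version_is_affected(string $installed, ?string $from, ?string $below): bool {
    if ($from !== null && version_compare($installed, $from, '<')) {
        return false;   // older than the version that introduced the flaw
    }
    if ($below === null) {
        return true;    // unpatched: nothing to compare against
    }
    return version_compare($installed, $below, '<');
}

/**
 * @param array $installed  'type:slug' => installed version string
 * @return array            one finding per matching advisory, with the action to take
 */
function scan_components(array $installed, array $advisories): array {
    $findings = [];
    foreach ($advisories as $adv) {
        $key = $adv['component'];
        if (!isset($installed[$key])) {
            continue;   // component not present on this site
        }
        if (!version_is_affected($installed[$key], $adv['affected_from'], $adv['affected_below'])) {
            continue;   // installed version is outside the vulnerable range
        }
        $findings[] = [
            'component' => $key,
            'installed' => $installed[$key],
            'advisory'  => $adv['label'],
            'action'    => $adv['affected_below'] === null
                ? 'remove (no fixed version available)'
                : 'update to ' . $adv['affected_below'] . ' or later',
        ];
    }
    return $findings;
}

// Constructed inventory, as the scanner would read it from a site.
$site = [
    'core:wordpress'         => '6.4.2',   // already past the fixed version: no finding
    'plugin:example-forms'   => '2.2.9',   // inside the vulnerable range, fix available
    'plugin:example-gallery' => '1.0.4',   // vulnerable and no fix: removal recommended
    'theme:example-theme'    => '1.4.2',   // older than the version that introduced the flaw
];

foreach (scan_components($site, ADVISORIES) as $f) {
    printf("%-24s %-8s %-36s -> %s\n", $f['component'], $f['installed'], $f['advisory'], $f['action']);
}
```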

About Cloudways

Cloudways is a leading managed cloud hosting and software as a service (SaaS) provider for small to medium-sized businesses (SMBs). Cloudways is part of DigitalOcean, which helps developers, startups and small and medium-sized businesses rapidly build, deploy, and scale applications to accelerate innovation and increase productivity and agility.

How To Block IPs, Countries, and Regions For WordPress https://patchstack.com/articles/wordpress-block-ip/ Tue, 10 Oct 2023 06:59:30 +0000

The post How To Block IPs, Countries, and Regions For WordPress appeared first on Patchstack.

]]>
This article will focus on how to block IPs, countries, and regions for your WordPress website.

In this article, we will learn how to filter out unwanted visitors from your website based on their IP addresses or locations. There are several reasons to do this, including:

  1. Improving website performance
  2. Complying with legal regulations
  3. Targeting specific audiences
  4. Preventing spam and fraud

However, it is important to note before we dive in that this should not be considered a security measure and should instead be seen as a performance optimization or a business decision. You shouldn’t rely on blocking IPs and countries as a substitute for proper security practices.

In short, blocking may serve as a temporary last resort when a spike from a specific IP address or even country is already underway and spiraling out of control, but it is not enough to consider your site reasonably protected, since it is relatively easy to work around these measures once the bad actors determine the pattern you are using to block them.

So, in this article, we’ll cover how to block IP addresses and countries in WordPress using several different methods and tools, such as plugins, .htaccess, cPanel, or Cloudflare. We will also detail the pros and cons of each method and tool, and offer some tips and best practices on how to block IPs and countries without affecting your user experience or SEO.

Let's get started! 

Why Block IPs

When publishing a website, you’ll want to maximize the engagement of visitors with the content, and an increase in traffic to your site would certainly help. Therefore, blocking IPs, countries, or regions might seem counterintuitive at first – but it can be beneficial for your website. Here are some of the reasons:

  • Blocking IPs can help you protect your website from specific threats or attacks that originate from certain IP addresses, such as brute force, DDoS, or phishing. For example, if you notice that a large number of failed login attempts are coming from a single IP address, you can block that IP address to prevent further attempts and secure your website.
  • Blocking countries or regions can help you reduce the bandwidth costs or server load of your website by filtering out unwanted visitors based on their location. For example, if you have a website that is only relevant for a specific country or region, you can block the rest of the world to save resources and improve performance for those users in targeted locations.
  • Blocking countries or regions can also help you comply with legal regulations, avoid censorship or sanctions, target specific markets or audiences, or prevent spam or fraud. For example, if you have a website that sells products or services that are not allowed or available in certain countries or regions, you can block those countries or regions to avoid legal issues or customer complaints.

Challenges with Blocking IPs

Blocking IPs, countries, or regions is not a security measure, but rather a performance optimization or a business decision.

One of the drawbacks and limitations of blocking IPs is that it can result in false positives, meaning that you might block legitimate visitors or bots by mistake. For example, if you block China’s country code (CN), you might also block visitors from Hong Kong (HK) or Taiwan (TW).

You need to rely on accurate and updated information to identify the IP addresses and their locations. This can be difficult and costly if you use third-party services or databases that may have errors or discrepancies.

You need to consider the impact of blocking IPs, countries, or regions on your SEO (search engine optimization) and user experience. This can affect your ranking and traffic if you block search engines or potential customers from accessing your website.

False positives can also happen if you block an IP range that includes other users or services that you want to allow on your website, such as search engines, social media platforms, or email providers.

Another limitation of blocking IPs is that this approach can be easily bypassed by hackers or malicious actors who use dynamic IPs, VPNs, proxies, or TOR.

These techniques allow them to change their IP addresses frequently, or hide their true IP addresses behind another IP address. This makes it difficult and impractical to block them based on their IPs alone.

This is why blocking IPs, countries, or regions cannot be thought of as a security measure, but only as either a performance optimization or a business decision.

You should not rely on blocking IPs, countries, or regions as a substitute for proper security practices, such as updating your WordPress core, plugins, and themes, using strong passwords and two-factor authentication, installing a security plugin or firewall, and backing up your website regularly.

How To Block IPs From Accessing Your WordPress Site

In this section, we’ll provide a step-by-step guide on how to block IPs from accessing a WordPress website using several different methods and tools. We will also compare and contrast the pros and cons of each method and tool.

Using .htaccess (Advanced)

One of the methods you can use to block countries or regions from accessing your WordPress website is using the .htaccess file, which is a configuration file that controls the behavior of the Apache web server. You can edit the .htaccess file in the root directory of your WordPress website using a text editor or an FTP client.

To block countries or regions using .htaccess, you need to use Apache directives, such as Deny or Require, to specify which IP addresses are allowed or denied access to your website. You also need to use the IP addresses or masks of the visitors that you want to block or allow.

Here are some examples of how to block IPs using .htaccess rules based on their IP addresses or masks:

  • To block a single IP address, use the following syntax:
    Deny from <IP address>
    For example, to block 192.168.1.1, use:
    Deny from 192.168.1.1
  • To block multiple IP addresses, use the following syntax:
    Deny from <IP address 1> <IP address 2> ...
    For example, to block 192.168.1.1 and 192.168.1.2, use:
    Deny from 192.168.1.1 192.168.1.2
  • To block an IP range, use the following syntax:
    Deny from <IP address>/<CIDR notation>
    The CIDR notation is a number that represents how many bits of the IP address are fixed and how many are variable. For example, /24 means that the first 24 bits of the IP address are fixed, and the last 8 bits are variable.
    For example, to block all IPs from 192.168.1.0 to 192.168.1.255, use:
    Deny from 192.168.1.0/24
  • To block a partial IP address (the first one to three octets), use the following syntax:
    Deny from <partial IP address>
    A partial address matches every IP that begins with those octets; Apache does not accept wildcard characters such as * in this position.
    For example, to block all IPs that start with 192.168, use:
    Deny from 192.168
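The Apache address forms above, as an added Python example (not from the article or from Apache): it parses the Deny from lines of a constructed .htaccess snippet, reports which client addresses each form catches, and counts how many addresses a single rule spans, which is where the false positives discussed later come from. Apache accepts no wildcard form here, so the evaluator rejects a rule like 192.168.*.*; note also that on Apache 2.4 Deny from only works with mod_access_compat loaded, the native form being Require not ip. The snippet and client addresses are constructed from documentation ranges.

```python
import ipaddress

# Constructed .htaccess snippet using the rule forms from the article
# (single IP, several IPs, a CIDR range, and a partial address).
SAMPLE_HTACCESS = """\
Order Allow,Deny
Allow from all
Deny from 192.168.1.1
Deny from 203.0.113.10 203.0.113.11
Deny from 198.51.100.0/24
Deny from 192.168
"""


def parse_deny_rules(htaccess_text: str) -> list[str]:
    """Collect every address argument from the `Deny from` lines of a snippet."""
    rules = []
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("deny from "):
            rules.extend(line.split()[2:])
    return rules


def parse_rule(rule: str):
    """Normalize one Deny-from argument into (kind, value).

    Accepts the IP-based forms Apache understands: `all`, a full IPv4 address,
    a partial address (1-3 leading octets) and network/CIDR or network/netmask.
    Anything else, including wildcards such as 192.168.*.*, raises ValueError.
    Hostname arguments are out of scope for this example.
    """
    if rule.lower() == "all":
        return ("all", None)
    if "/" in rule:
        return ("net", ipaddress.ip_network(rule, strict=False))
    octets = rule.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"unsupported Deny from argument: {rule!r}")
    if len(octets) == 4:
        return ("exact", ipaddress.ip_address(rule))
    return ("partial", octets)


def rule_is_valid(rule: str) -> bool:
    try:
        parse_rule(rule)
        return True
    except ValueError:
        return False


def rule_covers(rule: str, client_ip: str) -> bool:
    """Would this one rule deny the given client address?"""
    kind, value = parse_rule(rule)
    ip = ipaddress.ip_address(client_ip)
    if kind == "all":
        return True
    if kind == "net":
        return ip in value          # False for an IPv6 client against an IPv4 network
    if ip.version != 4:
        return False                # exact and partial forms here are IPv4 only
    if kind == "exact":
        return ip == value
    return str(ip).split(".")[: len(value)] == value   # compare leading octets only


def rule_size(rule: str) -> int:
    """Number of IPv4 addresses one rule covers; big numbers mean collateral blocking."""
    kind, value = parse_rule(rule)
    if kind == "all":
        return 2 ** 32
    if kind == "net":
        return value.num_addresses
    if kind == "exact":
        return 1
    return 256 ** (4 - len(value))


def blocked_clients(htaccess_text: str, client_ips: list[str]) -> list[str]:
    """Return the subset of client_ips that the snippet's Deny rules would reject."""
    rules = parse_deny_rules(htaccess_text)
    return [ip for ip in client_ips if any(rule_covers(r, ip) for r in rules)]


if __name__ == "__main__":
    clients = ["192.168.1.1", "192.168.200.7", "198.51.100.200",
               "203.0.113.11", "203.0.113.12", "2001:db8::1"]
    print(blocked_clients(SAMPLE_HTACCESS, clients))
    for r in parse_deny_rules(SAMPLE_HTACCESS):
        print(f"{r:<18} covers {rule_size(r)} addresses")
```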

Using Cloudflare

Another method to block countries or regions from accessing your WordPress website is by using Cloudflare. Cloudflare provides a firewall that can improve your website speed, security, and performance.

To use Cloudflare to block countries or regions, you need to sign up for a Cloudflare account and add your website as a site.

You also need to change your domain name servers (DNS) to point to Cloudflare’s servers. This will allow Cloudflare to serve your website content from its global network of servers and apply its firewall rules to your website traffic.

Here are instructions on how to do this:

  1. In the Cloudflare dashboard, click on the Firewall tab and then click on the Firewall Rules subtab. In the Firewall Rules page, click on the “Create a Firewall Rule” button.
  2. On the Create a Firewall Rule page, enter a name for your rule and then choose the condition and action for your rule. You can use the following fields to block countries or regions:
    • Country: This field allows you to block or allow visitors based on their country of origin. You can enter the ISO code or name of the country that you want to block or allow. For example, to block China, you can enter either “CN” or “China”.
    • IP Reputation: This field allows you to block or allow visitors based on their IP reputation score. The IP reputation score is a number between 0 and 100 that indicates how likely an IP address is to be malicious or abusive. The lower the score, the higher the risk. For example, to block visitors with a high-risk score, you can enter less than 10.
    • Action: This field allows you to choose what action to take when the condition is met. You can choose from several actions, such as Block, Challenge, Allow, Bypass, or Log. For example, to block visitors who match the condition, you can choose Block.
  3. Click on the “Deploy” button to save and activate your rule, after which you will see a confirmation message that your rule has been deployed. To view or edit your firewall rules, go back to the Firewall Rules page. You will see a list of your firewall rules, along with their names, conditions, actions, statuses, and hit counts. You can then click on the Edit icon next to any rule to modify it.

However, this method might not be feasible if you are already using another CDN or if you don’t want to serve your website using Cloudflare. Using another CDN might cause conflicts or compatibility issues with Cloudflare’s features and settings. Therefore, you should carefully weigh the pros and cons of using Cloudflare before deciding to use it to block IPs, countries, or regions from accessing your WordPress website.

Final Thoughts

We hope you’ve found this tutorial helpful and are now armed with everything from the benefits of blocking IPs and countries – along with a few different methods to implement these measures, depending on what you’re comfortable with and your preferred setup. 

If you have any questions for us, feel free to reach out to our team using the chat widget accessible in the bottom right-hand corner of any page of our website. We’re here to help. 🤝

While you’re here – seeing as there is a good chance you’re interested in the security of your WordPress website – for more on WordPress security, read our complete guide to WordPress security here. In summary: 

No website will ever be 100% secure. For starters, there are ~ 60,000 plugins available on the WordPress plugin repository – a few of which actively audit their codebase for potential security issues. And this is why we built Patchstack

Automated web application protection for site owners, developers, and agencies. 

Most people in WordPress either: 

  • Passively worry about their site (and whether they’re taking precautions)
  • Don’t worry and take little precautions (and are the most at risk)
  • Spend more time than they should manually securing their sites (often enterprise companies that do code reviews all manually)

Fortunately, thanks to Patchstack, you don't have to be any of these, with:

  • Notifications for new security vulnerabilities
  • Automated protection with vPatches and security hardening
  • Remotely managed software and updates with automation
  • And much, much more

Case Study: When Your Premium WordPress Theme Is More Than You Bargained For
https://patchstack.com/articles/premium-wordpress-theme-security-risk-case-study/
Fri, 06 Oct 2023 07:08:09 +0000

UPDATE: We want to thank ThemeForest for reacting swiftly to our report, and for removing the vulnerable premium theme mentioned here from their marketplace.

Recently a friend of mine asked me to set up a WordPress site for her using a premium WordPress theme she had bought - I quickly found the theme came with some severe security issues right out of the box.

Using that example, this article will dive into the risk of pre-made bundled themes. Such themes may hide serious security vulnerabilities within them that won't be obvious to the casual user.

Many people who want to build a website, but are not developers or designers look into pre-made themes, which are being sold in different marketplaces. Such themes are often very specifically designed for a single purpose, such as a design for a bakery, festival, news site, etc. They require only the basic setup and copy changes to get a live page going.

Unfortunately, these pre-made themes often come with a hidden risk. Given that the customers of such pre-made themes are less technical than the average WordPress user, it’s safe to assume the majority of them are not aware of any risk at all.

We'll dive into the case study in a bit, but first, some context.

Background: the problematic practice of bundling plugins with themes

This problem has existed in the WordPress ecosystem since the concept of premium themes was born. Back in the day, WordPress themes were a big business - you didn't have drag-and-drop page builders (like Elementor) that make it easy to put together a well-designed website.

Back then, you either had to dive into HTML/CSS and build your own theme, or you purchased a theme from someone who knew how to build one. Buying a pre-made theme was considered the cheapest option to get a site running.

Exactly like you would install plugins today to add forms or incorporate a fancy slider - the developers back then also used different plugins to complete the design and functionality of the theme they were selling.

The Great Revolution Slider Hack of 2014

Most of the themes come with additional functionality that completes the design. A good example of a design functionality is slider plugins (e.g. Revolution Slider) - but you also need other functionality such as forms, SEO performance modifications, and so on.

Many premium themes relied (and still do) on a plugin called Revolution Slider (A.K.A. RevSlider) which gives a lot of cool functionality to help design the main hero slider element for your website.

In 2014, hackers found an LFI (local file inclusion) vulnerability in the Revolution Slider plugin, which allowed any unauthenticated user to download the site's wp-config.php file, which was then used to exploit a second vulnerability in the Revolution Slider plugin to upload a backdoor and gain full control over the website.

This resulted in a mass-exploitation campaign, where hackers automated attacks against every website they found online (regardless if they used Revolution Slider or not) to gain backdoor access to as many websites possible.

Even though it was impossible to get a clear picture of how many websites had the Revolution Slider plugin installed, the security community quickly realized the scale of the issue by looking at the premium themes being sold where Revolution Slider was being preinstalled.

Hundreds of thousands of websites were hacked, and Envato eventually made a statement confirming over 1,000 premium themes had Revolution Slider bundled in. Since the incident, Envato has also improved its guidelines which now prohibit theme developers from bundling plugins.

Case study: How to get hacked out of the box

This entire article was inspired by a personal experience that happened in early September 2023. A friend who was about to set up a WordPress site had chosen a theme that was purpose-built for an event she was hosting.

I was asked to help set up the WordPress site and install the premium theme that had already been purchased. The theme itself looked very promising and was even marked as “recently updated” in ThemeForest.

After installing the theme .zip file I was presented with an error, asking me to install the required plugins. Like so:

The theme installation process sent me to an “Install Required Plugins” page, where you need to install the plugins that are required for the theme to work. It asked me to install 8 plugins in total - 4 from the official WordPress.org plugin repository, and the other 4 were pre-packaged.

After all of the required plugins were activated, I connected the website to Patchstack to check the brand new site for security issues.

Lo and behold, here’s what Patchstack reported back:

Out of the box, the website came with 5 different security vulnerabilities - 3 of which were high-priority issues, and one of them was even known to be actively mass-exploited.

As seen in the screenshot above, the most critical vulnerability that is marked as actively mass-exploited did have a fixed version available. So I checked if I could update the plugins:

Interestingly, there was only one update available. But for starters, I installed that update to check if it fixed any of the vulnerabilities - it did fix some of them.

As for the other plugins, it looked like everything was up-to-date.

Yet, we were still left with 3 other vulnerabilities, including the mass-exploited one.

And this here is a perfect example of one of the biggest security risks in WordPress - a false sense of security from seemingly up-to-date plugins, that in reality may contain unpatched issues.

If you're looking at your admin panel it would appear that your site is nicely up-to-date. Instead, a site in this state would probably be hacked within a week.

On my friend's site, there was nothing I could do with the Cross Site Scripting vulnerability in the Cost Calculator Plugin. Of course, Patchstack had automatically applied a vPatch on it so it couldn’t be exploited, but there was no other way to solve the issue as the plugin had never released a fix for it. In fact, the plugin had even been removed from the WordPress.org plugin repository since January 2023.

The only option we had here was to delete the plugin and hope that the theme would keep working. Even with Patchstack's protection, it's just bad security practice to leave vulnerable plugins running on your site!

Now, to the most serious security issue, which was the Elementor Pro broken access control vulnerability - the one known to be actively mass-exploited. This vulnerability itself was actually fixed by the Elementor team quite a while ago (as was the other remaining vulnerability).

However, the theme was using a very old version of Elementor Pro, and since it didn't come with the actual licence there was no possibility to download a newer, safer version!

The only option was to either delete the Elementor Pro plugin or spend additional money and purchase the Elementor Pro license.

The theme developer did offer a free license to Elementor Pro, but he also stated that “Elementor PRO it is not mandatory for use the theme that you have purchased and you are free to not request it”. So probably most of the customers who have purchased this theme never bothered with the license. Especially because to get it, the theme designer asked for your WordPress admin panel username and password - which you should never share with someone else!

In the end, I purchased the Elementor Pro license for the friend, and we were able to get rid of all of the vulnerabilities on the site - but I doubt this is the case with the majority of the customers (over 2,500 of them) who also bought the same theme.

How to prevent cases like this one?

Before you purchase premium themes, ask the designer which plugins are required for it to work. Also make sure you get the required licenses for all of the required plugins, so you will receive all the important updates. And of course, make sure to keep the plugins updated!

Also, set up vulnerability monitoring in Patchstack and receive real-time alerts when a new vulnerability is found in any of the plugins/themes that you have installed.

You can also turn on protection modules, so the website receives a vPatch for the vulnerability, giving you time to update or choose what to do next, without leaving the website exposed to the hackers.

I also want to thank the Envato team, who reached out to the specific theme developer; the theme has now been removed from the ThemeForest marketplace. The representative from Envato also told us that pre-packaging plugins with themes in such a way is against the guidelines, and that required plugins should only be downloaded from the official WordPress.org plugin directory.

The lack of visibility into premium plugins

Premium plugins and themes often don’t follow the common WordPress best practices. The updating process is often not as straightforward as it is with plugins you install directly from the official WordPress.org plugin repository, and their source code is not open to the public.

Because of this, premium plugins miss out on a big benefit of open-source - namely that anyone can read the code, propose improvements and point out any issues or problems that should be fixed. This is one of the reasons open-source code is usually more secure, as more people have looked into it and potential vulnerabilities get fixed.

This is not the case with premium plugins. Even though most premium plugins are also GPL or dual-licensed, the source code is not made public. This means that it’s much harder to keep an eye on updates for the plugin, and there is no benefit from community-driven security oversight.

Based on our experience as the leading vulnerability processor in the WordPress ecosystem, even today the security vulnerabilities found in premium plugins are much more severe than those in plugins on the official WordPress.org plugin repository.

Stay safe!

How To Limit Login Attempts on WordPress (+ Should You?)
https://patchstack.com/articles/limit-login-attempts-wordpress/
Thu, 28 Sep 2023 15:09:33 +0000

WordPress is (by far) the most popular content management system – and of course, as big advocates ourselves, it’s easy to see why. That said, powering more than 40% of all websites on the internet also means WordPress sites are targeted every day.

But, although they are the target of attempted attacks every single day – most are unsuccessful (so no need to panic), and you can put additional security measures in place on your own sites to lock them down even further.

And that’s what you’re here for today: limiting login attempts on your WordPress website, since one of the most common attack attempts is trying to brute force a site’s login.

And while it goes without saying that having strong passwords reduces the chances of getting hacked, it doesn’t prevent random users (and bots) from trying to log in to your website by trying thousands of leaked passwords and username combinations. 

So, in this article, we’ll cover why you should limit login attempts on your WordPress websites and walk through the different methods available. 

WordPress Default Login Settings

In a standard WordPress installation, the default login attempt settings are relatively permissive. These settings are designed to be user-friendly but are highly likely to pose security risks if left unmodified. 

Here are some of the settings standard WordPress doesn't have, that are nonetheless important to enhance the security of your website:

  1. Unlimited Login Attempts: By default, WordPress allows users to make an unlimited number of login attempts. This means that if an attacker attempts to guess usernames and passwords repeatedly, there are no built-in safeguards to block their access.
  2. No Delay Between Login Attempts: WordPress doesn’t introduce any delays or rate limiting between login attempts. This absence of delay facilitates brute force and dictionary attacks, where attackers can rapidly test multiple username and password combinations.
  3. No Lockout or IP Blocking: In a standard installation, WordPress doesn’t automatically lock out users or block IP addresses after a certain number of failed login attempts. This means that an attacker can keep trying different combinations indefinitely without any automatic countermeasures, restrictions, or penalties.

Understanding the Need for Login Attempt Limits

Limiting login attempts is crucial for WordPress security for several important reasons:

  1. Protection Against Brute Force Attacks: Brute force attacks are among the most common methods used by malicious actors to gain unauthorized access to WordPress websites. In a brute force attack, hackers use automated tools to repeatedly guess usernames and passwords until they find the correct combination. By limiting login attempts, you make it significantly more difficult for attackers to guess the correct login credentials through trial and error.
  2. Preventing Credential Stuffing: Credential stuffing is a type of attack where cybercriminals use username and password combinations obtained from data breaches on other websites to gain access to WordPress sites. By limiting login attempts, you reduce the likelihood of attackers successfully using these stolen credentials to compromise your site.
  3. Mitigating Distributed Denial of Service (DDoS) Attacks: Some DDoS attacks target the login page of a WordPress site by overwhelming it with a massive number of login attempts. By implementing login attempt limits, you can minimize the impact of such attacks and ensure that your site remains accessible to legitimate users.
  4. Protection Against User Enumeration: WordPress typically provides error messages that differ based on whether a username or password is incorrect during a login attempt. Hackers can use this information to determine valid usernames and then focus their attacks on cracking the associated passwords. By limiting login attempts, you reduce the effectiveness of this technique.

Customizing login attempt limits and enhancing security is crucial to address these risks. By implementing appropriate plugins or custom configurations, you can:

  • Set limits on the number of failed login attempts before lockout.
  • Define lockout durations to discourage further attacks.
  • Implement rate limiting to prevent rapid login attempts from the same IP address.
  • Enforce strong password policies.
  • Add two-factor authentication for an extra layer of security.

Customization of these settings not only helps protect your WordPress site from common login-related attacks, but also improves the overall security posture of your website, making it significantly more resilient to unauthorized access attempts.

Methods to Safeguard/Limit Login Attempts

There are different ways that can be used to limit the number of login attempts on WordPress, such as:

#1 - Using a WordPress Plugin

You can enhance the security of your WordPress site by using specialized plugins such as Limit Login Attempts, Limit Login Attempts Reloaded, or iThemes. 

Plugins are a powerful tool for enhancing the security of your WordPress website by mitigating login-related threats without needing to modify site settings.

Many plugins offer a range of features, including IP blocking, performance optimization, and intelligent IP management. However, it’s also important to note that installing any additional plugins inadvertently increases the attack surface.

However, in the past, we have found vulnerabilities in some of the plugins mentioned above (Limit Login Attempts Reloaded and Limit Login Attempts).

These vulnerabilities are few and far between, and on their own they obviously don't suggest that these plugins lack a good reputation or commitment to security. Ultimately, security plugins that run solely on your WordPress site can help with certain things and are super easy to set up, so it is easy to see why they are often a first choice.

Patchstack (hey, that’s us 👋) is powered by the WordPress ecosystem’s most active community of ethical hackers, and is trusted by the leading WordPress experts such as Pagely, Cloudways, GridPane, Plesk, and many others, making it the safest and smartest choice for keeping your WordPress site safe.

Log in to your WordPress dashboard and install the plugin of your choice. 

Once activated, you will be able to set the maximum number of allowed login attempts, lockout duration, and other basic settings.

Screenshot: Limit Login Attempts Reloaded plugin user interface

Depending on the plugin that you choose, you might also be able to enable "Lockout/IP Throttling". Doing this establishes longer lockout intervals each time a hacker or bot unsuccessfully attempts to log in.

It is also advisable to activate "Synchronized Lockouts" in order to share lockout data between multiple domains if you operate more than one WordPress site.

#2 - Use CAPTCHA

You can use a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) or a challenge-response test in WordPress to limit login attempts and enhance security. Although some sophisticated modern AI robots can reliably solve these tests, these require significant resources, and implementing a CAPTCHA on your site will still deter a large number of automated attacks.

When using this approach, you will need to decide which CAPTCHA service you want to use. Popular options include Google reCAPTCHA and hCaptcha. Both are widely supported and effective at distinguishing between human users and automated bots, although hCaptcha is the more secure option out of the two, and the better choice in our opinion. Another alternative is Cloudflare Turnstile, which is different because it doesn't make users solve puzzles to prove they're human.

#3 - Use a firewall

Using a firewall in front of your web application is another way to limit login attempts. For example, Patchstack's default firewall will automatically block suspicious repeated login attempts.

#4 - Monitor Logs

You can also use Fail2Ban to monitor Apache2 logs and block IP addresses that make too many login attempts. Fail2Ban is a powerful tool that scans log files for patterns and takes action against IP addresses that exhibit suspicious behavior. Here's how you can set it up for WordPress login protection:

  1. Install Fail2Ban: This package is not installed by default on most systems. You can install it using the package manager relevant to your server's operating system (e.g., apt-get for Debian/Ubuntu, yum for CentOS/Red Hat).
  2. Create a Custom Fail2Ban Filter: We need to create a custom filter configuration for Fail2Ban to recognize failed login attempts in your Apache2 logs. Make a new configuration file (e.g., wordpress-login.conf) in the /etc/fail2ban/filter.d/ directory. Define the filter rules to match failed login attempts in your Apache2 logs.
# /etc/fail2ban/filter.d/wordpress-login.conf
[Definition]
failregex = ^<HOST> .* "(GET|POST) /wp-login.php.*" 401

This configuration is tailored for the common WordPress login URL (/wp-login.php) and assumes that a failed login attempt results in an HTTP 401 status code. 

  3. Create a Fail2Ban Jail: Next, we will create a Fail2Ban jail configuration to specify how Fail2Ban should handle IP addresses that pass the filter rules. Create or modify the /etc/fail2ban/jail.local file:
[wordpress-login]
enabled = true
filter = wordpress-login
port = http,https
logpath = /var/log/apache2/access.log
maxretry = 3
findtime = 600
bantime = 3600

Here is a brief explanation of each line of the above configuration:

  • enabled: Set to true to enable this jail.
  • filter: References the filter configuration you created earlier.
  • port: Specifies the ports that the ban action blocks for a banned IP address (here http and https).
  • logpath: Specifies the path to the Apache2 access log where login attempts are logged.
  • maxretry: Defines the number of failed login attempts allowed before an IP address is banned.
  • findtime: Sets the time frame (in seconds) within which the maximum number of retries (maxretry) must occur to trigger a ban.
  • bantime: Specifies the duration (in seconds) for which an IP address will be banned.

  4. Restart Fail2Ban: After configuring the jail, restart the Fail2Ban service to apply the changes (for example with systemctl restart fail2ban on a systemd-based system). Before relying on it, confirm that the filter actually matches lines in your log by running fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/wordpress-login.conf, which reports how many lines matched. Fail2Ban will now monitor your Apache2 logs for failed login attempts on the WordPress login page.

#5 - Use wp_login_failed WordPress Hook

The wp_login_failed hook in WordPress is an action hook that triggers when a user's login attempt fails. It allows developers to execute custom code in response to failed login attempts, enabling actions such as logging failed login details or implementing security measures such as IP blocking after a certain number of failures.

Here’s a simple code snippet that demonstrates how to use this hook. We define the block_failed_logins function, which takes two parameters – the username and a WP_Error object containing the error details:

// Define a custom function to block users.
// WordPress passes the WP_Error object as the second argument since version 5.4.
function block_failed_logins($username, $error) {
    // Check if the error message contains a specific keyword or pattern
    if (strpos($error->get_error_message(), 'Your custom error message or pattern here') !== false) {
        // Get the user's IP address (behind a reverse proxy or CDN this is the proxy's address)
        $user_ip = $_SERVER['REMOTE_ADDR'];
        // Block the user by IP address using .htaccess, firewall rules, or your preferred method
        // For demonstration purposes, we'll display a message and exit here
        die('Access denied. Your IP address (' . $user_ip . ') has been blocked due to repeated failed login attempts.');
    }
}
// Hook the custom function to the wp_login_failed action (priority 10, two arguments)
add_action('wp_login_failed', 'block_failed_logins', 10, 2);

Inside the function, you can check the error message (or any other relevant data) to determine when you want to block users. Modify the condition within the “if” statement to match your specific criteria. Note that WordPress core does not count repeated failures itself: the error passed to this hook describes only the current attempt, so the counting has to be done by your own code before you decide to block.

If the condition is met, you can retrieve the user's IP address using $_SERVER['REMOTE_ADDR']. Replace the placeholder with your preferred method of blocking the user, such as adding IP addresses to a blocklist in your server's firewall, using .htaccess rules, or any other method you prefer.

For demonstration purposes, we've included a “die” statement to display a message and then exit when a user is blocked. In a production environment, you would typically perform the actual blocking action here.
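Sections #4 and #5 each leave a gap: stock WordPress produces no 401 for Fail2Ban to match, and the hook snippet has no counter behind it. The following is an added example, not code from the article or from Patchstack, that closes both: it writes one parseable line per failure for a Fail2Ban filter and enforces a transient-based per-IP lockout. The function names, constants and allowlist address are our own assumptions, and it assumes Fail2Ban's logpath points at the log that PHP's error_log() writes to.

```php
<?php
/**
 * Added example (not code from the original article): a per-IP lockout built
 * on wp_login_failed, with counters kept in WordPress transients. Save it as
 * a small plugin or mu-plugin. Constants, function names and the sample
 * allowlist address are our own choices, not anything Patchstack ships.
 */

const PS_EXAMPLE_MAX_FAILURES = 5;    // failures allowed before a lockout
const PS_EXAMPLE_WINDOW       = 900;  // seconds a failure stays counted
const PS_EXAMPLE_LOCKOUT      = 3600; // seconds a lockout lasts

// Trusted addresses that are never locked out (constructed example value).
const PS_EXAMPLE_ALLOWLIST = array('203.0.113.10');

function ps_example_client_ip() {
    // REMOTE_ADDR is the TCP peer. Behind a reverse proxy or CDN that is the
    // proxy, so have the proxy layer set the real client IP rather than
    // trusting X-Forwarded-For here (any client can send that header).
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function ps_example_key($prefix, $ip) {
    // Transient names are length-limited; hashing the IP keeps them short.
    return $prefix . md5($ip);
}

function ps_example_record_failure($username, $error) {
    // $error describes only this attempt; the count below is what WordPress lacks.
    $ip = ps_example_client_ip();
    if (in_array($ip, PS_EXAMPLE_ALLOWLIST, true)) {
        return;
    }

    // One machine-readable line per failure. Stock WordPress answers a failed
    // login with HTTP 200, so this line is what a Fail2Ban filter can match, e.g.
    //   failregex = wp_login_failed: user=\S+ ip=<HOST>
    error_log(sprintf('wp_login_failed: user=%s ip=%s', sanitize_user($username, true), $ip));

    $key   = ps_example_key('ps_fail_', $ip);
    $count = (int) get_transient($key) + 1;
    set_transient($key, $count, PS_EXAMPLE_WINDOW);

    if ($count >= PS_EXAMPLE_MAX_FAILURES) {
        // Attempts made while locked also land here, so they extend the lock.
        set_transient(ps_example_key('ps_lock_', $ip), time(), PS_EXAMPLE_LOCKOUT);
        error_log(sprintf('wp_login_locked: ip=%s failures=%d', $ip, $count));
    }
}
add_action('wp_login_failed', 'ps_example_record_failure', 10, 2);

function ps_example_enforce_lockout($user, $username, $password) {
    // Priority 30 runs after WordPress's own username/password and email
    // checks (priority 20), so a locked-out IP receives this error even when
    // the credentials are correct, and WordPress then fires wp_login_failed.
    $ip = ps_example_client_ip();
    if (get_transient(ps_example_key('ps_lock_', $ip)) !== false) {
        return new WP_Error(
            'ps_example_locked',
            __('Too many failed login attempts from your address. Please try again later.')
        );
    }
    return $user;
}
add_filter('authenticate', 'ps_example_enforce_lockout', 30, 3);

function ps_example_clear_on_success($user_login, $user) {
    // A successful login resets the failure counter for this IP.
    delete_transient(ps_example_key('ps_fail_', ps_example_client_ip()));
}
add_action('wp_login', 'ps_example_clear_on_success', 10, 2);
```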

#6 - Limiting Login Attempts: Best Practices

After implementing the above solutions, work towards implementing the following practices to enhance your user experience:

  1. Whitelisting for IP Protection: Take precautions by whitelisting trusted IP addresses, including your own, to avoid inadvertent lockouts. This ensures that authorized users won't be locked out due to excessive login attempts.
  2. Tailored Error Messages: When users encounter lockout situations, it's crucial to provide clear and helpful error messages. Customize these messages to offer precise instructions on how they can regain access to their accounts. Clear guidance enhances the user experience and reduces frustration during login difficulties.

Testing the Login Attempt Limits

  1. Prepare a Test Environment: Before testing, create a separate test environment that mirrors your live WordPress site. This can be a staging site or a local development environment. Make sure you have access to the WordPress admin dashboard of this test site.
  2. Install and configure the login attempt limiting solution on the WordPress staging site created in the previous step. 
  3. Log in to your test site with valid credentials to confirm that you can still reach the admin dashboard without any issues, then try invalid credentials to confirm that the plugin correctly enforces the login attempt limits you've set.

Note: When attempting to log in using invalid credentials, make sure to use a secondary internet connection so that your primary IP address doesn’t get blocked. For example, if you are working with a WiFi connection on your laptop, use your mobile carrier’s internet connection to log in to WordPress.

  4. Purposefully exceed the maximum allowed login attempts to trigger a lockout. This will help you confirm that the plugin correctly enforces lockout durations.
  5. Review the pertinent logs and notifications to see if they are accurately recording failed login attempts, lockout events, and any notifications sent to administrators.

Additional Security Measures

Complementary security measures play a vital role in enhancing login security for your WordPress website. Here are some key measures to consider:

#1 - Two-Factor Authentication (2FA)

Encourage users, especially administrators and other privileged users, to enable 2FA for their accounts. Implement reliable 2FA methods such as time-based one-time passwords (TOTP) or hardware tokens for added security.

#2 - Regular Software Updates

Keep your WordPress core, themes, and plugins up to date. 

Updates often include security patches that address known vulnerabilities. 

Consider using automated update tools such as Patchstack, which also vPatches vulnerable plugins with remote updates directly applied to your sites for you. 

#3 - User Account Management

Assign appropriate user roles to minimize the number of users with administrative privileges. Keep in mind the "principle of least privilege", and only give users the access they need to do a job (and no more). Regularly review and remove accounts that are no longer necessary, reducing the potential attack surface.

#4 - Educate Users

Promoting robust website security goes beyond technical measures; it also involves educating your website users, with a special focus on administrators, to adopt best practices for online security. By imparting knowledge and awareness, you empower them to play an active role in safeguarding your site's integrity.

Educate your users, particularly administrators who have privileged access, about the dangers of phishing attempts. Train them to identify phishing emails, deceptive websites, and social engineering tactics used by cybercriminals. Provide real-world examples and encourage a cautious approach when encountering suspicious emails or links.

Final Thoughts

Limiting login attempts isn’t just an option – it's a recommended precaution for protecting your WordPress websites. Given how simple it is to do with Patchstack (or with one of the alternative solutions above as a starting point), it is a best practice for all sites, especially those that expect to get (or already get) a good amount of traffic. 

This is a seemingly small yet important step that’s also often the first that many take to secure their WordPress websites. No website will ever be 100% secure. For starters, there are ~60,000 plugins available on the WordPress plugin repository – few of which actively audit their codebase for potential security issues. And this is why we built Patchstack. 

Automated web application protection for site owners, developers, and agencies. 

Most people running WordPress sites either: 

  1. Passively worry about their site (and whether they’re taking precautions)
  2. Don’t worry and take few precautions (and are the most at risk)
  3. Spend more time than they should manually securing their sites (often enterprise companies that do all code reviews manually)

Fortunately, thanks to Patchstack, you don’t have to be in any of these groups, since it gives you: 

  • Notifications for new security vulnerabilities 
  • Automated protection with vPatches and security hardening
  • Remotely managed software and updates with automations

And much, much more. 

For more on WordPress security, read our complete guide to WordPress security here.

We hope you’ve found this tutorial helpful – if you have absolutely any questions for us, feel free to reach out to our team using the chat widget accessible in the bottom right-hand corner of any page of our website. We’re here to help. 🤝

The post How To Limit Login Attempts on WordPress (+ Should You?) appeared first on Patchstack.

How to Secure WordPress Login URL
https://patchstack.com/articles/secure-wordpress-login-url/
Wed, 31 May 2023 15:33:38 +0000

WordPress is the world's most popular content management system, powering millions of websites globally. Its popularity, however, also makes it a prime target for malicious activities, such as brute force attacks, hacking attempts, and unauthorized access. One effective way to enhance the security of your WordPress site is by blocking access to the default login URL. In this article, we will explore the importance of protecting the login directory in WordPress and how it can help safeguard your website.


Why protect the admin login URL

You might ask why you need to protect the login URL if your account is already protected with a password. There are many reasons for that; here are five of them.

1. Protection against brute force attacks

By default, the WordPress login page is accessible straight through the "/wp-admin" or "/wp-login.php" URLs. Attackers are well aware of these default URLs, making it easier for them to launch brute-force attacks by repeatedly attempting to guess your username and password combinations. Protecting the default login URL adds an additional layer of security, as it makes it much harder for attackers to find the correct URL and target your site.

2. Mitigation of automated hacking attempts

Many hacking attempts on WordPress websites are automated, utilizing bots that scan the internet for vulnerable targets. These bots often look for standard login URLs, exploiting known vulnerabilities or weak credentials. By protecting the login URL, you effectively reduce the risk of your website being targeted by these automated hacking attempts, as the bots won't easily locate the login page.

3. Enhanced protection of administrator accounts

The administrator account in WordPress holds the highest level of access and control over your website. Therefore, it is crucial to safeguard it from unauthorized access. Changing the login URL adds an extra layer of defense against malicious actors attempting to gain access to your administrator account. It also reduces the likelihood of targeted attacks against specific accounts by making it more challenging for hackers to locate the login page associated with the administrator account.

4. Improved website performance

Another benefit of changing the login URL is improved website performance. When hackers or bots repeatedly attempt to access the default login URLs, they generate unnecessary traffic and place an additional load on your server resources. This increased traffic can slow down your website and potentially disrupt its normal operation. By protecting the login URL, you can mitigate this issue, reducing the strain on your server and improving the overall performance of your WordPress site.

5. Prevention of unauthorized user enumeration

Default login URLs in WordPress can enable unauthorized users to easily enumerate valid usernames associated with a website. By simply accessing the default login page, they can attempt to log in with various usernames and identify valid ones by the system's response. Protecting the login URL effectively eliminates this vulnerability, making it harder for potential attackers to gather information about valid usernames on your site.

How most plugins protect the login URL

There's a common issue with plugins that claim to protect the login URL by allowing you to change it easily. The problem is that these modified URLs can still get leaked quite easily.

In WordPress, the login URL is displayed in multiple places, making it vulnerable to exposure. It's no surprise that the hacking scripts still find a way to the login page.

How Patchstack protects the WordPress login URL

Patchstack is an amazing tool that can help you safeguard your default login URL by blocking all traffic to the /wp-admin URL. But if you want to access your site from a specific IP, you can simply whitelist it by visiting the secret login URL that you provided on the Login Protection page.

In addition to login protection, Patchstack protects your websites 24/7 from all the attacks targeted at WordPress specifically. We use a technology called vPatching in addition to custom hardening rules to protect your WordPress applications.

Getting started with Patchstack is a breeze! Create an account and add login protection by following these steps:

  1. Create an account on the Patchstack App and sign up for the Developer plan, then add your domain to the Patchstack App.
  2. Download and install the Patchstack connector plugin onto your WordPress application.
  3. Connect it with the Patchstack App by entering your API key into the plugin.
  4. In the Patchstack App, open your domain and go to Hardening > Login Protection.
  5. Toggle on "Block access to wp-login.php".
  6. Enter your new URL in the corresponding input field and save.
  7. Now when you visit /wp-admin you are blocked, but when you visit the URL you entered, you gain access to wp-admin again.

If you're curious about how our Login Protection feature works, we have a handy article that you can check out. Just follow this link: Login Protection with Patchstack.

Protecting your login directory is essential for WordPress security

The security of your WordPress website should be a top priority. Blocking traffic to the default login URL is a simple yet effective method to enhance the security posture of your site. By implementing this security measure, you can protect your website from brute force attacks, automated hacking attempts, unauthorized access to administrator accounts, and the unnecessary strain on server resources. Ultimately, taking proactive steps to secure your WordPress login page contributes to a more robust and reliable website, providing peace of mind for both website owners and visitors.

Don't hesitate to reach out if you have any questions or need further assistance.
Just type a message to our live chat. We're here to help!

How To Prevent Image Hotlinking in WordPress
https://patchstack.com/articles/prevent-image-hotlinking-in-wordpress/
Mon, 29 May 2023 16:35:22 +0000

Have you ever wondered why some websites display your images without your permission?

Have you ever noticed that your website's speed and performance are affected by other websites linking to your images?

Have you ever worried that your images are being used in ways that you don't approve of?

If you answered ‘yes’ to any of these questions, then you may be a victim of image hotlinking.

Image hotlinking is a practice in which someone uses your images on their website by directly linking to the image URL on your server.

Fortunately, there are some ways to prevent image hotlinking in WordPress and protect your images from unauthorized use. By the end of this article, you will learn how to prevent image hotlinking in WordPress and improve your website's security, performance, and SEO. 

Let's get started!

What is Hotlinking?

When you publish something on the internet, it can be accessed by anyone; this includes the elements of your webpage such as images, videos or audio clips. If you do not have watermarks on your images, then some websites may embed these elements on their site without passing the credit to you.

In simpler terms, it means displaying images, videos, gifs, and other media files on a website by directly linking to the content on the originating server. Hotlinking is also known as inline linking or remote linking.

For example, let’s say you run a WordPress blog with photos of your recent holiday adventures. Someone else likes the photos that you have taken and decides to use them on their own website.

They will do this by directly using the source URL of the image from your website, without downloading and re-uploading the images on their own website. This creates a link that is referred to as “Hotlinking”. 

Now whenever the other website receives traffic on the post with an image hotlinked from your website, it will start costing you server bandwidth, because the images will be served through your hosting.

While it may seem harmless at first, hotlinking can have several adverse effects on your website’s performance and costs. When another website hotlinks to your images, it steals your bandwidth, making your website slower for visitors and increasing your hosting costs (if paying per gigabyte).

Moreover, hotlinking can lead to copyright issues and negatively impact your search engine optimization (SEO) ranking.

If you suspect that less reputable sites are hotlinking to your content, then you should consider disabling the ability to hotlink to your website entirely.

Why You Should Prevent Others from Hotlinking to Your Site

There are four main reasons why you should be concerned when someone hotlinks to your website.

#1 - Increased Bandwidth Usage

One of the main reasons to prevent hotlinking in WordPress is to avoid overuse and misuse of your server bandwidth. Bandwidth is the amount of data that your server can transfer to and from your website visitors. Every time someone visits your website or views your images, your server consumes some bandwidth.

If someone hotlinks your images, they are essentially stealing your bandwidth. Every time their website loads, your server has to send the image data to their visitors. This can increase your bandwidth consumption significantly, especially if the hotlinked images are large or popular.

If you exceed your bandwidth limit, you may face consequences from your hosting provider. The exact consequences will vary depending upon your contract, but you can expect the following:

  • Extra charges for bandwidth overages.
  • Suspension or termination of your hosting account.
  • Degradation of your hosting service quality.

#2 - Degraded Performance

Another reason to prevent hotlinking in WordPress is to improve your website performance. Performance is the measure of how fast and responsive your website is. It affects various aspects of your website, such as user experience, conversion rate, and SEO ranking.

If someone hotlinks your images, they are not only consuming your bandwidth, but also increasing your server load. Server load is the amount of work that your server has to do to process requests and deliver responses. The more requests your server receives, the more load it has to handle.

If your server receives too many requests for hotlinked images, it may slow down or crash. This can affect the performance of your website and make it less accessible and reliable for your visitors.

#3 - Copyright

A third reason to prevent hotlinking in WordPress is to protect your intellectual property rights. When you create something, such as images, videos, music, etc., you have control over how your creations are used and distributed by others.

If someone hotlinks your images, they are using them without your permission or credit. This can violate your intellectual property rights and cause legal issues. For example:

  • You may have bought or licensed your images from marketplaces or creators and have limited rights to use them on your website. If someone else hotlinks them on their website, they may breach the terms of the license and expose you to liability.
  • You may have created or edited your images yourself and have exclusive rights to use them on your website. If someone else hotlinks them on their website, they may infringe on your copyright and damage your reputation.

#4 - SEO

A fourth reason to prevent hotlinking in WordPress is to optimize your SEO rankings. SEO (search engine optimization) is the process of improving the visibility of your website in search engines, such as Google or Bing. It helps you attract more organic traffic and potential customers to your website.

If someone hotlinks your images, they may affect your SEO in several ways. For example:

  • They may reduce the visibility of your images in Google Images or other image search engines. If Google values their website more than yours, it may display their website instead of yours when someone searches for the images.
  • They may create duplication issues for both websites. If Google finds the same images on multiple websites, it may consider them as duplicate content and penalize both websites for low quality or relevance.

How to Prevent Hotlinking in WordPress

There are three methods to prevent hotlinking in WordPress websites. Let’s take a look at each one.

Method 1: Configuring Apache (.htaccess) or Nginx 

Editing .htaccess on Apache

The .htaccess file is a configuration file that allows you to control various aspects of your web server, such as redirects, security, and caching. You can use it to disable image hotlinking by adding some code that will block requests for your images from other domains if your WordPress website’s hosting uses an Apache server.

To do this, you will need to access your .htaccess file using an FTP client or a file manager in your hosting control panel. Then add the following lines of code in your .htaccess file, which is usually found in the public_html folder.

Before you make the edits, it is advisable to make a backup of the file.

# Prevent image hotlinking in WordPress
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourwebsite\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?facebook\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?twitter\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?other-websites-if-any\.com(/|$) [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [F]

Here’s what the rule does:

  • The first RewriteCond line checks that the HTTP Referer header is not empty, so direct requests that carry no referer are still served.
  • The next few lines check that the HTTP Referer header does not match the allowed domains. In this case, the domains that are allowed to hotlink your images are yourwebsite.com, google.com, facebook.com, twitter.com, and other-websites-if-any.com. The [NC] flag makes the condition case-insensitive.
  • The RewriteRule line specifies the types of files that should be blocked from hotlinking. In this case, it’s .jpg, .jpeg, .png, and .gif files. The - target leaves the URL unchanged, and the [F] flag returns a 403 Forbidden response to the client when all the conditions are met.

So, any requests for hotlinked images from domains other than the ones specified will be blocked with a 403 Forbidden error. If you want to display a custom image instead of a blank or broken image when someone tries to hotlink your images, you can modify the code as follows:

# Disable image hotlinking and display custom image
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?example\.com(/|$) [NC]
# Never rewrite the placeholder image itself, otherwise the redirect loops
RewriteCond %{REQUEST_URI} !/hotlink-image\.jpg$ [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ http://example.com/hotlink-image.jpg [NC,R,L]

This code will redirect the request to a custom image that you have uploaded to your server. You will need to replace http://example.com/hotlink-image.jpg with the URL of your custom image. You can use any image that you want, such as a logo, a watermark, or a message that says “Stop stealing my images”.

Writing Custom Nginx Config Rules for Blocking Hotlinking

If you are using an Nginx-based server, then you will need to add the following rules in the config file to block hotlinking.

location ~ \.(gif|png|jpeg|jpg|svg)$ {
    valid_referers none blocked ~\.google\. ~\.bing\. ~\.yandex\. ~\.yahoo\. mydomain.com *.mydomain.com;
    if ($invalid_referer) {
        return 403;
    }
}

Here’s how the above code works:

  • The location block matches any requests for files with the extensions gif, png, jpeg, jpg, or svg.
  • The valid_referers directive lists the referers that are allowed. ‘none’ allows requests with no Referer header at all (direct visits, typed URLs), ‘blocked’ allows requests whose Referer was stripped or masked by a firewall or proxy, the ‘~’ entries are regular expressions that allow the listed search engines, and mydomain.com and *.mydomain.com allow requests from your own domain and its subdomains; replace mydomain.com with your own domain.
  • The if statement checks if the referer is invalid. If the request comes from an invalid referer, the server responds with a 403 Forbidden status code.

This rule prevents other websites from displaying your images directly by hotlinking them. It is a good way to protect your image resources and prevent other websites from using your website’s bandwidth, which can affect your website’s speed and performance.

If you want to display a custom image instead, you can use the following code snippet.

# Serve the placeholder image itself regardless of referer, so the rewrite below cannot loop
location = /path/to/generic/image.jpg {
}

location ~* \.(jpg|jpeg|png|gif|bmp|ico)$ {
    valid_referers none blocked example.com www.example.com;
    if ($invalid_referer) {
        rewrite ^ /path/to/generic/image.jpg last;
    }
}

In this example, the rules apply to all images with the specified extensions. The if block checks whether the Referer header is invalid and, if so, rewrites the request to the generic image. You need to create that image and place it under your web root at the path used in the rewrite (/path/to/generic/image.jpg here). 

Method 2: Using Cloudflare to Block Site Scraping

Many WordPress website creators use Cloudflare as a CDN (Content Delivery Network) service to enhance their site’s speed, performance, and security. Cloudflare also has a feature that can help you prevent image hotlinking in WordPress.

One little-known feature of Cloudflare is to use it to disallow hotlinking on your website. Once you have configured Cloudflare on your WordPress website, you can disable hotlinking under the option called “Scrape Shield”.

By default, enabling this rule will block all hotlinks from all search engines and websites other than your own. You can customize the rules by following the guidelines in Cloudflare documentation.


Method 3: Add Watermarks

Another way to protect your images from hotlinking is to watermark them with your logo. A watermark is a visible (or invisible) mark that identifies the owner or creator of an image. By adding a watermark to your images, you can make it harder for people to use your content without your permission.

By watermarking your images with your logo, you can de-incentivize image hotlinking and protect your intellectual property rights. This has the additional benefit of increasing your brand awareness and recognition by displaying your logo on your images.

You can watermark your photos for free by using tools such as Watermarkly, Make Watermark, or Visual Watermark. Alternatively, the WordPress plugin Image Watermark allows you to automatically watermark any images uploaded to WordPress, and bulk watermark any images that have already been uploaded.

Final Thoughts: Prevent Hotlinking in WordPress

Hotlinking affects many websites that include images and videos. In this tutorial, we have shown you how to prevent hotlinking using three different methods. These methods are simple and effective ways to stop other websites from stealing your images and videos.

However, you should also make sure that you allow search engines and social media sites to use your images and videos. If you block them, you may hurt your SEO ranking and social media presence.

Patchstack is a cloud-based security platform that helps you protect your WordPress sites from hackers and malware. Patchstack scans your sites for vulnerabilities, monitors your site activity, and alerts you of any suspicious behavior. 

If you want to keep your WordPress sites safe and secure, you should sign up for Patchstack today. Patchstack offers a free plan that notifies you 48 hours before a vulnerability is disclosed, giving you ample time to secure your website against attacks. 

Start using Patchstack today for free and see the difference for yourself.

How to Install SSL Certificate on WordPress
https://patchstack.com/articles/how-to-install-ssl-certificate-on-wordpress/
Thu, 18 May 2023 10:54:13 +0000

This tutorial will cover everything you need to know about SSL certificates and explains how to install an SSL certificate on WordPress. It also includes troubleshooting common issues and managing renewals.

Let's dive in, install an SSL certificate on WordPress, and make your website more secure!

The topic of WordPress security is vast, and there are many security features available to harden your WordPress website. One of them is installing an SSL certificate on WordPress websites. SSL certificates enable your website to use the HTTPS protocol, which encrypts and protects any data exchanged between website visitors and servers. 


What is an SSL certificate?

Before we get started with the installation process, let's understand what an SSL certificate is.

An SSL (Secure Sockets Layer) certificate is a digital certificate that enables the use of HTTPS (Hypertext Transfer Protocol Secure). The protocol in use today is TLS (Transport Layer Security), the successor of SSL, but the certificates are still commonly called SSL certificates. The SSL certificate serves as a digital "passport" that authenticates the identity of the website and encrypts the data exchanged between the website and its visitors.

The primary purpose of an SSL certificate is to protect sensitive information shared on websites, such as login credentials, credit card details, personal information, and other confidential data. Without SSL encryption, this information could be intercepted and accessed by malicious third parties.

An SSL certificate provides several key benefits:

Data Encryption: SSL certificates use encryption algorithms to scramble data, making it unreadable to anyone without the decryption key. This ensures that sensitive information remains secure during transmission.

Authentication: SSL certificates verify the authenticity of the website, assuring visitors that they are communicating with the legitimate owner of the site. This helps prevent phishing attacks and instills trust in users.

Trust and Credibility: Websites with SSL certificates display visual trust indicators, such as a padlock icon in the browser's address bar or a green address bar, depending on the type of certificate. These indicators signal to users that the website has taken measures to secure their data and enhance the website's credibility.

SEO Benefits: Search engines prioritize secure websites in their rankings. Having an SSL certificate can positively impact your website's visibility and search engine optimization efforts.

Types of SSL certificates

There are various types of SSL certificates available, both paid and free. We'll discuss their differences and help you choose the right SSL certificate for your WordPress website.

Domain-validated (DV) SSL certificates

Domain-validated SSL certificates are the most basic type of SSL certificates and are suitable for small websites, personal blogs, or startups.

To obtain a DV certificate, the certificate authority (CA) verifies the domain ownership by emailing the domain owner or checking a specific DNS record. DV certificates are typically issued quickly and are a cost-effective option for establishing basic encryption on a website.

Organization-validated (OV) SSL certificates

Organization-validated SSL certificates provide a higher validation level than DV certificates.

In addition to verifying domain ownership, the CA performs a manual verification process to confirm the organization's identity. This involves validating the organization's legal existence, physical address, and telephone number. OV certificates display the verified organization's details in the certificate information, providing visitors with additional trust and assurance.

Extended Validation (EV) SSL certificates

Extended Validation SSL certificates offer the highest level of validation and are often used by e-commerce websites, financial institutions, and other organizations prioritizing security and customer trust.

The validation process for EV certificates is more rigorous and involves verifying the legal and physical existence of the organization, along with conducting thorough background checks. Websites with EV certificates display the organization's name and address when clicking the padlock.

Wildcard SSL certificates

Wildcard SSL certificates secure a domain and its subdomains with a single certificate. For example, a wildcard certificate issued for "*.example.com" would cover "www.example.com," "blog.example.com," and any other subdomain under "example.com."

This eliminates the need to manage multiple certificates for each subdomain, making it a convenient choice for websites with numerous subdomains.

Multi-Domain SSL certificates

Multi-domain SSL certificates, or Subject Alternative Name (SAN) certificates, can secure multiple domains and subdomains within a single certificate. They are ideal for businesses with multiple websites or hosting providers managing multiple client domains.

With a SAN certificate, you can secure different domain names, such as example.com, example.net, and example.org, using a single certificate.

Free SSL certificates

Let's Encrypt is a well-known provider of free SSL certificates. Its initiative has contributed significantly to the widespread adoption of SSL across the internet, and its certificates are readily available through many hosting providers and server control panels.

Cloudflare provides free SSL certificates, too, and is a popular choice among web developers because of its CDN, WAF, and other features.

When selecting an SSL certificate type, assess your website's specific requirements, your budget, and the level of trust and assurance you want to give your visitors. Each certificate type offers different validation levels, trust indicators, and features.

How to install an SSL certificate on WordPress

The installation process varies depending on where you host your website. Many hosting providers have built-in features that make installing SSL on WordPress websites easy: all you need to do is activate the SSL certificate and install it on the domain you want to secure. In most cases, hosting providers also add the HTTP to HTTPS redirect rules, but if they do not, you can do so manually; we discuss redirect rules later.

Method 1: Installing SSL certificates through Cloudflare

Step 1: Create a Cloudflare account

Head over to Cloudflare’s website and sign up for a free account. Then add the website on which you wish to install SSL.

After adding your website, you will need to select a plan. SSL is included in the free plan as well as in all paid plans. For this tutorial, we will go with the free plan.

Step 2: Change the nameservers

After adding your domain, Cloudflare will ask you to change the nameservers in your hosting account to Cloudflare's nameservers. This routes traffic to Cloudflare's servers first, which then forward it to your hosting server.

You can change the nameservers in your web hosting account by locating its DNS or nameserver settings and editing them.

To learn more about changing the nameservers on your hosting server, we recommend you refer to the hosting provider's official documentation.

Step 3: Installing the SSL

Next, navigate to the SSL/TLS settings. Here you will be presented with a few encryption modes. We recommend "Full", as it encrypts traffic both between your visitor's browser and Cloudflare's servers and between Cloudflare's servers and your hosting server.

That is it. Your website should now be accessible over the HTTPS protocol.

Method 2: Use the hosting provider to install an SSL certificate

You can purchase an SSL certificate from a trusted certificate authority (CA), often offered by your hosting provider. Alternatively, you can use free SSL certificate options like Let's Encrypt.

Some hosting providers also offer built-in SSL features or partnerships with CAs, making the installation process more seamless.

The process of installing the SSL certificate can vary depending on your hosting provider. However, the general steps involve the following:

Step 1: Access your hosting account or control panel

Log in to your hosting account, and locate the SSL or security settings section. This may be labeled as SSL/TLS, Security, or similar.

Step 2: Upload the SSL certificate

Look for an option to upload the SSL certificate files. You'll typically need to provide the certificate file (usually with a .crt extension) and the private key file (often with a .key extension). These files are usually provided by the CA or generated during the SSL certificate issuance process.

Step 3: Complete the installation

Follow the prompts or instructions provided by your hosting provider to complete the SSL certificate installation. This may involve specifying the domain name, confirming the certificate files, and configuring additional settings.

If you have any issues while installing the SSL certificate through the hosting provider's built-in features, you can always ask their support to assist or read the hosting company's official documentation.

Setting up HTTP to HTTPS redirects

Note: Before you begin, ensure you have a recent backup of your WordPress website so that you can easily restore it if anything goes wrong.

After installing the SSL certificate, setting up HTTP to HTTPS redirects is crucial. This ensures that all visitors are automatically redirected to the secure version of your website. The process varies depending on the server type.

Editing the .htaccess file (Apache Servers):

Access your website's files using an FTP client or the file manager provided by your hosting control panel.

Locate the .htaccess file in your website's root directory (public_html). If you can't find it, make sure hidden files are visible.

Open the .htaccess file using a text editor.

Add the following lines to the file, replacing "yourdomain.com" with your actual domain name:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://yourdomain.com/$1 [L,R=301]

Save the changes and upload the modified .htaccess file back to your server.

Settings for Nginx servers

If your website is hosted on an Nginx server, you will need to modify the server configuration file.

Locate the server block for your domain in the Nginx configuration file. This file is usually in the /etc/nginx/sites-available/ directory.

Add the following server block (listening on port 80) to the configuration, replacing "yourdomain.com" with your actual domain name:

server {
    listen 80;
    server_name yourdomain.com;
    return 301 https://yourdomain.com$request_uri;
}

Save the changes and restart the Nginx server for the new configuration to take effect.

SSL Settings for LiteSpeed servers

If your website is hosted on a LiteSpeed server, you can enable HTTP to HTTPS redirects through the LiteSpeed WebAdmin interface or by modifying the server's configuration file. We recommend that you read the official documentation for more details.

Access the LiteSpeed WebAdmin interface provided by your hosting provider and navigate to the virtual host settings for your domain.

Look for the "General" tab or section and find the "Rewrite" option.

Enable the rewrite rules and specify the redirection from HTTP to HTTPS.

Save the changes and restart the LiteSpeed server for the configuration to take effect.

Changing the WordPress site URL

After adding the redirect rules to your web server’s configuration file, you should change the site URL in the WordPress dashboard from HTTP to HTTPS.

Image taken from LiteSpeed documentation.

Verify the SSL certificate installation

After completing the installation and redirects, it is essential to verify that your SSL certificate is installed and working as expected. Perform the following checks to validate your SSL certificate.

1. Checking the SSL certificate installation

Visit your website using the HTTPS protocol (e.g., https://yourdomain.com).

Check if the browser displays the padlock icon or a secure indicator next to the URL.

Click on the padlock or secure indicator to view the certificate details and ensure it matches your website.

2. Verifying HTTPS redirection

Access your website using the HTTP protocol (e.g., http://yourdomain.com).

Ensure that you are automatically redirected to the HTTPS version of your website.

Confirm that the URL in the browser's address bar changes from "http://" to "https://".

3. Running an SSL test for security and compatibility

Use an online SSL testing tool such as the Qualys SSL Labs Server Test (https://www.ssllabs.com/ssltest/) to perform a comprehensive test of your SSL configuration.

These tools provide a detailed report on the security and compatibility of your SSL certificate, the encryption protocols in use, and any potential vulnerabilities or misconfigurations.

Ongoing SSL management and maintenance

Installing an SSL certificate is just the first step. To ensure the continued security of your website, consider the following.

Setting up SSL certificate expiration reminders

SSL certificates have a validity period, typically three months to several years. Keeping track of certificate expirations is crucial to avoid website security disruptions.

Set up reminders or notifications to alert you in advance when the SSL certificate is nearing its expiration date. This can be done through calendar reminders, email notifications, or SSL management tools provided by your hosting provider.

Renewing SSL certificates before they expire

Plan and renew your SSL certificate before it expires to prevent security warnings or service interruptions.

Contact your certificate provider or follow their instructions to renew the SSL certificate. The process may involve generating new certificate files or updating the existing certificate with renewed information.

If you are using Cloudflare or a hosting provider that automatically renews your SSL certificate, then you will not need to renew your certificates manually and install them again.

Fix mixed content issues

Mixed content occurs when your website loads both secure (HTTPS) and insecure (HTTP) content. This triggers the "Not Secure" warning in browsers. To fix mixed content issues, you need to force HTTP to HTTPS redirection.

Plugin Assistance: Use plugins like Really Simple SSL or SSL Insecure Content Fixer to fix mixed content issues on your WordPress site.

These plugins handle the necessary URL rewriting and content modification to load all resources securely.

Manual Fix: If you prefer a manual approach, you can review your website's source code and look for any hardcoded HTTP URLs. Update them to use HTTPS.

Also, check for insecure resources, such as images or external scripts, and update their URLs accordingly.

Update Internal Links and Resources: Review your website's internal links and ensure they use HTTPS. This includes menu links, navigation elements, buttons, and internal URLs within your content. Update them to use the secure HTTPS protocol.
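The checks from the verification section and the mixed-content section above, as an added Python example (not code from the original article): it judges an HTTP response for a correct HTTPS redirect, summarises the certificate a host actually serves, and scans a page for resources still loaded over http://. "yourdomain.com" is a placeholder host and the HTML fragment is constructed.

```python
"""Post-installation checks for a WordPress site just moved to HTTPS.

Added example, not Patchstack's code. It covers the article's checks: the
HTTP to HTTPS redirect, the certificate actually served (chain validity and
days to expiry) and mixed content in a page. "yourdomain.com" is a placeholder.
"""
import datetime
import http.client
import socket
import ssl
from html.parser import HTMLParser
from urllib.parse import urlparse


def judge_redirect(host, path, status, location):
    """Decide whether a response is a correct HTTP to HTTPS redirect.

    The article's .htaccess and Nginx rules give a permanent (301) redirect
    to https:// on the same host that keeps the request path; all three are
    checked so that deep links are not dumped on the home page.
    """
    target = urlparse(location)
    return (status in (301, 308) and target.scheme == "https"
            and target.hostname == host and target.path == path)


def check_redirect(host, port=80, path="/"):
    """Request http://host/path and report status, Location and the verdict."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        status, location = resp.status, resp.getheader("Location", "")
    finally:
        conn.close()
    return {"status": status, "location": location,
            "ok": judge_redirect(host, path, status, location)}


def days_until_expiry(not_after, now=None):
    """Days left given a certificate's notAfter field, e.g. 'Jan  1 00:00:00 2030 GMT'."""
    expires = datetime.datetime.fromtimestamp(
        ssl.cert_time_to_seconds(not_after), tz=datetime.timezone.utc)
    now = now or datetime.datetime.now(datetime.timezone.utc)
    return (expires - now).days


def check_certificate(host, port=443):
    """Open a verified TLS connection and summarise the certificate served.

    create_default_context() validates the chain against the system trust
    store and checks the host name, so a self-signed, expired or mismatched
    certificate raises ssl.SSLCertVerificationError instead of returning.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert, protocol = tls.getpeercert(), tls.version()
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {"protocol": protocol, "subject_alt_names": sans,
            "days_left": days_until_expiry(cert["notAfter"])}


class MixedContentScanner(HTMLParser):
    """Collect sub-resource URLs loaded over plain http://.

    Only attributes that make the browser fetch something count; an
    <a href="http://..."> is navigation, not mixed content.
    """
    FETCH_ATTRS = {"img": ("src",), "script": ("src",), "link": ("href",),
                   "iframe": ("src",), "source": ("src",), "video": ("src", "poster")}

    def __init__(self):
        super().__init__()
        self.insecure = []  # (tag, url) pairs

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in self.FETCH_ATTRS.get(tag, ()) and (value or "").lower().startswith("http://"):
                self.insecure.append((tag, value))


def find_mixed_content(html):
    """Return the (tag, url) pairs in html that would trigger a mixed-content warning."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.insecure


# Constructed page: two hard-coded http:// resources and one plain link.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://yourdomain.com/wp-content/themes/demo/style.css">
<script src="https://yourdomain.com/wp-includes/js/jquery/jquery.min.js"></script>
</head><body>
<img src="/wp-content/uploads/logo.png"><img src="http://yourdomain.com/hero.jpg">
<a href="http://yourdomain.com/about/">About</a>
</body></html>"""
```

Run `check_redirect("yourdomain.com")` and `check_certificate("yourdomain.com")` against a live host; `find_mixed_content(SAMPLE_HTML)` works offline on the constructed page.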

Conclusion about how to install SSL certificate on WordPress

Having an SSL certificate on WordPress installed and properly configured is a must-have security measure for any website that handles sensitive information or engages in e-commerce transactions.

Without an SSL certificate, your website will not be shown in the search results, so ensure you have a properly configured and working website that uses the HTTPS protocol.

How To Perform a WordPress Backup In 3 Simple Methods https://patchstack.com/articles/backup-wordpress-website/ Wed, 10 May 2023 10:47:40 +0000

Making sure your WordPress backups are created correctly and stored safely is one of the top recommendations for WordPress security. Multiple backups allow you to easily restore your website whenever you lose access to it, or it is hacked and taken down.

Backups are even more crucial for high-traffic and complex websites, like eCommerce stores, membership sites, or large publication websites. There are multiple easy ways to create backups of your WordPress website: plugins, services, and hosting companies that provide backups as a built-in feature.

Also, for tips on how to choose a reliable and secure backup service, you can read our comprehensive ranking of the best WordPress backup plugins & services in 2024.

What does WordPress backup mean?

WordPress backups are copies of your website's data, including its files, database, plugins, and themes, created and stored as a precaution against data loss, corruption, or any other type of website-related issue.

Regularly backing up your WordPress website lets you restore it to a previous state if it gets hacked, if your server crashes, if you accidentally delete something important, or if there is a software malfunction. With a backup, you retain your website's data, which protects your online business or personal website.

There are various methods for backing up your WordPress website, including manual backups, automated backups with a WordPress plugin, or a backup service provided by your web hosting company. Regardless of the method you choose, storing your backup files securely is important so they are available in an emergency.

What you need to backup for your WordPress site

To ensure that your WordPress website is fully backed up, you should include the following items in your backup process:

Files: This includes all the files that make up your website, including the WordPress core files, theme files, and plugin files.

Database: Your WordPress database contains all the content of your website, including posts, pages, comments, and user data. It's important to back up your database regularly to ensure you keep all important data.

Media: Any images, videos, or other media files uploaded to your WordPress website should also be included in your backup process.

Plugins and Themes: If you have installed any third-party plugins or themes, including them in your backup process is important. It will ensure you have a copy of all the customizations you've made to your website.

Method#1: Use your web hosting provider to create WordPress backup

Most hosting providers let you create backups of your websites manually or on a schedule. Some managed WordPress hosting providers go as far as creating and storing backups on a third-party server, such as Amazon S3.

The process for backing up your WordPress site will vary depending on your web host. But if you use a hosting server that uses cPanel or Plesk, you can easily find the options in their dashboards. 

You should also talk to your hosting provider to help create a backup policy. Some hosting providers will even help you restore your WordPress website from the backups they have.

If you are managing backups through the hosting provider, here are the steps that you should follow.

Step#1: Accessing the hosting dashboard

Access the management interface of your web host or dashboard. It is typically accessed through your web browser and requires your login credentials.

Look for a section related to backups. Depending on your web host, this may be called "Backups," "Site Backups," or something similar.

Step#2: Creating the backups

Choose to create a backup of your WordPress site. It may be a one-click backup option, or you may need to select specific files and folders to include in your backup.

Set your backup preferences. You can choose the frequency of backups, the location where backups are stored, and the format in which they are saved.

Initiate the backup process. It may take some time, depending on the size of your website and the speed of your web host's servers.

Verify that your backup was successful. Check where your backup was saved to ensure all your website's files and data were included.

Finally, consider backing up any configuration files you have modified, such as the wp-config.php file. These files can contain important settings specific to your website and can be difficult to recreate if lost.

By backing up all of these components, you can be sure that you have a complete backup of your WordPress website and can easily restore it if something goes wrong.

Why you should have WordPress backups in multiple places

While making backups of your WordPress website, it is best to consider where your backups will be saved. 

  1. On the hosting server
  2. On a third-party server
  3. On a cloud storage service

Many hosting companies allow you to create backups directly on the same server your website is hosted on, but if the entire server goes down, you lose access to your backup files as well.

Some hosting companies have more options for creating the backups, like on a third-party server or your cloud storage account, e.g., Google Drive. We recommend that you at least have your backups saved in two separate places, that is, on the local server and a third-party service. 

Restoring from the local backup is the fastest option, but if you lose the server, you can download the backup from your third-party storage and host the site on a new server.

Method#2: Use a WordPress plugin to create backups

Using plugins to create backups works, but it can be slow because it puts load on your server resources, and the chance of a backup failing to complete is higher than when the hosting company creates the backups.

You can find a lot of free backup plugins on the WordPress.org plugin repository. Two of the popular choices are UpdraftPlus and WPVivid. No matter which plugin you use, the method of creating backups is pretty straightforward, as these plugins automate the process of creating backups of your website's files, database, and media files to your designated backup location.

All these plugins guide you through each step, and then you can manually create new backups whenever you want, or you can schedule the backups. 

Plugins like UpdraftPlus and WPVivid allow you to select the destination to save the backup files, be it your Google Drive, DropBox, pCloud, or the local hosting server. 

We are going to use WPVivid to create a backup in this tutorial. 

Step#1: Installing the Plugin

Log in to your website's WordPress dashboard, navigate to Plugins > Add New, search for WPVivid, and install and activate the plugin named "Migration, Backup, Staging – WPvivid".

After installation, navigate to “WPVivid Backup” from your WordPress dashboard's left sidebar. You will see a lot of options that this plugin has to offer.

Step#2: Creating Your First Backup

Creating manual backups with WPVivid is easy with a click of a button. To create one, select the options “WordPress Files + Database” and “Save to local”, and click “Backup Now”. This will create a full website backup inside a folder on your hosting server. 

The plugin will automatically start creating a backup file that is also compressed and will be saved in a folder. The folder location will be mentioned, as highlighted in the screenshot below.

The time to create the backup depends on the size of your website and the server resources. 

Step#3: Scheduling Automatic Backups

If you manage multiple websites or a large website, it is recommended to schedule backups for when your website is less busy than usual. Check Google Analytics or your website's traffic logs to see when traffic is lowest, and schedule the backup for that time.

Creating a backup affects your website's performance, since the backup process uses server resources.

To schedule a backup with WPVivid, navigate to WPVivid Backup > Schedule tab, and select the frequency at which you want to create automated backups. 

Step#4: Restoring From a Backup

To restore a backup, you will first need to have the compressed backup files that WPVivid created. You can easily restore your WordPress website to a previous version by uploading the backup file under the “Backup and Restore” tab or clicking the “Restore” icon. 

That is it: creating, managing, scheduling, and restoring WordPress backups is easy with WPVivid or similar plugins. These plugins save you a lot of time on maintenance tasks and give you an added sense of security.

Method#3: Creating manual WordPress backups

It is good to know how to create backups of your WordPress website manually; this method is useful if you want to back up some files, all files, the database, or both.

Backup WordPress Files Manually: Connect to your website using FTP or File Manager from cPanel or any other hosting control panel. Once connected, download all your WordPress website files to your local computer. It includes your WordPress core files, theme files, plugin files, and any other files that you have customized.

It will take some time to download all the files and folders, depending on your internet connection speed and the hosting provider. 

Backup WordPress Database: Next, you need to create a WordPress database backup. You can do this by logging in to your hosting account and accessing the phpMyAdmin tool. Select your WordPress database, then click the "Export" button. It will export your database as a .sql file.

Save Files and Database Backup: Save both the files and database backup in a secure location on your computer or an external hard drive. A secure storage location for your backups is essential.

By following these steps, you will have a complete WordPress site backup. To restore your website from the backup, upload your WordPress files to your web server and import your database backup using the phpMyAdmin tool.

It's important to note that manually backing up your website can be time-consuming and requires technical knowledge. You can also use a WordPress plugin or a backup service provided by your web host to automate the backup process and simplify the restore process in case of any issues.
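The manual method above, automated as an added Python example (not Patchstack's code): it reads the database credentials from wp-config.php, archives the site tree without cache folders, and dumps the database with mysqldump. Paths are placeholders, and `run_demo()` builds a constructed throwaway site so the file half can be tried without a real install.

```python
"""Manual WordPress backup (site files + database) as a runnable script.

Added example, not Patchstack's code. It automates the article's manual
method: archive the site tree, dump the database with mysqldump using the
credentials from wp-config.php, and put both into a dated folder.
"""
import os
import re
import subprocess
import tarfile
import tempfile
from datetime import datetime, timezone

DB_KEYS = ("DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST")
# Folders that only hold regenerable data and would bloat every archive.
EXCLUDE_DIRS = ("wp-content/cache", "wp-content/upgrade")


def parse_wp_config(text):
    """Read the database settings out of wp-config.php source text."""
    cfg = {}
    for key in DB_KEYS:
        m = re.search(r"define\(\s*['\"]%s['\"]\s*,\s*['\"](.*?)['\"]\s*\)" % key, text)
        if m:
            cfg[key] = m.group(1)
    m = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", text)
    cfg["table_prefix"] = m.group(1) if m else "wp_"
    return cfg


def backup_files(site_root, archive_path, exclude_dirs=EXCLUDE_DIRS):
    """Write a .tar.gz of the whole site tree (core, wp-content, wp-config.php)
    and return the archived paths so the caller can verify what went in."""
    members = []

    def keep(info):
        rel = info.name[2:] if info.name.startswith("./") else info.name
        if any(rel == d or rel.startswith(d + "/") for d in exclude_dirs):
            return None  # dropped from the archive, subtree included
        members.append(rel)
        return info

    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(site_root, arcname=".", filter=keep)
    return members


def mysqldump_command(cfg, dump_path):
    """Build the mysqldump argv; the password is deliberately not on the command line."""
    host, _, port = cfg["DB_HOST"].partition(":")
    cmd = ["mysqldump", "--single-transaction", "--routines", "--triggers",
           "--host", host or "localhost", "--user", cfg["DB_USER"],
           "--result-file", dump_path]
    if port:
        cmd += ["--port", port]
    return cmd + [cfg["DB_NAME"]]


def backup_database(cfg, dump_path):
    """Run mysqldump, passing the password via MYSQL_PWD so it is not visible in ps."""
    env = dict(os.environ, MYSQL_PWD=cfg["DB_PASSWORD"])
    subprocess.run(mysqldump_command(cfg, dump_path), env=env, check=True)


def backup_site(site_root, backup_dir):
    """Full manual backup: files archive plus .sql dump in a timestamped folder."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    target = os.path.join(backup_dir, "wp-backup-" + stamp)  # keep backup_dir outside site_root
    os.makedirs(target, exist_ok=True)
    with open(os.path.join(site_root, "wp-config.php"), encoding="utf-8") as f:
        cfg = parse_wp_config(f.read())
    backup_files(site_root, os.path.join(target, "files.tar.gz"))
    backup_database(cfg, os.path.join(target, cfg["DB_NAME"] + ".sql"))
    return target


# Constructed wp-config.php fragment with the values a real file defines.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wp_demo' );
define( 'DB_USER', 'wp_user' );
define( 'DB_PASSWORD', 'placeholder-password' );
define( "DB_HOST", "localhost:3307" );
$table_prefix = 'wp_';
"""


def run_demo():
    """Build a throwaway site tree, archive it, and return (config, members, archive path)."""
    root = tempfile.mkdtemp(prefix="wp-demo-site-")
    for rel, body in (("wp-config.php", SAMPLE_WP_CONFIG),
                      ("wp-content/uploads/logo.png", "not really a png"),
                      ("wp-content/cache/page.html", "regenerable")):
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w", encoding="utf-8") as f:
            f.write(body)
    archive = os.path.join(tempfile.mkdtemp(prefix="wp-demo-backup-"), "files.tar.gz")
    return parse_wp_config(SAMPLE_WP_CONFIG), backup_files(root, archive), archive
```

On a real install, `backup_site("/var/www/html", "/backups")` (placeholder paths) produces both the archive and the .sql dump; copy the resulting folder off the server, as the article recommends.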

How frequently should you back up WordPress?

You are advised to make regular backups of your WordPress website to prevent data loss in case of any unforeseen issues. The frequency of backups depends on factors such as how often the website changes, the size of the website, and the level of risk associated with data loss.

A general guideline is to take daily backups, but some websites need more. For websites with frequent updates, daily or even hourly backups may be necessary. On the other hand, for websites that are updated infrequently, weekly or monthly backups may suffice.

Additionally, it is advisable to take a backup before making any significant changes to the website, such as updating the WordPress core, themes, or plugins. That ensures you have a recent backup if any issues arise after the update.

In summary, the frequency of backups depends on the individual website's needs and risk tolerance. It's essential to evaluate the website's frequency of changes and potential risks and adjust the backup frequency accordingly.

How to choose a reliable WordPress backup

Choosing a reliable WordPress backup solution is critical to ensuring your website's data is secure and easily recoverable during a disaster. Here are some key factors to consider when selecting a backup solution:

Automatic Backups: Choose a backup solution that offers automatic backups regularly so you don't have to worry about forgetting to do it yourself.

Incremental Backups: A good backup solution should perform incremental backups, meaning it only backs up the changes made since the last backup. This approach reduces backup times and storage requirements.

Backup Frequency: Look for a backup solution that allows you to customize the frequency of backups to match your website's needs. For example, a site with frequent updates may require daily backups, while a less active site may only need weekly or monthly backups.

Backup Location: It's crucial to store your backups securely. Choose a backup solution that stores backups on a remote server, cloud storage, or external device.

Easy Restoration: A reliable backup solution should make it easy to restore your website if something goes wrong. Look for a solution that offers one-click restores or easy-to-follow instructions.

Reputation and Support: Choose a backup solution with a good reputation and responsive support. Look for reviews and customer feedback to ensure you're selecting a trustworthy backup solution.

In summary, consider features such as automatic and incremental backups, customizable backup frequency, secure backup storage, easy restoration options, and the reputation and support of the backup solution when selecting a reliable WordPress backup.

Conclusion

Regular backups of your WordPress website are crucial to ensure that your data is secure and easily recoverable in case of unforeseen issues. When choosing a backup strategy, think about the following elements: automatic and incremental backups, customizable backup frequency, secure backup storage, easy restoration options, and the reputation and support of the backup solution.

By choosing a reliable backup solution and customizing backup frequency to match your website's needs, you can help ensure that your website's data is safe and recoverable. Remember to periodically test your backup and restoration process to ensure it works correctly.

The Complete Guide To WordPress Security https://patchstack.com/articles/the-complete-guide-to-wordpress-security/ Fri, 17 Mar 2023 13:46:41 +0000

The thought of your WordPress site being hacked is terrifying. A single attack can cause system downtime, data loss, and reputational damage – it's a nightmare scenario.

But it doesn't have to be.

At Patchstack, we've seen firsthand the devastating impact of WordPress vulnerabilities. That's why we created this guide: to equip you with the knowledge and strategies to defend against cyber threats.

In this comprehensive WordPress security guide, you will learn:

  1. Why you need to secure your WordPress site.
  2. Why and how WordPress sites get hacked.
  3. Practical ways you can easily improve your WordPress security.

This guide has been written by security experts at Patchstack, a WordPress security company focusing on vulnerabilities as the core security issue.

At Patchstack, we have seen many WordPress websites hacked, taken over, and their private information stolen – all because they overlooked a single vulnerability within their website.

That’s all it takes.

If one loophole in your website is discovered and exploited, you risk losing your digital presence.

WordPress security is a vast topic, as there are many techniques for securing your website and hosting server against malicious attacks.

In this guide, we aim to cover every method there is to secure a WordPress website.

Before we begin, we should mention that it is not necessary to implement every single technique discussed in this article. You can use this guide as a reference to create a security policy for your websites. With that said, the following methods are highly recommended by our team, while others will depend on your use case:

  1. Use a vulnerability management solution (like Patchstack).
  2. Use a web application firewall to block IPs known to exploit sites.
  3. Have multiple website backups.
  4. Keep your WordPress core, theme, and plugins up to date.
  5. Use the latest version of PHP and other server software, such as Apache, LiteSpeed, and Nginx.
  6. Use strong passwords and usernames with two-factor authentication.
  7. Secure your WordPress admin login URL.
  8. Protect SSH access (if applicable).

Why do you need to secure a WordPress website?

You might be under the impression that only big businesses with thousands of customers get hacked and that hackers won’t spend time or effort hacking smaller websites as it is not worth their time…

…but this couldn’t be further from the truth.

In our State of WordPress Security In 2024 report, we highlighted that a large number of cyber-attacks are automated – malicious robots crawl the internet throughout the day looking for vulnerabilities, and they don’t discriminate between big or small businesses.

With so many malicious bots continuously scanning WordPress websites for vulnerabilities, it is vital to invest in website security.

It is essential for agencies and website owners to understand that without a proper security policy, they risk losing their time, investment, data, domain, and much more.

What are the most common WordPress security issues?

As mentioned above, hackers have built bots and scanners that can find and automatically try to hack into your WordPress websites. These bots carry out many types of attacks. One of the most notorious involves brute force attacks on the login page, in which bots keep entering vast numbers of username and password combinations on your website’s login page in the hope of cracking the combination.

Once the bot gains access, it will notify its hacker, who will gain immediate access to your WordPress dashboard to carry out further attacks. Choosing strong, unique passwords will stop these brute-force bots from succeeding. Better yet, consider 2FA.

Another common attack on WordPress websites is a DDoS attack, in which a set of compromised servers or websites try to send vast numbers of requests to a WordPress website to waste the victim website’s server resources and eventually render the website unreachable. The best solution to this kind of attack is blocking the attacking IPs at a network level.

However, the most common attack is gaining access to a WordPress website by exploiting a vulnerability in a theme or plugin.

At Patchstack, we see that most compromised websites had a vulnerable plugin that wasn’t updated as soon as a patch was available. That is why it’s vital to have a vulnerability monitoring service that offers vPatching. This service can help detect issues with the plugins you are using and fix them even before an official patch is released, keeping your website secure and protected at all times.

Why do WordPress sites get hacked?

WordPress is used on millions of websites, so it’s no surprise that many hackers invest their time finding vulnerabilities to access WordPress websites.

WordPress also has a large open-source community that builds plugins, themes, and other scripts to extend WordPress’ functionality. Since thousands of plugins and themes are being built and are continuously updated with new functionalities, there are bound to be vulnerabilities within the code that hackers can use to attack WordPress websites.

To combat these hackers, an active community of security researchers invests its time in finding security loopholes within the WordPress core, plugins, and themes before they are exploited.

At Patchstack, we have always actively encouraged security research. As part of this effort, we established the Patchstack Alliance – a global team of security experts combined with a bug bounty program that encourages further in-depth research into any current WordPress security issues.

Will my site be protected from all the vulnerabilities?

Many people ask us at Patchstack, “Is there a guarantee that my website will be safe?” The answer is no, but you can take security precautions to block the most common attacks. These make it much harder to access your website, and you can secure your data by having backups that you can easily restore if your website does ever get hacked.

The role of the hosting provider in WordPress security

WordPress hosting is big business, and since we trust hosting providers with our digital assets, it only makes sense to know what level of security your WordPress hosting provider has.

There are many types of hosting services, and although it’s beyond the scope of this article to go into detail about each one, there’s one particular aspect to look out for.

If you are using (or considering using) a hosting service that calls itself a specialist WordPress hosting provider or a “Managed WordPress Hosting” provider, then that should be a good indication that your hosting service provides the support, speed, and security needed for WordPress websites.

A good WordPress hosting service should provide some level of security and offer features such as:

  • Timely server software updates.
  • Automated backups.
  • DDoS attack mitigation or easy integration with third-party services. 
  • Secure connections, SSL certificates, and SSH/SFTP access.
  • Using secure hosting networks/servers.
  • Uptime monitors with logs of incoming traffic.
  • Real-time support.

Essential WordPress security practices

Keeping WordPress updated

The best method to avoid vulnerabilities is to have an up-to-date version of all WordPress-related software. This includes WordPress core, themes, plugins, and any other third-party code or scripts that you may be using.

In our blog post about the WordPress Core 6.5.5 security update, we discussed how WordPress websites can be hacked if you are using a vulnerable version. If you are using an older version of WordPress that is no longer supported, you are leaving many backdoors open for attackers to take over the website.

This is also true for plugins and themes. Some websites have a great many plugins installed, and have older theme files on their WordPress websites. It is best to remove unwanted plugins and themes if they are no longer needed (not just to disable them, but to fully uninstall them).

If you have multiple WordPress websites, updating and testing everything on every website can take much of your time. That is why it’s a best practice to use a service that automates checking outdated plugins, themes, and WordPress core and gives you a single dashboard from which you can update all your websites easily. 

Our WordPress security app, Patchstack, provides a central dashboard from where you have complete control over multiple WordPress websites.

Patchstack automatically scans and notifies you immediately if any outdated software version is installed on your WordPress website. You can also turn on the auto-update feature in Patchstack to automatically apply any new updates to the WordPress core, themes, and plugins as soon as they are available.

01 - Our WordPress security app, Patchstack, provides a central dashboard from where you have complete control over multiple WordPress websites

Use complex passwords and usernames

In a previous post, we explained how to protect WordPress against brute-force attacks. We mentioned that using common usernames, such as “admin,” and passwords, such as “drowssap,” will make it much easier for brute-force attacks to succeed.

The "admin" username is a prime target for brute-force attacks because it is the default administrative account in many WordPress installations.

To mitigate this risk, create a new administrator account with a unique username, then delete the original "admin" account.

It is also recommended to use a complex combination of passwords and usernames for each user on your WordPress website to make it more challenging for hackers to attack your site. 

If you’re unsure how to change your WordPress password, you can refer to our guide on how to change (or reset) a WordPress password.

Use the principle of least privilege

Simply using a complex password is not enough to protect your website. To more fully harden your WordPress security, we strongly recommend implementing the principle of least privilege.

The principle of least privilege dictates that users should only have the minimum level of access necessary to perform their tasks.

In WordPress, this means carefully assigning user roles and permissions. Instead of giving everyone administrator access, use editor, author, or contributor roles as appropriate. For plugins that offer additional user roles, review these carefully and assign them judiciously.

Patchstack can assist in this process by monitoring user activities and alerting you to suspicious behavior, such as multiple failed login attempts or unexpected privilege escalations.

02 - Use the principle of least privilege

Harden SSH settings

Secure Shell (SSH) is a critical component for any hosting environment, and improperly configured SSH servers can lead to security breaches. If your hosting provider offers SSH access to your servers, then you are responsible for protecting it.

First, you should always use SSH keys instead of passwords, as SSH keys are significantly more secure and resistant to brute-force attacks. You can generate a strong key pair and disable password authentication on your server without additional charges.

You should also never use the root account for SSH access. Instead, we recommend creating a separate user account with sudo privileges. This adds an extra layer of security by requiring an additional step to perform system-level changes.

We also suggest changing the default SSH port (22) to a non-standard port, which can help reduce automated scanning attempts. However, this is security through obscurity, and should not be relied upon solely.

To further protect your SSH service against brute force attacks, we recommend using an advanced service such as fail2ban. This service monitors log files and automatically blocks IP addresses that show malicious signs, such as multiple failed login attempts.

Force user logout in WordPress

In our guide to forcing user logout in WordPress, we discussed why forcing user logout in WordPress is a powerful security measure – especially when you either suspect unauthorized access or need to implement system-wide changes.

We mentioned that by changing the session tokens, you invalidate all existing sessions, forcing users to log in again. This can be particularly useful after detecting a security breach, updating user roles, or implementing new security policies.

While it is a powerful feature, it's important to use it judiciously, as it can disrupt user activities if used too frequently.

If you want to protect your website, Patchstack's security suite offers additional features that complement this logout functionality. For instance, you can restrict access to the WordPress dashboard to specific IP addresses and only during certain times of the day.

03 - You can restrict access to the WordPress dashboard to specific IP addresses and only during certain times of the day
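The session-token approach described above, as an added example that is not Patchstack's code: a must-use plugin that destroys a user's sessions whenever their role changes, plus a Tools page that lets an administrator log every user out at once. The menu slug and query parameter names are assumptions; rotating the AUTH_KEY/SALT constants in wp-config.php has the same site-wide effect without code.

```php
<?php
/**
 * Plugin Name: Example Forced Logout (added example, not Patchstack code)
 * Drop this file into wp-content/mu-plugins/ to activate it.
 */

// A session issued under the old role must not survive a privilege change,
// whether that change is a promotion or a demotion. Destroy the user's
// sessions on every device; they simply log in again with the new role.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    if ( in_array( $role, (array) $old_roles, true ) ) {
        return; // role unchanged, nothing to invalidate
    }
    WP_Session_Tokens::get_instance( $user_id )->destroy_all();
}, 10, 3 );

// Tools > Force logout: a nonce-protected button for the site-wide case
// (suspected breach, new security policy). Slug "example-force-logout" is assumed.
add_action( 'admin_menu', function () {
    add_management_page( 'Force logout', 'Force logout', 'manage_options', 'example-force-logout', function () {
        $url = wp_nonce_url(
            admin_url( 'tools.php?page=example-force-logout&force_logout_all=1' ),
            'force_logout_all'
        );
        echo '<div class="wrap"><h1>Force logout</h1>';
        echo '<p>Invalidates every session on this site, including your own.</p>';
        echo '<p><a class="button button-primary" href="' . esc_url( $url ) . '">Log out all users now</a></p></div>';
    } );
} );

// Handle the button. admin_init runs before any admin output, so the redirect works.
add_action( 'admin_init', function () {
    if ( empty( $_GET['force_logout_all'] ) || ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // The nonce check stops a crafted link from triggering this via CSRF.
    check_admin_referer( 'force_logout_all' );
    WP_Session_Tokens::destroy_all_for_all_users();
    wp_safe_redirect( wp_login_url() );
    exit;
} );
```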

Security headers

Security headers are a critical yet often overlooked aspect of WordPress security. These HTTP response headers instruct browsers on handling your site's content, significantly enhancing protection against attacks.

Implementing proper security headers can help you defend against cross-site scripting (XSS), clickjacking, and many other common web-based attacks.

Read our previous posts to learn more about various security headers:

  1. How to Avoid Caching Sensitive Information In WordPress
  2. How To Prevent Image Hotlinking in WordPress
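As an added example (not code from Patchstack or the posts linked above), here is a must-use plugin that sends a baseline set of the headers this section refers to: X-Frame-Options and a frame-ancestors Content-Security-Policy against clickjacking, a report-only CSP as a first step against XSS, and HSTS once the site is on HTTPS. The exact values are a starting point to tune per site, not a recommended final policy.

```php
<?php
/**
 * Plugin Name: Example Security Headers (added example, not Patchstack code)
 * Drop this file into wp-content/mu-plugins/. Useful where you cannot edit the
 * web-server configuration; if you can, Apache/Nginx is the better place.
 */
function esh_send_security_headers() {
    if ( headers_sent() ) {
        return; // too late to add headers; nothing to do
    }
    // Clickjacking: only this origin may frame the site. frame-ancestors in the
    // CSP below is the modern equivalent; sending both covers older browsers.
    header( 'X-Frame-Options: SAMEORIGIN' );
    // Stop browsers from "sniffing" a script out of a file served as an image.
    header( 'X-Content-Type-Options: nosniff' );
    // Do not leak full URLs (which may carry tokens) to other origins.
    header( 'Referrer-Policy: strict-origin-when-cross-origin' );
    // Turn off browser features this site does not use.
    header( 'Permissions-Policy: camera=(), microphone=(), geolocation=()' );
    // Only after the whole site is on HTTPS (see the SSL section): pin browsers
    // to HTTPS for a year. Sending this over a mixed site locks visitors out.
    if ( is_ssl() ) {
        header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains' );
    }
    // Enforced part: small and safe for WordPress (no script restrictions yet).
    header( "Content-Security-Policy: frame-ancestors 'self'; base-uri 'self'; object-src 'none'" );
    // Report-Only part: the XSS-relevant directives. WordPress admin and many
    // themes use inline scripts, so start here, watch the browser console and
    // reports, then move directives to the enforced header as they come clean.
    header( "Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:" );
}
// send_headers covers front-end requests only; wp-admin and wp-login.php do
// not pass through it, so hook those entry points as well.
add_action( 'send_headers', 'esh_send_security_headers' );
add_action( 'admin_init', 'esh_send_security_headers' );
add_action( 'login_init', 'esh_send_security_headers' );
```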

Use secure WordPress hosting with updated software

We mentioned earlier that many WordPress hosting providers do offer some level of security for your WordPress websites and hosting servers. One essential security feature that a hosting provider should have is the ability to easily create, schedule, or automate backups and restore your website’s older versions if your site is compromised. 

Some noteworthy WordPress hosting providers that provide good security, along with optimized servers, include:

  • WP Engine
  • Pagely
  • Plesk
  • One.com
  • Hostinger
  • A2Hosting
  • Convesio
  • Gridpane

Note: The above list is not exhaustive, and we recommend that you conduct your own research when choosing a hosting provider that will fulfill your security needs. 

Use an uptime monitor

Some hosting companies do provide a built-in uptime monitoring service. However, installing an independent uptime monitoring service on your website is still a good idea because if your entire hosting provider goes down, the built-in monitoring service won’t notify you about this outage.

It is important to note that if your website is offline, that doesn’t mean it is hacked or under attack. It could be that your hosting server is experiencing an outage. But in any event, it is a good idea to be warned as soon as your website goes down so that you can investigate the cause and take necessary action.

Read our post on how to add uptime monitoring on a WordPress website to learn what it takes to configure an effective monitoring setup.

Change the default WP-login URL

As mentioned, automated bots continuously try to gain access to WordPress websites by conducting brute-force attacks on the /wp-admin or /wp-login.php URLs. Disabling the default login URL and using a custom URL to log in to your WordPress dashboard protects you from many automated attacks. 

It is important to note that you shouldn’t simply redirect your default login URL to a custom URL. Instead, you should restrict access to the /wp-admin and /wp-login.php URLs to protect your website. If you use Patchstack, you can enable this feature under Hardening > Login Protection with only a few clicks. You can read about this feature in our post, "How to Change the Default WordPress Login URL".

Use a vulnerability monitoring service for early detection

Blocking hacking attempts is a vital strategy, but fixing or patching vulnerable software even before the vulnerability is disclosed to the public is an even stronger approach to website security.

Patchstack offers a 48-hour early warning service that continuously monitors WordPress websites for vulnerabilities and notifies you if outdated or vulnerable software is installed. 

The best part is that if your website does have any vulnerabilities, Patchstack notifies you and blocks malicious attacks using its vPatching functionality, even if you haven’t updated it.

Have a solid backup solution

It is highly recommended that you have a multi-tiered backup policy to be better prepared for any potential loss of a website and its data. You should create multiple website backups and store them in multiple locations.

For example, have a backup of your website files and database on your hosting server and an offsite backup on a cloud server or storage service (such as Dropbox, Amazon S3, or Google Drive).

Many hosting providers offer a backup service, but if your provider does not offer this functionality, you can follow the steps described in our post, “How to Back Up a WooCommerce Store”.

If you want recommendations for backup plugins and services, read our post on the best WordPress backup plugins and services in 2024 (ranked by security).

Block brute force attacks and attacking IPs

Brute-force attacks have become a nuisance for WordPress websites, and the only way to prevent them is to block the attacking IP addresses. However, it is almost impossible to block them manually as brute force attacks can come from a large number of IPs.

If you’re using Patchstack, you can block attacking IPs with only a few clicks.

In the Patchstack dashboard, you can manually enter IPs to block them. However, even if you don’t add all IPs manually, Patchstack will automatically block them on your behalf if it detects potential issues such as repeated attacks.

Read more about this functionality in our article, “How to Block IPs, Countries, & Regions for WordPress”.

Limit login attempts

There are many methods to secure the login page of your WordPress websites, but limiting the number of allowed login attempts is a sure way to deny access to automated bots. These bots are not intelligent and only try to guess passwords one at a time – which takes many attempts (at least, in most cases!).

If you are an advanced user, you can set firewall rules on your login page to block anyone who fails to log in after a certain number of attempts.

For example, you can block an IP address if it fails to log in after three attempts. However, you can implement this feature with only a few clicks using Patchstack. Read our post discussing how to limit login attempts on WordPress to learn more.

04 - Set firewall rules on your login page to block anyone who fails to log in after a certain number of attempts
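The "block after three failed attempts" rule described above, implemented in WordPress itself as an added example (not Patchstack's code, and not a substitute for blocking at the firewall): a must-use plugin built on the core `wp_login_failed` and `authenticate` hooks and on transients. The attempt limit and lockout duration are assumed values.

```php
<?php
/**
 * Plugin Name: Example Login Attempt Limiter (added example, not Patchstack code)
 * Drop this file into wp-content/mu-plugins/ to activate it. It needs no
 * database tables: failure counts live in transients keyed by client IP.
 */

const ELL_MAX_ATTEMPTS    = 3;       // failed logins allowed per IP (the article's example)
const ELL_LOCKOUT_SECONDS = 15 * 60; // assumed lockout length

/**
 * Client IP. REMOTE_ADDR is the one value a client cannot forge. If the site
 * sits behind a trusted proxy or CDN, REMOTE_ADDR is the proxy and every
 * visitor shares one counter, so map the proxy's client-IP header here instead.
 */
function ell_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function ell_transient_key( $ip ) {
    // Hash the IP: keeps the transient name short and handles IPv6 safely.
    return 'ell_fail_' . md5( $ip );
}

/**
 * Count a failed login for the current IP. Fires on the core wp_login_failed
 * action, which passes the attempted username (never the password).
 */
function ell_record_failure( $username ) {
    $key      = ell_transient_key( ell_client_ip() );
    $attempts = (int) get_transient( $key );
    // Re-setting the expiry each time extends the window while the attack continues.
    set_transient( $key, $attempts + 1, ELL_LOCKOUT_SECONDS );
}
add_action( 'wp_login_failed', 'ell_record_failure' );

/**
 * Refuse authentication while the IP is locked out. Priority 30 runs after the
 * core username/password check (priority 20), so even a correct password is
 * refused during the lockout. This also covers XML-RPC and REST logins, which
 * go through the same filter.
 */
function ell_check_lockout( $user, $username, $password ) {
    $attempts = (int) get_transient( ell_transient_key( ell_client_ip() ) );
    if ( $attempts >= ELL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed logins. Try again in %d minutes.', ELL_LOCKOUT_SECONDS / 60 )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'ell_check_lockout', 30, 3 );

/**
 * Clear the counter after a successful login so a legitimate user who
 * mistyped once is not penalised later in the day.
 */
function ell_clear_on_success( $user_login, $user ) {
    delete_transient( ell_transient_key( ell_client_ip() ) );
}
add_action( 'wp_login', 'ell_clear_on_success', 10, 2 );
```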

Add reCAPTCHA to the login page

One very effective way to block robots is to use a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) service, a specialized test that distinguishes between humans and robots. A CAPTCHA can be implemented on the login page and any contact forms to block automated spam inputs.

Many different types of CAPTCHA services are available, but at Patchstack, we use Google’s offering, reCAPTCHA.

If you are using Patchstack, you can add reCAPTCHA to your site with only a few clicks, as described in our post, “How to Use CAPTCHAs on WordPress to Protect Your Site From Bots & Spammers”.

05 - If you are using Patchstack, you can add reCAPTCHA to your site with only a few clicks

Use Two-Factor (2FA) authentication

Two-factor authentication adds another layer of verification to authenticate logins to your WordPress website. Adding Two-Factor Authentication (2FA) on your WordPress website will greatly reduce the chances of unauthorized access to your dashboard. 

There are many ways to perform 2FA, such as sending a one-time code to your email address or mobile phone, or using an authenticator app with time-based OTPs.

If you are using Patchstack, you can easily enable 2FA on your site by navigating to “Hardening > Login Protection” and enabling the toggle next to 2FA. To learn more about this, check out our guide on multi-factor authentication in WordPress.

Use a web application firewall

A web application firewall is a software component that blocks malicious web requests on any website. We recommend adding a firewall to your WordPress website as it will protect it against many known attacks. 

If you are using Patchstack, you can use our advanced firewall and protection rules by enabling different protection modules on your website. Our vPatching functionality safeguards your WordPress website even if no patch is available for a security vulnerability.

06 - If you are using Patchstack, you can use our advanced firewall and protection rules by enabling different protection modules on your website

Use SSL and migrate to HTTPS

Deploying SSL certificates and using the HTTPS protocol to access your website will encrypt any information shared between a client (visitor) and your server. This makes it much harder for anyone on the network path to read that information or mount man-in-the-middle attacks.

Using the HTTPS protocol will protect visitors even when they access your website through unsecured networks, such as public Wi-Fi networks that are not password protected.

Almost all hosting companies provide free SSL certificates by Let’s Encrypt, but if your hosting provider does not provide a free SSL certificate, you can refer to our guide to learn how to install SSL certificates on WordPress.

Disable file editing within the WordPress dashboard

The WordPress file editor is enabled by default, and allows anyone with admin rights to edit the theme files by navigating to Appearance > Editor. Although this is useful, it can also allow users to run unauthorized code on the server – which is a security risk.

You can easily avoid this security risk by disabling Editor access within the WordPress admin.

Add the following line of code in your WordPress wp-config.php file to disable this functionality:

// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );

Disable PHP file execution

Some folders in the WordPress directory, specifically those under wp-content (where your themes, plugins, and images are uploaded), have very open permissions. If an attacker can upload a malicious PHP script on your website and execute it, then it can be a significant security risk.

You can’t entirely revoke permissions to write in these folders because doing that will stop you from uploading and installing plugins and themes. You can, however, stop PHP code from executing in these folders.

To prevent PHP from being executed, you must create .htaccess files and upload them to the folders where you want to prevent PHP files from being executed.

The uploads folder under the wp-content folder is where all the media files are uploaded, and hackers can often trick you into uploading a file that is named as though it is an image, but is actually a .php file containing malicious code. 

Create a .htaccess file with the following code and upload it to wp-content/uploads to stop all .php files from executing in that particular folder:

# "deny from all" is Apache 2.2 syntax. Apache 2.4 still accepts it only while
# mod_access_compat is loaded; otherwise replace it with "Require all denied".
<Files *.php>
deny from all
</Files>

If you need more detailed instructions, check out our in-depth guide, which explains how to disable PHP execution in WordPress.

Disable directory indexing and browsing

If a server is improperly configured, WordPress subfolders may become accessible, allowing anyone on the Internet to access your server logs, backup files, etc.

To protect yourself, it is a good idea to entirely disable the chances of directories being viewed through browsers by adding the following line of code at the end of the .htaccess file in the root folder of your WordPress installation:

Options -Indexes

You can also disable file indexing by simply enabling the option “Disable index views” within Patchstack under Hardening > Firewall > .htaccess Rules, if you are using Patchstack to secure your WordPress website.

If you want to learn more about this topic, refer to our post on how to disable directory browsing in WordPress.

07 - Disable directory indexing and browsing

Disable XML-RPC in WordPress

XML-RPC is a WordPress functionality that allows you to interact with your WordPress website remotely. If you aren’t going to use this API, then we recommend turning it off by adding the following lines of code to your .htaccess file: 

# Block WordPress xmlrpc.php requests
# "order"/"deny" are Apache 2.2 directives; on Apache 2.4 without
# mod_access_compat, replace both lines with "Require all denied".
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

If you are using Patchstack, you can also easily disable XML-RPC and WP-REST API on your WordPress website. This option is located under Hardening > Hardening Features. 

08 - Disable XML-RPC in WordPress

Implement file integrity monitoring 

File integrity monitoring is a tracking mechanism that lets you monitor all the files on your server and learn when they change. Whether it is implemented with kernel-level filesystem event tracking or with periodic hash-based comparison against a known-good baseline, it lets you detect unauthorized modifications across WordPress core directories, themes, and plugins.

The baseline is a snapshot of the known-good state of your files (for example, the hash of every file taken right after a clean install or update), and each later scan is compared against it to identify changes, potential malware injections, or unauthorized file manipulations. Some hosting providers include file integrity monitoring with their hosting plan, but if your hosting provider does not offer this service, you can try third-party plugins such as Melapress File Monitor.
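The hash-based comparison described above, as an added example (not Patchstack's code and not the Melapress plugin): a standalone PHP command-line script that records a SHA-256 baseline of a WordPress install and later reports added, removed, and modified files. The baseline location and the list of watched directories are assumptions.

```php
<?php
/**
 * Added example: minimal hash-based file integrity check for a WordPress root.
 *
 *   php wp-integrity.php baseline /var/www/html   # record known-good hashes
 *   php wp-integrity.php check    /var/www/html   # report changes since then
 *
 * Take a fresh baseline right after every legitimate update, and keep the
 * baseline file outside the web root so an intruder cannot rewrite it.
 */

const WPI_BASELINE = '/var/backups/wp-integrity.json'; // assumed location
const WPI_WATCHED  = array(
    'wp-admin',
    'wp-includes',
    'wp-content/plugins',
    'wp-content/themes',
    'wp-content/mu-plugins',
);

/** Return [relative path => sha256] for top-level files plus the watched trees. */
function wpi_hash_tree( $root ) {
    $root   = rtrim( $root, '/' );
    $hashes = array();

    // Top-level files (wp-config.php, index.php, .htaccess ...) without recursion,
    // so a large uploads/ or cache/ tree does not slow the scan down.
    foreach ( new DirectoryIterator( $root ) as $entry ) {
        if ( $entry->isFile() ) {
            $hashes[ $entry->getFilename() ] = hash_file( 'sha256', $entry->getPathname() );
        }
    }

    foreach ( WPI_WATCHED as $dir ) {
        if ( ! is_dir( "$root/$dir" ) ) {
            continue;
        }
        $iter = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator( "$root/$dir", FilesystemIterator::SKIP_DOTS )
        );
        foreach ( $iter as $file ) {
            if ( $file->isFile() ) {
                $rel            = substr( $file->getPathname(), strlen( $root ) + 1 );
                $hashes[ $rel ] = hash_file( 'sha256', $file->getPathname() );
            }
        }
    }
    ksort( $hashes );
    return $hashes;
}

/**
 * Compare baseline and current hashes. Content hashes, not timestamps, are the
 * yardstick: an intruder can reset a file's mtime but not forge its SHA-256.
 */
function wpi_diff( array $baseline, array $current ) {
    $modified = array();
    foreach ( array_intersect_key( $current, $baseline ) as $path => $hash ) {
        if ( ! hash_equals( $baseline[ $path ], $hash ) ) {
            $modified[] = $path;
        }
    }
    return array(
        'added'    => array_keys( array_diff_key( $current, $baseline ) ), // e.g. a new .php file
        'removed'  => array_keys( array_diff_key( $baseline, $current ) ),
        'modified' => $modified,                                            // e.g. a backdoored core file
    );
}

$cmd  = $argv[1] ?? '';
$root = $argv[2] ?? '.';

if ( 'baseline' === $cmd ) {
    file_put_contents( WPI_BASELINE, json_encode( wpi_hash_tree( $root ), JSON_PRETTY_PRINT ) );
    echo 'Baseline written to ' . WPI_BASELINE . "\n";
    exit( 0 );
}

if ( 'check' === $cmd ) {
    $baseline = json_decode( (string) @file_get_contents( WPI_BASELINE ), true );
    if ( ! is_array( $baseline ) ) {
        fwrite( STDERR, "No baseline found; run 'baseline' first.\n" );
        exit( 2 );
    }
    $diff = wpi_diff( $baseline, wpi_hash_tree( $root ) );
    foreach ( $diff as $kind => $paths ) {
        foreach ( $paths as $path ) {
            echo strtoupper( $kind ) . "\t$path\n";
        }
    }
    // A non-zero exit status lets cron or a monitoring job raise an alert.
    exit( array_sum( array_map( 'count', $diff ) ) > 0 ? 1 : 0 );
}

fwrite( STDERR, "Usage: php wp-integrity.php baseline|check <wordpress-root>\n" );
exit( 64 );
```

For core and repository plugins, WP-CLI's `wp core verify-checksums` and `wp plugin verify-checksums` compare against WordPress.org's published hashes and need no local baseline.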

Implement activity logging

Activity logging lets you capture detailed logs of login attempts, content modifications, plugin installations, and user permission changes. Website administrators can get an invaluable forensic trail to detect threats and investigate incidents.

These granular logs provide immediate insights into potential security breaches and create a comprehensive historical record that can be crucial for understanding attack vectors and implementing proactive defense strategies.

For readers seeking a deeper dive into advanced activity logging techniques and best practices, we highly recommend checking out our previous in-depth post, which offers extensive insights and expert-level strategies for implementing robust WordPress security logging mechanisms.
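The event categories listed above (login attempts, content modifications, plugin changes, permission changes) captured with core hooks, as an added example that is not Patchstack's logging code: a must-use plugin that appends one JSON line per event to a file outside the web root. The log path is an assumption.

```php
<?php
/**
 * Plugin Name: Example Activity Log (added example, not Patchstack code)
 * Drop this file into wp-content/mu-plugins/. The directory must be writable
 * by PHP and must not be served by the web server.
 */

const EAL_LOG_FILE = '/var/log/wordpress/activity.log'; // assumed path

/** Append a structured event. JSON lines are easy to grep and to ship to a SIEM. */
function eal_log( $event, array $data = array() ) {
    $record = array(
        'ts'    => gmdate( 'c' ),
        'event' => $event,
        'ip'    => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : null,
        'actor' => get_current_user_id(), // 0 for unauthenticated requests and during login itself
    ) + $data;
    // LOCK_EX keeps lines from interleaving when several requests log at once.
    @file_put_contents( EAL_LOG_FILE, json_encode( $record ) . "\n", FILE_APPEND | LOCK_EX );
}

// Login attempts: the trail for brute-force and credential-stuffing investigations.
add_action( 'wp_login', function ( $user_login, $user ) {
    eal_log( 'login_success', array( 'user' => $user_login, 'user_id' => $user->ID ) );
}, 10, 2 );
add_action( 'wp_login_failed', function ( $username ) {
    // Record the attempted username, never the password.
    eal_log( 'login_failed', array( 'user' => $username ) );
} );

// Permission changes: a sudden editor-to-administrator change is a classic
// post-exploitation step and worth an alert on its own.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    eal_log( 'role_changed', array( 'user_id' => $user_id, 'new_role' => $role, 'old_roles' => $old_roles ) );
}, 10, 3 );

// New accounts: an unexpected administrator created through a vulnerable plugin
// is one of the most common signs of compromise.
add_action( 'user_register', function ( $user_id ) {
    $user = get_userdata( $user_id );
    eal_log( 'user_created', array(
        'user_id' => $user_id,
        'user'    => $user ? $user->user_login : null,
        'roles'   => $user ? $user->roles : array(),
    ) );
} );

// Plugin and theme changes: attackers often activate their own.
add_action( 'activated_plugin', function ( $plugin ) {
    eal_log( 'plugin_activated', array( 'plugin' => $plugin ) );
} );
add_action( 'deactivated_plugin', function ( $plugin ) {
    eal_log( 'plugin_deactivated', array( 'plugin' => $plugin ) );
} );
add_action( 'switch_theme', function ( $new_name ) {
    eal_log( 'theme_switched', array( 'theme' => $new_name ) );
} );

// Content modifications: only transitions into or out of "publish", so that
// autosaves and drafts do not flood the log.
add_action( 'transition_post_status', function ( $new_status, $old_status, $post ) {
    if ( 'publish' === $new_status || 'publish' === $old_status ) {
        eal_log( 'post_status_changed', array(
            'post_id' => $post->ID,
            'type'    => $post->post_type,
            'from'    => $old_status,
            'to'      => $new_status,
        ) );
    }
}, 10, 3 );
```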

Wrapping up

In this post, we have provided a comprehensive list of security tips and tricks that you can use to protect your website from a vast number of cyber attacks.

It is important to note that while implementing these techniques will significantly enhance your website’s security, we cannot guarantee that your website will never be hacked. 

Most of the techniques mentioned above apply to any website on the Internet, but if you are using WordPress, you can implement all of these techniques with only a few clicks by installing Patchstack on your website.

FAQs related to WordPress security

Is WordPress secure?

WordPress is generally a secure platform, but like any website or software, it can be vulnerable to hacking attempts if it is not adequately secured. It is important to follow security best practices and use security plugins to protect your site and prevent security breaches.

Is WordPress easily hacked?

WordPress can be hacked if it is not adequately secured. However, if you follow security best practices, use the latest version of WordPress, and use a security plugin, you can significantly reduce the risk of hacking. Read our in-depth blog post “Is WordPress Secure?” to learn more about this topic. 

What percentage of WordPress sites are hacked?

There's no definitive percentage of hacked WordPress sites. The estimated number fluctuates significantly based on factors such as website security practices (the use of strong passwords, regular updates, and security plugins), the WordPress version being used (older, unsupported versions are far more vulnerable), and the quality and security of installed plugins and themes.

While precise figures are unavailable, the trend in Patchstack’s state of WordPress security report shows a consistent and concerning rise in attacks targeting WordPress websites each year. 

Do I need a WordPress security plugin?

While WordPress has built-in security features, a security plugin is highly recommended. A security plugin can provide additional protection against hacking attempts and help you detect and fix vulnerabilities in your site.

Does WordPress have built-in security?

WordPress has built-in security features such as password protection, user roles and permissions, and automatic software updates. However, it is still essential to follow the best security practices and use a security plugin to ensure the highest level of security.

An advanced security plugin is necessary to protect against advanced attacks, but you shouldn’t settle for plugins that only tweak minor settings. You should use a plugin focused on core WordPress security and login protection. Read our in-depth blog post, which discusses The Six Best WordPress Security Plugins, to know which is best for you.

]]>
If You Approach WordPress Security Like This, It's Easy https://patchstack.com/articles/wordpress-security-approach/ https://patchstack.com/articles/wordpress-security-approach/#respond Thu, 16 Dec 2021 09:01:24 +0000 https://patchstack.com/?p=8525 With nearly a decade of working on WordPress security and website security, we've probably seen every kind of attack you could imagine. Some breaches are obvious while many might go undetected for months or even longer. This makes it harder to pinpoint the exact reason why the site was hacked in the first place. Criminals […]

The post If You Approach WordPress Security Like This, It's Easy appeared first on Patchstack.

]]>
With nearly a decade of working on WordPress security and website security, we've probably seen every kind of attack you could imagine. Some breaches are obvious while many might go undetected for months or even longer. This makes it harder to pinpoint the exact reason why the site was hacked in the first place.

Criminals often hide their tracks and won't visibly damage sites right away, so they could create a zombie network of breached websites which can later be abused as proxies to perform further attacks on other targets.

With years of analyzing such attacks, we are confident that 99% of attacks fall under the following list of 4 reasons why WordPress websites get hacked. Once you address these 4 issues, you'll understand that WordPress security is much easier than you thought and that everyone can do it.

In this article, we'll go over each of those and provide some practical ways to stay protected.

Before we get started

It's important to understand that malware infection on websites, SEO spam, backdoors, and all those nasty things that can happen are consequences.

An average clean-up service costs around $200, while protecting your site for a year is a fraction of that.

It's very important to have a plan B and a plan C in the form of backups and malware scanners, but you should keep your plan A as solid as possible - which is that your site won't get hacked or infected at all. In this article, let's explore how to do that.

Vulnerable WordPress core, plugins, and themes

Whenever you see a blog post about WordPress security, almost every single one of them keeps saying that the number one priority is to keep your website updated. That includes the WordPress core and every plugin or theme you have installed.

The reason behind this is simple - if something is outdated, then there is a chance that you have also missed an important security fix that was released by the developers within the recent version.

Vulnerabilities within popular WordPress plugins are known to be the biggest threat to the security of the WordPress ecosystem. A single vulnerability in a popular plugin can give the criminal unauthorized access to thousands of sites with a single automated attack.

Criminals actively monitor the changelogs

Whenever WordPress core, a plugin, or a theme releases a new version, its changelog is updated to list the changes made. These changes often include lines such as "Proper sanitization/validation of some requests.", "Prevent XSS in form title", "+Fixed: Security issue.".

Since we're talking about open-source code, a criminal can instantly compare the previous version with the latest one to see which exact functions were fixed. If a vulnerability is critical enough, it can be weaponized within hours after the release.

Such attacks are known as 1-day attacks in the information security field. That means a vulnerability has a fix released by the developer, but the attacks happen before the users have installed the patched version.

Criminals look for zero-days

Criminals regularly scan the code of popular plugins and themes to find vulnerabilities that nobody knows about. Instead of reporting the found vulnerabilities responsibly (read why you should report vulnerabilities responsibly) to the developer, they instead weaponize the vulnerability right away.

Such attacks are the most dangerous and will cause the most damage. Attacks may go undetected for days before site owners start to report problems on their sites. As the developer is not aware of the vulnerability, even sites that are completely updated will become a victim.

What can you do about it?

Keep the number of plugins/themes installed on the website as low as possible. With every new component you install to the website, you'll increase the chances of introducing vulnerabilities to your site. If you de-activate a plugin, don't forget to delete it as it can still be attacked.

As the first step, update your WordPress core, plugins, and themes as fast as possible. If you're worried about the site breaking down with automatic updates, you can use Patchstack to enable auto-updates only for the plugins/themes that fixed a security issue in a recent version.

Look out for new vulnerabilities found in the plugins/themes you use. You can't protect yourself from the things you don't know about. You can use free services like this to get alerts every time a vulnerability is found on any of your websites.

The best-known way to minimize the attack window is to enable vPatching. vPatching is like a security firewall on your website that eliminates the vulnerability without changing any functionality/code on the website. In many cases, vPatches can also protect you from security issues that have no fixes available. You can read more about vPatching here.

To protect yourself from zero-day attacks, use a web application firewall. It filters out malicious requests that don't look like those of regular visitors or that match the exploitation patterns of known vulnerability classes such as XSS, SQLi, LFI, etc. For that, you could try a combination of Cloudflare and Patchstack.

Compromised privileged accounts

The second biggest reason for websites getting hacked is compromised privileged accounts. Criminals have deployed massive zombie networks of hacked websites and servers that search for WordPress sites and automatically try to guess usernames and passwords.

We're still living in a world where the username "admin" and password "admin" are terrifyingly common combinations. Short passwords without any numbers and special characters are the easiest for bots to brute force.

As computers have become more powerful, so have the bots. Nowadays there are also lists of millions of leaked usernames and passwords that bots can use to guess even more complex combinations.

Learn how to become an expert on password management.

Criminals try to brute force usernames and passwords

Brute forcing is probably one of the simplest methods of gaining unauthorized access. By its nature, it's just blindly guessing the username and password until the right combination happens to come up.

By default, WordPress has the login page available at the /wp-admin/ location. Without rate-limiting the login attempts or applying a captcha to that page, anyone can try to guess your username and password as many times as they want.

Picture from Imperva.com - What is a Brute Force Attack?

Criminals are of course abusing this with automated tools that search for WordPress websites and then bombard them with automatically generated combinations. Some of the bots are more advanced than others and use previously leaked usernames and passwords to create plausible combinations that people might use.

For more targeted attacks, check your leaked passwords

Have you heard about the website haveibeenpwned.com? It's a project that combines all known data breaches where usernames and passwords have been leaked. It includes a whopping 11 billion leaked usernames and passwords.

Most of this data is available to criminals and is sold in the darkest corners of the web. If a criminal knows the email address of the website administrator, they can look up whether any passwords connected to that email have previously leaked, since there is a chance the same password is reused elsewhere.

What can you do about it?

Luckily, this is one of the easiest threats to mitigate. One simple thing you can do to protect your WordPress accounts is to enable Two-Factor Authentication (2FA). With 2FA (also known as Multi-Factor Authentication), even if a criminal has your password, they would also need access to another factor, which is usually your phone.

To take the power away from bots, you can enable login rate-limiting and reCAPTCHA, which challenge bots to prove they are human before they can try to log in and block their IPs after a few failed attempts. You can set that up under Hardening settings within the Patchstack App on your site view.

You've probably heard it before, but use strong passwords. As a tip, use a password manager such as LastPass, KeePass, or any other to create randomly generated passwords that are impossible to guess, one for every website, so you don't reuse passwords across different sites.

Insecure hosting environment

This isn't just about how good your hosting company is. This has a lot to do with how you've configured your hosting account or server and how you're actually using it. Even on the cheapest hosting services, you can have quite good security if you keep some basic security principles in mind.

We've seen many hosting accounts filled with hacked sites in both high-end premium hosting companies and in cheap shared hosting companies. It's especially true with cheaper shared hosting companies where users look to save money and therefore make some bad decisions.

When it comes to configuring your hosting environment, it often comes down to hardening, for which there is an incredible number of free WordPress security plugins in the WordPress plugin repository, such as SecuPress, ShieldSecurity, and iThemes Security, to name a few.

Not isolating websites from each other

One big problem with some cheaper hosting companies is that they don't properly isolate one website on a shared host from another. That means if a criminal manages to hack one of your websites, they may take over other websites hosted on the same server.

In some shared hosting environments, it's been possible to get root access to the shared server which then exposes access to sites owned even by other hosting customers. Security has generally been improving over the years and such vulnerable configurations are not that common anymore.

Read more about the dangers of shared hosting here.


Many managed WordPress hosting companies have decided to run each website in a dedicated virtual machine or in a containerized environment to isolate websites from others as much as possible. So you might want to look at services that do that.

Having WordPress installations in sub-folders

This is something we see all the time. Many who own multiple websites aim to save money and therefore create multiple WordPress installations in different sub-folders. In such cases, multiple websites share the same directory and even the same database.

This is a goldmine for criminals because breaching just one website may give them access to many other sites which might have not been vulnerable at all. We keep seeing this all the time and it's one of the worst things that can happen.

At this point, as the sites are infecting each other, the only way to clean them up is to close access to all of them and clean every site at the same time. Saving some money can result in an average bill of $3000 if there happened to be 15 different WordPress installations.

What can you do about it?

First of all, if you plan to host a WordPress website, look for a hosting provider that specializes in hosting WordPress sites. They often pay much more attention to the specific characteristics of WordPress, which includes security.

Don't forget to ask if the hosting company creates backups of your sites. Good hosting companies have at least some level of automated backups in their standard plans and more frequent backups in higher-tier plans.

Great hosting companies automatically scan your sites for malware. Scanning your websites regularly for malicious code is important, but instead of using malware scanning plugins, the scanning should happen deeper on the server. This approach is more efficient in terms of both performance and results. Ask your host about that.

Nulled/pirated plugins and themes

Can we call this karma? Actually, no: there are many different ways nulled/pirated plugins can end up on a website, and the site owners, or even those installing the plugins, are not always aware that the plugin or theme is nulled.

Nulled plugins and themes are usually premium versions that have been made free by removing the licensing part of the code. There are many malicious websites where criminals host such software to attract those who want to save some money; in return, they get a pre-infected version that hides a backdoor into the website.

We've seen cases where an agency that builds websites for its customers is constantly using nulled plugins and themes on the customer's websites. The sites eventually get hacked and when it happens the clean-up cost is forwarded to the customer.

Read more about the dangers of nulled WordPress plugins here.

Nulled plugins include backdoors and other malware

Everyone who is searching for "Free {insert_premium_plugin} download" should think about why someone paid for it and then made it free for everyone else to download. The chances are that it was not Robin Hood and whoever did it gets some kind of value out of it.


That value is the website and its server resources. Criminals create nulled versions of popular plugins and themes to get people to install malware on their sites voluntarily. In fact, there's even an organized gang called WP-VCD that regularly produces nulled plugins and spreads them through a large number of websites.

Once a victim has installed the backdoored version of the plugin or theme to the website, the criminals have the freedom to do anything they want with the website. It's the usual activity - redirecting traffic, hosting SEO spam, sending out spam emails from your website, and infecting visitors with malware.

Nulled plugins don't receive updates (and can be vulnerable)

Whenever a nulled plugin or theme is created, it is whatever version the criminals had access to at that point in time. Since popular plugins and themes are actively developed, they receive updates quite frequently. Therefore, most nulled plugins/themes available are not the latest versions.

As nulled plugins and themes have the licensing removed from the code, it usually also means they no longer have access to updates. So, as a bonus to having malware on the site, the website will also be stuck with an old version of the plugin.

Taking all that into account, installing nulled plugins is probably the worst thing one could do: not only does it infect the website with backdoors and malware, it also has a significant chance of leaving the website vulnerable to other criminals.

What can you do about it?

If something sounds too good to be true, it usually is. Download plugins only from the WordPress.org repository, from the official website of the plugin developer, or from a trusted marketplace like Envato.

If a website was built for you by a developer and you see any premium plugins installed on the site, ask for the licenses or confirm that the plugin is connected to the licensing server from your WordPress admin panel.

PS! There is a professional or maybe even a whole team behind the premium plugin who has put months and years into building this tool. If you really need to use it then support the developer!

Main takeaways and conclusion

If you made it so far then, wow, and thanks!


For many, many years, dealing with the consequences of poor security has been the main way people get exposed to security in the WordPress ecosystem.

TL;DR: Take these 4 steps to prevent ~99% of attacks.
- Prevent having vulnerable plugins installed on your sites
- Protect your accounts with 2FA and rate-limiting
- Find a good hosting specialized in WordPress sites
- Don't install nulled/pirated plugins

It's still common that WordPress security isn't thought about until sites get hacked. Keep in mind that malware on the website is not a problem, but a consequence. Most of your attention should go to improving the security proactively so the breach never happens!

I hope this article gives you a good understanding of how to do that. Good luck!

The post If You Approach WordPress Security Like This, It's Easy appeared first on Patchstack.

]]>