What Are the Most Common Mistakes in WordPress Security?

This article collects the vulnerabilities that follow from common mistakes in running WordPress. With what you take from it, you should be able to make your site measurably harder to attack.

WordPress runs millions of sites because it is easy to use and ships with a great deal of functionality. The mistakes made around it, however, cause a long list of problems. So what are the most common mistakes in WordPress security? Let's look for the answers together.

Unconfigured security plugins

Administrators tend to assume that a security plugin will fix every kind of problem. Security plugins genuinely make many things easier, but used wrongly or with only a partial understanding of what they do, they can cause harm as well.

Wordfence and iThemes Security are among the most widely used. So what mistakes are made with them, and how should they be used?

  • Installing and activating a plugin is not enough on its own. Users assume that once the plugin is active everything will run smoothly and stay on track; it will not.
  • How the plugin is configured matters, because many of its features (directory blocking, file-permission (chmod) checks, disabling XML-RPC, and so on) may be off by default and need to be switched on or adjusted by hand.
  • For that reason, read the vendor's documentation on what each setting does and which ones apply to your site.
  • Another important and overlooked mistake concerns logging. Security plugins record a great deal of detail: logins, blocked attacks, changed files. Leaving that log uncleaned for a long time, or turning off the automatic cleanup, puts a serious load on your database.
  • So either clean these logs by hand on a schedule or configure the plugin's automatic cleanup and let it run.

Keeping unused themes & plugins

Leaving unused themes and plugins in the WordPress directories keeps an open door for problems that accumulate over time. Nobody updates what nobody uses, so these files fall behind and become vulnerable. A plugin does not have to be active to be exploitable: its PHP files under wp-content/plugins are still reachable by URL, so an attacker who knows of a flaw in one of them can request the file directly and, depending on the flaw, read or write files across the whole site.

For this reason, remove the themes and plugins you do not use from the plugins and themes folders (wp-content/plugins and wp-content/themes) rather than merely deactivating them. Unused folders are also a favourite place for attackers to stash a web shell or a spare copy of their backdoor, precisely because nobody looks there.

Unconfigured chmod settings

File permissions (chmod) are another overlooked item: once WordPress is installed, most people never look at them again. Wrong permissions leave files open to being read or overwritten by other accounts on the server, including a compromised plugin running as the web server user.

Moreover, while setting them is easy, it is usually skipped. The layout WordPress itself documents is: directories 755, files 644, and wp-config.php 600 (or 640 when PHP runs under a different account and needs group read). Nothing under the web root should be world-writable (777), however convenient that is for a plugin that "needs" to write; fix the ownership instead. The image that accompanied this section summarised those values:

[Image: recommended chmod values for a WordPress install]
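As an added example (not part of the original article), the shell routine below applies that layout to an install root and then reports anything left world-writable. It assumes the files are owned by the deploying account and that PHP runs as that same account, so wp-config.php can be 600; if PHP runs under another user, pass 640 as the second argument and chgrp wp-config.php to that user's group instead of widening the mode.

```shell
#!/bin/sh
# Added example: apply the documented WordPress permission layout
# (directories 755, files 644, wp-config.php 600) to an install root.
# Assumption: files are owned by the deploying account and PHP runs as
# that account, so wp-config.php can be owner-only. If PHP runs under a
# different user, pass 640 as the second argument and chgrp wp-config.php
# to that user's group instead of widening the mode.
# Usage: harden_wp_permissions /var/www/example.com [640]
harden_wp_permissions() {
    root="$1"
    cfg_mode="${2:-600}"
    if [ ! -f "$root/wp-config.php" ]; then
        echo "not a WordPress root: $root" >&2
        return 1
    fi
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    chmod "$cfg_mode" "$root/wp-config.php"
}

# List anything under the root that is still world-writable, the usual
# leftover of a "chmod -R 777" done to make some plugin work. Prints the
# paths and returns 1 if any exist, 0 if the tree is clean.
find_world_writable() {
    bad=$(find "$1" ! -type l -perm -0002)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}
```

Run find_world_writable from cron as well: a clean tree that suddenly grows a 777 directory is worth an alert, because it usually means a plugin or a person has been "fixing" an upload error the wrong way.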

Installing themes and plugins from unknown sources

Themes and plugins are normally installed from the official WordPress directory. Administrators without much background on the subject, however, assume that a plugin downloaded from some third-party website or forum will work just as well.

Such themes and plugins may be full of vulnerabilities, and pirated ("nulled") copies of paid plugins frequently ship with a backdoor already built in. Because they go through no review or approval process, they are one of attackers' favourite ways in.

Install only from the WordPress directory or directly from the plugin's own vendor, never from a random mirror, however trustworthy it claims to be. That said, not every plugin in the directory is safe either: even the most downloaded and popular plugins have had vulnerabilities found over time, with public exploits released for them.

In that light, the most correct course is to run as few plugins as possible, and to keep the ones you do run updated.

Choosing the wrong PHP version

WordPress now recommends PHP 7.4 or newer. If an older version is selected, the dashboard shows a warning about it as soon as you log in. Users are often afraid to upgrade because of the old themes and plugins they depend on.

When the PHP version is raised, themes and plugins that have not been updated may indeed break, and many administrators keep PHP old to avoid that. That is the wrong trade: a PHP version that is no longer supported receives no security fixes. Update the themes and plugins, then move PHP to a current version, testing the combination on a staging copy of the site first.

Not paying attention to backups

The WordPress plugin directory has many paid and free backup plugins, and backups can just as easily be taken from the hosting control panel. Even so, neglecting backups turns a possible compromise into serious, and possibly permanent, damage.

So take backups with a plugin or the panel, keep at least the last three, store them somewhere other than the web server itself, and test that you can actually restore from one before you need to.
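As an added example (not from the article, and not any plugin's code), here is a minimal backup routine of the kind the paragraph describes: dump the database, archive wp-content, and keep only the newest three of each. It assumes mysqldump, gzip and tar are on PATH, that the destination directory lies outside the web root, and that the credentials can be read out of wp-config.php by the small helper written for this example.

```shell
#!/bin/sh
# Added example: dump the database and archive wp-content, then keep only
# the newest N copies of each. Assumptions: mysqldump, gzip and tar are
# on PATH, the destination lies outside the web root, and DB credentials
# are read from wp-config.php by the helper below (a hypothetical helper
# written for this example, not part of WordPress).
# Usage: backup_wp /var/www/site /var/backups/site && prune_backups /var/backups/site 3
wp_config_value() {          # wp_config_value wp-config.php DB_NAME
    sed -n "s/^define( *'$2', *'\([^']*\)' *);.*/\1/p" "$1" | head -n 1
}

backup_wp() {
    root="$1"
    dest="$2"
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$dest"
    db=$(wp_config_value "$root/wp-config.php" DB_NAME)
    user=$(wp_config_value "$root/wp-config.php" DB_USER)
    pass=$(wp_config_value "$root/wp-config.php" DB_PASSWORD)
    host=$(wp_config_value "$root/wp-config.php" DB_HOST)   # assumed to be a plain hostname
    # The password goes through the environment, not argv, so it does not
    # show up in "ps"; --single-transaction keeps InnoDB tables unlocked.
    MYSQL_PWD="$pass" mysqldump --single-transaction -h "$host" -u "$user" "$db" \
        | gzip > "$dest/db-$stamp.sql.gz"
    # wp-content holds uploads, themes and plugins; core can be re-downloaded.
    tar -czf "$dest/files-$stamp.tar.gz" -C "$root" wp-content wp-config.php
    chmod 600 "$dest/db-$stamp.sql.gz" "$dest/files-$stamp.tar.gz"
}

# Keep the newest $2 archives of each kind in $1. Names carry the timestamp,
# so sorting by name is sorting by age. Prints the number of files removed.
prune_backups() {
    dir="$1"
    keep="$2"
    removed=0
    for kind in db files; do
        victims=$(ls "$dir"/"$kind"-* 2>/dev/null | sort -r | tail -n +"$((keep + 1))")
        [ -z "$victims" ] && continue
        printf '%s\n' "$victims" | while IFS= read -r f; do
            rm -f -- "$f"
        done
        removed=$((removed + $(printf '%s\n' "$victims" | wc -l)))
    done
    echo "$removed"
}
```

The archives contain wp-config.php and therefore the database password, which is why they are chmod 600 and why the destination must not be inside the web root; copying them off the server (object storage, another host) is what turns this into a backup rather than a second copy that dies with the machine.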

Leaving the database table prefix at the default

Whether WordPress is installed from the hosting panel or by hand, the database table prefix is usually left at the default "wp_". This small detail makes your site an easier target for automated attacks, because SQL injection payloads written for WordPress assume table names such as wp_users and wp_options.

Changing the "wp_" prefix to something random is a cheap hardening step. It only trips up attacks that hard-code the default names, though; an attacker who can read the schema will find the real names, so treat it as one layer rather than a fix. The prefix can be changed after installation as well, either with a security plugin or by hand. Done by hand, it means changing $table_prefix in wp-config.php, renaming every table in phpMyAdmin, and also updating the rows in the options and usermeta tables whose names embed the prefix, or administrators are locked out after the rename.

Many detailed guides on this subject can be found online.
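As an added example (not from the article or from any plugin), the following shell routine generates the SQL for the manual route just described. It assumes a MySQL/MariaDB database, that you pipe the table list from mysql into it, and that the prefixes contain only letters, digits and underscores; the helper names and the prefix "k9x_" used in the usage comment are illustrative.

```shell
#!/bin/sh
# Added example: generate the SQL for moving an install from one table
# prefix to another. RENAME TABLE alone is not enough; WordPress also
# stores the prefix inside row data: the option {prefix}user_roles and the
# usermeta keys {prefix}capabilities, {prefix}user_level and
# {prefix}user-settings. Miss those and every administrator is locked out
# after the rename.
# Usage: list the tables (one per line) on stdin:
#   mysql -N -e 'SHOW TABLES' wpdb | wp_prefix_rename_sql wp_ k9x_ > rename.sql
# Review rename.sql, back the database up, then feed it to mysql.
wp_prefix_rename_sql() {
    old="$1"
    new="$2"
    while IFS= read -r table; do
        case "$table" in
            "$old"*) ;;          # only tables carrying the old prefix
            *) continue ;;
        esac
        rest=${table#"$old"}
        printf 'RENAME TABLE `%s` TO `%s%s`;\n' "$table" "$new" "$rest"
    done
    # Row data that embeds the prefix, addressed by the new table names.
    printf "UPDATE \`%soptions\` SET option_name = '%suser_roles' WHERE option_name = '%suser_roles';\n" \
        "$new" "$new" "$old"
    # Underscores are LIKE wildcards, so escape them in the old prefix.
    like=$(printf '%s' "$old" | sed 's/_/\\_/g')
    printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s%%';\n" \
        "$new" "$new" $((${#old} + 1)) "$like"
}

# Point wp-config.php at the new prefix. Run this only once the SQL above
# has been applied; until then the site would look for tables that do not
# exist yet.
wp_config_set_prefix() {
    file="$1"
    new="$2"
    sed "s/^\([$]table_prefix *= *\)'[^']*'/\1'$new'/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}
```

Order matters: rename the tables and fix the rows first, then switch wp-config.php, and keep a database backup from before the first statement so a typo in the prefix is a restore rather than an outage.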

Leaving file editing open

When we want to edit a theme's or plugin's code, the editor built into the dashboard is the easy route for all of us. It also brings problems with it: anyone who gets hold of an administrator account, whether through a stolen password or a hijacked session, can use that editor to write arbitrary PHP into the site and turn an account compromise into code execution on the server.

Make such edits over SFTP (for example with FileZilla) or from the server panel instead. To turn the built-in editor off, add the following line to wp-config.php, above the "stop editing" marker comment:

define( 'DISALLOW_FILE_EDIT', true );
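As an added example (not part of the article), this shell routine puts that define into wp-config.php without duplicating it and checks afterwards that it sits where WordPress will actually read it. The one caveat it encodes is the common failure mode: a define placed after the require of wp-settings.php is evaluated too late and has no effect. The function names are this example's own; the value is inserted as literal PHP, so it is meant for simple values such as true or false.

```shell
#!/bin/sh
# Added example: set a constant in wp-config.php without duplicating it.
# The define must sit above the "stop editing" marker: anything written
# after the require of wp-settings.php is evaluated too late and WordPress
# never sees it, which is the usual reason DISALLOW_FILE_EDIT "does not
# work". Values are inserted literally, so pass simple PHP syntax (true/false).
# Usage: wp_config_set_constant /var/www/site/wp-config.php DISALLOW_FILE_EDIT true
wp_config_set_constant() {
    file="$1"
    name="$2"
    value="$3"
    line="define( '$name', $value );"
    if grep -q "define( *'$name'" "$file"; then
        # already defined: replace that line
        sed "s/^.*define( *'$name'.*$/$line/" "$file" > "$file.tmp"
    elif grep -q "stop editing" "$file"; then
        # standard wp-config.php: insert above the marker comment
        sed "/stop editing/i\\
$line" "$file" > "$file.tmp"
    else
        # no marker (hand-written config): insert above the settings require
        sed "/wp-settings\\.php/i\\
$line" "$file" > "$file.tmp"
    fi
    mv "$file.tmp" "$file"
}

# Return 0 when the constant is defined with the given value and appears
# before wp-settings.php is loaded, 1 otherwise. Useful as a post-deploy check.
wp_config_constant_ok() {
    file="$1"
    name="$2"
    value="$3"
    def=$(grep -n "define( *'$name', *$value *)" "$file" | head -n 1 | cut -d: -f1)
    req=$(grep -n "wp-settings\\.php" "$file" | head -n 1 | cut -d: -f1)
    [ -n "$def" ] && [ -n "$req" ] && [ "$def" -lt "$req" ]
}
```

The same routine sets DISALLOW_FILE_MODS, which additionally blocks installing and updating plugins and themes from the dashboard; that is appropriate where deployments go through SFTP or version control anyway, but it also hides update notices, so pair it with another way of tracking updates.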

Not setting .htaccess rules

On Apache, .htaccess files let us set many restrictions easily, such as refusing to serve PHP files from WordPress subdirectories or limiting wp-admin to specific IP addresses. These rules do nothing on nginx, and on Apache they only take effect where AllowOverride permits them. The following rules cover these simple but effective cases:

To allow wp-admin only from specific IP addresses (placed in wp-admin/.htaccess):

# wp-admin/.htaccess (Apache 2.2 syntax)
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic

order deny,allow
deny from all
allow from xx.xx.xx.xxx
allow from xx.xx.xx.xxx

# admin-ajax.php is called by the public site and by plugins, so it must stay reachable
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>

To stop PHP files from being served out of /wp-content/uploads/ (placed in wp-content/uploads/.htaccess), which is where file-upload flaws drop their shells:

<FilesMatch "\.(php|phtml|php[0-9])$">
    deny from all
</FilesMatch>

On Apache 2.4 the same rules are written with Require (Require ip for the address list, Require all denied for the uploads block); the order/deny/allow form shown above keeps working there only while mod_access_compat is loaded.

A correctly configured security plugin will, of course, apply these rules for you in a more practical way.

Not using Cloudflare

Cloudflare offers a wide set of protections and optimisations free of charge. It is usually chosen because it absorbs attacks such as DDoS, and by proxying your traffic it hides the server's IP address, which is an extra obstacle for anyone trying to reach the server directly.

That masking only helps while the origin address stays secret, so restrict direct access to the server to Cloudflare's published IP ranges and make sure the real address does not leak through old DNS records, outgoing mail headers or error pages. Since the service is also discussed as having some disadvantages alongside its many advantages, research it well before putting it into use.
