Thursday, April 28, 2022

How to Improve Your Wordpress' Website Security

 Source: https://dzone.com/articles/improve-wordpress-site-security?edition=596291

Here are common WordPress security issues and how to improve your WordPress security including tips to avoid being hacked.

WordPress security has been an important topic ever since the content management system was released back in 2003. As with any highly popular piece of software with a long and rich history, the CMS can sometimes become the target of WordPress hackers. Hostile actions could include cross-site scripting attacks, SQL injections, brute force attacks, and a number of other ways to gain unauthorized access.

As hackers gain experience in finding new ways to exploit WordPress vulnerabilities, developers and security specialists get better at creating sites that are more difficult to breach. There are things developers and WordPress site owners can do if they don’t want hackers to gain access and bypass server security. In this article, we will discuss some actions a WordPress admin can perform to prevent a platform from becoming one of many hacked websites.

Enable Proper Permissions for wp-config.php and .htaccess on the Server

Change:

644 -rw-r--r-- /home/user/wp-config.php

644 -rw-r--r-- /home/user/cgi-bin/.htaccess

to secured permissions:

600 -rw------- /home/user/wp-config.php

600 -rw------- /home/user/cgi-bin/.htaccess

Use an Up-to-Date and Secure Version of PHP

As of October 6, 2021, the most recent and recommended PHP version for WordPress is 7.4. One can always check for supported and secure PHP versions by following the link: https://www.php.net/supported-versions.php . As with any piece of software, keeping everything up to date is an important factor for WP security.

Disable the Editing of Themes and Plugins From WordPress Admin Panel Level

If hackers gain access to an admin account, it will be very easy for them to input malicious code into themes and plugins. We are going to use DISALLOW_FILE_EDIT to disable file editing and improve website security. Here is how to do it:

  1. The first step is to open wp-config.php using a text editor.
  2. Within that file, find the line: /* That's all, stop editing! Happy blogging. */ and place the following code above it: define( 'DISALLOW_FILE_EDIT', true );
  3. Save changes and exit the file.
  4. Go to your WP dashboard: if you did everything correctly, the "Plugins > Editor" and "Appearance > Editor" links should no longer be visible.

Keep Your WordPress Plugins Updated

It’s a good idea to follow technological blogs and WP fan groups on social media, such as Facebook. Many WordPress users share notifications about critical errors in specific WordPress plugins. If you see an error concerning one that you use on your WordPress website, perform an update immediately. Furthermore, make sure to delete unused plugins to avoid unnecessary security vulnerabilities.

Install WordPress Themes and Plugins Only From Trusted Sources

The safest way is to use the official database/repository. For WordPress themes this is https://wordpress.org/themes/.

Trusted WordPress plugins can be found here: https://wordpress.org/plugins/.

The files in this repository have been verified, and likely subjected to malware scanning software before upload.

Change the wp_prefix in the Database During WordPress Installation

By default, WordPress installation proceeds with the wp_ prefix, but it is worth changing it to an original one during the process. By doing so, we will make it more difficult for malware to gain access to our database and extract data.
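The three file-level checks above (owner-only permissions on wp-config.php and .htaccess, DISALLOW_FILE_EDIT, and a non-default table prefix) are easy to get wrong during deployment and easy to verify afterwards. The following audit script is an added example written for this page, not code from the article; it reads wp-config.php as text and inspects file modes, so it runs from the command line without loading WordPress. It assumes the WordPress document root is passed as the first argument.

```php
<?php
// Added example (not part of the original article): audits a WordPress install
// for the hardening points above. Usage: php audit-wp-config.php /path/to/wordpress
declare(strict_types=1);

/** Return the octal mode string (e.g. "0600") of a file, or null if it is missing. */
function file_mode(string $path): ?string
{
    if (!file_exists($path)) {
        return null;
    }
    return sprintf('%04o', fileperms($path) & 0777);
}

/**
 * Audit the wp-config.php source plus the modes of the two sensitive files.
 * Returns a list of findings; an empty list means every check passed.
 */
function audit_wp_config(string $config_source, ?string $config_mode, ?string $htaccess_mode): array
{
    $findings = [];

    // wp-config.php holds the database credentials: only the owner should read it.
    if ($config_mode === null) {
        $findings[] = 'wp-config.php not found';
    } elseif (!in_array($config_mode, ['0600', '0400'], true)) {
        $findings[] = "wp-config.php mode is $config_mode, expected 0600";
    }

    // .htaccess carries rewrite and access rules. 0600 only works when the web server
    // runs as the file owner (PHP-FPM pools, suexec); otherwise it needs group/other read.
    if ($htaccess_mode !== null && !in_array($htaccess_mode, ['0600', '0400'], true)) {
        $findings[] = ".htaccess mode is $htaccess_mode, expected 0600";
    }

    // DISALLOW_FILE_EDIT must be defined and true; anything else leaves the editor on.
    if (!preg_match('/define\(\s*[\'"]DISALLOW_FILE_EDIT[\'"]\s*,\s*true\s*\)/i', $config_source)) {
        $findings[] = 'DISALLOW_FILE_EDIT is not set to true';
    }

    // The table prefix should be anything but the default wp_.
    if (preg_match('/\$table_prefix\s*=\s*[\'"]([^\'"]*)[\'"]/', $config_source, $m)) {
        if ($m[1] === 'wp_') {
            $findings[] = 'table prefix is the default wp_';
        }
    } else {
        $findings[] = 'could not find $table_prefix in wp-config.php';
    }

    return $findings;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $root     = rtrim($argv[1], '/');
    $config   = $root . '/wp-config.php';
    $source   = is_readable($config) ? (string) file_get_contents($config) : '';
    $findings = audit_wp_config($source, file_mode($config), file_mode($root . '/.htaccess'));
    if ($findings === []) {
        echo "OK: no findings\n";
        exit(0);
    }
    foreach ($findings as $finding) {
        echo "FINDING: $finding\n";
    }
    exit(1);
}
```

The non-zero exit status makes the script usable as a deployment gate: run it after every release and fail the pipeline if a finding appears.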

Do Not Use the Default 'Admin' Login, Use Strong Passwords

It is imperative to change the login to an original one. Strong passwords with multiple different symbols are also more difficult to crack.

Disable User Registration if You Do Not Need This Function

To do this:

1. Go to the Settings page, General section

2. Uncheck the “Anyone can register” field in the Membership section.

3. Save changes.

Disable Comments If They Are Unnecessary

There are several ways to do it, you can use code, the built-in options of WordPress, or a plugin.

To disable comments globally using WordPress itself, follow the steps below:

1. Go to Settings, the Discussion section

2. Uncheck the “Allow people to post comments on new articles” field

3. Save changes

You can also write your own code or use a plugin to achieve the same effect, but in this tutorial, we only present the fastest option.

Configure robots.txt to Block Unauthorized Access to WordPress Files

This file, which is placed in the main folder of the domain, acts as a signpost for Google crawlers showing the pages they should visit and index, and the ones they should not. You can use the example presented in the grey box here: https://wpninja.pl/artykuly/zaawansowane-pozycjonowanie-wordpressa/#robots-txt (remembering to change http://www.example.com/ to your own domain)

or have a look at the official Google guidelines for robots.txt: https://developers.google.com/search/docs/advanced/robots/create-robots-txt

Protect Yourself Against User Enumeration

User enumeration is the discovery of valid usernames (for example through author archive URLs), which hands attackers half of a credential and makes brute force attacks against those accounts far more effective. Check out the discussion on StackExchange on how to reduce the risk: https://wordpress.stackexchange.com/questions/182236/completely-remove-the-author-url
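WordPress leaks usernames in more than one place, and the author URL discussed in the linked thread is only the first. The snippet below is an added example written for this page, not code from the article or from the StackExchange answers; it closes three leaks with core hooks and belongs in a site-specific plugin. It assumes you want the REST API to keep working for logged-in users (the block editor needs it) and only hide the users routes from anonymous visitors.

```php
<?php
// Added example, not from the article: three username leaks, each closed with a core hook.

// 1. /?author=N redirects to /author/<username>/, which turns a numeric loop into a list
//    of logins. Send anonymous visitors home before the rewrite happens. Admin screens use
//    the author query variable legitimately, so they are left alone.
add_action( 'init', function () {
    if ( is_admin() || is_user_logged_in() ) {
        return;
    }
    if ( isset( $_GET['author'] ) ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
} );

// 2. The REST API exposes the same list at /wp-json/wp/v2/users to anyone. Remove every
//    users route for unauthenticated requests instead of disabling the whole API.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( strpos( $route, '/wp/v2/users' ) === 0 ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );

// 3. The login form distinguishes "unknown username" from "wrong password", which confirms
//    which usernames exist. Return one generic message for every failure.
add_filter( 'login_errors', function ( $error ) {
    return __( 'The username or password you entered is incorrect.' );
} );
```

After activating it, confirm the fix the way an attacker would check for the leak: /?author=1 should land on the home page and /wp-json/wp/v2/users should return a 404 for a logged-out browser.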

Secure Access to wp-admin / wp-login.php, Two-Factor Authentication, Limited Login Attempts

This action can be performed in many ways. The most popular one is to limit access to specific IP addresses or to display an additional window with authentication information. We can also set up a limit for login attempts or use two-factor authentication.

Two-Factor Authentication

To set up this functionality, first, download the Google Authenticator plugin.

After installing, go to the Profile page and check the "Active" field in the Google Authenticator Settings.

Now it’s time to get the Google Authenticator app for Android or iOS.

After launching the authenticator, a request should appear to input a code or to scan a QR code. Go back to your plugin settings and either copy the code to your app or select "Show/Hide QR code" and scan it with your phone.

This will begin automatic configuration; accept all changes and then click "Update profile" on the "Your profile" subpage. From now on, each attempt at logging in will require two-factor authentication on the WordPress login page.

Login Attempt Limitation

As mentioned before, one other method of preventing brute force attacks is to limit the number of times a user can attempt to log in. How to do it?

Probably the simplest solution is to use one of the many WordPress security plugins, such as the WP Limit Login Attempts by Arshid. You can download the security plugin here: https://pl.wordpress.org/plugins/wp-limit-login-attempts/
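To show what such a plugin does under the hood, here is a minimal login throttle built on WordPress transients. It is an added example written for this page, not the code of the WP Limit Login Attempts plugin or of the article; it assumes the site is not behind a reverse proxy (so REMOTE_ADDR is the real client address) and the two limits are illustrative values. Drop it into a site-specific plugin.

```php
<?php
// Added example, not from the article or from any plugin: throttle failed logins per client IP.

const LLA_MAX_ATTEMPTS    = 5;       // failures allowed per IP within the window (assumed value)
const LLA_LOCKOUT_SECONDS = 15 * 60; // how long the counter, and therefore the lockout, lives

/** Transient key for the current client. Assumes REMOTE_ADDR is trustworthy (no proxy). */
function lla_transient_key(): string {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lla_fail_' . md5( $ip );
}

// Count each failed login against the client's IP. The transient expires on its own,
// so the counter resets after LLA_LOCKOUT_SECONDS of quiet.
add_action( 'wp_login_failed', function () {
    $key   = lla_transient_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, LLA_LOCKOUT_SECONDS );
} );

// Refuse the login once the limit is hit. Priority 30 runs after the core username/password
// handlers (priority 20), so even a correct password is rejected while the lockout is active.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( lla_transient_key() ) >= LLA_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 3 );

// Clear the counter after a successful login so legitimate users are not penalised later.
add_action( 'wp_login', function () {
    delete_transient( lla_transient_key() );
} );
```

Because the check sits on the authenticate filter, it also covers logins that arrive through XML-RPC, not only the wp-login.php form. Behind a load balancer or CDN you would need to derive the client address from the proxy's forwarded header and trust only your own proxies, otherwise every visitor shares one counter.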

Make Backup Copies Regularly

Even the best protection may not be enough to save your website from WordPress hackers. Therefore, make sure you always have a backup in case the worst happens. Check if your hosting provider makes regular backups every day. Alternatively, you can make use of the following security plugin: https://wordpress.org/plugins/updraftplus/

Hide Information About the WordPress Versions You Use

The information about your version of WP can be of use to hackers, so there is really no need to share it freely. First, block access to your readme file by adding the following lines of code to your .htaccess file:

<files readme.html>
    order allow,deny
    deny from all
</files>

Second, use a security plugin to deactivate this information. One such plugin is Sucuri, which should automatically hide this information once it is activated, but verify this by visiting “Settings” > “Hardening” tab just to be sure.

You can also remove version information by adding the following lines of code either to a site-specific plugin or a code snippets plugin:

function wpbeginner_remove_version() { return ''; }
add_filter('the_generator', 'wpbeginner_remove_version');

Third, remove information on WP version in the CSS/JS files loaded on the website. Here is a link on how to do it, following the recommendations by user tjhole: https://gist.github.com/tjhole/7451994

Block the Execution of PHP Scripts in Specific WP Catalogues

Disable PHP file execution in unnecessary directories to improve your security. Following the solutions at wpbeginner.com, open a text editor and type in the following code:

<Files *.php>
    deny from all
</Files>

Save this file as .htaccess and upload it to the /wp-content/uploads/ folder on your website.

Disable Access to the REST API of Your WordPress

If you aren't planning to use it, disable access by using the following plugin: https://pl.wordpress.org/plugins/disable-json-api/

Limit or Disable Access to XML-RPC

If you are not using XML-RPC, disable it with:

// Turn the XML-RPC interface off entirely...
add_filter( 'xmlrpc_enabled', '__return_false' );

// ...and, as a second layer, drop the pingback method and the X-Pingback response header
// that advertises it. (The header lives in the wp_headers filter, not in the methods list.)
function remove_xmlrpc_pingback_ping( $methods ) {
    unset( $methods['pingback.ping'] );
    return $methods;
}
add_filter( 'xmlrpc_methods', 'remove_xmlrpc_pingback_ping' );

function remove_x_pingback_header( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
}
add_filter( 'wp_headers', 'remove_x_pingback_header' );

or with .htaccess:

<Files xmlrpc.php>
    Order deny,allow
    Deny from all
</Files>

Check out this link if you need additional information: https://www.wpbeginner.com/plugins/how-to-disable-xml-rpc-in-wordpress/

Make Sure Your Website Has an SSL certificate

Theoretically, you could use a plugin to do it, but we recommend a more “manual” way suggested at https://thecamels.org/en/compendium-how-to-secure-your-wordpress. Check out the “How to properly enable SSL in WordPress” section, and follow the guidelines.

Conclusion

Security should be a top priority of any enterprise, big or small. We hope you find these suggestions useful in the fight against hackers and malicious software. Make sure to follow us for other tips and guidelines.


Friday, April 22, 2022

5 Steps to Strengthen API Security

Source: https://dzone.com/articles/five-steps-to-strengthen-api-security?edition=596291

API misconfigurations and the attacks they attract occur more regularly than you might anticipate. Strengthen your API security using these best practices.

APIs are the connective tissue of scalable websites — fundamental to functioning in today’s digital world. But much like the physical world, weaknesses in connections and associated protocols can result in significant, sometimes existential, trouble.

A recent instance includes data leaks that stemmed from the misconfiguration of Microsoft Power Apps portals to enable public access. When examining this case, UpGuard found that the type of data varied between portals, and even included personal information that was used for COVID-19 contact tracing and COVID-19 vaccination appointments — as well as Social Security numbers, employee IDs, and millions of email addresses and names. 

The operators of those portals aren’t alone. API misconfigurations and the attacks they attract occur more regularly than one might anticipate. As a Salt Security report found, 94% of the nearly 200 enterprise security officials surveyed said their organization experienced an API security incident in 2020. The report also uncovered a 348% increase in malicious API traffic over six months, highlighting how attackers are focusing their attention on data access.

OWASP also started a separate "OWASP API Security Top 10" in 2019 to monitor API weaknesses. APIs represent a ready method to access data exposed by an organization: some are intended for public use, while others are intended solely for applications and web services within the organization. Regardless of usage, APIs are constructed to provide direct data access, which is why explicitly testing to ensure an API doesn't return excess data or allow authorization bypasses is crucial. In the BSIMM12, activity ST2.6 covers fuzz testing of APIs, but only 12% of organizations were found to be performing this activity.

To change this API narrative for the better, the following five best practices can be used to strengthen API monitoring and protection.

1. Know What You Have So You Can Keep It Protected 

While it may be considered a cliché, it's true: when it comes to security, you can't protect what you don't know you have. This is the problem with far too many APIs. Code may not be formally documented in a way that humans or machines can accurately digest, which can lead to it not getting tested.

In order to address this and ensure you know what you have:

  • First build an inventory of your API-based application assets.
  • Next, you’ll want to prioritize them by risk level based both on business impact and data usage.
  • Once assessed by risk level, it’s time to find API endpoints for those assets.
  • To preserve your API inventory, you’ll also want to track automated deployments. 
  • Lastly, you’ll want to simplify issue detection through automation via security tools and services.

Identity and access management (IAM) is a standard security practice, but when it comes to APIs, the focus should be on how users authenticate with the API and how API authorization segments or scopes the data provided by the API. Luckily, there are many ways to go about this, the key being to track a user through the system. It’s critical that each method within an API is developed with an understanding of user authentication and what the minimum dataset for the activity implemented by the method might be. 

2. Understand Data Validation and Trust Your APIs

An API should validate the request data it receives from a data consumer and determine whether it is malformed; the question to settle up front is how the API behaves when the data fails that check.

Similar to web applications, conducting input validation is essential for APIs. An application that uses public APIs accepts the risk of a man-in-the-middle attacker that could modify the data returned by the API or modify the data presented to the API on its behalf.  This is why an API must know what to do when presented with malformed data. The validation process here is a bit different — while the values of parameters need to be checked, API data is often a part of a data schema which means each parameter could have meaning relative to the remainder of the data. This is why you need validation at the schema level versus solely in the data element or parameter level.
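The distinction between element-level and schema-level validation is easiest to see in code. The validator below is an added example written for this page, not code from the article; the request shape (a hypothetical funds-transfer call) and its rules are assumptions made for the illustration. Each field-level check alone would pass the second sample request, and only the cross-field rules catch it.

```php
<?php
// Added example, not from the article: validate an API request body at the schema level.
declare(strict_types=1);

/**
 * Validate a raw JSON request body. Returns a list of error strings; an empty list
 * means the request may be processed. Never throws on attacker-controlled input.
 */
function validate_transfer_request(string $raw_body): array
{
    // Step 1: malformed input is rejected outright, never "partially" validated.
    $data = json_decode($raw_body, true);
    if (!is_array($data) || json_last_error() !== JSON_ERROR_NONE) {
        return ['body is not a JSON object'];
    }

    // Step 2: element-level checks (presence and type), where most validators stop.
    $schema = [
        'from_account' => 'string',
        'to_account'   => 'string',
        'amount'       => 'integer', // minor units, e.g. cents
        'currency'     => 'string',
        'scheduled_at' => 'string',  // YYYY-MM-DD, optional
    ];
    $optional = ['scheduled_at'];
    $errors   = [];
    foreach ($schema as $field => $type) {
        if (!array_key_exists($field, $data)) {
            if (!in_array($field, $optional, true)) {
                $errors[] = "missing field: $field";
            }
            continue;
        }
        if (gettype($data[$field]) !== $type) {
            $errors[] = "field $field must be $type";
        }
    }
    // Unknown fields mean a client/server mismatch or probing; refuse rather than ignore.
    foreach (array_diff(array_keys($data), array_keys($schema)) as $extra) {
        $errors[] = "unexpected field: $extra";
    }
    if ($errors !== []) {
        return $errors; // the cross-field rules below assume the shape is right
    }

    // Step 3: schema-level rules. Every field here is individually valid; the
    // combination is what makes the request wrong.
    if ($data['from_account'] === $data['to_account']) {
        $errors[] = 'from_account and to_account must differ';
    }
    if ($data['amount'] <= 0) {
        $errors[] = 'amount must be positive';
    }
    if (!in_array($data['currency'], ['EUR', 'USD'], true)) {
        $errors[] = 'unsupported currency';
    }
    if (isset($data['scheduled_at'])) {
        $when = DateTimeImmutable::createFromFormat('Y-m-d', $data['scheduled_at']);
        if ($when === false || $when->format('Y-m-d') !== $data['scheduled_at']) {
            $errors[] = 'scheduled_at must be a YYYY-MM-DD date';
        } elseif ($when < new DateTimeImmutable('today')) {
            $errors[] = 'scheduled_at must not be in the past';
        }
    }
    return $errors;
}

// Constructed sample requests: well-formed, type-correct but semantically invalid, malformed.
$samples = [
    '{"from_account":"A1","to_account":"B2","amount":1500,"currency":"EUR"}',
    '{"from_account":"A1","to_account":"A1","amount":-5,"currency":"XYZ"}',
    '{"from_account":',
];
foreach ($samples as $body) {
    $errors = validate_transfer_request($body);
    echo $errors === [] ? "accepted\n" : 'rejected: ' . implode('; ', $errors) . "\n";
}
```

Returning the full error list rather than failing on the first problem is deliberate for a validator that runs before any business logic; what you send back to an untrusted client is a separate decision, and in production the detailed list usually goes to the log while the client gets a generic 400.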

3. Don’t Overlook the Cryptography

Ensuring data at rest and in transit is encrypted in a secure manner as and when needed is vitally important, and should go without saying. This includes implementing expiration semantics for items like the AuthZ JSON Web Tokens, request forgery tokens, or for validating various cryptographic signatures and certificates used during authorization and by message encapsulation protocols.

4. Avoid Misconfiguration

Deploying an API in a cloud environment or with containers can weaken efforts put into securing your APIs. If you plan to select one of those deployment environments, make sure that they are configured securely. Even the most securely developed application can be weakened by poor deployment practices, and APIs are no different. API security misconfiguration can include a variety of things such as: unpatched systems, unprotected files and directories, unhardened images, missing, outdated, or misconfigured TLS. In fact, OWASP API Top 10 categorized API misconfiguration as API7:2019.

5. Ensure Active Monitoring/Alerting

Successfully monitoring your APIs and ensuring an effective alert system requires several key areas of focus, including:

  • Examine the content: Perform application layer scanning. This will help monitor for someone trying to use SQL injection or another HTTP-based attack. Having a clear understanding of how you are examining traffic coming into your API is essential, but traffic monitoring must also include processes to identify anomalies.
  • Bot/attack detection: Ensure that controls are in place or baked into your APIs to protect against common attack techniques. It’s critical to also be able to identify automated attacks conducted by bots, including brute force attacks.
  • Data throttling: Have a strategy in place on how you will limit API usage for rogue API clients. Excess traffic might not be malicious, but if it impacts operations, your customers will care.
  • Build an audit and trace program: Put in place a tactical auditing process, including auditing logs and meaningful activity alerts. The program should be able to clearly identify the source of any findings such that corrective action is taken. 
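Three of the four areas above (content examination, bot/brute-force detection and throttling decisions) can be prototyped as a pass over the access log before any commercial tooling is in place. The script below is an added example written for this page, not code from the article; the log lines are constructed for the illustration, the format is the Apache/Nginx "combined" format, and the thresholds are assumed values that a real deployment would tune per endpoint.

```php
<?php
// Added example, not from the article: a small detection pass over access log lines.
declare(strict_types=1);

const FAILED_LOGIN_THRESHOLD = 5; // 401s on the login route from one IP (assumed value)
const RATE_THRESHOLD         = 8; // requests from one IP in the sample window (assumed value)

/** Parse one combined-format line into its fields, or null if it does not match. */
function parse_log_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4], 'status' => (int) $m[5]];
}

/** Run the detections over an array of lines. Returns alert strings (empty = nothing crossed a threshold). */
function detect_api_abuse(array $lines): array
{
    $failed_logins = [];
    $requests      = [];
    $injection     = [];

    foreach ($lines as $line) {
        $r = parse_log_line($line);
        if ($r === null) {
            continue; // in production, unparseable lines deserve their own alert
        }
        $requests[$r['ip']] = ($requests[$r['ip']] ?? 0) + 1;

        // Brute force: repeated 401s against the login route from one client.
        if ($r['method'] === 'POST' && strpos($r['path'], '/api/login') === 0 && $r['status'] === 401) {
            $failed_logins[$r['ip']] = ($failed_logins[$r['ip']] ?? 0) + 1;
        }
        // Content check: a crude signature for a quote followed by a SQL keyword in the
        // decoded query string. A WAF ruleset does this properly; this shows the idea.
        if (preg_match('/\'\s*(or|and|union)\b/i', urldecode($r['path']))) {
            $injection[$r['ip']] = true;
        }
    }

    $alerts = [];
    foreach ($failed_logins as $ip => $n) {
        if ($n >= FAILED_LOGIN_THRESHOLD) {
            $alerts[] = "brute force: $ip had $n failed logins";
        }
    }
    foreach ($requests as $ip => $n) {
        if ($n >= RATE_THRESHOLD) {
            $alerts[] = "rate: $ip made $n requests in the window, candidate for throttling";
        }
    }
    foreach (array_keys($injection) as $ip) {
        $alerts[] = "content: $ip sent SQL-injection-like input";
    }
    return $alerts;
}

// Constructed sample log lines (documentation IP ranges, no real traffic).
$sample = [];
for ($i = 0; $i < 6; $i++) {
    $sample[] = "203.0.113.9 - - [28/Apr/2022:10:00:0$i +0000] \"POST /api/login HTTP/1.1\" 401 42";
}
$sample[] = '198.51.100.4 - - [28/Apr/2022:10:00:10 +0000] "GET /api/items?id=1%27%20OR%201=1 HTTP/1.1" 200 512';
$sample[] = '192.0.2.7 - - [28/Apr/2022:10:00:11 +0000] "GET /api/items HTTP/1.1" 200 512';

foreach (detect_api_abuse($sample) as $alert) {
    echo $alert, "\n";
}
```

On the sample above the run reports the brute force from 203.0.113.9 and the injection-like request from 198.51.100.4, while the rate rule stays quiet because no client reached eight requests. The audit-and-trace point in the list is what turns these alerts into something actionable: each alert carries the source IP so that the follow-up (blocking, throttling, or ticketing) can be tied back to the log lines that triggered it.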

Security should be built into your software, and by applying these concepts it will help to ensure a deeper understanding of your APIs and the role they play in your software.