The huge popularity of WordPress has made it an enormous target for criminals and hackers who try to exploit your WordPress site to make a quick buck. It could even just be script kiddies looking to score some internet cred with their peers by defacing your site for kicks. It doesn’t matter how it happens, any form of site compromise is going to cause a serious loss of trust with your clients and could easily spell the end of your brand.
Protecting your website, your clients and your brand is therefore a top priority whenever you deploy a WordPress instance. Unfortunately, hackers have developed sophisticated tools and techniques to exploit WordPress and wreck what you’ve created. The only way to stay ahead is to understand how your WordPress site can be targeted and how to guard against those threats.
In this article, we will look at all the ways that hackers can take advantage of the ways that your WordPress site communicates with the internet and the defenses you can erect to stop them before they do any damage.
Filtering The Bits and Bytes – A Network Firewall
Sending data across the internet is a surprisingly complicated process. There are many “layers”, from the hardware layer at the bottom that defines the physical infrastructure to several software layers above, each of which depends on the ones below. The layers that are of interest to us in this section are the host-to-host layers. In these layers, data such as an image that you send to a friend is split into small chunks called packets. These are routed across the internet from you (the source) to your friend (the destination), where they are re-assembled into the original image you sent.
These data packets all have several characteristics which include:
- Protocol – e.g., TCP, UDP, ICMP and more
- Port – E.g., Web 80/443, Email 110/25
- IP Addresses – The source and destination IPs of the computers that send and receive the packets
A network firewall sits between the network interface and the operating system and inspects each packet as it arrives at the server. It will allow or deny a packet to proceed on to the operating system based on a set of allow and block rules. Packets are discarded if they violate any of the firewall rules.
A network firewall is an indispensable part of a server and WordPress installation as it blocks any unauthorized communication with processes that are accidentally or deliberately listening for malicious traffic. The only traffic that is allowed through to the operating system, and beyond that to WordPress, is traffic that conforms to the strict rules that the firewall imposes.
A properly configured network firewall is a standard part of every internet-connected server. Unfortunately, this does not mean that they are easy to install and manage. In fact, if you only have access to your WordPress instance then managing a firewall is impossible to do right because an effective firewall will not be accessible from inside WordPress.
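To make the allow/deny decision concrete, here is a small first-match packet filter written for this article (not code from any real firewall or from Rocket). The rule set, the TEST-NET addresses and the “SSH only from the admin network” policy are constructed assumptions; the point is that each packet is judged on protocol, port and source IP, and anything no rule allows is dropped.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str     # source IP address
    dst: str     # destination IP address
    dport: int   # destination port (0 for ICMP, which has no ports)

@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    proto: str = "any"             # "any" matches every protocol
    src: str = "0.0.0.0/0"         # source network in CIDR notation
    dport: Optional[int] = None    # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        return self.dport is None or self.dport == pkt.dport

# Constructed rule set for a typical WordPress host. Rules are evaluated top to
# bottom and the first match wins; the final catch-all rule makes it default-deny.
RULES = [
    Rule("allow", "tcp", dport=80),                        # HTTP
    Rule("allow", "tcp", dport=443),                       # HTTPS
    Rule("allow", "tcp", src="203.0.113.0/24", dport=22),  # SSH only from the admin network (assumed)
    Rule("allow", "icmp"),                                 # ping / path MTU discovery
    Rule("deny"),                                          # everything else is discarded
]

def filter_packet(pkt: Packet, rules=RULES) -> str:
    """Return "allow" or "deny" for one packet using first-match semantics."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"  # no rule matched at all: still default deny
```

Note that the database port (3306) and any stray listening process are unreachable simply because no rule mentions them, which is exactly the protection the text describes.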
Filtering The Web Requests – A Web Application Firewall
Hackers have extended their arsenal with a sophisticated method of network attack where they craft malicious web requests to attack your WordPress site. These web requests do not violate any of the network firewall’s rules, so they are allowed through to interact with your WordPress site, where they can cause serious harm.
To understand how malicious web requests work, first consider how web requests have grown in complexity over the years. Before active web technologies like PHP, a web request was very simple and looked like the following:
This request breaks into parts as follows:
http:// – The request is using the HTTP protocol.
www.example.com – The hostname that resolves to the webserver’s IP address.
index.php – The file being requested.
As you can see, this request is very straightforward. When you wanted to secure a website you simply created a blocklist of files that were private so the webserver would refuse to serve them. There wasn’t much else to it.
As website technology has gotten more complicated the opportunities to exploit these complexities have also increased.
One example of such a malicious request is known as an SQL injection attack. This type of attack attempts to read sensitive information from, or modify, the WordPress database. It does this by crafting a web request that a PHP script will process and, if the script has not been written to check its inputs, the request will allow the attacker to read from or write to the WordPress database.
Let’s take a look at a simple SQL injection attack web request. For example, imagine a login form that is sent to the client’s browser. When they fill in the form it sends a web request back to the server that contains the account username they entered. In this example request, the username ID is JohnSmith, which gives us a web request that looks like this:
If the PHP script on the server takes this input and does not check its validity, it can lead to serious problems. For example, a hacker could try to send the following malformed URL which has no ID at all, e.g.:
This simple change, omitting the customer ID and replacing it with a ', has a special significance in SQL, the language of databases. It may cause a badly written script to send back a full listing of the customer database, perhaps including passwords and other sensitive information. This is obviously a disaster.
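The difference between a script that pastes the username into its query and one that checks and binds its input can be shown with a few lines of Python and an in-memory SQLite table; this is an added illustration, not WordPress’s own code, and the users table and its two rows are constructed for the example. With the username JohnSmith both lookups behave the same; with the bare ' from the malformed URL, the vulnerable query treats the quote as SQL syntax and fails, while the parameterized query simply matches it as a literal username and returns nothing.

```python
import sqlite3

def setup_db() -> sqlite3.Connection:
    # Constructed stand-in for the WordPress users table (two sample rows).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT)")
    conn.executemany(
        "INSERT INTO users (user_login, user_email) VALUES (?, ?)",
        [("JohnSmith", "john@example.com"), ("admin", "admin@example.com")],
    )
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, username: str):
    # The request parameter is pasted straight into the SQL text, so a quote in
    # the input becomes part of the query's syntax instead of part of the value.
    sql = "SELECT user_login, user_email FROM users WHERE user_login = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn: sqlite3.Connection, username: str):
    # Parameter binding: the driver sends the value separately from the SQL
    # text, so whatever the request contains is matched literally as a username.
    sql = "SELECT user_login, user_email FROM users WHERE user_login = ?"
    return conn.execute(sql, (username,)).fetchall()

def demo(username: str) -> dict:
    """Run both lookups on the same input and report what each one does."""
    conn = setup_db()
    try:
        vulnerable = lookup_vulnerable(conn, username)
    except sqlite3.Error as exc:
        # The quote was interpreted as SQL; a real site that echoes this error
        # back to the client would also be leaking details of its database.
        vulnerable = "SQL error: " + str(exc)
    return {"vulnerable": vulnerable, "safe": lookup_safe(conn, username)}

if __name__ == "__main__":
    print(demo("JohnSmith"))
    print(demo("'"))
```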
So how do you protect yourself against these forms of attack?
This is where a Web Application Firewall (WAF) comes in. A WAF is placed between the internet and WordPress and inspects every web request as it arrives at the server. If it finds a request that is malformed, like the one above, or that violates its list of rules, it blocks that request from reaching your WordPress site. A WAF effectively defeats whole classes of common programming errors that can easily compromise a WordPress site; without it, you would have to check every PHP file on your site for those errors.
Obviously, that is only one example of a malicious request from a huge and rapidly evolving range of possibilities. Keeping a WAF truly effective is an ongoing challenge of adding rules that keep pace with the hackers. Just like a network firewall, a WAF is a technically challenging proposition to set up and, more importantly, to maintain.
Stopping The Bots – Bruteforce Protection and reCAPTCHA
The final layer of effective network defense is to stop automated attacks against your WordPress admin panel login page. These attacks are launched by programs that are commonly called “bots” taken from the word robot. Bots are used by hackers because they work tirelessly and in huge numbers to launch coordinated attacks.
The most common method of attacking a login page is a brute-force attack. This tries to guess usernames and passwords so the attacker can log into your WordPress site.
A bruteforce attack works by trying very many different username and password combinations. Usually, these will be combinations of the most popular usernames, such as admin and root, along with the most common passwords, such as “123456”. A bruteforce attack would start by submitting the following username and password combinations:
- admin : 123456
- admin : passw0rd
- admin : letmein
- admin : qwerty
- root : 123456
- root : passw0rd
- root : letmein
- root : qwerty
And continue from there trying less and less common combinations.
The bot will try anywhere from a few hundred to many thousands of combinations, depending on how it is configured. Bruteforce protection notices all the failed logins and then blocks any further requests coming from the IP addresses submitting the bogus login requests. This is an essential safeguard because WordPress users will often choose weaker passwords when they are allowed to choose their own.
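The detection side of that protection is simple enough to show in full. The function below, written for this article rather than taken from any plugin, reads a constructed sample of a WordPress login log (timestamp, client IP, username, result) and returns the IPs that reached five failures inside a ten-minute window. Failures are counted per IP rather than per username, so a bot that rotates through admin and root, as in the list above, is still caught; the thresholds and the log format are assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample login log: ISO timestamp, client IP, username, result.
# 198.51.100.7 behaves like the bot described above, rotating usernames;
# 203.0.113.5 is a real user who mistyped once and then logged in.
SAMPLE_LOG = """\
2024-05-01T10:00:01 198.51.100.7 admin FAIL
2024-05-01T10:00:02 198.51.100.7 admin FAIL
2024-05-01T10:00:02 198.51.100.7 admin FAIL
2024-05-01T10:00:03 198.51.100.7 root FAIL
2024-05-01T10:00:04 198.51.100.7 root FAIL
2024-05-01T10:00:05 198.51.100.7 root FAIL
2024-05-01T10:00:09 203.0.113.5 editor FAIL
2024-05-01T10:00:30 203.0.113.5 editor OK
2024-05-01T10:20:00 192.0.2.44 admin FAIL
"""

def parse_line(line: str):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result

def find_blocked_ips(log_text: str, max_failures: int = 5,
                     window: timedelta = timedelta(minutes=10)) -> dict:
    """Return {ip: time_of_block} for every IP that reached `max_failures`
    failed logins within `window`, regardless of which usernames it tried."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent failures
    blocked = {}
    for line in log_text.splitlines():
        ts, ip, _user, result = parse_line(line)
        if ip in blocked:
            continue              # already blocked: later requests are dropped
        if result != "FAIL":
            continue              # only failures count toward the threshold
        failures = recent[ip]
        failures.append(ts)
        while failures and ts - failures[0] > window:
            failures.popleft()    # forget failures older than the window
        if len(failures) >= max_failures:
            blocked[ip] = ts      # threshold hit: block from this moment on
    return blocked

if __name__ == "__main__":
    print(find_blocked_ips(SAMPLE_LOG))
```

In a real deployment the returned IPs would be handed to the network firewall or the WAF for a timed block; a single failure, like the editor’s typo, never trips the rule.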
Bruteforce attacks are not the only thing bots are used for. They are also employed to probe your site for weaknesses, exposed sensitive files, or plugins and themes that can be compromised.
These bots can be stopped in their tracks by Google’s industry-standard anti-fraud and anti-abuse tool called reCAPTCHA. reCAPTCHA automatically sorts humans from malicious bots, allowing the humans through to visit your site and turning bots away. This usually happens invisibly and seamlessly for the human user, while bots are stopped before they reach your website, where they would try their best to break in.
But How Do I Do All Of This?
If you don’t have the time, expert technical knowledge, or budget to configure and maintain a network firewall, WAF, bruteforce detector and reCAPTCHA, then you should leave it to the experts like Rocket. Rocket are a managed WordPress hosting provider that gets security. They include all of these essential security tools as standard on every WordPress install.
All you need to do is sign up, launch a WordPress site and a few seconds later start creating.