We manage and host several WordPress sites in both development and production scenarios. WordPress is one of the leading CMSs on the web, and as a result it is a prime target for attackers.
In this post we discuss the attacks we have to mitigate regularly and some general practices we use to minimize the risk. We are not going into every configuration option, for obvious reasons, but you may still get something out of this.
WordPress Attack Vectors
Admin login attempts – This is relatively common and probably the easiest to defend at a basic level: non-standard admin usernames, strong passwords, and two-factor authentication. We will discuss more advanced options later in the post.
Querying the /Autodiscovery/Autodiscovery.XML URL – This is strange, but it is the second most frequent request we see. It does not affect Linux, as it appears to be related to the autodiscovery feature of Microsoft Outlook and Exchange. If you know more, post in the comments. In our case there is no directory anywhere on the server that matches this path.
xmlrpc.php – This is the interface many third-party clients use to talk to your WordPress site; clients that let you publish or edit a post from your iPad or desktop use xmlrpc.php to do so. As a result, we see many attempts to compromise the site through this endpoint. You can disable this functionality, but then you will not be able to publish blog posts unless you are working directly on the site.
Prevention: Here are some of the ways we protect our WordPress sites, from basic to advanced.
Basic
Wordfence: This is a server-based web application firewall designed explicitly for WordPress that you can configure to your needs. Every WordPress install should have this plugin for protection. If you are running in a shared environment you can still install it, as long as you are able to install plugins.
If you are an admin responsible for a WordPress site, this is a must regardless of where the site is hosted.
The caveat is that Wordfence runs at the WordPress level, not the server level, so your server could still be compromised even if your WordPress installation is not.
Advanced – AWS Specific
Production is immutable – We don't update WordPress in production; our instances are built from AMIs (Amazon Machine Images). When it is time to update production, the existing AMIs are replaced with new ones that have been created and tested in the dev environment. We use a launch configuration and create a new version of it with the new AMIs.
ALB’s – Application Load Balancers
Our web servers sit behind the ALB and are configured to accept traffic only from the load balancers.
WAF – Web Application Firewall
The WAF sits in front of the ALB and screens all traffic before it is sent to the ALB. AWS provides managed rules that we include in the WAF ruleset; these determine what traffic is allowed through. We also have a country-block rule that drops traffic from countries such as Russia, China, and other states known for hosting bad actors.
Note: On production we have no whitelisted IP addresses, so even administrators cannot make WordPress changes there. On development we do whitelist IP addresses for developers and admins.
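As an added example (not the post's own configuration), here is how the WAF layer described above can be built with boto3: a REGIONAL web ACL holding the AWS managed Common, Linux and WordPress rule groups plus a geo-match block rule, attached to the ALB. The ACL name, the two-country block list and the ALB ARN placeholder are assumptions; the rule group names are the ones AWS publishes for the WAFv2 API.

```python
# Rule group names as published by AWS for the WAFv2 API; the country list is a constructed example.
MANAGED_GROUPS = ["AWSManagedRulesCommonRuleSet",
                  "AWSManagedRulesLinuxRuleSet",
                  "AWSManagedRulesWordPressRuleSet"]
BLOCKED_COUNTRIES = ["RU", "CN"]


def _visibility(metric_name):
    """Every rule, and the ACL itself, needs a VisibilityConfig for CloudWatch metrics."""
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": metric_name}


def build_rules(managed_groups=MANAGED_GROUPS, blocked_countries=BLOCKED_COUNTRIES):
    """Return the Rules list for wafv2.create_web_acl; priorities must be unique."""
    # Country block first, so blocked traffic is dropped before the managed groups run.
    rules = [{
        "Name": "block-countries", "Priority": 0,
        "Action": {"Block": {}},
        "Statement": {"GeoMatchStatement": {"CountryCodes": blocked_countries}},
        "VisibilityConfig": _visibility("block-countries"),
    }]
    for prio, group in enumerate(managed_groups, start=1):
        rules.append({
            "Name": group, "Priority": prio,
            # Managed groups carry their own block actions; OverrideAction None keeps them,
            # whereas {"Count": {}} would downgrade the whole group to monitor-only.
            "OverrideAction": {"None": {}},
            "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": group}},
            "VisibilityConfig": _visibility(group),
        })
    return rules


def deploy(alb_arn, acl_name="wordpress-waf"):
    """Create the REGIONAL web ACL (the scope used for ALBs) and attach it to the ALB."""
    import boto3  # imported here so build_rules() works without AWS credentials
    waf = boto3.client("wafv2")
    acl = waf.create_web_acl(Name=acl_name, Scope="REGIONAL", DefaultAction={"Allow": {}},
                             Rules=build_rules(), VisibilityConfig=_visibility(acl_name))
    waf.associate_web_acl(WebACLArn=acl["Summary"]["ARN"], ResourceArn=alb_arn)
    return acl["Summary"]["ARN"]


if __name__ == "__main__":
    # Placeholder ARN: substitute the real ALB ARN before running.
    print(deploy("arn:aws:elasticloadbalancing:REGION:ACCOUNT:loadbalancer/app/PLACEHOLDER/ID"))
```

The WordPress rule group is the one that, per the statistics later in the post, does most of the blocking; the Common and Linux groups cover the generic Linux-targeted attacks.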
CloudFront – This is a CDN that caches web pages at various AWS edge locations in North America and Europe. Our DNS record points to the CloudFront URL, and if a page has not changed within the configured time it is served from the CloudFront cache. Using CloudFront also speeds up page retrieval times for your site.
With CloudFront you also get the benefit of AWS's security tool, AWS Shield, which reduces the impact of DDoS attacks, since AWS is responsible for the security of the edge locations.
To give you an idea of what we are dealing with, below is a graphic showing WAF blocking statistics for the last two weeks. As you can see, the WordPress-specific rule had the most blocks, as WordPress was targeted directly. The common rules are Linux-specific and prevent the most widely used attacks against Linux. The country blocks are the predefined countries we chose to block. Some attempts get past the WAF and are blocked by Wordfence, so the total attack numbers are greater than the ones shown here.