Security 101

Security is easy to overlook or take for granted when working with shared and managed WordPress hosting providers. Some things are handled by the provider behind the scenes, while others are simply not possible due to platform constraints or plugin restrictions.

When self-hosting WordPress, things are a bit different. Security is now your responsibility, along with the great power that comes with it. There are plenty of techniques, tools, plugins, and services available. We'll cover some of them in this module.

WordPress attack surface

Before diving into specifics, it's important to understand the "attack surface" of a WordPress site. This includes everything required to run it:

  • Application layer: WordPress core, plugins, and themes
  • Server layer: OS, PHP, Nginx, MariaDB/MySQL, phpMyAdmin, SSH
  • Network layer: firewalls, DNS, SSL/TLS
  • Human layer: passwords, SSH keys

Attackers don't need to compromise all of these. One weak point is often enough, and can lead to a full site or even server compromise. Unfortunately, there is no single solution that addresses all these layers; each must be dealt with individually.

Common attack vectors

Let's explore some common attack vectors against WordPress sites and hosting environments. These are usually automated large-scale botnet attacks that happen to land on your domain, rather than target it specifically.

Authentication

This is by far the most common attack on WordPress sites. Large distributed botnets maintain lists of millions of WordPress domains and hit wp-login.php or xmlrpc.php using leaked password databases, attempting to find a match.

Even with very strong passwords and two-factor authentication, this type of attack is annoying: it targets routes that can't be cached effectively, forcing WordPress to load the entire environment, themes, and plugins just to perform a password check.

With a plugin-heavy site, this can quickly become a performance bottleneck, even if there's little risk of someone actually getting in. All PHP workers may end up busy comparing password hashes, leaving your real users waiting.

Similar brute force attacks often target SSH, MySQL, phpMyAdmin, and other software.

Vulnerable core, plugins, and themes

Open source is a double-edged sword. A patched vulnerability in a plugin or theme can be quickly reverse engineered into a working exploit. A single outdated plugin can expose the entire site.

Plugins and themes from shady WordPress and WooCommerce marketplaces, and "nulled" (pirated) software, are almost guaranteed to contain backdoors.

File uploads

This attack is common on websites that accept uploads: resume/CV submissions, contact forms, support forms, and more. Lack of validation, unfiltered MIME types, and improper permissions can allow attackers to sneak executable scripts onto your server.

Automated input exploits are also common, with bots filling out comment forms with spam links or triggering trackback/pingback spam.
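As an added example (not part of this module), one Nginx configuration that addresses both of the vectors above at the web server, before PHP is ever invoked: throttling wp-login.php, refusing xmlrpc.php, and refusing to execute PHP from the uploads directory. The hostname, document root and PHP-FPM socket path are placeholders to adjust for your server.

```nginx
# Constructed example, not from the module. Assumes PHP-FPM on a unix socket
# and a standard WordPress document root; paths below are placeholders.

# limit_req_zone must live in the http {} context (e.g. conf.d/ratelimit.conf).
# One shared state per client IP, 10 MB of state, 1 request/second.
limit_req_zone $binary_remote_addr zone=wplogin:10m rate=1r/s;

server {
    listen 443 ssl;
    server_name example.com;    # placeholder
    root /var/www/example.com;  # placeholder
    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Throttle the login endpoint. Requests beyond the burst get a 429 from
    # Nginx instead of a full WordPress bootstrap per password guess.
    location = /wp-login.php {
        limit_req zone=wplogin burst=5 nodelay;
        limit_req_status 429;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;  # placeholder
    }

    # XML-RPC is only needed by a few clients (e.g. Jetpack, mobile apps).
    # If you do not use them, refuse it outright; deny all costs no PHP worker.
    location = /xmlrpc.php {
        deny all;
    }

    # Never execute PHP from the uploads directory, whatever an upload form
    # let through. Regex locations match in order, so this must precede the
    # generic PHP handler below.
    location ~* ^/wp-content/uploads/.*\.(php[0-9]*|phtml|phar)$ {
        deny all;
    }

    location ~ \.php$ {
        # Reject requests whose script does not exist as a file; this also
        # stops /uploads/image.jpg/x.php style path-info tricks.
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;  # placeholder
    }
}
```

Check the effect with `nginx -t` and then by watching the access log while hitting /wp-login.php in quick succession: the sixth request within a second should return 429 rather than 200.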

Server and infrastructure

These attacks may target outdated or vulnerable server software, such as Nginx, OpenSSL, PHP, and various extensions or libraries. An open mail relay is another thing spammers love to find. Some attacks even target the underlying infrastructure, such as AWS or GCP credentials, cPanel passwords, and more.

We've already covered some aspects of server security in the Server Hygiene module, including firewall configuration, SSH brute force protection, and unattended upgrades.

While less common for sites that aren't directly targeted, denial of service and resource exhaustion are still real threats, sometimes aimed at a neighbor or the underlying infrastructure.

These are just some of the common attack vectors that happen daily at massive scale. Patchstack and Sucuri report that last year alone there were nearly 8,000 new vulnerabilities in the WordPress ecosystem. With so many different entry points, it's impossible to eliminate risk entirely.

This article is for premium members only. One-time payment of $96 unlocks lifetime access to all existing and future content on wpshell.com, and many other perks.