
Reducing Your Attack Surface

The attack surface is the sum of all the different points where an attacker can try to gain entry into your system, extract data, or add/modify data. For a WordPress website, your attack surface would include things like:

  • Login function
  • Weak passwords
  • Commenting
  • Custom forms you may have on your website
  • Defective plugins with security vulnerabilities
  • Unused themes
  • Unused plugins
  • etc.

Reducing your attack surface means reducing the number of ways an attacker can get in.

Speaking of unused plugins, have you deleted the “Hello Dolly” plugin that ships with every WordPress install? Hackers like to hide backdoors in unused code that might be lying around. Deactivating is not enough: a deactivated plugin’s (or an unused theme’s) files stay on disk under wp-content, where they can still be requested directly by URL and still be modified by anyone who gains write access. Deleting it is probably the fastest way to reduce your attack surface.

There are two other attack surfaces I want to bring to your attention:

XML-RPC Interface

XML-RPC (the xmlrpc.php endpoint) is the interface behind WordPress’ pingback function (trackbacks use a separate endpoint, wp-trackback.php). It is also the remote-publishing interface: if you are using the WordPress mobile app to manage your blog from a mobile device, the app talks to your WordPress website over XML-RPC.

The XML-RPC interface can also be abused to make your website an unwitting participant in a Distributed Denial of Service (DDoS) attack: the pingback.ping method makes your server fetch whatever URL the caller names, so thousands of WordPress sites can be pointed at a single victim. It can also be used for very high-speed password guessing (a brute force attack): the system.multicall method bundles many calls into one HTTP request, so a single POST can carry hundreds of login attempts.

It’s easy to disable XML-RPC and I recommend doing so. There is a plugin available in the WordPress repository named “Disable XML-RPC”; install and activate it. The one caveat is the mobile app mentioned above: it depends on XML-RPC, so once the interface is disabled you will have to manage the site through the dashboard instead.
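The same outcome without a plugin, as an added example (this is not code from the post or from the Disable XML-RPC plugin): a must-use plugin built on WordPress’ own filters. It also goes one step beyond the post by removing just the two methods behind the attacks described above, so the mobile app keeps working if you need it. The file name and the mu-plugins location are assumptions; the filter and action names are core WordPress ones.

```php
<?php
/**
 * Plugin Name: Harden XML-RPC (added example)
 *
 * Save as wp-content/mu-plugins/harden-xmlrpc.php (assumed location; any
 * file in mu-plugins loads automatically and cannot be switched off from
 * the dashboard).
 */

// Full shutdown, matching what the post recommends. Comment this line out
// if you rely on the mobile app. Caveat: 'xmlrpc_enabled' only gates
// methods that require a login, so unauthenticated pingback.ping keeps
// working and the DDoS vector survives unless the removal below stays in.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Targeted removal, safe to keep either way. These are the two methods
// behind the attacks in the post:
//   pingback.ping    : makes this site fetch an attacker-chosen URL
//   system.multicall : packs hundreds of login attempts into one request
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'], $methods['system.multicall'] );
    return $methods;
} );

// Stop advertising the endpoint: drop the X-Pingback response header and
// the RSD discovery <link> in <head>, both of which point at xmlrpc.php.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );
```

After installing, a POST to /xmlrpc.php calling pingback.ping or system.multicall should come back with a "requested method ... does not exist" fault, and the X-Pingback header should be absent from normal page responses; checking both is the quickest way to confirm the file is actually being loaded.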

REST API

The REST API was added to WordPress core in version 4.7 and provides the facilities for managing your blog/website remotely, among other things. Vulnerabilities were discovered in the WordPress REST API, resulting in the release of versions 4.7.2 and 4.7.3. If you are not already running 4.7.3 or later, I urge you in the strongest terms to update now.

If you manage a server on the internet, you know that a best practice is to close every port and service you won’t reasonably be using (reducing the attack surface). Likewise, unless you have a specific application for the REST API, I recommend disabling it.

The best we can do without getting too technical is to install a plugin that disables the REST API for everyone who is not a logged-in user of your website. That plugin is “Disable REST API”, and it is available in the WordPress repository. One caveat: anything that needs the API on behalf of anonymous visitors (some contact-form plugins submit their forms over it, for instance) will stop working, so check the public side of your site after activating the plugin.
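What that plugin does, as an added example that is not the plugin’s own code: a must-use plugin using the 'rest_authentication_errors' filter, the pattern the WordPress REST API handbook documents for requiring authentication on every request. It also adds the thing you will want the moment a front-end feature breaks: an allow-list of route prefixes that stay public. The file name, the example_public_rest_prefixes() helper and the commented '/contact-form-7/' prefix are assumptions for illustration.

```php
<?php
/**
 * Plugin Name: REST API for logged-in users only (added example)
 *
 * Save as wp-content/mu-plugins/restrict-rest-api.php (assumed location).
 * WordPress applies 'rest_authentication_errors' to every REST request
 * before the route is dispatched, so one filter covers the whole API.
 */

// Route prefixes that anonymous visitors may still call. Empty by default;
// the commented entry is a hypothetical example of what you would add for a
// front-end form plugin that submits over the REST API under that namespace.
function example_public_rest_prefixes() {
    return array(
        // '/contact-form-7/',
    );
}

add_filter( 'rest_authentication_errors', function ( $result ) {
    // Another callback already authenticated (true) or rejected (WP_Error)
    // this request; leave its decision alone.
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }

    // Cookie-based login has already been evaluated at this point, so a
    // dashboard session (including the block editor's requests) passes.
    if ( is_user_logged_in() ) {
        return $result;
    }

    // Anonymous request: allow only the explicitly public route prefixes.
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? $GLOBALS['wp']->query_vars['rest_route']
        : '';
    foreach ( example_public_rest_prefixes() as $prefix ) {
        if ( 0 === strpos( $route, $prefix ) ) {
            return $result;
        }
    }

    // Everything else gets a 401 before any endpoint code runs.
    return new WP_Error(
        'rest_not_logged_in',
        __( 'You are not currently logged in.' ),
        array( 'status' => 401 )
    );
} );

// Stop advertising the API: the <link rel="https://api.w.org/"> tag in
// <head> and the matching Link: response header both point at the REST root.
remove_action( 'wp_head', 'rest_output_link_wp_head', 10 );
remove_action( 'template_redirect', 'rest_output_link_header', 11 );
```

With this in place, an anonymous request to /wp-json/wp/v2/users (the endpoint commonly used to enumerate account names) returns a 401 JSON error instead of the user list, while a logged-in browser session still gets the normal responses. Add a prefix to the allow-list only when you have confirmed a public feature really needs it.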
