WordPress Website Security. A few years back website security was a relatively minor issue. Today it’s a major, growing problem for site owners and their host providers. Most intrusions come via automated malware-type bots that attack sites on a regular basis. It’s worse if you’ve done good work around SEO to get more traffic and sales, which will bring in both good and bad traffic. Sadly you can’t have one without the other…
Below is an example from one of our client sites showing a tenfold increase in bot traffic over several days. Any weakness on your part, or your host's, will have dire consequences.
So, what are these bots trying to do?
According to the 2013 DBIR report, most security attacks required no special resources to perform; in fact only 1 out of 621 confirmed breach cases used sophisticated hacking methods. Most attacks were opportunistic in nature, i.e. there was never a specific target, just an easy one. So, what’s required to ensure your site is not an easy target?
FIX THE BAD SERVER ENVIRONMENT FOR WORDPRESS WEBSITE SECURITY.
Use a local host provider running the latest software and hardware
Not all web hosting providers are created equal and, in fact, hosting vulnerabilities account for a huge percentage of WordPress sites being hacked. When choosing a web hosting provider, don’t simply go for the cheapest you can find which seems to be the trend today as everyone assumes every host offers the same technology and services.
Cheaper shared hosts not only have very erratic performance on slow hardware, but typically run outdated server software too, opening up security issues. For example, ask if they are running the latest Apache (2.2), MySQL (5.5) and PHP (5.4) versions. This is the server ‘software stack’ that WordPress needs to run on. Older versions may work, just not as well.
A key item is the version of PHP you are given (and unless you run your own VPS, you’ll seldom get a choice). Many cheap hosts are still using PHP v5.2, an old, end-of-life product that has had no security updates since 2011. Even PHP v5.3, which most hosts are only now upgrading to, is not the latest version; it was released in 2009, when most of us were still using Windows XP or Vista.
Typical of most are major providers like Hostgator, who still run v5.2. V5.3 is an option, but not 5.4 or later. For WordPress sites you want at least v5.3.27, or preferably v5.4.20; both are well supported, provide higher performance and are more secure. Most budget hosting companies like Hostgator, Net24 and Openhost tend to be conservative/lazy, avoiding updates because of the support overhead they often generate.
The security and performance benefits of running the latest web server software are substantial. WordPress 3.7+ is industry-leading software that runs best on the latest technology. Issues will only arise if you have a badly coded theme or plugins, or are running an old version of WordPress, all of which you need to know about and fix asap…
FIX POOR USER ADMINISTRATION FOR WORDPRESS WEBSITE SECURITY.
1. Strengthen up those passwords
According to this infographic, around 8% of hacked WordPress websites are down to weak passwords. If your WordPress administrator password is anything like ‘letmein’, ‘abc123’, or ‘password’ (all way more common than you might think!), you need to change it to something secure as soon as possible.
2. Never ever use “admin” as your username
...or administrator, or your domain name. In April 2013 there was a spate of brute-force attacks launched at WordPress websites across the web, consisting of repeated login attempts using the username ‘admin’ combined with a bunch of common passwords. If you use “admin” as your username and your password isn’t strong enough, then your site is very vulnerable to a malicious attack. It’s strongly recommended that you change your username to something less obvious.
Fixing this is simply a case of creating a new administrator account for yourself using a different username, logging in as that new user and deleting the original “admin” account. If you have posts published by the “admin” account, when you delete it, you can assign all the existing posts to your new user account.
3. Don’t use an admin level for day to day site editing
When establishing a new site, most people naturally use admin level access, but then continue to use this same login for day to day editing too. After the site is set up and the design finalised, it’s better to have a separate editor account for day to day editing and site updates. Admin level should only be used for site maintenance purposes. Make sure all articles or posts are set as written by this editor account.
4. Have a secure home / business PC
Seldom mentioned, but one of the other avenues for getting your website logins is your own PC. Nastier viruses can look at your browser or PC files to gather up your credentials, giving them admin access to your site and/or hosting account. This happened to me a couple of years back: a key password file was accessed, ultimately destroying a dozen client sites. It took me days to sort out. And I was running the [free] AVG antivirus program thinking it would protect me. I now use a professional paid-for version. e.g.
5. Keep a backup
I can’t overemphasize the importance of making regular backups of your website. Don’t just rely upon your host company for this. Many people put off backups until it’s too late. Even with the best security measures at your disposal, you never know when something unexpected could happen that might leave your site open to an attack and corruption of data. If that happens you want to make sure all of your content is safely backed up.
There are many good backup tools available. UpdraftPlus is a free one I like, with the files sent to my free Dropbox account. However, if you want a set-and-forget solution, go with VaultPress; it is not free, but is probably the best WP backup system out there.
http://wordpress.org/plugins/updraftplus/
http://www.dropbox.com
http://wordpress.org/plugins/vaultpress/
FIX ANY SOFTWARE VULNERABILITIES FOR WORDPRESS WEBSITE SECURITY.
1. Update all the things
Running updated software is important at both the host server and the WordPress application. Every new release of WordPress will contain patches and fixes that address real or potential vulnerabilities. If you don’t keep your website updated with the latest version of WordPress, you may be leaving yourself open to attacks, though the risk of WordPress itself having a security issue is small these days, especially if you’re running v3.7 or later.
Many hackers will intentionally target really old (2.6-3.5) versions of WordPress with known security issues, so keep an eye on your Dashboard notification area. The same applies to themes and plugins. Update to the latest versions every few months, and immediately when there is talk of security-related issues. But do a backup of your site first: updates occasionally break things. (Quite rare compared with other systems, but it can occur.)
2. Add in Security plugin(s)
In the case of a hacker or a bot attempting a brute-force attack to crack your password, it can be useful to limit the number of failed login attempts from a single IP address. Limit Login Attempts does just that, allowing you to specify how many retries will be allowed, and how long an IP will be locked out for after too many failed login attempts.
But there are ways around this, as most attackers now use a large number of different IP addresses, so each one stays under the per-IP limit. Other, more powerful security and firewall plugins like Wordfence work well here, doing everything Limit Login Attempts does and much more.
http://wordpress.org/plugins/wordfence/
https://wordpress.org/plugins/better-wp-security/
http://wordpress.org/plugins/wp-security-scan/
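To make the two points above concrete (a per-IP lockout catches one address hammering the login page; an attacker spread across many addresses slips under it), here is a small detection script that reads a combined-format web server access log and flags both patterns. It is an added example written for this article, not code from the original post or from the Limit Login Attempts or Wordfence plugins. The log lines are constructed sample data, and the thresholds (5 attempts per IP, or 10 distinct IPs, inside a 10-minute window) are assumptions you would tune to your own traffic.

```python
"""Detect wp-login.php brute force in a combined-format access log.

Added example for this article; it is not code from the original post nor
from the Limit Login Attempts or Wordfence plugins. It flags two patterns:
  1. one IP hammering wp-login.php (what a per-IP lockout catches), and
  2. many distinct IPs each trying a few times against the same site inside
     a short window (the distributed pattern a per-IP limit misses).
The log lines are constructed sample data, not a real server log, and the
thresholds (5 attempts / 10 distinct IPs per 10 minutes) are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format with Apache's default timestamp.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_login_posts(lines):
    """Yield (timestamp, ip) for every POST to wp-login.php; ignore the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        if not m.group("path").startswith("/wp-login.php"):
            continue
        yield datetime.strptime(m.group("ts"), TS_FMT), m.group("ip")


def per_ip_offenders(events, max_attempts=5, window=timedelta(minutes=10)):
    """Return the IPs that exceed max_attempts login POSTs inside any window.

    This is the signal a Limit Login Attempts style lockout keys on.
    """
    by_ip = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(ts)
    offenders = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over this IP's attempts
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > max_attempts:
                offenders.add(ip)
                break
    return offenders


def distributed_attack(events, min_ips=10, window=timedelta(minutes=10)):
    """True if at least min_ips distinct IPs POST to wp-login.php in one window.

    Each address can stay under the per-IP limit, so the count is kept per
    site rather than per address.
    """
    events = sorted(events)
    start = 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        if len({ip for _, ip in events[start:end + 1]}) >= min_ips:
            return True
    return False


def sample_log():
    """Constructed sample: one noisy IP, a dozen single-attempt IPs, one page view."""
    base = datetime(2013, 10, 20, 3, 0, 0)  # constructed date
    login = '{ip} - - [{ts}] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"'

    def stamp(d):
        return d.strftime("%d/%b/%Y:%H:%M:%S") + " +0000"

    lines = [login.format(ip="198.51.100.7", ts=stamp(base + timedelta(seconds=15 * i)))
             for i in range(8)]
    lines += [login.format(ip="203.0.113.%d" % (i + 1), ts=stamp(base + timedelta(seconds=30 * i)))
              for i in range(12)]
    # An ordinary page view that the parser must ignore.
    lines.append('192.0.2.9 - - [20/Oct/2013:03:00:05 +0000] "GET /about/ HTTP/1.1" 200 8814 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    events = list(parse_login_posts(sample_log()))
    print("login POSTs:", len(events))
    print("per-IP offenders:", sorted(per_ip_offenders(events)))
    print("distributed attack:", distributed_attack(events))
```

Run against the constructed sample, the per-IP check names only 198.51.100.7, while the twelve 203.0.113.x addresses with one attempt each are invisible to it and only show up in the site-wide distinct-IP count. That second count is the kind of signal a firewall plugin or a DNS-level filter works from, and it is why a per-IP lockout on its own is not enough.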
Be well aware that WordPress security plugins, although they have an important place, are NEVER enough to resolve all security issues or stop a nastier bot attack from taking down your website; a side effect is that they can also slow your site down in normal use from the monitoring alone. The value of security plugins is often ‘oversold’, with many believing it’s all they need. Sorry, if you’re told this, the person is either lying or ignorant of the facts. Some host companies specialising in WordPress, seeing the proliferation of security plugins and the problems they can generate, have started banning many of them.
There are in fact better ways to harden WordPress installations than just relying upon plugins: protection done at the level below WordPress and its plugins, namely the host server software, configuration and network layers. Talk to your host company or developer about this.
3. Try to avoid free WordPress templates
As a general rule, it’s better to avoid using free themes, if possible, especially if they aren’t built by a reputable developer.
The main reason for this is that free themes can often contain things like base64 encoding, which may be used to sneakily insert spam links into your site, or other malicious code that can cause all sorts of problems. 8 out of 10 sites reviewed on one WordPress theme directory site pushing free themes contained base64 coding. If you really need to use a free theme, you should only use those developed by trusted theme companies, or those available on the official WordPress.org theme repository.
Note: The same logic applies to plugins. Only use plugins that are listed on WordPress.org or built by a well-established developer. If you’re uncertain whether a theme/site contains spam, enter the URL at www.sucuri.net.
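Before installing a theme or plugin from outside the official repository, you can do a first pass yourself for the base64 trick described above. The script below is an added example written for this article; it is not the author's code and not a Sucuri tool. It walks a theme directory and reports every PHP line that calls base64_decode() or a similar decode/execute function, or that carries a long unbroken base64-looking string. The two-file sample theme it scans is constructed inside a temporary directory, and the 80-character blob threshold is an assumption. A hit is a reason to read that code by hand, not proof of malware: legitimate plugins also call base64_decode.

```python
"""Flag obfuscation indicators in a WordPress theme or plugin directory.

Added example for this article; it is not the author's code and not a
Sucuri tool. It walks a directory, and for each .php file reports lines
containing the tell-tales the article warns about: base64_decode() and
similar decode/execute calls, and long unbroken base64-looking strings.
A hit is a reason to read the code, not proof of malware: legitimate
code also calls base64_decode, so review each finding by hand.
The sample theme is constructed here in a temporary directory.
"""
import base64
import os
import re
import shutil
import tempfile

# Functions commonly chained to hide code or spam links in themes.
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13|create_function)\s*\(", re.I)
# An unbroken run of base64 alphabet 80+ characters long, optionally padded (assumed threshold).
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")


def scan_file(path):
    """Return [(line_no, reasons, excerpt)] for suspicious lines in one file."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line_no, line in enumerate(fh, 1):
            reasons = []
            calls = SUSPICIOUS_CALLS.findall(line)
            if calls:
                reasons.append("calls " + ", ".join(sorted({c.lower() for c in calls})))
            if LONG_B64.search(line):
                reasons.append("long base64-like blob")
            if reasons:
                findings.append((line_no, "; ".join(reasons), line.strip()[:80]))
    return findings


def scan_tree(root):
    """Map relative .php path -> findings, for every file with at least one hit."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report


def build_sample_theme():
    """Constructed two-file theme: a clean header and a footer with a hidden link."""
    root = tempfile.mkdtemp(prefix="theme-sample-")
    with open(os.path.join(root, "header.php"), "w") as fh:
        fh.write("<?php wp_head(); ?>\n<header><?php bloginfo('name'); ?></header>\n")
    # Constructed payload: the encoded footer link trick the article describes.
    link = b"<a href='http://example.com/'>constructed sample spam link for the scanner demo</a>"
    payload = base64.b64encode(link).decode("ascii")
    with open(os.path.join(root, "footer.php"), "w") as fh:
        fh.write("<?php wp_footer(); ?>\n")
        fh.write("<?php echo base64_decode('%s'); ?>\n" % payload)
    return root


if __name__ == "__main__":
    theme_dir = build_sample_theme()
    try:
        for rel_path, hits in scan_tree(theme_dir).items():
            for line_no, reasons, excerpt in hits:
                print("%s:%d  %s\n    %s" % (rel_path, line_no, reasons, excerpt))
    finally:
        shutil.rmtree(theme_dir)
```

Point scan_tree() at an unpacked theme or plugin folder instead of the constructed sample; anything it reports in footer.php, functions.php or a file with an unrelated name deserves a close look, since a genuine theme has little reason to decode a long string at render time.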
p.s. Consider Cloudflare.com
This doesn’t fit in any specific category since it’s not a server, admin or specific software issue. But for high traffic business websites receiving a lot of this nasty traffic, some handy bot filtering and security measures can be done at the DNS level, long before it hits your host server or WordPress install. www.cloudflare.com is the one we recommend. Most use this free service for performance. I use it primarily for the added security, although, being US-based, there are annoying latency issues. But that’s another story…
Or let the Geeks Sort it out…
Sometimes, when none of the above works, some issues can really only be addressed by the host company and a good sysadmin who knows their way around Apache, Unix command lines etc.
Setting up host servers, Cloudflare and similar is often beyond the amateur user and not even done much in local developer circles. Yet these low-level tools are another very handy option for further reducing the number of nasty bots and website attacks. For assistance with security, hosting or Cloudflare, fill in the form below. Source: http://aucklandmeetup.wordpress.com/