Securing WordPress – Basic Steps to protect your site from hackers
I’m sure that anybody reading this is aware that the Internet is a potentially dangerous place – something I’m painfully aware of as my website is currently undergoing persistent attempted hacks.
Update: Day 4 of attack
The futile attack continues – you can see when it began from the spike in recent traffic stats below. New counter-measures have reduced the malicious traffic but it’s still too high so looking to make another couple of defensive tweaks this evening. On the off-chance that this may be a diversionary tactic I’ve also taken other steps to monitor and validate traffic, files & databases.
Just because you’re paranoid doesn’t mean they’re not out to get you..!
Recent traffic overview showing start of attack
Villains and rapscallions are prolific in Internet Land – continuously trying to take advantage of the less security conscious and make off with critical information that would enable them to steal identities, pillage bank accounts & credit cards, damage on-line reputations and more. One of their favoured tactics is to infect popular (or even not-so-popular) legitimate websites with malicious content that may compromise the PCs of anyone unfortunate enough to visit them in good faith – I reckon that’s what they are attempting with my site right now.
WordPress Two Factor Authentication
This website has various bespoke and plugin security measures in place that make exploiting my WordPress site substantially harder than average – honey-pots, complex user names and passwords, automatic blocking based on behaviour and others that I won’t mention.
Attempted hacks are commonplace, but tend not to last too long when the attackers or their bots realise they are getting nowhere.
For the last 48 hours, however, I have an uncommonly persistent attack taking place – thus far there have been ~2,500 attempted hacks from almost 1,300 IP addresses based predominantly in the USA, although France, Ukraine & the UK are close behind – this is still continuing. The number of IPs and the range of ISPs these are spread over strongly suggest a bot-net is targeting my site.
WordPress is a popular hosting platform (very popular) and as such is considered a worthy candidate for the attention of those with malicious intent… if you host a WordPress Site I can’t express strongly enough how important it is to take steps to secure it..!
In addition to my existing counter-measures I have now also added two-factor authentication: as well as my username and password, a 6 digit pin that changes every 30 seconds, is required (which I get from my smartphone).
In order of importance, to protect your website, I’d recommend the following steps:
- Keep your site and plugins updated
- Choose a complex username and password
- Delete the default admin account
- Install a login page security plugin
- Install 2FA for WordPress (two-factor authentication)
None of these are difficult to do (Google searches will provide numerous sites with how-to details). If you posses the know-how, drop in a couple of honey-pots with automatic blocking (which can be permanent or temporary). Note that the current attacks on my site are using ‘admin’, ‘administrator’, ‘williamfaulkner.co’ & ‘williamfaulkner.co.uk’ as the usernames – so be a little creative with yours.
Do it now – it’s a lot easier to protect your site and reputation right now than trying to fix them after your site has been compromised and your visitors and clients potentially exploited.
You can always post a comment if you’re not sure about something.
Update 2 – success
Finally killed them off for now – simple really – put a rule in to only allow access to wp-login.php from the 2 IP addresses I use to login to my site.
Tried to deny access on the basis of ‘no referrer’ (or ‘no referer’ as it seems to be spelt these days) but couldn’t get the rule working 100%, this would have allowed legitimate logging in from anywhere but as I only ever use the 2 IPs it’s not an issue… and I can always add others if needed.
Last few days traffic to the login page
Hundreds of 403 access denied log entries and no successful posts to the page (apart from legitimate ones).
Is WordPress Safe..?
If you employ a little common sense with your plugins and keep both them and WP up to date then yes, as safe as any other web server.
Is WordPress secure enough for Corporate Sites?
Absolutely – with the above caveats.
I have several Corporate Sites running on WordPress – however I would suggest that if you intend to use WordPress as your Corporate site that you utilise the 5 steps referred to above and preferably have it set up by a competent user familiar with both Web Server and Web Application security who can lock it down with tricks referred to throughout this article.
At the risk of sounding pretentious, the most secure of systems can be left completely unprotected by unwise configuration.