The Top Eight Things You Can Do to Secure Your WordPress Site

As you may or may not have heard, there have been several instances of distributed brute force login attacks on WordPress sites over the past few months.  In late 2012, wordpress.com saw a distributed attack in this fashion, and just over the last few days a variety of hosting providers saw a similar attack waged against self-hosted WordPress sites.  This most recent attack appears to have subsided at this time.  Earlier today, Sucuri actually released a brief analysis of the most recent attack, questioning whether or not it was actually happening or all just hype… and not to spoil it for you, but it actually DID happen.

With the onset of this recent wave of attacks, one might think that the core WordPress development team may consider adding something into core that guards against this a bit more natively, but until that time, there are a few things you can do to guard against this type of attack (as well as others) – so here you go.

The Top Eight Things You Can Do to Secure Your WordPress Site and Guard Against a Variety of Attacks:

1) Usernames to avoid

When animals want to hide from their prey in nature, a common strategy is to blend into the background by looking the same way everything else does.  It’s a solid tactic, but if you take that tack online and consider it literally, you are doing the exact wrong thing.  It’s an excellent idea to use nonstandard usernames, specifically for your administrative usernames.  In fact, in the most recent distributed brute force attack, Sucuri mentions that “the sheer fact of having a non-admin / administrator / root username automatically [puts your site] out of the running.”  Usernames to consider avoiding include:

  • admin
  • test
  • administrator
  • Admin
  • root
  • support
  • sysadmin

2) Secure your passwords

File this in the “is-it-plugged-in” category, but seriously… use secure passwords.  A password that includes your dog’s name and the year you were born is not a good idea, and it’s an even worse idea to use similar passwords across a bevy of websites.  Difficult passwords may be difficult to remember, but they are also difficult to crack… and frankly, if you have not yet started using a password management program like 1Password or LastPass, you really should consider it.  Really folks, it’s 2013… I’m taking the time to write this because I care.

3) Limit Login Plugin

I wrote an article on this back in 2011, but it still holds true and is worth having a look at.  Consider adding a plugin to your WordPress site that limits the number of times that somebody can try to log in to your website and fail.  Once a specific threshold is met, that person cannot attempt to log in again for a set amount of time, or you can even blacklist them.  While alone this will not stop a determined individual from cracking into your site via brute force tactics, it WILL stop all but the most advanced automated scripts dead in their tracks.  Go ahead… install it.  It’ll feel good.
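To make the caveat above concrete, here is an added example (not code from the original post and not from any login-limiting plugin) that runs the same kind of per-IP threshold a limiter applies over an Apache-style access log, and alongside it checks for the distributed pattern the post describes: many addresses each staying under the per-IP limit while hammering wp-login.php together. The log lines, the addresses, and the thresholds are all constructed for the example.

```python
"""Added example: spotting wp-login.php brute forcing in an Apache-style access log.

Constructed sample data and assumed thresholds; tune the limits to your own traffic.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return {'ip': m.group('ip'), 'ts': ts, 'method': m.group('method'),
            'path': m.group('path'), 'status': int(m.group('status'))}


def login_attempts(lines):
    """Yield parsed POSTs to wp-login.php; each one is a login attempt."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec['method'] == 'POST' and rec['path'].split('?')[0].endswith('/wp-login.php'):
            yield rec


def analyze(lines, per_ip_limit=5, distributed_ip_limit=10, window=timedelta(minutes=10)):
    """Return (noisy_ips, distributed).

    noisy_ips: addresses with >= per_ip_limit attempts inside one sliding window
               (what a login-limiting plugin would lock out).
    distributed: True if >= distributed_ip_limit distinct addresses attempted a
               login inside one window, which a per-IP limiter alone never sees.
    """
    attempts = sorted(login_attempts(lines), key=lambda r: r['ts'])
    per_ip = defaultdict(deque)   # ip -> timestamps inside the window
    recent = deque()              # (ts, ip) of every attempt inside the window
    noisy_ips = set()
    distributed = False
    for rec in attempts:
        q = per_ip[rec['ip']]
        q.append(rec['ts'])
        while q and rec['ts'] - q[0] > window:
            q.popleft()
        if len(q) >= per_ip_limit:
            noisy_ips.add(rec['ip'])

        recent.append((rec['ts'], rec['ip']))
        while recent and rec['ts'] - recent[0][0] > window:
            recent.popleft()
        if len({ip for _, ip in recent}) >= distributed_ip_limit:
            distributed = True
    return noisy_ips, distributed


def _line(ip, minute, second, method='POST', path='/wp-login.php', status=200):
    """Build one constructed log line (documentation-range addresses only)."""
    return (f'{ip} - - [12/Apr/2013:10:{minute:02d}:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


# Constructed sample: one address firing 6 POSTs in a minute, twelve addresses
# posting once each (all under the per-IP limit), one ordinary page view, and
# one line that does not parse at all.
SAMPLE_LOG = (
    [_line('203.0.113.5', 0, s) for s in range(0, 60, 10)]
    + [_line(f'198.51.100.{n}', 2, n) for n in range(1, 13)]
    + [_line('192.0.2.9', 5, 0, method='GET')]
    + ['garbage line that does not parse']
)

if __name__ == '__main__':
    noisy, distributed = analyze(SAMPLE_LOG)
    print('locked out by per-IP limit:', sorted(noisy))
    print('distributed attack in progress:', distributed)
```

Run against the sample, the single noisy address is the only one a limiter would block, while the twelve one-shot addresses trip the distributed check without any of them reaching the per-IP limit; that gap is what the CDN rule in the next section and a host-level firewall are for.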

4) Use a CDN like CloudFlare

CDNs (or Content Delivery Networks) are really cool for a whole host of reasons including geographically leveraged speed of content delivery, redundant delivery points which provide a large measure of protection against the single point of failure one may encounter in a traditional server environment, or even marketing opportunities that can be leveraged in different ways… But the point here isn’t to talk about all that.  Because the nature of a CDN is that they are sitting in front of web requests prior to actually distributing them to the host server, they can (and will) take proactive steps to protect you from attacks when they know what to look for.  For example, in the attack that just took place, CloudFlare actually pushed out a rule to detect the signature of the attack that was being performed and proactively stop it.  Very cool, very useful, and very worth noting…

5) Migrate your wp-config.php file

This one is an oldie but a goodie… and something not a lot of developers appear to be aware of – and I honestly don’t know why.  It’s not exactly a very well guarded secret that the wp-config.php file is located in the root WordPress directory of every WordPress site by default.  If you don’t understand what that means, think of a master file that includes all of the master locations and passwords it would take to get access to everything inside your site, sans a username and a password.  For years, security experts have pointed to this as the single-most insecure aspect of core WordPress.  The easy, 15-second workaround?  Just move the file outside of the public_html directory to the server’s home directory.  It’s a gimme, and it works fine.  Again, go ahead and try it… and if you want a tutorial, check it out here!
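Two things are worth checking after the move, and the following added example (not from the original post or from WordPress itself) checks both: WordPress only looks exactly one directory above the document root for a relocated wp-config.php (and skips it if that parent directory holds a wp-settings.php, i.e. looks like another install), and the moved copy should not be world-readable, which is what other accounts on a shared server would otherwise exploit. The `public_html`-under-home layout is the one the post describes; the temporary directory and the stand-in config file are constructed for the example.

```python
"""Added example: relocate wp-config.php one level above the document root and audit it.

Assumes the post's layout (home/public_html). Uses a constructed temp tree.
"""
import os
import shutil
import stat
import tempfile

CONFIG = 'wp-config.php'


def audit_wp_config(docroot):
    """Return a list of findings; an empty list means placed and protected as intended."""
    docroot = os.path.abspath(docroot)
    parent = os.path.dirname(docroot)
    in_root = os.path.join(docroot, CONFIG)
    above = os.path.join(parent, CONFIG)
    findings = []
    if os.path.exists(in_root):
        findings.append('wp-config.php is still inside the document root')
        target = in_root
    elif os.path.exists(above):
        target = above
        # WordPress falls back to the parent copy only when the parent is not
        # itself a WordPress install (it checks for wp-settings.php there).
        if os.path.exists(os.path.join(parent, 'wp-settings.php')):
            findings.append('parent directory looks like another WordPress install; '
                            'the moved wp-config.php would be ignored')
    else:
        findings.append('wp-config.php not found in the document root or one level above it')
        return findings
    mode = stat.S_IMODE(os.stat(target).st_mode)
    if mode & stat.S_IROTH:
        findings.append(f'{target} is world-readable (mode {oct(mode)})')
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f'{target} is writable by group or others (mode {oct(mode)})')
    return findings


def relocate_wp_config(docroot, mode=0o600):
    """Move wp-config.php from the document root to its parent and tighten its mode."""
    docroot = os.path.abspath(docroot)
    src = os.path.join(docroot, CONFIG)
    dst = os.path.join(os.path.dirname(docroot), CONFIG)
    if os.path.exists(dst):
        raise FileExistsError(f'{dst} already exists; refusing to overwrite')
    shutil.move(src, dst)
    os.chmod(dst, mode)
    return dst


def demo():
    """Build the home/public_html layout in a temp dir, audit, relocate, audit again."""
    home = tempfile.mkdtemp(prefix='wp-demo-')
    docroot = os.path.join(home, 'public_html')
    os.makedirs(docroot)
    src = os.path.join(docroot, CONFIG)
    with open(src, 'w') as fh:
        fh.write('<?php // constructed stand-in for a real wp-config.php\n')
    os.chmod(src, 0o644)  # the mode most uploaded files end up with
    before = audit_wp_config(docroot)
    moved_to = relocate_wp_config(docroot)
    after = audit_wp_config(docroot)
    shutil.rmtree(home)
    return {'home': home, 'docroot': docroot, 'before': before,
            'moved_to': moved_to, 'after': after}


if __name__ == '__main__':
    result = demo()
    print('before:', result['before'])
    print('moved to:', result['moved_to'])
    print('after:', result['after'])
```

Point `audit_wp_config` at your real document root to get the same checks without moving anything; `relocate_wp_config` refuses to overwrite an existing copy above the root rather than silently merging two configurations.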

6) Install WordPress in its own directory

Another oldie but a goodie.  If your intent is to blend into the background by not looking like everybody else (a bit of juxtaposition in verbiage, but something that applies completely), just give WordPress its own directory so it doesn’t just sit in the root directory of your website.  I don’t have a tutorial on how to do this one, but there’s a great one in the WordPress Codex right here.

7) Install Wordfence

I love Wordfence.  It’s a handy little WordPress plugin that you can get for free that looks over your WordPress code 24 hours a day, 7 days a week like a shepherd would tend to his flock.  You basically get your own personal little firewall just for your own WordPress site… and if you choose to pay the low, low price of about $18 per year, you can also get additional features that are useful too – like the ability to wholesale block out entire countries and regions from being able to use your web site.  Don’t do business in Nigeria and tired of worrying about random hackers from the region making your world a living hell?  Yeah, Wordfence Pro will make that go away.  Other fun benefits, straight from Wordfence’s website:

  • Repair infected core, theme and plugin files
  • Show you what has changed in your infected files
  • Constantly scans your posts, pages, comments and plugins for malware URLs
  • Shows you all your traffic in real-time giving you situational awareness to help your security decision making.
  • Separate human and crawler traffic intelligently.
  • Show you detailed data on traffic including reverse DNS lookups and city level geolocation.

8) Use a dedicated server or VPS

Okay, so this is a post about security and there’s nothing particularly more secure about having a dedicated server or a VPS, but consider this… the vast majority of people buy shared hosting for their businesses, not really understanding what that means.  So allow me to explain… shared hosting means that you share all of the resources available on the physical server your website is sitting on with everybody else who is also on that server.  In other words, if you do everything I listed above correctly but you happen to be sitting on shared hosting, your site could still experience significant hardships because of all of the other people on the server that happen to be doing everything wrong.  For example, in this recent brute force attack over the past few days, many people who did it all right… secure passwords and unique usernames, login limiting plugins, CDNs, Wordfence – the whole bit… many of those sites still experienced problems because when you are on shared hosting, there is a direct relationship between your fastest available speed and the slowest site running on that server.  Additional issues can ensue in other areas too if file systems are corrupted or what have you.  Am I espousing the notion that EVERYBODY should go out and buy a dedicated server or run a VPS?  Absolutely not… but I am suggesting a working understanding of the fact that your website does not function in a vacuum… its performance is predicated upon the environment in which it lives.

While this list is not meant to be exhaustive, I do hope you find this useful… if so, please feel free to leave a comment or ask a question!