WordPress is known as the best blogging platform for a reason. I am sure everyone knows it as an amazing CMS platform which enfolds a multiple number of features and functions on it. One excellent thing with WordPress is it has got a plenty of plugins and resources which helps in enhancing the functionality of any website.
The recent attack on WordPress blogs by unidentified hackers has brought the vulnerability of WordPress to attention. Categorized as ‘brute force’ attacks, they made the news and warned WordPress site owners – once again – that it is in their best interests follow safety best practices.
The Evolution of WordPress
It has taken WordPress 10 years to become the most popular web content management system in the world. It is estimated that 22% of new sites and approximately 60 million sites in all, are powered by WordPress. CNN, eBay, Forbes and Sony are just some of the leading brands that maintain WordPress sites. The CMS generates over 4 billion page views and close to 40 million posts each month. According to website monitoring service Pingdom, WordPress is the blogging system of choice for the world’s top 100 blogs.
These numbers will definitely give you an idea about the massive impact of WordPress on businesses and individuals using the cyberspace.
Even as WordPress has evolved, sites and blogs powered by this system have become the favorite targets of hackers. The bottom line is, WordPress security must be taken seriously. If you are not aware of the security risks and the mitigators/controls you can use to bring risks to acceptable levels, read on.
Vulnerabilities in WordPress and How You Can Counter Them
To understand how you can safeguard your WordPress site against malicious intents, you first need to know about the vulnerabilities in the system. An idea about the possible ways in which your WordPress site/blog can be attacked, can prepare you for counter-measures at your end. These are the most common attacks on WordPress powered sites:
1. Brute-force password attacks:
If your site has been the victim of a brute force attack, then right off the bat, it can be assumed that your username and password credentials are not up to the mark. Basically, this type of attack involves trying to guess your username and password. So, if you still have the default ‘admin’ username or a weak password, you are extending an open invitation for attacks. Keep in mind that brute force attacks don’t stop after one failed attempt; attackers keep at it and manage to get the better of you. The persistent attempts at infiltrating your site can cause performance issues as they take a huge toll on your server memory.
How do you prevent it? The basic precautionary measure you can take includes not continuing to use the ‘admin’ username. Create a unique and hard-to-guess user with Administrator rights. If your name is Jennifer or Tim – which you display publicly on your blog – don’t use the same as your username. That would make it too easy for anyone to guess. It cannot be emphasized just how important it is that you set a strong password. A good one will have lower and upper case letters, characters and numbers. An example for a complex password is
IlOve&28BlOg. Here are some don’ts of creating a password:
- don’t use string numbers in sequence like 456789
- don’t contract your domain name, username or company name; avoid permutations of these names as well
- don’t create alphabet-only or only numerical passwords
- don’t create short passwords, i.e. less than 8 characters long
- avoid using a word from the dictionary as your password
- never use a password that is the same as your username!
You can also consider installing a login limiter for WordPress. This basically quarantines or blocks a username/IP address that is trying and failing to complete login requests above a specific threshold rate. For instance, a penalty time-out of one hour can be imposed on a limit of 10 attempted logins every 5 minutes. Such limits will discourage and frustrate hackers as they won’t be able to try enough variations to gain illegal access.
2. Cross-site scripting:
Abbreviated as XSS, cross-site scripting allows attackers to inject client-side scripts into webpages being viewed by other users. Attackers may take advantage of this vulnerability to circumvent access controls.
How can you prevent it? There are different measures you can take to combat cross-site injection. File validation, data validation and output sanitization are some techniques. As these involve some technical background, it is best to look them up and understand them in their entirety, for successful application.
3. Attacks on specific vulnerabilities in older WordPress versions or WordPress plugins:
It is not uncommon to hear about attacks on older WordPress versions. If you are using a version of WordPress after 2.8.3, you’re on the safe side; it is however advised that you upgrade to the latest version (3.5.1), which includes a number of fixes that can keep your site safe. Out-of-date plugins are extremely vulnerable to attacks – if you have been holding back on updating to newer versions, it’s time to do the right thing.
A good way to prevent hacking is to use quality plug-ins with good ratings, many downloads and active author support. Reliable authors will address security issues and accordingly update their plug-ins.
How to Keep Your WordPress Site Secure
WordPress site/blog owners can take a number of precautionary steps to strengthen security. Here are some you can invest in.
A basic technology update to keep hackers away from identifying system loopholes is essential. There are many areas where hackers can spot loopholes and plan attacks. A comprehensive technology update will include malware checks, laptop password updates and anti-virus updates. Also make sure that your operating system, ISP and router have adequate firewalls.
It is important that you back-up your entire database using a plug-in or even manually. You can choose from some excellent plugins that perform automatic full-site backups, such as BackUpBuddy (available on a yearly subscription and the easiest option for restoring a WordPress site), VaultPress (monthly subscription) and WordPress Backup to Dropbox (free and premium).
As mentioned earlier, don’t hesitate to update plug-ins or your WordPress site, fearing that it would break your website. Some best practices in this regard include (a) ensuring that back-ups are up-to-date, by scheduling them on a daily or weekly basis (b) updating WordPress, plugins or themes at the earliest – pay attention even to minor updates as they will contain critical security fixes and (c) for major WordPress, theme or plugin updates, wait for a while until developers have conducted live testing on the updates. If you have another WordPress install, you can try duplicating your website and updating it first to determine if it’s fine to do the same with your live site.
Note: You can follow news about the latest fixes/patches on WordPress Development.
It is best to invest in a good hosting service. A provider well-versed with WordPress will be able to handle permissions and installation more capably, and the variation in service will be apparent to you. Partnering with a reliable service that knows WordPress can do its bit for site/blog security. Here are some options:
Bluehost: A popular choice, Bluehost offers shared and upgraded shared hosting with added resources and fewer users on one server.
Dreamhost: It detects hacks proactively
WP Engine: This is a good bet if you want top-of-the-line WordPress security. From regular security scans to daily back-ups, it helps you address security issues easily and conveniently.
There are quite a few free and paid security plugins that can monitor and protect your WordPress site. A free security plugin – Wordfence – offers multiple monitoring levels and is also available as a premium plan. Bulletproof Security (limited monitoring), Sucuri (malware clean-up), WordPress Firewall 2 and VaultPress are other options you can explore. The WP Security Scan is also a good security solution; this plug-in scans your blog for vulnerabilities and reports malicious codes to you.
New WordPress sites are more prone to attacks as there is a much less likelihood that they will have all the key security fixes. Hackers have been seen to capitalize on this. You can avoid presenting your WordPress site as a newbie by removing the text link ‘Powered by WordPress’ in the footer, removing default posts on the Homepage and adding as many posts as possible to your site, to make it appear as if it’s been in existence for a while.
As discussed earlier, it is important that you change the default admin log-in and have a strong password. There is a good choice in tools to check password strength. Some you can explore are Password Meter (AskTheGeek), Password-Review (LBW-SOFT) and Password Checker (Microsoft).
As a cautionary measure, you can keep your visitors from browsing your entire directory. Hackers can study directory structures to identify security holes. To disable directory browsing, you can add the following to the .htaccess in your WordPress blog’s directory:
# disable directory browsing Options All – Indexes
Note: .htaccess is a file used by Apache to define your website’s access rules
Make sure that admin files are adequately protected; only you and a limited number of bloggers should have access to them. .htaccess is one way to restrict access. Depending on whether yours is a static IP address or multi-user blog, you can restrict access only from a defined number of IPs. For more information on how to go about the same and step-by-step instructions, you can look up Apache’s documentation.
As a responsible WordPress site/blog owner, the onus is on you to address security proactively. There are multiple ways to do this. Download new WordPress software updates through CMS backend. When you do this, also verify the compatibility of the new release with your web server’s MySQL and PHP versions. If you notice any violations or bugs you can report the same to the WordPress community. You can submit information at firstname.lastname@example.org. Encouraging users to report security issues is a good way for the WordPress community to be aware of the latest threats and effective measures at their disposal.
How Can You Deal with Spam?
Spammers are just as troublesome as hackers; WordPress site owners will vouch for this. Thankfully, there are different ways in which you can combat spam. Here are a few:
- Moderate comments made by readers. Bots will be moderated but manual comments can be blacklisted or marked as spam. Enable the “Comment author must have a previously approved comment”. This means comments from trusted readers will get approved automatically.
- Block suspected spam bots by noting the IP address on your dashboard. You can block one or a range of IPs to address spam.
- Installing anti-spam plugins is also one way to combat spam. Three of the popular plug-ins that do this job pretty well are Quiz, Akismet and Simple Trackback Validation.
- If you have the time and inclination for it, delete all the spam comments on a regular basis, depending on their frequency of occurrence.
There is no predicting when your WordPress site may be the target of malicious elements. If – despite your best efforts – your site is compromised, don’t panic. Inform your host about it, let your fans and readers know about (through Twitter or Facebook), implement the necessary fixes, change your passwords and importantly, make a note of what you should have done to prevent the attack. This will help you enhance site security for the future. Also, remember that it’s not the end of the world – you can have your hacked WordPress site up and running pretty quickly, depending on the type and extent of attack.