WordPress & Security – What You Need to Know

Secure WordPress
As you might be aware, WordPress sites have been the target of ongoing, automated attacks for several weeks. Many have wondered why small sites are being targeted when they hold no customer data or credit card numbers. The reason for the massive attack is that the bad guys are looking for ways either to distribute their wares (use your site to host a fake Wells Fargo login page or push malware onto your visitors' computers) or to use your site as a foothold on your host's server so it can join their botnet (think computerized minions).

Why is WordPress a target?

Well, for the same reason that Internet Explorer was the hacker's favorite target last decade: lots of people use it, they aren't necessarily security savvy, and most of them run the default settings. A little effort on the attacker's part has a big payoff, because one method of breaking in will work on tens of thousands of sites.

What Should I Do?

As I've said before, security is the opposite of convenience. Above all else, you should be using a very strong password: at least 8 characters (longer is better), no dictionary words, and a mix of upper case, lower case, digits and symbols. I know, I know, it is so hard to remember that kind of password. That is why you should get a password manager and let it generate and store one for you.

WordPress has traditionally made it easy for users to get set up and running by starting with the same username, admin, and that first user is identified in the database with an ID of 1, so an attacker can guess the login name and only has to guess the password. If your username is admin, you should immediately log in and create a new user with the Administrator role and a unique username (preferably something not related to your site or domain name). Be sure to copy all your user profile information over to the new user. Then log out as admin, log in as your new user and delete the admin user. During the deletion process you get the opportunity to reassign the blog posts created by admin to another user; do that rather than deleting them.

Beyond keeping WordPress itself and all your plugins and themes updated, and using a unique username with a very strong password, there are many other things you can do to further secure your site. They range from relatively simple to crazy complex for the ultra paranoid. For most of us, it makes the most sense to use a plugin to handle additional security measures. Here are a few to consider:
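The same replace-the-admin-user procedure, scripted, as an added example that is not code from the original post. It uses WP-CLI (https://wp-cli.org), which must be installed and run from the WordPress root; the username, e-mail and domain passed in are assumptions, and the validation rules (no default names, no piece of the domain in the username, at least six characters) are this example's own, not WordPress rules. Leaving out --user_pass makes WP-CLI generate a random password and print it once, which also takes care of the strong-password advice above: paste it straight into your password manager.

```shell
#!/bin/sh
# Added example: replace the default "admin" account with WP-CLI.
# Assumes WP-CLI is installed and this runs from the WordPress root.
set -eu

# Return 0 if the proposed username is acceptable: not a well-known default,
# not containing the site's first domain label, and at least 6 characters.
# Usage: validate_new_username <username> <domain>
validate_new_username() {
  lname=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  domain="${2#www.}"                     # drop a leading "www."
  label=$(printf '%s' "${domain%%.*}" | tr 'A-Z' 'a-z')
  case "$lname" in
    admin|administrator|root|test|user) return 1 ;;
  esac
  case "$lname" in
    *"$label"*) return 1 ;;              # e.g. "acme_editor" on acme.example
  esac
  [ "${#lname}" -ge 6 ]
}

# Create the new administrator, move admin's content to it, delete admin.
# Usage: replace_admin_user <new-username> <email> <domain>
replace_admin_user() {
  new_user="$1"; new_email="$2"; domain="$3"
  validate_new_username "$new_user" "$domain" || {
    echo "refusing: '$new_user' is a default name, too short, or contains the domain" >&2
    return 1
  }
  # No --user_pass: WP-CLI generates a random password and prints it once.
  wp user create "$new_user" "$new_email" --role=administrator
  new_id=$(wp user get "$new_user" --field=ID)
  old_id=$(wp user get admin --field=ID)
  echo "new user ID $new_id, old admin ID $old_id" >&2
  # --reassign moves every post and page owned by admin to the new account
  # instead of deleting them.
  wp user delete admin --reassign="$new_id" --yes
  # Sanity check: should print 0, nothing left attributed to the old ID.
  wp post list --author="$old_id" --post_type=any --format=count
}

# Stand-alone use: sh replace-admin.sh gardenwriter you@acme.example acme.example
if [ "$#" -eq 3 ]; then
  replace_admin_user "$1" "$2" "$3"
fi
```

Log in as the new user in a browser before running the delete step if you want to confirm the account works; the script does not do that for you. Renaming does not change the numeric user ID, so the point is only that the login name is no longer guessable.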

Better WP Security
This plugin keeps things simple by offering one-click activation for most features, and it is a long list of features, ranging from ways to hide common access points to detecting bots and unauthorized access. Completely back up your site (files and database) before you start turning on its features: it can make significant changes to your database and other site fundamentals that sometimes won't play nicely with other plugins you have installed.

BBQ: Block Bad Queries
The other danger of these massive attacks is that even if the bots never get in, the sheer volume of login attempts knocking on your door can cripple your site's performance. BBQ helps by blocking malicious URL requests before WordPress spends much effort on them.
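What that knocking looks like in your web server's access log, and how to pick out the worst offenders, as an added example that is not part of the original post. The log lines are constructed for illustration (documentation IP ranges, not real traffic) in Apache/nginx combined format. The detection rule relies on one WordPress behaviour: a failed login POST to wp-login.php gets a 200 (the form is re-rendered), while a successful one is a 302 redirect to the dashboard. The threshold and the `.htaccess` `Deny from` output (Apache 2.2 syntax) are this example's choices.

```shell
#!/bin/sh
# Added example: find IPs brute-forcing wp-login.php in an access log.
set -eu

# Constructed sample, combined log format:
# ip - - [time] "METHOD path HTTP/1.1" status bytes "referer" "user-agent"
SAMPLE_LOG='203.0.113.7 - - [12/Apr/2013:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:03:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:03:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:03:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:03:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:03:14:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Apr/2013:03:15:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Apr/2013:03:15:11 +0000] "GET /wp-admin/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2013:03:16:00 +0000] "GET /?p=12 HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2013:03:16:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"'

# Read log lines on stdin, print "count ip" for every IP with at least $1
# failed logins (POST to wp-login.php answered with 200), worst first.
# $6 is the method (with its leading quote), $7 the path, $9 the status.
flag_login_bruteforce() {
  threshold="$1"
  awk -v t="$threshold" '
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "200" { fails[$1]++ }
    END { for (ip in fails) if (fails[ip] >= t) printf "%d %s\n", fails[ip], ip }
  ' | sort -rn
}

# Turn "count ip" lines into Apache 2.2 .htaccess deny rules.
deny_rules() {
  awk '{ print "Deny from " $2 }'
}

# Stand-alone demo over the constructed sample with a threshold of 5.
# prints: 6 203.0.113.7
printf '%s\n' "$SAMPLE_LOG" | flag_login_bruteforce 5
```

Against a real server you would feed the log in instead of the sample, e.g. `flag_login_bruteforce 20 < /var/log/apache2/access.log | deny_rules`, and pick a threshold well above what a forgetful human produces. The successful 302 from 198.51.100.9 is deliberately not counted; a legitimate admin logging in should not end up in the deny list.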

Wordfence
This plugin is a Swiss Army knife of security. It includes a firewall, malware scanning, malicious URL scanning and a live view of traffic, crawlers included. Wordfence can verify your core, theme and plugin files against the official copies and repair them, even if you don't have backups. It can be a little intimidating for a novice user.

If you want more information on this round of WordPress attacks and how to protect your site, you can check out these additional resources:

Have you experienced a site hack? How do you secure your website? Share your experiences in the comments.
