WordPress has become an incredibly popular web design platform, and currently has about a 25% share of all web sites on the Internet. As an open-source software product that is free to download and use, with a great support and documentation through WordPress.org, and a huge, international development community providing an endless array of themes, plug-ins and widgets, it is easy to understand why. Also anyone can buy a book or view an online tutorial and learn enough to get started with this versatile web publishing tool. And then there is the Codex at WordPress.org.
But many of the people who are creating and publishing WordPress sites, especially the very large do-it-yourself crowd, have very little knowledge of or appreciation for the importance of proper web site security. This had made WordPress a popular target of cyber-criminals. Exploits can range from simple site defacement, to extortion. or subverting websites for hosting pornography, hosting and spreading malware, or being used to create fake web pages as link destinations for phishing exploits. Many times web site owners have no idea that this content has been surreptitiously added to their website.
Last month, this website was itself subject to brute-force password cracking attack. Someone in the Ukraine was repeatedly trying different passwords in an attempt to access the website’s design dashboard, for who knows what reason. I suspect that is was an attempt to take on the website of a cybersecurity professional with the goal of basically making me look like a noob. Or maybe something worse.
How did I know this? Well I added a popular WordPress security plugin called Sucuri to my website, and the plugin was sending email notifications to me of the attempts. This included the IP address of the perpetrator, which I was able to track back to a city in the Ukraine. Now if the attacker was using TOR, the Ukrainian address may just have been the closest hop in the chain of TOR proxies that the attacker was using. Or it might have just been some cyber kid in the Ukraine.
The effect of this attack though, was enough for me to change my password, and to move up from the free Sucuri product to the paid version.
So – what can you do to protect your WordPress website? Here is my short list:
- Change the defaults. Rename your admin account from “admin” to something else. In spite of the fact I changed my admin login name, for some reason my attacker had it. I suspect he got into the configuration files and found it there. Good attackers can, and do.
- Create a good password. These days this means 12 characters minimum, unique and complex (upper and lower case, numbers, symbols). If you have several websites, DO NOT use the same password on all off them.
- Multiple sites have their own root directory. If you have an unlimited hosting program, go to the effort to create a unique root directory for each site. Lumping them all into the same htdocs directory means that if the attacker gets into one, he is in all of them.
- Look at other access. Your web server also supports File Transfer Protocol (FTP) and Secure Shell (SSH) access. Make sure your user ID and passwords meet the standards laid out above, and for heaven’s sake, make them different than your wp-admin login!
- Check other users. WordPress allows you to have multiple contributors with varying levels of control. Make sure ALL users on your site are adhering to good password practices.
- Install a backup plugin. If your site gets hacked, this is the fastest way back. Also really handy if you or one of your web site elves screws up the site. I have been using Backup WordPress.
- Limit login attempts. WordPress by default allows unlimited login attempts, which is a playground for automated brute-force password cracking software. There are plugins you can add to your site that will change that. WordFence, one of the security products I will recommend in a minute, has that as a feature. Sucuri looks at the failed login rate and makes appropriate decisions about limiting logins. The plugin Login LockDown will limited failed attempts to three before creating a timeout. Timeouts start at 5 minutes and increase incrementally to an hour.
- Install a security plugin. I am currently working with Sucuri and WordFence on different sites of mine. Another good recommendation that I will be evaluating is Bulletproof. One good one should do it. These come with a basic, free level of protection, and a more robust protection that you pay for. Securi was about $200, but for me it was well worth it. And stay tuned – we will be offering more detailed insights after we have more time to play with these tools.
And if you need help setting all this up, help is available from cybersecurity professionals like me. This is an area of specialization for our cybersecurity practice, and due to the nature of WordPress, we can help anyone, anywhere. If you need help drop us a line at email@example.com.