May 09, 2014, 6:00 AM
The popularity of WordPress has made it a prime target for site attacks. The more people who use a single platform of any type, the more users an attacker can compromise with one working exploit. WordPress is one of the best CMS and publishing platforms out there, so rather than avoiding it entirely, you should do the work to improve the security of your site instead.
If you run a site on the internet, you're going to be attacked; it's as simple as that. The larger and more successful your site, the more frequent these attacks will be. Most of them start by probing your site to learn about your environment: what web server you're using, what platform (if any), what server-side language, and so on. Your site is then grouped with sites running similar configurations, for example all sites running WordPress.
There are many botnets out there with thousands, possibly hundreds of thousands, of nodes attacking WordPress sites around the clock. The attack software knows what to look for in vulnerable WordPress installations and will attempt to exploit a vulnerability to work its way into your site's source code and install code of its own with malicious intent. With so many sites using WordPress, the bots have a lot of chances to find insecure ones. The attack software targets the default settings that come with a WordPress installation in the hope that they haven't been changed, and odds are they haven't.
So what can you do to help protect your site from these attacks? A lot, if you're handy around a Linux terminal or are a developer, but what about regular folks without IT staff? There are two free WordPress plugins that I've come to rely on for threat prevention and security hardening: All In One WP Security & Firewall and Wordfence.
All In One WP Security & Firewall is a great tool for guiding you through the common threat prevention techniques for WordPress. It can make most, if not all, of the necessary changes to your system for you through its administration pages. It guides you through tasks like eliminating the admin user account, renaming your database tables with a prefix other than the default wp_, limiting login attempts to prevent brute force attacks, preventing file modifications, setting file permissions, setting firewall rules and much more. Almost every task is a single click away, making these vital security features accessible to folks without a computer science degree. It also rewards your security efforts with a points system that shows just how secure you've made your site as you perform the steps. In addition, it has a file change scanner which you can schedule to run periodically to let you know if any of your site files have been modified. They offer a premium monthly service which will scan your site daily for malware, clean malware, monitor uptime and response time, and blacklist known attacks.
Wordfence is another valuable tool for preventing site attacks. While some of its features overlap with All In One WP Security, it has additional complementary features and approaches the firewall differently. Wordfence's core feature is the site scan. It runs a site scan automatically, or you can trigger one as desired. The scan will, depending on your options, analyze every file in your site looking for malicious code. It's smarter than most scans in that it can reference knowledge gathered from every user of the plugin to determine what is malicious and what is not. This also helps it adapt to the most recent attacks on each scan, since it's always learning from new attacks. It has another trick up its sleeve as well. During the scan, a fresh copy of your version of WordPress is compared against your installed copy to see if any of the code has been modified. If it finds a difference, it gives you a warning and even lets you inspect the differences before deciding what to do. If the change was not made by you, it gives you the option to automatically restore the file to its original state. It can perform this check on themes and plugins as well, making it supremely useful. In addition to the scanner there is a very handy firewall rule creator. It allows you to automatically block attackers based on thresholds you define for 404 pages encountered, pageviews per second, known malicious URLs, and more. You can then have the offender's IP blocked for a defined period of time.
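Both plugins' file change detection (the scheduled scanner mentioned for All In One WP Security and Wordfence's comparison against a fresh copy of WordPress) comes down to the same idea: hash every file in the install and diff the result against a known-good manifest. The following is an added example written for this post, not code from either plugin; the skipped directories, the file layout and the tampering it detects are all constructed for the demo.

```python
"""File-change scanner: hash a WordPress tree and diff it against a known-good copy.

Added example, not code from either plugin. Paths and sample files are constructed
for the demo; point the reference at a pristine WordPress download of the same
version and the current tree at your live document root to use it for real.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Directories that legitimately differ between a fresh download and a live site
# (uploads, caches). Hypothetical choice for the demo; tune for your own install.
SKIP_DIRS = {"wp-content/uploads", "wp-content/cache"}


def sha256_of(path):
    """Stream the file through SHA-256 so large files don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, POSIX style) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        if any(rel_dir == s or rel_dir.startswith(s + "/") for s in SKIP_DIRS):
            dirnames[:] = []  # prune: don't descend into skipped trees
            continue
        for name in filenames:
            p = Path(dirpath) / name
            manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def compare_manifests(reference, current):
    """Report what changed in `current` relative to the pristine `reference`."""
    ref_keys, cur_keys = set(reference), set(current)
    return {
        "modified": sorted(k for k in ref_keys & cur_keys if reference[k] != current[k]),
        "added": sorted(cur_keys - ref_keys),
        "removed": sorted(ref_keys - cur_keys),
    }


def _write(root, rel, content):
    p = root / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(content)


def demo():
    """Build a constructed pristine tree and a constructed live tree, then diff them."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, live = Path(tmp, "pristine"), Path(tmp, "live")
        for root in (ref, live):
            _write(root, "wp-login.php", "<?php // login form\n")
            _write(root, "wp-includes/functions.php", "<?php // core helpers\n")
            _write(root, "wp-content/plugins/hello.php", "<?php // hello dolly\n")
        # Constructed tampering: a core file altered, an unknown file dropped in,
        # a plugin file removed. Uploads are pruned, so the image does not show up.
        _write(live, "wp-login.php", "<?php // login form\n// constructed unexpected edit\n")
        _write(live, "wp-includes/class-cache.php", "<?php // constructed unknown file\n")
        (live / "wp-content/plugins/hello.php").unlink()
        _write(live, "wp-content/uploads/2014/05/photo.jpg", "not really a jpeg")
        return compare_manifests(build_manifest(ref), build_manifest(live))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Run it as a script to print the modified, added and removed lists. For a real install, store the reference manifest somewhere the web server account cannot write: an attacker who can edit the tree can just as easily edit a baseline kept beside it, which is why comparing against a freshly downloaded copy, as Wordfence does, is the stronger reference.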
Beyond the malware scanning and attack prevention, Wordfence also supplies caching options for your site to boost performance, two-factor authentication (premium), full country blocking (premium), disk space monitoring, and even live traffic monitoring of your visitors and crawlers.
These tools are not the end of your journey to secure a WordPress site, especially if you host the site yourself. There are many other steps to take, but if you're hosting with a large provider, chances are they've taken many of those steps for you. WordPress is my personal favorite CMS and publishing platform. I'm using it on many dozens of sites, including some that get millions of visitors, and it works great. I've also experienced the pain and frustration of being compromised. Doing nothing and leaving the defaults where they are is the worst thing you can do, and it gives WordPress a bad name from a security standpoint. Prevention is the name of the game, and these two free plugins will ramp you up in short order.
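The firewall rule described for Wordfence above (block an IP after too many 404s in a short window, for a set period) is a sliding-window counter keyed by client address. Here is an added example of that logic replayed over constructed access-log lines; it is not Wordfence code, and the threshold, window, block duration and the two IP addresses are hypothetical values chosen for the demo.

```python
"""Sliding-window 404 threshold blocking, in the spirit of the Wordfence firewall rule.

Added example, not plugin code. Log lines, IPs and thresholds are constructed/hypothetical.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" log format; only the fields the rule needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, path, status) or None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])


class ThresholdBlocker:
    """Block an IP once it produces max_404s 404 responses within `window`."""

    def __init__(self, max_404s=5, window=timedelta(seconds=60), block_for=timedelta(minutes=10)):
        self.max_404s = max_404s
        self.window = window
        self.block_for = block_for
        self.recent_404s = defaultdict(deque)  # ip -> timestamps of recent 404s
        self.blocked_until = {}                # ip -> expiry of the block

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        return until is not None and now < until

    def observe(self, ip, ts, status):
        """Feed one request; return True if the request should be refused."""
        if self.is_blocked(ip, ts):
            return True
        if status != 404:
            return False
        q = self.recent_404s[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop 404s that fell out of the window
            q.popleft()
        if len(q) >= self.max_404s:
            self.blocked_until[ip] = ts + self.block_for
            q.clear()
            return True
        return False


# Constructed sample: 203.0.113.5 probes for plugin paths that don't exist,
# 198.51.100.7 is an ordinary visitor who follows one dead link.
SAMPLE_LOG = """\
198.51.100.7 - - [09/May/2014:06:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [09/May/2014:06:00:01 +0000] "GET /wp-content/plugins/constructed-plugin-1/ HTTP/1.1" 404 210 "-" "-"
203.0.113.5 - - [09/May/2014:06:00:01 +0000] "GET /wp-content/plugins/constructed-plugin-2/ HTTP/1.1" 404 210 "-" "-"
198.51.100.7 - - [09/May/2014:06:00:02 +0000] "GET /about/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.5 - - [09/May/2014:06:00:02 +0000] "GET /wp-content/plugins/constructed-plugin-3/ HTTP/1.1" 404 210 "-" "-"
203.0.113.5 - - [09/May/2014:06:00:03 +0000] "GET /wp-content/plugins/constructed-plugin-4/ HTTP/1.1" 404 210 "-" "-"
198.51.100.7 - - [09/May/2014:06:00:03 +0000] "GET /old-post/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.5 - - [09/May/2014:06:00:04 +0000] "GET /wp-content/plugins/constructed-plugin-5/ HTTP/1.1" 404 210 "-" "-"
203.0.113.5 - - [09/May/2014:06:00:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"
"""


def scan_log(log_text, **kw):
    """Replay a log through the rule; return blocked IPs and per-request decisions."""
    blocker = ThresholdBlocker(**kw)
    decisions = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path, status = parsed
        decisions.append((ip, path, status, blocker.observe(ip, ts, status)))
    return {"blocked": sorted(blocker.blocked_until), "decisions": decisions}


if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG)
    for ip, path, status, refused in result["decisions"]:
        print(f"{ip:14} {status} {'REFUSED' if refused else 'ok':7} {path}")
    print("blocked:", result["blocked"])
```

Only the 404 rule is implemented; the pageviews-per-second rule is the same window with every request as the event rather than only 404s. The single 404 from the legitimate visitor does not trip the rule, which is the point of counting within a window rather than reacting on sight: real users and search crawlers hit dead links too, so set the threshold with your own traffic in mind and be ready to exempt known crawlers.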