WordPress is one of the most popular open source blogging platforms. Unfortunately, this also seems to make it a popular target for hackers. While keeping your WordPress installation up to date can prevent a lot of potential security breaches, that’s not a guaranteed way to stay safe. Today, I’m going to cover a few steps you can take to give yourself extra layers of protection against hackers and evil robots.
Although these first steps may seem extremely basic, it’s always good to be reminded of the fundamentals. A great example of this was the Twitter happiness fiasco that occurred a couple of months ago. While it did have some entertainment value, it also served as a reminder that even the most basic security measures can be overlooked if you aren’t proactively taking steps to be more secure. Here are a few lessons that can be learned from that fiasco:
Don’t use words from the dictionary for your password
For example, passwords like password or happiness.
Most brute force attacks attempt to gain access by trying a prearranged list of dictionary words. If you choose a password that is not a word from the dictionary, you won’t leave yourself open to this type of attack.
Don’t use passwords that aren’t strong
For example, all lowers case with no numbers or other characters.
What exactly makes a password strong? Strong passwords have the following characteristics:
- Lengthy: Each time you add a character, your password becomes exponentially more difficult to guess.
- A combination of letters numbers and symbols: The more characters the better
- Uses both upper case and lower case letters
- Use a password that is easy for you to remember but difficult for others to guess
Microsoft has some more detailed tips on how to create strong passwords that are easy to remember but difficult for others to guess.
Whatever you do, don’t allow UNLIMITED login attempts!
In the case of the Twitter fiasco, the hacker actually launched an automated brute force attack which ran overnight while he was sleeping. The WordPress Limit Login Attempts Plugin is an ideal way for WordPress users to protect themselves from such brute force attacks. It works using both IP addresses and cookies. It can be set to notify you via email when someone has been locked out due to four failed login attempts. The first time four failed attempts occur the user or potential hacker is locked out for twenty minutes. After the next four failed attempts, the lockout last for twenty-four hours. These are the default settings, but they are fully customizable.
Robots Behaving Badly
There are all kinds of robots that roam the web. While some of them are friendly (Googlebot), others have malicious intentions (like harvesting your email address so they can spam you to death, or spamming the comments section of your blog).
Bad Behavior is a very cool WordPress plugin that stops these robots dead in their tracks. This plugin actually stops them from ever even visiting your website. The unique way Bad Behavior works is by analyzing the http request to see if it looks spammy or malicious. Besides the obvious benefits of having less spam on your site and in your email inbox, this plugin also keeps robots from using up your bandwidth and ensuring that your analytics stats more accurately reflect actual human visitors.
While this plugin is intended mainly as a spam prevention tool, I have also discovered that it may also prevent others from being able to view your site through a proxy server. This is a nice benefit since many hackers attempt to conceal their identity by hiding behind a proxy. Here is the message that usually will be presented when someone attempts to access the site from behind a proxy:
Secure WordPress Is another wordpress plugin that does many things in an effort to make WordPress more secure. Here are a few of the benefits of the plugin:
- removes error-information on login-page
- adds index.html to plugin-directory (virtual)
- removes the wp-version, except in admin-area
- removes plugin-update information for non-admins
Limit WP-Admin folder to One IP Address
“Most of the vulnerabilities found in WordPress, affect files in the wp-admin directory. By IP restricting this directory, and the WordPress login page, you’re adding an extra security layer on top of your WordPress installation.
You can IP restrict this folder, by creating an “.htaccess” file in your wp-admin/ directory, with the following contents:
Of course, if you have a dynamic IP, this .htaccess file needs to be updated to reflect your current IP address. Multiple IP’s can be added by adding extra “allow from IP” lines, in case you want to access the admin from say your home, and office, or if you have mutliple blog authors.“
Note: where it says (allow from 000.0.0.0) actually put your IP address there. If you are not sure what your IP address is you can find out by visiting http://www.whatismyip.com
Note x 2: If you use this method to IP restrict the wp-admin directory, there is no need to use the Limit Login Attempts Plugin. The reason is because anyone who does not have their IP included will not even be able to view the admin login page; instead, it will simply go to a 404 page.
Always Have a Backup Plan
Even after implementing the security measures we discussed today, there is still the possibility of a worst case scenario where you are hacked and everything is lost. Fortunately, as long as you have a backup, you will be able to easily restore your data and files. The WP-Database Manager will backup and email a database backup to you on a daily, weekly or monthly basis.
While this is great to have in the event of a database meltdown, it only backs up data and not files. So, what if all of your files were also to disappear?
Well, if you use a host like HostGator (which I do), they perform automatic weekly backups on all of their shared hosting plans. This can add a certain comfort level in knowing that you can always retrieve and restore a full backup. However, I still like to occasionally make a full backup myself, and most hosts give you a simple way to do this with only a few clicks. The best thing to do is to check with your host and inquire as to their simple procedure for manually creating a full backup.