This blog post will look at the following aspects of WordPress security and provide additional resources to help you secure your WordPress site.
1. Overview of Brute Force Attacks
2. How Your Site Gets Hacked
3. How to Backup Your Website
4. Resources for WordPress Security: Security Plugins, Online Paid Services
5. Your WordPress .htaccess File
6. Installing SSL
7. Additional Resources
1. Overview of Brute Force Attacks
If you are a user of the Wordfence Security plugin, you probably receive email alerts from Wordfence whenever there are large distributed brute force attacks on WordPress sites. A brute force attack is a hacker’s attempt to gain access to your website by repeatedly guessing usernames and passwords.
On December 16, 2016, Wordfence reported a huge increase in brute force attacks that began on November 24 and continued to nearly double on a daily basis. What’s more, they saw an increase in the number of unique IPs involved in these attacks, and that number was still climbing.
Consider that these statistics were for sites running the popular Wordfence plugin. How many more sites were affected that aren’t included in these totals?
These brute force attacks occur on a regular basis. If you aren’t vigilant about your WordPress website security, it’s not a question of if but when your site will get hacked.
Big Brands Getting Hacked
Even if you are vigilant about your website security, the hackers still get in. Did you know that the U.S. Department of Justice, Snapchat, and even the IRS have fallen prey to breaches and hacking?
And 17 data breaches have already been reported so far in 2017 according to a recent study published by Comparitech. Check out their informative breakdown of the biggest data breaches in history from 2004-2017 (to date).
So please don’t think that just because you’re a “little guy” the hackers aren’t interested. It doesn’t matter who you are, what your business does, or how big your firm is.
You are still a target.
Like death and taxes, cyber attacks are inevitable.
The rest of this post will look at how websites get hacked and will provide resources to help you with your own website security. Knowledge is power and a few precautions can help you lock down your WordPress website so you can rest easier.
2. How Your Site Gets Hacked
There are many ways your site can get hacked, but some of the most common include:
- Outdated themes and plugins
- Outdated WordPress framework
- Compromised .htaccess files
- WordPress installations no longer used
- Username of ADMIN and/or weak password
- Malware on your local computer or on another PC that accesses your site (e.g. subcontractors or virtual assistants)
- Admin username in the author archives
- Directory browsing left enabled, which exposes sensitive files such as wp-config.php or php.ini
You may check your site every day and it may look okay to you. But hackers can send all of your search traffic to another website and you won’t even know it!
During a round of brute force attacks, I discovered (along with other website owners) that hackers were able to gain access to the author username through a website’s author archives. For this reason, you should also not use your administrative account when composing blog posts.
As an alternative, set up a user with editor or author permissions. Login with this user role, not your administrative user role.
Or, change your author archives permalink to ensure that your username is not displayed in the browser window or cache.
The Implications of a Hacked Website
- Wrecked SEO (Did you know that even someone else’s hacked website can wreck your SEO?)
- Lost sales
- Lost customer trust
- Visitors exposed to malware
- Your unintentional endorsement of products or services if the hack redirects your visitor to another site
- Hours of time needed to assess damage and repair your site
- A backdoor the hacker installs in your theme, plugin or the uploads directory for future access.
And the list goes on. All that being said, you need to be vigilant about WordPress security.
The only way to be truly safe from getting hacked is to delete your site altogether. Seriously. It’s important to understand that any content management system (WordPress, Drupal, Joomla) is ripe to be hacked. And despite your best efforts at locking down your site, the hackers get in.
Statistics generally cite that more than 27% of the top 10 million websites are using WordPress. So you can see why it’s a frequent target for hackers no matter how big or small a company is.
Sending Passwords via Email
If you hire a web design firm to help with your WordPress site, they will need to obtain your WordPress login credentials. Many times clients send over the information in an email without a second thought. However, it really needs to be said that sending your username and password information via a single email is risky as that email could be intercepted and your site compromised.
Some non-technical ways that clients have shared sensitive username and password information with me include fax (seriously we still have one!), text messages, separate emails for username and password, phone calls, and Skype messaging. Separating the username from the password using separate channels is the safest approach. For example, you could email a username and send the corresponding password via Skype chat or text message.
Skype messaging and separate emails are not 100% secure, but they are still better solutions than sending all access credentials in one email.
Finally, if you have a Gmail account, Google Drive is an excellent way to securely share files and documents.
Services such as Privnote let you send a note that self-destructs once the recipient has read it.
Password Managers such as LastPass Premium allow you to share access credentials with other users.
3. Backup Your Website
First things first.
Even if your web hosting company runs daily backups, it is critical that you back up your WordPress website and store your backup offline.
I speak from experience when I say that dealing with a hacked website is one of the most stressful things you can experience. Even if your website hosting company stores daily backups on the server, make sure you back up your own website and keep a copy of the backup locally, not on your server.
This is important because many times your hosting company will not have a clean backup to restore due to the amount of damage done by the hacker. Who knows what scripts and files they may have injected?
Even if you hire a malware removal service or are using a paid subscription, there are times when the hacked site is destroyed beyond repair and malware can’t be cleaned. Sometimes all files need to be totally deleted off of the server and a fresh installation of WordPress followed by a restore of your website is the only way to get your site back up and running.
Popular Backup Solutions
Some of the best free backup plugins include:
- Duplicator: migrate, copy or clone a site from one location to another.
- BackWPup: save a complete installation to an external backup service (Dropbox, S3, FTP). A top WordPress backup plugin.
- UpdraftPlus (affiliate): does an excellent job of backing up the largest of sites, and you can also save your backups to external services or drives. After testing the free version of UpdraftPlus, I can confidently say that it is a great backup plugin and have started using it on all of my sites. Check out our UpdraftPlus review to learn more about backing up your WordPress site.
Best paid solutions include:
For a yearly fee, UpdraftPlus Premium is a great solution if you need WordPress multisite backup compatibility or enhanced features.
Set Up Your Pingdom Account
Next, head over to Pingdom to set up a free website monitoring account. Pingdom will automatically send you email alerts when your website is down. This is often the first indication that your website has been compromised.
Your Site is Down ~ Now What?
If you do receive an alert that your site is down, don’t panic. Head over to Sucuri (affiliate) and run a free website scan. It will tell you immediately whether malware is detected. However, be advised that depending on the nature of the malware, Sucuri’s scan will sometimes miss it.
For example, you may check your website and the home page comes up just fine. But if you check other pages you may receive a 404 error, which means the page can’t be found. This can be an indication that your site has been hacked and Sucuri may not detect it.
If the scan comes back clean, contact your web hosting company and have them check the server. More often than not it’s a temporary outage with your hosting company.
If the scan detects malware, you have several choices:
- Check to see if your hosting company can help you get to a good restore point and/or remove any malware
- Hire an Upwork (previously oDesk) freelancer to remove the malware. However, I would advise you to spend time in due diligence to find a trustworthy freelancer with a proven track record of malware removal.
- Contact Sucuri, sign up for one of their plans, and request malware removal.
- Contact Us
4. Resources for WordPress Security
Below are some great resources to help WordPress users of all skill levels to secure their WordPress sites. Even if you implement just a few of these suggestions, your WordPress security will be greatly improved.
The following is a list of effective plugins that you can use to boost WordPress security:
If you want a solid, lightweight, and free security plugin, look no further than WP-Bruiser. I first heard about this plugin from a colleague, Robin Strohmaier, at R&R Web Design. Check out Robin’s excellent post and learn more about WP-Bruiser.
WP-Bruiser not only protects against brute force attacks, it also integrates with popular contact form and comment plugins and will protect your site against comment spam as well.
Wordfence Security
The free version of Wordfence offers the following features:
- On-demand scanning of your website’s files, with notification of any needed updates or vulnerabilities
- Will help repair hacked files even if you don’t have a backup
- Blocks potential threats on your site if someone else’s site is attacked
- Collects data in real time to help block attacks
- Filters live traffic and shows: all hits, humans, registered users, crawlers, and Google crawlers
- Shows lists of IPs attempting logins which you can block immediately. They will stay blocked for 4 minutes unless you block them permanently.
The premium version offers:
1. Two-Factor authentication
2. Country blocking
3. Scan scheduling
Many sites are protected by Wordfence; however, the plugin is resource-intensive and you will receive lots of email notifications from the sites on which it is installed. Additionally, should you ever delete the plugin, it leaves behind a dozen-plus tables in your database.
The BulletProof Security plugin enables .htaccess website security with a few clicks and you don’t have to know anything about .htaccess files.
From the WordPress.org Plugin Repository: “BulletProof Security protects your WordPress website against XSS, RFI, CRLF, CSRF, Base64, Code Injection and SQL Injection… hacking attempts.”
Sucuri Security – Sitecheck Malware Scanner Plugin
The Sucuri plugin is a free WordPress plugin that will detect malware, blacklisting, spam, and other security issues on your WordPress site. This plugin offers a 1-click hardening option for your site by restricting access to wp-content and wp-includes and protecting the uploads directory.
If malware is detected on your website, you can check out Sucuri for urgent help such as malware removal and firewall blocking.
The Sucuri plugin integrates the APIs (application programming interfaces) of blacklist authorities such as Google Safe Browsing, Norton, AVG, and McAfee to check whether your website has been blacklisted.
Paid Subscription Services
Sucuri Security (affiliate) is a top-notch website security scanning service which you can use for free. You can visit their website and run a manual scan of your website anytime to see if it’s malware-free.
A yearly paid basic subscription of $199.99 offers you the following services:
1. Website-scan every 12 hours
2. Server-side scanning daily
3. Text, email, or SMS alerts of malware detection
4. Malware clean-up
5. Blacklist removal
Plus, if Sucuri is unable to remove the malware, your money is refunded. For an additional $9.99/mo you can get a subscription to a web application firewall (WAF), which blocks malicious incoming traffic.
Note: it’s important to check in periodically to make sure your Sucuri scans are running as scheduled. An upgrade to the Wordfence plugin caused a problem with our Sucuri subscription service and actually blocked the Sucuri scanner from running. We had to whitelist the Sucuri scanner to ensure the scans resumed as scheduled.
SiteLock is another option for online website scanning and protection services. However, you do have to request a quote for their packages, which include daily scanning, malware detection and/or removal, plus a web application firewall (WAF) that will block malicious traffic.
Both services offer a website seal that you can place anywhere on your site to show your visitors that your site is guaranteed to be malware-free.
Subscription services aren’t cheap, but they do offer you peace of mind and free up your time.
On a personal note:
I have used both of these paid services.
I used SiteLock in 2013 and have since switched to Sucuri. I recently spoke with SiteLock on behalf of a client, and still am not impressed with SiteLock’s pre-sales and customer service.
I’ve only been with Sucuri for a while now, and so far I’ve been very happy with their service and support. I like the peace of mind in knowing that my website is constantly being monitored and that I have an action plan should my site become compromised.
CloudFlare is a content delivery network (CDN) provided by many major web hosting companies for free. CloudFlare works for both static and dynamic websites as well as sites secured with SSL.
Once you have an active CloudFlare account, your web traffic routes through CloudFlare’s network. Your website performance is improved since content will be served by a server that is closest to your visitor. Additionally, CloudFlare blocks malicious incoming threats, which helps keep your website safe.
Many hosting providers are CloudFlare partners and offer CloudFlare integration for free. We recently took advantage of CloudFlare’s integration and set up our website on the free plan. You can learn more about our experience with CloudFlare.
A2 Hosting ~ A2 Optimized Plugin
A2 Hosting (affiliate) recently developed their own A2 Optimized plugin which automatically hardens your WordPress site when you create a new installation through Softaculous. For your existing sites, you may install and configure the plugin manually. The A2 Optimized plugin “combines custom A2 Hosting settings and functionality from third-party plugins to provide speed and security optimizations for your WordPress site.”
We’ve used it on several WordPress sites and it has simplified the task of hardening those sites.
5. Your WordPress .htaccess File
Your .htaccess file is the single most critical file of your WordPress installation. It has no name in the usual sense; the whole filename is the extension. The .htaccess file is a simple text file that can be created and edited in Notepad. It is a per-directory configuration file used in an Apache environment and holds directives that control how the web server handles the directory your WordPress installation lives in.
Your .htaccess file can be used for functions such as:
1. image compression
2. custom error pages
3. blocking an IP
4. blocking a range of IPs
And much more.
For this reason, it is also a popular entry point for hackers. Once they have compromised your .htaccess file, they can redirect your visitors wherever they want and more.
Locking down your .htaccess file is one of the most powerful ways to harden your WordPress security. You can do this through the BulletProof Security plugin which lets you create and activate .htaccess WordPress security for your website.
It is important to note that a typing error in your .htaccess file can prevent your WordPress site from working properly. So make sure you back it up prior to adding any changes.
Block Brute Force Attacks
If you and/or a few trusted employees or outsourcers require admin access to your site, consider blocking brute force attacks by limiting access to only those few IPs. All other IPs will be denied. This is one quick and simple way to stop these types of attacks.
Please note: If you are on CloudFlare, do NOT use this method or you may lock yourself out of your own site. This is because CloudFlare acts as a reverse proxy so all connections appear to come from their IPs. All you need to do is to add a few lines of code to the .htaccess file to solve the reverse proxy issue. Learn more here.
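Worked .htaccess example for the IP restriction above and the Cloudflare caveat, written for this post rather than taken from the author, BulletProof Security or Cloudflare; it assumes Apache 2.4 with mod_rewrite enabled, WordPress installed at the site root, and the placeholder addresses 203.0.113.10 and 198.51.100.0/24 standing in for your own trusted IPs. It also goes one step beyond the post by blocking the ?author=N probe that leaks usernames through the author archives discussed in section 2.

```apache
# Added example (not from the original post). Apache 2.4 syntax, placed in
# the site-root .htaccess ABOVE the "# BEGIN WordPress" block so WordPress
# never overwrites it. The IP addresses are placeholders; replace them with
# the addresses that may reach the dashboard. Back up .htaccess first and
# test the result from a second browser before closing your admin session.

# --- Variant A: site is NOT behind Cloudflare ---------------------------
# Restrict only the login form. Leaving admin-ajax.php reachable keeps
# front-end plugins (contact forms, sliders) working for ordinary visitors.
<Files wp-login.php>
    Require ip 203.0.113.10 198.51.100.0/24
</Files>

# --- Variant B: site IS behind Cloudflare (use INSTEAD of Variant A) ----
# Cloudflare is a reverse proxy, so REMOTE_ADDR is a Cloudflare edge address
# and Variant A would lock everyone out, including you. Cloudflare forwards
# the real visitor address in the CF-Connecting-IP header, so test that.
# Trust this header only if the origin accepts connections solely from
# Cloudflare's published IP ranges; a direct request to the origin could
# otherwise forge it.
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/(wp-login\.php|wp-admin/) [NC]
RewriteCond %{REQUEST_URI} !^/wp-admin/admin-ajax\.php [NC]
RewriteCond %{HTTP:CF-Connecting-IP} !^203\.0\.113\.10$
RewriteCond %{HTTP:CF-Connecting-IP} !^198\.51\.100\.
RewriteRule ^ - [F,L]

# --- Extra: refuse the ?author=N probe (see section 2 of the post) ------
# WordPress redirects /?author=1 to /author/<username>/, which is one way
# the admin username ends up exposed in the author archives. Return 403 for
# such requests on the public site; wp-admin is excluded because its own
# screens use author= to filter the post list.
RewriteCond %{REQUEST_URI} !^/wp-admin/ [NC]
RewriteCond %{QUERY_STRING} (^|&)author=\d+ [NC]
RewriteRule ^ - [F,L]
```

After saving, confirm from an untrusted address that wp-login.php returns 403 while the public pages still load; if the public site also breaks, a syntax error in the file is the usual cause and the backup copy restores it.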
6. Installing SSL
Installing SSL on your website ensures that traffic between your visitors and your site is encrypted, which protects you as well as your users.
This means that any data submitted by your visitors via a website form will be protected from third parties that may try to intercept it. This includes the username and password you submit to log into the WordPress dashboard.
SSL also readies your site for e-commerce should you want to sell products or services on your website.
SSL is covered in great depth in our 3-part blog series as listed below:
7. Additional Resources
The following excellent resources are intended to supplement the highlights of this blog post. Several were touched on earlier, but are repeated here for those of you who just skipped down to this section.
It’s important to test each step you take when tightening your WordPress security especially if you are using a combination of plugins and manual steps.
To summarize, you should make the following efforts to help improve WordPress security:
- Keep current backups.
- Use strong username and passwords. Never send these credentials through an email.
- Install a security plugin such as Wordfence, Sucuri or BulletProof.
- Don’t expose your username through the author archives. Consider setting up an editor role when creating posts.
- Consider a paid security subscription service such as Sucuri that monitors your website and does malware clean-up should your site become compromised. It’s a worthwhile investment and a small price to pay for peace of mind.
- Install an SSL certificate on your website. This is especially helpful if you need to access your website while traveling, as it encrypts your username and password credentials.
- Modify your .htaccess file to deny all IPs except those that are allowed access to your website. (Note: this is not practical if you travel frequently and need to access your site).
It’s easy to become paranoid and obsessed with WordPress security to the detriment of your business. Make your best effort to take the appropriate steps for securing your site, but don’t let it take so much time that your business suffers. Again, I am speaking from experience here. 🙂
Over to You
I hope this post has been helpful to you. Whatever your WordPress skill level is, there are steps you can take to protect your website and improve your WordPress security.
What other tools are you using for WordPress security? Please share in the comments below. We’re all in this together and it’s helpful for all when we share our experiences!