Attacks on website hosts are not uncommon. Websites have always been susceptible to attacks and data loss. However, with content management systems in use, conducting mass attacks targeting a specific technology and a flaw has become easier. This month’s attack on WordPress websites was one such example of a sweeping attack.
Website Security for WordPress in 3 Steps
Coming on the heels of the DDOS attack that choked the Internet earlier, this brute force attack on WordPress was carried out from multiple IP addresses and exploited weaknesses in WordPress username and password.
The attackers set out to bring the websites down by systematically trying some common usernames. A few common usernames attempted on our website, that we tracked using a security plugin, included Admin, Admin1, Manager, support, administrator, admins and so on.
I still remember how our website was attacked last year within days after it was launched. We still had the default ‘Admin’ username at that time. The password was fairly strong, or so we thought, but the common username made things easier for the attackers and gave them access to infect the website.
I am no web security expert, but this attack on our website made me look into website security. Here are some of the basic tips I learned that you can use to secure your WordPress website.
Server Level Security
Some of the most common attacks WordPress websites face are the SQL injection attacks. A typical attacker first goes through the .htaccess file before moving on to other WordPress files. Think of .htaccess file as the gateway to your WordPress installation. By modifying the .htaccess file, you can stop the attacker from accessing other important files and folders of your WordPress installation.
You can secure the files on your installation by defining the permissions in the root .htaccess file and adding .htaccess files to other WordPress folders such as /wp-content/uploads. This tutorial on How to protect WorPress folder with .htaccess file shows the code snippets you need to add to your WordPress installation to make it more secure.
Adding the additional code to the .htaccess file will ensure that visitors don’t have access to the documents you upload to your WordPress website or the theme and plugin files.
Website Level Security
Attackers use different methods depending on the vulnerability of the CMS. The .htaccess file changes help you secure access to your directories and files. However, you cannot always keep all the attackers at bay, and it is important to monitor your WordPress installation all the time.
WordPress plugins such as Wordfence Security and BulletProof Security help you monitor and set preferences to harden your WordPress installation. For example, with the Wordfence Security plugin you can monitor crawlers and visitors to your website and block access to any suspicious visitor. Additionally, you can keep track of all the login attempts to your website, and set the maximum number of allowed unsuccessful login attempts before the plugin blocks the user. The plugin also scans all the WordPress installation files and gives you an option to restore original files if any of these file are infected.
Moreover, most plugins have options to set up email alerts to stay informed of any vulnerability that the plugin detects.
User Level Security
Your Username and Password is the most important part of securing your WordPress website. A weak password can undermine all the work you have put-in to secure your website and give attackers access to your files.
As was the case in the recent attack, a brute force attack typically tries a list of common usernames and password on a website. To counter this type of attack, the first thing you should do after installing WordPress is create a new user with administrative privileges with an uncommon username. Something that is unique to you and not a common username such as manager, support or administrator. In addition to the username, you also need to create a strong password for your account.
Usually a strong password has at least 8 characters, is not a dictionary word, and includes digits and special characters. This list of Dos and Don’ts from the University of Maryland is a good guideline to create a strong password for your WordPress website.
WordPress is an open source CMS. Any new developments and code changes are public immediately and available to everyone. Similarly, the plugins you use on your website are also open source. Any vulnerabilities in the plugins and WordPress code can be exploited by attackers, if they are not addressed.
Thankfully, WordPress fixes and sends out an update whenever they come across any such flaws to protect the users. As a website owner, you must ensure that you install these WordPress and plugin upgrades as soon as possible.
Website security is a complex topic and needs many more tweaks than discussed in this brief post. Banks and governments spend millions to protect their data, network, and websites. However, mass attacks on technology target everyone using a specific platform. While these basic steps to secure your website may not stop a dedicated attacker bent on breaking your website, it can protect you from most of the mass attacks that exploit vulnerabilities in the system and those created by ill-informed user actions.
I hope you found these tips useful, and are off to create stronger usernames and passwords for your blog or website to say the least. If you have any questions, feel free to leave a comment below. Also, don’t forget to share this so that we can all implement stronger measures to ward off website attacks.
More Tech articles from Business 2 Community: