Security on WordPress has, especially in the past couple of months, become a serious issue. Never before have I seen so many determined and sophisticated hacking attempts directed against the WordPress sites I own or manage.
These run the whole gamut of attack variations:
* Blackhole Exploit Kit attacks
* SQL Injection attempts
* Login & Password access efforts
* Link Injection & Phishing attacks, where links to bank fraud efforts are made
* Etc…
Attacks are primarily initiated in Russia, Poland, Germany and India. The firewall software I use also identifies hosts being blocked from Australia, random European countries, plus sources that are unidentifiable due to IP address concealment etc.
Generally speaking, it's easy to minimize the potential threat with a few minutes of pre-emptive effort! In other words, an ounce of prevention is still easier to apply than a pound of cure!
WordPress Security Plugins
This is the first line of defense – a properly implemented security plugin will thwart the majority of hacking efforts – particularly the script-based automated ones! Where a human-driven attack is initiated, you can easily make it extremely difficult to gain access to the internals of your website. The more difficult it is, the greater the likelihood of the attacker giving up and seeking out a softer, easier target. Even in the hacking world, time is money…
There are multiple WordPress security plugin applications available, each with its own methodology or variation on a theme. Selection of one over the other will often be based on the server environment – some simply won’t install if the right PHP elements or server settings are not enabled. Those that I have direct and extensive personal experience with are:
Each has its peculiarities, peccadilloes and quirks! Each works…
Better WordPress Security
I’ve used Better WordPress Security a lot and do like the comprehensive way in which it tackles a broad range of prospective threats. Its evolution has been significant and rapid. Unfortunately, the new releases have been occurring at almost weekly intervals for the past couple of months. Upgrades sometimes culminate in a crisis on the site, such as 500 Server Errors. This issue is particularly problematic if you have WordPress running in a sub-directory! Such issues can only be remedied by:
* accessing the site via FTP
* deactivating the BWS plugin by renaming or deleting the directory
* editing the BWS rules out of the .htaccess file (or deleting .htaccess completely)
Obviously, that’s a pain in the proverbial, and is not an endearing aspect of the plugin! 🙂
If your WordPress installation runs from the root directory, BWS will give you peace of mind, but you will need a good understanding of WordPress, security issues, and confidence in WordPress troubleshooting…
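The recovery steps above (rename the plugin directory, strip its rules out of .htaccess), as an added shell example that is not from the post or the plugin; it assumes shell access to the document root, and the `# BEGIN ... / # END ...` marker lines are an assumption about how the plugin fences its .htaccess block:

```shell
#!/bin/sh
# Added example (not from the post): recover a site that a security plugin
# has broken (e.g. HTTP 500 after an upgrade) without the WordPress dashboard.
# Over FTP the same two steps are done by hand: rename the plugin directory,
# then remove the plugin's block from .htaccess. The marker line format is an
# assumption and may need adjusting for your plugin version.
set -eu

# Disable the plugin by renaming its directory: WordPress skips a plugin whose
# files are missing, which is what clears the 500 error.
disable_plugin() {
  docroot="$1"; slug="$2"
  dir="$docroot/wp-content/plugins/$slug"
  [ -d "$dir" ] || { echo "no such plugin dir: $dir" >&2; return 1; }
  mv "$dir" "$dir.disabled"
}

# Remove only the lines between the plugin's BEGIN/END markers, keeping
# WordPress's own rewrite rules and anything else in the file. A timestamped
# backup is written first so the change can be reverted.
strip_htaccess_block() {
  htaccess="$1"; marker="$2"
  [ -f "$htaccess" ] || return 0
  cp "$htaccess" "$htaccess.bak.$(date +%Y%m%d%H%M%S)"
  awk -v m="$marker" '
    $0 == "# BEGIN " m { skip = 1; next }
    $0 == "# END " m   { skip = 0; next }
    !skip
  ' "$htaccess" > "$htaccess.tmp" && mv "$htaccess.tmp" "$htaccess"
}

# Usage (hypothetical paths): recover.sh /var/www/site better-wp-security "Better WP Security"
if [ "$#" -eq 3 ]; then
  disable_plugin "$1" "$2"
  strip_htaccess_block "$1/.htaccess" "$3"
fi
```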
Minor Irritation
* The “Backup” option being ON by default – that interferes with any backup scheduling you already have in place, such as BackupBuddy or WP DB-Manager etc. That can sometimes culminate in 2 dozen copies of your site backup arriving in your email account overnight! LOL
Major Irritation
* Checking files outside the WordPress installation will give timeout errors and lock up Admin access if you’ve got other large software applications OR add-on domains. There is an “exclude directories” option, but it requires manual selection… Such a lockup is not recoverable and requires deactivation as above.
That said, it’s damned effective at preventing security breaches and I’ve not had a single unauthorized access on a site running BWS! Despite the irritations, I actually made a $50 donation towards the BWS cause, as it’s obviously taking up a huge amount of dedicated effort to get it right, and it’s getting better and better.
Wordfence
While I would prefer to use a single WordPress security plugin across all sites I manage, I’ve got Wordfence Security installed on multiple sites because WP is running from within a sub-directory, or because of add-on domains as mentioned above.
Wordfence has a relatively simple interface compared to BWS or BPS, and operates in a different way. It seems very robust, and the firewall settings are easy to configure. Basically, I recommend simply selecting the following setting:
“Level 4: Lockdown. Protect the site against an attack in progress at the cost of inconveniencing some users.”
That’s going to defeat the most determined of automated hacking efforts without impacting the site’s usability! Wordfence can be configured to provide email warning of a variety of threats, including:
* Alert on critical problems
* Alert on warnings
* Alert when an IP address is blocked
* Alert when someone is locked out from login
* Alert when the “lost password” form is used for a valid user
* Alert when someone with administrator access signs in
* Alert when a non-admin user signs in
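The login-lockout rule behind the "IP address is blocked" and "locked out from login" alerts, run over web-server access logs so you can see which hosts are hammering wp-login.php. This is an added example, not Wordfence code: a POST to wp-login.php that returns 200 re-displays the form (a failed attempt), while a successful login returns a 302 redirect. The threshold and the sample log lines are constructed for the example, not plugin defaults:

```shell
#!/bin/sh
# Added example (not from the post or any plugin): count failed wp-login.php
# attempts per client IP in an Apache combined-format access log and report
# hosts over a threshold, i.e. the candidates a lockout rule would block.
set -eu

# Reads log lines on stdin, prints "ip count" for every IP with more than $1
# failed attempts (POST wp-login.php answered with 200), sorted by IP.
failed_login_hosts() {
  threshold="$1"
  awk -v t="$threshold" '
    $6 == "\"POST" && $7 ~ /^\/wp-login[.]php/ && $9 == "200" { n[$1]++ }
    END { for (ip in n) if (n[ip] > t) print ip, n[ip] }
  ' | sort
}

# Constructed sample log (documentation IP ranges): one host retrying the
# login form four times, one legitimate login (302), one ordinary page view.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [10/Oct/2012:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2012:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2012:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2012:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2012:14:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2871 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2012:14:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2012:14:05:00 +0000] "GET /?p=12 HTTP/1.1" 200 9840 "-" "Mozilla/5.0"
EOF
}

# Usage: sample_log | failed_login_hosts 3   (or: failed_login_hosts 3 < access.log)
```

Against a real log, pipe `access.log` into `failed_login_hosts` and compare the result with the plugin's blocked-IP alerts.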
Other important security aspects include:
* Enable automatic scheduled scans
* Scan core files against repository versions for changes
* Scan for signatures of known malicious files
* Scan file contents for backdoors, trojans and suspicious code
* Scan posts for known dangerous URLs and suspicious content
* Scan comments for known dangerous URLs and suspicious content
* Scan for out-of-date plugins, themes and WordPress versions
* Check the strength of passwords
* Monitor disk space
* Scan for unauthorized DNS changes
* Scan files outside your WordPress installation
By Ben Kemp (c) 2012