
It’s worth your time to look over this list of security tips, and to
take the few simple actions to implement them. How secure is your
website?
Let’s go over the basics right now …
Why take WordPress security so seriously?
Why all the security talk? Because staying vigilant about security is an ongoing responsibility for any WordPress site owner.
In fact, it’s an ongoing responsibility for everyone online, whether you’re using WordPress or not.
So we’ll continue to discuss it here as much, if not more so, than
performance. Hey, sub-second load times are great, but not if you’re
hosting hidden links to Viagra sites or Google is flagging your site as
malware-infected.
I know that security can sometimes be a nebulous, abstruse topic. If
you don’t have a technical background, the risks and the necessary
safeguards can be difficult to comprehend.
You’re not alone.
When I first launched Midwest Sports Fans some four years ago, I couldn’t have told you the difference between DDOS and Mike Doss.
I was among the ranks of those who used the same password for my MSF
admin login as for my Gmail account … and my bank account … and, you get
the idea.
Over time, I learned the importance of taking security seriously.
Some of the lessons weren’t pleasant. But they provided me with the
knowledge to be able to educate you on simple steps you can take right now to make your site safer.
As you read this list, consider it less a “top 10 list” and more of a
checklist. If you come across one, two, or ten of these that you cannot
mentally check off as being part of your current security arsenal, stop
reading and go implement it.
Let this motivate you: we see between 50,000-180,000 unauthorized login attempts every single day
at the sites we host. The vast majority of these are hackers using
brute force techniques to get into websites and wreak havoc. It is
possible, perhaps even probable, that a hacker halfway across the globe
is trying to hack into your site at this very moment …
… I hope your password isn’t password123.
And now, on to the most important top 10 list you’ll read all week:
1. Maintain strong passwords
Let’s kick off the list with the easiest step you can implement immediately. Hopefully you already have.
If not, do not procrastinate on this one.
I’ve linked to this post before, and I’ll link to it again: “Password Protection: How to Create Strong Passwords” from PCMag. I used a number of the tips listed in that post to completely overhaul my personal password strategy.
Take this seriously.
Excuses like, “But I want one password for all of my sites so that I
won’t forget!” or “My (generic) password is good enough, and what are
the odds that someone is really going to try to hack me?” are not
acceptable.
If you aren’t using a password that’s at least ten characters, mixes numbers and letters, capitals and lowercase, and is unique to this site … you’re doing it wrong. A password manager takes the “I’ll forget it” excuse off the table. Do it right. Especially this one.
2. Always keep up with updates
WordPress updates are not just released for the Google News search
results. They are released to fix bugs, introduce new features, or, most
importantly, to patch security holes.
Will WordPress (or any software program, for that matter) always be
one step ahead of the hackers? Of course not. Quite the contrary. For
the most part, as with performance-enhancing drug testing in sports,
software is always going to be one step behind the hackers. That’s just
how it goes, it’s the world we live in.
But when major security holes
are known — and patches are available — there is no excuse not to
implement them. Thus, there is no excuse not to keep up with WordPress
updates. The same goes for plugins and themes.
I know that many of you feel trepidation when it comes to updating
WordPress, afraid that it might break your theme or disrupt a plugin’s
functionality. My response to this is simple: if you’re afraid of it,
then you need to re-evaluate your theme and plugin strategy. Your theme
will certainly get disrupted when a hacker injects half a page of
nasty obfuscated code into it.
One of the benefits of investing in a WordPress theme framework like Genesis
is that our StudioPress division will have the Genesis Framework
updated damn near instantaneously when a WordPress update is released.
In fact, there’s a good chance they had input in the WordPress update
itself! So, you never have to worry about your theme breaking.
As for plugins, this is why vetting plugins is so important. If a plugin isn’t updated regularly, or you’re not paying for support, then you should be afraid of it possibly breaking with a WordPress update. Thus, you might want to rethink using it at all.
3. Protect your WordPress admin access
Should you change the name of the default “admin” user that every
WordPress installation starts out with? Sure, you can. It certainly
isn’t going to hurt.
Just know that it isn’t the pinnacle of security measures. Hackers
can find usernames fairly easily from blog posts or elsewhere.
More important than disguising the specific admin username is to make
sure that every username of your site with administrator access is
protected by a strong password. (Yes, I’m referring you back to #1 in
this list.)
And, if you really want to protect your site, go the extra step of requiring a Yubikey
to log in. That way, even if someone does have the password to a
username with administrator access, he or she cannot log in without
physically possessing the Yubikey (which is easily used via simple USB
insertion when it’s login time).
And no, it’s not a hassle. It’s peace of mind.
4. Guard against brute force attacks
Remember the stat I cited above? It’s worth citing again: we see
between 50K and 180K failed login attempts a day on the sites we host.
Before you pass out at the magnitude of that number, know that you’re
far from powerless against these nameless, faceless hack attempts.
First, your web host should be helping to protect you from brute force attacks. We do. We regularly monitor where failed login attempts are coming from and then lock out the offending IP addresses.
Second, make sure you’ve checked off tips 1, 2, and 3 above.
Third, there are plugins that can be installed (such as Limit Login Attempts) that temporarily lock out an IP address after a set number of failed logins, which makes it much more difficult for brute force techniques to work.
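The lockout logic described in this section, written out as an added example. This is not the host’s monitoring code and not the Limit Login Attempts plugin; it is a small Python illustration of the same idea. The log format is an assumption (timestamp, client IP, result, username) and the log lines are constructed for the example. An IP is locked out once it exceeds `max_failures` failed logins inside a sliding window of `window_seconds`; a successful login clears that IP’s failure history.

```python
from collections import defaultdict, deque
from datetime import datetime
import re

# Constructed sample log lines (not from any real server). The format is an
# assumption made for this example: ISO timestamp, client IP, result, user.
SAMPLE_LOG = """\
2013-04-12T10:00:01 203.0.113.7 FAILED admin
2013-04-12T10:00:02 203.0.113.7 FAILED admin
2013-04-12T10:00:03 203.0.113.7 FAILED admin
2013-04-12T10:00:04 203.0.113.7 FAILED admin
2013-04-12T10:00:05 203.0.113.7 FAILED admin
2013-04-12T10:00:06 203.0.113.7 FAILED admin
2013-04-12T10:00:30 198.51.100.4 FAILED editor
2013-04-12T10:02:10 198.51.100.4 SUCCESS editor
2013-04-12T10:30:00 192.0.2.9 FAILED admin
2013-04-12T10:45:00 192.0.2.9 FAILED admin
2013-04-12T11:00:00 192.0.2.9 FAILED admin
2013-04-12T11:15:00 192.0.2.9 FAILED admin
2013-04-12T11:30:00 192.0.2.9 FAILED admin
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (FAILED|SUCCESS) (\S+)$")


def parse_line(line):
    """Return (timestamp, ip, failed, user) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, result, user = m.groups()
    return datetime.fromisoformat(ts), ip, result == "FAILED", user


def find_lockouts(log_text, max_failures=5, window_seconds=600):
    """Return {ip: lockout_time} for every IP that exceeds max_failures
    failed logins within any window_seconds-long sliding window.

    A successful login clears that IP's recent failures, so a legitimate
    user who fumbles a password a couple of times is not locked out.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    locked = {}
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, ip, failed, _user = parsed
        if ip in locked:
            continue                  # already blocked; ignore further noise
        if not failed:
            recent[ip].clear()
            continue
        q = recent[ip]
        q.append(ts)
        # Drop failures that fell out of the sliding window.
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_failures:
            locked[ip] = ts
    return locked


if __name__ == "__main__":
    for ip, when in find_lockouts(SAMPLE_LOG).items():
        print(f"lock out {ip} as of {when.isoformat()}")
```

With the defaults, 203.0.113.7 is locked out on its sixth failure at 10:00:06, while 192.0.2.9, which spaces its guesses fifteen minutes apart, never trips the ten-minute window. That slow-and-low pattern is the limitation of any pure lockout rule: it raises the attacker’s cost, but a strong password (tip #1) is still what actually stops the guessing.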
5. Monitor for malware …
It’s imperative that you have some kind of system in place to constantly monitor your site for malware.
The folks at Sucuri do this as well as anyone, which is why we’ve partnered with them for the server-side scanning that we do for all of our customers.
How you monitor is vitally important. Choose a method that
can actually dive into your file structure on the server and detect deep breaches,
rather than one that only looks at your site from the outside and tells you where you might be vulnerable.
6. … Then do something about malware!
Monitoring for malware is not a solution in and of itself. The solution is what happens once malware is detected.
If you are not a Synthesis customer, the Sucuri team is a great one
for you to partner with because they’ll not only scan for malware,
they’ll help you clean it up once it’s detected.
And if you are a Synthesis customer, you already know that we’ll take
on the job of cleaning and repairing your site should anything bad
happen to it.
A couple of the oft-overlooked “true costs” of WordPress ownership
are those associated with downtime due to security issues and cleaning
up those issues. This is part of the value proposition that should be
rolled into your managed hosting provider’s offering.
7. Choose the right web host
I’ve already told you about the server-side scanning and malware
cleanup guarantee that we give all of our customers. And that’s far from
the only reason why our WordPress hosting is a great choice for the security-conscious WordPress user. Just saying.
One major security risk is being on a shared server. Think of it this
way: take the security risks inherent in your own WordPress
installation, then multiply them by the number of sites on the server. If
the host doesn’t properly isolate accounts from one another, a compromised
neighbor can read or write your files too. And
if you go with generic hosting, chances are you’re going to be lumped
in with hundreds and hundreds of other websites.
Don’t.
Your own VPS may not be the right option for you. It may be too
expensive, or your traffic may not necessitate it. That’s fine. But if
you’re going to be on a shared server, make sure it’s shared with just a
small number of sites (our shared servers have no more than 10 sites)
on a hosting stack that has proven safeguards in place to protect it.
Also, find a host that doesn’t get complacent about security.
Anyone who would claim to “have security figured out” has no clue. Online security is constantly
changing. Web hosting companies need to constantly evolve with that
changing landscape, and the threats that come with it. Make sure whoever
you trust your website to operates with this mentality.
8. Clean your site like you clean your kitchen
Did you know that your WordPress installation could easily have ticking time bombs sitting on it that you’re not aware of?
If you have old themes and plugins that you’re not using anymore,
especially if they haven’t been updated, you can basically just go ahead
and start the countdown to your next security breach. A messy site also
makes it much more difficult for security professionals to operate
should your site be compromised.
You wouldn’t leave dirty dishes and silverware sitting in stale water
for three days in your sink, would you? Of course not. It would be a
breeding ground for filth and muck.
So clean up and organize your file structure like you would your kitchen. It will keep you safe in more ways than one.
If you’re asking, “Where do I begin?”, start at the root. Compare your file list to that of the default WordPress core for the same version. A few extra files, like your favicon? OK. Two times as many files, including PowerPoint presentations for work? Time to do some dishes …
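Both the “dive into your file structure” monitoring from tip #5 and the “compare your file list to the default core” cleanup from tip #8 come down to the same check: snapshot a known-good tree, then diff the live tree against it. The following is an added example of that check, not Sucuri’s scanner and not the host’s tooling. It assumes the baseline manifest is taken from a clean copy of the same WordPress version and stored somewhere the web server cannot write to; the file tree it builds is constructed for the example.

```python
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def compare(baseline, current):
    """Classify differences between a known-good manifest and the live tree.

    'added' is where dropped shells and stray work files show up,
    'modified' is where injected code in core or theme files shows up.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline
                      if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Build a constructed mini 'core' tree, snapshot it, then simulate a
    tampered core file, a dropped file and a stray office document."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-includes"))
        with open(os.path.join(root, "index.php"), "w") as f:
            f.write("<?php require 'wp-blog-header.php';\n")
        core_file = os.path.join(root, "wp-includes", "functions.php")
        with open(core_file, "w") as f:
            f.write("<?php // core functions (constructed stand-in)\n")
        baseline = hash_tree(root)          # snapshot of the clean install

        # Simulate what a compromise and a messy site look like on disk.
        with open(core_file, "a") as f:
            f.write("<?php /* injected code (simulated, inert) */\n")
        with open(os.path.join(root, "wp-includes", "cache.php"), "w") as f:
            f.write("<?php // file that is not part of core (simulated)\n")
        with open(os.path.join(root, "Q3-report.pptx"), "wb") as f:
            f.write(b"not a WordPress file")
        os.remove(os.path.join(root, "index.php"))

        return compare(baseline, hash_tree(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

Run against a real install, the baseline should come from a pristine download of the same version, never from the server itself after it may have been touched, or you will be hashing the attacker’s files as “known good”. Anything under `added` that you cannot explain is exactly the “time to do some dishes” case above.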
9. Control sensitive information
And when you are doing that cleanup of your file structure, check to
make sure you are not leaving bits of valuable information available for
all the world to see.
For example, the readme.html file by default will say what version of
WordPress you’re running. If you’re running an older version of
WordPress with a known security hole, hackers will find you.
Similarly, look into your phpinfo.php or i.php files. They’ll tell a
hacker everything about your setup and serve as a “road map to the
house” before they even break in.
And leaving .sql database backup files around is a big no-no. If a hacker
can download your entire database they’ll have every username and
hashed password you’ve ever used at their disposal, and weak hashes can
be cracked offline at leisure. (Yet another reason to take #1 seriously.)
While your website host should be scanning for items like this, why
leave anything to chance? You wouldn’t walk out your front door without
pants on (at least I’d hope not!) … so don’t run your website that way.
10. Stay vigilant
This one is pretty easy to explain. Just stay on top of what’s going on out there.
You don’t need to understand the intricacies of a DDoS attack or churn out a blog post about GoDaddy getting taken down. But when an issue like the TimThumb fiasco rears its ugly head, are you aware of it? Early detection is the best prevention.
You should be with a managed WordPress host who has your back, but it never hurts to watch your own back too.
Follow Twitter accounts like Sucuri’s or ours,
where we’ll update you when we hear of relevant security issues
affecting the web. And just keep your eyes peeled. Don’t think that
security issues are only affecting those other sites. They could just as easily be affecting yours.
Respect thine enemy, as they say.