Wednesday, October 9, 2013

Quick and Easy WordPress Security

It's a sad fact that most people only take the time to protect their WordPress sites after they have been hacked. In all my years supporting CMSes like WordPress, I've had dozens of terrified site owners come to me for help in a panic after their site was attacked. Conversely, I've had exactly zero people ask me how to protect their site before an attack ever occurs.


The following are a few easy-to-apply best practices you can take care of right now to reduce the risk of your site being hacked. You cannot have complete security from attacks; you can only minimize your chances. Anyone who comes to you and says they can prevent your site from being hacked is lying!

My hope is that you'll apply the following suggestions (if you're not using them already) and look into further security measures you can take.

Anyone can apply the following suggestions to immediately improve their site's security. But there's much more you can do to better protect your site than what's mentioned in this article. Many advanced security measures require editing server settings and file permissions, which requires someone with knowledge of server configuration. If you want to improve your site's security beyond the recommendations in this article, you can learn more or hire a professional systems administrator to review and adjust your configuration.

According to WordPress, the two most common attacks target outdated plugins, or attempt to gain access by "brute-force" password guessing using automated scripts. The following recommendations will help minimize your risk from these types of attacks.

Using Strong and Long Passwords


You've probably heard this recommendation before if not several times. You're going to hear it again. One of the best things you can do right now to improve your security right now is updating your password so it's longer. (Yes, I said "right now" twice on purpose!)

How long should your password be? According to an online password crack estimate, a password with 16 random numbers and letters will take a computer 2,780,885 centuries to guess. I think that's an unrealistic estimate given that processing power can be increased, making cracking programs run exponentially faster. This is why I make my passwords at least 20 characters and include special symbols.

You're probably wondering how you're going to remember long passwords of mixed numbers and characters. There are many methods to train yourself to remember passwords from mnemonic memorization to phrases, but I gave up trying to remember passwords a long time ago. I just use RoboForm and let it manage my passwords for me.

I wish we had something better than usernames and passwords for authentication technology, but that's what we're stuck with at the moment. Again, that's why I've relied on RoboForm for the past 10 years.

Don't stop with WordPress


Make sure your hosting account password is long, as well as your SFTP account's. (If you're still using FTP, please switch to SFTP; it's much more secure, encrypting your data as it is transmitted between your computer and your website. This means your password is never sent in the clear and cannot be intercepted by an attacker.) And if you don't use FTP at all, delete any unused FTP accounts from your hosting.

What about two-factor authentication?


I use two-factor authentication (password plus a PIN sent to my phone) on sites that support it. For WordPress, I haven't found a two-factor authentication plugin that didn't lock me out of my site, so I can't recommend it right now.

If your web host supports two-factor authentication, consider enabling it on your account.

Delete logins not being used, especially Administrator accounts


Delete all users from your WordPress site that are not being used. For added security, don't use your administration account for adding articles to your site. Use an account with an Author role instead to add content to your site.

Protect your login page


By default, WordPress doesn't do much to protect your login page. A brute-force attack can hit your login and try thousands of password combinations until it finds one, or until your web host shuts you down because your account is exceeding memory and CPU.

One measure you can take right now is to use a plugin that will limit the number of login attempts before blocking the source of the attack. There are several of these types of plugins available in the plugin repository; one I use is Limit Login Attempts.

You should understand that this type of protection can be undermined. An attacker can spoof where the attack is coming from after each failed attempt, making the plugin "think" each new attempt is legitimate. But a plugin like this can help in attacks looking for low hanging fruit, and since it's easy to add you may as well do it.
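To make the limitation above concrete, here is an added example (not code from the original post or from any plugin) that replays a constructed log of login attempts through a small sliding-window limiter. Counting failures per source IP alone lets an attacker who changes source address after every failure through; counting per username as well catches that, which is what the second replay shows. The log format, addresses and usernames are made up for this demo.

```python
from collections import defaultdict, deque

MAX_FAILS = 3   # failed attempts allowed before the source is blocked
WINDOW = 600    # seconds over which failures are counted

# Constructed sample log lines: "<unix time> <source ip> <username> <ok|fail>"
SAMPLE_LOG = """\
1381300000 198.51.100.7 admin fail
1381300002 198.51.100.7 admin fail
1381300004 198.51.100.7 admin fail
1381300006 198.51.100.7 admin fail
1381300020 203.0.113.1 editor fail
1381300021 203.0.113.2 editor fail
1381300022 203.0.113.3 editor fail
1381300023 203.0.113.4 editor fail
1381300100 192.0.2.9 author ok
"""

class LoginLimiter:
    # Sliding-window failure counter keyed by source IP and, optionally, by username.
    def __init__(self, per_user, max_fails=MAX_FAILS, window=WINDOW):
        self.per_user, self.max_fails, self.window = per_user, max_fails, window
        self.fails = defaultdict(deque)  # key -> timestamps of recent failures

    def _keys(self, ip, user):
        return [("ip", ip)] + ([("user", user)] if self.per_user else [])

    def _recent(self, key, now):
        q = self.fails[key]
        while q and now - q[0] > self.window:  # forget failures older than the window
            q.popleft()
        return len(q)

    def is_blocked(self, ip, user, now):
        return any(self._recent(k, now) >= self.max_fails for k in self._keys(ip, user))

    def record_failure(self, ip, user, now):
        for k in self._keys(ip, user):
            self.fails[k].append(now)

def replay(log_text, per_user):
    """Replay the log; return the (ip, user) pairs whose attempts were refused."""
    limiter, refused = LoginLimiter(per_user), []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        now = int(ts)
        if limiter.is_blocked(ip, user, now):
            refused.append((ip, user))     # refused before the password is even checked
        elif result == "fail":
            limiter.record_failure(ip, user, now)
    return refused
```

With `per_user=False` only the fourth attempt from 198.51.100.7 is refused and the rotating 203.0.113.x attempts all get through; with `per_user=True` the fourth attempt against "editor" is refused too. Counting per username lets an attacker lock out a real user by design, so a lockout keyed that way should be short rather than permanent.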

There are a number of other advanced measures you can take to protect your login page that include server access settings and configurations. You can start learning about these options by visiting WordPress Brute Force Attacks.

What about changing the "admin" username?


Popular security advice for WordPress is not using "admin" as a username. This may cause a few automated attacks to move on, but only because an attacker chooses not to find your username. It's quite easy to get the usernames of a WordPress site. It's much more important to have a long password.

Don't Login To Your Site on Public Wifi



Unless you're using SSL on your WordPress site or a protected connection, avoid logging into your site on public networks such as free airport or coffee shop Wifi. These networks, or the people on them, can log the communication between your computer and site and retrieve your username and password.

Apply WordPress Updates


I usually pick up a few new clients each month and I'm always amazed when I log in to their sites and find they are behind on WordPress updates. When confronting one site owner about not applying updates, she told me about a blog post from an "expert" who said it's better to wait a week or two to apply an update because it may not be stable and might cause problems. This is not the best advice.

It's important to stay on top of WordPress updates as most are security fixes that address the latest exploits. Most of the time the hackers know the WordPress team will fix the vulnerability quickly so they count on the thousands of people who are slow to update their sites. It's a race against time and each day you go without updating increases the chance your site may get hit.

It's easy to apply an update and only takes a few seconds. When you see the update notification, just click the update button and the package will download and be installed.

When you see the notification of a new update you can run a backup first and then apply the update. If the update causes a problem with your site, just restore it with the backup you just made.

Minor versions of WordPress, like 3.6.1 or 3.6.2 for example, are commonly security and bug fixes. These versions usually don't introduce new features or deprecate old features that might "break" anything on your site. Major versions, like 3.6, are more likely to cause a problem (if any) because of themes or plugin compatibility.

In a perfect world, you'd have a staging (or test) copy of your site running on the same server where you can test updates to make sure there won't be problems with your site. I know most of you reading this don't have a staging copy of your site, so your best strategy is to always back up before applying an update.

To make the backup strategy work, you need to be confident in restoring your site. Use a tool like BackupBuddy and practice backing up and restoring sites. This exercise will also reveal if your web host has any issues with BackupBuddy.

Remove Plugins


Plugins are one of the most common ways sites are hacked. Delete all unused plugins from your site. Reevaluate the plugins you are using: do you really need them? Can they be replaced by something outside of WordPress?

For example, many people use the popular Contact Form 7 plugin to place an email form on their contact page. Why have a plugin that's used on only one page and probably used a couple times a week? Especially considering that it loads scripts on all your other web pages where it's not used and it might be vulnerable to new exploits and has to be updated periodically. Is it worth the overhead when there are alternatives? If you need a contact form you can use something like Google Docs to embed a form on your site without using a plugin.

Instead of using plugins that post your articles to Facebook and Twitter, you can have the same functionality without plugins by using your RSS feeds with services like Dlvr.it and Twitterfeed.

Take a look at your plugins and only keep ones that are critical to your business. Removing plugins will not only make your site more secure, but it will probably run faster.

Just like WordPress updates, make sure you stay on top of plugin updates.

Avoid plugins that have bad ratings or have not been updated in months. This shows a lack of support. If a vulnerability is ever discovered in the plugin, it may not be addressed right away by the developer.

Learn How to Backup and Restore Your Site


This recommendation doesn't help prevent an attack, but it is essential for recovering from one. And since we know that 100% protection cannot be achieved, it's crucial that you follow this suggestion.

Note I didn't say regularly backup your site. You should regularly backup your site, but backups are worthless unless you know how to restore your site.

Practice backing up and restoring your site until you feel comfortable with the process. Then begin backing up your site regularly, with a frequency that depends on how much content you publish.

If you don't know where to start when it comes to WordPress backups, a tool I recommend that's both reliable and easy to use is the BackupBuddy plugin.

Resources


As I said at the beginning, there are many more security measures you can take but these can be done right now. For more information about WordPress security, please see these resources:
