Play

7-steps-to-website-security-and-wordpressToday, I want to cover a topic that I should have covered a long time ago, because this is actually one of the more important steps to take when starting a website.

Global WordPress Security Attacks
As some of you may know, about 2 weeks ago there was a global WordPress attack (or attacks) where a hacker group used a method called a “Brute-force attack”, to compromise a huge amount of websites and servers around the globe.

Basically, what this means is they broke into people’s WordPress websites by systematically guessing people’s login and password through an exhaustive key search. It’s as if someone was repeatedly trying to guess your login for your WordPress, only instead of taking 5 seconds per attempt, they could do 1,000 attempts in a second.

These types of security breaches are very common, and the people these hackers are trying to target, are those who have weak login names and passwords. Usually, people who leave their login name as the default “Admin” and have weak passwords like “password”.
One of my first passwords, that I don’t use anymore, was “123456789“. Which is terrible, and I don’t use it anymore!
Here, let’s discuss the basics of securing your WordPress website, and why it’s important. But for more info on this attack and for those wanting to read the details, visit BackUp Buddy’s blog post about the WordPress Attack.

Website Security and WordPress

Ever since the beginning of the internet, website security has been an ongoing topic amongst us web developers as well as us consumers. Yet some of us still avoid website security, thinking it won’t happen to us. I remember asking one of my clients about adding extra features to secure his WordPress blog, and he told me that nobody would want to hack into his website because it was just a personal blog. But everyone can be a target, and you don’t have to be a huge corporation to be on the radar of some hack group or even one individual savvy “hacker”. Your website can be turned into a drone that helps carry out SPAM and even harm other websites and computers. They (hackers) don’t care what type of website you have. As long as they can find a vulnerable spot in one of your websites, your whole web hosting server can be infected.

What this means is, if your website is on a shared server, you can get compromised if someone else does. That’s one of the main reasons why they say you should switch to a dedicated server, and you can do this through your web shell or admin section of your web hosting provider. For me, I recommend IX Webhosting, and if you want to use my affiliate link, I will make sure to help you as much as I can, if you ever have any issues. I’ll link this up in the blog.

In general, you don’t have to live in fear that your website is going to get hacked, but you do want to prepare for the worst. How crappy would it be to spend a few weeks, months, or even a few years on your blog or portfolio site, only to find it gone one day? The best scenario is you lose a few hours of your time spent trying to get it back through your Web Hosting Service (they usually have some sort of back up service, although this is not something you should rely on). But the worst case is you lose traffic, readers, time and even thousands of dollars in revenue.

A few weeks ago, my buddy Pat Flynn (I’m not sure that he even knows that I call him buddy), from the Smart Passive Income Blog got hacked into and his whole server was compromised. The key thing I want to emphasize to you is that one of his websites got hacked into, which compromised all of his websites that were on the same hosting server, which in turn shut down all of his websites. Every minute his website is down, is revenue down the drain because without a website, there’s no traffic. And without traffic, there’s no money. He lost about $12,000 in that time period, which is huge.

How are WordPress Websites Compromised?

WordPress blogs can be compromised for many different reasons:

  1. Outdated plugins, themes and other files
    Outdated files are traceable and hackers can easily manipulate a plugin’s code by knowing it’s security flaws. Not too long ago, one of my plugins asked me to update because it found that hackers were using a security flaw to compromise only a portion of it’s users, but it already patched that flaw up.
  2. Weak passwords

    Passwords that are easily guessed are easy targets for hackers. Most people choose simple passwords so that they can remember them, and some even “think” that their password is hard to break, when in fact it’s pretty easy. Hackers can search for your password by going through a huge library of dictionary words and combinations, all within seconds.
  3. Your Web Hosting Server is hacked

    If your website is on a shared server, or you have multiple websites within your hosting plan, you could get compromised indirectly. If one of the websites on that server is hacked, all of the websites can be hacked. This usually happens if there’s a security flaw by the host itself, or if one website gets hacked into. You should definitely contact your web hosting service if this ever happens to you.
  4. Know of more ways? Let me know!

Mistakes that people make regarding Security

http://www.problogger.net/archives/2012/08/29/top-10-wordpress-security-myths/

  • 
WordPress is not secure.
  • Nobody wants to hack my blog.
  • 
My WordPress site is 100% secure.
  • I only use themes and plugins from wordpress.org so they are secure.
  • Updating WordPress whenever I log in is cool.
  • Once my WordPress site is setup my job is finished.
  • I’ll just install xyz plugin and that’ll take care of security for me.
  • 
If I disable a plugin or theme, there is no risk.
  • If my site is compromised I will quickly find out.
  • My password is good enough.

What to Do to Protect from being Hacked?

First of all, I want to say that no matter what someone says, no website is hacker-proof. Trust me, if that were the case, then I wouldn’t be talking about this right now. Even high profile companies get hacked such as Facebook and even Government websites. So what’s our take away from this? Prepare for the worst, and if something happens, have a backup of your WordPress website! I’ll talk about this more.
Now the following tips and instructions I’m going to talk about should be straight forward and easy to understand. You don’t need to know how to code, or do anything other then install things and configure them. If any of these seem too hard, you can let me know by leaving a comment below. But first, here’s some basics:

  • UPDATE: 5/7/2013
    I just set up a new WordPress website and decided to experiment with Better WP Security, and I have to say, this plugin seems to do a lot (if not all) of these steps! I still need to spend some time with this plugin, but right now, I am impressed. Try Better WP Security, especially if you’re just setting up a new blog today.This plugin does not backup your whole WordPress install though, so I still suggest Backup Buddy.
  • UPDATE: 5/23/2013 (Check this out)
    So I’ve came to the conclusion that Bettr WP Security is not for me. Although it’s an all-in-one solution to securing your WordPress website, I was having trouble with the plugin due to my settings.

    First of all, I got locked out of my own site because I accessed a 404 error page too man times. It was frustrating, and eventually I was able to log back in after 20 minutes or so. I couldn’t find a way to prevent this, and since I was worried about one of my visitors getting kicked out of my site by accessing one too many 404 pages, I decided to disable the login limit function of Better WP Security.

    Secondly, some of my images weren’t showing up due to another setting I had. I tried different things including disabling some permission statements in the setting, however I had no luck.

    Eventually, I scrapped Better WP Security, and went back to the following 7 steps:

  • Step 1) Keep your WordPress up-to-date, as well as all of your WordPress plugins and themes up-to-date

    Always update your WordPress website, even if you think you don’t need to. It’s fast and easy, and all you need to do is click a few buttons. If you don’t update your WordPress, hackers will have an easy roadmap to go by, because the reason WordPress updates their core files is to patch up and strengthen any security flaws that they know of, at the time.For the same reasons, you want to keep your plugins updated to minimize hackers from getting in through security flaws. It’s like a neighbor telling you to change the type of locks on your doors because someone already broke into his home with that type of lock. If you don’t listen to him, you’re taking a risk and already know the security flaw of your house.
  • Step 2) Have a strong password
    Make sure your password is strong, and not a dictionary word. On Facebook, Eric Boggs writes in a tip: Use a phrase for your password, but change most of the characters into numbers, capital letters and other punctuation. Your password will be harder to crack, but still easy to remember.I couldn’t agree more in that we need to have complex passwords that are memorable. For instance, change all of your “o’s” into 0’s and “i’s” into 1’s, and so forth. Even throw in some random capital letters in there.Once you have a complex password, test it’s strength by going to http://www.passwordmeter.com/One trick I like to use is after I come up with a complex password, I triple it up by typing that password 2 more times. For example, if my password was 8po019bal1, I would type it 3 times (8po019bal18po019bal18po019bal1). But this may be a little extreme for some, but this is just what I do sometimes.
  • Step 3) Increase the security of your login sectionYou can take some measures to protect your login a little more. I recommend doing two things, limiting the amount of times someone or something tries to log in, and also whitelisting your IP Address when logging in.Limit Login Attempts or Login LockDown

    Limits the amount of times someone can retry a failed login attempt. After a specified amount of tries, it will lock that person out for a few minutes or so, and you can control all these settings through these plugins.WP Login Security 2

    WP Login Security 2 allows each user to maintain a whitelist of IP addresses allowed to login to the site.
I logged in to my website from my iPhone and it sent me an email where I had to verify that it was in fact me. From there I just clicked a link it sent me to “whitelist” my iPhone’s IP Address. So from now on I can log in with my iPhone. This is just extra security and peace of mind.I do want to mention that this may not be for everyone, because it is an inconvenience in the beginning. If you travel a lot, your IP Address will keep changing, and you’ll need to verify and add each IP address as you go. It’s up to you, and for me it’s easy because all I have to do is look into my email and click the link to verify it.
  • Step 4) Back everything up!This is something I didn’t do before on a regular basis, but after starting this blog I realized how sad it would be to lose anything that I’ve done. There’s a few FREE plugins that will allow you to save your database and even your complete WordPress website, but I chose Backup Buddy, a Premium plugin that costs around $75. I actually got it for around $50 or so because if you sign-up for their E-Newsletter you get a 20% or 25% discount!Backup Buddy (Premium WordPress Backup plugin)

    • easy to use
    • able to backup to dropbox(2GB) and Backup Buddy Stash (512mb)
    • schedule daily and weekly backups (daily database, weekly full backups)
    • Also includes malware scanning

    backwpup

    This backs up and saves your whole installation of WordPress, either on your own server, email, or an external place. It allows you to restore your whole installation if you need to. For a Freemium plugin, I recommend this.

  • Step 5) Scan your WordPress website for any bad stuffOnce you have a backup, now you can mess around and start doing things without the feeling of losing everything or reaching something. You want to download a plugin called Securi.Sucuri

    Scan your site for malware using Sucuri SiteCheck right in your WordPress dashboard.
I did a quick scan of my website and it detected no malware, malicious javascript, malicious redirections or modifications to the htaccess file, Blackhat SPAM. It also let me know that my site was not on any black-list and even gave me links to all the tests that were done. ALl in a minute or two.After backing up, I hardened the following:
    – Protect uploads directory
    – Restrict Wp-Content access
    – Restrict Wp-Includes access”Hardening basically means adding extra precautions and actions to increase the defensiveness of something. For instance, when hardening your content, it will make sure you can’t access that folder by itself just by going to it through it’s URL, amongst other things”
    Also checks:
    – WordPress is up-to-date
    – Your WordPress Version is hidden
    – Latest version of PHP installed
  • Step 6) Monitor your websiteOnce you’ve scanned and made sure your WordPress website isn’t compromised, now you should start monitoring it. Just like your house, you want to put up some security cams to makes sure nobody is entering or breaking into your website and adding malicious software or SPAM.WordPress File Monitor Plus

    This will monitor your WordPress website and alert you of any file changes or file additions.Now, if you guys have any questions about these plugins that I’m recommending, please let me know. Some plugins may not be as straight forward as the rest, and you may need to do a quick Google search if you’re not sure what a setting does, or what settings to choose. I know for WordPress File Monitor Plus, I had to read someone’s blog post on what to do (even though most of you will already know!)
  • Step 7) Do these same steps for all your other WordPress websitesTo safeguard your hosting server (and any websites in your hosting server), do these same steps. The reason is that if one of your other WordPress websites gets hacked, your website could get compromised as well. Or if you’re not using the WordPress website or it was just for testing, just delete them. There’s no need to have an old WordPress install that hackers could easily break into because you aren’t updating it.

Other Security Measures

If you want to get more extreme in protecting your website, you can also use SSL to protect your admin section. What I mean is using a SSL certificate and you would only be allowed to log in to your admin section through a secured network (https instead of just http). I’ve probably dropped the ball on explaining this, so if you’re to the point where you want to do this, you should research it as well as contact your web hosting service.

Today though, I just want to cover the basics an some other easy steps to protecting your WorPress website.

What to do if your WordPress gets hacked?

First of all, hopefully this never happens to you, especially if you follow these 7 steps to securing your WordPress website. But again, anyone can get hacked, and at the end of the day we only know how to protect ourselves from this point, and if some hacker figures out another way, we’re vulnerable until after it happens!
But in case you feel like you’ve been hacked, at least you have a backup ready, right? You can always restore your website and with Backup buddy it’s as simple as a couple steps. If you’re using a free backup plugin, you may need to get some help restoring your website.
Google has a full website dedicated to helping those who get hacked:
Help:
http://www.google.com/webmasters/hacked/