As the most popular web publishing platform on the internet (by a large margin), WordPress is a prime target for hackers and spammers. WordPress is known for being one of the most user-friendly website platforms available, but out of the box it is vulnerable to attack.
According to WP White Security, more than 70% of WordPress installations are vulnerable to hacker attacks, and the total number of hacked WordPress websites runs into the hundreds of thousands.
To stop your website from being one of the vulnerable ones, I have a number of processes in place to make sure it is as secure as possible.
- Your website is monitored for any suspicious activity.
- Unique salt keys are added and the database table prefix is changed from the default wp_.
- WordPress is always updated to the latest version (every release addresses security holes).
- Your WordPress themes and plugins are kept up to date as well.
- I never use free WordPress themes from unknown sources, as they may contain malicious code.
- WordPress file and directory permissions are set correctly.
- .htaccess rules are used to harden WordPress.
- Strong passwords are always used.
- Well-known brute-force attackers are blocked using a continually updated IP blacklist.
- Login attempts are monitored and limited to a few attempts.
- The i4design server firewall is always running and continuously blocks attacks.
Brute Force Attacks
Brute force – password guessing – attacks are very common against websites. The process is simple: the attacker tries combinations of usernames and passwords until one works. Most attacks rely on a dictionary of the most commonly used usernames and passwords and try all of them; they also add words related to the website's domain and content to increase their success rate. Once in, they can compromise the website with malware, spam, phishing or anything else they want.
Because many brute force attacks work from a list of dictionary words, the primary goal is a password that isn’t easily guessable.
Another common type of attack – DDoS – cannot put your account in danger or steal any information. Its sole purpose is to prevent your website from functioning properly by overloading the server with millions of requests.
- Your website has anti-brute-force software installed to block known offenders.
- Your website is also scanned regularly for common issues and hidden malware.
- The i4design server is set up with a strong firewall.
- Server resources are monitored.
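One way to put the "login attempts are monitored" point into practice is to read the web server's access log for repeated failed logins. The script below is an added example, not i4design's tooling; the log lines are constructed, and the WordPress behaviour it relies on is that a failed login re-renders wp-login.php with HTTP 200 while a successful one redirects with 302.

```python
"""Flag client IPs hammering wp-login.php from web server access logs.
Added example, not i4design's tooling; log lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed lines in combined log format (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2024:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def failed_logins(lines):
    """Collect timestamps of failed logins per IP: WordPress answers a bad password
    with HTTP 200 (form re-rendered) and a good one with a 302 redirect."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, when, method, path, status = rec
        if method == "POST" and path.split("?")[0] == "/wp-login.php" and status == 200:
            failures[ip].append(when)
    return failures

def brute_force_suspects(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: peak failures} for IPs with >= threshold failures inside any window."""
    suspects = {}
    for ip, times in failed_logins(lines).items():
        times.sort()
        start = 0  # left edge of the sliding window
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                suspects[ip] = max(suspects.get(ip, 0), count)
    return suspects
```

The IPs this returns are candidates for the rate limiting or blacklist described above; the successful login from the second address is not counted.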
A recent survey by Wordfence shows that plugins are your biggest risk.
How I avoid plugin vulnerabilities on your site:
Plugins are kept updated to the latest version
Reputable plugin authors fix vulnerabilities very quickly once they are discovered. By keeping plugins up to date I ensure that you benefit from fixes before attackers can exploit the flaws.
I don’t use abandoned plugins
If a plugin developer is no longer providing updates, it is likely that there are vulnerabilities that have not been fixed. I avoid plugins that have not been updated in over 6 months, particularly if the developer is not well known.
I only download plugins from reputable sites
If I download plugins somewhere other than the official WordPress repository, I make sure the website I download a plugin from is reputable.
Your website can never be 100% secure. Hackers are always trying new things and discovering new vulnerabilities to exploit. The online world changes quickly and the same is true of security. Good security is about minimising risk. If anybody tries to sell you a 100% secure solution, they’re scamming you. You’ll never be completely safe, but there’s a lot that can be done to minimise the risk.
Some people like to say that WordPress isn’t secure. That’s not necessarily true – it depends on how WordPress is set up and used. If the WordPress core files, themes and plugins are not updated, or the site is not built using best practices, then no, it’s not secure. Many security issues have little to do with WordPress and more to do with server vulnerabilities, cross-contamination and poor passwords. There are three phases to security: protection, detection and restoration.
First and foremost, your website needs to be locked down to keep it safe. Anti-virus, brute-force protection and other security plugins are installed to protect your site from a variety of assaults.
No matter how good the protection is, the bad guys might find a way to hurt your website – and it won’t always be obvious that your site has been hacked. Sometimes they’re sneaky, and bots will plant hidden code in your site. Because of this, your website’s files are monitored to detect any unexpected changes.
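The file monitoring described above comes down to a stored baseline of file hashes compared against a fresh scan. The script below is an added example, not i4design's monitoring tool; it builds a small constructed WordPress-like tree in a temporary directory, takes a baseline, then simulates a dropped file and an edited theme file and reports the difference.

```python
"""Baseline-and-compare file integrity check for a WordPress install.
Added example, not i4design's monitoring tool; the sample tree is constructed."""
import hashlib
import os
import tempfile

def build_manifest(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = h.hexdigest()
    return manifest

def compare(baseline, current):
    """Classify differences between a stored baseline and a fresh manifest."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "modified": modified, "removed": removed}

def demo():
    """Constructed scenario: clean install, then a dropped file and an edited theme file."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "wp-content", "themes", "mytheme")
        os.makedirs(theme)
        with open(os.path.join(theme, "functions.php"), "w") as f:
            f.write("<?php // theme code\n")
        with open(os.path.join(root, "index.php"), "w") as f:
            f.write("<?php // WordPress bootstrap\n")
        baseline = build_manifest(root)  # in practice, stored after a known-good deploy
        # Simulate what a compromise leaves behind: an unexpected file and an altered one.
        with open(os.path.join(root, "wp-content", "unexpected.php"), "w") as f:
            f.write("<?php // not part of the install\n")
        with open(os.path.join(theme, "functions.php"), "a") as f:
            f.write("// appended by someone else\n")
        return compare(baseline, build_manifest(root))
```

Any entry under "added" or "modified" that does not correspond to an update you performed is the signal to investigate and, if needed, restore from backup.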
The best protection and detection strategies can still be foiled and that’s why I make sure a good backup plan is in place so that your website can be restored if the worst does happen.