Celtic Haxor - hacking computer Wordpress security laptop DJ

How to secure WordPress

Horrified by the number of login attempts my WordPress sites get (something in the region of 1-5 a day, sometimes more – and this is after each one has been blocked), I tweeted today about locking down your WordPress. I’ve already had a few responses confirming that they too get this deluge of hackery, some of it trying to be quite clever, or at least not just some random bot. So at the risk of putting my head above the parapet, I thought I’d list the things you should do if you have a WordPress site – or any site really.

(Obviously here I am talking about self-hosted WordPress, WordPress.com is a different kettle of aquatics – and is mass protected by WordPress itself).

  1. Don’t rely on just a strong password – although setting one is a good idea. Everyone probably knows the one about special characters and numbers, but in fact using spaces and long passphrases is just as effective, as brute force usually has to work character by character and usually assumes people won’t use spaces. But obviously non-dictionary words are even better, if you can remember them.
  2. Disable or rename the default ‘admin’ user – most of the attacks this and my other sites get are trying to log in via this name. Weirdly, and rather badly, WordPress doesn’t let you edit the default admin user name out of the box, but a plugin called Edit Author Slug will. Be careful if you delete users: it will ask whether you want to assign the posts to another user, so don’t mess that up if you are creating a new user. It might be safer just to edit the slug and display name.
  3. Don’t use a display name that is the same as or similar to your user name. It might seem obvious, but WordPress is rather good at ‘revealing’ what your display name or author slugs are, and some hackers or bots use this, or try to guess them from your posts. Best to use a different and unconnected display name versus your user name – and make your username something you’ve never posted about or mentioned, and a word you’d not find in a dictionary, or a proper name (I’m guessing that proper-name attacks are also common, since compiling a dictionary of common proper names is trivial).
  4. Install Wordfence. It’s really good. In particular, take part in their security network and accept their emails, as they send out good warnings about plugins with vulnerabilities or attacks that are going around. Set the maximum logins and login lockout to 20 or less – I think 20 is the default. By default WordPress will quite happily let someone hammer a site day and night without limit, which obviously makes it easy to run a brute force program to guess your password or username. Also tick ‘Immediately lock out invalid usernames’ – this is why you did step 2 above: someone hacking around looking for ‘admin’ immediately gets the naughty step. Talking of which, set ‘Amount of time a user is locked out’ to at least an hour – I have much more, but then again I don’t forget my passwords! – and ‘Count failures over what time period’ to at least a few hours, preferably more. I’ve seen the same attack IP come back about 24 hours later.
  5. If for some insane or technical reason you can’t/won’t install Wordfence, then use Login Lockdown, which limits the number of login attempts – basic 101. But you’ll be missing all the blocking goodness, and the joy of trapping these little epenis cockroaches and squishing them.
  6. Spam isn’t really security, but I’d guess that a spam-covered blog would also be a target for bots and hackers, as it’s a visual indication that the owner isn’t watching or securing their blog well. I’d recommend at the very least the standard Akismet plugin with a WordPress API key, and some form of CAPTCHA or G.A.S.P.-type plugin. There are some good anti-spam/crawler/attack-bot plugins too; these can be great, or sometimes ineffective, or too effective, locking you and everyone else out. It’s up to you, but before you start installing ANY security plugin (including Wordfence above), make a backup of your site and get access to your plugins folder via FTP, ready to rename the folder… that’s how you mass-disable all the plugins remotely! Old skool, yes.
  7. If you have access to the server itself and can install software, I recommend installing Fail2Ban or DenyHosts; they do a similar job to Login Lockdown, blocking those who try SSH/shell and other logins and get X number wrong. Now, you have to be careful here, as obviously you can block yourself from your own server! Always whitelist your main IP or the block of IPs your ISP uses, and set a high enough number of retries just in case – check the manual or websites on how to do this. And always remember: if you leave a shell session logged in and then put the computer to sleep, and it wakes for some reason, say Time Machine, this can lead to false login retries and thus being blocked – at least it did with me! Be careful with that.
    Another method is to deny any password-based login for SSH/shell and use a private key… that’s beyond the scope of this article, but if you only log in to your server from one machine this is the way to go.
  8. Always keep your WordPress install, plugins and server software up to date. Holes are regularly patched, but quite often those who get hacked are using old software or old plugins. From version 3.8 WordPress updates itself for security releases, which is a great step in the right direction, but plugins can carry just as much risk, so they need to be kept up to date too. Regular logins to your server to run ‘apt-get update’ then ‘apt-get upgrade’, or the equivalent for your system, are a really good idea, especially with the recent scandal over the TLS encryption hole on many versions of Linux – the updates patching this arrived within a day or so for my distribution, but I bet many people haven’t updated theirs. I suspect this and the recent holes in Apple iOS/OS X were probably how the NSA were gaining access to those machines and bragging about being able to spy on everyone… certainly scary that some of these security holes have been there since 2005, or 2012. Don’t make it easy to be spied on!
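
To make the lockout settings in items 2, 4, 5 and 7 concrete, here is a small model of the policy those tools apply, written as an added example for this post. It is not code from Wordfence, Login Lockdown or Fail2Ban; it replays a constructed log (the IPs are documentation ranges, the format is invented) through a per-IP failure counter with a sliding window, a lockout period, immediate lockout for usernames that don’t exist, and a whitelist so your own address can never be locked. The thresholds are deliberately smaller than Wordfence’s default of 20 so the effect shows up in a dozen lines.

```python
"""Login-lockout policy replayed over constructed log lines.
Added example; not the code of any plugin or of Fail2Ban."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): "<date> <time> <client ip> <username> <OK|FAIL>".
SAMPLE_LOG = """\
2014-04-10 02:00:01 203.0.113.7 admin FAIL
2014-04-10 02:00:05 203.0.113.7 admin FAIL
2014-04-10 02:05:00 198.51.100.9 editor FAIL
2014-04-10 02:06:00 198.51.100.9 editor FAIL
2014-04-10 02:07:00 198.51.100.9 editor FAIL
2014-04-10 02:08:00 198.51.100.9 editor FAIL
2014-04-10 02:09:00 198.51.100.9 editor OK
2014-04-10 08:00:00 192.0.2.50 editor FAIL
2014-04-10 08:00:02 192.0.2.50 editor FAIL
2014-04-10 08:00:04 192.0.2.50 editor FAIL
2014-04-10 20:00:00 192.0.2.50 editor FAIL
2014-04-10 21:00:00 10.0.0.5 editor FAIL
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (OK|FAIL)$")


class LockoutPolicy:
    """Per-IP failure counting with a sliding window, a lockout period,
    immediate lockout for unknown usernames, and a whitelist of your own IPs."""

    def __init__(self, valid_users, max_failures=4, window=timedelta(hours=4),
                 lockout=timedelta(hours=1), whitelist=(), lock_invalid_users=True):
        self.valid_users = set(valid_users)
        self.max_failures = max_failures        # 'maximum login failures'
        self.window = window                    # 'count failures over what time period'
        self.lockout = lockout                  # 'amount of time a user is locked out'
        self.whitelist = set(whitelist)         # never lock yourself out (item 7)
        self.lock_invalid_users = lock_invalid_users  # 'immediately lock out invalid usernames'
        self.failures = defaultdict(list)       # ip -> timestamps of recent failures
        self.locked_until = {}                  # ip -> datetime the lock expires

    def decide(self, ts, ip, user, success):
        """Return the action taken for one login attempt."""
        if ip in self.whitelist:
            return "ignored-whitelist"
        if ip in self.locked_until and ts < self.locked_until[ip]:
            return "blocked"                    # refused even if the password is right
        if success:
            self.failures[ip].clear()           # a real login resets the counter
            return "allowed"
        if self.lock_invalid_users and user not in self.valid_users:
            self.locked_until[ip] = ts + self.lockout   # e.g. probing for 'admin'
            return "locked-invalid-user"
        recent = [t for t in self.failures[ip] if ts - t <= self.window] + [ts]
        if len(recent) >= self.max_failures:
            self.failures[ip].clear()
            self.locked_until[ip] = ts + self.lockout
            return "locked-too-many-failures"
        self.failures[ip] = recent
        return "failed"


def replay(log_text, policy):
    """Feed each log line through the policy; returns (ip, user, action) per line."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                            # skip malformed lines rather than crash
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip, user, ok = m.group(2), m.group(3), m.group(4) == "OK"
        out.append((ip, user, policy.decide(ts, ip, user, ok)))
    return out


def lockouts_by_ip(decisions):
    """Count how often each IP was locked out or turned away while locked."""
    counts = defaultdict(int)
    for ip, _user, action in decisions:
        if action.startswith("locked") or action == "blocked":
            counts[ip] += 1
    return dict(counts)


def run_sample(window_hours=4):
    """Replay SAMPLE_LOG with the only real account 'editor' and 10.0.0.5 whitelisted."""
    policy = LockoutPolicy(valid_users={"editor"}, whitelist={"10.0.0.5"},
                           window=timedelta(hours=window_hours))
    return replay(SAMPLE_LOG, policy)


if __name__ == "__main__":
    for ip, user, action in run_sample(4):
        print(f"{ip:14} {user:8} {action}")
    print("4h window:", lockouts_by_ip(run_sample(4)))
    print("24h window:", lockouts_by_ip(run_sample(24)))
```

Two things in the replay are worth noticing. 198.51.100.9 gets the password right on the fifth try but is still turned away, because it is inside its lockout period. 192.0.2.50 fails three times in the morning and once more twelve hours later: with a four-hour failure window the morning failures have aged out and the evening one counts as a fresh first failure, while with a 24-hour window it is the fourth and triggers the lockout. That is exactly why the post says to set ‘Count failures over what time period’ to hours rather than minutes.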
