Running several WordPress sites, especially ones that gather a lot of welcome and unwelcome visitors, is a crash course in security. I’ve been using WordPress since version 1.2, where hacks were much more common, and thankfully have only been hacked once *touch wood*, back in the 1.5 days. For those not part of the WordPress ecology, it’s currently at 3.9.1 and version 4 is just around the corner, so it was a LONG time ago! This isn’t a security blog, but if you run WordPress you need to lock it down. I think a lot of people live in a sort of denial bubble until it happens to them, like taking backups – but then it’s far too late.
So I’ve gathered a lot of tips and tricks about how you can reduce or stop the deluge of spam and hacking attempts, quite simple and plugin based so those who self-host their blogs should be all able to do most of these. Some require some access to the server, and some require administration rights to install software. But everyone should be able to do something (apart from WordPress.com hosted blocks – although I suspect you still can install some of these plugins?).
My site ran a lot faster when I blocked many of the hack attempts and spammers – a lot of bots can bring down a low-end server, a kind of botty DDOS, with repeated access attempts. I show you here how you can limit, restrict or block that.
There is a theme to all of these – that although WordPress has been security hardened by the many attacks over the years and is a good stable platform – it could do a lot better with default functionality to secure the blog as a whole. It seems to live in an older genteel more idealistic age, an age without bot-farms and cyber terrorism. It’s a shame you have to do so much work to patch these holes – Why oh why oh why oh why Automattic can’t we have GeoIP, login lockdown and an easy way to change/select less guessable login names as standard?
Putting up a Wordfence
My first line of defence is the Wordfence plugin. I’ve tried many ‘firewall’ and WP security plugins, but they usually fall along the wayside as the developers lose interest and the nasties swarm in – but currently this plugin is updated regularly and checks your install a bit like the elderly Exploit Scanner does, but with steroids – sometimes it complains about some txt file being slightly different, but if you have been hacked this is minor to the stress of working out which of the 1,000s of files has some evil code in it. It also locks down multiple login attempts, like Login Lockdown – in fact it seems to work happily in consort with that, although for safety’s sake you might want to choose one unless they interact somehow in the future and ban you!
As a default not only does WordPress have an easily findable login panel, and gives you a default admin name of ‘admin’ on installation *facepalm* it also allows people to try as many login attempts as they like. 10, 1,000 or 10,0000 – all trying to find out your login and password. This Is A Bad Thing. I didn’t realise til I installed Wordfence how many attempts were happening on my blog, there were a lot. Even with certain countries and evil IP ranges blocked, I still sometimes get 1-10 attempts slip through, before Wordfence all of these went unnoticed and unblocked.
You can setup Wordfence to block these attempts after X amount of tries, even limit or block humans, crawlers and bots taking up too much bandwidth, like with a download script or scraping. Wordfence will alert you about the login attempts – very useful as you can check the IP with something like DomainTools and get the country and IP range, very useful for persistent attackers, and then block the range with Wordfence’s Advanced Blocking.
I recommend if you see Russian or Hostkey registered domains or FirstVDS/FVDS appearing, block immediately and ask questions after. Some ISPs and VPS hosts are either corrupt hacker/bot farms or don’t care about their security, so leave their abuse@ alone and just block their arses. Yes I have tried writing to them. No, unlike some of the UK/US hosts, it did precisely nothing. Currently OVH seems to be doing a similar head/sand interface, as well as some old time faves.
It will also inform you about updates to plugins – which is not only useful, it’s a security measure as many times hacking exploits are using out of date plugins to gain access. This is why plugins should be kept up-to-date, you should only use plugins that are kept up to date regularly and that you trust – best installed from the official WordPress Plugins site.
Also the newsletter is well worth subscribing to, as it will let you know of mass hacking attempts that are going around, plugin issues, security news, solutions etc.
Edit Those Slugs
Another simple thing to stop the hackers is to make sure what is called your author slug (what appears in the URL), ‘nice name’ (what appears on the blog) and login do not match. WordPress crazily defaults to them all being the same i.e. ‘admin’ login will be shown on posts as ‘admin’ unless you edit them with a plugin, or in the database. The Edit Author Slug plugin is far easier, although annoyingly you can’t change your login name with it as well – which if it’s ‘admin’ is HIGHLY recommended as that’s the first thing the hackers try.
There are two ways of also changing your login name – one that involves database voodoo, another involving creating another admin user then assigning all the old posts to the new one. They both sound more scary than they actually are, especially for me the last one but it’s fine as long as you DON’T forget the last step, that would be messy to fix if like me you have thousands of posts. As with anything like this – backup the database FIRST!
So make the author slug (e.g. /archives/derek) and the ‘nice name’ (e.g. Posted by Derek B) completely different and unrelated to your login. Then change the login something that isn’t obvious, preferably a word or words not in the dictionary. This means you can set Wordfence to automatically IP block any attempt to login with anything else.
Another good idea to click the option in Wordfence to stop the bots trying to find author/user names, which WordPress will happily reveal unless stopped. Yes it’s that dumb.
Also probably not a good thing to allow user registrations on your blog, spammers will try to register realising that many antispam plugins are bypassed with registered users. Turn it off. I’ve had one user account hacked also, so any extra users also make sure they can’t easily be guessed or found and have secure passwords. Wordfence has an alert to let you know that non-admin users have logged in, if you have those turn that feature on, as it saved me a possible hack attempt that time, and it could you.
Country Block It Like It’s Hot
When you look at your logs, your Wordfence blocks and emails you will start to see the same countries again and again – China, Russia, Ukraine, various Eastern European countries. This is because a large part of the world’s spam and hacking comes via those countries. In fact, if you’re in China unless you’re viewing via foreign proxy you won’t even see this post, as China is blocked from this website for this very reason. The majority of the spam I got was via ChinaNet, and even though I went through DomainTools and blocked all their IP ranges I could find, some still slipped through. As I don’t think Radio Clash gets many Chinese viewers, I blocked China. You can do this via a plugin, I use iQ Block Country which uses the free MaxMind country database. It’s not perfect (upto 95% accuracy) but look at the prices for the commercial databases and you might suddenly not mind having to block the odd interloper!
Obviously the trade-off like with Wordfence’s IP-ranges is whether you want to blocking genuine visitors to your site, versus those who have less good intentions. It depends purely on your site content and who visits it, a good place to look is your web stats or comments on your site – if no ‘real’ people in China or Russia ever seems to visit or comment, then why allow the comment spammers and hackers free reign? I so wish there was a plugin or setting for geo-blocking comments – I’d much prefer to block commenting rather than the whole site from certain countries anyday.
As well as the frontend (ie. homepage, visible parts of the site) you can also block the backend (i.e. wp-admin, wp-login etc) by country too. This you have to be careful to not block your own country from logging in (i.e. preventing you from doing so!) but there is no reason to allow attempted logins from Guatemala, St Kitts or Tibet if you don’t live in those places. This also blocks a lot of hacking attempts, as although many come via compromised accounts in the US and Europe, the easiest to hack or use are those in second and third world countries, probably where the majority of hackers are from.
Again this is something I wish was in WordPress from the start – Automattic has enough clout and userbase to negotiate a good deal for geoIP databases, even set up their own or make it free? Like with MaxMind the commercial uses are expensive – even Wordfence Pro which is reasonable if you have one site, less so if like me you have many WP installs. It would be better if charged per server or person rather than per install, actually.
Spam, spam, spam, glorious spam
Spam seems to be seen as inevitable in the blogging world, but it doesn’t have to be. There are ways of limiting or almost stopping the flood of comments about Nigerian Princes, Game Cheats, Credit ratings and the like. The first line comes free with WordPress, Akismet, and is well worth using especially with an Akismet API key. Currently it has stopped over 43,000 spams on this blog in the last 8-9 years, a +1 like to Automattic on that one.
But Akismet is good but not 100% failproof, it does sometimes miss spams especially those generated by teams of people paid to spam blogs (yes virtual sweat-shopping, it does happen). Others I recommend are G.A.S.P. (Growmap Anti Spambot Plugin) which adds a checkbox for humans and a hidden secret key, and the Bad Behavior plugin – which is an anti-bot plugin a bit like Wordfence but much more specialised. It checks and updates the ProjectHoneypot http:BL blacklist which like Akismet you’d need to register a API key for, but it’s currently stopped 12,402 access attempts in the last 7 days, so not to be sniffed at! Although how many of those were false positives I don’t know, seems many are from IPs from the blacklist…but pretty sure any genuine visitor via a browser shouldn’t be troubled. It is a bit trigger happy though, so beware setting it to a fiercer mode unless you are being currently attacked.
But if spam gets through – even 1% or 0.5% false positives of many thousands is still quite a few – it’s good to know who the frequent spammers are. This is where the old but still working Block Top Spammers come in, it lists the top spammers, and in one click you can delete and block them via .htaccess.
Also. as mentioned in the previous section, if you get a lot of spam from one or several countries, you can block them with various GeoIP plugins or systems.
Deny and Fail
I’ve been mostly talking about things you can do within WordPress, but it’s a good thing to add similar ‘login lockdown’ features to the server itself. If you have admin access to your server, then install Denyhosts and/or Fail2Ban (depending on your flavour of server OS you may or may not be able to run those). These limit the amount of tries for logins to FTP, Secure Shell (SSH) and other non-Wordpress Apache sites. It’s too complicated to describe the installation and setup of these two here, follow the links and google for your OS you’ll probably find a guide or an alternative. If you don’t know what ‘apt-get’ or ‘yum’ or github is, or how to SSH into your server, you might want to get someone who is to do it for you.
Other things you might want to look into is public key logins, mod_security and hardening Apache and installing PHP Suhosin, even caching like Zend or X-Cache if you get a lot of DDOS/bot attacks. Most of these have caveats and you might break stuff, so please backup your server and check before you dive in!
And like with WordPress plugins, keep your server up to date! Great thing about Linux (most web servers are Linux based) is that patches are available for it all the time, and very quickly. It’s those people who don’t bother to update who get hacked – and their servers get turned into those that are currently spamming or hacking YOU. And you wouldn’t want your domain or IP blocked for a long time, would you?
Backup is the Best Offence
All of this could go horribly wrong – you still get hacked via a previously unknown Heartbleed type exploit, or you could also nuke something while locking down your blog – so regular backups is very important. I recommend BackWPup plugin to backup to Dropbox, S3 server or email. No backup plugin is 100% – especially with large backups, so always check Jobs from time to time, and check emails for errors and warnings. Quite often a server config or change can prevent a backup, so it’s not ‘fire and forget’ exactly, but BackWPup has been a lot less problematic than it’s rivals. Good idea is to set separate jobs with emailed database dumps and server uploads, at least one might work, and in a hack or crash situation, redundancy is key.
Also if you’re going to upload server backups of any sort to Dropbox, encrypt them. Sadly BackWPup won’t do this for you, and not found a way of doing that with database dumps. (BackWPup developers – please can we have this?) But if you backup via script to Dropbox I recommend using AES 256 CBCwith salt using a command something like this in your script. Because Condi ‘I Want To See Your Emails’ Rice is now on the board, and Dropbox doesn’t encrypt their space.
Also if a hacker has gotten into your WordPress site, next thing will be probably going for your Dropbox account, you don’t want all your server details sitting there in a handy zip…
I hope this helps those who are setting up or using WordPress to be more secure, there are many more little tricks but these are the main ones I’ve discovered – sometimes quite painfully!
[picture: This would be a good safe place for a server! WW2 Pillbox near Pagham, Essex by Tim B aka fingertrouble]