Security

Securing Your WordPress Blog With Plugins And More

3 weeks ago I wrote about my 4 favourite security plugins. It only took about a week for me to discover another plugin that I found so useful that it instantly expanded the list. Now it’s my 5 favourite security plugins!

The theory I work to is one of layers: don’t leave all of your security down to one method. At the time my blog was under attack – a very persistent attack, as you can see here:

[screenshot: failed login attempts]

The attack went on for over a day with the attacker trying different passwords. Eventually I installed the new plugin and stopped their attempts. By stopping them from trying to guess the password there’s a new level of security in place.

Security through obscurity

This one is often hotly debated. Security through obscurity is basically hiding what you need to protect rather than strengthening it. That layer is breached as soon as someone knows where the hiding place is, so it must never be the only layer.

An example is leaving your front door key and alarm code in a plant pot by the front door. Anyone looking in the plant pot knows how to get in. This is where this type of security is poor.

Another example is the army camouflaging large tanks. Obviously a layer of paint doesn’t physically protect the vehicle and if you know where the vehicle is you can attack it. But the camouflage can make it more difficult to find the vehicle. It is adding a layer of security.

So I installed WPS Hide Login by WPServeur. Now anyone trying to access 13weekchallenge.co.uk/wp-admin (try it if you want) doesn’t see the admin page and can’t try to log in. You need to know the URL it has been moved to in order to reach the login form at all. The password still has to be strong: the hidden URL removes the easy target, it does not replace the lock.

The other layers

I still maintain other vital layers of security. The next is Limit Login Attempts by Johan Eenfeldt. This detects multiple failed login attempts from the same IP address and blocks access from that IP address after a few failures. However, in the main attack I think they were using infected machines to direct the login attempts from different IP addresses, which gets around this tool.

After that, Plainview Activity Monitor by Edward Plainview was set up to record all failed login attempts. I could see the userid and password tried on every attempt. Useful to see if the attackers are getting close…

This brings me to the base layer of security: strong passwords and secret userids. I can’t stress enough that you should not use Admin or Administrator as your userid (see the previous post for details on how to change your userid). 2 in 3 attempts that day used one of these; the remainder tried the website name. Simply by not using these I had ensured they could not guess the userid & password combination.

After that you are down to passwords. Use a good one. Most attempts to hack this blog have used password, 123456 etc. See the list of useless passwords that I detected hackers trying on this blog before I hid my admin login.

Off site layers of security

After that we’re down to best practices. Keep your connection secure and virus free. An unencrypted internet café connection could be watched by anyone on the same network, and one login over it would give everything away.

Security isn’t complicated

None of the above security steps are difficult to apply, but together they give your blog a much stronger chance of staying safe and away from the control of hackers.


Hackers Want Your Blog – But Have You Ever Watched Just How Many?

It’s absolutely frightening how many attempts are being made to break into blogs. Even this blog, which is just 2 months old, is under frequent attacks. But, are you aware of the scale of the problem and what are you doing about it?

This site is new. There’s no Google Reputation to worry about and it’s only just starting to get traffic. But hackers have found it and are taking an interest.

In the last 90 minutes I’ve been watching my blog as it is under attack from what looks to be several hackers. Why, I have no idea. Most likely because I have made posts about how to increase blog security. Maybe they want to stop me from telling other people how to protect themselves.

I’m recording all of the failed attempts to watch what they are doing and there have been around 100 failed attempts in those 90 minutes. However, by watching these failed attempts it’s quite easy to see that they are very basic and the first level of security is working – use a difficult-to-guess username.

On top of that the passwords are all very basic. You can see the list that I’ve collected so far here. They certainly are poor passwords to use and demonstrate that you really do need strong passwords that do not have any predictable sequences in them.

Another level of security that I do apply is being evaded here. The attackers are managing to use a whole array of IP addresses, so I’m guessing that they could be employing computers that have been taken over by viruses to ensure they hit me from different IP addresses.

Normally, from such a huge number of attempts Limit Login Attempts would do its job and lock them out. However, they are skipping around so much that its job becomes far harder. Also, just for the “fun of it”, whilst I’m monitoring the site I’ve set the lockout limit much higher so that I can continue to watch what the attackers try.

What have I learned so far?

  1. Use a complex userid. The attempts are coming in triplets, each trying the same password, from a different IP address and these 3 userids: admin, administrator, 13weekchallenge.co (obviously created by a bot that hasn’t realised that .co is part of the URL suffix!)
  2. A complex password is required. Write it down if need be, or store it somewhere secure. But anything with a regular pattern might be guessed, e.g. some attempts are qazwsx and 159753. Look on the keyboard (a numeric keypad for the second one) to see why they might be popular.
  3. Monitoring attempted break-ins is essential. In fact I’m also monitoring successful logins. If it looks like a hacker might have guessed your username or password then you might just have time to change it before they guess the other half of the pairing.

However, I’ve now had enough of compiling my “useless passwords list” and so have increased the security on this blog once more, adding a new plugin to my favourite security plugins list. Now I’m limiting logins to the admin system to people in the UK only.

They won’t give up and I’ll still be recording the attempts, it’s just another layer of security to protect the blog with. Should they guess the combination, this extra plugin will stop them from actually getting logged on!


The Worst Possible Passwords

Struggling to think of a password to protect your admin system? Well, here’s a list of passwords that you certainly do not want to be using! All of these have been gathered by recording what hackers used when trying to get access to this blog.

All of these have been attempted using the user id “Admin”, “Administrator” or “13weekchallenge.co”. So, it spells out how vital it is not to use an obvious userid for your signon. Make both of these difficult to guess and you should have made your site far safer. Have a look over my other blog security best practices and, if you want to know how I’ve gathered this list, just see the previous post (security plugins).

Some of these listed below have been tried by different hackers on 3 occasions in the last few nights. If my security plugins didn’t block them out then I might just find an even bigger list of attempted break-ins. If your passwords follow any obvious pattern such as those below, change them now!

  • website name, with and without the suffix (e.g. 13weekchallenge & 13weekchallenge.co.uk)
  • 111111
  • 111222
  • 121212
  • 123321
  • 1234
  • 1234554321
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • 1234567890
  • 159357
  • 159753 (look at this on a numeric keyboard to see why it might be chosen)
  • 1q2w3e4r5t
  • 1qaz2wsx
  • 55555
  • 654321
  • 666666
  • 7777777
  • 987654321
  • admin
  • admin123
  • adminadmin
  • administrator
  • admadm
  • andrey (a Russian first name, as are kirill, maksim and nurik below)
  • changeme
  • genius
  • kirill
  • ktutylf (the Russian word легенда typed with a Latin keyboard layout)
  • maksim
  • nurik
  • password
  • qazwsxedc
  • qwer1234
  • qwert12345
  • qwerty
  • qwerty123456
  • qwertyuiop
  • www
  • ssassa
  • zxcasd
  • zxcvbn
  • zxcvbnm
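The patterns in that list can be checked mechanically. The following is an added example, not code from this blog or from any plugin mentioned on it: a small Python checker that recognises keyboard walks (including the numeric-keypad diagonals behind 159753 and 159357, and the interleaved 1q2w3e4r5t), short repeated units such as adminadmin, passwords built from a single character class, and the common words and site name that appear in the list above. The site name parameter and the passphrase used in the demonstration are assumptions for the example; nothing is downloaded and no password leaves the machine.

```python
# Added example: rule-based check for the password patterns seen in the
# attempts list above. Not the blog's code and not a plugin; run it locally.

# Key sequences a "walk" can be read off: the QWERTY rows, the columns that
# hang under the number row (1qaz, 2wsx ...) and the numeric keypad's rows,
# columns and diagonals (so 159753 and 159357 count). Reverses are added too.
KEY_SEQUENCES = [
    "1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
    "1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm", "8ik", "9ol",
    "789", "456", "123", "741", "852", "963", "159", "357",
]
KEY_SEQUENCES += [s[::-1] for s in KEY_SEQUENCES]
MIN_SEGMENT = 3          # shortest run of keys treated as a walk

# Words taken from the observed-attempt list above; add your own site and
# product names when you use this for real.
COMMON_WORDS = ["password", "admin", "qwerty", "changeme"]


def _walk_segments(s):
    """Greedily cover s with keyboard segments of >= MIN_SEGMENT keys.
    Returns the segments, or None if any part of s is not a walk."""
    segments, i = [], 0
    while i < len(s):
        best = None
        for j in range(len(s), i + MIN_SEGMENT - 1, -1):   # longest chunk first
            chunk = s[i:j]
            if any(chunk in seq for seq in KEY_SEQUENCES):
                best = chunk
                break
        if best is None:
            return None
        segments.append(best)
        i += len(best)
    return segments


def is_keyboard_walk(pw):
    """True for qazwsxedc, 159753, 1234554321 and interleaved 1q2w3e4r5t."""
    pw = pw.lower()
    if len(pw) < MIN_SEGMENT:
        return False
    if _walk_segments(pw):
        return True
    # Interleaved walks: both strands (1-2-3-4-5 and q-w-e-r-t) are walks.
    if len(pw) >= 2 * MIN_SEGMENT:
        return bool(_walk_segments(pw[0::2]) and _walk_segments(pw[1::2]))
    return False


def repeated_unit(pw):
    """Return the unit if pw is a short unit repeated (121212 -> '12',
    adminadmin -> 'admin', www -> 'w'), else None."""
    for n in range(1, len(pw) // 2 + 1):
        unit = pw[:n]
        if len(pw) % n == 0 and unit * (len(pw) // n) == pw:
            return unit
    return None


def weak_password_reasons(pw, site_name=None):
    """List the obvious-pattern reasons a password would be guessed early.
    An empty list means none of these rules fired, not that it is strong."""
    reasons = []
    low = pw.lower()
    if len(pw) < 12:
        reasons.append("shorter than 12 characters")
    classes = set()
    for c in pw:
        classes.add("digit" if c.isdigit() else "upper" if c.isupper()
                    else "lower" if c.islower() else "other")
    if len(classes) == 1:
        reasons.append("only one character class (%s)" % classes.pop())
    if is_keyboard_walk(low):
        reasons.append("keyboard walk")
    unit = repeated_unit(low)
    if unit is not None:
        reasons.append("repeated unit %r" % unit)
    words = COMMON_WORDS + ([site_name.lower()] if site_name else [])
    for w in words:
        if w in low:
            reasons.append("contains %r" % w)
            break
    return reasons


if __name__ == "__main__":
    # "13weekchallenge" as the site name is an assumption for the demo.
    for candidate in ["159753", "1q2w3e4r5t", "admadm", "13weekchallenge.co.uk",
                      "correct-Horse7battery-staple"]:
        print(candidate, "->", weak_password_reasons(candidate, "13weekchallenge") or "no obvious pattern")
```

The checker is deliberately a blocklist of patterns, not a strength meter: a password that passes every rule can still be weak, but one that fails any rule is in the territory the attempts above were mining.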

My 5 Essential WordPress Security Plugins; Why And How I Use Them

No matter how hard anyone tries I think WordPress will never be 100% secure, simply because of its popularity and the way it is used. Therefore we, as users, need to put some extra security steps in place. Here are my favourite tips that anyone can install and understand.


WPS Hide Login (WPServeur). An essential first level of security, enforced upon me really after my blog had suffered 18 hours of brute-force login attempts. This one ‘confuses’ hackers. It’s security through obscurity, which some people argue isn’t a good idea; to me, if it adds another layer on top of a strong password it must help.

Download and activate this plugin and then click Settings. At the bottom of the settings page is a new box: “Login url”. Change the name in that box to something that you can remember but isn’t obvious. Hackers will use bots to try to find admin systems, so keep the name obscure.

Now, if anyone tries to access your login or admin pages they see your 404 page instead. Certain logins will still get through, but it should reduce the plague of a brute force attack.

Should you forget your new admin URL, then either use FTP to delete or rename the plugin, or look in the options table of your database, where the new name is stored.

Limit Login Attempts (Johan Eenfeldt). Next on the list is one of my favourites and one I am never without. Hackers will attempt to take control of your blog by brute force – attempting obvious passwords in bulk using robots. However, these attempts will frequently come from the same IP address.

So this marvellous little plugin simply sits there and watches for failed login attempts. If there are 4 failed attempts in 12 hours (defaults, you can change them) then the IP address is prevented from logging in for 20 minutes. Another set of failed attempts will produce another lockout, and after four lockouts it becomes a full 24 hour lockout.

OK, hackers can switch IP address. But suppose you have a password that will take a million guesses to find (and 1,000,000 passwords can normally be tried in a few hours at just 100 per second). If each IP address ends up blocked for 24 hours after 16 failed attempts (4 attempts per lockout, 4 lockouts), then to try 1,000,000 passwords they need access to more than 62,000 IP addresses.
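To see what that policy does against a single address and against the botnet-style attack described in the earlier post, here is an added example, not the plugin’s own code: a small Python replay of the default policy (4 failures, 20 minute lockout, 24 hours after the fourth lockout, counter reset after 12 quiet hours) over constructed failed-login records in the shape an activity log would give you. The IP addresses, timestamps and credentials are made up for the demonstration, and the model is a deliberate simplification that tracks counters and timers per IP only.

```python
# Added example: simplified replay of a per-IP lockout policy (not the
# Limit Login Attempts code) over constructed failed-login records.
from collections import defaultdict
from datetime import datetime, timedelta

# Defaults as described in the post.
MAX_RETRIES = 4                      # failures before a lockout
LOCKOUT = timedelta(minutes=20)      # first three lockouts
LONG_LOCKOUT = timedelta(hours=24)   # from the fourth lockout on
LOCKOUTS_BEFORE_LONG = 4
RETRY_RESET = timedelta(hours=12)    # quiet period that clears the counter

# Constructed records, "timestamp,ip,username,password". One address hammers
# the site; six others each send one attempt (same password, three userids).
SAMPLE_LOG = """\
2015-05-01 02:00:00,203.0.113.5,admin,password
2015-05-01 02:00:01,203.0.113.5,admin,admin123
2015-05-01 02:00:02,203.0.113.5,admin,111111
2015-05-01 02:00:03,203.0.113.5,admin,123456789
2015-05-01 02:00:04,203.0.113.5,admin,changeme
2015-05-01 02:00:05,203.0.113.5,admin,654321
2015-05-01 02:00:06,203.0.113.5,administrator,1234
2015-05-01 02:00:07,203.0.113.5,administrator,12345678
2015-05-01 02:00:08,203.0.113.5,administrator,qwertyuiop
2015-05-01 02:00:09,203.0.113.5,administrator,zxcvbn
2015-05-01 03:00:00,198.51.100.1,admin,123456
2015-05-01 03:00:00,198.51.100.2,administrator,123456
2015-05-01 03:00:00,198.51.100.3,13weekchallenge.co,123456
2015-05-01 03:00:10,198.51.100.4,admin,qwerty
2015-05-01 03:00:10,198.51.100.5,administrator,qwerty
2015-05-01 03:00:10,198.51.100.6,13weekchallenge.co,qwerty
"""


def parse_log(text):
    """Parse the comma-separated records into dicts, oldest first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, pw = line.split(",", 3)
        records.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        "ip": ip, "user": user, "password": pw})
    records.sort(key=lambda r: r["time"])
    return records


def simulate_lockouts(records):
    """Replay failed logins against the policy, per source IP.

    Returns {ip: {"reached": n, "blocked": n, "lockouts": n}}: "reached"
    counts attempts that got as far as the password check (real guesses),
    "blocked" those rejected because a lockout was active.
    """
    state = defaultdict(lambda: {"retries": 0, "lockouts": 0,
                                 "locked_until": None, "last": None})
    stats = defaultdict(lambda: {"reached": 0, "blocked": 0, "lockouts": 0})
    for r in records:
        s, t = state[r["ip"]], r["time"]
        if s["locked_until"] is not None and t < s["locked_until"]:
            stats[r["ip"]]["blocked"] += 1   # never reaches the password check
            continue
        if s["last"] is not None and t - s["last"] > RETRY_RESET:
            s["retries"] = 0                 # 12 quiet hours: counter resets
        s["last"] = t
        stats[r["ip"]]["reached"] += 1
        s["retries"] += 1
        if s["retries"] >= MAX_RETRIES:
            s["retries"] = 0
            s["lockouts"] += 1
            stats[r["ip"]]["lockouts"] += 1
            long_lock = s["lockouts"] >= LOCKOUTS_BEFORE_LONG
            s["locked_until"] = t + (LONG_LOCKOUT if long_lock else LOCKOUT)
    return dict(stats)


def ips_per_password(records):
    """Distinct source IPs per password. A distributed attack shows one
    password arriving from several addresses, which a per-IP lockout never
    sees as related."""
    seen = defaultdict(set)
    for r in records:
        seen[r["password"]].add(r["ip"])
    return {pw: len(ips) for pw, ips in seen.items()}


def guesses_per_ip_before_long_lockout():
    """Upper bound on real guesses one address gets before the 24h lockout."""
    return MAX_RETRIES * LOCKOUTS_BEFORE_LONG


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, st in sorted(simulate_lockouts(recs).items()):
        print(ip, st)
    print(ips_per_password(recs))
    per_ip = guesses_per_ip_before_long_lockout()
    print("IPs needed for 1,000,000 guesses:", -(-1_000_000 // per_ip))
```

Run as is, the single address gets 4 real guesses and then 6 rejected attempts, while each of the six botnet addresses gets its one guess through untouched; the second function is the report you want from an activity log when the lockout counters look quiet but the same password keeps arriving from new addresses.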

The plugin can be set to inform you when users are blocked so if you are on the end of a really bad attack then you can do as I have been known to do and move the wp-admin folder until the hacker goes elsewhere.

Plainview Activity Monitor (Edward Plainview). This one is new to my list, but already I’m a fan. But you need to be careful about how you use it if you use it the way I do.

You can set this to record all failed logon attempts (Activity Monitor, Logged Hooks, tick wp_login_failed, select Activate then Apply). However, this could be dangerous and give hackers information that they need so do read on!

With the above set, all failed logon attempts are recorded in detail – IP address, attempted userid and attempted password. That’s great, but if you fail to log on as Peter using Password and then as Pete using Password1, anyone discovering this could well guess that Peter and Password1 are the desired combination.

So it is vital that after any failed logon attempts of your own you delete them as soon as you log on – Activity Monitor from the side bar, select your failed logons, change Bulk Actions to Delete and then Apply.

But now you can see when hackers are about and the userid / passwords they are trying. If they are trying random combinations then you are fine. However, if they start to try whatever you have setup as your Admin userid then you have a warning that it’s been discovered and can change it.

Changing a UserId is difficult in WordPress, but not impossible (more information). Go to Users and create a new user with Administrator permissions, giving it a secure userid and using the same nickname as you have previously used. Sign off and back on again as this new id. Then delete the old user id, or downgrade it to Subscriber.

Be careful if deleting your old userid that you don’t delete its posts. Either leave them orphaned or move them to the new userid.

If somehow the hackers are starting to attempt to break into the site with passwords that look like they are getting close then you must take that as a huge hint that your password is not strong enough and immediately change it. If it was a reasonably secure password and they are guessing it also ask yourself why. Have you been compromised in some way – virus, spyware or whatever?

WordPress Database Backup (Austin Matzko) – a lesson here for me in watching for similarly named plugins as I initially set this blog up with a different plugin, thinking I was getting this one and it wasn’t quite as good.

If all goes wrong on your blog then you need backups. No matter how well you protect the site, if someone still gets in and litters it with junk posts or deletes posts then your backup is where you will fall back to.

However, some backups store the backup on the server. This is great, unless the server itself is hacked. Then what might happen to the backups? I prefer to have the backups emailed to me. For this purpose I create a standalone email address that receives the various backups. Every few weeks I will logon and check that the backups are arriving and delete the oldest copies.

By using a separate email address you don’t clutter your own email with backup files. You do need to remember to logon regularly, but if they were being sent to your own email you’d still need to check they are arriving.

You can set this plugin up to do backups as often as you like – from hourly to twice a month. Extra tables on the database can be included and you can trigger a backup whenever you want to manually.

The files are quite small and email friendly. Hopefully you’ll never need them, but they are always worth having.

WP Captcha Free (iDope). Looking through similar lists, other blogs prefer to go into highly technical plugins that move wp-content and so on. However, I believe that part of the protection of your site is protecting the comments.

Akismet is great, but it lets too many spam comments through for my liking. I know when I’ve only used Akismet I’ve seen a stream of junk arriving in my comments folder. Yes, it’s supposed to learn. But you still have to get rid of all of these junk comments.

I think that junk comments are very dangerous to a blog. If just a few get through to a post then it spoils the whole site. Your reputation for not caring is gone. Sometimes it can also be difficult to see if a simple comment is just a simple, but well meaning, compliment or a lazy link build attempt.

That’s where WP Captcha Free excels. There’s no captcha for the comment leaver to use and they probably won’t even realise there’s protection going on in the background. Instead it uses algorithms to protect your site from spammers.

It can differentiate between people who have arrived on your site and read the post before commenting and automated spam robots that are just trying to fill your comments with junk. Best of all, you don’t see these junk comments!

Well, that’s my 5 essential WordPress security plugins. I’m sure other people have their favourites, so why not let me know or share this post so that more people can be protected? There are also other Security Best Practice tips that you should remember when using WordPress, so don’t forget them.


WordPress Blog Security Best Practices

Whilst WordPress is a brilliant tool for blogging, its success is also one of its greatest weaknesses. It is used in so many sites that it is a big target for hackers, so if you are using WordPress you must take additional steps to make your site more secure. Here are a good few security best practices to get you started!

1) Always update to the latest version of WordPress and Plugins


WordPress frequently release security updates – whenever there’s a problem found they will try to patch it as soon as practical. Likewise, plugins and themes that you use can be found to be vulnerable to hackers and these will be updated when needed.

So if you see that little red box warning you of updates in need of installation, do take a few minutes to check what needs updating and do the update. It could just be the update that gives you a bit more protection.

2) Delete unused plugins


If plugins and themes can be vulnerable to attack then don’t leave them hanging around! If you are not using them then delete them. This applies to any plugins that might be installed that are deactivated and also to any that are active but are there just because you haven’t thought about them.

If they once did a job and are not really needed now, get rid of them. Doing so might also speed up your blog a bit!

3) Review what plugins and themes you install

Any developer can distribute plugins and themes and you don’t really know who they are nor if they have any other intentions. Why are so many plugins and themes released for free?

In nearly all cases it’s because there’s an upgrade to a paid version and with some themes they are hoping for a few useful links back to their own sites (not so useful with recent Google updates). But there will always be that minority of people who want something else.

So before downloading a plugin or theme it is good practice to make sure that you read a few reviews, check the download figures and convince yourself it really is a safe product to use. After all, you are potentially allowing the developer access to your entire blog!

4) Protect your login form

If a hacker takes an interest in your blog – and you don’t need to be a popular blog for this to happen (at just 5 weeks old and with 1 or 2 visitors a day, this blog attracted a hacker’s strong interest) – they might try brute force attempts to gain access to your admin system.

This involves them using a robot (computer) to try to log in using a variety of passwords. They can try an unbelievable number of passwords in a very short time. However, there is a flaw in this process in that they often use the same IP address for all of the attempts.

So I like to protect my logon form with Limit Login Attempts by Johan Eenfeldt. If it detects a number of failed attempts in a short time it blocks the IP address. And if after the block there are more attempts it will block the IP address for longer. You can see how many times it has protected my site recently!

[screenshot: Limit Login Attempts lockout statistics]

5) Don’t use Admin or Administrator

WordPress used to use the default user of Admin all of the time, but has tightened up its security by not doing so. If you have been using WordPress for years, or are just feeling a little short on imagination, do not use either of these user names on your blog.

You can see from the small part of the screen grab above that all of the attempts to get into my blog have used one or the other of these 2 user names. So by using something different you are ensuring that any hackers don’t just need to guess your password, they also need to guess your user name.

If you are using an obvious user name then sign on now, go to Users and create a new administrator id that’s more secret (see the next tip first though). Then within Users select the Admin user and change its role to Subscriber. Better still, delete the Admin id and move the posts to your new user if you can, but downgrading Admin to a subscriber should prevent many problems.

6) Don’t display your login name as post author

Do you display your author name after posts? Do you know if you do? If you are avoiding using ‘Admin’ then don’t give away your real username by displaying it at the end of posts! Click on Users and then your username and you see the screen below.

[screenshot: user profile showing the Username, Nickname and Display name fields]

The Username is the one you sign on as. Set something different in the Nickname and then set Display name publicly as the Nickname.

7) Make backups of the database

And if it all goes wrong then you are going to need backups. There are plenty of plugins to choose from that can regularly backup your blog for you. I use one that stores the backups on the server and also emails me a copy of the backup files.

To prevent this from cluttering up my email I’ve created a large standalone email box just to receive the backups. But if you do this keep an eye on the box to ensure backups are arriving and that it’s not become full!


Can WordPress Ever Be Secure Enough?

[screenshot: news headline about the “73%” of WordPress sites vulnerable to attack]

With headlines such as this frequently in the news, you could be forgiven for thinking that WordPress is a security nightmare. Does it deserve the bad press that it frequently receives? Should we be putting our trust, sometimes our livelihoods, behind it?

The above headline How to avoid being one of the “73%” of WordPress sites vulnerable to attack would lead you to believe that there’s a 3 in 4 chance that you are going to be hacked. But, once you open the article and read past the headline, it does, to an extent, show to be a bit of scare mongering.

In this case 73% of WordPress installations had the same potential security flaw. However, server-side protection, as provided by many hosts, prevented the potential flaw from becoming an actual security hole, and many non-secure hosts were deploying fixes to improve their servers too.

[screenshot: news headline “Millions of sites at risk”]

“Millions of sites at risk” claims this site. With approaching 75,000,000 websites using WordPress, millions represents quite a low chance in some respects, but where did this bug come from? In this case it was from third-party add-ons – the themes and plugins that you can freely add to a WordPress blog to customise and improve upon it.


And this is what we need to remember when we are using WordPress. The core of the code is downloaded from them, however we then install themes and plugins galore. Where are they coming from? I could publish a theme or a plugin today and you could be downloading it tomorrow. But, why should you trust me?

According to the WordPress site there are 40,832 plugins with 1,070,638,954 total downloads at your fingertips. That’s a lot of plugins and even more downloads. Yet these plugins can change the behaviour of your website. They can, and it is frequently their job to, change the behaviour of your installation. Some actively prevent admin logons from working (e.g. Limit Login Attempts, which is approaching 1,000,000 installations and yet comes with a large warning that it hasn’t been updated for 2 years).

Presumably that’s because it doesn’t need to be changed. It was written, does what it needs to and that’s the end of the story. But we’re then subjected to a warning that we’re learning to ignore – on a security plugin!

[screenshot: WordPress release dates, April 21 and April 27]

In all fairness WordPress do work hard themselves to patch security issues. As soon as they are found the team works hard to put out a fix, even if those fixes are less than a week apart (see April 21 & 27 above).

But, why is WordPress in need of so many security patches? The issue is exactly what WordPress is and the way that we use it. In simple terms, it is known as “Open Source” because the source code is shared and anyone can view the code.

With packages such as Microsoft Windows and Mac OS X all that you receive is the compiled code. There’s no easy way of looking through the code to see if the programmer has made any mistakes. Because WordPress distributes the raw source code, anyone – hackers included – can look through the code and check for omissions and errors that leave ways into the site.

On top of this, we then let anyone and everyone write add ons – “plugins” as they are known, without any possible way of security checking other than finding out too late that something is wrong.

Furthermore, we then distribute the same potentially insecure code to 75,000,000 websites. Half of these are self-hosted (not hosted at WordPress.com). That allows hackers to set up installations themselves to test on, and then they have a huge audience of websites to attack. And a hacker only needs one of those websites to fall for the attack to have paid off.

What can we as WordPress users hope to do about it? First, we have to basically cross our fingers and hope ours is not the site attacked when a new vulnerability is found. If it is, then there’s not much we can do about it other than report it to WordPress. Backups should allow us to roll back the site to before the attack, but that’s about as far as we can go.

If we are not the unfortunate few then upgrading is essential. If WordPress have released a security fix then it needs applying ASAP. No excuses – if there’s a fix then someone knows how to hack into your version and you need to be off that version ASAP.


But it’s the themes and especially the plugins that leave us most exposed. Various publishers have recently found that their products have opened up security holes and been exposed. However, short of some form of policing of both of these I don’t think there is a way to fix this “hole”.

And policing theme writers, with over 40,000 active plugins alone, isn’t a small job. That’s just the number of plugins that you can download from WordPress. Many thousands more are available from other sources and we happily install and use them.

Keeping everything up to date, that’s WordPress, plugins & themes, deleting unused plugins and themes, using secure passwords and logon protection will help us but I don’t think they can ever 100% protect us on such a gigantic open source project.

WordPress is constantly evolving, adding in new features and improvements. It moves with the times so that the dashboard looks modern and uses modern techniques. But changing code always means risk and one of those risks is security.

And I think all that we can do is to take backups and cross our fingers.
