3 weeks ago I wrote about my 4 favourite security plugins. It only took about a week for me to discover another plugin that I found so useful that it instantly expanded the list. Now it’s my 5 favourite security plugins!
The attack went on for over a day with the attacker trying different passwords. Eventually I installed the new plugin and stopped their attempts. By stopping them from even trying to guess the password, there is a new layer of security in place.
Security through obscurity
This one is often hotly debated. Security through obscurity is basically hiding what you need to protect. But that level of security is breached as soon as someone knows where the hiding place is.
An example is leaving your front door key and alarm code in a plant pot by the front door. Anyone looking in the plant pot knows how to get in. This is where this type of security is poor.
Another example is the army camouflaging large tanks. Obviously a layer of paint doesn’t physically protect the vehicle and if you know where the vehicle is you can attack it. But the camouflage can make it more difficult to find the vehicle. It is adding a layer of security.
So I installed WPS Hide Login by WPServeur. Now anyone trying to access 13weekchallenge.co.uk/wp-admin (try it if you want) doesn’t see the admin page and can’t try to log in. You need to know the URL it has been moved to in order to attempt a login at all.
The other layers
I still maintain other vital layers of security. The next is Limit Login Attempts by Johan Eenfeldt. This detects multiple failed login attempts from the same IP address and blocks access from that IP address after a few failures. However, in the main attack I think they were using infected machines to send the login attempts from many different IP addresses, which gets around a per-IP block.
After that, Plainview Activity Monitor by Edward Plainview was set up to record all failed login attempts. I could see the userid and password tried on every attempt, which is useful for seeing whether the attackers are getting close…
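As an added illustration of what the two layers above are doing (this is example code written for this post, not code from Limit Login Attempts or Plainview Activity Monitor), here is a small script that reads a constructed log of failed logins in a hypothetical "timestamp ip username" format, applies a per-IP rule like Limit Login Attempts, and then adds a per-username view that catches the distributed case the per-IP rule misses: the same userid being tried from many different addresses in a short window. The IP addresses, timestamps, thresholds and the log format are all made up for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format: "timestamp ip username").
# One address hammers the login form; a second group spreads the same
# username across many addresses, one attempt each.
SAMPLE_LOG = """\
2015-06-01T10:00:01 198.51.100.7 admin
2015-06-01T10:00:04 198.51.100.7 admin
2015-06-01T10:00:09 198.51.100.7 administrator
2015-06-01T10:00:15 198.51.100.7 admin
2015-06-01T10:00:20 198.51.100.7 admin
2015-06-01T10:01:00 203.0.113.10 admin
2015-06-01T10:01:30 203.0.113.11 admin
2015-06-01T10:02:00 203.0.113.12 admin
2015-06-01T10:02:30 203.0.113.13 admin
2015-06-01T10:03:00 203.0.113.14 admin
2015-06-01T10:03:30 203.0.113.15 admin
"""


def parse_log(text):
    """Turn the log text into a list of (timestamp, ip, username) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user = line.split()
        events.append((datetime.fromisoformat(ts), ip, user))
    return events


def blocked_ips(events, max_failures=4, window=timedelta(minutes=15)):
    """Per-IP rule in the style of Limit Login Attempts.

    An address is blocked once it has max_failures failed logins inside a
    sliding window. Returns the set of blocked addresses.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    blocked = set()
    for ts, ip, _user in sorted(events):
        q = recent[ip]
        while q and ts - q[0] > window:  # forget failures older than the window
            q.popleft()
        q.append(ts)
        if len(q) >= max_failures:
            blocked.add(ip)
    return blocked


def distributed_targets(events, min_sources=5, window=timedelta(minutes=15)):
    """Per-username view that the per-IP rule cannot give.

    Flags a username when at least min_sources distinct addresses have tried
    it inside the window, even though no single address crossed the per-IP
    limit. Returns {username: peak number of distinct source addresses}.
    """
    by_user = defaultdict(list)   # username -> [(timestamp, ip), ...]
    for ts, ip, user in sorted(events):
        by_user[user].append((ts, ip))
    flagged = {}
    for user, hits in by_user.items():
        for i, (ts, _ip) in enumerate(hits):
            sources = {h_ip for h_ts, h_ip in hits[: i + 1] if ts - h_ts <= window}
            if len(sources) >= min_sources:
                flagged[user] = max(flagged.get(user, 0), len(sources))
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("blocked by per-IP rule:", sorted(blocked_ips(events)))
    print("usernames under distributed guessing:", distributed_targets(events))
```

Run against the constructed log, the per-IP rule blocks only 198.51.100.7; the six 203.0.113.x addresses each fail once and sail through, exactly the gap described above. The per-username view flags "admin" because seven different addresses tried it within the window, which is the signal you would look for in the activity monitor to confirm a distributed attack. The sample log deliberately records only the username, not the password tried, so the log itself does not become a store of guessed secrets.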
This brings me to the base layer of security: strong passwords and secret userids. I can’t stress enough that you should not use Admin or Administrator as your userid (see the previous post for details on how to change your userid). 2 in 3 attempts that day used one of these; the remainder tried the website name. Simply by not using these I had ensured they could not guess the userid & password combination.
After that you are down to passwords. Use a good one. Most attempts to hack this blog have used passwords such as password, 123456 and so on. See the list of useless passwords that I detected hackers trying on this blog before I hid my admin page.
Off site layers of security
After that we’re down to best practices. Keep your connection secure and virus free. An unencrypted internet cafe connection could easily be watched and give everything away.
Security isn’t complicated
None of the above security steps is difficult to apply, but together they give your blog a much stronger chance of staying safe and out of the hands of hackers.