WordPress Hacks – Keep Your Site Secure
I haven’t posted much here lately, as I’ve had a lot going on with some of my other sites. I also had a problem over the recent holiday weekend when my entire server went down, leaving all of my Websites unavailable for more than 48 hours. What was that all about?
WordPress hacks. Dozens or hundreds of hackers were trying to break into my WordPress installations. On this particular server, I have about a dozen sites, and all but one of them are built with WordPress. It’s a great platform for building sites or blogs, but it does have some well-known security issues, and WordPress hacks are one of the biggest problems facing people who build their sites with the free tool.
Security Against WordPress Hacks
The biggest weakness exploited by WordPress hacks is that the names and locations of the administrative files are public knowledge: there’s a file called wp-login.php in the root directory of your site and a folder called wp-admin that contains the site’s dashboard.
By default, WordPress calls the primary user “admin” and most users don’t bother to change that. That makes WordPress hacks somewhat easier. When you’re trying to hack into someone’s site, you need both a username and a password to get in. On about 95% of WordPress installations, hackers can correctly guess that the username needed to access the site is “admin.” After that, they’re just trying to guess the password.
WordPress recommends some super-strong passwords so that you aren’t likely to become a victim of WordPress hacks, and you should certainly change the name of the administrator account right away:
- Log in as an administrator.
- In the Dashboard, click Users and create a new account. Call that account whatever you like, and be sure to give it administrator privileges.
- Log out from the admin account and log in with the new account.
- Click Users again and delete the original admin account.
There are a number of other recommendations for adjusting your site so that people who aren’t authorized to access it can’t get in, but many of these fixes don’t address the main problem – by the time your visitors are trying to hack your site, they’re already there and consuming system resources. My sites didn’t go down because of people trying to type in passwords; my sites went down because of the load on the system resources that comes from trying to redirect thousands of requests at one time. The best responses to WordPress hacks don’t involve keeping bad people out; they come from keeping bad people away.
That’s why I’ve had to take some additional steps to secure my sites. I’ve already changed my usernames, and I’ve got a script on my server that won’t let anyone with an unauthorized IP address access the login file or the admin folder. The problem, however, is that the traffic from hundreds or thousands of WordPress hack attempts arriving all at once overloaded the server, and it stayed that way for more than 48 hours.
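As an added illustration of the same idea (this is not the script from this post, nor WordPress or Apache code), here is a small Python log analyser: it reads Apache-style access log lines, counts failed wp-login.php POSTs per client IP inside a sliding time window, and emits an Apache 2.4 deny block for any address that crosses a threshold. The sample log lines, the IP addresses, the ten-per-minute threshold and the use of a `<RequireAll>` block in .htaccess are all constructed assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic (not real log data).
# 203.0.113.7: twelve wp-login.php POSTs in twelve seconds, all answered 200.
# 198.51.100.4: two typos, then a successful login (302 redirect to wp-admin).
# 192.0.2.9: an ordinary page view that should be ignored.
SAMPLE_LOG = [
    f'203.0.113.7 - - [06/Sep/2015:10:01:{s:02d} +0000] '
    f'"POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"'
    for s in range(12)
] + [
    '198.51.100.4 - - [06/Sep/2015:10:02:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [06/Sep/2015:10:02:25 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [06/Sep/2015:10:02:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [06/Sep/2015:10:03:00 +0000] "GET /about/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return the fields we care about, or None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop any query string
        "status": int(m.group("status")),
    }


def failed_logins(lines):
    """Map each client IP to the timestamps of its failed login attempts.

    WordPress re-renders the login form with HTTP 200 when the password is
    wrong and answers a successful login with a 302 redirect, so a 200 on a
    POST to wp-login.php is treated as a failure.
    """
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == "/wp-login.php" and rec["status"] == 200:
            failures[rec["ip"]].append(rec["time"])
    return failures


def max_hits_in_window(times, window):
    """Largest number of events that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_brute_force(lines, threshold=10, window=timedelta(minutes=1)):
    """Return {ip: peak_failures_per_window} for IPs at or above the threshold.

    The threshold and window are assumed values; tune them to your traffic.
    """
    flagged = {}
    for ip, times in failed_logins(lines).items():
        peak = max_hits_in_window(times, window)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def deny_snippet(ips):
    """Apache 2.4 directive block that refuses the flagged IPs (assumed usage)."""
    body = "\n".join(f"    Require not ip {ip}" for ip in sorted(ips))
    return "<RequireAll>\n    Require all granted\n" + body + "\n</RequireAll>"


if __name__ == "__main__":
    offenders = flag_brute_force(SAMPLE_LOG)
    for ip, peak in offenders.items():
        print(f"{ip}: {peak} failed logins within one minute")
    print(deny_snippet(offenders))
```

Run against the constructed sample, the script flags 203.0.113.7 (twelve failures in one minute) and leaves the user who mistyped twice alone. A web-server-level deny like this is far cheaper than letting each attempt run PHP and hit the database, but it still costs a request per attempt; only a filter sitting upstream of the server keeps that traffic off the box entirely.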
I’ve usually got good tech support from my hosting company, but they really dropped the ball this time.
The secret to avoiding WordPress hacks and ensuring that your site isn’t crippled by useless traffic is to intercept that traffic before it reaches your site. There are several different ways to do that:
Cloudflare – Cloudflare is a content delivery network that acts as a middleman between your site visitors and your site. You can set up an account with them (for free!) and once you’ve set it up, all traffic to your Website will go through Cloudflare’s servers before it comes to your site. Cloudflare has sophisticated methods of detecting WordPress hacks, and repeated attempts to attack your site are quickly disrupted. You can set the security level, but visitors whom Cloudflare considers a threat will soon find themselves having to respond to a challenge, such as a CAPTCHA code, before visiting the site.
As most of these WordPress hacks are conducted using bots, this challenge is usually enough to stop the attacks. An additional benefit of Cloudflare is that the site also stores a cache of your Website, so in the event that your site does go down, your visitors may not even notice, as Cloudflare will serve cached Website pages to your visitors automatically.
I’ve been testing Cloudflare with several of my sites this week, and so far, the results are good.
Jetpack (formerly BruteProtect) – Jetpack is a WordPress plugin that has more than 30 functions; it’s sort of a toolbox with a bunch of tools that you may or may not want to use. It now contains the software that used to come in a standalone plugin called BruteProtect. BruteProtect prevents WordPress hacks by comparing the IP addresses of people trying to access your site against a database of addresses known to be used by hackers. If the IP address is one that’s been associated with WordPress hacks, the visitor is blocked.
Jetpack is completely free, and you can install it from the plugins section of your WordPress dashboard. After that, you just have to activate it and obtain an API key, which you can get from the dashboard.
Either (or both) of these tools should help protect your site and keep it online in the event of WordPress hacks. If you want even more security, and you have a VPS or a dedicated server, there are methods of blocking hackers by using an add-on for your Web server known as ModSecurity. Stopping WordPress hacks with ModSecurity is fairly complex and outside the scope of this article. If you’re serious about going this route, you’d be best advised to contact your hosting company’s tech support.
WordPress Hacks Conclusion
WordPress is a great and flexible platform, but the security problems aren’t likely to go away. If you’re going to be using it, and most people involved in Internet marketing will, then you have to be proactive in protecting your sites and your server from malicious attacks. There are many fixes available, and most of them are not too hard to put into use.
Take the time to protect your sites from WordPress hacks. It’s worth it.