For the first few years of my blog’s existence, my WordPress security was mainly security-by-obscurity. I relied on the fact I averaged less than 100 views per day, so why would someone hack my site? Well, my traffic grew considerably and my site started getting attention I didn’t want. Besides, security-by-obscurity isn’t real security since most hackers don’t employ common sense when targeting sites. My site was getting hit with all kinds of attacks but most were iFrame injections that redirected users to another site.
Think of security in layers. The more layers you apply the more secure your site becomes but the more overhead there is for you, the site owner. My suggestions below go 1.5-2 layers deep in the security model. I think it is a good balance between good security and manageability. While not a comprehensive list, it is a good start that will thwart most attempts at hijacking your site. Take my advice and implement these simple steps so you don’t have to learn the hard way like I did.
- First thing is to make it a practice to regularly back up your files and database. The iFrame attacks actually alter the code on various pages and JavaScript files. Finding the altered file can sometimes be difficult, but it can easily be fixed if you have a good backup to restore from. A file backup doesn’t need to be complex; you can even manually copy your files to a safe location.
- Change the default Admin user name to something unique. The first hacking attempts are usually targeted at the admin account with a weak password.
- This should be common sense to all, but your password policy needs to be multi-faceted to thwart brute force dictionary attacks. Your password needs to meet at least three of the following requirements, more if possible:
  - Password length should be 8 characters at a minimum
  - Passwords need to have at least one number
  - Passwords need to contain one capital letter — not necessarily at the beginning
  - Passwords need to contain one special character such as ~, !, $, &, etc.
  - Passwords should limit the number of repeating characters
  - Passwords should be changed every 90 days
- Keep WordPress and all plugins updated. Many of the minor releases are security related and rarely add new features.
- Many attack vectors are aimed at legacy WordPress code that is left behind after various WordPress upgrades. The free plugins called “WP-Cleanup” and “Look-See Security Scanner” do a great job cleaning up old unused files. Look-See Security Scanner in particular did wonders for me since my WordPress has been updated dozens of times over the past few years. The scanner plugin is updated in step when new versions of WordPress are released.
- Another step I took was to implement two-factor authentication through a plugin called Duo Two-Factor Authentication. This plugin requires you to enter a numeric code each time you log in with your admin username and password. The code changes each login and new ones can be emailed to you or sent via text message. It’s free, but you must register in order to associate your site with your email address or phone number.
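The password policy above (meet at least three of the composition rules, rotate every 90 days) is easy to turn into a check. The following is an added example, not code from the post or from any WordPress plugin; it assumes that "limit repeating characters" means no run of three or more identical consecutive characters, and it takes the password's age in days rather than reading it from WordPress.

```python
import string

# Thresholds taken from the post's policy. The repeat-run limit is an assumption:
# the post does not say how many repeats are "too many".
MAX_REPEAT_RUN = 2      # assumed: "aa" is fine, "aaa" is not
MAX_AGE_DAYS = 90       # rotate every 90 days
MIN_RULES = 3           # at least three composition rules must be met


def longest_run(pw: str) -> int:
    """Length of the longest run of identical consecutive characters."""
    best = run = 0
    prev = None
    for ch in pw:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def check_rules(pw: str) -> dict:
    """Evaluate the five composition rules from the post, one bool each."""
    specials = set(string.punctuation)  # ~ ! $ & and the rest of ASCII punctuation
    return {
        "min_length_8": len(pw) >= 8,
        "has_digit": any(c.isdigit() for c in pw),
        "has_upper": any(c.isupper() for c in pw),
        "has_special": any(c in specials for c in pw),
        "limited_repeats": longest_run(pw) <= MAX_REPEAT_RUN,
    }


def password_acceptable(pw: str, age_days: int = 0) -> tuple:
    """Return (accepted, failed_rule_names).

    Accepted when at least MIN_RULES composition rules pass AND the password
    is not older than MAX_AGE_DAYS. Failed rules are listed so the user can be
    told exactly what to fix.
    """
    results = check_rules(pw)
    results["rotated_within_90_days"] = age_days <= MAX_AGE_DAYS
    failed = [name for name, ok in results.items() if not ok]
    met = sum(1 for name, ok in results.items()
              if ok and name != "rotated_within_90_days")
    accepted = met >= MIN_RULES and results["rotated_within_90_days"]
    return accepted, failed


if __name__ == "__main__":
    for candidate, age in [("Tr0ub4dor&3", 0), ("password", 0), ("aaaB1!", 0), ("Tr0ub4dor&3", 120)]:
        print(candidate, age, password_acceptable(candidate, age))
```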
Like I said above, this is not a comprehensive list, but these are simple security fixes that will dramatically improve your site’s security. Take my advice and don’t learn the hard way.