I always mention the security setup I offer my clients when they buy a website package from me, because a proper security setup on a WordPress installation is critical. I offer a ‘no hack’ guarantee: if a client does get hacked, I will restore their site free of charge.
Clients who buy website packages from us have their security fully managed and needn’t worry about these tasks. If you had your site built by someone else or you created your own website however, you may find this information to be of great use to you.
What should you be watching out for? Attackers controlling large groups of compromised machines, called ‘botnets’, can launch full-scale attacks against you, and without the proper protection you could find yourself in a bind. While an attacker’s specific intentions can never be known for sure, it’s safe to say you want to keep these people out of your admin panel and ideally blocked from accessing your site altogether.
Brute Force Attacks
Brute force attacks are some of the most common attacks against WordPress users. A brute force attack is one where a machine or group of machines attempts to log in as a user (usually one with high administrative privileges) over and over, using dictionary files to guess common passwords. If you think WordPress automatically locks out users after too many bad password attempts, you would be wrong. WordPress has no innate lockout feature on a default install. (Did you get that? If not, you might want to read that again.)
Yes, WordPress has absolutely no lockout feature on a default install. I don’t know why this is, but needless to say, if you are using WordPress, you need to be using a security plug-in. If you think you are immune to these attacks and are thinking ‘why would anyone target me, I’m just a small ___’, you would be wrong again. Everyone from small blogs to major corporations has fallen victim to hackers, so it’s best to play it safe.
Vulnerability Scanning
This is a method where attackers scan common WordPress files or plug-ins for vulnerabilities. A sign that an attacker might be vulnerability scanning your site is an excessive number of 404 errors. Good security plug-ins have 404 error detection. iThemes Security, the plug-in featured in this article (because I have found it to be the best), happens to have great 404 detection. This is how the plug-in describes it:
404 detection looks at a user who is hitting a large number of non-existent pages and getting a large number of 404 errors. 404 detection assumes that a user who hits a lot of 404 errors in a short period of time is scanning for something (presumably a vulnerability) and locks them out accordingly.
Perfect; this is exactly what we want. Just make sure you don’t have a lot of broken links on your site, or the plug-in could inadvertently mistake ordinary visitors following them for an attacker scanning for vulnerabilities.
Here is an example of what a typical security plug-in shows you when a host has been trying to brute force your WordPress installation:
A host, 184.108.40.206, and a user, admin, have been locked out of the WordPress site at http://www.mysitehere.org due to user tried to login as "admin.".
The host has been locked out until 2014-12-11 19:35:57 and the user has been locked out until 2014-12-11 19:35:57.
To release the lockouts please visit the lockouts page.
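The two lockout rules described above (repeated failed logins, and a host hitting many 404s in a short time) can be modelled as one sliding-window detector. This is an added example, not iThemes Security's code and not from the original article; the window, the thresholds, the sample events and the known-broken-link list are assumed values.

```python
"""Sliding-window lockout detector modelled on the failed-login and 404
lockouts described in the article. Not iThemes Security's code; window,
thresholds, sample events and KNOWN_BROKEN are assumed values."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)                 # assumed lookback window
THRESHOLDS = {"login_failed": 5, "404": 20}   # events per host before lockout
# Broken links you already know about: their 404s are ignored so an
# ordinary visitor following them is not mistaken for a scanner.
KNOWN_BROKEN = {"/old-page/"}

def lockouts(events):
    """events: time-ordered (timestamp, host, kind, detail) tuples, kind being
    'login_failed' (detail = username tried) or '404' (detail = path).
    Returns [(timestamp, host, kind)], at most one lockout per host and kind."""
    recent = defaultdict(deque)     # (host, kind) -> timestamps inside WINDOW
    locked = set()
    decisions = []
    for ts, host, kind, detail in events:
        if kind == "404" and detail in KNOWN_BROKEN:
            continue
        key = (host, kind)
        if key in locked:
            continue                # already locked out, nothing more to do
        hits = recent[key]
        hits.append(ts)
        while ts - hits[0] > WINDOW:  # expire hits older than the window
            hits.popleft()
        if len(hits) >= THRESHOLDS[kind]:
            locked.add(key)
            decisions.append((ts, host, kind))
    return decisions

# Constructed sample traffic: one host guessing the admin password, one
# host requesting 25 different non-existent pages, and one ordinary
# visitor who keeps hitting a known broken link.
T0 = datetime(2014, 12, 11, 19, 20, 0)
SAMPLE = [(T0 + timedelta(seconds=10 * i), "203.0.113.7", "login_failed", "admin")
          for i in range(6)]
SAMPLE += [(T0 + timedelta(seconds=5 * i), "198.51.100.9", "404", f"/missing-{i}/")
           for i in range(25)]
SAMPLE += [(T0 + timedelta(seconds=30 * i), "192.0.2.4", "404", "/old-page/")
           for i in range(30)]
SAMPLE.sort()                       # the detector expects time order
```

Running `lockouts(SAMPLE)` locks out the password guesser on its fifth failure and the scanner on its twentieth 404, while the visitor on the known broken link is never flagged.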
These notifications arrive as e-mails, sometimes 10 or more times a day. After a while you will probably get tired of being e-mailed every time there is a new lockout, so you can set the plug-in to notify you only once a day. Then, at the end of every day, look at the log and add every IP address in it (the network address of the machine that made the requests) to the banned users list so those hosts can no longer access the site at all. The once-a-day e-mail notifications look something like this:
The following is a summary of security related activity on your site. For details please visit the security logs
Lockouts: There have been 100 lockout(s) including 50 user(s) and 50 host(s) locked out of your site.
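The end-of-day routine described above, pulling the locked-out hosts out of the lockout e-mails and turning them into a ban list, as an added example that is not the plug-in's code. The regular expression follows the notification wording shown earlier; the sample messages, the assumed one-host-per-line ban format and the MY_ADDRESSES allowlist are constructed.

```python
"""Added example (not the plug-in's code): pull the locked-out host
addresses out of a day's lockout e-mails, in the format shown above, and
build a de-duplicated ban list. Sample messages and MY_ADDRESSES are
constructed."""
import ipaddress
import re

# The notification's "A host, <address>, and a user, ..." sentence.
HOST_RE = re.compile(r"A host, (\d{1,3}(?:\.\d{1,3}){3}), ")

# Assumed: addresses you log in from yourself, so a lockout caused by your
# own typo never ends up in the ban list.
MY_ADDRESSES = {"203.0.113.50"}

def extract_hosts(messages):
    """Return the de-duplicated locked-out hosts, sorted numerically,
    skipping malformed addresses and your own."""
    hosts = set()
    for msg in messages:
        for match in HOST_RE.finditer(msg):
            ip = match.group(1)
            try:
                ipaddress.ip_address(ip)      # rejects e.g. 999.1.1.1
            except ValueError:
                continue
            if ip not in MY_ADDRESSES:
                hosts.add(ip)
    return sorted(hosts, key=ipaddress.ip_address)

def ban_list(messages):
    """One host per line (assumed input format for a ban users tool)."""
    return "\n".join(extract_hosts(messages))

# Constructed sample: five notifications, one host repeated, one own
# address, one malformed.
SAMPLE_MAIL = [
    'A host, 184.108.40.206, and a user, admin, have been locked out of the '
    'WordPress site at http://www.mysitehere.org due to user tried to login '
    'as "admin.".\nThe host has been locked out until 2014-12-11 19:35:57 '
    'and the user has been locked out until 2014-12-11 19:35:57.',
    'A host, 184.108.40.206, and a user, administrator, have been locked out.',
    'A host, 198.51.100.23, and a user, admin, have been locked out.',
    'A host, 203.0.113.50, and a user, editor, have been locked out.',
    'A host, 999.1.1.1, and a user, admin, have been locked out.',
]
```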
I’ve used a few of the most popular security plug-ins for WordPress and my favorite by far is iThemes Security. There are both free and paid versions but the free version offers a ton of protection that you otherwise would not have with a default WordPress installation.
After installing iThemes Security there are a few things I always do on a new site. Here is what they are:
1. I remove the admin user entirely. This is the default login for the administrator account on any new WordPress installation. Pretty obvious step here.
2. I enforce strong passwords for all users.
3. I protect common WordPress files from access.
4. I set the WordPress installation to not tell users who cannot update themes about theme updates.
5. I set the WordPress installation to not tell users who cannot update plug-ins about plug-in updates.
6. I set the WordPress installation to not tell users who cannot update WordPress core about WordPress core updates.
7. I set the WordPress installation to not allow users without a user agent to post comments.
8. Enabled: Users cannot execute PHP from the uploads folder.
9. Enabled: User profiles for users without content are not publicly available.
10. Enabled: You are blocking known bad hosts and agents with the ban users tool.
11. I disable directory browsing on the site.
12. I set the WordPress installation to not publish the Windows Live Writer header.
13. I set the WordPress installation to not publish the Really Simple Discovery (RSD) header.
14. Enabled: Version information is obscured to all non-admin users.
15. Enabled: Your login page is not giving out unnecessary information upon failed login.
16. Enabled: Your login area is protected from brute force attacks.
17. Verified: The front page of your site is using a safe version of jQuery.
18. I make sure the user with ID 1 has been removed.
And that is just scratching the surface of what you can do with this plug-in.
Keeping plug-ins and WordPress up to date is considered a cardinal rule of WordPress security. Make sure you update often.
Your users’ passwords should be strong. Avoid words found in the English dictionary, and always use a combination of lowercase letters, uppercase letters, symbols and numbers. Always keep your passwords at least 10 characters in length.
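The password rule just stated, written out as a check, as an added example that is not the plug-in's own strong-password enforcement. It goes slightly beyond the text by normalising common letter-for-symbol substitutions before the dictionary test, so that a padded dictionary word does not slip through; DICTIONARY is a small constructed stand-in for a real word list.

```python
"""Added example implementing the password rule stated above (10+ characters,
lowercase, uppercase, digits, symbols, no English dictionary word). Not the
plug-in's own check; DICTIONARY is a small constructed stand-in for a real
word list."""
import string

# Constructed stand-in; load a real dictionary file in practice.
DICTIONARY = {"password", "welcome", "summer", "admin", "letmein", "dragon"}

# Common substitutions, so "P@ssw0rd" is still recognised as "password".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

def password_problems(pw):
    """Return the list of policy violations; empty means the password passes."""
    problems = []
    if len(pw) < 10:
        problems.append("shorter than 10 characters")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    # The dictionary check runs on the lowercased, de-leeted form so that
    # padding a word with symbols and digits does not get it past the rule.
    normalized = pw.lower().translate(LEET)
    for word in sorted(DICTIONARY):
        if word in normalized:
            problems.append(f"contains dictionary word '{word}'")
    return problems

def is_strong(pw):
    """True when the password satisfies every rule in the policy."""
    return not password_problems(pw)
```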
Content Delivery Networks (CDN)
Content delivery networks increase the speed of your website by serving it to your end users from the location closest to them. Cloudflare, for example, offers free accounts and has servers at over 18 locations around the world. Even if your end user is in a remote location like China or Italy, their load time will still be quite good.
The other benefit to using a CDN like Cloudflare is that they distribute the load that would ordinarily go solely through your hosting provider. This means you can have more visitors to your site per month before you have to pay additional fees to your hosting provider for more bandwidth.
We always set up Cloudflare for clients that have their websites built by us in order to get them the best possible performance out of their site.
More Extreme Measures
This plug-in allows you to rename WordPress’ core folders to something different. Folders like wp-content and wp-admin, once renamed, can no longer be found by potential hackers. Unfortunately this is rarely realistic, as most themes and plug-ins have these directories hardcoded somewhere within them and will therefore break when you change WordPress’ default folders. However, if you happen to find a combination of theme and plug-ins that functions with these settings enabled, this would be the best way to lock down your site.
Every site I make has at least these security measures set along with additional protection in order to prevent the site from being compromised.
The moral of the story: WordPress is a great CMS platform, but not necessarily a secure one. You need plug-ins to accomplish that. Luckily there is iThemes Security, which may be all you need to completely protect yourself from being hacked.