How secure is your website?

When did you last back up your site files and your site database?

Have you ever tested your site for vulnerabilities? (A good place to start is Hacker Target.)

These questions may sound paranoid, but they are reasonable ones, and they deserve honest answers.

You’ve heard it many times. “Secure your website…back up your data…you can never be too careful…it’s not a matter of if, but when…eat your vegetables…” and so on. Truth be told, the basic warning is valid. Unfortunately, unlike virus protection or spam prevention, website security is not a single product you install and forget; it involves a number of steps and precautions, plus ongoing maintenance and vigilance. For the purpose of this discussion (in which I’ll be the only one talking), we’ll focus on WordPress website security.

While a basic recommendation in website security is to use an open-source platform (like WordPress), so that the code is reviewed, tested and updated by many well-versed programmers, that same popularity also puts a bull’s eye on your site: a single flaw in a widely used platform can be exploited against every site that runs it. Who wouldn’t like to be the genius villain who disrupted thousands of sites in one fell swoop?

The basic security principles and measures are outlined by WordPress.org. These strong suggestions and guidelines fall into several categories, including:[1]

  • Limiting access: Making smart choices that reduce possible entry points available to a malicious person.
  • Containment: Your system should be configured to minimize the amount of damage that can be done in the event that it is compromised.
  • Preparation and knowledge: Keeping backups and knowing the state of your WordPress installation at regular intervals. Having a plan to back up and recover your installation in case of catastrophe gets you back online faster when a problem does occur.
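The “preparation” category is the one most people nod at and never act on, so here is an added example of the kind of script that turns it into a routine. It is not code from the original article or from WordPress.org: it reads the database credentials out of wp-config.php, archives the document root, dumps the database with mysqldump (password passed through the environment, not the command line), and lists the archive back to confirm it is readable. The wp-config.php content embedded in it is a constructed sample, and the script assumes the standard layout (wp-config.php in the document root) and a local mysqldump binary.

```python
"""Back up a WordPress site: files to a tar.gz archive, database via mysqldump.

Added example, not code from the original article. Assumes the standard
layout (wp-config.php in the document root) and mysqldump on PATH.
"""
import os
import re
import shutil
import subprocess
import tarfile
import time
from pathlib import Path

# Constructed sample of the lines this script reads from wp-config.php.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wp_site' );
define( 'DB_USER', 'wp_user' );
define( 'DB_PASSWORD', 'example-only' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'wp_';
"""

# define('DB_NAME', 'value'); in either quote style. Values containing quotes
# are not handled; such passwords are rare in wp-config.php but do exist.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)['"]\s*,"""
    r"""\s*['"]([^'"]*)['"]\s*\)"""
)


def parse_wp_config(text):
    """Return the DB_* constants from wp-config.php contents as a dict."""
    found = dict(DEFINE_RE.findall(text))
    missing = {"DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST"} - set(found)
    if missing:
        raise ValueError(f"wp-config.php is missing {sorted(missing)}")
    return found


def backup_files(docroot, dest_dir, stamp):
    """Archive the whole document root: wp-config.php, themes, plugins, uploads.
    Returns the archive path and the member list read back from it, because
    a backup you cannot list is a backup you cannot restore."""
    docroot = Path(docroot)
    archive = Path(dest_dir) / f"site-files-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(docroot), arcname=docroot.name)
    with tarfile.open(archive, "r:gz") as tar:
        names = tar.getnames()
    os.chmod(archive, 0o600)  # wp-config.php inside holds the DB credentials
    return archive, names


def backup_database(db, dest_dir, stamp):
    """Dump the database with mysqldump. The password is passed through the
    environment (MYSQL_PWD), not on the command line where `ps` would show it."""
    mysqldump = shutil.which("mysqldump")
    if mysqldump is None:
        raise RuntimeError("mysqldump not found on PATH")
    host, _, port = db["DB_HOST"].partition(":")  # DB_HOST may be host:port
    cmd = [mysqldump, "--single-transaction", "-h", host or "localhost"]
    if port:
        cmd += ["-P", port]
    cmd += ["-u", db["DB_USER"], db["DB_NAME"]]
    dump = Path(dest_dir) / f"site-db-{stamp}.sql"
    env = dict(os.environ, MYSQL_PWD=db["DB_PASSWORD"])
    with open(dump, "wb") as out:
        subprocess.run(cmd, env=env, stdout=out, check=True)
    os.chmod(dump, 0o600)  # every user's password hash is in here
    return dump


def run_backup(docroot, dest_dir):
    """Back up files and database under one timestamp so they restore as a pair."""
    stamp = time.strftime("%Y%m%d-%H%M%S")
    config = parse_wp_config(Path(docroot, "wp-config.php").read_text())
    archive, _ = backup_files(docroot, dest_dir, stamp)
    dump = backup_database(config, dest_dir, stamp)
    return archive, dump


if __name__ == "__main__":
    import sys
    print(*run_backup(sys.argv[1], sys.argv[2]), sep="\n")
```

Run it from cron with the document root and a destination directory as arguments, then copy the results off the server: a backup that sits beside the site is lost together with the site. Restoring is the reverse, extracting the archive and feeding the .sql file to the mysql client, and you should rehearse that on a spare host before you need it.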

Furthermore, according to WordPress.org, the most common attacks usually fall into two categories:[2]

1. Sending specially crafted HTTP requests to your server with exploit payloads for specific, already known vulnerabilities, most often in old or outdated plugins and software. (This is akin to poking around a building for any unlocked doors or open windows.)

2. Attempting to gain access to your blog by “brute-force” password guessing: submitting username and password combinations to the login form, over and over, until one works.
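The second category leaves a very recognisable trace in the web server’s access log: many POSTs to wp-login.php from one address in a short time. Here is an added example, not code from the original article, that finds such bursts in Apache/nginx combined-format logs. The log lines, the IP addresses and the threshold of 10 POSTs within any 60-second window are constructed for illustration, not WordPress defaults; the same count-per-address-per-window rule is what the login-limiting plugins discussed later apply at request time.

```python
"""Spot brute-force login attempts in a web server access log.

Added example, not code from the original article. The log lines are
constructed, and the threshold (10 POSTs to wp-login.php from one address
inside any 60-second window) is an assumed tuning value, not a WordPress
default.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" format: ip - - [time] "METHOD path HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one client logs in normally, another hammers the form.
SAMPLE_LOG = [
    '198.51.100.4 - - [10/Mar/2013:09:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2013:09:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.7 - - [10/Mar/2013:09:01:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3011 "-" "python-requests/1.1"'
    for s in range(0, 22, 2)
] + [
    '203.0.113.7 - - [10/Mar/2013:09:01:24 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/1.1"',
]


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_bruteforce(lines, threshold=10, window_s=60, path="/wp-login.php"):
    """Return {ip: {"attempts": n, "redirect_seen": bool}} for every address
    that POSTs to the login form at least `threshold` times within any
    `window_s`-second sliding window. Lines are assumed to be in time order,
    as a log file is. GETs are ignored: fetching the form is normal browsing,
    a POST is a credential submission."""
    recent = defaultdict(deque)   # ip -> timestamps of POSTs inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0] != path:
            continue
        q = recent[rec["ip"]]
        q.append(rec["time"])
        while (q[-1] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            entry = flagged.setdefault(rec["ip"], {"attempts": 0, "redirect_seen": False})
            entry["attempts"] = max(entry["attempts"], len(q))
            # wp-login.php answers a failed login with 200 (form shown again) and
            # a successful one with a 302 redirect: a 302 in the middle of a burst
            # means a guess probably worked and that account needs attention now.
            if rec["status"] == 302:
                entry["redirect_seen"] = True
    return flagged


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

On the constructed sample the script flags 203.0.113.7 with 12 attempts and a redirect seen; the normal user’s single successful login is ignored. Feed it your real access log to see whether the guessing has already started, and treat a flagged address with a 302 as a probable compromise, not just noise.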

That being said, what can you do to better protect your website?

One of the first and most basic things you can do is to rename the default administrative user from admin to a name an attacker would have to guess, and then give that account a very strong password.

Passwords like “123456” or “password”, as well as your birthday, your license plate, or ordinary dictionary words, are begging for trouble and should be avoided. Here’s an interesting site to help you: http://www.whatsmypass.com/the-top-500-worst-passwords-of-all-time. Your password’s main and only purpose is to prevent unauthorized access, even if that makes it a bit of work to remember.

Use a combination of letters, numbers and special characters, and make the password at least 10 characters long (longer is better). Password managers such as LastPass (an online service) and KeePass (a local application) will generate strong passwords for you and keep track of them, so you never have to memorize them.
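The rules above are simple enough to automate, and doing so avoids the usual mistake of generating passwords with a general-purpose random number generator. The following is an added example, not code from the original article or from any of the tools it names: a checker that applies the length and character-class rules and rejects entries from a banned list (a constructed stand-in for the linked worst-password list), plus a generator that draws from Python’s secrets module, which is designed for this, rather than the random module, which is not.

```python
"""Check a password against the rules above and generate one that passes.

Added example, not code from the original article. BANNED is a constructed
stand-in for the "worst passwords" list the article links to; in practice
load the full list (and any other breach list) from a file.
"""
import secrets
import string

MIN_LENGTH = 10  # the floor given above; longer is better
SPECIALS = "!@#$%^&*()-_=+[]{};:,.<>?"

# Constructed stand-in for the published worst-password list (lower case).
BANNED = {"123456", "password", "qwerty", "letmein", "abc123", "wordpress"}


def check_password(pw, banned=BANNED):
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in pw):
        problems.append("no letters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digits")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special characters")
    # "Password1!" is still "password": drop digits and symbols tacked onto
    # the ends before comparing against the banned list.
    core = pw.lower().strip(string.digits + SPECIALS)
    if pw.lower() in banned or core in banned:
        problems.append("on the banned-password list")
    return problems


def generate_password(length=16):
    """Generate a password with the secrets module (a CSPRNG); the random
    module is not suitable for secrets. Retries until check_password passes,
    which for length >= 10 takes only a few draws."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw):
            return pw


if __name__ == "__main__":
    for candidate in ("password", "Password1!", generate_password()):
        print(repr(candidate), check_password(candidate) or "ok")
```

The stripping step matters more than it looks: “Password1!” satisfies every character-class rule and still falls to the first dictionary attack, so a checker that only counts character classes gives a false sense of security.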

Security through obscurity (hiding or renaming elements) should never be your only defense, but it is a cheap way to start beefing up your site security. Measures in this category include deleting or renaming the default administrative account (admin) created at installation and changing the default WordPress table prefix (wp_) to something else. Know their limits: WordPress still exposes each account’s author slug (which defaults to the login name) through author archive URLs, so a renamed admin is a speed bump rather than a wall, and a custom table prefix only slows down an attacker who has already found a way to run SQL against your database. Keeping your WordPress version up to date belongs in a different class altogether: it is patching, not obscurity, it closes the known holes that the crafted-request attacks above rely on, and it is both very important and easy to do.

The list goes on and on, each further step adding work and, done correctly, protection. We’ll turn our focus now to some plugins that can enhance security and give you some more peace of mind.

WordPress Plugins

We’ve previously discussed WordPress plugins as a way to take your website to another level, but they’re also great for security.

Here are some WordPress Security Plugins you should check out:

    • Better WP Security – fast, easy, effective, all-in-one WordPress security (since renamed iThemes Security)
    • 6Scan Security – finds vulnerabilities on your WordPress website for free, and plugs them automatically for a small monthly charge (you have the option to remedy the issues yourself, manually)
    • Login Lock – enforces strong password policies for all users; provides emergency lockdown features; monitors every login attempt; blocks the IP address of a user who fails to log in too many times; and logs out idle users
    • Login Lockdown – limits the number of login attempts from a given IP range over a specified period of time
    • Exploit Scanner – searches the files on your website, and the posts and comments tables of your database for anything suspicious. It also examines your list of active plugins for unusual file names
    • Wordfence Security – scans your site on a regular basis for viruses, malware, trojans and malicious links
    • VIP Scanner – allows you to create checks to inspect themes, plugins, directories, and files

Research and testing will help determine the right plan and tools for you and your site.

The goal of this article is to alert you to the dangers that lurk and to point you to some methods and tools for protecting your site and data.

No matter which strategy you choose to implement, the important thing is that you create and implement a disaster recovery plan, and that you test that your backups actually restore before you need them.

How important is it? How important is your website and data?

[1] http://codex.wordpress.org/
[2] http://codex.wordpress.org/Hardening_WordPress

About the Author

Shawn Hoagland is the Web Development Manager for PCG.