3 Tips to help you lock down your WordPress website

In the last article I looked at some basic (but often overlooked) measures for improving the security of a Content Management System (CMS) based website. In this one I will concentrate on the WordPress CMS specifically. WordPress is currently our CMS of choice, mainly because of the vast pool of plugins, templates and other assorted goodies available to web developers. It is estimated that around 20% of the world wide web (wow, haven't used that phrase for a while…) now runs on WordPress, and I think that number is likely to increase. That popularity is also why WordPress sites are attacked so relentlessly: a password-guessing tool or exploit written once works against millions of sites, so most of the attacks described below are automated and hit every WordPress install they can find.

1. Install a decent suite of security plugins

We highly recommend the excellent iThemes Security plugin for WordPress. It offers a solid basic level of protection as well as a number of advanced features. Most importantly it blocks brute-force attacks by locking out an IP address after a set number of failed logins, and it enforces some of our previous suggestions (such as strong passwords). The plugin is free (there is also a paid Pro version) and is in our view essential for any WordPress website. One caveat: a lockout keyed on the source IP only slows down an attacker who spreads the attempts across many addresses, so treat it as a complement to strong, unique passwords rather than a substitute for them.

2. Don’t use the default slug for your back-end

The “slug” is the URL path used to reach the back-end of your website. By default the login form lives at www.mywordpresssite.com/wp-login.php and the dashboard at www.mywordpresssite.com/wp-admin/ (which redirects to the login form when you are not signed in). Hackers cottoned on to this early, so the simplest attack of all is to request those two paths on every domain in a list and start guessing passwords at whichever ones answer. Changing the default slug is very simple with a plugin like iThemes Security, and it is a simple but effective step. Hackers by nature take the path of least resistance: leave your site on all the defaults and you are essentially inviting them to try and crack your passwords; hide the login and most automated tools simply move on to someone who hasn't… Bear in mind that this is obscurity rather than protection. A hidden login URL does nothing against an attacker who has found it, and login attempts can also be made through the XML-RPC interface (see tip 3) without ever touching wp-login.php, so the strong passwords and lockouts from tip 1 still do the real work.

3. DDoS attacks and the dreaded XML-RPC Ping-back

Now despite having a name that sounds like something from the annals of science fiction, this is a pretty common attack, as we discovered one weekend. Our automated site monitoring software went crazy one Friday night, telling us that a particular client site had started to bounce up and down like a kangaroo on steroids, and at first we were totally flummoxed. The database kept falling over, and as soon as we brought it back up, down it went. We first thought that perhaps we needed more RAM for our server, so duly added some. This alleviated the problem slightly but it kept occurring. The nagging feeling we were under attack began to permeate our consciousness.

We checked the server logs and could see one particular endpoint being hammered hundreds of times per second: xmlrpc.php, WordPress's XML-RPC interface. XML-RPC is a perfectly legitimate component of WordPress. It is the API that the WordPress mobile apps, Jetpack, remote publishing tools and monitoring apps talk to, and one of its methods, pingback.ping, lets another blog notify yours that it has linked to one of your posts. Every one of those pingback requests makes WordPress fetch the remote page, look up the linked post in the database and write a comment, so a few hundred of them per second are enough to exhaust the database and take the site down: a basic denial of service (distributed, if the requests come from many addresses) that needs no vulnerability at all, just volume. The same method can also be abused the other way round, making your site fetch URLs of an attacker's choosing so that it becomes one of the reflectors in someone else's DDoS. Once we had tracked down the source of the crash we were able to secure it. For this we definitely recommend the WP Bruiser plugin, which lets you completely disable the pingback facility while still allowing other plugins that require XML-RPC to work. As soon as we had installed it the attack ceased (we also did some other tweaking on the server to make doubly sure it wouldn't happen again).
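Finding the flood in the logs is the first step, so here is a small script for it. This is an added example, not code from the article or from the plugins it recommends: it reads an access log in the common Apache/Nginx "combined" format (an assumption; adjust the regular expression if your format differs), counts requests to /xmlrpc.php per client IP, and reports the busiest single second for each. The sample log lines at the bottom are constructed for the demo (the addresses are from the reserved TEST-NET ranges), and the 10 requests per second threshold is an arbitrary starting point, not a WordPress figure.

```php
<?php
/**
 * Spot an xmlrpc.php flood in a web server access log (Apache/Nginx "combined"
 * format): count requests to /xmlrpc.php per client IP and find the busiest
 * single second for each. Usage:
 *     php xmlrpc-flood.php /var/log/apache2/access.log
 * With no argument it analyses the constructed sample lines at the bottom.
 */

// combined format: host ident user [timestamp] "METHOD path proto" status bytes ...
const LOG_LINE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(?:\S+) (\S+)[^"]*" \d{3} /';

/**
 * Returns, for every IP that requested /xmlrpc.php, an array with keys
 * total, peak_per_second, first and last (timestamps of first/last hit),
 * sorted so the heaviest hitter comes first.
 */
function xmlrpc_hits(iterable $lines): array
{
    $buckets = []; // ip => [timestamp (1 s resolution) => request count]
    foreach ($lines as $line) {
        if (!preg_match(LOG_LINE, $line, $m)) {
            continue; // not a combined-format line
        }
        [, $ip, $time, $path] = $m;
        // Compare the path without its query string: "?foo=1" tacked on to the
        // request does not change which PHP file handles it.
        if (strtok($path, '?') !== '/xmlrpc.php') {
            continue;
        }
        $buckets[$ip][$time] = ($buckets[$ip][$time] ?? 0) + 1;
    }

    $report = [];
    foreach ($buckets as $ip => $perSecond) {
        $report[$ip] = [
            'total'           => array_sum($perSecond),
            'peak_per_second' => max($perSecond),
            'first'           => array_key_first($perSecond),
            'last'            => array_key_last($perSecond),
        ];
    }
    uasort($report, fn (array $a, array $b) => $b['total'] <=> $a['total']);
    return $report;
}

/** IPs whose busiest second exceeds $maxPerSecond: candidates for a firewall rule. */
function flood_suspects(array $report, int $maxPerSecond = 10): array
{
    return array_keys(array_filter(
        $report,
        fn (array $r) => $r['peak_per_second'] > $maxPerSecond
    ));
}

// Constructed sample: one attacker (203.0.113.7, a TEST-NET address) sending
// 12 pingback requests in one second, one legitimate Jetpack call from
// 192.0.2.10, and ordinary page views that should be ignored.
$sample = [];
for ($i = 0; $i < 12; $i++) {
    $sample[] = '203.0.113.7 - - [14/Mar/2015:02:17:05 +0000] "POST /xmlrpc.php HTTP/1.0" 200 412 "-" "Mozilla/5.0"';
}
$sample[] = '203.0.113.7 - - [14/Mar/2015:02:17:06 +0000] "POST /xmlrpc.php?nocache=1 HTTP/1.0" 200 412 "-" "Mozilla/5.0"';
$sample[] = '192.0.2.10 - - [14/Mar/2015:02:17:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 980 "-" "Jetpack by WordPress.com"';
$sample[] = '198.51.100.5 - - [14/Mar/2015:02:17:05 +0000] "GET / HTTP/1.1" 200 15230 "-" "Mozilla/5.0"';
$sample[] = '198.51.100.5 - - [14/Mar/2015:02:17:07 +0000] "GET /wp-login.php HTTP/1.1" 200 2140 "-" "Mozilla/5.0"';

$lines  = isset($argv[1]) ? new SplFileObject($argv[1]) : $sample;
$report = xmlrpc_hits($lines);

foreach ($report as $ip => $r) {
    printf("%-15s %5d hits  peak %3d/s  %s .. %s\n",
        $ip, $r['total'], $r['peak_per_second'], $r['first'], $r['last']);
}
printf("Suspects (>10 req/s): %s\n", implode(', ', flood_suspects($report)) ?: 'none');
```

On the sample data the attacker shows 13 hits with a peak of 12 in one second and is listed as the only suspect, while the single Jetpack request is counted but not flagged. Legitimate XML-RPC clients make a handful of requests a minute, so a per-second peak is a far better signal than the raw total; when you run this on a real log, the IPs it names are the ones to feed into a firewall or web-server rate limit.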
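For readers who would rather not add another plugin, the same result (pingback off, the rest of XML-RPC intact) can be had with a few lines in a must-use plugin. This is an added example written for this article, not WP Bruiser's code or anything from WordPress core; it relies only on the standard `xmlrpc_methods`, `wp_headers` and `pings_open` filters. The file name and directory are the usual mu-plugin convention, and the removal of `system.multicall` goes a step beyond what the article discusses, as the comment explains.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC pingbacks
 * Description: Drops the pingback methods from the XML-RPC interface and stops
 *              advertising the pingback URL, leaving the rest of XML-RPC working.
 *
 * Install by copying this file to wp-content/mu-plugins/disable-pingbacks.php
 * (create the directory if it does not exist). Must-use plugins load before
 * ordinary plugins and cannot be deactivated from the dashboard, so a
 * compromised admin account cannot simply switch this control off.
 */

if (!defined('ABSPATH')) {
    exit; // Only meaningful when loaded by WordPress.
}

// 1. Remove the pingback methods from the XML-RPC method table. A request for
//    pingback.ping is then answered with a cheap "requested method ... does not
//    exist" fault before WordPress fetches the remote page, looks up the post
//    or touches the comments table. Every other method (wp.getPosts,
//    wp.newPost, the jetpack.* calls, ...) is untouched.
add_filter('xmlrpc_methods', function (array $methods): array {
    unset($methods['pingback.ping'], $methods['pingback.extensions.getPingbacks']);

    // Beyond what the article covers: system.multicall lets one HTTP request
    // carry hundreds of wp.getUsersBlogs calls, each with its own username and
    // password guess, so a lockout plugin that counts one attempt per request
    // sees one attempt where there were hundreds. Very few clients need it.
    unset($methods['system.multicall']);

    return $methods;
});

// 2. Stop advertising the endpoint. WordPress adds an X-Pingback header to
//    every page, and themes print <link rel="pingback"> when pings_open() is
//    true; both tell a scanner exactly where to aim.
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});
add_filter('pings_open', '__return_false', PHP_INT_MAX);
```

Two caveats worth knowing. The widely copied one-liner `add_filter('xmlrpc_enabled', '__return_false');` does not stop a pingback flood: that filter is only consulted when an XML-RPC method tries to log a user in, and pingback.ping never logs in, so removing the method from the table (as above) or blocking xmlrpc.php at the web server is what actually closes the hole. And even with the method gone, each request still costs a full PHP and WordPress bootstrap, so against a heavy flood this has to be paired with a rate limit or block at the web server or firewall, which is the "other tweaking" mentioned above.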

So why are they attacking my site?

This is the $64,000 question – and the answer is never straightforward. In the case of this particular website, we discovered that the owner had engaged in a number of black hat SEO activities with a previous agency, and we believe this had opened him up to revenge attacks etc. We still get notifications daily that people are trying to brute force their way in, but our security measures have rendered them a mere annoyance to my bloated inbox and nothing more.

I can’t emphasise enough how important it is to get the security setup of your WordPress website right, and hopefully these simple tips will help you. Drop us a line if you want some help with your website; we’d be more than happy to do a full security audit for you.