10 Step Guide to Better Protect WordPress

My post was original published on the now defunct Melbourne IT Blog that was taken down after it was hacked and defaced twice by The Syrian Electronic Army and hasn’t come back….

On the 11th of April 2013 a large scale brute force attack was staged focused on vulnerable WordPress blogs using 90,000 strong botnet.  The attack was focused on hacking WordPress websites that have not changed “Admin” as their username, the problem is that “Admin” is the default username across a large number of the 64 million WordPress sites globally.

The attack was concerning due to the botnet’s processing power to test around 2,000,000,000 passwords per hour, typical security precautions for blocking the IP was not successful as the hackers were using 90,000 IP addresses but there were a number of steps you can take now to prevent it happening in the future.

Step 1 – It’s always best practice to change your user name from the default “Admin” to something more unique and harder to guess such as “cmssitename” it makes it harder for brute force hackers.
Step 2 – Pick a strong password that is at least 10 characters with a mix of numbers, letters and characters, I suggest using a platform such as LastPass to generate and store your login details.  It’s also important to make the password details unique for your MySQL, FTP and Web hosting account just encase someone manages to guess them such as “CmSP@$$W0rd”. Also consider changing it once in a while and certainly if you provide access to external parties such as contractors, employees or web developers once they finish any projects on your site.
Step 3 – Use services like CloudFlare, Incapsula or ModSecurity to ensure your website loads faster via CDN, offers DDoS and common web exploits along with web analytics to monitor your traffic stats for web crawlers, visitors, threats and bots. These platforms can help reduce the impact of brute force attacks such as the recent Botnet attack we discussed at the start. Most of these providers do offer a free entry level version and you can pay for additional features depending on your requirements.
Step 4 – Make sure your WordPress version is updated regularly to the latest version to reduce the number of known vulnerabilities, the new versions offer a single click upgrade on most hosting platforms. You might want to confirm the update will not break your Theme or cause problems with plugin functionality, this will only usually affect if you are doing a large update in versions or have a highly customised WordPress site, speak with web hosting support staff or your web developer if you are unsure.
Step 5 – It’s very important to make sure your plugins are also updated regularly but if you manage multiple sites consider using a platform like ManageWP that can make updating a number of WordPress plugins & themes scale-able. Most people won’t need the advanced functionality for a single website but they do offer a number of wonderful features such as reliable backups and monitor your website for malware and viruses with Sucuri.net integration.
Step 6 – It’s a good idea to pick a decent web hosting company, I have a strong preference for Australian based StudioCoast as they seem to balance great services, good prices and excellent tech support. I’ve found that even the best hosting companies get hacked but having your site on cheaper hosting services can make it more prone to “issues” so consider upgrading to a VPS or dedicated server which will reduce the chances of issues and they can be resolved far quicker than if you have shared or cloud hosting.
Step 7 – It’s important to keep your WordPress platform neat and tidy, de-activate and uninstall any old plugins if you are no longer using them, there is no benefit clogging up your CMS with old files. Having removed all the unnecessary files will also save you bandwidth when you are backing up your site and memory on your server.
Step 8 – It’s important to monitor your website using a platform such as Jummple Security, Pingdom, Uptime Robot as they will often be the first to flag if there is a major problem with your website.
Step 9 – Lock down your WordPress with security plugins like Better WP Security or BulletProof Security or WP Security Scan these also help fix a number of common vulnerabilities and make it harder for hackers to ruin your day. These can be a bit more complex to setup and not all features are available on all servers so consider looking on youtube as there are several great guides or hire a WordPress expert to help you out!
Step 10 – Backup your database regularly just incase the worst happens, there are plugins like WordFence that allow you to verify and repair your WordPress install. You will find that many web hosting companies offer this service for free or as a small additional monthly fee.

Bonus One – If you are fairly comfortable with WordPress you should consider following Automatic’s official Hardening WordPress guide.

Bonus Two – Be careful with free WordPress templates and never download pirated versions of premium WordPress templates off BitTorrent as you will find they can and do hide all sorts of nasty code in there.  Reward the creators of the themes and buy the official version as you will get all sorts of bonuses such as upgrades, support and a warm fuzzy feeling.

There are a lot of proactive steps you can take to ensure your house is in order before it’s too late, as WordPress becomes one of the dominate CMS platforms there will be an increased number of attacks targeting those who are lax with security.