Website Security: Are You Just Cannon Fodder?
Having installed WordPress and started creating some content, one of the first things you will need to consider is making sure you are protected from unwanted visitors.
Of course, you want visitors to your site who are going to read and comment on your content. But you don’t want the type of visitor who tries to sneak in through the back door and cause damage!
WordPress is the most popular blogging platform and unfortunately that makes it more desirable for hackers to try and destroy. A hacker wants as many targets as possible, and WordPress makes that more achievable.
It's very similar to the PC industry: Windows is the most common operating system, and that's why hackers target Windows rather than the Apple Mac.
Some people think that WordPress must be full of security holes and that’s why hackers focus on it. But that is not true.
WordPress as a standalone piece of software is quite robust. The security holes start appearing when people start adding poorly coded plugins and themes to customise the look and feel of their website.
What if you don’t protect your website?
If you do nothing, you're just leaving yourself wide open to an attack. You are essentially cannon fodder!
Here are some types of attack you could get:
- Redirection – Your site could be redirected to a very unpleasant site
- Defacement – Your site could get a “Hacked by XXX” message on the home page together with a ghostly video playing
- Deindexed – Your site could be temporarily deindexed by Google with the loss of thousands of visitors per month
- Spam – An account on your server could have an email spam script injected into it, so that it appears you are sending out mass spam emails
- Brute force attacks – I’ve had loads of attempts to gain administrator access to my sites from robots using random usernames and passwords
So, how do you protect your website?
It's not possible to eliminate the risk of your website being attacked - you can only reduce it. Here are five 'best practice' steps you should follow as standard:
5-Step Protection Plan
1. Change the default username
When you install WordPress, the default administrator username is 'admin'. Do not, under any circumstances, leave it as 'admin' - change it to something else. If you want to be completely obscure, use a password tool to generate a random character string and use that as the username.
Robots will pair the 'admin' username with long lists of passwords to brute-force their way into your WordPress dashboard. Don't believe me? Look at this example:
More on the tool that delivers these notifications later on...
2. Use strong passwords
It's absolutely essential that you do not use something obvious like 'password'. Please use a mix of characters like 'r4oYv8rR&$y'.
I use a free password management tool called LastPass. These tools not only store all your passwords, but they have password generators too. No excuses - go and do it now!
3. Keep your software updated
It's important to keep your software updated to the latest version. This includes WordPress itself, your theme, your plugins, and your personal computer. Software vendors release patches to fix potential security loopholes as well as fix product defects.
-> Go and check your WordPress Dashboard now and see if you have any outstanding updates pending.
4. Install a WordPress security plugin
You need to install a WordPress security plugin. If you navigate to WordPress.org/plugins and search for security, you’ll see a list of the available plugins. Here's a small snapshot:
I'll share my experience of WordPress Security Plugins in a moment...
CAUTION: Before installing any of these security plugins, make sure you have a backup of your site. The plugins make significant changes to the configuration files, especially the .htaccess file, so a backup is always your first step.
5. Protect your computer
It's all very well securing your WordPress site with a security plugin, but you need to ensure that your own computer is fully protected, too. If your computer were infected with password-stealing malware, the steps above would be far less effective. There are countless anti-virus and anti-malware programs available, so just make sure you get them installed and working.
WordPress Security Plugin Shootout
iThemes Security vs Wordfence Security
This is my experience of using these two WordPress Security Plugins:
- Both offer free versions with an option to upgrade to a premium paid version with additional features and support
- To start with you can safely take the free option
- If your circumstances change in the future and you think you can benefit from the extra features then that is the time to upgrade
The first security plugin I installed was iThemes Security (formerly Better WP Security).
However, I didn’t like it.
It installed quite easily as you would expect with a WordPress plugin. Once installed, the plugin ran a scan of my WordPress installation to check what vulnerabilities existed and produced a list by priority of what should be fixed.
The example screenshots on WordPress.org show only a couple of items for each priority:
In my experience there were about 10 items per priority. Now I consider myself fairly technical, but by no means a super techie. However, this list was daunting. And when I read the description of the problem and the proposed fix I was even more concerned.
To be fair, you don’t have to action these lists of security items, but when someone or something says you have a potential problem I generally like to try and fix it.
There was a strong suggestion that some of these fixes could make my site too secure, so secure, in fact, that I would be locked out. I didn't feel comfortable at all. I was overwhelmed. Naturally I started researching further and trying to find some answers, but nothing was too clear.
If you prefer, you can opt for iThemes Security Pro. You'll get more features and professional security experts to support you.
After a few days of going nowhere fast I decided that I would try another security plugin. I had a chat with a few people and opted for Wordfence Security.
The plugin installed smoothly and I was soon into configuring the options. My immediate reaction was that this was so much more manageable than iThemes - there was no overwhelm factor.
Of course there are options/settings you need to go through and check, but you can choose to leave the default settings in most cases to start off with and come back later to modify. Notice also how there are help tips at each statement/action…
Once you’re set you run a full scan to get your first report. You get:
A Scan Summary…
A Detailed Activity report…
And a list of Issues (or not)…
I haven't tried other security plugins, but I've heard good reports about Sucuri and BulletProof Security.
To date, I have been very satisfied with Wordfence and see no reason to change. The plugin is both easy to manage and intuitive with the help tips.
Most importantly, it keeps the unwanted visitors away!
Here's what you have learned today:
- There is no room for complacency - follow the 5-step protection plan!
- Wordfence offers a great, easy-to-use WordPress security plugin!
Please share your experiences in the comments below:
- What is your experience of website security?
- Have you been hacked?
- Which WordPress security plugin works for you?