Category Archives: Security

Protect Your Website from Hackers (and Spammers) 2

Recently, I mentioned that you should be concerned about hackers (and spammers). I listed a number of things you can do to increase the security of your website, and I listed reasons you should be concerned about security. However, I didn’t take the time to explain how to perform those protective activities. This article and the ones that follow will explain how. Today, I’ll explain how to:

  • Check your site regularly for potential security problems.
  • Keep your website software up-to-date.
  • Monitor your site for login attempts by unauthorized people.
  • Hide your login page.
  • Limit login attempts.
  • Never use the default administrator name.
  • Randomize your password.

There are several WordPress plugins that will allow you to monitor for potential hackers and spammers. Personally, I find WordFence and Lockdown WP to be two exceptional plugins for monitoring a WordPress site. Install WordFence and Lockdown WP and you’ll have an incredible set of tools to monitor your site.

Your first steps will be to configure these two plugins.

Configure Lockdown WP

Lockdown WP has only a few settings, but they are some of the most important ones you can configure. Using Lockdown WP, you will make it harder for a hacker to find your administration area. To do this, configure Lockdown WP by:

  • Hiding the administration area from anyone who is not logged into the site. To do that, check the option box next to “Yes, please hide WP Admin from the user when they aren’t logged in.” Anyone who is not logged in and tries to access the administration area will receive a 404 Page Not Found error.
  • Setting a new WordPress login URL. Normally, the administration area is reached through www.example.com/wp-login.php. Using Lockdown WP, set the access point to ANYTHING other than wp-login.php. Choose an unusual, unique location whose name has no bearing on your site’s purpose or function, such as www.example.com/fish201. Once you have moved this access point, hackers attempting to log into your site will have trouble guessing where the login page has “moved,” and therefore will have more trouble attacking your login. Anyone who still requests www.example.com/wp-login.php is almost certainly a hacker or an automated scanner, and you will be informed of attempts to access this 404 location.

Configure WordFence

WordFence has a large number of important features to configure. Review all of the configurable items. In the following list, an “X” marks the options that should be checked; where a text value must be entered, a suggested value is given. Make certain that, at a minimum, you set the following options:

Basic Options:

  • X Enable firewall
  • X Enable login security
  • X Enable Live Traffic View
  • X Enable automatic scheduled scans
  • X Update Wordfence automatically when a new version is released
  • Where to email alerts: your@email.com

Advanced Options:

  • X Alert on critical problems
  • X Alert on warnings
  • X Alert when an IP address is blocked
  • X Alert when someone is locked out from login
  • X Alert me when a non-admin user signs in

Scans to include:

  • X Scan for the HeartBleed vulnerability?
  • X Scan theme files against repository versions for changes
  • X Scan plugin files against repository versions for changes
  • X Scan for signatures of known malicious files
  • X Scan file contents for backdoors, trojans and suspicious code
  • X Scan posts for known dangerous URLs and suspicious content
  • X Scan comments for known dangerous URLs and suspicious content
  • X Scan for out of date plugins, themes and WordPress versions
  • X Check the strength of passwords
  • X Scan options table
  • X Monitor disk space
  • X Scan for unauthorized DNS changes
  • X Scan files outside your WordPress installation
  • X Scan image files as if they were executable

Firewall Rules:

  • If a crawler’s pages not found (404s) exceed: 5 per minute then block it
  • If a human’s pages not found (404s) exceed: 5 per minute then block it
  • If 404’s for known vulnerable URL’s exceed: 1 per minute then block it
  • How long is an IP address blocked when it breaks a rule: 30 minutes

Login Security Options:

  • Enforce strong passwords? TRUE
  • Lock out after how many login failures : 3
  • Lock out after how many forgot password attempts: 3
  • Count failures over what time period: 10 minutes
  • Amount of time a user is locked out: 30 minutes
  • X Immediately lock out invalid usernames
  • X Don’t let WordPress reveal valid users in login errors
  • X Prevent users registering ‘admin’ username if it doesn’t exist
  • X Prevent discovery of usernames through ‘/?author=N’ scans

Other Options:

  • X Hide WordPress version
  • X Hold anonymous comments using member emails for moderation
  • X Filter comments for malware and phishing URL’s
  • X Check password strength on profile update
  • X Participate in the Real-Time WordPress Security Network

Your second step will be to use WordFence to monitor for hackers on a regular basis.

Assuming you have configured everything according to the list above, you should be well on the way to a safer website. With this configuration, hackers will have trouble finding your administration login page, you will be using more secure passwords, hackers will be blocked when they attempt to access protected areas of your site, and your WordPress site will be scanned continually for viruses and malware.

However, you cannot walk away from the site and assume it is safe. Daily, you will want to check your site reports in WordFence. Under WordFence Live Traffic, check the reports for Pages Not Found, Logins & Logouts, and 404 Errors. Each of these reports identifies the page being accessed, the visitor’s home country, and the visitor’s IP address (among other things).

Examine the Pages Not Found and 404 Errors lists. Unless you have broken links, you should have no pages not found. Apart from the few people who mistype a URL by accident, every access to a page that does not exist should be reviewed carefully. If you cannot think of a legitimate reason why a person might have attempted to access a page that cannot be found, block that person from further access.

Examine the Logins & Logouts report. Scan the list for records of people attempting to log in with an invalid user name, or records showing access from a country or area that is not reasonable. If no one should be accessing your administrative area from Arizona or China, and the records indicate an attempt to log in from one of those areas, block that IP address.
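The daily review described above, and the Firewall Rules and Login Security Options listed earlier, are really a small set of rate rules: too many 404s per minute from one address, repeated probes of a known path, too many failed logins in a ten-minute window, or a login attempt with a user name that does not exist. The following Python script is an added example, not code from this article, from WordFence, or from Lockdown WP; it applies those thresholds to a handful of constructed web-server access-log lines and login events so you can see which addresses would end up blocked and for how long. The IP addresses, paths, user names and timestamps are constructed for the example; the set of probe paths (the old wp-login.php location, assuming the login page has been moved as in the Lockdown WP section) and the set of valid user names are assumptions.

```python
"""Apply WordPress-style 404 and login-failure rate rules to sample logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds taken from the Firewall Rules and Login Security Options above.
MAX_404_PER_MINUTE = 5        # block when an address exceeds 5 pages-not-found per minute
MAX_PROBE_404_PER_MINUTE = 1  # block when 404s on known-vulnerable URLs exceed 1 per minute
BLOCK_MINUTES = 30            # how long an IP stays blocked after breaking a rule
MAX_LOGIN_FAILURES = 3        # lock out after 3 failed logins ...
FAILURE_WINDOW_MINUTES = 10   # ... counted over 10 minutes
LOCKOUT_MINUTES = 30          # length of the login lockout

# ASSUMPTION: the login page has been moved (Lockdown WP), so the default path
# now only returns 404s and any request for it is treated as a probe.
PROBE_PATHS = {"/wp-login.php"}
# ASSUMPTION: the only account that exists on this site.
VALID_USERS = {"siteowner"}

# Combined-log-format fields we need: client IP, timestamp, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S"


def parse_access_line(line):
    """Return (ip, timestamp, path, status) for one access-log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    stamp = datetime.strptime(m["ts"].split(" ")[0], TS_FMT)  # drop the timezone offset
    return m["ip"], stamp, m["path"], int(m["status"])


class RateGuard:
    """Tracks per-IP 404s and login failures and blocks addresses that break a rule."""

    def __init__(self):
        self.blocked = {}                    # ip -> datetime until which it is blocked
        self.reasons = {}                    # ip -> reason it was first blocked
        self.hits404 = defaultdict(deque)    # ip -> timestamps of all 404 responses
        self.probe404 = defaultdict(deque)   # ip -> timestamps of 404s on PROBE_PATHS
        self.failures = defaultdict(deque)   # ip -> timestamps of failed logins

    def is_blocked(self, ip, now):
        until = self.blocked.get(ip)
        return until is not None and now < until

    def _block(self, ip, now, minutes, reason):
        self.blocked[ip] = now + timedelta(minutes=minutes)
        self.reasons.setdefault(ip, reason)

    @staticmethod
    def _count_in_window(stamps, now, minutes):
        """Drop timestamps older than the window and return how many remain."""
        cutoff = now - timedelta(minutes=minutes)
        while stamps and stamps[0] < cutoff:
            stamps.popleft()
        return len(stamps)

    def observe_request(self, ip, now, path, status):
        """Feed one access-log record; returns 'blocked' or 'allowed'."""
        if self.is_blocked(ip, now):
            return "blocked"
        if status != 404:
            return "allowed"
        if path in PROBE_PATHS:
            self.probe404[ip].append(now)
            if self._count_in_window(self.probe404[ip], now, 1) > MAX_PROBE_404_PER_MINUTE:
                self._block(ip, now, BLOCK_MINUTES, f"repeated 404s on probe path {path}")
                return "blocked"
        self.hits404[ip].append(now)
        count = self._count_in_window(self.hits404[ip], now, 1)
        if count > MAX_404_PER_MINUTE:
            self._block(ip, now, BLOCK_MINUTES, f"{count} pages not found in one minute")
            return "blocked"
        return "allowed"

    def observe_login(self, ip, now, username, success):
        """Feed one login event; returns 'blocked' or 'allowed'."""
        if self.is_blocked(ip, now):
            return "blocked"
        if success:
            self.failures[ip].clear()        # a successful login resets the failure count
            return "allowed"
        if username not in VALID_USERS:      # "Immediately lock out invalid usernames"
            self._block(ip, now, LOCKOUT_MINUTES, f"login with invalid username {username!r}")
            return "blocked"
        self.failures[ip].append(now)
        if self._count_in_window(self.failures[ip], now, FAILURE_WINDOW_MINUTES) >= MAX_LOGIN_FAILURES:
            self._block(ip, now, LOCKOUT_MINUTES, "too many failed logins")
            return "blocked"
        return "allowed"


def review_logs(access_lines, login_events):
    """Replay access-log lines and login events through a RateGuard and return it."""
    guard = RateGuard()
    for line in access_lines:
        parsed = parse_access_line(line)
        if parsed:
            guard.observe_request(*parsed)
    for ip, stamp, user, ok in login_events:
        guard.observe_login(ip, stamp, user, ok)
    return guard


# Constructed sample data: one address probing the old login path, one mistyped
# URL, one address walking through non-existent pages, then a few login events.
ACCESS_LOG = """\
203.0.113.7 - - [10/May/2014:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 162
203.0.113.7 - - [10/May/2014:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 404 162
198.51.100.9 - - [10/May/2014:10:01:00 +0000] "GET /blog/abuot-us HTTP/1.1" 404 162
192.0.2.44 - - [10/May/2014:10:02:00 +0000] "GET /old1 HTTP/1.1" 404 162
192.0.2.44 - - [10/May/2014:10:02:05 +0000] "GET /old2 HTTP/1.1" 404 162
192.0.2.44 - - [10/May/2014:10:02:10 +0000] "GET /old3 HTTP/1.1" 404 162
192.0.2.44 - - [10/May/2014:10:02:15 +0000] "GET /old4 HTTP/1.1" 404 162
192.0.2.44 - - [10/May/2014:10:02:20 +0000] "GET /old5 HTTP/1.1" 404 162
192.0.2.44 - - [10/May/2014:10:02:25 +0000] "GET /old6 HTTP/1.1" 404 162
192.0.2.44 - - [10/May/2014:10:02:30 +0000] "GET /fish201 HTTP/1.1" 200 5120
""".splitlines()

LOGIN_EVENTS = [  # (ip, timestamp, username, success), constructed
    ("198.51.100.9", datetime(2014, 5, 10, 10, 5, 0), "admin", False),
    ("203.0.113.50", datetime(2014, 5, 10, 10, 6, 0), "siteowner", False),
    ("203.0.113.50", datetime(2014, 5, 10, 10, 7, 0), "siteowner", False),
    ("203.0.113.50", datetime(2014, 5, 10, 10, 8, 0), "siteowner", False),
    ("203.0.113.51", datetime(2014, 5, 10, 10, 9, 0), "siteowner", False),
    ("203.0.113.51", datetime(2014, 5, 10, 10, 30, 0), "siteowner", True),
]

if __name__ == "__main__":
    guard = review_logs(ACCESS_LOG, LOGIN_EVENTS)
    for ip, reason in guard.reasons.items():
        print(f"{ip:14} blocked until {guard.blocked[ip]:%H:%M:%S}: {reason}")
```

Run as written, the script reports four blocked addresses: the probe of the old login path, the address that produced six 404s inside one minute, the login attempt with the non-existent “admin” user, and the address with three failures in ten minutes. The visitor who mistyped one URL and the user who failed once and then logged in are left alone, which is the same judgment the manual review above asks you to make.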

Wordfence will remind you as new versions of your plugins appear. Be diligent and update those plugins. Wordfence will also notify you when a newer version of WordPress is available. Update WordPress and its modules as they become available.

If you are diligent in monitoring your site, you should be significantly less exposed to these vulnerabilities.

Protect Your Website from Hackers (and Spammers)

Are you worried about your website and hackers? If you are not worried, you should be worried, or at least vigilant. There are people out on the cold, cruel internet looking at your website. Some of them are pranksters (mostly harmless), and some are very vicious. These people examine your site daily for chinks in your armor and for ways to get into your site without you noticing.

If your attitude is “I’m not worried, I have nothing important on my site,” you are a prime target. Some hackers do damage and bring a site down, some simply make your site behave comically, and others break in and remain invisible. If the hacker does visible damage (vicious or comical), you are actually lucky, because you know you have a problem to resolve. Other hackers do things that keep them invisible to you while causing problems … very bad problems.

In the last year, I have helped dozens of sites recover from being hacked. Some site owners knew they had been hacked; some did not have the slightest idea they were in trouble. The sites recovered last year included sites that:

  • Had been taken off-line by hackers.
  • Had cosmetic (artistic) changes made to their pages’ appearance.
  • Were redirecting visitors away from the site with a 301 redirect.
  • Were hit by usage overloads and ultimately denial-of-service problems.
  • Had viruses inserted on the site.
  • Had logging software added to their site to capture visitors’ personal information.
  • Had hidden storefronts set up within the site, with an alternate business being run there to the surprise of the site owner.
  • Had been set up to send out spam email.

Clearly, the first few problems are visible to the site owner, but some of these hacks could go on indefinitely if the site owner is not vigilant. In the case of the last few, the site owners were alerted to the problems by visitors who accidentally fell into the “alternate business pages,” received spam from the site, or had their personal information leaked. These last few hacks can have a devastating effect on your site, its credibility, and your visitors.

On top of the obvious problem that your site is being used in a way you do not intend (redirecting people, stealing information from visitors, etc.), your site can be blacklisted … blacklisted as dangerous. If your site has been blacklisted by Google, by antivirus software, or by any of a hundred other sources, you will find it incredibly hard to dig yourself out of the blacklist.

So, what can you do to help protect your site?

  • Keep your website software up-to-date, never let a site go on operating with software with a known security risk
  • Keep security permissions correct on your files and directories
  • Check your site regularly for potential security problems, don’t let the site run on autopilot (without your attention)
  • Monitor your site for attempts to login by unauthorized people
  • Hide your administration login page
  • Limit login attempts
  • Never use the default administrator name for a CMS
  • Use thoroughly randomized and secure passwords for administration areas
  • Monitor your site for people attempting to access suspicious areas of your website
  • Monitor your activity log for any strange behavior
  • Find tools to help you block accesses from addresses you determine are suspicious.
  • Make sure every form input field is validated
  • Make sure your SSL encryption is working if you send sensitive data off site.
  • Do security scans of your site for malware
  • Backup your site and database regularly

The next article on this blog will explain how you can follow the recommendations listed above.