Security is one of the loneliest words in the world. People don’t care about it until they get hacked, and when their site is down or their data is compromised, they come to hate the very concept of security.
Back in middle school, I had a T-shirt that determined my online alias for many years. The T-shirt looked like this:
There are thousands of attack vectors out there and no one is 100% safe. It’s all a matter of the time and effort a hacker is willing to spend to get access to your resources.
Mass And Targeted Attacks
It’s important to distinguish the two main groups of hackers that could go after your website.
The first group conducts “mass attacks”. These are usually automated and target a large portion of the Internet at once.
Mass attacks normally exploit a common security problem or a recently announced vulnerability, or rely on statistical patterns, in order to compromise a large number of random websites. For example, once a flaw in a well-known WordPress plugin becomes public, automated scripts scan the Internet for WordPress sites running that plugin and try the known exploit against each of them with a simple command or a set of instructions.
Password guessing belongs in the same category: the same scripts try lists of common passwords, and they succeed whenever an account uses one of them.
The second group of hackers targets your particular website. They are less common than the automated bots, but more dangerous, since instead of the “one size fits all” approach they look for weaknesses specific to your site.
The profile of those potential attackers could be:
Someone hired by your competitors
A self-employed hacker looking for a challenge to solve
A random hacker trying to prove a point or test their skills
Different Attack Vectors
I could discuss the types of attacks in detail and go through the technical analysis, but if you’re really interested, I’d definitely recommend OWASP. On a business level, an attack can come from several places:
An outdated WordPress core version – each release ships with a public list of changes, and an attacker can work backwards from a published fix to the bug it closes and exploit it on sites still running the older version
Insecure PHP code – your theme or a plugin could contain a flaw that gives an attacker specific access, such as uploading arbitrary files to your website, reading protected files and more
Insecure SQL statements – these can let an attacker steal sensitive data from your database, corrupt it, or read private user details (including hashed passwords and email addresses) and more
Unprotected server – outdated software, a missing firewall or a wrong configuration can make your website vulnerable through the hosting vendor or the machine that hosts it
Insecure WiFi – an open WiFi network (or any untrusted network) can be used to intercept your traffic, including passwords, sensitive URLs and more
Infected computer – malware on your notebook can capture the credentials or sessions you use to log in to your site
Personal – most of the time a hack comes down to a simple human mistake, or to so-called “social engineering”
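To make the “insecure SQL statements” point concrete, here is an added example (not code from the original post or from WordPress itself). It builds an in-memory SQLite table shaped like a slice of wp_users with constructed rows, then runs the same lookup twice: once by splicing the caller’s string into the SQL text, once with a parameterised query. The payloads are classic tautology and UNION strings constructed for the demo; in WordPress the parameterised form corresponds to $wpdb->prepare().

```python
import sqlite3

# Constructed rows for the demo; not data from any real site.
SEED_USERS = [
    ("alice", "alice@example.com", "$P$BexampleHashAlice"),
    ("bob", "bob@example.com", "$P$BexampleHashBob"),
]


def make_db():
    """In-memory table shaped like a slice of wp_users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_users (user_login TEXT, user_email TEXT, user_pass TEXT)"
    )
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", SEED_USERS)
    return conn


def find_user_vulnerable(conn, login):
    """Deliberately insecure: the caller's string becomes part of the SQL text."""
    sql = "SELECT user_login, user_email FROM wp_users WHERE user_login = '%s'" % login
    return conn.execute(sql).fetchall()


def find_user_safe(conn, login):
    """Parameterised: the value travels separately from the statement, so it can
    never change the query's structure (the WordPress equivalent is $wpdb->prepare())."""
    sql = "SELECT user_login, user_email FROM wp_users WHERE user_login = ?"
    return conn.execute(sql, (login,)).fetchall()


# Payloads constructed for the demo.
TAUTOLOGY = "' OR '1'='1"                                       # returns every row
HASH_DUMP = "' UNION SELECT user_login, user_pass FROM wp_users --"  # leaks password hashes


if __name__ == "__main__":
    db = make_db()
    print(find_user_vulnerable(db, "alice"))     # one row
    print(find_user_vulnerable(db, TAUTOLOGY))   # both rows
    print(find_user_vulnerable(db, HASH_DUMP))   # (login, hash) pairs
    print(find_user_safe(db, TAUTOLOGY))         # []: treated as a literal user name
```

The UNION payload is exactly the “reading hashed passwords” case from the list above: the second SELECT appends rows from whatever columns the attacker names, and the trailing `--` comments out the closing quote. The safe version returns nothing because the driver never lets the value be parsed as SQL.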
To improve the security of your website, use the seven tips below to keep your site safe.
7 Tips to Keep WordPress Safe
Here are some practical tips for keeping your WordPress website safe.
1. Protect Your System Internally
There are several plugins that enhance your security without additional technical work. Keep in mind that none of them will make you 100% safe, since hackers use many different attack vectors, but they will improve the overall security of your website.
Wordfence is a complete solution: it scans your site’s files for malware, hardens various parts of the installation and blocks external attacks with a firewall. Limit Login Attempts is a single-purpose plugin that limits the number of failed login attempts for a user, which rules out most of the annoying bots and scripts trying to guess your password.
Take a look at Locking Down WordPress – it’s a free ebook focused on security. You won’t regret it.
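The following is an added example of the mechanism behind a plugin like Limit Login Attempts; it is not the plugin’s code and not from the original post. It keeps a sliding window of failed attempts per (username, client IP) pair, locks the pair out once a threshold is reached, and refuses even the correct password while the lockout lasts. The account password, the client address and the attempt sequence are all constructed for the demo, and the clock is injected so the run is deterministic.

```python
import hmac
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Lock out a (username, client IP) pair after too many failed logins.

    Failures are counted in a sliding window; reaching max_failures inside the
    window starts a lockout during which the password is not even checked.
    """

    def __init__(self, max_failures=5, window_seconds=600,
                 lockout_seconds=1200, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock                  # injectable so the demo can fake time
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}              # key -> time when the lockout expires

    @staticmethod
    def _key(username, ip):
        return (username.lower(), ip)

    def is_locked(self, username, ip):
        key = self._key(username, ip)
        until = self.locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:           # lockout expired: start fresh
            del self.locked_until[key]
            self.failures.pop(key, None)
            return False
        return True

    def record_failure(self, username, ip):
        """Returns True if this failure triggered a lockout."""
        key = self._key(username, ip)
        now = self.clock()
        recent = self.failures[key]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                # forget failures outside the window
        if len(recent) >= self.max_failures:
            self.locked_until[key] = now + self.lockout
            return True
        return False

    def record_success(self, username, ip):
        key = self._key(username, ip)
        self.failures.pop(key, None)
        self.locked_until.pop(key, None)


class FakeClock:
    """Deterministic stand-in for time.monotonic() used by the demo."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


# Hypothetical secret for the demo account. A real site compares against a
# stored password hash, never the plaintext.
DEMO_PASSWORD = "correct-horse-battery-staple"


def attempt_login(throttle, username, ip, password):
    """Returns 'locked', 'failed' or 'ok' for one login attempt."""
    if throttle.is_locked(username, ip):
        return "locked"
    if hmac.compare_digest(password.encode(), DEMO_PASSWORD.encode()):
        throttle.record_success(username, ip)
        return "ok"
    throttle.record_failure(username, ip)
    return "failed"


def run_demo():
    """Constructed sequence: five dictionary guesses, then the right password."""
    clock = FakeClock()
    throttle = LoginThrottle(max_failures=5, window_seconds=600,
                             lockout_seconds=1200, clock=clock)
    ip = "203.0.113.7"  # documentation-range address, constructed
    results = []
    for guess in ["123456", "password", "admin", "qwerty", "letmein"]:
        results.append(attempt_login(throttle, "admin", ip, guess))
        clock.advance(1)
    results.append(attempt_login(throttle, "admin", ip, DEMO_PASSWORD))  # still locked
    clock.advance(1200)
    results.append(attempt_login(throttle, "admin", ip, DEMO_PASSWORD))  # lockout expired
    return results


if __name__ == "__main__":
    print(run_demo())  # ['failed', 'failed', 'failed', 'failed', 'failed', 'locked', 'ok']
```

Two caveats a practitioner should keep in mind: keying on (username, IP) limits each bot address separately, so a distributed scan still gets max_failures guesses per address per window, while keying on the username alone lets anyone lock the real administrator out. Lockouts slow guessing down; they do not replace a strong password.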
2. Use Secure Login Accounts
One of the main reasons websites get hacked is the use of simple passwords. According to several studies, roughly one in five users picks a simple, easily guessed password that appears in the openly available lists of the thousand most popular passwords.
Use a password that mixes upper- and lower-case letters, numbers and special symbols.
Longer passwords are better, so something like MySuperWebsiteIsCool1@ would be incredibly hard to break compared with %$!32, which is short enough for password-cracking software to exhaust every possible combination in a fraction of a second.
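As an added example (not from the original post), the check below does what a sensible password policy does: reject anything on a common-password list outright, then estimate the brute-force search space from the length and character classes, which is the calculation behind the comparison of the two passwords above. The common-password excerpt and the assumed cracking rate of 10^10 guesses per second are constructed for the demo.

```python
import math

# Constructed excerpt of a "most common passwords" list; real lists run to
# thousands of entries and should be loaded from a file.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123", "admin",
    "letmein", "welcome", "iloveyou", "monkey", "dragon", "football",
}


def charset_size(pw):
    """Size of the alphabet an attacker must assume to cover this password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII punctuation and space
    return size


def search_space_bits(pw):
    """log2 of the number of candidates a brute-force search must cover."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def brute_force_seconds(pw, guesses_per_second=1e10):
    """Worst-case time to exhaust the space at an assumed offline cracking rate."""
    return 2 ** search_space_bits(pw) / guesses_per_second


def assess(pw, min_length=12, min_bits=60):
    """Returns (verdict, reason, bits): 'reject', 'weak' or 'ok'."""
    if pw.lower() in COMMON_PASSWORDS:
        return "reject", "appears on the common-password list", 0.0
    bits = search_space_bits(pw)
    if len(pw) < min_length or bits < min_bits:
        return "weak", "search space too small to make brute force expensive", bits
    return "ok", "not in the dictionary and a large search space", bits


if __name__ == "__main__":
    for pw in ["password", "%$!32", "MySuperWebsiteIsCool1@"]:
        verdict, reason, bits = assess(pw)
        print(f"{pw!r}: {verdict} ({reason}), {bits:.0f} bits, "
              f"{brute_force_seconds(pw):.3g} s to exhaust at 1e10 guesses/s")
```

Note the limits of the estimate: it treats every character as independent, so a password built from dictionary words (MySuperWebsiteIsCool1@ is five English words plus two symbols) is found much faster by a cracker that combines words and applies mutation rules than the 144-bit figure suggests. The dictionary check is still the part that matters most, because that is how mass attacks succeed.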
3. Beware Of Open WiFi Networks
Another popular vector that has nothing to do with your setup is how you access your website.
Logging in to your website from an open WiFi network at a coffee shop or an airport makes it easy for an attacker on the same network to sniff the traffic and steal your login credentials.
Never trust open WiFi or other networks where hundreds of people can connect and sniff the traffic. Use your own network at home or at the office, use a VPN provider for connections from anywhere else, and install an SSL/TLS certificate for your site so that the login exchange is encrypted between your browser and your server.
4. Choose a Secure Hosting Solution
One of the common attack vectors is an outdated server setup or an insecure hosting configuration. Hiring a system administrator to look after your custom server is a good measure against problematic hosting.
Picking a hosting account that specializes in security is another good option. We recommend SiteGround, since they offer managed WordPress hosting with security in mind and filter many attacks before they ever reach your website.
5. Carefully Choose Your Setup
Enhancing your website usually involves UI improvements and additional features. Installing random WordPress themes or plugins carries a hidden risk, though: there is no guarantee that those solutions are secure.
Recently a vulnerability in Revolution Slider was exploited and over a million users were affected, many of them through themes that had Revolution Slider bundled in. A plugin bundled inside a theme is not updated through the normal plugin update mechanism, so it stays vulnerable until the theme author ships a new version. Other popular plugins, such as Gravity Forms, were also found to be vulnerable.
The top-tier clients of WordPress.com VIP, and those working with the leading WordPress agencies, have dedicated developers reviewing every single line of code added to a website for security. Even if you can’t afford that, keep in mind that random themes and plugins can open an attack vector through which hackers take over your website.
6. Keep Your System Up To Date
Keeping the WordPress core and your plugins up to date is essential too. When a vulnerability is found, most vendors release a fix right away; update your system regularly to close the latest security holes, and remember that the public changelog of a fix also tells attackers what to look for on sites that lag behind.
7. Enable Monitoring Services
There are various services and custom solutions that monitor for suspicious activity, report downtime and flag other potentially unwanted changes.
WordPress File Monitor Plus is a great plugin that reports daily on which files have changed. There are some false positives, such as when a plugin has been updated or the captcha image of your contact form has been regenerated, but reading these reports lets you catch suspicious changes early and remove them before an attacker can make use of them.
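To show what a file-change report is built from, here is an added example (not the plugin’s code and not from the original post) of the technique: hash every file under the web root, store the result as a baseline, and on the next run classify each path as added, removed or modified. It also shows how to keep the known false positives quiet by ignoring paths that legitimately change on their own. The site tree, file contents and ignore patterns are constructed for the demo.

```python
import fnmatch
import hashlib
import tempfile
from pathlib import Path

# Paths that legitimately change on their own (uploads, caches, logs); tune per site.
IGNORE_PATTERNS = ["wp-content/uploads/*", "wp-content/cache/*", "*.log"]


def file_sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, ignore=IGNORE_PATTERNS):
    """Map of relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    digests = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if any(fnmatch.fnmatch(rel, pat) for pat in ignore):
            continue
        digests[rel] = file_sha256(path)
    return digests


def diff_snapshots(baseline, current):
    """Classify changes between two snapshots; sorted lists give stable reports."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "modified": sorted(p for p in current
                           if p in baseline and current[p] != baseline[p]),
    }


def run_demo():
    """Constructed mini site tree; simulates one day of changes between two scans."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        plugin = root / "wp-content" / "plugins" / "demo"
        uploads = root / "wp-content" / "uploads"
        plugin.mkdir(parents=True)
        uploads.mkdir(parents=True)
        (root / "readme.html").write_text("<p>demo site</p>\n")
        (plugin / "demo.php").write_text("<?php // demo plugin, version 1\n")
        (uploads / "captcha.png").write_bytes(b"\x89PNG captcha 1")
        baseline = snapshot(root)

        # Changes between the baseline and the next scan:
        (plugin / "demo.php").write_text("<?php // demo plugin, unexpected edit\n")  # modified
        (plugin / "helper.php").write_text("<?php // file nobody installed\n")        # added
        (root / "readme.html").unlink()                                             # removed
        (uploads / "captcha.png").write_bytes(b"\x89PNG captcha 2")  # regenerated, ignored
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

Two design points matter in practice: compare content hashes rather than modification times, since an intruder who can write files can also set timestamps, and store the baseline outside the web root for the same reason. A legitimate plugin update shows up as a burst of modified files under that plugin’s directory; a single changed PHP file with no matching update, or a new PHP file in an uploads directory, is the pattern worth investigating.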
At DevriX we offer security reviews and setup for our high-end customers wherever data is important and the customer’s reputation must be protected.
Our next email will cover monitoring options and update services that would help you with your website management.