Recently, I mentioned that you should be concerned about hackers (and spammers). I listed a number of items that you can do to increase the security of your website, and I listed reasons you should be concerned about security. However, I didn’t take the time to explain how to perform the protective activities. This article and following articles will give explanations that will help you perform those protective activities listed. Today, I’ll explain how to:
- Check your site regularly for potential security problems.
- Keep your website software up to date.
- Monitor your site for unauthorized login attempts.
- Hide your login page.
- Limit login attempts.
- Never use the default administrator name.
- Randomize your password.
There are several WordPress plugins that will allow you to monitor for potential hackers and spammers. Personally, I find WordFence and Lockdown WP to be two exceptional plugins for monitoring a WordPress site. Install WordFence and Lockdown WP and you’ll find an incredible set of tools to monitor your site.
Your first steps will be to configure these two plugins.
Configure Lockdown WP
Lockdown WP has only a few configurable settings, but they are among the most important items you can configure. Using Lockdown WP, you will make it harder for a hacker to find your administration area. To do this, configure Lockdown WP by:
- Selecting to hide the administration area from those that are not logged into the site. To do that, check the option box next to “Yes, please hide WP Admin from the user when they aren’t logged in.” Anyone not logged in who attempts to access the administration area will receive a 404 “page not found” error.
- Setting a new WordPress login URL. Normally, the administration login is reached at www.example.com/wp-login.php. Using Lockdown WP, set the access point to ANYTHING other than wp-login.php: an unusual, unique location with a name that has no bearing on your site’s purpose or function, such as www.example.com/fish201. Once you move this access point, hackers attempting to log in to your site will have trouble guessing where the login has “moved”, and therefore more trouble attacking it. Anyone that attempts to access www.example.com/wp-login.php is clearly a hacker, and you will be informed when hackers attempt to access this 404 location.
Configure WordFence
WordFence has a large number of important features to configure. Review all the configurable items. In the list below, an “X” marks options that should be checked; where a text string should be entered, suggested values are provided. Make certain that, at minimum, you set the following:
Basic Options:
- X Enable firewall
- X Enable login security
- X Enable Live Traffic View
- X Enable automatic scheduled scans
- X Update Wordfence automatically when a new version is released
- Where to email alerts: your@email.com
Advanced Options:
- X Alert on critical problems
- X Alert on warnings
- X Alert when an IP address is blocked
- X Alert when someone is locked out from login
- X Alert me when a non-admin user signs in
Scans to include:
- X Scan for the HeartBleed vulnerability?
- X Scan theme files against repository versions for changes
- X Scan plugin files against repository versions for changes
- X Scan for signatures of known malicious files
- X Scan file contents for backdoors, trojans and suspicious code
- X Scan posts for known dangerous URLs and suspicious content
- X Scan comments for known dangerous URLs and suspicious content
- X Scan for out of date plugins, themes and WordPress versions
- X Check the strength of passwords
- X Scan options table
- X Monitor disk space
- X Scan for unauthorized DNS changes
- X Scan files outside your WordPress installation
- X Scan image files as if they were executable
Firewall Rules:
- If a crawler’s pages not found (404s) exceed: 5 per minute then block it
- If a human’s pages not found (404s) exceed: 5 per minute then block it
- If 404s for known vulnerable URLs exceed: 1 per minute then block it
- How long is an IP address blocked when it breaks a rule: 30 minutes
Login Security Options:
- Enforce strong passwords? TRUE
- Lock out after how many login failures : 3
- Lock out after how many forgot password attempts: 3
- Count failures over what time period: 10 minutes
- Amount of time a user is locked out: 30 minutes
- X Immediately lock out invalid usernames
- X Don’t let WordPress reveal valid users in login errors
- X Prevent users registering ‘admin’ username if it doesn’t exist
- X Prevent discovery of usernames through ‘?/author=N’ scans
Other Options:
- X Hide WordPress version
- X Hold anonymous comments using member emails for moderation
- X Filter comments for malware and phishing URL’s
- X Check password strength on profile update
- X Participate in the Real-Time WordPress Security Network
Your second step will be to use WordFence to monitor for hackers on a regular basis.
Assuming you have configured your site according to the list above, you should be well on the way to a safer website. With this configuration, hackers will have trouble finding your administration login page, you will be using stronger passwords, hackers will be blocked if they attempt to access protected areas of your site, and your WordPress site will be continually scanned for malware.
However, you cannot walk away from the site and assume it is safe. Daily, check your site reports in WordFence. Under WordFence Live Traffic, check the reports for Pages Not Found, Logins & Logouts, and 404 Errors. Each of these reports identifies the page being accessed, the visitor’s home country, and the visitor’s IP address (among other things).
Examine the Pages Not Found and 404 Errors lists. Unless you have broken links, you should have no pages not found. Apart from the few people who mistype a URL, accesses to pages that do not exist should be reviewed carefully. If you cannot rationalize why a person might have attempted to access a page that cannot be found, block that person from further access.
Examine the Logins & Logouts report. Scan the list for records of people attempting to log in with an invalid user name, or for access from a country or area that is not reasonable. If no one should be accessing your administrative area from Arizona or China and the records show an attempt from those areas, block that IP address.
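As an added example (not code from the article or from either plugin), the script below applies the Firewall Rules thresholds above (404s over 5 per minute, vulnerable-URL 404s over 1 per minute) and the rule that any request for the old wp-login.php location is hostile once the login URL has been moved, to a handful of constructed access-log lines of the kind the Live Traffic review walks through. It assumes Apache combined log format and uses a placeholder in place of WordFence’s own list of known vulnerable URLs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (Apache combined format): documentation-range IPs, made-up paths.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2024:10:00:09 +0000] "GET /abuot/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '192.0.2.45 - - [10/Mar/2024:10:02:00 +0000] "GET /placeholder-vulnerable-path HTTP/1.1" 404 512 "-" "-"',
    '192.0.2.45 - - [10/Mar/2024:10:02:30 +0000] "GET /placeholder-vulnerable-path HTTP/1.1" 404 512 "-" "-"',
] + [f'192.0.2.44 - - [10/Mar/2024:10:01:{s:02d} +0000] "GET /p{s} HTTP/1.1" 404 512 "-" "-"' for s in range(0, 30, 5)]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3})')
KNOWN_VULNERABLE_PATHS = {"/placeholder-vulnerable-path"}  # placeholder standing in for WordFence's list (assumption)
LEGACY_LOGIN = "/wp-login.php"  # the default login URL the article tells you to move away from

def parse_line(line):
    # Returns (ip, timestamp, path without query string, status) or None if the line does not parse.
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"].split("?")[0], int(m["status"])

def exceeds(times, limit, window=timedelta(minutes=1)):
    # True when more than `limit` events fall inside any sliding window of length `window`.
    times, start = sorted(times), 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        if end - start + 1 > limit:
            return True
    return False

def classify(evs):
    # The article's rules, checked in order: old login URL hit, vulnerable-URL 404s > 1/min, 404s > 5/min.
    not_found = [ts for _, ts, _, st in evs if st == 404]
    vuln_404 = [ts for _, ts, p, st in evs if st == 404 and p in KNOWN_VULNERABLE_PATHS]
    if any(p == LEGACY_LOGIN for _, _, p, _ in evs):
        return "block: requested the old wp-login.php location"
    if exceeds(vuln_404, 1):
        return "block: 404s on known vulnerable URLs exceeded 1 per minute"
    if exceeds(not_found, 5):
        return "block: more than 5 pages-not-found in one minute"
    return "review: isolated 404, possibly a typo" if not_found else "ok"

def review(lines):
    # Group parsed events by client IP and return {ip: verdict} for the daily report check.
    by_ip = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        by_ip[ev[0]].append(ev)
    return {ip: classify(evs) for ip, evs in by_ip.items()}
```

Running `review(SAMPLE_LOG)` blocks 203.0.113.7, 192.0.2.44 and 192.0.2.45 and leaves 198.51.100.9 for manual review, which is the decision the article asks you to make by hand from the Live Traffic reports.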
WordFence will remind you as new versions of your plugins appear. Be diligent and update those plugins. WordFence will also notify you when a newer version of WordPress is available. Update WordPress and plugins as they become available.
If you are diligent in monitoring your site, you should feel significantly more secure about its vulnerability.