Yesterday I posted about my experience trying to understand the discrepancy between the data from Google Analytics and CloudFlare Analytics. What I eventually found was that CloudFlare was logging visits from hackers, spammers, and bots. After doing some research, I took some extra precautions to secure this blog and thought it would be helpful to write a post about securing your WordPress blog.
I was surprised to see the frequency of hacking attempts, not just on this site, but on all of my WordPress sites. I don’t have any high-traffic sites. I don’t have sites where users log in and keep personal information. My sites are hobby sites and most aren’t active at all. Why then would hackers target them? Well, because they can, I guess.
My Apache visitor logs revealed two main types of hacking attempts:
The brute force login attempt
This is where the hacker just tries random passwords hoping to eventually find yours. All of my WordPress sites had been hit multiple times by this type of hacking attempt. My logs showed small bursts of hits to wp-login.php. Most of the time the user agent was tools.ua.random(), but sometimes it was just a regular browser. It would always be anywhere from 2 – 4 hits in a row, all with different ip addresses. These attempts were coming about once an hour. By limiting the attempts to only a handful at a time from different ip addresses, they are trying to circumvent security plugins that would lock them out for too many failed login attempts.
Vulnerability scanning
This is where the hacker hits URLs that could indicate a known vulnerability. For instance, this site was recently scanned for CKEditor, which resulted in a lot of 404 Not Found errors.
There was no evidence that any of my WordPress sites were actually breached, but I still wanted to take some extra steps to secure them. Of course, there is no way to completely secure anything that connects to the internet, but we can take steps to make it less likely. So, here are a few things you can do.
Use a more secure login name
Don’t use “admin” as your login name
In order for a brute force hacking attempt to succeed, the hacker has to guess both your password and your login name. Since most people use admin as their WordPress login name, hackers try that by default. So, if you’re using “admin” as your login name, change it.
Don’t use your display name as your login name
Your display name is the name that shows up in the byline for your WordPress posts. It’s also the next thing the hacker will use to try to break your password if admin doesn’t work. You can change your display name in your profile in the WordPress dashboard.
Make sure your login name and your author slug are not the same
The author page is the page a visitor gets if they click on your name in the post. For instance, if you click on my name above, it takes you to my author page here. If you have an author page on your WordPress site, by default the slug is probably the same as your login name. For obvious reasons, you don’t want that. You have a couple of options for fixing this. Either disable author pages or use a plugin like Edit Author Slug to change the author slug.
Use a better password
Avoid common passwords
CBS News has published a list of the most common passwords. Not surprisingly, these are the first passwords hackers will try when attacking your site. So, don’t use them.
Avoid dictionary words
The next thing hackers will try is a Dictionary Attack. This is where they will try successive attempts using plain old dictionary words. If you use a common word as your password, the hacker can hack it in less than 3 minutes. So, if you are going to insist on using words as your password, use a multi-word phrase. Or, better yet, don’t use real words.
Make your password complicated as heck
The most secure password is a password you can’t remember. So make one long and crazy: something over 12 characters long with a mixture of letters, numbers and symbols. But, you may wonder, if you can’t remember it, how can you use it? Well, you need a password manager, a good one, like LastPass. Don’t use your browser’s built-in password manager; these are not secure enough. Ideally, use something like LastPass and enable multifactor authentication. This way, you only have to remember one password. LastPass is free for most users. If you want more advanced features, like multifactor authentication or the ability to use it on your mobile devices, you can get the premium version for $12/year. And it is totally worth it.
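To make the three password rules above concrete (avoid common passwords, avoid single dictionary words, and use something over 12 characters mixing letters, numbers and symbols), here is an added example of a small policy checker. It is not code from the original post; the common-password and dictionary lists in it are constructed placeholders with a handful of entries, and a real check would load a full list and a system word list instead. The entropy figure is a rough upper bound that assumes the password was chosen at random from the character classes it uses.

```python
import math
import re
import string

# Constructed illustrative lists, not the CBS News list the post refers to. A real deployment
# would load a full common-password list and a dictionary (e.g. /usr/share/dict/words).
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "abc123", "letmein", "admin", "welcome"}
DICTIONARY_WORDS = {"sunshine", "dragon", "monkey", "football", "purple", "coffee", "secret"}

MIN_LENGTH = 12  # the post's "something over 12 characters long"


def character_classes(pw):
    """Which of the three classes the post asks for (letters, numbers, symbols) are present."""
    return {
        "letters": any(c.isalpha() for c in pw),
        "numbers": any(c.isdigit() for c in pw),
        "symbols": any(not c.isalnum() for c in pw),
    }


def estimated_entropy_bits(pw):
    """Upper-bound guessing entropy: length * log2(alphabet size), assuming the password was
    picked at random from the alphabet implied by the classes used. A dictionary word or a
    common password is far weaker than this number suggests, which is why the list checks
    in check_password() come first."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return len(pw) * math.log2(size) if size else 0.0


def check_password(pw):
    """Return the list of reasons a candidate password fails; an empty list means it passes."""
    problems = []
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    # Strip leading/trailing digits and symbols so "Dragon123!" is still caught as a dictionary word.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    if core in DICTIONARY_WORDS:
        problems.append("a single dictionary word with trivial padding")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = [name for name, present in character_classes(pw).items() if not present]
    if missing:
        problems.append("missing " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    # Constructed candidates: a list hit, a padded dictionary word, and a random-looking string.
    for candidate in ["password", "Dragon123!", "Tr0ub4dor&3xample!"]:
        issues = check_password(candidate)
        verdict = "ok" if not issues else "; ".join(issues)
        print(f"{candidate!r}: {verdict} (~{estimated_entropy_bits(candidate):.0f} bits)")
```

The order of the checks matters: a password can score well on length and character mix and still be on every attacker's list, so the list and dictionary lookups run before the structural rules, and a hit there is reported even when the structural rules pass.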
The tips above are things you can do whether your blog is on your own domain or hosted by WordPress.com. The tips below are mainly for people hosting WordPress sites on their own domain.
Use a plugin to add even more security
All In One WP Security & Firewall
All In One WP Security & Firewall walks you through over a dozen steps to secure your site. It checks most of the stuff above and gives you options to fix any issues that may arise. It’s easy to use and takes only a few minutes to get it set up.
WordFence
WordFence is similar to All In One WP Security & Firewall, but it also scans your site for viruses and malware and is completely free. Unfortunately, I have had problems with WordFence causing CPU spikes that resulted in my site being throttled by my web host. So that is something to keep in mind.
Keep it current
Don’t ignore WordPress updates. That includes updates to your theme and plugins. These updates may include fixes to vulnerabilities that could leave your site susceptible if you don’t install them.
Check your visitor logs
You should make a habit of checking your raw visitor logs. Look for repeated hits to wp-login.php and 404 errors; these indicate hacking attempts. If you see a bunch of 404 errors, also check the logs for that ip address successfully hitting any pages, since that may point to a vulnerability. A great tool for this is CodeLobster. CodeLobster is a free IDE (Integrated Development Environment, i.e. a fancy text editor). Open your raw logs in CodeLobster and, if you see suspicious activity, highlight the ip address. CodeLobster will highlight any other appearances of that ip address in the log file, so you can check for other problems.
Blacklist bad ip addresses
When you blacklist an ip address, anyone from that ip address simply cannot get to your site at all. This won’t stop hackers, but it might slow them down. There are a few ways to accomplish this. If you use CloudFlare, you can blacklist any ip address or ip address range in their “threats” panel. You can also implement an .htaccess blacklist. All Things Democrat has a very thorough blacklist and instructions on how to use it. You can also use a plugin like IP Blacklist Cloud.
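The log review described under “Check your visitor logs” and the .htaccess blacklist mentioned above can be joined up in a short script. The following is an added example, not code from the original post, CloudFlare, or any of the plugins named here. It parses Apache combined-format lines, counts wp-login.php hits and 404s per address, groups wp-login.php POSTs into short time windows so that the “2 – 4 hits in a row from different ip addresses” pattern from the logs is caught even though each address only appears once, checks whether a 404-heavy scanner also got a real page back, and finally writes the flagged addresses as an Apache 2.4 `Require not ip` block. The sample log is constructed from RFC 5737 documentation addresses and is not real traffic; the thresholds are assumptions to tune for your own site.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample log (RFC 5737 addresses), not real traffic. It mirrors the post: a burst of
# wp-login.php POSTs from different addresses, a CKEditor scan producing 404s, and the owner's
# own login from 192.0.2.1 (a failed login returns 200, a successful one 302).
SAMPLE_LOG = """\
192.0.2.1 - - [03/Feb/2014:08:00:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/26.0"
203.0.113.10 - - [03/Feb/2014:08:02:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "tools.ua.random()"
203.0.113.11 - - [03/Feb/2014:08:02:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "tools.ua.random()"
203.0.113.12 - - [03/Feb/2014:08:02:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "tools.ua.random()"
203.0.113.13 - - [03/Feb/2014:08:02:13 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "tools.ua.random()"
198.51.100.7 - - [03/Feb/2014:09:15:00 +0000] "GET /ckeditor/ckeditor.js HTTP/1.1" 404 289 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Feb/2014:09:15:01 +0000] "GET /ckeditor/ HTTP/1.1" 404 289 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Feb/2014:09:15:02 +0000] "GET /fckeditor/ HTTP/1.1" 404 289 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Feb/2014:09:15:05 +0000] "GET /wp-content/uploads/ HTTP/1.1" 200 1023 "-" "Mozilla/5.0"
192.0.2.1 - - [03/Feb/2014:09:20:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/26.0"
192.0.2.1 - - [03/Feb/2014:09:20:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/26.0"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; malformed lines are skipped rather than fatal."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            e["when"] = datetime.strptime(e["time"], "%d/%b/%Y:%H:%M:%S %z")
            entries.append(e)
    return entries


def is_login(path):
    return path.split("?", 1)[0].endswith("/wp-login.php")


def summarise(entries):
    """Per-address counters: wp-login.php hits, 404s, and the paths actually served (2xx)."""
    stats = defaultdict(lambda: {"login": 0, "not_found": 0, "served": []})
    for e in entries:
        s = stats[e["ip"]]
        if is_login(e["path"]):
            s["login"] += 1
        if e["status"] == 404:
            s["not_found"] += 1
        elif 200 <= e["status"] < 300:
            s["served"].append(e["path"])
    return dict(stats)


def login_bursts(entries, window_seconds=60, min_hits=2):
    """Group wp-login.php POSTs that fall within window_seconds of the group's first hit.
    Counting per window rather than per address is what catches a few hits spread over
    different addresses, which a per-IP lockout counter never sees."""
    posts = sorted((e["when"], e["ip"]) for e in entries if e["method"] == "POST" and is_login(e["path"]))
    groups, current = [], []
    for when, ip in posts:
        if current and (when - current[0][0]).total_seconds() > window_seconds:
            groups.append(current)
            current = []
        current.append((when, ip))
    if current:
        groups.append(current)
    return [{"start": g[0][0], "hits": len(g), "ips": sorted({ip for _, ip in g})}
            for g in groups if len(g) >= min_hits]


def flag_ips(stats, bursts, not_found_threshold=3):
    """Map each suspicious address to the reason it was flagged."""
    flagged = {}
    for b in bursts:
        if len(b["ips"]) >= 2:  # several addresses sharing one short window
            for ip in b["ips"]:
                flagged[ip] = f"part of a {b['hits']}-hit wp-login.php burst at {b['start']:%H:%M:%S}"
    for ip, s in stats.items():
        if ip not in flagged and s["not_found"] >= not_found_threshold:
            reason = f"{s['not_found']} 404s (scanning)"
            if s["served"]:  # the post's follow-up check: did the scanner also get a real page?
                reason += "; also served: " + ", ".join(s["served"])
            flagged[ip] = reason
    return flagged


def htaccess_fragment(ips):
    """Apache 2.4 (mod_authz_core) deny list for .htaccess; entries may be addresses or CIDR ranges."""
    nets = [ipaddress.ip_network(ip, strict=False) for ip in ips]  # ValueError on malformed input
    lines = ["<RequireAll>", "    Require all granted"]
    for net in sorted(nets, key=lambda n: (n.version, n)):
        target = str(net.network_address) if net.num_addresses == 1 else net.with_prefixlen
        lines.append(f"    Require not ip {target}")
    lines.append("</RequireAll>")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    stats = summarise(entries)
    flagged = flag_ips(stats, login_bursts(entries))
    for ip, why in flagged.items():
        print(f"{ip:>14}  {why}")
    print(htaccess_fragment(flagged))
```

Two caveats for the generated block: the `Require` syntax is Apache 2.4 (2.2 used `Order`/`Deny from`), and it only takes effect in .htaccess when the host has enabled `AllowOverride AuthConfig` for the directory. If the site sits behind CloudFlare, the client address in the Apache log is CloudFlare's unless the server has been configured to restore the original visitor IP, so check that before blacklisting anything from the log.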
Move your login page
If you use WordFence or All In One WP Security & Firewall, they have options to rename your login page. If you aren’t using one of those, Rename wp-login.php is a stand-alone plugin that can do the same thing. If hackers can’t find it, they can’t use it. This isn’t enough by itself, but it is a good start. Also, when you move/rename your login page, don’t use yoursite.com/login/ as the new page, because that’s where they will check next. My recommendation is to use the LastPass password generator to create a random string of characters to use as your new login page name, then bookmark that page so you can find it when you want to log in. Also, make sure there are no links to the new login page anywhere on the publicly accessible part of your blog. That means getting rid of the “meta” widget that is usually turned on by default.
Well, that’s it for now. Have you had your WordPress blog hacked or has someone attempted to hack it? Do you have any tips for securing your WordPress blog? If so, leave a comment below.