One year ago, my webcomic, LeyLines, was hacked. Believe me when I say there are few things more devastating to a webcomic creator than signing on to your site and discovering all of it has vanished overnight. I learned a lot about website security the hard way that month.
Many, if not most, of us are using WordPress these days. A blog hosted by WordPress itself is kept very secure for you, but a WordPress install hosted anywhere else is your responsibility, and that is where additional holes open up for a hacker to exploit.
Don’t assume that you are safe because you are small — I had a grand total of 70 readers at the time I was hacked! Hackers often write automated code that sweeps across a blanket of sites, attacking the same security weakness in each.
Here are some first steps to minimizing the damage a hacker can do:
First Steps – Security Level Alpha
1) Back up your databases regularly. Most modern hosts offer a database back-up option in the control panel. You can also download backups over FTP or use a back-up plugin. (And while you’re backing up your database, don’t forget to back up your files too!)
2) Keep WordPress up to date. Many WordPress updates exist to patch the holes hackers exploit, and updating is a fairly simple process. Despite that, it’s easy to let WP updates slide, especially since updates sometimes break themes or cause compatibility issues. Trust me, a little inconvenience now is a lot better than no website later.
3) Be original – don’t use “admin” and “password”. Many database set-ups automatically name the account with read/write/execute permissions “admin”. Hackers know this, and it’s the first thing they’ll try. Don’t make it easy for them!
4) Beware Plugin Fever. Plugins are amazing add-ons to our websites, but they’re also potential gateways into the guts of our systems. Be selective about what you install, and investigate each plugin before you add it to your site.
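Step 1 above covers the database; the files matter just as much, and a backup you have never checked is only a hope. The following is an added example, not code from the original post or from any plugin it names: it archives a site directory, writes a SHA-256 checksum beside the archive, verifies the archive before you rely on it, and prunes old copies. The directory layout, file contents and timestamps in demo() are constructed; a real run would point backup_files() at your web root and drop the host's database export into the same backup folder.

```python
"""Added example, not code from the original post: file backup with a
checksum, a verify step, and rotation. All paths and contents are constructed."""
import hashlib
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path):
    """Stream the file through SHA-256 so a large archive is never loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup_files(site_dir, dest_dir, stamp=None):
    """Write dest_dir/site-<UTC stamp>.tar.gz and a .sha256 file recording its digest."""
    site, dest = Path(site_dir), Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    stamp = stamp or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = dest / f"site-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site, arcname=site.name)
    Path(f"{archive}.sha256").write_text(sha256_of(archive) + "\n")
    return archive


def verify_backup(archive):
    """True only if the recorded digest still matches and the archive lists cleanly."""
    archive = Path(archive)
    recorded = Path(f"{archive}.sha256").read_text().strip()
    if recorded != sha256_of(archive):
        return False  # bit rot, truncated upload, or tampering
    try:
        with tarfile.open(archive, "r:gz") as tar:
            return len(tar.getmembers()) > 0
    except tarfile.TarError:
        return False


def prune_backups(dest_dir, keep):
    """Delete all but the newest `keep` archives; timestamped names sort oldest first."""
    archives = sorted(Path(dest_dir).glob("site-*.tar.gz"))
    doomed = archives[:-keep] if keep > 0 else archives
    removed = []
    for old in doomed:
        Path(f"{old}.sha256").unlink(missing_ok=True)
        old.unlink()
        removed.append(old.name)
    return removed


def demo():
    """Back up a constructed site three times, corrupt the newest copy, verify, then prune."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "public_html"
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php // constructed placeholder\n")
        (site / "wp-content" / "uploads" / "page1.png").write_bytes(b"\x89PNG constructed")
        dest = Path(tmp) / "backups"
        backup_files(site, dest, stamp="20230101T000000Z")
        backup_files(site, dest, stamp="20230102T000000Z")
        newest = backup_files(site, dest, stamp="20230103T000000Z")
        ok_before = verify_backup(newest)
        data = bytearray(newest.read_bytes())   # simulate silent corruption: flip one byte
        data[-1] ^= 0xFF
        newest.write_bytes(bytes(data))
        ok_after = verify_backup(newest)
        removed = prune_backups(dest, keep=2)
        remaining = sorted(p.name for p in dest.glob("*.tar.gz"))
        return {"verified_ok": ok_before, "verified_after_tamper": ok_after,
                "removed": removed, "remaining": remaining}


if __name__ == "__main__":
    print(demo())
```

Keep the backups somewhere the web server cannot write to; a hacker who can replace your site can also overwrite a backup that sits next to it.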
Plugins – Security Level Beta
Now that I’ve scared you away from ever installing another Plugin again, it turns out that not all Plugins are bad. Below are some more advanced ways to protect your website and some Plugin options to do the job.
Note of caution: As before, beware Plugin Fever! Even security Plugins can start causing problems if too many are installed. They may interfere with each other or with WP’s overall functionality, so install with care! Try them out one at a time and test your site after each. If something goes wrong, you’ll always have your back-ups to rely on.
1) Limit the Number of times a user can attempt to log in
Brute-force hacking is when a hacker bombards your site with thousands of password combinations until one works. These Plugins record the number of times an IP address has tried to reach your WordPress admin page with the wrong username/password. After a certain number of tries (you set the limit) that IP is locked out.
Plugin options: Login Security Solution, Login LockDown, Limit Login Attempts
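To show what those plugins are doing under the hood, here is an added example that is not code from the original post or from any of the plugins named above: a per-IP counter of failed logins inside a sliding window, with a lockout once the limit is reached. The limits, the IP address, the username and the password are all constructed, and the credential check is a stand-in for WordPress's own hashed-password check.

```python
"""Added example, not code from the original post or any plugin it names:
per-IP login lockout logic, written plainly so the rules are visible."""
import hashlib
import hmac
import time
from collections import defaultdict, deque


class LoginLimiter:
    """Count failed logins per IP inside a sliding window; lock the IP once the limit is hit."""

    def __init__(self, max_attempts=5, window_seconds=600, lockout_seconds=1800,
                 clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock                     # injectable so a demo can move time forward
        self._failures = defaultdict(deque)    # ip -> timestamps of recent failures
        self._locked_until = {}                # ip -> time at which the lockout ends
        self.events = []                       # audit trail worth writing to a log

    def is_locked(self, ip):
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:              # lockout expired: start fresh
            del self._locked_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip):
        """Returns True when this failure triggers a lockout."""
        now = self.clock()
        recent = self._failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:   # forget failures outside the window
            recent.popleft()
        if len(recent) >= self.max_attempts:
            self._locked_until[ip] = now + self.lockout
            self.events.append(("lockout", ip, now))
            return True
        return False

    def record_success(self, ip):
        self._failures.pop(ip, None)


def attempt_login(limiter, ip, username, password, check_credentials):
    """'locked', 'ok' or 'denied'; a locked IP is refused before the password is even checked."""
    if limiter.is_locked(ip):
        return "locked"
    if check_credentials(username, password):
        limiter.record_success(ip)
        return "ok"
    limiter.record_failure(ip)
    return "denied"


def demo():
    """Three wrong guesses lock the IP; even the right password is refused until the lockout lapses."""
    fake_now = [0.0]
    limiter = LoginLimiter(max_attempts=3, window_seconds=600, lockout_seconds=1800,
                           clock=lambda: fake_now[0])
    # Constructed user store: WordPress keeps salted hashes, so this stand-in stores a hash too.
    salt = b"constructed-salt"
    stored = {"robin": hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", salt, 100_000)}

    def check(user, password):
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(stored.get(user, b""), candidate)

    ip = "203.0.113.7"   # constructed (documentation range)
    outcomes = [attempt_login(limiter, ip, "robin", guess, check)
                for guess in ("admin", "password", "letmein")]
    outcomes.append(attempt_login(limiter, ip, "robin", "correct horse battery staple", check))
    fake_now[0] = 1900.0   # the 1800-second lockout has lapsed
    outcomes.append(attempt_login(limiter, ip, "robin", "correct horse battery staple", check))
    return outcomes, limiter.events


if __name__ == "__main__":
    print(demo())
```

The lockout events list is the part worth keeping: a burst of lockouts across many IPs in a short time is how you notice the blanket attacks described earlier, rather than finding out when the site is gone.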
2) Don’t rely on your host to keep their firewalls maintained — install your own!
Your server SHOULD have a firewall in place, but that doesn’t mean your host is maintaining it. Besides, an extra layer of protection never hurts! There are lots of options here, from the simple to the complex. Each blocks different things, including XSS, CSRF, Base64, SQL Booster, SQL injection, and directory traversal attacks. The more complex the plugin, the more it blocks, but the more likely it is to interfere with WP functionality. Evaluate your options carefully and decide which is the best fit for you!
Plugin options: BulletProof Security, OSE Firewall
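A firewall plugin is, at bottom, a set of pattern rules run against every request. The following added example (not code from the original post or from either plugin above) shows a few such rules run over constructed access-log lines, so you can see both what gets caught and why the author's warning about false positives applies: the base64 rule in particular will trip on long legitimate tokens, which is the trade-off the paragraph describes. The log lines, IP addresses and rules are all constructed and illustrative, not a complete ruleset.

```python
"""Added example, not code from the original post or any plugin it names:
request inspection of the kind a WordPress firewall plugin performs, run
over constructed access-log lines."""
import re
from urllib.parse import unquote

# Each rule is run against the fully URL-decoded request target (path plus query).
RULES = [
    ("directory_traversal", re.compile(r"\.\.[/\\]")),
    ("sql_injection", re.compile(
        r"""(?i)\bunion\b[\s\S]*\bselect\b|\bor\b\s*['"]?\d+['"]?\s*=\s*['"]?\d+|['"]\s*;\s*drop\b""")),
    ("xss", re.compile(r"(?i)<\s*script\b|javascript:")),
    ("base64_blob", re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")),   # noisy: long tokens trip it too
]

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample log (IPs from the documentation ranges). Two normal hits, then four probes.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2012:13:55:36 +0000] "GET /?p=42 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Oct/2012:13:55:40 +0000] "GET /wp-admin/ HTTP/1.1" 302 0',
    '198.51.100.9 - - [10/Oct/2012:13:56:01 +0000] "GET /index.php?file=..%2F..%2Fwp-config.php HTTP/1.1" 200 812',
    '198.51.100.9 - - [10/Oct/2012:13:56:02 +0000] "GET /?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 812',
    '198.51.100.9 - - [10/Oct/2012:13:56:03 +0000] "POST /wp-comments-post.php?c=<script>alert(1)</script> HTTP/1.1" 200 812',
    '198.51.100.9 - - [10/Oct/2012:13:56:04 +0000] "GET /?data=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlq HTTP/1.1" 200 812',
]


def decode_target(target):
    """Decode twice so a double-encoded %252e%252e%252f is inspected as '../' as well."""
    return unquote(unquote(target))


def inspect_target(target):
    """Names of every rule the decoded target trips; an empty list means it passed."""
    decoded = decode_target(target)
    return [name for name, pattern in RULES if pattern.search(decoded)]


def filter_log(lines):
    """(ip, raw target, rules) for each request that trips at least one rule, in log order."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue   # not common log format; a real tool would count these
        rules = inspect_target(m.group("target"))
        if rules:
            hits.append((m.group("ip"), m.group("target"), rules))
    return hits


if __name__ == "__main__":
    for ip, target, rules in filter_log(SAMPLE_LOG):
        print(ip, rules, target)
```

Run this over a day of your own logs before turning a rule into a block: anything it flags on your normal traffic is a rule that would break your site, which is exactly the "more it blocks, more it interferes" trade-off described above.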
3) Spam and Viruses aren’t just email concerns
We’ve all learned about the dangers of email-borne viruses and spam, but there is plenty of malicious code that specifically targets WordPress. Akismet is basic, free, and very popular, but there are other options to consider that make your site more secure for you AND your readers!
Plugin options: AntiVirus, Bad Behaviour, Antispam Bee
All-in-One Plugins
For those of you who just want a one-stop shop, there are also security plugins that slice, dice, and make julienne fries. These can be particularly helpful because they avoid plugin conflicts. Just make sure you understand where the holes are – no plugin is perfect – and take measures to shore up what these “all-in-one” plugins miss.
Plugin options: Better WP Security, 6Scan Security, Wordfence Security.
Coding and Services – Level Omega
For the code-savvy, there are ways to alter WP’s code directly to improve security. You can also change permissions on certain files to make them harder to tamper with. However, since this can interfere with WP’s functionality, I’d only recommend you fiddle with files if you are VERY comfortable with code! You can read more about WordPress’ recommended practices in the article Hardening WordPress!
If everything I’ve said sounds completely overwhelming, there are also several companies that will perform a full security overhaul. However, these services often cost between $100 and $500! Chances are, by taking basic precautions and installing a few good Plugins, your site will be as secure as it needs to be. But if you want to make your website iron-clad and back-ups, Plugins, and coding scare you, there ARE services available for you to use.
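For the code-savvy reader, a safer first move than editing WordPress files is to audit what is already there. The following is an added example, not code from the original post or from the Hardening WordPress article: a read-only check of a WordPress directory tree for the points that article covers, namely world-writable files and folders, wp-config.php being readable by everyone, the sample-file placeholder secret keys left in place, the theme/plugin editor still enabled (the DISALLOW_FILE_EDIT setting), and PHP files sitting inside the uploads folder. demo() builds a constructed temporary tree with every problem present, audits it, applies the fixes, and audits again; to use it on a real install, call audit_tree() with the web root and change nothing until you have a verified backup.

```python
"""Added example, not code from the original post or the Hardening WordPress
article: a read-only hardening audit of a WordPress tree. The tree in demo()
is constructed; audit_tree() makes no changes to anything it inspects."""
import os
import re
import stat
import tempfile
from pathlib import Path

# The placeholder text wp-config-sample.php ships for the secret keys.
PLACEHOLDER_KEY = "put your unique phrase here"
DISALLOW_EDIT = re.compile(r'''define\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*true\s*\)''')


def audit_tree(root):
    """Sorted (relative path, finding) pairs; an empty list means nothing was flagged."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        rel = str(path.relative_to(root))
        mode = path.lstat().st_mode
        if stat.S_ISLNK(mode):
            continue   # a symlink's own mode says nothing; its target is audited where it lives
        if mode & stat.S_IWOTH:
            findings.append((rel, "world-writable"))
        if path.is_file() and path.suffix.lower() == ".php" and "uploads" in path.relative_to(root).parts:
            findings.append((rel, "php in uploads"))   # uploads should hold media, never code
        if path.is_file() and path.name == "wp-config.php":
            if mode & stat.S_IROTH:
                findings.append((rel, "readable by others"))   # 440 or 400 is the usual target
            text = path.read_text(errors="replace")
            if not DISALLOW_EDIT.search(text):
                findings.append((rel, "no DISALLOW_FILE_EDIT"))  # wp-admin file editor still live
            if PLACEHOLDER_KEY in text:
                findings.append((rel, "placeholder secret keys"))
    return sorted(findings)


def demo():
    """Audit a constructed tree with every problem present, fix them, audit again."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "public_html"
        uploads = site / "wp-content" / "uploads"
        uploads.mkdir(parents=True)
        cfg = site / "wp-config.php"
        cfg.write_text("<?php\ndefine('AUTH_KEY', 'put your unique phrase here');\n")  # constructed
        stray = uploads / "stray.php"
        stray.write_text("<?php // constructed: code that should not live in uploads\n")
        for p, mode in [(site, 0o755), (site / "wp-content", 0o755), (uploads, 0o777),
                        (cfg, 0o644), (stray, 0o644)]:
            os.chmod(p, mode)
        before = audit_tree(site)
        # The fixes a hardening pass would make (on a real site: backup first, then test).
        os.chmod(uploads, 0o755)
        stray.unlink()
        cfg.write_text("<?php\ndefine('AUTH_KEY', 'constructed-long-random-value');\n"
                       "define('DISALLOW_FILE_EDIT', true);\n")
        os.chmod(cfg, 0o440)
        after = audit_tree(site)
        return {"before": before, "after": after}


if __name__ == "__main__":
    for rel, finding in demo()["before"]:
        print(f"{rel}: {finding}")
```

The audit assumes a POSIX file system, and it only reports: turning a finding into a change is the part the paragraph above warns can break WordPress, so do it one item at a time and test the site after each.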
Even if you never get beyond those first few steps, you’ll already be in a much better position to prevent and recover from a hacking attack. Don’t wait until it’s too late! Improve your WordPress security today!
Robin Dempsey is addicted to storytelling, despite all logical reasoning against this irrationally glorious pursuit. By day she works as a Mechanical Engineer, and in every spare moment outside of that she is making comics. Including in her sleep, on occasion. Addicted to world-building, character crafting, and language making, you can find the results of her sprawling storytelling pursuits at LeyLinesComic.com! Or drop a line on Twitter at RobinofLeyLines.