WordPress Security

The advantage of WordPress sites is that they are built on open-source software, which is what makes possible all the plugins and themes that let you make your site look and behave the way you want it to. The disadvantage is that WordPress has become so popular that WordPress sites are prime targets for attackers. Attackers are typically not people trying to target just your site: they write code (software robots, or "bots") that propagates itself around the internet looking for vulnerable sites, and your WordPress site is exactly the kind of target those bots look for.

I spend a lot of time making sure that our customers' websites are as secure as possible, but still hackers sometimes get through. Once a site is infected, it may be blacklisted by Google or flagged with a browser warning. Removing this blacklisting or warning can take weeks, even after the threat has been removed from your website.

A security compromise can be a very frustrating (and expensive) situation, especially when it keeps recurring. In our experience, a compromise like this happens primarily for one of two reasons.

1. The admin user has an extremely weak password like "password1234" which has been guessed by a "bot" or other automated password-guessing tool. Occasionally, however, you get a compromise where the passwords are strong and realistically could not have been guessed by a bot without triggering our brute-force protection alarms.

2. The more likely cause is that the site owner's PC is infected with some sort of malware. Many malware programs are designed to steal login credentials and send them to a remote server. Whoever controls that server then logs in with the stolen credentials and injects the victim's website with malicious code such as shell scripts, rootkits, password harvesters, JavaScript injections or hidden iframes pointing to malicious websites, or worse.
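As an added illustration of what the "brute-force protection alarms" mentioned above look for, here is a small detector written for this page (example code, not part of Wordfence or of the original post). It reads web-server access-log lines and flags IPs hammering the WordPress login endpoints. The log lines are constructed samples with documentation IP addresses; the threshold and window are assumed values. It relies on one real WordPress behaviour: a failed login to wp-login.php re-renders the form with HTTP 200, while a successful login redirects with 302, so a 302 right after a burst of 200s from the same IP is the signature of a guessed password.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed access-log sample in Apache/nginx "combined" format (not from a real
# server). 203.0.113.7 guesses five passwords and then gets in; 192.0.2.44 hammers
# xmlrpc.php; 198.51.100.9 is a normal user logging in once.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1854 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1854 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1854 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1854 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1854 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:10:00:10 +0000] "GET /wp-login.php HTTP/1.1" 200 1854 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:10:01:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
192.0.2.44 - - [10/Mar/2024:10:01:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
192.0.2.44 - - [10/Mar/2024:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
192.0.2.44 - - [10/Mar/2024:10:01:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
192.0.2.44 - - [10/Mar/2024:10:01:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop any query string
    return rec


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag IPs that POST to a login endpoint >= threshold times within the window.

    Returns {ip: {"failures": max attempts seen inside one window,
                  "success_after_failures": True if a 302 followed the burst}}.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent login POSTs
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
            continue
        ip = rec["ip"]
        if rec["status"] == 302:
            # wp-login.php redirects only on success; a success right after a
            # flagged burst means one of the guesses worked.
            if ip in flagged:
                flagged[ip]["success_after_failures"] = True
            continue
        # xmlrpc.php answers 200 whether or not the credentials were right, and one
        # system.multicall request can carry many guesses, so the burst itself is
        # the signal there.
        q = recent[ip]
        q.append(rec["ts"])
        while q and (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            entry = flagged.setdefault(ip, {"failures": 0, "success_after_failures": False})
            entry["failures"] = max(entry["failures"], len(q))
    return flagged


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

An IP that shows up with `success_after_failures` set is the case the text describes: a password that was weak enough to be guessed by a bot. An IP that is flagged without a following 302 is the normal background noise a firewall should be blocking. Run it against a real log (`detect_bruteforce(open("access.log").read())`) and expect to tune the threshold, because a single xmlrpc.php request can hide hundreds of guesses.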

I recently discovered a plugin for WordPress sites that I recommend you install to keep your site better protected. It helps to protect your site against most of these problems. Details about the Wordfence Security plugin follow:


Wordfence starts by checking whether your site is already infected. It does a deep server-side scan of your source code, comparing it to the official WordPress repository copies of core, themes and plugins. Wordfence then hardens your site and, according to its developers, makes it up to 50 times faster.


  • Includes Falcon Engine, which Wordfence describes as the fastest WordPress caching engine available today. Falcon is faster because it reduces your web server's disk and database activity to a minimum.
  • Includes support for other major plugins and themes.
  • Real-time blocking of known attackers. If another site using Wordfence is attacked and blocks the attacker, your site is automatically protected.
  • Sign in using your password and your cellphone to vastly improve login security. This is called two-factor authentication and is used by banks, government agencies and militaries worldwide for high-security authentication.
  • Enforce strong passwords among your administrators, publishers and users to improve login security.
  • Scans core files, themes and plugins against the WordPress.org repository versions to check their integrity, so you can verify that your source has not been tampered with.
  • Includes a firewall to block common threats like fake Googlebots, malicious scans from hackers and botnets.
  • Block entire malicious networks. Includes advanced IP and domain WHOIS lookups so you can identify malicious IPs or networks, block whole networks with the firewall, and report threats to the network owner.
  • See how files have changed, and optionally repair changed files that are security threats.
  • Scans for signatures of over 44,000 known malware variants.
  • Continuously scans all your comments, posts and files for malware and phishing URLs, including every URL on the Google Safe Browsing list.
  • Scans for heuristics of backdoors, trojans, suspicious code and other security issues.
  • Checks the strength of all user and admin passwords to enhance login security.

There are a bunch of other features as well, but this is a “must-have” plugin for WordPress users. I have recently installed this on a few sites and I recommend it.

Here is a link to the Wordfence site which includes a video:

http://www.wordfence.com/