WordPress Security

Overview

WordPress security is a big issue for my clients. Can you blame them? They put years of their lives into a site built on a content management system like WordPress, and in just one day it can all be wiped out. There are several different things that drive a hacker to do such things. Jealousy is probably one of the main ones. Yet there are other hackers out there who do it for the sheer joy of causing someone grief, what pathetic people! Still others have a more sinister motive, like retrieving email lists and personal information to exploit people. There are things that you can do to protect yourself and the visitors to your site. I hate hackers with a passion, and I take it personally when someone tries to hack into one of my clients' sites. This is why I stay up on security measures and on how I can protect my clients and the subscribers to my blog. Let's talk a little about hacking and spamming so that you can better understand why they do it and how they get away with it. Then let's talk about effective actions that you can take.

Hackers, why do they do it?

I have been approached several times in the past by people who wished to obliterate their competition. They felt threatened because their competition was being indexed for the keywords they needed to generate revenue. So basically their motto is: if you cannot beat them, destroy them. This happens more than some may think. There are several ways people try to eliminate competition. One is to hire a hacker to break into a competitor's website and retrieve all of its customer or subscriber information, so they can spam that list to poach customers. There are also hackers out there who break into sites to retrieve this information and sell it to so-called "marketing companies" who then send out mass emails. The point is they do it for money, sometimes lots of money.

Why Hackers Target Content Management Systems

So why do hackers target content management systems like WordPress? WordPress is licensed under the GPL (GNU General Public License); in other words, it is free. It is free for anyone to download and use, and yes, this includes hackers. When you know the structure of a system it is easier to invade, compromise or destroy it. Anyone can download WordPress, read the code and see how it is structured. This has presented many security challenges to WordPress and to other content management systems that are freely available for the public to use. The bigger reason, though, is scale: because so many sites run the same code, one known weakness in WordPress or in a popular plugin can be tried against thousands of sites automatically, and the attacker only needs a few to succeed. If you were to custom build something like WordPress you would be looking at a cost of around $50,000 or more, depending on the functionality you need. The other options are closed-source CMS systems starting at around $15,000, usually built on ASP, ColdFusion or .NET platforms. Keep in mind that a closed-source CMS is not secure just because its code is hidden; it simply gets less scrutiny, from attackers and defenders alike.

Methods of Hacking into WordPress

There are several different methods that hackers use to get into WordPress. Many site owners will notice a sudden increase in subscriber signups; this tells you that you are being targeted by spammers. Many site owners require that a person be a subscriber to their blog before leaving a comment. This may sound good, but spammers have a way around it: they have software that automatically signs up thousands of users on thousands of blogs. Hackers use this method too, and sometimes they combine it with JavaScript injection, a form of cross-site scripting (XSS). If commenters are allowed to post HTML, a script or a crafted tag can sometimes get through and redirect everyone who visits your site to another website, or load malware from it. WordPress's default comment filter already removes script tags and event-handler attributes, but it still allows a small set of tags such as links, and settings or plugins that widen that list open the door further. So if you let people leave comments, do yourself a favour and do not let them leave HTML in the comment box. I wrote a plugin for those of you who wish to block HTML comments in WordPress; you can download it here: block-html-comments.
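As an added example (it is not part of the original post and not the code of the block-html-comments plugin), here is a small must-use plugin that removes every HTML tag from a comment before WordPress stores it, and rejects outright any comment that contains a script tag or a javascript: URL. It relies only on stock WordPress hooks and functions (the pre_comment_content and preprocess_comment filters and wp_filter_nohtml_kses()); the example_ function names and the file location wp-content/mu-plugins/strip-comment-html.php are my own choices.

```php
<?php
/*
Plugin Name: Strip HTML From Comments (added example)
Description: Removes all HTML from comments and rejects obvious script injection.
*/

// Refuse to run when the file is requested directly instead of loaded by WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Remove every HTML tag from a comment before it is saved.
 *
 * WordPress's own filter on pre_comment_content (wp_filter_kses) strips <script>
 * and event handlers but still allows a few tags such as <a> and <blockquote>.
 * This runs at priority 20, after that filter, and uses wp_filter_nohtml_kses(),
 * which passes the text through wp_kses() with an empty allowed-tag list, so
 * nothing that looks like a tag survives. Using the WordPress function rather
 * than strip_tags() keeps the slash handling the comment pipeline expects.
 */
function example_strip_html_from_comments( $content ) {
    $content = wp_filter_nohtml_kses( $content );
    // Collapse the runs of spaces left behind where tags were removed.
    return trim( preg_replace( '/[ \t]{2,}/', ' ', $content ) );
}
add_filter( 'pre_comment_content', 'example_strip_html_from_comments', 20 );

/**
 * Reject, rather than silently clean, comments that look like an injection attempt.
 *
 * preprocess_comment receives the raw submitted comment data before any filtering,
 * so a <script> tag or javascript: URL at this point is deliberate, not formatting.
 */
function example_reject_script_comments( $commentdata ) {
    $raw = isset( $commentdata['comment_content'] ) ? $commentdata['comment_content'] : '';
    if ( preg_match( '#<\s*/?\s*script\b|javascript\s*:#i', $raw ) ) {
        wp_die(
            'HTML and scripts are not allowed in comments.',
            'Comment rejected',
            array( 'response' => 403 )
        );
    }
    return $commentdata;
}
add_filter( 'preprocess_comment', 'example_reject_script_comments' );
```

Any file in wp-content/mu-plugins loads automatically and cannot be deactivated from the dashboard, which is what you want for a security control. The filter makes no exception for administrators, so your own replies lose their HTML too; if you want to keep it, wrap the add_filter call in a check of current_user_can( 'unfiltered_html' ).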


There are also brute-force attempts to guess your password. Think it's impossible? Think again: people count cards in casinos and win. Even though it is difficult, it just might be worth it to the attacker in the end. Automated tools try thousands of username and password combinations against wp-login.php, and against xmlrpc.php, which uses the same authentication path, so a weak or reused password will fall. Use a long, unique password, do not keep an account named "admin", and limit failed attempts. I wrote another article on this blog called WordPress Under Attack that offers more solutions for WordPress security.
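As an added example (not from the original post or from the WordPress Under Attack article), here is a must-use plugin that slows brute-force guessing by refusing logins from a client address after five failures within fifteen minutes. It uses only stock WordPress hooks (wp_login_failed, authenticate, wp_login) and the transients API; the limits, the example_ function names and the file location wp-content/mu-plugins/login-throttle.php are my own assumptions.

```php
<?php
/*
Plugin Name: Login Attempt Throttle (added example)
Description: Blocks further login attempts from an IP address after repeated failures.
*/

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Assumed limits: five failures per client address within fifteen minutes.
define( 'EXAMPLE_LOGIN_MAX_FAILURES', 5 );
define( 'EXAMPLE_LOGIN_WINDOW', 15 * MINUTE_IN_SECONDS );

/**
 * Transient key for the calling address.
 *
 * REMOTE_ADDR is the TCP peer. Behind Cloudflare or another proxy it is the
 * proxy's address, so every visitor would share one counter; on such hosts
 * configure the web server (for example Apache's mod_remoteip, trusting only
 * the CDN's published ranges) to restore the real client address first.
 */
function example_login_throttle_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_login_fail_' . md5( $ip );
}

// Count each failure. wp_login_failed fires for a wrong username or password
// whether the attempt came through wp-login.php or xmlrpc.php.
function example_record_failed_login( $username ) {
    $key   = example_login_throttle_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, EXAMPLE_LOGIN_WINDOW );
}
add_action( 'wp_login_failed', 'example_record_failed_login' );

/**
 * Refuse authentication once the limit is reached.
 *
 * Priority 30 runs after WordPress's own username/password check (priority 20),
 * so this WP_Error overrides its result: a correct password from a throttled
 * address still fails, and the attacker learns nothing from the response.
 * Running earlier would not work, because the stock check replaces any error
 * it receives with a WP_User when the credentials are valid.
 */
function example_throttle_login( $user, $username, $password ) {
    $count = (int) get_transient( example_login_throttle_key() );
    if ( $count >= EXAMPLE_LOGIN_MAX_FAILURES ) {
        return new WP_Error(
            'too_many_attempts',
            sprintf(
                'Too many failed logins from your address. Try again in %d minutes.',
                EXAMPLE_LOGIN_WINDOW / MINUTE_IN_SECONDS
            )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'example_throttle_login', 30, 3 );

// A successful login clears the counter for that address.
function example_clear_login_failures( $user_login ) {
    delete_transient( example_login_throttle_key() );
}
add_action( 'wp_login', 'example_clear_login_failures' );
```

Because a throttled attempt is itself reported as a failed login, every further try from the blocked address restarts the fifteen-minute window, so an attacker who keeps hammering stays locked out until they stop. This slows one address; a distributed attack spread over many addresses still gets its five guesses each, which is why the password itself has to be strong.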

Plugins are another way in which hackers will try to invade your website. Only install plugins from trusted sources, such as the official WordPress.org plugin directory or the developer's own site, and stay away from "free" copies of paid plugins, which commonly carry hidden backdoors.

How to tell if you have been hacked!

There are several scanners you can run against your site. A good one is built into Google Webmaster Tools, which notifies you when Google detects malware on your pages. You can also scan your site with web-based scanners. Remote scanners only see what a visitor sees, though, so also check the server side: unexpected administrator accounts, recently modified core or plugin files, and PHP files under wp-content/uploads are strong signs of compromise.
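As an added example (not from the original post), here is a stand-alone PHP script you run from a shell on the server. The first run records a SHA-256 hash of every file under the WordPress directory into a baseline file; later runs list files that were added, removed or changed, and flag PHP files that appeared under wp-content/uploads, the classic home of a dropped web shell. The script name, the baseline file location, the skipped directories and the example_ function names are my own choices; keep the baseline outside the web root so an intruder cannot rewrite it along with the files.

```php
<?php
// wp-integrity.php (added example): baseline-and-diff integrity check for a WordPress tree.
// Usage:  php wp-integrity.php /path/to/wordpress /path/outside/webroot/baseline.json
// First run writes the baseline; later runs print what changed and exit 1 if anything did.

/** Directories whose contents change during normal operation and would only add noise. */
$EXAMPLE_SKIP_PREFIXES = array( 'wp-content/cache/', 'wp-content/upgrade/' );

/** Walk $root and return [relative path => sha256] for every regular file. */
function example_integrity_scan( $root, array $skip = array() ) {
    $root   = rtrim( $root, '/' );
    $hashes = array();
    $iter   = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $file ) {
        if ( ! $file->isFile() ) {
            continue;
        }
        $rel = substr( $file->getPathname(), strlen( $root ) + 1 );
        foreach ( $skip as $prefix ) {
            if ( strpos( $rel, $prefix ) === 0 ) {
                continue 2; // skip this file, carry on with the next one
            }
        }
        $hashes[ $rel ] = hash_file( 'sha256', $file->getPathname() );
    }
    ksort( $hashes );
    return $hashes;
}

/** Compare two scans and return the added, removed and changed paths. */
function example_integrity_diff( array $baseline, array $current ) {
    $changed = array();
    foreach ( array_intersect_key( $current, $baseline ) as $path => $hash ) {
        if ( $hash !== $baseline[ $path ] ) {
            $changed[] = $path;
        }
    }
    return array(
        'added'   => array_keys( array_diff_key( $current, $baseline ) ),
        'removed' => array_keys( array_diff_key( $baseline, $current ) ),
        'changed' => $changed,
    );
}

/** Executable code under the uploads directory is a classic sign of a web shell. */
function example_integrity_suspicious( array $paths ) {
    return array_values( array_filter( $paths, function ( $p ) {
        return preg_match( '#^wp-content/uploads/.*\.(php|phtml|php[0-9])$#i', $p ) === 1;
    } ) );
}

if ( PHP_SAPI === 'cli' && isset( $argv[2] ) ) {
    list( , $root, $baselineFile ) = $argv;
    $current = example_integrity_scan( $root, $EXAMPLE_SKIP_PREFIXES );

    if ( ! file_exists( $baselineFile ) ) {
        file_put_contents( $baselineFile, json_encode( $current ) );
        echo 'Baseline written for ' . count( $current ) . " files\n";
        exit( 0 );
    }

    $baseline = json_decode( file_get_contents( $baselineFile ), true );
    $diff     = example_integrity_diff( $baseline, $current );
    foreach ( $diff as $kind => $paths ) {
        foreach ( $paths as $p ) {
            echo strtoupper( $kind ) . "\t$p\n";
        }
    }
    foreach ( example_integrity_suspicious( array_merge( $diff['added'], $diff['changed'] ) ) as $p ) {
        echo "SUSPICIOUS\tPHP file under uploads: $p\n";
    }
    exit( ( $diff['added'] || $diff['removed'] || $diff['changed'] ) ? 1 : 0 );
}
```

Run it from cron and mail yourself the output; re-create the baseline after every WordPress, theme or plugin update, since those legitimately change files. If WP-CLI is installed, wp core verify-checksums compares the core files against the official hashes and needs no baseline at all, but it does not cover themes, plugins or uploads.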

Watch out for Plugins in WordPress!

Then there are all those old WordPress plugins that are never updated. Make sure that you keep your trusted WordPress plugins updated; there is a reason they make it easy to update, so keep up with it. DO NOT leave a plugin installed if you do not plan on using it. A deactivated plugin's files still sit on the server, and a known vulnerability in them can often still be reached directly by URL, which gives hackers a back door into your WordPress website.

How to be More Secure

So let's say that you have deleted all the old plugins you are not using and taken the other necessary steps to secure your site, like not allowing HTML in your comments. What else can you do? You can restrict access to your wp-admin folder with HTTP Basic Authentication, so that a second username and password is required before the WordPress login page is even shown. This is fairly easy, but you will need to know the path to the folder. This is the absolute filesystem path on the server, not the URL, and it looks something like this: /home/21410/domains/a1websitepro.com/html/wp-admin/. You will create two files in that directory, either through cPanel's file manager (with hidden files shown) or with an FTP program. Name one file .htaccess and the other .htpasswd. This works on Apache, or any server that honours .htaccess files, provided your host allows AllowOverride AuthConfig, which shared hosts usually do.

In the .htaccess file put the following. The AuthUserFile directive needs the absolute path to the .htpasswd file you are about to create.

[code]AuthType Basic
AuthName "restricted area"
AuthUserFile /path/to/the/directory/you/are/protecting/.htpasswd
require valid-user[/code]

The .htpasswd file holds one line per user in the form username:hash. Do not write the password in clear text; the Apache server on Linux will not accept plain-text entries. Create the file with the htpasswd tool that ships with Apache (from a shell on the server, or ask your host), which prompts for the password and stores only a hash:

[code]htpasswd -c /path/to/the/directory/you/are/protecting/.htpasswd username[/code]

Use -c only the first time, since it creates a new file; omit it to add further users. If your host allows it, keep the .htpasswd file outside the web root. And always serve the login page over HTTPS, because Basic Authentication sends the username and password base64-encoded, not encrypted, with every request.

If you have done it right, when you navigate to your WordPress login page the browser will first show its own username and password prompt, and only after you pass it will the WordPress login form appear. One caveat: plugins and themes that make front-end requests to wp-admin/admin-ajax.php will now fail for ordinary visitors, because that file sits inside the protected folder. If that happens, exempt the one file with a <Files admin-ajax.php> section containing Order allow,deny, Allow from all and Satisfy any in the same .htaccess.

More ways to secure WordPress

There is another way to block access to your wp-admin folder and restrict login access to just you: allow only your own IP address. The first thing you will need is your IP address. To get it, just type "What is my ip" into Google and it will show it to you. Be aware that most home and mobile connections get a new address from time to time; when yours changes you will be locked out along with everyone else, so keep FTP or cPanel access handy to edit the file.


After you have your IP address you can proceed with the following solution. NOTE: if you are on Cloudflare or any other CDN (Content Delivery Network) this method will not work as written. Every request then reaches your server from the CDN's address rather than the visitor's, so REMOTE_ADDR never matches yours and the rule would lock you out as well. On such a setup the real client address has to be restored from the CDN's header first (for example with Apache's mod_remoteip, trusting only the CDN's published address ranges) before a rule like this can be used.

So let's say that you want to allow only one IP address to reach the login screen. This is the process. Open the .htaccess file in your WordPress root directory (the one that already contains the # BEGIN WordPress block) and add the lines below above that block; create the file if it does not exist. Do not forget the "." right before htaccess. The wp-admin folder alone is the wrong place for this rule: wp-login.php lives in the root, and a rule inside wp-admin/.htaccess never sees requests for it. If you are using cPanel you will have to tick the box to show hidden files; with an FTP program you can just create or edit the file. Replace the 123 numbers with your IP address, and keep the backslashes "\" before the dots: they make the dot literal in the regular expression, so 123.123.123.123 does not also match 123x123x123x123.

[code]<IfModule mod_rewrite.c>
RewriteEngine on
# admin-ajax.php is called by front-end plugins for every visitor; delete this line if nothing on your site uses it
RewriteCond %{REQUEST_URI} !admin-ajax\.php
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(/.*)?$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>[/code]

If you want to allow more than one IP address, use the following code instead. The address conditions are ANDed, so a request is refused only when it matches none of the listed addresses.

[code]<IfModule mod_rewrite.c>
RewriteEngine on
# admin-ajax.php is called by front-end plugins for every visitor; delete this line if nothing on your site uses it
RewriteCond %{REQUEST_URI} !admin-ajax\.php
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(/.*)?$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.121$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.122$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>[/code]

If this is all too much

If you find this too cumbersome, you can contact me through the work order form and I will install it for you.


WordPress Security was last modified: January 4th, 2014 by Maximus Mccullough
