Your Site Needs to Be More Secure
I’ve been the admin of a few dozen WordPress installs for over seven years now, and if there’s one thing that keeps me up at night it’s the thought of one of my sites getting hacked. As a result I’ve developed a not-too-healthy state of constant paranoia. I subscribe to several security-focused blogs, I follow security plugin developers on Twitter, and I watch any wordpress.tv episodes on security. I immediately update any security upgrade releases and test, then upgrade, any release of plugins, themes and core files. All to keep those sites secure. Like I said, not too healthy, but so far it’s working and I haven’t had a ton of trouble on my sites (other than of my own devising).
Let’s talk security a bit and what you absolutely SHOULD be doing as additional measures on top of a standard WordPress install. If you have any suggestions, please let me know; I’ll gladly look into them. Like I say often, this may not be the way it’s done, but it’s how I’m doing it. Teach me to be better if you know how.
Your Password is Crap, Fix it Already
There’s one reason more than any other why sites get hacked: weak passwords, and that is simply user error. Every admin who has admitted to me that their site was hacked traced it back to users with weak passwords. You, as the site admin, need to fix this situation.
A WordPress login has two parts, a username and a password, and it is tempting to treat the username as a second secret. It isn’t. If an attacker knows your username, only the password stands between them and your site, and the username is usually easy to get: by default it is tied to the author’s name, if not identical to it, WordPress prints the author on every post and page, and the login name is the default slug in author archive URLs. Even a user with a variant of their real name as a username won’t slow a bot down for long. I’ve done it manually in only a few tries when I knew the owner of a design firm who sets up sites for clients. Trouble is, not knowing the real names of the people involved barely slows a bot down either; with author names sitting on every post, a username can be read straight off the site or guessed in at most a few thousand attempts.
Simple solution: turn on Unique UserNames, an option in iThemes Security which forces users to create a username that is NOT their author name. While you’re creating usernames, add the company name to the username: that makes it that much harder to guess but easy for the client to remember. Do your site a favour and turn that feature on every time, right after you create the site and install iThemes Security (until it becomes part of WordPress core, hint, hint). I rely on the iThemes team for security information about WordPress site installs. They’re the best, IMO, and you should use them too. There are probably other great security plugins out there, but I find iThemes the best of the bunch in terms of usability and knowledge.
Turn It On – Strong Passwords
Also in iThemes is the ability to force different user levels to have a strong password. Turn that on for every user level. Yes, I said EVERY user level. I don’t care if you’re a subscriber. A subscriber account can’t publish anything, but any valid login is a foothold for the next plugin bug that lets a low-privilege user escalate. Sorry, but if you’re logging into one of my sites you had better have a good password. I’m not letting my sites get hacked because your beloved pet’s name, which you brag about on Facebook, is your easy-to-remember password. Nope. Not happening.
Want a tough password you can still remember? One trick: take a reasonably long proper name (8+ characters, with a capital letter), type it backwards, sprinkle in a few numbers and a few special characters along the way, and type it out a few dozen times until it sticks. One caveat: reversing a word and swapping in digits and symbols are exactly the mangling rules that password-cracking tools apply to their wordlists, so a reversed name buys far less than its appearance suggests. Length is what makes guessing take forever, so prefer a long passphrase of unrelated words, or better still let a password manager generate and remember a random one. Weak passwords are simply users and admins being lazy, but you’re better than that, right?
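To make the two rules above concrete, here is a small policy checker, added for this post rather than taken from WordPress core or from iThemes Security. It rejects usernames that a reader could derive from the public author name (covering the Unique UserNames point) and rejects passwords that are too short, too uniform, or built from the user’s own identity strings forwards or reversed, which is why the reversed-name trick is caught. The 12-character minimum, the character-class rule and the substitution table are assumptions chosen for the example.

```python
import re

# Constructed policy. The thresholds below are assumptions for this example,
# not the settings of WordPress core or of any security plugin.
MIN_LENGTH = 12

# Common "sprinkle in numbers and symbols" substitutions, undone so that a
# disguised name compares equal to the bare name.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalise(text: str) -> str:
    """Lower-case, undo leet substitutions, then keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))


def name_candidates(display_name: str) -> set:
    """Guesses a bot would derive from a public author name: each word,
    the full name without spaces, and first initial + last word."""
    words = [normalise(w) for w in display_name.split() if normalise(w)]
    cands = set(words)
    if words:
        cands.add("".join(words))
        if len(words) > 1:
            cands.add(words[0][0] + words[-1])
    return cands


def check_username(username: str, display_name: str) -> list:
    """Reject usernames a reader of the site could derive from the author name."""
    problems = []
    if normalise(username) in name_candidates(display_name):
        problems.append("username is derivable from the public author name")
    return problems


def check_password(password: str, identity: list) -> list:
    """Apply the strong-password rules, then reject passwords that contain any
    identity string (username, author name, company) forwards or backwards,
    even after digits and symbols have been sprinkled in."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 4:
        problems.append("needs lower, upper, digit and symbol characters")
    core = normalise(password)
    for term in identity:
        for t in {normalise(term)} | name_candidates(term):
            if len(t) >= 4 and (t in core or t[::-1] in core):
                problems.append(f"contains identity string {term!r} forwards or reversed")
                return problems
    return problems


if __name__ == "__main__":
    identity = ["jsmith", "John Smith"]           # constructed sample user
    print(check_username("jsmith", "John Smith"))
    print(check_password("Htimsnhoj123!", identity))   # reversed "John Smith"
    print(check_password("Correct-Horse-Battery-9", identity))
```

Run it and the reversed, number-sprinkled author name comes back rejected while the long passphrase passes. The identity list is the useful part: feed it the login name, display name, nickname and company so a password cannot be built from anything the site already publishes.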
Bot Mentality or Why MY Site?
A little time should be given to explaining what’s going on out there and WHY people and bots are trying to get into your site. Quick answer: they aren’t, at least not into yours specifically.
Bots and hackers want the low-hanging fruit when it comes to gaining access to a site. They want lots of fruit, so they’ll try for a bit, see if what they’ve set up works, and tend to move on if it doesn’t. Remember, it’s not personal (usually): they don’t want YOUR site, they want ACCESS to a site and a server to run their own code on. In fact, this may already have happened without you knowing it, and you won’t know until they trigger the code they planted on your machine. So it’s not about you or your site; it’s just a numbers game to a computer program, and given forever to try, it will eventually get through the security of any site.
Next step: don’t give them forever! If nothing on your site delays or locks out a client after repeated failed logins, you’re asking for trouble. If a bot can take a few thousand guesses a minute at your login form, it’s only a (short) matter of time before it gets in. Bots don’t get tired. They’ll keep trying and trying and trying. However, if you slow them down, each guess costs them time they could spend on sites that don’t, and they move on.
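Here is what “don’t give them forever” looks like as logic, as an added example rather than the code of any WordPress plugin. The throttle doubles the wait after every failed login for a key (username, client IP, or both) and hard-locks the key after ten failures; the simulation then fires the text’s bot, a thousand guesses a minute for an hour, at one account and counts how many guesses ever reach the password check. The 2-second base delay, 10-failure limit and 1-hour lockout are assumptions chosen for the example.

```python
import time
from collections import defaultdict


class LoginThrottle:
    """Per-key failure counter with exponential back-off and a hard lockout.

    Constructed example, not the logic of any particular WordPress plugin;
    the thresholds are assumptions chosen for illustration. `key` is whatever
    you throttle on (username, client IP, or a combination of both)."""

    def __init__(self, base_delay=2.0, max_failures=10, lockout=3600.0,
                 clock=time.monotonic):
        self.base_delay = base_delay      # delay after the first failure
        self.max_failures = max_failures  # failures before the hard lockout
        self.lockout = lockout            # hard lockout length in seconds
        self.clock = clock                # injectable so tests are deterministic
        self._failures = defaultdict(int)
        self._blocked_until = defaultdict(float)

    def retry_after(self, key: str) -> float:
        """Seconds until `key` may try again; 0.0 means the attempt is allowed now."""
        return max(0.0, self._blocked_until[key] - self.clock())

    def record_failure(self, key: str) -> float:
        """Register a wrong guess and return the delay imposed: 2, 4, 8, ... s,
        then the hard lockout once max_failures is reached."""
        self._failures[key] += 1
        n = self._failures[key]
        delay = self.lockout if n >= self.max_failures else self.base_delay * 2 ** (n - 1)
        self._blocked_until[key] = self.clock() + delay
        return delay

    def record_success(self, key: str) -> None:
        """A correct login clears the counters for that key."""
        self._failures.pop(key, None)
        self._blocked_until.pop(key, None)


class FakeClock:
    """Simulated time so the hour-long brute-force run below finishes instantly."""

    def __init__(self):
        self.t = 0.0

    def now(self) -> float:
        return self.t


def simulate_brute_force(guesses_per_minute=1000, window_seconds=3600,
                         throttled=True):
    """Fire wrong guesses at one account as fast as the bot in the text does and
    return (guesses_sent, guesses_that_actually_reached_the_password_check)."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock.now)
    interval = 60.0 / guesses_per_minute
    total = guesses_per_minute * window_seconds // 60
    checked = 0
    for i in range(total):
        clock.t = i * interval                 # the bot never waits; it keeps sending
        if not throttled or throttle.retry_after("admin") == 0.0:
            checked += 1                       # the password comparison actually runs
            throttle.record_failure("admin")
        # otherwise the request is refused before any password check happens
    return total, checked


if __name__ == "__main__":
    print("no throttle:", simulate_brute_force(throttled=False))
    print("throttled:  ", simulate_brute_force())
```

Unthrottled, all 60,000 guesses are evaluated; with the throttle, only ten reach the password check before the account is locked for the rest of the hour. Two caveats when you wire this into a real login path: keying on the username alone lets anyone lock the admin out by guessing wrong on purpose, keying on the IP alone is defeated by a botnet spreading its guesses across many addresses, so most deployments count both. And count failures at the authentication layer, not per HTTP request, because WordPress’s xmlrpc.php accepts a system.multicall that can carry hundreds of login attempts in a single request.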
Which brings us to the next level of security: malware scanning. If a bot IS successful despite everything you’ve done, you may never know it. Yep. You’ll go on your merry website way until it goes horribly, horribly wrong and a full restore is required. That is a bad situation to be in: you have to restore from a point BEFORE the bot got in, you have no idea when that was, and the further back you go the more data you lose. The way out is to have something in place that scans your site for malicious code, and once again the iThemes Security plugin has you covered there. It’s a “signup required” kind of feature, but do it for your peace of mind.
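The cheapest version of “know when they got in” is a file-integrity baseline: hash every file in the install once it is clean, re-hash on a schedule, and alert on anything added, removed or changed. The example below is added here to show that idea in working code; it is not the scanner iThemes Security uses. It builds a tiny constructed install in a temporary directory, takes a baseline, simulates a compromise (a line appended to a core file and a hidden PHP file dropped into uploads), and reports the difference. It also flags PHP anywhere under wp-content/uploads regardless of the baseline, since that web-server-writable directory is where dropped web shells end up; the file names and contents are constructed samples.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large uploads are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under the install (POSIX path relative to root) to its hash."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Files that appeared, disappeared or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def php_in_uploads(manifest: dict) -> list:
    """PHP under wp-content/uploads is never legitimate: the web server can
    write there, which is exactly where a dropped web shell lands. Flag it
    whether or not it was already present when the baseline was taken."""
    return sorted(p for p in manifest
                  if p.startswith("wp-content/uploads/") and p.lower().endswith(".php"))


def demo() -> dict:
    """Constructed scenario: a tiny fake install, a clean baseline, then a
    simulated compromise that backdoors a core file and drops a shell in uploads."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "wp-content/uploads/2014").mkdir(parents=True)
        (root / "wp-includes/functions.php").write_text("<?php\n// core helpers\n")
        (root / "wp-config.php").write_text("<?php\ndefine('DB_NAME', 'wp');\n")
        (root / "wp-content/uploads/2014/photo.jpg").write_bytes(b"\xff\xd8\xff constructed")
        baseline = build_manifest(root)

        # Simulated compromise (constructed): a backdoor line appended to a core
        # file, plus a dot-file PHP shell hidden among the uploads.
        with (root / "wp-includes/functions.php").open("a") as f:
            f.write("eval($_POST['c']); // constructed backdoor line\n")
        (root / "wp-content/uploads/2014/.cache.php").write_text("<?php eval($_POST['x']);\n")

        current = build_manifest(root)
        report = compare(baseline, current)
        report["suspicious"] = php_in_uploads(current)
        return report


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Two things matter when you run this for real. Keep the baseline manifest somewhere the web server cannot write (off the box, or at least signed), because an attacker who can edit functions.php can edit a manifest sitting next to it just as easily. And for WordPress core files you don’t need your own baseline at all: WP-CLI’s `wp core verify-checksums` compares the install against the checksums WordPress.org publishes for that release, which is the ideal “known clean” reference for the one part of the site you never edit by hand.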
I’ve just covered a few basics of the additional WordPress security measures in this post and how iThemes can help your site security. I suggest reading the tutorials for the iThemes plugin as a good place to get started on your path to a rock solid site. And, as always, contact me if you need some help.