Every day we must get at least 5-6 emails from the websites we own. But, these aren’t nice ‘you’ve made a sale emails’ they’re emails from our security system telling us someone is trying to hack into one of our sites.
Why? Because we use WordPress to power many of our sites – just like virtually every other small business going. The problem is that out-of-the-box WordPress has virtually no protection against hackers. It is also open source which means anyone can view the source code and people can, and do, write exploits designed to target this popular website platform.
As a result there are literally millions of bots (for you non-techie people that’s a piece of code which runs automated tasks across the Internet) that actively hunt out WordPress sites and try to find their way in. This happens every second of every day.
In fact, the amount of online attack/hack attempts is rising all of the time. Check out this live attack map to see just a small fraction of all online attack attempts that are happening right now. This is why it is more important than ever before to secure your site.
Why would anyone want to hack my website?
For the most part it's very unlikely an actual hacker would be targeting your website (unless you happen to work for Vodafone and are reading this article!).
However, these bots aren’t very smart and they can’t tell if you’re a mom and pop business or a fortune 500 company and, like the Terminator, they are relentless. But instead of hunting Sarah Connor they are hunting ANY WordPress site.
If my site is hacked what could happen?
This depends on what you use your website for.
If you run an e-commerce site it can be disastrous because your customers' details could be stolen and sold on. If you are an affiliate marketer you could lose your source of income.
Either way it can take a long time and a lot of expense to sort out a hacked site – especially if you don’t take regular backups.
That will never happen to me!
Don’t be so sure. In the past 6 months I’ve had to disinfect two compromised WordPress sites. One was hijacked and thousands of spammy pages were built all over their site and the second was used to link back to porn sites.
The two ‘companies’ who own these sites are sole traders and neither of their websites hold any information of any value which has not already been published for the world to see. They were just two simple business blog sites. But, they were hacked and compromised by indiscriminate bots all the same. It really can happen to anyone.
In this guide I’ll show you how you can significantly reduce the chances of this ever happening to you.
WordPress can be a fickle beast and installing any plugin that fundamentally alters how it works has some risks and, although minimal, it is possible you could break your site. This is why it is really important you back up your entire site before you begin. This means backing up both your database and website files. The usual disclaimers apply here and we won’t be held responsible if you break your site. If you don’t know how to backup WordPress check out this handy tutorial here.
Now that your site has been backed up, let's begin…
1. Install the iThemes plugin
Start by logging into your WordPress site and clicking on Plugins → Add New.
Next, search using the phrase iThemes Security and install the plugin shown below.
After installing the plugin you’ll notice two messages in your WordPress install. Close these for now to free up some working room.
2. Security check
We’re now ready to start configuring the plugin. Start by navigating to the Security icon in the main WordPress menu and clicking on Settings.
Because this is the first time you have accessed the plugin it will ask you to perform a security check. Click the secure site button to begin the process. The beauty of this feature is that it allows iThemes to essentially configure most of the important settings by itself.
Once the security check has completed you will be asked to enter your email address to activate brute force protection. I’d recommend doing this because it will allow your site to automatically identify and ban bots faster by accessing a shared pool of information, kind of like a database of bad-bots. And the fewer attempts a bot has to compromise your site the more secure it will be.
Not only that but every time your site identifies a bad-bot it will notify other sites running the iThemes plugin helping to protect other small businesses just like yours.
3. Change the default layout
Now that brute force protection is activated we need to make the iThemes dashboard a little easier to work with. Change the view from tiles to a list by clicking the list icon on the top left-hand side of the screen. Viewing the settings as a list makes it much easier to see which settings are active, and it also lets you access and configure each one much more easily.
4. 404 detection
The first setting we need to manually enable is 404 detection. Click the enable button to the right of the setting item marked 404 detection. There is no need to configure any of the settings here because the default ones are more than adequate.
A 404 error happens when a visitor to your site tries to access a file, page or directory which does not exist. Sometimes this happens by accident when a visitor clicks on a link to visit a page on your site which no longer exists or tries to view an image which has been deleted. In most cases this is normal and is nothing to be concerned over.
However, bots can generate lots of 404 errors in a very short space of time because they can send thousands of requests to your site looking for plugins which have known security holes or to access insecure directories or even files left over from the installation of WordPress. When this happens it is a sure sign something bad is going on. With 404 detection active the bot will be automatically added to a blacklist for a short space of time and any more connections it makes to your site during that time are refused. This stops the bot from hogging valuable resources on your server and makes it much harder for it to find a way into your site.
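The 404 detection described above, as an added worked example (not the plugin's own code): it replays Apache access-log lines, counts 404s per client IP inside a sliding window, locks a client out once it crosses the threshold and refuses its requests until the lockout expires. The "20 attempts" figure is from this post; the 5-minute window, the 15-minute lockout and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed thresholds: 20 errors inside a 5-minute window earns a 15-minute lockout.
# Only the "20" figure comes from the post; the window and lockout lengths are assumed.
ERROR_THRESHOLD, CHECK_PERIOD, LOCKOUT = 20, timedelta(minutes=5), timedelta(minutes=15)
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, timestamp, request, status) from an Apache combined-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req"), int(m.group("status"))

def detect_404_bursts(lines):
    """Replay log lines in order; return ({ip: lockout_expiry}, {ip: refused_request_count}).
    A client that hits ERROR_THRESHOLD 404s inside CHECK_PERIOD is locked out, and every
    request it makes before that lockout expires is refused and counted."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent 404s
    lockouts, refused = {}, defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _req, status = parsed
        if ip in lockouts and ts < lockouts[ip]:
            refused[ip] += 1
        elif status == 404:
            window = recent[ip]
            window.append(ts)
            while ts - window[0] > CHECK_PERIOD:  # forget 404s older than the check period
                window.popleft()
            if len(window) >= ERROR_THRESHOLD:
                lockouts[ip] = ts + LOCKOUT
                window.clear()
    return lockouts, dict(refused)

def make_sample_log():
    """Constructed sample: one normal visitor, then a bot probing 25 plugin paths."""
    base = datetime(2023, 10, 10, 2, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "GET {path} HTTP/1.1" {st} 210 "-" "{ua}"'
    lines = [fmt.format(ip="203.0.113.7", ts=base, path="/about/", st=200, ua="Mozilla/5.0")]
    for i in range(25):  # probes three seconds apart for plugins this site does not have
        lines.append(fmt.format(ip="198.51.100.9", ts=base + timedelta(seconds=3 * i),
                                path=f"/wp-content/plugins/probe{i}/readme.txt", st=404,
                                ua="python-requests/2.31"))
    return lines
```

Running `detect_404_bursts(make_sample_log())` locks the probing bot out after its 20th miss and refuses its remaining five requests, while the ordinary visitor is never touched.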
5. Away mode
Next we’ll look at enabling away-mode. This nifty little feature locks-down your WordPress dashboard for a set time every day – for example when you are sleeping. This significantly limits the ability of bots to crack your password because during this time all attempts to login will be rejected.
For those of you who may be worried about not being able to access your WordPress dashboard for a certain time every day – don’t be! I’m a known workaholic and on every one of my WordPress installs the away-mode feature is active between 12am and 6am and this has never caused me any problems. Of course, you can set your own away-time to suit your working times and personal preferences.
It is important to be very clear here that your site will still be live and accept visitors during the away-mode times; however, you, and everyone else, won’t be able to log in.
Simply set the start and end times using the drop down boxes and click the save settings button.
6. System tweaks
As a programmer I know a good number of ways a system can be compromised. Quite often it is the littlest of things which can leave a system wide open to exploit and cause a great deal of damage. In the final two settings I will show you exactly how to protect yourself against these small loopholes.
Click the enable button on the system tweaks settings and scroll down so you can see the first set of options comfortably.
Tick the following options:
Protect System Files. After installing WordPress some files can be left behind which could open your site up to exploits. Also, wp-config.php is housed directly in the public folder for your website, which, if compromised, would provide the login credentials to your website database – yikes! Tick this option to ensure these kinds of files can never be accessed publicly.
The next option stops directory browsing. This is quite an old exploit now and was much more common in the early noughties. Essentially, when you browse to a root URL such as www.website.com or a folder on the website such as www.website.com/folder, the webserver looks for an index file. If the index file is not present it would (on older or more insecure servers) list the contents of that folder. Unfortunately this list could expose anything from the key files that power your site to your entire website code.
Most modern webservers prevent directories from being listed if no index file is present. However it has still(!) been known to happen today on some of the cheaper hosting platforms. It is for this reason that I’d recommend activating this option.
The next option filters suspicious query strings. This setting is a must. One of the oldest tricks in the book is injection attacks. This occurs when a hacker attempts to pass or inject code into your system at any point where you process data or input. This is done in order to gain access or simply to cause damage to a system. Activating this setting ensures that any time anything is passed into the URL of your website which shouldn’t be there, such as www.yoursite.com/somedodgyscript, it is removed.
The following two tick boxes Filter Non-English Characters and Filter Long URL Strings should also be ticked to help further protect your site from similar exploits like the one above.
The last setting you need to tick is Disable PHP in Uploads. When you upload a file to your WordPress site it is stored in the ‘uploads’ folder. This folder needs to be accessible publicly so that visitors to your site can view your images or download any documents you have shared. But, as you will have guessed, the hackers know about this folder because it represents a potential weak point. When a site is compromised, hackers will often upload a series of PHP scripts into this folder that will give them access to your site.
Enabling this setting ensures that if they do manage to upload a PHP script into your uploads folder it will refuse to run and, therefore, be harmless.
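The two weak points behind Protect System Files and Disable PHP in Uploads can also be audited on the server itself. This added script (my own example, not part of the plugin) walks a WordPress document root and reports leftover install files and PHP-executable files sitting in the uploads tree; the list of leftover filenames and executable extensions, and the sample tree it builds, are assumptions for the example.

```python
import tempfile
from pathlib import Path

# Stock files a fresh WordPress install ships that a live site never needs to serve.
# Assumed list for this example, not taken from the plugin.
LEFTOVER_FILES = ("readme.html", "license.txt", "wp-config-sample.php", "wp-admin/install.php")
# Extensions a PHP-enabled web server may execute if they appear in the uploads tree (assumed).
PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".php7", ".phar"}

def audit_docroot(docroot):
    """Audit a WordPress document root for leftover install files and PHP in uploads.
    Returns {'php_in_uploads': [relative paths], 'leftover_files': [relative paths]}."""
    root = Path(docroot)
    findings = {"php_in_uploads": [], "leftover_files": []}
    uploads = root / "wp-content" / "uploads"
    if uploads.is_dir():
        for p in sorted(uploads.rglob("*")):
            # Look at every suffix in the name, not just the last one
            if p.is_file() and any(s.lower() in PHP_EXTENSIONS for s in p.suffixes):
                findings["php_in_uploads"].append(p.relative_to(root).as_posix())
    for rel in LEFTOVER_FILES:
        if (root / rel).is_file():
            findings["leftover_files"].append(rel)
    return findings

def build_sample_docroot(root):
    """Constructed sample tree: a legitimate image, a planted PHP file, one leftover file."""
    root = Path(root)
    for rel in ("wp-content/uploads/2023/10/logo.png",
                "wp-content/uploads/2023/10/cache.php",
                "readme.html", "wp-config.php"):
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("sample")
    return root

def demo():
    """Build the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_docroot(build_sample_docroot(tmp))

if __name__ == "__main__":
    print(demo())
```

Point `audit_docroot()` at a real document root to list what the two settings are meant to neutralise; an empty result for both keys is what you want to see.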
7. Load the advanced settings
The final setting we need to activate is located in the advanced settings for iThemes, so click on the advanced tab on the top right hand side of the screen.
Next click on the configure settings button for the hide backend feature and then click on the Enable the hide backend feature checkbox.
In the login slug textbox enter a new login url for your website. For example, if you wanted to login using www.yourwebsite.com/bobs-secret-login-page then enter bobs-secret-login-page. Once you’re happy with your new login address click the save settings button.
Don’t forget! when you change this setting you will no longer be able to login using the wp-admin address so make sure you remember your new login URL!
Why change the address I use to login? Doing this makes it just that little bit more difficult for automated bots to break into your site. If they can’t find the login URL then they can’t try to brute force attack your site. Plus, because the default wp-admin slug no longer exists, any attempts to access this page will trigger a 404 error and, after 20 attempts, the 404 detection feature we activated above will trigger and lock the bot out of your site entirely.
Even though newer versions of WordPress will ban sites after so many failed login attempts, this approach is more elegant because the bot doesn’t get a single chance to try to ‘guess’ your password.
That’s it. If you’ve followed the guide above you should now have one pretty secure website.
My site is 100% secure now, right?
Um, not quite… But, that’s only because no system can ever be 100% secure. New exploits, cracks, bots and other nasties are created every day. But, you know what? Your site is now much more secure than 99.99% of all other WordPress sites online right now.
You are also protected against nearly all of the more common bots and hacks available for WordPress, which will vastly reduce the chances of your site ever getting hacked.