tekSolution: Protect & Defend against attacks on Wordpress
Recently, we published a support article on our knowledge base regarding how we have implemented security measures on Wordpress websites. Because we think this information is valuable to everyone, we are elaborating here on the topic.
Security is an increasing concern for WordPress websites, especially since the rise of bad bots on the internet last year. These automated bad actors may be doing anything from scanning your website for security holes up to and including performing brute force attacks on your login page. So, don't let all your marketing efforts to drive traffic to your website be halted by these potential issues; follow some simple steps to improve security on your WordPress website today.
NOTE: This guide is meant for shared hosting accounts. If you have a VPS (Virtual Private Server), consider other/additional measures that work on the server or network level, specifically related to blocking malicious traffic, so that you can stop it BEFORE it hits your application.
Create a backup
Before making any changes to your website, it is always a good idea to back up your files and database. How you go about this largely depends on your website host. If your host offers a backup tool, that is usually the best option. If it does not, we recommend using UpdraftPlus. You can take this a step further and turn on maintenance mode, so that users cannot reach the website while you are making changes. Or better yet, make the changes in a staging or local development environment first.
Install some plugins
Decent security doesn't require a subscription. The beauty of WordPress is its large library of community supported plugins. Sure, there are paid tiers and services out there. However, if you are growing, you might not have hundreds or thousands to spend. We have found that a combination of the Wordfence and AIOWPS (All In One WP Security) plugins offers many of the most important security features available on the market:
- Scheduled virus scan
- Monitor file changes
- Monitor available plugin updates
- Brute force protection
- Firewall
Some basic settings
After you install these security plugins on your WordPress website, it is important to make some changes to the configuration. By default, many of the available features are not turned on, and for good reason: some security features may lock you out of your website. So, check that your backup and restore plan is in place (see above). When you are ready, download & import our configurations for Wordfence and AIOWPS.
If you do choose to use our default configuration files, please note the following changes to your website that may affect you directly:
- Your WP login URL is now /knockknock (Ex: http://example.com/knockknock). Note that this only hides the login page from bots that look for the default /wp-login.php; it does not replace a strong password or the lockout rules below.
- You will need to log in every 60 minutes (authentication timeouts are enabled)
- Email alerts are set up, but might need to be altered (Wordfence > All Options > "Where to email alerts" & WP Security > scanner > "Send Email When Change Detected")
- After 3 failed login attempts within 5 minutes from the same network (public IP), attempts from that network will be locked out for 1 hour (WP Security > User login > Login Lockdown)
- After 20 consecutive failed login attempts within a 4 hour period, that user will be locked out for 4 hours
If any of these settings are too restrictive for your site, adjust them to suit your needs.
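The two lockout rules above are easier to reason about on concrete input, because they catch different attacks and have different side effects. The following is an added example, not code from Wordfence, AIOWPS or the original post: a small Python model of both rules with the thresholds quoted above (rule 2 is modelled per account, as the text states it), run over constructed login attempts. The outcome names, IP addresses, user names and timings are assumptions for illustration only.

```python
"""Added illustration of the two Login Lockdown rules listed above (not code from
Wordfence or AIOWPS). Thresholds mirror the settings in the text; the attempts
fed to it are constructed sample data."""
from collections import defaultdict, deque
from typing import Deque, Dict, List

# Rule 1, per network (public IP): 3 failures within 5 minutes -> locked 1 hour.
IP_MAX_FAILS, IP_WINDOW, IP_LOCKOUT = 3, 5 * 60, 60 * 60
# Rule 2, per user: 20 consecutive failures within 4 hours -> locked 4 hours.
USER_MAX_FAILS, USER_WINDOW, USER_LOCKOUT = 20, 4 * 60 * 60, 4 * 60 * 60


class LoginLockdown:
    """Tracks failed attempts per IP and per user; timestamps are in seconds."""

    def __init__(self) -> None:
        self.ip_fails: Dict[str, Deque[int]] = defaultdict(deque)
        self.user_fails: Dict[str, Deque[int]] = defaultdict(deque)
        self.ip_locked_until: Dict[str, int] = {}
        self.user_locked_until: Dict[str, int] = {}

    @staticmethod
    def _record(fails: Deque[int], ts: int, window: int) -> int:
        """Append a failure, drop failures older than the window, return the count."""
        fails.append(ts)
        while fails and ts - fails[0] > window:
            fails.popleft()
        return len(fails)

    def attempt(self, ts: int, ip: str, user: str, ok: bool) -> str:
        """Process one login attempt and return its outcome:
        allowed | failed | ip-lockout | user-lockout | ip-blocked | user-blocked."""
        if self.ip_locked_until.get(ip, 0) > ts:
            return "ip-blocked"            # network is serving its 1 hour lockout
        if self.user_locked_until.get(user, 0) > ts:
            return "user-blocked"          # account is serving its 4 hour lockout
        if ok:
            self.user_fails[user].clear()  # a success ends the consecutive streak
            return "allowed"
        ip_hits = self._record(self.ip_fails[ip], ts, IP_WINDOW)
        user_hits = self._record(self.user_fails[user], ts, USER_WINDOW)
        if ip_hits >= IP_MAX_FAILS:
            self.ip_locked_until[ip] = ts + IP_LOCKOUT
            self.ip_fails[ip].clear()
            return "ip-lockout"            # this failure tripped the per-IP rule
        if user_hits >= USER_MAX_FAILS:
            self.user_locked_until[user] = ts + USER_LOCKOUT
            self.user_fails[user].clear()
            return "user-lockout"          # this failure tripped the per-user rule
        return "failed"


def single_source_attack(n: int = 6) -> List[str]:
    """One IP guesses 'admin' passwords 10 s apart: the per-IP rule fires on #3."""
    ld = LoginLockdown()
    return [ld.attempt(100 + 10 * i, "203.0.113.7", "admin", False) for i in range(n)]


def low_and_slow_attack(n: int = 22) -> List[str]:
    """Same IP, one guess every 4 minutes: never 3 inside a 5 minute window, so
    the per-IP rule is evaded; the per-user rule still fires on the 20th failure."""
    ld = LoginLockdown()
    return [ld.attempt(240 * i, "203.0.113.7", "admin", False) for i in range(n)]


def shared_office_ip() -> List[str]:
    """Two staff behind one NAT: alice mistypes three times, so bob is blocked for
    an hour even with the right password, and gets in once the lockout expires."""
    ld = LoginLockdown()
    ip = "192.0.2.10"
    out = [ld.attempt(t, ip, "alice", False) for t in (0, 30, 60)]
    out.append(ld.attempt(90, ip, "bob", True))
    out.append(ld.attempt(90 + IP_LOCKOUT, ip, "bob", True))
    return out


if __name__ == "__main__":
    for name, fn in (("single source", single_source_attack),
                     ("low and slow", low_and_slow_attack),
                     ("shared office IP", shared_office_ip)):
        print(f"{name}: {fn()}")
```

Run it directly to print the three scenarios. Two things to take from it: the per-IP rule's short window is evaded by a guesser that simply slows down, and it is the per-user rule with the longer window that catches that; and because the per-IP rule keys on the public address, one colleague's typos lock out everyone behind the same office NAT for an hour, which is exactly the kind of self-lockout the text warns about before you import the settings.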
Limit your Admin
Finally, it is a good idea to grant admin access to an account only when it is needed, and for no longer than needed. Many times, a breach occurs when no one is watching. So, the logic here is: if you don't currently need admin access to the website, disable it. The best way to accomplish this is to:
- Create separate account(s) for editing content (and set the user role to editor, or less if editor is not necessary)
- Change the role of admin account to subscriber when not in use
The quickest way to change WP account roles is to use the WordPress Command Line Interface (WP-CLI). If your web host has a console option available, via cPanel or their website, use that. If a console is not available but SSH access is, generate an SSH key and add it to your web host account, following their instructions. If neither is available, you can also manually change the role in the database. However, this is the most complicated of all options and is prone to human error. Ideally, if you can access WP-CLI via a web console or SSH, use the following command:
wp user set-role {username} {role}
For example, to change the admin user's role to subscriber (disable admin access), run:
wp user set-role admin subscriber
Once every administrator has been demoted, nobody can reach the admin areas of the dashboard, so you restore the role the same way you removed it: run the same command with the role administrator (or edit the database). WP-CLI works directly against the database and does not itself need an administrator account to exist.
Last, but not least
Ask for help. If you get stuck, look to your available resources. Your web hosting provider and keyword searches can be great resources. And if you would like some personal assistance, please don't hesitate to contact us. Let's make the world a safer place to do business.