tekSolution: Protect & Defend against attacks on Wordpress | tekAura | We squash Bugz

tekSolution: Protect & Defend against attacks on Wordpress

Recently, we published a support article on our knowledge base on how we implement security measures on WordPress websites.  Because we think this information is valuable to everyone, we are elaborating on the topic here.
Security is an increasing concern for WordPress websites, especially with the rise of bad bots on the internet.  These automated bad actors may be doing anything from scanning your website for security holes up to and including brute-force attacks on your login page.  So don't let all the marketing effort you put into driving traffic to your website be undone by these issues; follow some simple steps to improve the security of your WordPress website today.

NOTE: This guide is meant for shared hosting accounts.  If you have a VPS (Virtual Private Server), consider other or additional measures that work at the server or network level, specifically blocking malicious traffic (a host firewall or fail2ban-style rate limiting, for example), so that you stop it BEFORE it reaches your application.

Create a backup

Before making any changes to your website, back up your files and database.  How you do this largely depends on your web host: if the host provides a backup tool, that is usually the best option.  If not, we recommend the UpdraftPlus plugin.  Whichever you use, confirm that the backup actually restores, and keep a copy somewhere other than the web server itself, before you rely on it.  You can go a step further and turn on maintenance mode to keep users off the website while you make changes.  Or better yet, make the changes in a staging or local development environment first.

Install some plugins

Decent security doesn't require a subscription.  The beauty of WordPress is its large library of community-supported plugins.  Sure, there are paid tiers and services out there, but if you are still growing you might not have hundreds or thousands to spend.  We have found that the combination of the Wordfence and AIOWPS (All In One WP Security) plugins covers many of the most important security features on the market:
  • Scheduled malware scan
  • Monitor file changes
  • Monitor available plugin updates
  • Brute force protection
  • Firewall

Some basic settings

After you install these security plugins on your WordPress website, it is important to change some of the configuration.  By default, many of the available features are turned off, and for good reason: some of them can lock you out of your own website.  So first check that your backup and restore plan is done and available (see above).  When you are ready, download and import our configurations for Wordfence and AIOWPS.
If you do choose to use our default configuration files, please note the following changes to your website that may affect you directly:
  • Your WP login URL is now /knockknock (Ex: http://example.com/knockknock).  This hides the default /wp-login.php from unsophisticated bots; it is obscurity rather than authentication, so the lockout rules below still matter.
  • You will need to log in again every 60 minutes (authentication timeouts are enabled)
  • Email alerts are set up, but might need to be altered (Wordfence > All Options > "Where to email alerts" & WP Security > Scanner > "Send Email When Change Detected")
  • After 3 failed login attempts within 5 minutes from the same network (public IP), further attempts from that network are locked out for 1 hour (WP Security > User Login > Login Lockdown)
  • After 20 consecutive failed login attempts against one username within a 4-hour period, that user is locked out for 4 hours
If any of these settings are too strict for your site, change them to suit.
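To make the two lockout rules concrete, here is a small replay of login attempts against them.  This is an added example, not code from the original post and not Wordfence or AIOWPS code; it models the policies as stated (per-network rule keyed on the public IP, per-user rule keyed on the username, and a request refused by a lock not counted against the other rule), and the login events are constructed.  It also shows why the second rule exists: spreading failures over many IP addresses gets past the per-network rule but not the per-user one.

```python
"""Replay login attempts against the two lockout rules described above.

Added example, not the post's own code and not Wordfence or AIOWPS code.
It models the stated policies; the login events are constructed, and
times are seconds from an arbitrary origin.
"""
from collections import defaultdict, deque


class LockoutRule:
    """Lock `key` after `max_failures` failures within `window` seconds."""

    def __init__(self, max_failures, window, lock_for):
        self.max_failures, self.window, self.lock_for = max_failures, window, lock_for
        self.failures = defaultdict(deque)   # key -> timestamps of recent failures
        self.locked_until = {}               # key -> time the lock expires

    def is_locked(self, key, now):
        return self.locked_until.get(key, -1) > now

    def reset(self, key):
        """A successful login ends the run of consecutive failures."""
        self.failures.pop(key, None)

    def record_failure(self, key, now):
        """Record one failure; return True if it trips the lock."""
        q = self.failures[key]
        q.append(now)
        while now - q[0] > self.window:      # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[key] = now + self.lock_for
            q.clear()
            return True
        return False


def new_rules():
    """The two settings from the configuration described above:
    per public IP, 3 failures in 5 minutes -> 1 hour;
    per username, 20 consecutive failures in 4 hours -> 4 hours."""
    return (LockoutRule(3, 5 * 60, 60 * 60),
            LockoutRule(20, 4 * 60 * 60, 4 * 60 * 60))


def replay(events, ip_rule, user_rule):
    """Return one decision per (time, ip, username, password_ok) event.

    A request from a locked IP or for a locked user is refused before the
    password is checked, so it does not add to the other rule's count
    (a modelling assumption, not a statement about either plugin)."""
    out = []
    for t, ip, user, ok in events:
        if ip_rule.is_locked(ip, t) or user_rule.is_locked(user, t):
            out.append("locked")
        elif ok:
            user_rule.reset(user)
            out.append("ok")
        else:
            ip_rule.record_failure(ip, t)
            user_rule.record_failure(user, t)
            out.append("fail")
    return out


def demo_single_network():
    """Three bad passwords from one IP lock that IP; others are unaffected."""
    events = [  # constructed sample events
        (0,    "203.0.113.5",  "admin",   False),
        (10,   "203.0.113.5",  "admin",   False),
        (20,   "203.0.113.5",  "admin",   False),  # third failure: IP locked until t=3620
        (30,   "203.0.113.5",  "admin",   False),  # refused without checking the password
        (40,   "198.51.100.7", "editor1", True),   # a different network logs in normally
        (3700, "203.0.113.5",  "admin",   True),   # lock has expired; right password works
    ]
    return replay(events, *new_rules())


def demo_distributed():
    """Failures spread over many IPs dodge the per-IP rule, not the per-user one."""
    events = [(10 * i, f"198.51.100.{i + 1}", "admin", False) for i in range(20)]
    events.append((200, "198.51.100.99", "admin", False))  # 21st attempt, fresh IP
    return replay(events, *new_rules())


if __name__ == "__main__":
    print(demo_single_network())    # ['fail', 'fail', 'fail', 'locked', 'ok', 'ok']
    print(demo_distributed()[-2:])  # ['fail', 'locked']
```

The per-IP rule treats everyone behind one NAT (an office, a mobile carrier) as a single network, which is why a 1-hour lock after only 3 failures can catch legitimate users; if that happens often, loosen that rule rather than the per-user one.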

Limit your Admin

It is also a good idea to grant admin access to an account only when it is needed, and for no longer.  Many breaches happen when no one is watching, so if you don't currently need admin access to the website, disable it.  The best way to accomplish this is to:
  • Create separate account(s) for editing content, with the Editor role (or a lower role if Editor is not necessary)
  • Change the role of the admin account to Subscriber when it is not in use
The quickest way to change WP account roles is the WordPress command-line interface (WP-CLI).  If your web host offers a console, via cPanel or their website, use that.  If there is no console but SSH access is available, generate an SSH key and add it to your web host account following their instructions.  If neither is available, you can change the role directly in the database, but this is the most complicated option and the most prone to human error.  Note that once the last administrator is demoted, the only way to restore the role is the same path (WP-CLI or the database), so confirm that path works for you before you demote.  Ideally, access WP-CLI via a web console or SSH and use the following command:
wp user set-role {username} {role}
For example, to change the admin user's role to Subscriber (disabling admin access), run:
wp user set-role admin subscriber
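For the database route mentioned above, the role lives in the usermeta table as a PHP-serialized array whose length prefixes must match exactly, which is where hand edits usually go wrong.  The following is an added example, not code from the original post and not WordPress or WP-CLI code: it builds the two UPDATE statements for one user, a SELECT that lists who currently holds the administrator role, and a strict parser that rejects a mistyped value.  It assumes the default table prefix "wp_" (pass your own prefix if it differs) and a user holding a single role.

```python
"""Role change by direct database edit for a WordPress site (added example).

Not the post's own code and not WordPress or WP-CLI code.  Assumes the
default table prefix "wp_" and a user who holds a single role.
"""
import re

# Legacy user_level values WordPress stores alongside the capabilities.
ROLE_LEVELS = {"administrator": 10, "editor": 7, "author": 2,
               "contributor": 1, "subscriber": 0}

_PREFIX_OK = re.compile(r"^[A-Za-z0-9_]+$")
_ENTRY = re.compile(r's:(\d+):"([^"]*)";b:([01]);')


def serialize_caps(role):
    """Build the serialized <prefix>capabilities value for a single role.

    The s:<n> prefix is the byte length of the role name; an off-by-one
    here is the classic hand-edit mistake and leaves the user with no role."""
    if role not in ROLE_LEVELS:
        raise ValueError(f"unknown role: {role}")
    return 'a:1:{s:%d:"%s";b:1;}' % (len(role.encode()), role)


def parse_caps(blob):
    """Parse a capabilities value into {role: bool}; reject malformed blobs
    (PHP's unserialize() would refuse them too, and WordPress then treats
    the user as having no role at all)."""
    m = re.fullmatch(r'a:(\d+):\{(.*)\}', blob, re.S)
    if not m:
        raise ValueError("not a serialized PHP array")
    declared, body = int(m.group(1)), m.group(2)
    caps, pos = {}, 0
    for e in _ENTRY.finditer(body):
        if e.start() != pos:
            raise ValueError("unexpected bytes at offset %d" % pos)
        if int(e.group(1)) != len(e.group(2).encode()):
            raise ValueError("length mismatch for %r" % e.group(2))
        caps[e.group(2)] = e.group(3) == "1"
        pos = e.end()
    if pos != len(body) or len(caps) != declared:
        raise ValueError("entry count or trailing data does not match")
    return caps


def _sql_str(value):
    """Quote a string literal for MySQL (backslash escapes, doubled quotes)."""
    return "'" + value.replace("\\", "\\\\").replace("'", "''") + "'"


def _check_prefix(prefix):
    if not _PREFIX_OK.match(prefix):
        raise ValueError(f"unsafe table prefix: {prefix!r}")
    return prefix


def sql_set_role(user_login, role, prefix="wp_"):
    """Return the two UPDATE statements that give `user_login` exactly `role`."""
    prefix = _check_prefix(prefix)
    caps = serialize_caps(role)
    where = (f"WHERE user_id = (SELECT ID FROM {prefix}users "
             f"WHERE user_login = {_sql_str(user_login)})")
    return [
        f"UPDATE {prefix}usermeta SET meta_value = {_sql_str(caps)} "
        f"{where} AND meta_key = '{prefix}capabilities';",
        f"UPDATE {prefix}usermeta SET meta_value = '{ROLE_LEVELS[role]}' "
        f"{where} AND meta_key = '{prefix}user_level';",
    ]


def sql_list_admins(prefix="wp_"):
    """Query listing every account that currently holds the administrator role."""
    prefix = _check_prefix(prefix)
    return (f"SELECT u.user_login FROM {prefix}users u "
            f"JOIN {prefix}usermeta m ON m.user_id = u.ID "
            f"WHERE m.meta_key = '{prefix}capabilities' "
            f"AND m.meta_value LIKE '%\"administrator\";b:1;%';")


if __name__ == "__main__":
    # Audit first, then demote the "admin" account to subscriber.
    for stmt in [sql_list_admins()] + sql_set_role("admin", "subscriber"):
        print(stmt)
```

Run the printed statements in phpMyAdmin or the mysql client only after the backup from the first section exists; to promote the account again, run sql_set_role with "administrator".  If you used the WP-CLI route instead, the equivalent audit is wp user list --role=administrator, which should come back empty once the admin account has been demoted.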

Last, but not least

Ask for help.  If you get stuck, use the resources available to you: your web hosting provider's support and a web search for the exact error or setting are often enough.  And if you would like some personal assistance, please don't hesitate to contact us.  Let's make the world a safer place to do business.

About me

I was hippie-born, raised on Science and Invention on a nuclear mesa, SCAdian before I knew the Society, Technomancer before I played the game, creative genius breaking the shackles of Corporate America.

Owner of tekAura, an Information Technology & Design Consultancy involved in projects concerning Human Dynamics & Sustainability in relation to Computing and Technology, Collective creativity & Hackerspaces, SaaS & Cloud Computing, Home & Manufacturing Automation.

Artfully applies Sustainability, Disaster Recovery, Open Source and Agile Industry Best Practices to boost innovation and facilitate Organic Collaboration and Continuous Process Improvement.

4 comments:

  1. After you've gotten your files onto your site, you now need to configure your WordPress installation. And when I say configure, I mean WordPress will do almost all of the work for you. managed wordpress services
  2. That is really nice to hear. thank you for the update and good luck. Brizy review

  3. This article gives the light in which we can observe the reality. This is very nice one and gives indepth information. Thanks for this nice article. clean wordpress site
