This week we had to come to the aid of someone who had fallen victim to hackers who had maliciously injected malware code into a number of the web pages on their site. The malware went undetected for several days until Google blocked the site with a big red warning screen. Luckily, thanks to a regular backup strategy, we were able to rectify the situation without losing much data, but it could have been so much worse.
WordPress is a very popular web content management platform: approximately 22% of the world's websites are powered by it. Although later versions have introduced new features that make it more secure out of the box, there are still some additional steps you can take to protect yourself.
Your Local Computer
As a bare minimum you should ensure that you have good anti-virus and malware protection installed on any machine you use to access your WordPress admin area. Keep the definitions up to date and run regular scans of your hard drive. Avoid accessing your admin area from other PCs and devices, especially when connected to insecure networks such as public Wi-Fi hotspots. If you must use another computer, open a browser tab in incognito mode to make it difficult for anyone to follow your tracks. This won't protect you from keylogging programs, but it will ensure you leave no browsing history behind.
Password Security
According to SplashData's annual "Worst Passwords" list, 123456 keeps its place in the top spot for the 4th consecutive year, closely followed by password. Others include keyboard sequences like qwerty as well as access and letmein.
Another survey, conducted by Ofcom in 2013, found that 55% of respondents used the same password for all, if not most, of their internet accounts, placing them at even greater risk should hackers be able to guess it. The sheer number of online accounts we need to keep log-in information for makes keeping track of it a herculean task, and with 8% of all WordPress attacks in 2013 attributed to weak passwords it remains a serious risk.
Always choose strong passwords for your WordPress admin area. Strong means:
- 12 characters or more
- a mix of upper and lower case letters, numbers and punctuation
- not a common or obvious word
- no obvious substitutions such as replacing i with 1 or o with 0
If you are struggling for inspiration, there are numerous internet sites that can help you create strong passwords, such as Strong Password Generator, and there are some very good password management programs and apps such as 1Password, Dashlane, LastPass and KeePass. These store all your passwords in an encrypted database and require you to remember only one master password to access it. Obviously it goes without saying that the master password needs to be strong too!
WordPress Admin Username
Make sure that the username for the site administrator is something that is difficult to guess. It should most definitely not be Admin; if it is, you should change it immediately. The easiest way to do this is to create a new admin user with a unique username, then delete the old admin user and attribute all their existing posts to the new one.
The WordPress installation creates a username (which is what you log into your WordPress admin area with) and a nicename, which is just a user-friendly version of your username. The nicename can be seen in the URL of a user's archive page, such as www.mywordpressite.com/author/my-user-name. By default the username and nicename are the same, which means that a hacker can discover your username simply by looking at the archive page for an author on the site. With that information they are halfway to breaking in. However, the nicename can be changed so that it is different from the username, and although this requires you to access the MySQL database it isn't particularly complicated and is a highly recommended step to take. After you have done this you might log in with a username of gJy8654! but display a nicename of www.mywordpressite.com/author/john-smith. You can find many tutorials on the net that explain how to change your WordPress nicename, such as this one from a site called WordPress Cub.
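As an added example (not the post's own code, nor the tutorial it links to), the MySQL statements below decouple the public author slug from the login name. They assume the default wp_ table prefix and reuse the post's illustration values, the login gJy8654! and the slug john-smith; the display name John Smith is a constructed value. Substitute your own.

```sql
-- Added example, not from the original post. Assumes the default wp_ prefix;
-- the login gJy8654! and slug john-smith are the post's illustration values,
-- the display name John Smith is constructed.

-- 1. Find accounts whose public slug or byline still reveals the login name.
SELECT ID, user_login, user_nicename, display_name
FROM wp_users
WHERE user_login = user_nicename
   OR user_login = display_name;

-- 2. Give the account a public slug and display name that say nothing about
--    the login. user_nicename must be unique and URL-safe (lower-case letters,
--    digits and hyphens) because WordPress builds /author/<nicename>/ from it;
--    display_name is what appears in post bylines and defaults to the login too.
UPDATE wp_users
SET user_nicename = 'john-smith',
    display_name  = 'John Smith'
WHERE user_login = 'gJy8654!';

-- 3. Verify: the step 1 query should no longer list this account.
SELECT ID, user_login, user_nicename, display_name
FROM wp_users
WHERE user_login = user_nicename
   OR user_login = display_name;
```

Changing the nicename also covers the common ?author=1 style request, which WordPress redirects to the /author/<nicename>/ URL, so the redirect reveals the slug and not the login.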
WordPress Database Table Prefix
The WordPress installation asks you to choose a prefix that will be applied to all the database tables. If you choose not to change the default it will be set to wp_, so tables will be named wp_posts, wp_users etc. To change the default prefix there are two steps you need to take:
- Edit the wp-config.php file using your preferred FTP client and change the line $table_prefix = 'wp_'; to $table_prefix = 'xhjtd_'; or something equally unique (WordPress only accepts letters, digits and underscores in the prefix, so keep punctuation out of it)
- Edit the MySQL database using an SQL query such as RENAME TABLE `wp_links` TO `newprefix_links`; You will need to do this for each and every table, including those added by plug-ins. Renaming the tables alone is not enough: a few rows embed the prefix in their data (the wp_user_roles row in the options table and the wp_capabilities and wp_user_level keys in the user meta table) and must be renamed as well, otherwise no one will be able to log in.
There are also plug-ins available that can automate this process for you – thereby avoiding any typos etc.
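The complete prefix change, as an added example that is not the post's own code and does not describe what any particular plug-in does. It assumes the default wp_ prefix, a constructed new prefix xhjtd_ that you have already written into wp-config.php, and an install with the eleven core tables that WordPress 3.x creates; installs from 4.4 onwards also have wp_termmeta, and any plug-in tables must be added to the RENAME list by hand.

```sql
-- Added example, not from the original post. Old prefix wp_, new prefix xhjtd_
-- (constructed). Take a database backup first. RENAME TABLE is all-or-nothing in
-- MySQL, so a missing table aborts the whole statement instead of half-renaming.

-- 0. List every table that still carries the old prefix (plug-in tables included).
SHOW TABLES LIKE 'wp\_%';

-- 1. Rename the core tables in one atomic statement. Add the plug-in tables
--    found in step 0, and wp_termmeta on WordPress 4.4 or later, to this list.
RENAME TABLE
  wp_commentmeta        TO xhjtd_commentmeta,
  wp_comments           TO xhjtd_comments,
  wp_links              TO xhjtd_links,
  wp_options            TO xhjtd_options,
  wp_postmeta           TO xhjtd_postmeta,
  wp_posts              TO xhjtd_posts,
  wp_terms              TO xhjtd_terms,
  wp_term_relationships TO xhjtd_term_relationships,
  wp_term_taxonomy      TO xhjtd_term_taxonomy,
  wp_usermeta           TO xhjtd_usermeta,
  wp_users              TO xhjtd_users;

-- 2. WordPress keeps the role definitions in the option named <prefix>user_roles.
--    Leave this row alone and every account loses its role, so nobody can log in.
UPDATE xhjtd_options
SET option_name = 'xhjtd_user_roles'
WHERE option_name = 'wp_user_roles';

-- 3. Per-user capabilities and level are keyed by the prefix as well
--    (wp_capabilities, wp_user_level, wp_user-settings, ...). Same lockout if skipped.
UPDATE xhjtd_usermeta
SET meta_key = CONCAT('xhjtd_', SUBSTRING(meta_key, LENGTH('wp_') + 1))
WHERE meta_key LIKE 'wp\_%';

-- 4. Verify. The first two queries should return nothing. Review any rows the
--    third one lists by hand: some plug-in options start with wp_ without being
--    derived from the table prefix and must not be renamed blindly.
SHOW TABLES LIKE 'wp\_%';
SELECT meta_key    FROM xhjtd_usermeta WHERE meta_key    LIKE 'wp\_%';
SELECT option_name FROM xhjtd_options  WHERE option_name LIKE 'wp\_%';
```

The backslash in 'wp\_%' makes the underscore literal; without it LIKE treats _ as a single-character wildcard and would also match names such as wpx.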
Keeping your WordPress Installation Updated
From WordPress version 3.7 onwards, minor updates (3.7.1 to 3.7.2 and so on) can be applied to your site automatically. Major updates such as 3.7 to 3.8 are not applied automatically, so you should not have to worry too much about compatibility problems; in any case these are rare and are usually the result of out-of-date plug-ins. On that note, make sure all your plug-ins are kept up to date so that hackers cannot exploit known vulnerabilities for which a fix is already available but not yet installed on your site.
There are numerous other steps you could take to further secure your WordPress site, from setting your file and directory permissions correctly to protecting the .htaccess file. How far you go will depend on a number of factors, including your backup strategy, how sensitive the data on your site is and how business critical it is. The purpose of this post is to help you get started; feel free to check out other resources that may help you extend this further.