Website security is an important part of any business. Having your website taken over by an attacker is not something you want to happen, and it happens more often than you think: links redirected, data stolen, perhaps even a complete rewrite of your site.
What’s that? You say you haven’t even looked at your company’s website in months? Years? Best take a look at it. Someone may have hijacked your domain or defaced your site, replacing your hard work (or expensive work, if you paid to have the site built) with their own content.
Today I want to talk about website security. Specifically WordPress security since WordPress has become, thanks to its flexibility and wide variety of plugins available, a platform of choice for so many businesses.
The first thing you should do, or have whoever maintains your website do, is rename the administrator account to something other than “admin”. Attackers guess usernames before they guess passwords, so do not allow anyone to create an account with a username from this list –
admin, admin1, aaa, adm, sysadmin, administrator, user, root, support, test, qwerty, manager, guest, apache, info, operator, webmaster, backup, demo, member, private, or password.
Does your site offer a download? Paid or free, it doesn’t matter. What did you name it? Attackers use a simple trick: they type your URL into the address bar and append the following to the address –
This makes WordPress search the site and list every post that contains the word “download”, in all likelihood including the very file you were trying to protect.
A second avenue of attack for those seeking files to download is the robots.txt file. The robots.txt file tells search engine spiders and web crawlers not to index certain pages and directories. It is only a request: nothing stops a person or a hostile script from reading the file and visiting exactly the paths it lists.
What the hacker will do is once again type in the URL and append the following to it –
This will allow them access to the text file which will contain some code such as the following –
That line basically means: don’t crawl the subdirectory “NothingHere”.
So…why wouldn’t someone want a spider to see that subdirectory? Probably because there is something there. Often it’s the download page.
Don’t name your files conspicuously, and don’t put your download pages on your sitemap. Above all, don’t rely on robots.txt to hide them: anything that should stay private belongs behind a login or outside the web root, because a Disallow line is a map for attackers, not a lock.
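As an added example (not code from the original post), here is a small Python script that reads a robots.txt the way an attacker does, as a list of paths worth fetching, and flags the Disallow entries whose names suggest hidden content. The robots.txt text is constructed for illustration, and the SENSITIVE_HINTS keyword list is an assumption you should extend with names specific to your own site:

```python
"""Audit a robots.txt the way an attacker reads it: as a list of paths worth visiting.

Added example, not code from the original post. The robots.txt below is
constructed to match the situation the post describes; the SENSITIVE_HINTS
keyword list is an assumption to extend with names specific to your own site.
"""
from __future__ import annotations

# Constructed sample: one Disallow line hides a directory, one hides a file.
SAMPLE_ROBOTS_TXT = """\
User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
# The post's example: "don't see the subdirectory NothingHere"
Disallow: /NothingHere/
Disallow: /downloads/ebook-final.pdf
Sitemap: https://example.com/sitemap.xml
"""

# Substrings that suggest a Disallow line points at content the owner wanted
# hidden rather than merely kept out of search results (assumption).
SENSITIVE_HINTS = ("download", "backup", "private", "secret", "member", "nothinghere")


def parse_robots(text: str) -> list[tuple[str, str, str]]:
    """Return (user_agent, directive, path) for every Allow/Disallow rule.

    Consecutive User-agent lines form one group; the rules that follow apply
    to every agent in that group. Comments (#) and blank lines are ignored.
    """
    rules: list[tuple[str, str, str]] = []
    agents: list[str] = []
    collecting_agents = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if not collecting_agents:
                agents = []          # a new group starts here
            agents.append(value)
            collecting_agents = True
            continue
        collecting_agents = False
        if field in ("allow", "disallow") and value:
            for agent in agents or ["*"]:
                rules.append((agent, field, value))
    return rules


def advertised_paths(text: str) -> list[str]:
    """Every Disallow path: crawlers may skip it, but anyone can still fetch it."""
    return sorted({path for _, directive, path in parse_robots(text) if directive == "disallow"})


def suspicious_paths(text: str, hints: tuple[str, ...] = SENSITIVE_HINTS) -> list[str]:
    """Disallow paths whose names suggest they were meant to be hidden, not just unindexed."""
    return [p for p in advertised_paths(text) if any(h in p.lower() for h in hints)]


if __name__ == "__main__":
    flagged = set(suspicious_paths(SAMPLE_ROBOTS_TXT))
    for path in advertised_paths(SAMPLE_ROBOTS_TXT):
        print(path + ("  <-- protect with authentication, not robots.txt" if path in flagged else ""))
```

Run it against your own file (curl your site’s /robots.txt into a string) and treat every flagged path as a file to move behind a login or out of the document root; the Disallow line itself can stay, since removing it only hides the map, not the content.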
Wordfence is a WordPress plugin that can be installed free of charge. There is a paid upgrade if you would like to enable Cellphone Sign-in verification (two-factor authentication using your phone).
Log in to your WordPress site Admin Log-in.
Looking down the left hand sidebar, click on Plugins/Add new.
Type ‘Wordfence’ into the search box and hit return.
Choose Install from the plugin page.
Once you have been notified that the plugin has been installed, activate it. You will need to go to the plugin website for a free API key; copy it and paste it into the appropriate box at setup, then fill out the general info.
Now on the left sidebar you should see Wordfence listed. The first thing to do is to choose ‘Options’.
Make sure all of the Alerts checkboxes are checked.
Under Live Traffic View, check the box for Don’t log signed in users with publishing access.
Under Scans to include, check all boxes except for the paid box at the top of the list and “scan files outside WordPress” at the bottom.
Under Firewall rules check the box to immediately block fake Google crawlers.
Under How long is an IP address blocked when it breaks a rule choose 1 month.
Under Login Security Options choose – Force admins and publishers to use strong passwords.
Lock out after 1 failure.
Lock out after 1 forgotten password attempt.
Count failures over the period of 1 day.
Amount of time a user is locked out – 60 days.
Check the final three boxes.
Under Other Options, input your own IP address in the whitelist, so that the lockout rules below can never block you from your own site.
Check all the boxes.
Don’t worry about setting the lockout to a single try. If you forget and lock yourself out, you can still get back in through cPanel: reset the password in the wp_users table with phpMyAdmin, or rename the wordfence folder under wp-content/plugins with the File Manager, which disables the plugin until you are logged in again.
Hackers will try to guess your login credentials; that’s why we had you change your username and password. You can check how many people are trying to log in as you by going to the Wordfence plugin and choosing “Live Traffic”. Look at the tabs across the top of the page that comes up and click on Logins and Logouts.
Any of these that are not you should be blocked. Click on block.
Now look to the left sidebar again and click on Blocked IPs.
You will see a list of all the IPs that you have blocked.
Click to block permanently.
Depending on how many people are probing your website, the notifications for these attempts should die down within a few weeks of blocking most of the active attackers.
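The lockout settings above (lock out after 1 failure, counted over 1 day, with your own address whitelisted), the fake-Google-crawler rule and the Live Traffic review can all be reproduced from the web server’s own access log, which is useful when you want to verify what Wordfence is doing or to build a block list for the firewall in front of it. The following Python script is an added example, not code from the original post or from Wordfence. The log lines are constructed in Apache combined format, the DNS answers are a constructed table, and it assumes that a wp-login.php POST answered with a 302 redirect was a successful login while a 200 means WordPress re-rendered the form after a failure:

```python
"""Spot brute-force logins and fake Google crawlers in an Apache access log.

Added example, not code from the original post or from Wordfence. The log
lines are constructed in Apache 'combined' format and the DNS answers are a
constructed table. Heuristic (assumption): a POST to wp-login.php answered
with 302 is a successful login (WordPress redirects to the dashboard); a 200
means the login form was re-rendered, i.e. the attempt failed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

# Constructed sample log: one address hammering wp-login.php, one legitimate
# login, one fake Googlebot and one crawler whose DNS checks out.
SAMPLE_LOG = f"""\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /wp-admin/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:14:02:10 +0000] "GET /wp-login.php HTTP/1.1" 200 4321 "-" "{GOOGLEBOT_UA}"
203.0.113.200 - - [10/Oct/2023:14:05:00 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "{GOOGLEBOT_UA}"
"""

# Constructed DNS answers standing in for socket.gethostbyaddr / gethostbyname_ex.
REVERSE_DNS = {"192.0.2.44": "scanner.example.net",
               "203.0.113.200": "crawl-203-0-113-200.googlebot.com"}
FORWARD_DNS = {"scanner.example.net": {"192.0.2.44"},
               "crawl-203-0-113-200.googlebot.com": {"203.0.113.200"}}


def sample_reverse(ip):
    return REVERSE_DNS.get(ip)


def sample_forward(host):
    return FORWARD_DNS.get(host, set())


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def failed_logins(lines):
    """Yield (ip, timestamp) for each wp-login.php POST that did not redirect."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/wp-login.php") and rec["status"] != 302:
            yield rec["ip"], rec["ts"]


def ips_to_block(lines, threshold=1, window_seconds=86400, allowlist=frozenset()):
    """Addresses with at least `threshold` failed logins inside any sliding window.

    threshold=1 over 86400 seconds mirrors the post's Wordfence settings (lock
    out after 1 failure, count failures over 1 day); allowlist is your own IP.
    """
    window = timedelta(seconds=window_seconds)
    stamps_by_ip = defaultdict(list)
    for ip, ts in failed_logins(lines):
        stamps_by_ip[ip].append(ts)
    blocked = set()
    for ip, stamps in stamps_by_ip.items():
        if ip in allowlist:
            continue
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):          # sliding window over sorted times
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                blocked.add(ip)
                break
    return sorted(blocked)


def is_fake_googlebot(ip, ua, reverse_lookup, forward_lookup):
    """Google's published check: the reverse DNS name of the IP must end in
    googlebot.com or google.com, and that name must resolve back to the IP."""
    if "Googlebot" not in ua:
        return False
    host = reverse_lookup(ip)
    if not host or not host.endswith((".googlebot.com", ".google.com")):
        return True
    return ip not in forward_lookup(host)


def fake_crawler_ips(lines, reverse_lookup=sample_reverse, forward_lookup=sample_forward):
    """Addresses claiming to be Googlebot whose DNS does not back the claim."""
    return sorted({rec["ip"] for rec in map(parse_line, lines)
                   if rec and is_fake_googlebot(rec["ip"], rec["ua"], reverse_lookup, forward_lookup)})


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("brute force:", ips_to_block(lines, threshold=1))
    print("fake crawlers:", fake_crawler_ips(lines))
```

Against a live server, feed it the lines of your access log and replace the two lookup functions with socket.gethostbyaddr(ip)[0] and socket.gethostbyname_ex(host)[2], each wrapped in a try/except for socket.herror and socket.gaierror, since an address with no reverse record raises instead of returning None. The sliding window is what makes “count failures over 1 day” meaningful: three failures spread over a week do not trip a threshold of three, but three within the window do.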
This is a good start for safeguarding your website so you can concentrate on doing business. Not wondering where your website has gone.