WordPress Security

Things that go bump in the night – WordPress Security

WordPress Security

We try to keep our WordPress users up to date on what’s happening with regards to new releases of WordPress and we even mention the odd plugin. So this is another one of those “keep your website up to date” posts with a look at a rather useful plugin.

Of course the stats are pretty amazing for WordPress. Over 20% of the websites in the world use it as their CMS of choice. (Numbers will vary depending on who you ask of course, but simply put the number is rather high)

What does this mean for the likes of you and me who host WordPress websites? It means there are a lot of people attempting to find loopholes and hacks so they can exploit your website. Maybe it’ll be so they can spam, maybe it’ll be so they can host bad files on your website or do other nasty stuff. Recently Stephen posted about an exploit of XML RPC pingbacks within WordPress and how to prevent it affecting your website. So what more can you do?

You can keep your website up to date.

I’ve mentioned a plugin in the past multiple times WP Updates Notifier and I run you through it on this blog post.

This will keep you notified when you’ll need to upgrade your plugins / themes and core with a nice little email reminder to update things.

In the fight against comment spam you can use the likes of Akismet which ships with WordPress and which monitors all new comments and removes the vast majority of spam.

So what else can you do to help keep your website secure?

Well there’s a plugin called WordFence and it does a multitude of things to improve your WordPress Security.

Wordfence

You can see a sample scan below

Wordfence Scan

As you can hopefully see it’ll scan through your files for differences between plugins / themes and the core files. It will also do a host of other things such as scanning for weak passwords.

Now onto the stuff I really like about Wordfence.

You may or may not know it, but it’s a really bad idea to have admin as your username. Why you might ask? Because a lot of automated scripts out there try to log in to your website as the admin user. So they’ll probably take the most popular passwords from a list out there and try these against the admin username. Won’t you notice this though? Probably not.

Wordfence security Login preferences

If you’re pretty sure you know your password and don’t generally make mistakes drop the number of failures to something rather low not to mention forgotten password attempts, then decide how long to lock that person who tried to login for. I chose 1 day by default. I know my username and password when I’m logging in. So what effect does this have you might wonder?

Wordfence Locked IP addresses

Key things to take away from this screenshot? There have been 9303 attempts to login. It’s probably safe to assume this is an automated script going through variations of passwords.

I set this up last week on one of my sites and was shocked to see the number of login attempts that go on while I’m sleeping.

Using Google Analytics or similar services on your website to track traffic? You probably won’t see any of these login attempts that are occurring.

There are lots of options in Wordfence and of course as with many plugins there is also the commercial side to the plugin with extra options.

Wordfence Options

What’s more if you’re not using caching on your website it also has a basic caching as well as a more advanced caching depending on your needs which you’ll find in the Performance Setup section.

Are you using anything else for WordPress security?

 

, , , , ,