Attacks on WP, what security to put on?


This topic is: not resolved


This topic contains 7 replies, has 4 voices, and was last updated by  Bill Murray 1 year, 6 months ago.

  • #35914

    Dragonfly
    Participant
    Post count: 7

    I’ve heard about some pretty big attacks going on right now targeting WP websites. I was told attackers are using brute force against WordPress’ admin pages using the old default username “admin” and then trying thousands of passwords. There’s nothing new about that approach, but what makes this attack different, and particularly potent, is that the attackers have some 90,000 unique IP addresses at their disposal. I have read to check out a plugin called BulletProof Security and consider buying an SSL.

    Any advice? I’m a real newbie; how do I buy these plugins and an SSL?

    Also, how do I get my site backed up outside of WP?

    #35943

    Bill Murray
    Participant
    Post count: 575

    Unless you have another need, save your money on an SSL certificate and save your money on security plugins.

    The 4 best things you can do are, first, to not use any of a series of usernames, including:

    admin
    admin1
    administrator
    root
    manager
    support
    qwerty

    Next, use strong passwords.

    Third, whatever username you use, be sure to not publicly display it and if possible, turn off author archives.

    Fourth, be sure the devices you access your server from are secure. Compromised local machines are an easy way to steal server credentials.

    A successful brute force attack, just like any successful login, requires both the username and a correct password. If you don’t use the username that the attackers are using, you’ve stopped the attack in its tracks.

    There’s another aspect to brute force attacks, and that’s how they can become a denial of service (DoS) attack when repeated a large # of times in a short time frame. There’s no easy way for a “newbie” to deal with this, because it involves doing things at the server level. If you’re on a shared server and don’t have server admin skills, you have to hope that your host is doing its job and monitoring the traffic on its network.


    Web: https://wpperform.com or Twitter: @wpperform

    We do managed WordPress hosting.
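Bill's last paragraph above says the DoS side of a brute force run has to be caught at the server level, by whoever watches the traffic. As an added example (not code from the thread, from wpperform, or from WordPress), here is a stand-alone PHP CLI script of the kind a host or a site owner with shell access could run over the web server's access log. It assumes the Apache/nginx "combined" log format and relies on a WordPress behaviour you can check yourself: a failed login is a POST to wp-login.php answered with HTTP 200 (the form comes back with an error), while a successful one answers with a 302 redirect. The log lines embedded in it are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the forum thread: flag clients that are
// brute-forcing wp-login.php, using nothing but the access log.
// Every line in SAMPLE_LOG is constructed (TEST-NET addresses, fake timestamps).
const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Apr/2013:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2910 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Apr/2013:10:00:21 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Apr/2013:10:00:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:03:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.50 - - [12/Apr/2013:10:04:00 +0000] "GET /index.php HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
LOG;

/** Parse one "combined" format line; null when the line does not match. */
function parse_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $ts = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($ts === false) {
        return null;
    }
    $path = parse_url($m[4], PHP_URL_PATH);
    return [
        'ip'     => $m[1],
        'time'   => $ts->getTimestamp(),
        'method' => $m[3],
        'path'   => is_string($path) ? $path : $m[4],
        'status' => (int) $m[5],
    ];
}

/** Failed login: POST to wp-login.php answered with 200 (success redirects with 302). */
function is_failed_login(array $req): bool
{
    return $req['method'] === 'POST'
        && basename($req['path']) === 'wp-login.php'
        && $req['status'] === 200;
}

/** Largest number of events from the given timestamps inside any $window-second span. */
function peak_in_window(array $times, int $window): int
{
    sort($times);
    $peak  = 0;
    $start = 0;
    foreach ($times as $i => $t) {
        while ($times[$start] < $t - $window + 1) {
            $start++;
        }
        $peak = max($peak, $i - $start + 1);
    }
    return $peak;
}

/** Returns ['offenders' => [ip => peak failures], 'total_failures' => n]. */
function analyse(string $log, int $threshold = 10, int $window = 60): array
{
    $byIp  = [];
    $total = 0;
    foreach (explode("\n", trim($log)) as $line) {
        $req = parse_line($line);
        if ($req === null || !is_failed_login($req)) {
            continue;
        }
        $total++;
        $byIp[$req['ip']][] = $req['time'];
    }
    $offenders = [];
    foreach ($byIp as $ip => $times) {
        $peak = peak_in_window($times, $window);
        if ($peak >= $threshold) {
            $offenders[$ip] = $peak;
        }
    }
    arsort($offenders);
    return ['offenders' => $offenders, 'total_failures' => $total];
}

if (PHP_SAPI === 'cli') {
    // Threshold and window are assumptions; tune them to the site's normal traffic.
    $report = analyse(SAMPLE_LOG, 5, 60);
    foreach ($report['offenders'] as $ip => $peak) {
        printf("%-15s %d failed logins within 60s\n", $ip, $peak);
    }
    printf("%d failed logins in total\n", $report['total_failures']);
}
```

On the sample data only 203.0.113.7 crosses the threshold (five failures in four seconds); the legitimate user at 198.51.100.20 fails once and then logs in. The site-wide total is printed on purpose: an attack spread over tens of thousands of addresses, as the original poster describes, never trips a per-IP threshold, but it still shows up as an abnormal number of failed logins across the whole site, which is the figure a host watching its network would alert on.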

    #35992

    ChrissyMorin
    Participant
    Post count: 35

    WPFence was just recommended to me… and I’m switching all my “admin” to NOT admin. When you say “Don’t display user name publicly”… is there a spot to do that??


    Chrissy Morin – Your Web Chick – Denver CO

    #35995

    Bill Murray
    Participant
    Post count: 575

    When you edit a user, you’ll see a setting for Display name publicly as. If your Username is ChrissyMorin, you want to display something else (by filling in the first/lastname or nickname) and then using the dropdown on that setting, so attackers can’t easily learn your username. Of course, if your author archive is on a link with your username, one can figure out the username, so that’s why you need to avoid using author archives, which is harder to do on a multi-author blog.

    Most security plugins come too late to do much help. If it’s a plugin, it’s PHP-based, and that means a potential attacker is already reaching your WP system. Because they have to examine each visitor, they also slow down your site.

    If your site is set up with good security practices from the outset, almost all security plugins running under PHP aren’t going to help you much.


    Web: https://wpperform.com or Twitter: @wpperform

    We do managed WordPress hosting.
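Bill's advice above comes down to three settings-level changes: a display name that is not the login name, no author archives, and no usernames from the attackers' list. As an added example (not code from the thread, from wpperform, or shipped with WordPress), the following must-use plugin applies the archive and link parts automatically and adds an admin notice that audits the accounts against the list from Bill's earlier post. It goes a little beyond the thread in one respect: current WordPress versions also list users through the REST API at /wp-json/wp/v2/users, so the plugin removes those routes for anonymous visitors. The file name, the WPP_ prefix and the mu-plugins location are assumptions of the example.

```php
<?php
/**
 * Plugin Name: Keep usernames private (added example, not code from the thread)
 * Description: Turns off author archives, stops themes linking to them, hides
 *              the REST users listing from anonymous visitors and warns admins
 *              about risky usernames. Drop into wp-content/mu-plugins/.
 */

// The usernames Bill's post lists as the ones the brute-force runs cycle through.
const WPP_RISKY_USERNAMES = ['admin', 'admin1', 'administrator', 'root', 'manager', 'support', 'qwerty'];

// 1. /author/<slug>/ (and ?author=N, which WordPress would redirect to it) reveals
//    the user slug, which defaults to the login name. Priority 1 makes this run
//    before WordPress's own canonical redirect.
add_action('template_redirect', function () {
    if (is_author()) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
}, 1);

// 2. Theme calls such as get_author_posts_url() now point at the front page
//    instead of an archive URL that contains the slug.
add_filter('author_link', function () {
    return home_url('/');
});

// 3. Remove the REST users routes for anonymous visitors only (assumed for
//    current WordPress; not part of the thread). Logged-in users keep them so
//    the editor's author selector still works.
add_filter('rest_endpoints', function (array $endpoints) {
    if (is_user_logged_in()) {
        return $endpoints;
    }
    foreach (array_keys($endpoints) as $route) {
        if (strpos($route, '/wp/v2/users') === 0) {
            unset($endpoints[$route]);
        }
    }
    return $endpoints;
});

// 4. Audit: accounts that use a commonly attacked username, or whose public
//    display name is still the login name itself (the WordPress default).
function wpp_username_audit(): array
{
    $problems = [];
    foreach (get_users(['fields' => ['user_login', 'display_name']]) as $user) {
        if (in_array(strtolower($user->user_login), WPP_RISKY_USERNAMES, true)) {
            $problems[] = sprintf('"%s" is on the commonly attacked username list', $user->user_login);
        }
        if (strcasecmp($user->user_login, $user->display_name) === 0) {
            $problems[] = sprintf('"%s" shows the login name as its public display name', $user->user_login);
        }
    }
    return $problems;
}

add_action('admin_notices', function () {
    if (!current_user_can('list_users')) {
        return;
    }
    $problems = wpp_username_audit();
    if ($problems === []) {
        return;
    }
    echo '<div class="notice notice-warning"><p><strong>Username audit:</strong> '
        . esc_html(implode('; ', $problems)) . '</p></div>';
});
```

The notice only tells you what to fix; WordPress does not let you rename a user, so an account flagged as "admin" is dealt with the way Bill describes, by creating a new administrator with a different name, reassigning the old account's posts to it, and deleting the old one.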

    #35996

    ChrissyMorin
    Participant
    Post count: 35

    Ah ok, gotcha.. I use Yoast SEO plugin and it lets you “Turn off” Author archives.. guess I’ll put that on the to do list too.

    No problems “SO FAR” but got a scary letter from my hosting company so I figured I should go through things.. on many old sites I have “admin” so I figure that’s the first thing to change..


    Chrissy Morin – Your Web Chick – Denver CO

    #35997

    Bill Murray
    Participant
    Post count: 575

    Absolutely, drop admin accounts at once, and check all other accounts against the list I posted. The brute force attacks are using a narrow set of names and re-trying them over and over, so if your install doesn’t include those usernames, there’s no chance that this particular attack will succeed.

    However, an attacker can still try to learn valid usernames on your WP installation and attempt to brute force those, so that’s why you want to keep those usernames private.


    Web: https://wpperform.com or Twitter: @wpperform

    We do managed WordPress hosting.

    #36101

    yellowdog
    Participant
    Post count: 36

    I have started using http://www.securescanpro.com/ on my sites this week.

    #36152

    Bill Murray
    Participant
    Post count: 575

    While I don’t intend to criticize any particular plugin, almost all security plugins in WP aren’t worth the time and the premium ones aren’t worth the money.

    For example, plugins that scan WP installs for modified files imagine a WP setup where a web visitor CAN modify files in your WP install. If you set up your WP install so that a web user can’t write to folders with code and you access your server securely (via SFTP or SSH), scanning files isn’t necessary and ends up wasting resources that could be used to serve site visitors.

    It’s the same with brute force attacks. If your site doesn’t have users with the usernames that attackers use to attack – and almost all attackers use a very, very narrow set of usernames – a brute force attack is never going to work.

    It’s true that WP sites are successfully attacked every day, but the successful attacks are not because the site wasn’t running a security plugin. Attacks are successful because a) people run out of date WP or out of date plugins that have had security holes identified and patched, b) server credentials are compromised, sometimes because the PC from which a user accesses the server is compromised, c) the WP install was set up insecurely from the start, or d) a user is tricked into installing a plugin from a bad source.

    If you avoid those common problems, you don’t have to worry about WP security plugins.


    Web: https://wpperform.com or Twitter: @wpperform

    We do managed WordPress hosting.
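Bill's point about file scanners is that they assume a setup in which the web server account can write to the code directories, and that the real fix is to make sure it can't. As an added example (not code from the thread, from wpperform, or from WordPress), this stand-alone PHP CLI script checks that assumption once, from ownership and mode bits, instead of scanning file contents on every request. The install path, the web server account name and the script's file name are assumptions supplied by whoever runs it; it needs the POSIX extension, which is normally present on Linux builds of PHP.

```php
<?php
declare(strict_types=1);

/**
 * Added example, not code from the forum thread or from WordPress: reports
 * every code file or directory in a WordPress install that the web-server
 * account could modify.
 * Usage (CLI): php wp-perms-audit.php /var/www/example www-data
 * Both arguments are assumptions supplied by the caller.
 */

// Directories that hold code and therefore should not be writable by the web
// server account. wp-content/uploads is deliberately absent: it must stay writable.
const CODE_DIRS = ['wp-admin', 'wp-includes', 'wp-content/plugins', 'wp-content/themes', 'wp-content/mu-plugins'];

/** True if the account ($uid, $gid) could write $path, judged by ownership and mode bits. */
function writable_by(string $path, int $uid, int $gid): bool
{
    $st = @stat($path);
    if ($st === false) {
        return false;
    }
    $mode = $st['mode'];
    if ($mode & 0002) {                          // world-writable: anyone can write
        return true;
    }
    if ($st['uid'] === $uid && ($mode & 0200)) { // owned by the web account
        return true;
    }
    // Primary group only; supplementary group memberships are not considered here.
    return $st['gid'] === $gid && (bool) ($mode & 0020);
}

/** Returns a list of [path, octal mode, owner name] for writable code paths. */
function audit_install(string $root, string $webUser): array
{
    $pw = posix_getpwnam($webUser);
    if ($pw === false) {
        throw new RuntimeException("Unknown account: $webUser");
    }
    $root     = rtrim($root, '/');
    $findings = [];
    $check = function (string $path) use (&$findings, $pw): void {
        if (!writable_by($path, $pw['uid'], $pw['gid'])) {
            return;
        }
        $st    = stat($path);
        $owner = posix_getpwuid($st['uid']);
        $findings[] = [
            $path,
            sprintf('%04o', $st['mode'] & 0777),
            $owner === false ? (string) $st['uid'] : $owner['name'],
        ];
    };

    // Top-level PHP files: index.php, wp-login.php, wp-config.php and friends.
    foreach (glob($root . '/*.php') ?: [] as $file) {
        $check($file);
    }
    foreach (CODE_DIRS as $dir) {
        $base = $root . '/' . $dir;
        if (!is_dir($base)) {
            continue;
        }
        $check($base);
        $iter = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator($base, FilesystemIterator::SKIP_DOTS),
            RecursiveIteratorIterator::SELF_FIRST
        );
        foreach ($iter as $entry) {
            $check($entry->getPathname());
        }
    }
    return $findings;
}

if (PHP_SAPI === 'cli' && isset($argv[2])) {
    $findings = audit_install($argv[1], $argv[2]);
    foreach ($findings as [$path, $mode, $owner]) {
        printf("%s %-10s %s\n", $mode, $owner, $path);
    }
    printf("%d path(s) writable by %s\n", count($findings), $argv[2]);
    exit($findings === [] ? 0 : 1);
}
```

An empty report means a PHP-level compromise can read your code but cannot change it, which is the situation Bill describes as making content scanners redundant. If the report lists everything, the host runs PHP as the same account that owns the files (common on shared hosting); that is a hosting setup decision rather than something a plugin can fix, and it is exactly the case in which a scanner is standing in for a missing control.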

