What You Can Do to Secure Your WordPress Site
As we mentioned in a previous post on WordPress security, unless you're a computer security expert, you'll probably need some help with securing your site. In this post, we are going to talk about some of that help.
First, you should install a good WordPress security plugin. There are several good ones out there: at the IMC we currently like to use one of two different plugins, depending upon what we consider to be the value of the site. Those are "LoginLockdown" and "All-In-One WP Security and Firewall." There are many others, some of which we have used in the past, such as "Better WP Security," "BulletProof Security," and "Ultimate Security Checker." Ultimately, which one you use will come down to two questions: "how secure do I need this site to be?" and "how much effort do I want to expend to make it secure?"
There are other security aspects to consider that often can't be addressed by a plugin, such as the configuration of your webserver itself, the file permissions on your PHP code files, how PHP is configured to behave, and system-level security, just to name a few. Most of these things will be outside your control unless you do your own hosting. However, if you are getting your hosting through a reputable, professional provider like Bluehost or HostGator, you can be reasonably sure that those issues are being handled.
That said, there are plenty of things you can do to secure your site on your own. Let's talk now about the two security plugins we use here at The IMC...
The first plugin has a narrower focus and is much simpler to configure and use. Its primary function is to monitor the number of failed logins that come from a specific IP address. You set a threshold number of attempts and time period for the plugin, and if there are more than that many failed attempts within that time period, the entire Class-C subnet is banned from even trying to log in for a period of time you also select.
In case you aren't aware, a "Class-C" subnet is all the IP addresses that start with the same three numbers; they only differ in the fourth. So, for example, the addresses 192.168.101.31 and 192.168.101.87 are in the same Class C subnet, but the addresses 192.168.101.31 and 192.168.202.87 are not. Why ban an entire subnet? Because dedicated site crackers often connect via proxies, and can easily switch their IP address, but usually only within a small subnet owned by the proxy provider.
It is important to have some sort of timeout in case the failures are just legitimate mistakes by a valid user. You don't want to lock yourself out of your own site permanently just because you didn't realize your Caps Lock key was on by mistake, right? LoginLockdown lets you set this value; the default is to lock out for one hour; we like to bump it to two or four hours.
Since brute force attacks on your passwords are one of the most common methods used by crackers to get into your website, you can improve your site's security a lot by just locking down the login page with this plugin, and it takes almost no effort to use it because the configuration is so simple. Just take a quick look at the configuration page for LoginLockdown:
This is the plugin we use for our non-critical websites, or single-purpose sites that don't have a lot of bells and whistles. As you can see, there are really only three critical settings:
- Maximum login attempts
- Period of time for the attempts
- How long they will be locked out
The default values for the plugin are 3 attempts within 5 minutes and the lockout period is one hour. You can see that we have configured our copy here to lock the bad guys out for two hours. If you want to change these to be more security-conscious, we suggest that you increase the lockout time. On most of our sites where we use this plugin, we leave the number of attempts on the default or possibly bump it to 4, bump the time period up to 10 or 15 minutes, and set the lockout time to four hours, which means a cracker can make no more than 18 attempts in any given day if they can't "throttle" their cracking bot.
Note, however, that well-equipped crackers might have a bot that they can configure to slow down its attempts, to pace itself. If they were able to work out these settings through trial and error, they could configure their bot to make no more than 2 attempts every 10 minutes, which would give them a maximum number of retries per day of less than 300. If you have changed your default administrator username and you use good passwords, you could probably repel that number of attacks per day for years. Keep an eye on your traffic logs, and if you see repeated attempts from one IP that seem to be "timed" in this way, you might want to blacklist that IP completely. LoginLockdown doesn't provide this capability, however. If you want to be able to do blacklisting, you need to look at our other security plugin, which we will discuss below.
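To make the mechanism concrete, here is an added Python model (not LoginLockdown's own code) of the per-subnet lockout described above, with a constructed 24-hour bot simulation that reproduces the 18-attempt and under-300 figures, plus a simple check for the evenly timed attempts the post says to watch for in your logs. The 203.0.113.10 address and the rule that the failure reaching the maximum still gets checked but triggers the lockout are assumptions.

```python
# Added model of a LoginLockdown-style policy: failed logins are counted per
# /24 ("Class C") subnet inside a window; reaching the maximum locks the subnet.
from collections import defaultdict
import ipaddress
import statistics


class SubnetLockout:
    # Assumption: the failure that reaches max_attempts is still password-checked
    # but triggers the lockout, which matches the post's "18 attempts per day" figure.
    def __init__(self, max_attempts=3, window_s=300, lockout_s=3600):
        self.max_attempts, self.window_s, self.lockout_s = max_attempts, window_s, lockout_s
        self.failures = defaultdict(list)   # subnet -> recent failure times (seconds)
        self.locked_until = {}              # subnet -> time the lock expires (seconds)

    @staticmethod
    def subnet(ip):
        """The "Class C" block of an address: its first three octets, i.e. its /24."""
        return ipaddress.ip_network(f"{ip}/24", strict=False)

    def failed_login(self, ip, now):
        """Record a failed login at time `now` (seconds). Returns False when the
        subnet is locked and the attempt was refused without a password check."""
        net = self.subnet(ip)
        if now < self.locked_until.get(net, -1):
            return False
        recent = [t for t in self.failures[net] if now - t < self.window_s]
        recent.append(now)
        if len(recent) >= self.max_attempts:
            self.locked_until[net] = now + self.lockout_s
            recent = []
        self.failures[net] = recent
        return True


def checked_attempts_per_day(policy, interval_s, ip="203.0.113.10"):
    """Simulate a bot that retries every interval_s seconds for 24 hours and count
    how many attempts actually reach the password check (constructed scenario)."""
    return sum(policy.failed_login(ip, t) for t in range(0, 86400, interval_s))


def looks_paced(failure_times, min_attempts=6, max_jitter=0.1):
    """Flag a source whose failures are evenly timed, the log pattern the post says
    to watch for: enough attempts with near-identical spacing between them."""
    if len(failure_times) < min_attempts:
        return False
    gaps = [b - a for a, b in zip(failure_times, failure_times[1:])]
    return statistics.pstdev(gaps) <= max_jitter * statistics.mean(gaps)
```

With the post's suggested settings, SubnetLockout(3, 600, 4 * 3600), a bot retrying every 10 seconds gets 18 password checks in a day, while one paced at one attempt per 5 minutes never trips the lock and gets 288.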
To give you some additional information on LoginLockdown, we've put together this simple training video:
All-In-One WP Security and Firewall
The AIO plugin does a really great job at securing our high-value websites; it's the one we use here at the IMC. It has a lot of configuration options and can be a little daunting to use, but it provides a really nice feedback mechanism to let you know what you are doing and how it will affect your site's security.
The dashboard display for AIO generates a few graphics that give you an at-a-glance picture of what you've done and how secure your site is. The plugin basically provides a checklist of actions and settings you can take, each of which can add to the security of your site, but it allows you to deactivate any of them you wish if they interfere with other functionality on your site.
The feedback consists of a speedometer-like graphic that shows you, on a scale of 0 to 477, how many "security points" you have added to your site with the settings you have entered. The objective is to increase your score until the speedometer is safely in the "green" section. It also gives you a pie-chart breakdown of the different types of security settings you have entered and how much of your point score comes from each type.
Most of the security fixes you can do with this plugin should have no effect whatsoever on the functionality of your site, including other plugins. We make use of most of them ourselves on our high-value sites. On the other hand, some of the settings involve things like ownership and permissions on files and changes to your .htaccess files, and due to some of the custom functionality that we have coded up here, we may not use those. But even with that limitation, it is very easy to get our sites well into the green without breaking anything. We are sure that you can do the same.
We know that all of this can be a little confusing, so we've put together a detailed demonstration video that shows you the plugin in action:
Thanks for your time reading this; if you have any questions or suggestions, please feel free to drop a comment on the article. We understand that this plugin is complex, and we might do an entire post dedicated to it in the future if that is something our users would like to see. Let us know!