Some Thoughts on WordPress Site Security

WordPress Site Security

What I’ve learned in a week of running WordFence Security Plug In

With news of DDoS attacks, identity theft, and newly discovered WordPress vulnerabilities seemingly every day, owning a website can sometimes be stressful.  WordPress site security is one of those things most of us just don't want to think about.  I have to admit it is something I never thought my own site had much to worry about.

Let's examine my site logically.  It doesn't have ecommerce.  It once had a WooCommerce plugin installed, but it was never even activated.  The site has no membership levels and a small subscribership, so you would think the email spam possibilities are limited.  It is not a high-traffic site, so the number of people affected by a DNS hijack would be low.  I suppose there is always the possibility that an attacker could get their code or files onto the site and keep them there for a while without detection, spreading from there simply because it is a WordPress site and they are throwing a wide net, but overall it doesn't feel like an ideal target.  At least, that is how it always seemed to me.  Then I installed WordFence and got a true picture of what is really happening on most WordPress sites.

In one week of WordFence activity, three different IPs from three different countries were logged trying to break into my site.  For educational purposes: they were trying the usernames "admin", "wpadmin" and "useradmin".  When a web professional tells you not to use or keep a login like that, listen, because there is a good reason.  Those are the first names an attacker guesses, and there are people out there scanning for WordPress sites where the administrator still uses one of those defaults.  One of these attackers tried to log in 20 times before WordFence locked them out and notified me.  (They never would have gotten in, but I did like knowing how many times they tried.)  Note what a lockout does and does not buy you: it slows guessing from a single IP and tells you it is happening, but a strong, unique password and a non-default username are what actually keep a guesser out when the attempts come from many IPs at once.
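To make the lockout concrete, here is an added example (written for this post, not Wordfence's code, whose thresholds and internals are its own) of how a brute-force guard can work: a sliding window of failed logins per IP, a lockout once the window fills, and a flag on the default administrator usernames attackers try first.  The IP addresses, timings and usernames in the sample events are constructed for illustration, and the 20-attempt, 5-minute and 15-minute figures are assumptions.

```python
from collections import defaultdict, deque

# Usernames that guessers try first; "admin", "wpadmin" and "useradmin" are the
# ones from the post, "administrator" is added here as a common fourth guess.
DEFAULT_ADMIN_NAMES = {"admin", "wpadmin", "useradmin", "administrator"}


class LoginGuard:
    """Per-IP failed-login counter with a sliding window and a temporary lockout.

    Illustrative only: the thresholds are assumptions, not Wordfence's defaults.
    """

    def __init__(self, max_failures=20, window_seconds=300, lockout_seconds=900):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time the lockout expires

    def _prune(self, ip, now):
        """Drop failures older than the window so old noise does not count."""
        q = self.failures[ip]
        while q and now - q[0] > self.window_seconds:
            q.popleft()

    def attempt(self, ip, username, password_ok, now):
        """Record one login attempt and return 'locked', 'allowed' or 'failed'.

        A locked IP is refused even when the password is correct: the lockout
        protects the account, not just the attacker's next guess.
        """
        if self.locked_until.get(ip, 0) > now:
            return "locked"
        if password_ok:
            self.failures.pop(ip, None)  # a real login clears the counter
            return "allowed"
        self._prune(ip, now)
        self.failures[ip].append(now)
        if len(self.failures[ip]) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout_seconds
            self.failures.pop(ip, None)
            return "locked"
        return "failed"


def simulate(guard, events):
    """Run constructed (time, ip, username, password_ok) events through the guard.

    Returns the per-event outcomes and, per IP, which default admin names it tried.
    """
    outcomes = []
    default_name_hits = defaultdict(set)
    for ts, ip, username, password_ok in events:
        if username.lower() in DEFAULT_ADMIN_NAMES:
            default_name_hits[ip].add(username)
        outcomes.append((ts, ip, guard.attempt(ip, username, password_ok, ts)))
    return outcomes, dict(default_name_hits)


# Constructed sample: documentation-range IPs, timestamps in seconds.
SAMPLE_EVENTS = (
    [(t, "203.0.113.7", "admin", False) for t in range(20)]   # 20 guesses in 20 s
    + [(25, "203.0.113.7", "admin", True)]                     # right password, still locked
    + [(30 + t, "198.51.100.4", "wpadmin", False) for t in range(3)]
    + [(40, "192.0.2.9", "jane", True)]                        # a normal login
    + [(1000, "203.0.113.7", "useradmin", False)]              # lockout expired at t=919
)


def run_sample():
    """Convenience wrapper used by the demo below and by tests."""
    return simulate(LoginGuard(), SAMPLE_EVENTS)


if __name__ == "__main__":
    outcomes, hits = run_sample()
    for ts, ip, result in outcomes:
        if result != "failed":
            print(f"t={ts:>4}  {ip:<14} {result}")
    print("default admin names tried:", hits)
```

Two details matter in practice.  The 20th failure is the one that trips the lock, which is why the post's attacker got exactly 20 tries, and the lock refuses even a correct password until it expires, so a guesser who eventually stumbles on the right one is still kept out for the lockout period.  A guard like this is per IP, so it does nothing against a botnet spreading the same 20 guesses across hundreds of addresses; only a strong password and a non-default username stop that.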

In that same week, through a security vulnerability, a malicious file was uploaded to my server.  The same intrusion also injected a bit of code into another, legitimate file.  WordFence notified me about the malicious file, and I found the injected code after some extra work (it is what I do, after all).  What would this have done if I hadn't caught and corrected it?  Every time someone googled me or my company and followed that link from Google, they would have been redirected not to my homepage but to the PHP file that had been uploaded to my server.  I have to admit I had WordFence delete it before I investigated what the file did, but files dropped this way typically serve spam advertising or malware.  The injected code I had to hunt down and delete was the redirect itself: it looked at where the visitor came from (the Referer header the browser sends) and only redirected visitors arriving from a search engine.  If someone typed the address in directly, they would never have seen the problem.  Pretty slick, since most of us who work on our own sites don't search for ourselves first to get there.  Despite the similar effect, this is not a DNS hijack: DNS was never touched.  The request reaches your real server, and your own PHP then sends the visitor elsewhere.  That also means a quick check is easy.  Request your homepage with a search-engine Referer and look for a 3xx response with a Location header, for example curl -sI -H 'Referer: https://www.google.com/' https://your-site.example/ (substitute your own domain), and compare it with the same request without the header.  If the two differ, something on the server is deciding who gets redirected.
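The hunt for the injected redirect is the part a scanner automates, so here is an added example (not Wordfence's scanner, which uses its own signatures and compares core files against pristine copies) of the kind of heuristic check that finds it: regular expressions for a Referer-conditional redirect, for eval of an obfuscated payload, and a path rule for PHP files sitting under wp-content/uploads, where no PHP should ever live.  The three sample files, including the injected snippet and the example.invalid landing page, are constructed for this example.

```python
import re

# Heuristic signatures, constructed for this example. Each is (label, regex).
SIGNATURES = [
    # Redirect that depends on where the visitor came from (the Referer header).
    ("referrer-conditional redirect",
     re.compile(r"HTTP_REFERER[\s\S]{0,300}?(header\s*\(\s*['\"]Location|wp_redirect\s*\()", re.I)),
    # Referer compared against a search engine: the "only via Google" trick.
    ("search-engine referrer check",
     re.compile(r"HTTP_REFERER[\s\S]{0,200}?(google|bing|yahoo|yandex)", re.I)),
    # Code executed only after decoding, the usual way injected payloads hide.
    ("eval of decoded payload",
     re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    # A long base64 string literal is worth a look even without eval next to it.
    ("long base64 blob", re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]")),
]


def scan_php(source):
    """Return [(label, line_number), ...] for every signature hit in one file."""
    findings = []
    for label, rx in SIGNATURES:
        for m in rx.finditer(source):
            line = source.count("\n", 0, m.start()) + 1
            findings.append((label, line))
    return findings


def scan_tree(files):
    """Scan a {path: contents} mapping; return only the paths with findings.

    Uploads are meant to hold images and documents, so any .php there is flagged
    on its path alone (line 0), before the contents are even read.
    """
    report = {}
    for path, contents in files.items():
        findings = []
        if path.startswith("wp-content/uploads/") and path.endswith(".php"):
            findings.append(("php file under uploads", 0))
        findings.extend(scan_php(contents))
        if findings:
            report[path] = findings
    return report


# Constructed sample tree: one clean template, one dropped redirect file, and
# one legitimate core file with an obfuscated line injected into it. The base64
# string is a harmless placeholder, not a real payload.
SAMPLE_FILES = {
    "wp-content/themes/mytheme/header.php":
        "<?php\n// clean template\nwp_head();\n?>\n<html>\n",
    "wp-content/uploads/2015/cache/x.php":
        "<?php\n"
        "$r = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';\n"
        "if (stripos($r, 'google') !== false) {\n"
        "    header('Location: http://example.invalid/landing.php');\n"
        "    exit;\n"
        "}\n",
    "index.php":
        "<?php\n"
        "/** Front to the WordPress application. */\n"
        "eval(base64_decode('aWYgKGlzc2V0KCRfU0VSVkVSWydIVFRQX1JFRkVSRVInXSkpIHsgfQ=='));\n"
        "define('WP_USE_THEMES', true);\n"
        "require __DIR__ . '/wp-blog-header.php';\n",
}


if __name__ == "__main__":
    for path, findings in scan_tree(SAMPLE_FILES).items():
        for label, line in findings:
            print(f"{path}:{line}: {label}")
```

On a real site you would walk the document root and feed every .php file through scan_tree.  Treat the output as leads, not verdicts: some legitimate plugins do inspect the Referer, so open each flagged file and read the surrounding code.  For WordPress core, themes and plugins from wordpress.org, the stronger check is the one the scanners perform, comparing each file against a fresh copy of the same version, because an injected line in an otherwise legitimate file (the situation described above) shows up as a diff even when it matches none of these patterns.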

The final thing WordFence alerted me to is that in that same week my plugins needed 10 separate updates (and WordPress itself had one update, but I have that set to update automatically).  Quite often an update is the developer's response to a vulnerability that has been reported, so think of updates as the way you keep your site healthy and secure.  That applies to plugins you have deactivated as well, such as the WooCommerce plugin I mentioned: a deactivated plugin's files are still on the server and still reachable from the web, so either keep it updated or delete it.

It may sound like I'm advertising WordFence.  I'm not, actually; I'm advocating taking the security of your WordPress site seriously, whatever direction you choose.  WordPress is a wonderful platform with a lot of great benefits.  However, the same popularity and plugin ecosystem that make it so useful also make it a target.  There are quite a few plugins out there that offer dependable reminders, scans, and tools to keep your site running smoothly and securely (Sucuri is another great one).  At the very minimum you need something that:
1. does regular scans for viruses and malware, including files that have been added or modified without your knowledge,
2. protects against brute-force login attacks,
3. alerts you when plugins or themes are out of date and need updating, and
4. offers a firewall for your site.

If you find you don't have the time to make sure these tasks get done regularly, please know that Brilliant Blue Designs not only offers WordPress setup and design services through a partnership with Digidonkey Web Design, but I also offer regular WordPress maintenance contracts.  Want more information?  Call me at 321-474-4830 or email me at [email protected]

A good article with additional information on WordPress site "hardening", that is, tightening site security, can be found here.