The final instalment of our Security Rules series comes from Jesse Friedman. He’s the Director of Innovation at BruteProtect. They provide a WordPress plugin which will protect you against brute force and botnet attacks.
If you missed the first post in this series, you can catch up here.
WordPress core out of the box is very secure and an extremely reliable CMS. Everything you do after you install WordPress is an opportunity to harden that security, or soften it. And I’ll tell you right now, it doesn’t matter if you’re hosting your Mom’s quilting website (I actually do this) or a government website, you’re going to get attacked.
Nearly all attacks come from crackers who have no idea who you are. They want to infiltrate as many websites as possible. Their goals could be to hijack your server, inject malicious code, steal your users’ information, or insert ads all over your site. The good news is the six steps outlined in this two-part series will help prevent those attacks from being successful, while saving you time and money.
4. Don’t publish under your administrative account
Most WordPress users don’t realize that their usernames are public. This is not an uncommon practice for the Internet. A hacker will know your Twitter username before they attempt to crack your password because it’s public. Keep two accounts so your administrator account can remain private.
Unless you’re currently building or developing on your WordPress site, you probably don’t need administrator access every time you log in. Limit exposure to your site’s backend by giving yourself a public facing editor-level account. Editor privileges will allow you to perform 90% of your daily activities.
Your admin-level account should have a username that is really difficult to guess and should follow password creation best practices. A good username for me would be jFriedman23432. This will ensure that your username will remain unpredictable and that is a good first line of defense against attacks.
5. With great power comes great responsibility
Administrators have great power and the ability to do a lot of damage in WordPress. Even if you trust the person you’re giving administrative access to, it still isn’t their site. Frankly, most people don’t need admin privileges. Give users of your WordPress backend the appropriate access.
If you’re having someone write a guest post for you, give them author-level access. If you have an SEO professional editing content and links, give them editor access. Reserve administrator access for individuals who really need that level of access; your web developer or an IT technician at your company would be good examples.
Make sure to revoke access when that person no longer needs access to your system. Change the password and email address associated with the account, you can always reinstate access if needed. Keeping a tidy and organized user list is a great way to limit the possibility of a successful attack.
At the end of the day, no matter how well you harden the security for your WordPress infrastructure, there is always the possibility of a successful attack occurring. Even corporations who spend hundreds of thousands, or even millions, of dollars a year on security still fall victim to attack. What’s the best way to recover? BACKUP!
Sorry for the caps lock, I’m not yelling, I’m just trying to emphasize the importance of backing up. Most people think they are immune to attack because they are off the radar. Most people think it can’t happen to them. I promise you, you’re not immune, botnet attacks are growing and getting stronger every week. Our product BruteProtect will stop these botnets, and I highly recommend it. We see an average of 3 attacks per day on even the most obscure websites.
However, security isn’t just about stopping attackers, it’s about protecting your data. Even with BruteProtect, Clef, and all these best practices in place, someone can still make a mistake. Someone could accidentally delete a database table, overwrite theme files, or make some other ignorant or unwitting mistake.
There are a dozen tools out there for backing up. I would combine a plugin level tool like VaultPress, BackupBuddy or BackWPup with a server-level backup solution. Most hosting providers provide either free or premium backups. If you’re not backing up today, it should be your number one priority for this week. Don’t let any more time go by, it’s very easy to implement a backup solution, so get on it!
In conclusion, there’s a ton more that can be done to prevent a successful attack, but these six tips will safeguard you from the majority of vulnerabilities. Depending on your website, you might want to invest more time in security, and even hire a consultant. If you run an e-commerce store, though you’re just as vulnerable, you have far more at stake than my mother’s quilting website. Don’t take anything for granted and don’t assume you’re safe. Be cautious and cognizant, and happy WordPressing!