Shellacking The Hacking: A Wordpress Security Scoop
Wordpress security isn’t always the first thing that comes to mind when you think of the Wordpress platform, is it?
Let’s face it, Wordpress is pegged to be “the place” to start if you want to create a blog which means that there are different levels of knowledge that come to this platform as people begin to develop their blogs. That sounds pretty reasonable when you consider that of all the millions of blogs online that have been constructed.. nearly 25% of them exist through Wordpress.
Beyond that staggering fact.. there are the newbies, the intermediate crowd and the advanced Wordpress operators.
In reflecting on that for a moment.. which were you when you started a blog or even better yet, which are you now if you haven’t started a website just yet, but are still considering it?
With that said, there is something very startling to me as I put together this post about Wordpress security. There are more than 60 million sites that use Wordpress yet there are only a few thousand searches on a monthly basis regarding the security of this platform.
Regardless of what the install stats may be, the search data still represents a huge disparity between those who operate a Wordpress website and those who want to understand hardening Wordpress to better secure it.
According to a BBC News report from February 2017, one of the worst attacks in recent times for Wordpress affected more than a million pages, including a massive 800,000 attacks in the same timeframe in which this event occurred.
Security affects us all, but how many of us intentionally think about that in the excitement of getting a domain name and using Wordpress as our CMS platform? I can tell you that it’s not nearly as many as it should be.
It’s a scary thought that all the hard work you invest into putting together meaningful, substantive and helpful content can be taken away in an instant, simply because the owner never implemented a Wordpress firewall or never learned how to improve Wordpress security on their blog.
And I’ve been guilty of it myself.
One of the websites that I own uses the Wordpress CMS platform and I did what most people do.
I got online and thought of a decent name for my domain and found a host and installed Wordpress. It was great.
I had my plan, I was up and running after making some tweaks once I accessed my Wordpress control panel and I started adding content right away.
I’d bet 10 to 1 that this is how most people get started with Wordpress.
Everything is in its neat little box ready to go for you and it’s plug & play. You don’t have to have any technical knowledge, you don’t have to know a thing about Wordpress because that’s the way it’s designed. It’s designed so that it’s easy. So easy in fact that anyone can start a blog on their platform and true to its name and mission, Wordpress lives up to that.
Beyond changing some minor things like how my posts would look, the theme, the look and feel of my dashboard and adding a couple plugins I didn’t do much more in the way of customization.
After more than 100 posts, I started getting warnings and warnings from my hosting provider that there were multiple attacks being made on my Wordpress website.
Of course, I wasn’t sure what prompted this out of nowhere and I didn’t have a clue as to how I got so lucky as to warrant the attention of hackers (just being sarcastic, folks).
However, what I came to quickly realize was that in terms of Wordpress security best practices, I was doing it all wrong and was literally raising red flags all over my website that said, hey! hack me.. I’m vulnerable.
Before this, as foolish as I feel about the admission, I really didn’t know anything about how to improve Wordpress security on my blog on the Wordpress platform. I hadn’t even heard of a Wordpress firewall before or had any familiarity with Wordpress security plugins either.
However, was there really a need for me to know?
I already knew that Wordpress had its own basic security so I hadn’t put much thought into beefing it up beyond what it was already equipped with. I could venture to say arbitrarily that maybe 1/16th of Wordpress owners think.. hmmm… what do I need to do to harden Wordpress so I can keep hackers out. It’s just not a common thought that crosses most owners’ minds with respect to this particular CMS platform and I was surely no exception.
Needless to say I discovered that even beyond my own mistakes, there are definitive Wordpress security issues right out of the box that make you an easy target for hackers if you aren’t aware of what needs to be changed and what you need to do to send a definitive message of, hey.. messing with me is like trying to walk through a brick wall.. it’s not happening here!
I ended up getting attacked several times for several reasons:
- username was in my url slug (Wordpress uses this as the author url slug by default)
- no Wordpress firewall
- no Wordpress security plugin
- same names used across the site
- no Wordpress security lockdown
- no captcha system in place
- too many settings left the same that were automatically set by Wordpress
- no bruteforce protections
- no spam protection
- no malware protection
Considering everything I was missing that contributed to the constant attacks, it goes without saying that Wordpress security is a very big deal and I was in a heap of trouble if I didn’t do something about this quick.
As I mentioned in one of the bullet points above about the username being in my URL, let me clarify further why that was such a problem.
Here’s why this is so significant. Wordpress does publish the username in the author slug by default when you start to use the platform and for hackers this is golden.
Your username in your url slug gives hackers HALF of your login credentials. The only thing left for hackers to do from there is guess your password. This can be achieved by a brute force login attack which means they are just going to keep guessing your password until they guess correctly and eventually get access to your website and ultimately take it over.
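To see what that sequence looks like from the owner's side, here is an added example (not part of the original post) that scans web server access-log lines for an address that viewed an author page and then piled up failed logins. The log lines, IP addresses and the "jsmith" slug are constructed sample data, and it assumes a default install where a failed login returns HTTP 200 and a successful one redirects with HTTP 302.

```python
import re
from collections import defaultdict

# Combined-log-format prefix: client IP, request method and path, status code.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def _line(ip, method, path, status):
    """Build one constructed access-log line (sample data, not real traffic)."""
    return (f'{ip} - - [01/Jan/2024:10:00:00 +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "-"')

# Constructed sample: documentation-range IPs and a hypothetical "jsmith" slug.
SAMPLE_LOG = (
    [_line("203.0.113.7", "GET", "/author/jsmith/", 200)]        # reads the slug
    + [_line("203.0.113.7", "POST", "/wp-login.php", 200)] * 6   # six wrong guesses
    + [_line("198.51.100.20", "POST", "/wp-login.php", 200),     # owner mistypes once
       _line("198.51.100.20", "POST", "/wp-login.php", 302),     # then logs in
       _line("192.0.2.44", "GET", "/author/jsmith/", 200)]       # ordinary reader
)

def find_bruteforce(lines, threshold=5):
    """Return IPs with at least `threshold` failed logins, noting author-page visits.

    Assumption: a failed login re-renders the form (HTTP 200) and a successful
    one redirects (HTTP 302), as on a default install.
    """
    failed = defaultdict(int)
    saw_author = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        ip, method, path, status = m.groups()
        path = path.split("?", 1)[0]  # drop any query string
        if method == "GET" and path.startswith("/author/"):
            saw_author.add(ip)
        elif method == "POST" and path == "/wp-login.php" and status == "200":
            failed[ip] += 1
    return {ip: {"failed_logins": n, "viewed_author_page": ip in saw_author}
            for ip, n in failed.items() if n >= threshold}

if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

The count here covers the whole file; on a busy site you would apply the same logic per time window and tune the threshold to your own traffic.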
Once I discovered I was getting attacked, I did some research and found some great tools (e.g. Wordpress security plugins) to put a dramatic halt to this nonsense.
For the website that I own that I referenced in this post, I went from a thin, sheet-of-paper-like protection to a deep brick wall of protection. It was very enlightening to know just how poor my protection was and what it takes to drastically improve it so that I could safeguard my content and hard work from the dangerous attacks from hackers.
Securing Wordpress secures your work and your livelihood. Understanding Wordpress hacker protection is probably the best thing that you can do for your website once you’ve become a Wordpress website owner.
My mistakes may be embarrassing, but the lesson learned was invaluable and hopefully it will also steer you in a direction to employ Wordpress hacker protection for your own Wordpress properties. As I mentioned before, you can read here about my Wordpress security plugin recommendations that I used and found to be extremely helpful in securing Wordpress in a way that I hadn’t thought was possible before.
Thanks for reading.