WordPress under attack: Managed WordPress Hosting or DIY WordPress security…
WordPress has set a target of being used by 50% of the websites in the world, and current estimates are that it powers between 17 and 24% of sites at the moment (so they have a way to go in order to hit 50%). The target is ambitious, but the point is this: the sheer number of WP sites makes for a large number running old, default and insecure settings. WordPress core itself does NOT have brute-force detection, and site owners often set up REALLY easy-to-guess passwords. Couple that with a system where:
- the username can be guessed as ‘admin’ or ‘mysiteadmin’ (a large number of site owners use the name of the site and put admin on the end)
- users can be attacked by their numeric user ID, and those IDs are rather trivially discoverable
- passwords tend to be easy to brute-force – myname123 or password123 are common
- no default lockout of failed logins by IP or username is built into the system (yet)
This makes for a large number (millions) of websites which are ‘easy targets’, so the malware and ID-theft scumbags program ‘botnets’ to probe WordPress installations continually and hammer them day and night trying to break in. Without installing security and configuring your site “properly”, you can expect the attacks to continue unabated. We have seen unprotected WordPress sites attract 30,000 probes in a few hours – this level of “attention” from the botnets impacts the entire server, slowing down every user on the same server. Yes – we noticed this and locked out the botnet by installing protection systems for the user – then we told them they needed to get serious about their security!
One of the biggest problems is having a user login account which is easily guessable – possibly an old WP installation with the admin username of ‘admin’. The default of ‘admin’ should never be used – and it should be changed immediately. Couple that with a weak password, and it becomes a matter of *when* you get hacked, not *IF*.
Things to remember: if the nice-username (display name) you see on the edit-user page is the same as the login username – change it! Again, this makes the username easy to find, and the botnets have half the key once they discover it. Do NOT use your first name as a login name – a dictionary attack of first names makes these easy to find.
You should also remove user 1: create a new admin user (with a strong username and password), then delete user 1, because user_id = 1 is an easy attack vector.
You can install the free edition of iThemes Security and change the existing user ID and name from admin (make sure you have a backup of the database in case it breaks something). I have never seen this plugin break things (well – not in a very long time, and that was many versions ago).
WordPress security is a big undertaking, but you can get yourself a good solid base by:
- never using admin as a username
- changing nice usernames so they are not the login ID
- never using administrative user ID 1
- never installing untrusted plugins, or plugins which have not been updated in 2+ years
- making sure your core files and plugins are up to date – ALWAYS
- setting up .htpasswd protection of wp-admin (this requires a bypass of the .htpasswd rule for admin-ajax.php, which plugins and themes call from the public side of the site)
- installing iThemes Security / Wordfence / Login LockDown – and configuring them PROPERLY
- monitoring the attacks and WordPress threat blogs
- keeping regular off-server backups of both files and database
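Since WordPress core gives you no brute-force detection or lockout, the first monitoring step is to see the hammering in your own logs. The following is an added example, not code from the original post or from any of the plugins named above: a small Python script that reads Apache-style combined access log lines and flags IPs that POST to wp-login.php or xmlrpc.php more than a threshold number of times inside a sliding time window. The sample log lines, IP addresses, threshold and window are constructed/assumed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path").split("?")[0], int(m.group("status"))

def find_login_bursts(lines, threshold=5, window=timedelta(minutes=10)):
    """Map ip -> total login POSTs for every IP that exceeds `threshold` POSTs to
    wp-login.php or xmlrpc.php inside any sliding window of length `window`.
    (A failed wp-login.php POST answers 200; a successful one redirects with 302.)"""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                   # skip garbage / partial lines
        ip, ts, method, path, _status = rec
        if method == "POST" and path.endswith(("/wp-login.php", "/xmlrpc.php")):
            attempts[ip].append(ts)
    flagged = {}
    for ip, stamps in attempts.items():
        stamps.sort()
        start = 0                      # left edge of the sliding window
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = len(stamps)
                break
    return flagged

# Constructed sample: one bot firing 8 POSTs in under a minute, plus one real login.
_LINE = '{ip} - - [10/Mar/2014:02:{mm}:{ss:02d} +0000] "{m} {p} HTTP/1.1" {st} 3210 "-" "Mozilla/5.0"'
SAMPLE_LOG = [_LINE.format(ip="203.0.113.7", mm="15", ss=s, m="POST", p="/wp-login.php", st=200)
              for s in range(0, 64, 8)] + [
    _LINE.format(ip="198.51.100.4", mm="20", ss=0, m="GET", p="/wp-login.php", st=200),
    _LINE.format(ip="198.51.100.4", mm="20", ss=15, m="POST", p="/wp-login.php", st=302),
]
```

Feed it your real access log (one line per element) and the flagged IPs are the candidates for your plugin's blocklist or a firewall rule; tune the threshold to what legitimate users on your site actually do.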
Optional but highly advisable steps to add are:
- Cloudflare – just do it!
- Host with a provider that will help you – not some blue-monster-daddy thing – you’re just a number to them.
Or – you can host with a provider who does all this for you (we offer Managed WordPress hosting), accepting that this will cost you either time or money. Managed WordPress Hosting will cost *at LEAST* $25/month, or it will take 4-5 hours of your time a month to do all the steps yourself.
Of course, we are a web host and our specialty is WordPress. We attend a lot of WordPress meetups (as many as 3 a week) and we talk with the team at WordPress.com & Automattic and many other security players. If you haven’t come to realize by now that WordPress is under attack – you probably will soon.
Several of our meetings at a recent web hosting convention were with vendors and were specifically slanted towards protecting WordPress. For instance, there needs to be collaboration between the blocklist plugins and the Cloudflare API – i.e. when someone reaches the point of being added to the permanent blocklist of iThemes Security or Wordfence, they should also be added to the Cloudflare ban list, so they cannot actually reach the site itself. That would save server CPU cycles and Apache / nginx / LiteSpeed resources, etc.
These improvements are coming – but slowly. Our recommendation is to host with a company that understands all of this.