13 Super WordPress Security Strategies

Web Security as a Whole

Security is one of those boring topics. Nobody really wants to hear about it until something dramatic happens. It is on our minds, but not at the front of them; if anything it is an afterthought. Web security, however, has to be more than an afterthought before, during and after a website build. Security is the foundation of a healthy website, and it is what lets you stop worrying about every newly published vulnerability. Let’s face it: any content management system (CMS) you or your company implement, proprietary or open source, will have security vulnerabilities. That goes for WordPress too, and it is why software gets updates. Updates are largely security and usability patches that (hopefully) improve the CMS as a whole.

What are some consequences of poorly managed web and IT security?

  • DDoS Attacks
  • Brute force attacks
  • Data Loss
  • Data Leakage
  • Stolen Data
  • Server overage charges
  • Hardware malfunction
  • Software malfunction
  • Destruction of Property
  • World Hunger
  • Loss of Money

That’s right: the bottom line for every one of these is that it will COST YOU MONEY. (It does not actually cause world hunger, but keep it in the back of your mind anyway; somewhere, someone is starving because of your IT negligence.) By ignoring security vulnerabilities you are exposing yourself and your company to attackers who can decimate your online business. They can take the entire company down and keep you offline for months. Just search “website hack” in Google News and you’ll find hundreds of articles about companies and sites getting hacked.

Don’t think it’s a serious matter? That’s fine, I’m not trying to convince you. You’re probably the same person who wanders through life without any identity theft protection, saying “oh, it won’t happen to me” while a would-be thief uses your credit information to apply for a business loan. Security is not just an essential consideration, it’s the lifeblood of a successful company.

Many companies have now turned to a platform called WordPress. It is a great open-source CMS with enormous versatility and flexibility. With that said, it is open source: the source code for every file is available to everybody, not just you and me, and that includes attackers. Attackers and ordinary users have the same opportunity to read the code, so anyone can hunt for flaws in it. The flip side is that defenders and security researchers can audit it just as easily; what really makes WordPress such a popular target is its huge install base and the long tail of sites running outdated core, plugins and themes. Each and every day people are looking for loopholes and security vulnerabilities in the system. When one is found, it has to be patched with an update. This is an ongoing battle.

Fortunately for you, WordPress is constantly updated and has a huge community behind it, which means that for every vulnerability there is someone working on a fix. Despite the vulnerabilities that do turn up, there is quite a lot you can do to protect your site and your business from would-be attackers. You must remain vigilant and learn to expect hack attempts rather than be surprised by them.

There are plenty of measures you can take yourself, or ask your developer to take, to prevent break-ins. Let’s go over them.

13 Super WordPress Security Strategies

1. Use Strong Passwords for all users.

What’s a strong password, you ask? The usual answer is a mix of uppercase letters, lowercase letters, numbers and symbols, but length matters far more than character classes. Six characters, the minimum many sites still accept, gives under 40 bits of entropy even with every character class mixed in, which is comfortably within reach of an offline cracking rig once your password hashes leak. Aim for at least 12 characters for ordinary users and 16 or more for administrators, or better yet a long random passphrase, and make it unique to this site. Use a password manager so you never have to memorise any of this, and turn on two-factor authentication for every account with the Administrator role. Passwords are an obvious one, but I still see many web admins with very weak ones. I have conveniently placed a password generator on the right hand side of this page that you can use to generate unique, complex passwords at any length you choose. Give it a go!
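To put some numbers on that, here is a small password helper added as an example for this post (it is not the generator on the page and not WordPress code). It uses Python’s secrets module, computes the entropy of a random password for a given length and character set, enforces the policy above, and estimates worst-case cracking time at a given guess rate. The symbol set, the 12-character floor and the guess rate are this example’s own choices.

```python
import math
import secrets
import string

# Character classes for the policy. The symbol set is this example's own choice;
# match it to whatever your site and your users' keyboards can cope with.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)

MIN_LENGTH = 12   # policy floor chosen for this example; use 16+ for administrators


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a password drawn uniformly from alphabet_size ** length possibilities."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every password of the given entropy at a fixed guess rate."""
    return 2 ** bits / guesses_per_second


def meets_policy(password, min_length=MIN_LENGTH):
    """Length is checked first because it is what actually matters; then one char per class."""
    if len(password) < min_length:
        return False
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def generate(length=16):
    """Generate a password with a CSPRNG (secrets), rejecting draws that miss a class.

    random.choice() is NOT suitable here: it is Mersenne Twister output, which an
    attacker who sees a few generated values can use to predict the next ones.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate, length):
            return candidate


if __name__ == "__main__":
    # Compare the 6-character "strong" password with longer ones from the same alphabet:
    # doubling the length squares the keyspace, it does not merely double it.
    for n in (6, 12, 16):
        bits = entropy_bits(n)
        print(f"{n:2d} chars: {bits:5.1f} bits, "
              f"{seconds_to_exhaust(bits, 1e10) / 86400:.3g} days at 1e10 guesses/s")
    print("example:", generate(16))
```

The 1e10 guesses per second figure is a round number for a GPU rig against a fast hash; WordPress’s own password hashing is deliberately slower, which buys time but does not change the conclusion that six characters is not a policy.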

2. Hide your WordPress version.

This is something the Sucuri plugin can help you with. I went over how to do this in a previous post. Treat it as a small obscurity win rather than a fix: the version also leaks through the ?ver= query strings on core scripts and stylesheets and through readme.html, and scanners fingerprint those too. The real defence against version-specific exploits is strategy 8, keeping the install current.

3. NEVER EVER name your user “admin”.

This is especially true when user ID 1 (the first user registered) is also named admin. Hello? This is the most obvious weakness out there, and I still see developers and amateur web admins using admin as the username with something weak as the password. It is a very quick way to get yourself in trouble and hacked. Ask yourself: if you were an attacker, what is the first username you would try? Could it be admin? Hmmm. Let’s just ponder that one for a bit.

What do you do? Create your first user as a throwaway when developing the new site. That throwaway has ID 1 and should be removed as soon as you have created the real user you will actually use: delete it from Users and reassign any content it owns to the new account, rather than leaving a dormant administrator lying around. One caveat: do not rely on this as more than a speed bump. WordPress reveals usernames to anyone who asks, since /?author=1 redirects to that user’s author archive and the slug in the URL defaults to the login name, so an attacker who wants your real login name will usually find it. The username change removes the easy default; strong passwords, two-factor authentication and login rate limiting (strategy 6) are what actually stop the guessing.


4. Change your WP Prefix.

C’mon now, this is getting easy. When you set up your site, did you give wp-config.php a different table prefix? Probably not. What’s a prefix anyway? The standard WordPress prefix is “wp_”: every table in the database is named wp_[something], and some rows inside those tables (the wp_user_roles option and the wp_capabilities and wp_user_level user meta keys) carry the prefix too. A default prefix is a clear sign that you haven’t hardened your site, and it is what every canned SQL-injection script assumes. So how do you change it on an existing site? One of my favourite and simplest ways is a tool called BackupBuddy: create a database backup, then restore it onto the same database and server with a new prefix. The restore overwrites the old tables but keeps the content, comments and settings; the important stuff is still there, just under different table names. Whichever method you use, check afterwards that the $table_prefix line in wp-config.php, the table names, and those prefixed option and meta rows all agree, because if the tables are renamed but the meta keys are not, every user loses their role and you are locked out of wp-admin. Keep it in perspective, too: a changed prefix is obscurity, not a patch. It defeats lazy automated injections but not an attacker who has found a real SQL injection hole, since the prefix shows up in the first database error message your site returns.
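Since the prefix change is where people most often lock themselves out, here is the full set of statements the change needs, expressed as a small Python planner added for this post (it is not BackupBuddy’s logic or WordPress code). Given the old and new prefix it returns the wp-config.php line, the table renames for a default single-site install, and the option and user-meta fix-ups that the table renames alone do not cover. Plugin tables are not known to the planner; you pass them in yourself.

```python
import re

# Tables a default single-site WordPress install creates (WordPress 4.4 and later
# also have termmeta; plugins add their own, which you pass in via extra_tables).
CORE_TABLES = [
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "terms", "term_relationships", "term_taxonomy", "termmeta", "usermeta", "users",
]

# Rows whose *contents* carry the prefix. Renaming the tables without renaming these
# is the classic "You do not have sufficient permissions" lockout: every user's role
# lives in the '<prefix>capabilities' meta key and the role definitions live in the
# '<prefix>user_roles' option. The list is targeted on purpose: a blanket
# `LIKE 'wp_%'` would also catch unrelated options such as wp_page_for_privacy_policy,
# and '_' is itself a single-character wildcard in LIKE.
PREFIXED_OPTION_NAMES = ["user_roles"]
PREFIXED_USERMETA_KEYS = ["capabilities", "user_level", "user-settings", "user-settings-time"]

PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")   # the characters wp-config.php itself accepts


def validate_prefix(prefix):
    """Reject anything that is not a legal prefix; this also keeps the SQL below injection-safe."""
    if not PREFIX_RE.match(prefix):
        raise ValueError(f"invalid table prefix {prefix!r}: letters, digits and underscores only")
    return prefix


def rename_plan(old, new, extra_tables=()):
    """Return the wp-config line and the ordered SQL statements for an old -> new prefix change."""
    old, new = validate_prefix(old), validate_prefix(new)
    if old == new:
        raise ValueError("old and new prefix are identical")
    sql = []
    # 1. Rename every table. Do this with the site in maintenance mode: between the
    #    rename and the wp-config edit WordPress cannot find its tables.
    for table in list(CORE_TABLES) + list(extra_tables):
        sql.append(f"RENAME TABLE `{old}{table}` TO `{new}{table}`;")
    # 2. Fix the rows that embed the prefix, in the *renamed* tables.
    for name in PREFIXED_OPTION_NAMES:
        sql.append(f"UPDATE `{new}options` SET option_name = '{new}{name}' "
                   f"WHERE option_name = '{old}{name}';")
    for key in PREFIXED_USERMETA_KEYS:
        sql.append(f"UPDATE `{new}usermeta` SET meta_key = '{new}{key}' "
                   f"WHERE meta_key = '{old}{key}';")
    return {"wp_config": f"$table_prefix = '{new}';", "sql": sql}


if __name__ == "__main__":
    plan = rename_plan("wp_", "x7q_", extra_tables=["myplugin_log"])
    print(plan["wp_config"])
    print("\n".join(plan["sql"]))
```

Take a database backup before running the plan, then log in to wp-admin and confirm your account still has the Administrator role; if it does not, the user-meta updates are the first thing to check.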

5. With that said, regular backups are a must.

Back up the heck out of your site, at least once a week and before every update. Too lazy to do that? Fine, we have a Premium WordPress Support service that will do it for you, and we’ll set up the security too, so you don’t have to. The tool I like to use has already been mentioned above. Two rules, whatever tool you pick: keep the copies somewhere other than the server being backed up (an attacker who owns the server owns its backup folder too), and restore one to a staging site now and then, because a backup you have never restored is only a guess.

6. Set up Wordfence and establish minimum security protocols.

Again, this was covered in a previous post about DDoS attacks. Wordfence is an essential plugin with the ability to block IP addresses from the admin area and the login page, and you need some way of blocking would-be attackers’ addresses; Wordfence can block entire networks at once. The way I set mine up is to block any login with an invalid username immediately. Once you whitelist your own IP address you bypass all the rules, but anybody who tries to log in with an incorrect username is blocked on the spot. That includes you, if you are accessing the site from somewhere other than your home base and mistype a username, so be careful with this one, and keep your host’s control panel or SFTP access handy so you can unblock yourself by renaming the plugin folder if it comes to that.

7. Back up and secure your .htaccess file.

This is the Apache configuration file in your site’s ROOT directory. It does not hold your user accounts; it holds the rules the web server applies before WordPress even runs: the rewrite rules behind pretty permalinks, IP allow and deny rules, HTTP basic authentication in front of wp-admin, and blocks on direct access to files such as wp-config.php. Because it acts before any PHP executes it is your cheapest line of defence, and because it is so powerful it is also a favourite spot for attackers to plant redirects. Keep a known-good copy outside the web root, compare the live file against it regularly, and make it read-only for the web server user.

8. Update your WordPress instance regularly.

Along with all your plugins and themes. I already explained why this is important and, frankly, just do it. Leave automatic background updates on for minor core releases (they are on by default, and minor releases are the ones that carry security fixes), check for plugin updates at least weekly, and delete any plugin or theme you have deactivated, since its files stay on the server and remain reachable. Be vigilant and don’t let your site get outdated.

9. Minimize the usage of plugins, and always ensure they have the proper reviews and community.

Imagine each plugin as additional attack surface. Each plugin has its own code and its own potential to be vulnerable, and the plugin ecosystem, not core, is where the large majority of WordPress vulnerabilities are actually found. Keeping the count low means fewer things to patch and fewer places for a hole to hide. Stick to a handful of good plugins from reputable authors: the official WordPress plugin repository, where you can see the install count, last-updated date, tested-up-to version and support threads, or established marketplaces like Envato. I’m always wary of plugins found randomly on the web that aren’t listed in the official repository.

10. Avoid blackhat plugins or themes

I mean completely. Those found on blackhat (“nulled”) sites are no good. Just avoid them at all costs. Nobody has time to go through each and every PHP file, so if someone is offering a paid plugin for free there is a high chance it has been laced with something: a backdoor, injected spam links, a credential stealer, or a call home to the distributor when you activate it. Who knows what it could be, but if you are “hacking” a plugin or theme, or got a paid one for free, just avoid it. Don’t even let it touch your server. Never even attempt to install it, because the moment you activate it the code runs with the full permissions of your site, and a call home puts you on the distributor’s radar for brute-force or DDoS attacks later. Just avoid any third-party plugins or themes not found on the official WordPress plugin repository or from other reputable vendors. Generally, if you gotta pay for it, it’s worth it.

11. Change the installed location of your WordPress instance.

Everybody who knows anything about WordPress knows the file structure, and sometimes people fail to remove the “/wordpress” folder from their install, so the site lives at example.com/wordpress. C’mon now. I said be vigilant, not lazy. At the very least move everything out of “/wordpress” into your root directory so the default folder name is gone. A better, albeit more involved, approach is what the WordPress documentation calls giving WordPress its own directory: keep the core files in a subfolder with a non-obvious name (say “/wp”, so the login page is at /wp/wp-login.php) while the site itself is still served from the root. That is done by setting the WordPress Address and Site Address differently (or the WP_SITEURL and WP_HOME constants in wp-config.php) and copying index.php to the root with its require line pointed at the subfolder. Be clear about what this buys you: the folder name is obscurity, and wp-login.php and xmlrpc.php still exist inside it and are found in seconds by anyone who looks, so it trims log noise from lazy bots rather than stopping a targeted attacker.

12. Use a child theme for all themes. 

Using a child theme does not actually hide what theme you are using: the parent theme’s stylesheet and scripts are still loaded from wp-content/themes/[parent]/, and the theme name sits in the page source for anyone who looks. What a child theme does buy you is security you will actually keep. All your customisations live in the child, so you can apply every parent theme update the moment it ships instead of putting it off because an update would wipe your edits. An unpatched theme is a much bigger gift to an attacker than knowing its name.

13. Don’t share your login information with anybody, but trusted sources like your developer.

Don’t email passwords, or share them via text. Try to avoid sharing passwords entirely; create a separate user for each person instead, with only the role they need (Editor for someone who edits posts, Administrator only for someone who installs plugins), and delete that user when the work is done. Avoid emailing the new user’s credentials too; let WordPress send its own password-reset link to the person’s address. Simply put, don’t share your passwords with anybody. If you do have to share, which you shouldn’t, but if you do, change them as soon as you’re done doing whatever you’re doing.

Security is a constant battle of good vs. evil. It’s the rawest example of attackers and security experts playing a game of chess on the web (apart from actually playing chess). They are always trying to outsmart each other, and a lot of the time the attackers win; in fact, most of the time they win. However, if you follow the steps above, you’ll ward off most attackers and nearly all of the automated ones. The reason is that the overwhelming majority of attacks on WordPress sites are mass scans looking for the easiest targets. If you have hardened your site and it is visibly locked down compared to your neighbours, the attacker will most likely move on to an easier target. A determined attacker who wants you specifically is a different problem, and for that one the backups and updates matter far more than any of the obscurity tricks.

What do you do for your WordPress security? What measures have you taken to protect your site?

How to Stop and Prevent DDoS Attacks: a Case Study About DDoS Protection


It happens without warning. Without reason. Without judgement. The attacks were relentless and many before have tried to save the business. Many have tried their best to stop the attack. None were successful. Hosting companies were called. Security and IT professionals ultimately were defeated without any result. The attacks continue…until….

This summer…

One man. One goal. One victory. Against all odds, he was able to stop the attack within 24 hours of receiving the job. With simple, but effective, preventative measures and persistence, the attacks finally stopped. No more bombardment from the opposition. No more bandwidth overage charges. Just results.

What a week. So we have a client who was under some serious attacks this week. Here’s the situation.

Case Study DDoS Attack Prevention

First off let’s define what a classic DDoS attack is and what it can do to a company. DDoS stands for Distributed Denial of Service.


“Stachledraht DDos Attack” by Everaldo Coelho and YellowIcon – All Crystal icons were posted by the author as LGPL on kde-look. Licensed under LGPL via Wikimedia Commons

This type of attack exhausts server resources: it sends a very large volume of traffic to a particular server until the server is overloaded and cannot handle any more. Any new traffic, even legitimate traffic, is denied the service because there are no resources left for it. Hence, denial of service. A Distributed Denial of Service attack is one in which the traffic does not come from a single source. It comes from many sources at once, usually a botnet of compromised machines, which is what makes it so hard to stop: there is no single address to block, the attack is spread across networks and countries, and each individual request can look just like a real visitor. Even large companies, like Sony, have to deal with these types of attacks.

Typically, once the attack has started there isn’t much you can do at the server itself. Often the only realistic option is to absorb it: eventually the attacker stops, because keeping a botnet pointed at you costs money. If they persist, as in this case study, there are steps you can take to soak up the damage and filter the traffic before it reaches your server. You must act quickly and be vigilant about the attack.

So here’s the situation and the case study.

He owns a small shop in Golden, Colorado and contacted LoDo Web because his server was being flooded. It looked like something out of a bad tech movie: every 9 to 15 seconds another visitor was hitting the site. Some facts about the client:

  1. Client runs a small tangible-goods store
  2. Website is inherited
  3. Running on WordPress
  4. No malicious plugins or themes installed, to his knowledge
  5. No active security
  6. Server host billed over $400.00/month for overage charges
  7. No WordPress Support
  8. Hosting at Media Temple
  9. No identifiable trigger for the event

Some facts about the attack:

  1. Attackers looked like they were legitimate human traffic
  2. No pattern deciphered with country of origin, IP, browser, etc.
  3. Attacks coming from all over world
  4. No central location
  5. Scattered IPs

With no pattern and about 7-8 visitors a minute, this particular attack looked like it had no end in sight. Hordes of visitors from all over the world were pouring in, eating server resources and costing the client hundreds in hosting bills every month. Note that a few hundred requests an hour is tiny by DDoS standards; it hurt here because a WordPress site with no caching pays a full PHP and database round trip for every request, and because the host billed for the overage rather than absorbing it. Low-rate floods like this are exactly the kind that a cache in front of the site makes irrelevant.

When we took the job we did not know that the attack had been going on for over two months and that about five other people had already looked at the site, from IT experts to security experts specialising in web design and development. Nobody was able to mitigate the problem. When we got to him, his server was being inundated by hundreds of requests every hour.
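Before you can choose a response you need to know whether you are facing one abusive source or a spread-out flood, because the two call for different tools. The following Python profiler, added for this post and not part of the original write-up, parses combined-format access log lines, computes the request rate, the number of distinct sources and the share of traffic from the busiest one, and says which kind of problem you have. The log lines are constructed to match the numbers above; the addresses, paths and thresholds are this example’s own.

```python
import re
from collections import Counter
from datetime import datetime

# Apache/nginx "combined" log format, the default on most shared hosts.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")  # drop the timezone offset
    return {"ip": m["ip"], "ts": ts, "path": m["path"], "status": int(m["status"])}


def is_dynamic(path):
    """Requests WordPress must hand to PHP (and so to MySQL), as opposed to static files."""
    base = path.split("?", 1)[0]
    return "?" in path or base.endswith("/") or base.endswith(".php")


def profile(lines, single_source_share=0.5, min_sources=10):
    """Summarise a chronological slice of log lines and classify the traffic pattern."""
    hits = [h for h in map(parse_line, lines) if h]
    if not hits:
        raise ValueError("no parseable log lines")
    per_ip = Counter(h["ip"] for h in hits)
    top_ip, top_count = per_ip.most_common(1)[0]
    span_minutes = max((hits[-1]["ts"] - hits[0]["ts"]).total_seconds() / 60, 1 / 60)
    result = {
        "requests": len(hits),
        "unique_ips": len(per_ip),
        "requests_per_minute": len(hits) / span_minutes,
        "top_ip": top_ip,
        "top_ip_share": top_count / len(hits),
        "dynamic_share": sum(is_dynamic(h["path"]) for h in hits) / len(hits),
    }
    if result["top_ip_share"] >= single_source_share:
        result["verdict"] = f"single-source: rate-limit or block {top_ip} at the firewall"
    elif result["unique_ips"] >= min_sources:
        result["verdict"] = ("distributed: per-IP blocking will not keep up; "
                             "cache the dynamic pages and filter upstream (CDN challenge)")
    else:
        result["verdict"] = "inconclusive: too few sources to call, keep watching"
    return result


# --- constructed sample data for this example ---------------------------------
def make_line(ip, ts, path, status=200, size=48213):
    return f'{ip} - - [{ts} +0000] "GET {path} HTTP/1.1" {status} {size} "-" "Mozilla/5.0"'

# Twelve different addresses, one hit each, roughly every 9 seconds: about 7 requests
# a minute to the front page, the pattern described above.
DISTRIBUTED_SAMPLE = (
    [make_line(f"203.0.113.{n}", f"14/Jun/2015:10:00:{n * 9:02d}", "/") for n in range(1, 7)]
    + [make_line(f"198.51.100.{n}", f"14/Jun/2015:10:01:{n * 9:02d}", "/") for n in range(1, 7)]
)

# One address hammering the search endpoint every two seconds.
SINGLE_SOURCE_SAMPLE = [
    make_line("192.0.2.44", f"14/Jun/2015:10:00:{s:02d}", "/?s=cycling") for s in range(0, 60, 2)
]


if __name__ == "__main__":
    for name, sample in (("distributed", DISTRIBUTED_SAMPLE), ("single source", SINGLE_SOURCE_SAMPLE)):
        r = profile(sample)
        print(f"{name}: {r['requests']} requests from {r['unique_ips']} IPs, "
              f"{r['requests_per_minute']:.1f}/min, top IP {r['top_ip_share']:.0%} -> {r['verdict']}")
```

The dynamic share is the number to watch on a WordPress site: a flood of requests for cached or static files is cheap, while the same number of hits on uncached pages or wp-login.php is what drives CPU and overage bills.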

The client was at a desperate spot and willing to do anything to stop these persistent attacks. After chatting on the phone and learning what we needed to learn, we finally had a chance to take a crack at the site.

Here’s how we fixed this particular DDoS attack on WordPress.

What you’ll need:

Take a deep breath. Don’t panic. This will do nothing for the prevention and protection against DDoS attacks. Just take a deep breath and we’ll begin the mitigation process.

First things first: install the Wordfence plugin onto your WordPress instance. This is the first step in preventing future attacks. Once installed, navigate to Wordfence–>Options.

Scroll down to Firewall Rules and start the lockdown process. The goal is to set up VERY strict rules for users and bots so that anyone who breaks them is blocked at the first offence, which stops repeat attempts from the same IP. Over time this builds a list of the IPs that violated your rules, and you can choose to block those permanently.

Set up your login security by blocking logins with unknown usernames and the “admin” username. Yes, admin is the worst username to use for logging in; it is the first guess in every brute-force list and is just inviting attackers. Then whitelist your own IP address so you cannot lock yourself out:


To find the address to whitelist, look up your public IP address (the one the server sees) from the connection you actually administer the site from. If it changes, as home broadband and mobile connections often do, whitelist only what you need and expect to update it.
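To make the rules concrete, here is the login lockdown logic as a small Python simulation, added for this post (it is a simplified re-implementation, not Wordfence’s code). It applies the rules in the order discussed: whitelisted addresses bypass everything, a login for a nonexistent or forbidden username blocks the address on the first attempt, and repeated failures for real usernames block it after a threshold. The user list, the thresholds and the login events are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class LoginGuard:
    """Wordfence-style login lockdown (simplified re-implementation for this example).

    Rules, in the order they are checked:
      1. whitelisted IPs bypass everything (so you do not lock yourself out);
      2. an IP already on the block list stays blocked;
      3. a login for a forbidden or nonexistent username blocks the IP immediately;
      4. max_failures failed logins for real users inside `window` block the IP.
    """

    def __init__(self, known_users, whitelist=(), forbidden=("admin",),
                 max_failures=5, window=timedelta(minutes=5)):
        self.known_users = {u.lower() for u in known_users}
        self.whitelist = set(whitelist)
        self.forbidden = {u.lower() for u in forbidden}
        self.max_failures = max_failures
        self.window = window
        self.blocked = {}                      # ip -> reason
        self.failures = defaultdict(deque)     # ip -> timestamps of recent failures

    def attempt(self, when, ip, username, success):
        """Return the decision for one login attempt and update state."""
        if ip in self.whitelist:
            return "allow"                     # rule 1: whitelisted, never blocked
        if ip in self.blocked:
            return "blocked"                   # rule 2
        user = username.lower()
        if user in self.forbidden or user not in self.known_users:
            self.blocked[ip] = f"unknown or forbidden username {username!r}"
            return "blocked"                   # rule 3: one strike for bogus usernames
        if success:
            self.failures.pop(ip, None)        # a real login resets the counter
            return "allow"
        recent = self.failures[ip]
        recent.append(when)
        while recent and when - recent[0] > self.window:
            recent.popleft()                   # forget failures outside the window
        if len(recent) >= self.max_failures:
            self.blocked[ip] = f"{len(recent)} failed logins within {self.window}"
            return "blocked"                   # rule 4
        return "fail"


# Constructed login events for this example: (timestamp, ip, username, success).
SAMPLE_EVENTS = [
    ("2015-06-01 10:00:00", "198.51.100.7", "admin",  False),  # bogus username -> instant block
    ("2015-06-01 10:00:04", "198.51.100.7", "editor", False),  # already blocked
    ("2015-06-01 10:01:00", "203.0.113.9",  "editor", False),
    ("2015-06-01 10:01:10", "203.0.113.9",  "editor", False),
    ("2015-06-01 10:01:20", "203.0.113.9",  "editor", False),
    ("2015-06-01 10:01:30", "203.0.113.9",  "editor", False),
    ("2015-06-01 10:01:40", "203.0.113.9",  "editor", False),  # 5th failure -> block
    ("2015-06-01 10:02:00", "192.0.2.10",   "admin",  False),  # the owner's typo, from a whitelisted IP
    ("2015-06-01 10:02:30", "192.0.2.10",   "editor", True),
]


def run_sample(whitelist=("192.0.2.10",)):
    """Feed the sample events through a guard; returns (decisions, blocked-IP dict)."""
    guard = LoginGuard(known_users=["editor", "shopowner"], whitelist=whitelist)
    decisions = []
    for ts, ip, user, ok in SAMPLE_EVENTS:
        decisions.append(guard.attempt(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ip, user, ok))
    return decisions, dict(guard.blocked)


if __name__ == "__main__":
    for (ts, ip, user, _), decision in zip(SAMPLE_EVENTS, run_sample()[0]):
        print(f"{ts} {ip:14} {user:8} -> {decision}")
```

Run it once with the whitelist and once with whitelist=() to see the caveat from the first post: without the whitelist entry, the owner’s own mistyped “admin” login is the eighth event and it blocks their address exactly as it would an attacker. Note also what these rules cannot do: against the distributed traffic in this case study each address shows up only once, so per-IP lockouts never trigger, which is why the next steps move the filtering upstream.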

The next step is to go to Wordfence–>Advanced Blocking and set up some mass IP block lists. In this case the blocks were mainly for networks outside the United States, to shut out traffic the site was never meant to serve. Be deliberate about bots, though: blocking “all bots” also blocks the search-engine crawlers that bring you customers and the uptime monitors you rely on, so block by behaviour (hitting wp-login.php, fake user agents, abusive request rates), not by the mere fact that a visitor is automated.

Below is a partial list of the IP ranges I blocked during the actual attack. They are not all-inclusive; learn the patterns of your own attackers and block the ranges they are using. These are just some examples I blocked as they were attempting to access the site.

(Screenshot: a Wordfence rule blocking visitors with IP addresses in the range 151.80.16.0 - 151.80.31.255.)
You can block whole networks by clicking the “block network” option in Wordfence Live Traffic, and you should do so as soon as you suspect an attacker. Be careful not to block networks that contain your target market. In this particular case there was no need to accept Chinese or Russian traffic, as that is not the client’s market, so only networks outside the market were blocked. If your target market is the US, check before you click: a single “block network” click can cover tens of thousands of addresses, and large hosting providers and mobile carriers put legitimate customers and attack bots side by side on the same ranges.
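When you do block a range, know exactly how much you are blocking. This Python helper, added for this post and not Wordfence code, converts ranges written the way the screenshot shows them into CIDR networks, merges overlaps, reports how many addresses a block list covers, and checks individual visitors against the list with an exemption list for addresses you must never block. The 151.80.16.0 - 151.80.31.255 range is the one from the post; the other ranges and the exemption are constructed for the example.

```python
import ipaddress


def ranges_to_networks(ranges):
    """Turn 'first - last' range strings into the minimal list of CIDR networks, merged."""
    networks = []
    for text in ranges:
        first, last = (ipaddress.ip_address(part.strip()) for part in text.split("-"))
        if first > last:
            raise ValueError(f"range is backwards: {text}")
        networks.extend(ipaddress.summarize_address_range(first, last))
    # collapse_addresses merges overlapping and adjacent networks into the fewest possible.
    return list(ipaddress.collapse_addresses(networks))


class BlockList:
    """Block by network, with an exemption list that always wins.

    Exemptions are for addresses you cannot afford to lose: your own office, your
    payment provider's webhook source, the search-engine crawlers you rely on.
    """

    def __init__(self, blocked_ranges, exempt_ranges=()):
        self.blocked = ranges_to_networks(blocked_ranges)
        self.exempt = ranges_to_networks(exempt_ranges)

    def coverage(self):
        """How many individual addresses the block list covers; sanity-check this before saving."""
        return sum(net.num_addresses for net in self.blocked)

    def decide(self, ip):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.exempt):
            return "allow (exempt)"
        if any(addr in net for net in self.blocked):
            return "block"
        return "allow"


# Constructed example: the range from the post, a neighbouring range that merges with it
# into one /19, and one more elsewhere. The exemption is a hypothetical office address.
BLOCKED = [
    "151.80.16.0 - 151.80.31.255",
    "151.80.0.0 - 151.80.15.255",
    "203.0.113.0 - 203.0.113.255",
]
EXEMPT = ["198.51.100.10 - 198.51.100.10"]


def sample_blocklist():
    return BlockList(BLOCKED, EXEMPT)


if __name__ == "__main__":
    bl = sample_blocklist()
    print("networks:", [str(n) for n in bl.blocked])
    print("addresses covered:", bl.coverage())
    for ip in ("151.80.20.5", "151.80.32.1", "203.0.113.77", "198.51.100.10"):
        print(f"{ip:15} -> {bl.decide(ip)}")
```

The coverage number is the one to look at before saving a rule: the two merged ranges alone cover 8,192 addresses, and a careless click on a /16 covers 65,536, which in a hosting or carrier network is a lot of potential customers.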

Now that Wordfence is set up we need to go over to our second plugin, Sucuri. It is designed by security experts specifically for the WordPress platform. The setup is really fast, so no need to dwell on it. Just do it.

This is sort of a secondary preventative measure. In fact, there is a whole slew of security implementations that should take place for your site, I’m only giving you a couple of examples here.

Go to Sucuri–>Hardening and “Harden” all of the security features there, or at least everything you feel comfortable doing.

Here’s what we hardened during this DDoS attack:

  • Remove WordPress version
  • Protect uploads directory
  • Restrict wp-content access
  • Restrict wp-includes access
  • Verify PHP version
  • Security keys
  • Information leakage

These are simple steps. Be clear about what they do, though: none of them stops a flood. They shrink the attack surface so that a flood does not turn into a compromise, which is exactly the follow-on you should expect from whoever is pointing traffic at you.

Cloudflare DDoS Prevention

Moving forward, we enter the “meat” of the implementation: a platform called Cloudflare, which is exceptional at absorbing attacks like this one. Cloudflare should be in front of your site at all times, not just when you are under a DDoS attack. To begin, you need access to your domain registrar’s control panel so you can change the domain’s nameservers to the ones Cloudflare assigns you. The steps are outlined in detail on their website: register with Cloudflare and they walk you through it step by step.

To mitigate an attack, point your nameservers at Cloudflare and wait for the change to propagate (up to about 24 hours, depending on the old records’ TTL). Then set your site to “I’m Under Attack” by navigating to Firewall–>Security Level:

 

(Screenshots: the Cloudflare firewall page with the security level set to “I’m Under Attack”, and the overview page confirming that DDoS protection is active.)

So what does Cloudflare actually do?

For one, Cloudflare is a caching reverse proxy and CDN: it stores a static copy of your pages on its own servers, so most requests are answered from its edge without ever reaching you. That means faster load times and far less load on your server, and, because it sits between the visitor (or the attacker) and you, it is the point where bad traffic can be dropped. One caveat the setup guides gloss over: your origin server keeps its real IP address, and if an attacker already knows it (from DNS history, an old email header, or a subdomain you forgot to proxy) they can bypass Cloudflare and hit you directly. Configure your host’s firewall to accept web traffic only from Cloudflare’s published IP ranges, and make sure no unproxied DNS record still points at the origin.

When you set the status to “I’m Under Attack!”, every first-time visitor sees a roughly five-second interstitial page that runs a JavaScript challenge in the browser. Simple bots that cannot execute it never receive the clearance cookie and never reach your site; a real browser passes it once and is let through.


The Results of the DDoS Attack Prevention / Protection

So did this mitigation even work? Did we solve the problem? You betcha.

Take a look at the server’s CPU usage before and after the mitigation. After the mitigation you can clearly see a decline and stabilisation in the traffic, back to the normal pattern the owner saw before the attack.

Let’s take a look at the Wordfence activity log back on the site’s own server (this is the host, not Cloudflare). The arrow marks when we got involved.

There is a clear reduction in the number of IPs blocked by Wordfence. That is the expected result: Wordfence only sees traffic that reaches the server, so fewer blocks means Cloudflare is now stopping the attackers upstream and fewer of them get through at all.

So what kind of DDoS attack was this? With no clear pattern in the source addresses, it was almost certainly a botnet: computers infected with malware such as a Trojan and commandeered into a network of “zombie” machines, each sending requests that look like ordinary browsing. Clearly this wasn’t human traffic, as it was just sending the server requests for no apparent reason.

So who could be behind this, and what can you do to prevent it happening to your company? It isn’t clear who was behind it; perhaps somebody the owner had a conflict with, or a competitor trying to “get back” at the business. Who knows, really. To lower the odds, don’t give anyone a vendetta against you. Pride yourself on customer service, no matter how haughty the customer, because the customer you are dealing with may be the kind of person who can rent a botnet, or may do this just for fun. Either way, you end up paying in hosting overage fees.

How can you ensure DDoS Protection? You really can’t, but by following the above steps, you can at least prevent most attacks.

Ultimately, it doesn’t matter who did this or how it happened. What matters is that you have the right protocols in place to handle this type of a situation. With our Premium WordPress Support, this is exactly the type of thing we prevent in the first place. All of our packages come with a security installation and we will monitor your site 24/7 to ensure that the probability of this happening is extremely low.

Have you ever been DDoSed? How did you solve your DDoS attack?