WordPress security plugins – The introduction

Selecting a good security plugin for your WordPress website is essential, but using multiple security plugins simultaneously is not recommended. They may interfere with each other’s functionality, causing conflicts and reducing the overall security of your site. Here are some popular security plugins you can consider:

iThemes Security


iThemes Security is a powerful and comprehensive security plugin with several strengths, including:

  • A file monitor that reports modifications, additions, and deletions of files on your server, making it easy to spot new files planted by hackers.
  • An organized checklist of security issues, ranked by importance, that you can work through to secure your website.
  • Blocking of PHP file execution in the uploads folder, an essential feature against uploaded malicious code.
  • Website scanning provided in collaboration with the experts at Sucuri.

However, be cautious while using iThemes Security, as some options cannot be easily reversed on an existing WordPress website. Over-securing your website can lead to unintended consequences.
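The file monitor described in the first bullet is straightforward to build yourself. The following is an added example, not code from iThemes Security or from this page: it takes a SHA-256 baseline of a site tree, diffs a later snapshot into added, deleted and modified files, and additionally flags any PHP file that appears under wp-content/uploads, the folder the page says should never execute PHP. The directory layout and the changes it applies are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map every file under root (relative POSIX path -> SHA-256). Store this as the baseline."""
    root_path = Path(root)
    return {
        p.relative_to(root_path).as_posix(): hash_file(p)
        for p in sorted(root_path.rglob("*"))
        if p.is_file()
    }


def diff_snapshots(old: dict, new: dict) -> dict:
    """The three signals a file monitor reports: added, deleted and modified files."""
    return {
        "added": sorted(set(new) - set(old)),
        "deleted": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def php_in_uploads(diff: dict) -> list:
    """Added or modified .php files under wp-content/uploads. The upload folder should never
    gain executable code, which is why the page recommends blocking PHP execution there."""
    return sorted(
        p for p in diff["added"] + diff["modified"]
        if p.startswith("wp-content/uploads/") and p.lower().endswith(".php")
    )


def demo() -> dict:
    """Build a constructed mini site tree, take a baseline, apply constructed changes, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        uploads = root / "wp-content" / "uploads" / "2024" / "01"
        uploads.mkdir(parents=True)
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'example');\n")
        (uploads / "photo.jpg").write_bytes(b"\xff\xd8\xff")  # constructed placeholder image
        baseline = snapshot(tmp)
        # Constructed changes of the kind a monitor should surface:
        (uploads / "x.php").write_text("<?php // constructed: unexpected PHP in uploads\n")
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'example'); // changed\n")
        (uploads / "photo.jpg").unlink()
        diff = diff_snapshots(baseline, snapshot(tmp))
        diff["php_in_uploads"] = php_in_uploads(diff)
        return diff


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice you would write the baseline dictionary to a file outside the web root (or to a separate host) and re-run the snapshot from cron; a baseline stored inside the site tree can be edited by the same intruder who planted the files.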

WordFence Security

Wordfence is widely known and includes a scanner that compares your files with the WordPress core files. The free version may not scan all files, as premium plugins are not included in its database. Wordfence also offers a Falcon engine, which claims to speed up your WordPress site significantly, but its effect may vary.

Sucuri Security

Sucuri is a reputable company that offers a powerful plugin with features such as plugin removal and reinstallation, which can be useful when cleaning up a hack. Keep in mind that updating plugins might not remove all hack files, which is why removal and reinstallation are essential in some cases.

Bulletproof Security


Bulletproof Security is a more technical and less user-friendly plugin. While it has some unique features, the plugins mentioned earlier offer similar functionality, such as caching, login security, and .htaccess management.

Ultimately, the choice of security plugin depends on your specific needs and preferences. Whichever plugin you choose, make sure you configure it properly. No plugin can guarantee 100% security; it also depends on how well you behave as an administrator. Avoid clicking suspicious links in comments: they may execute malicious code and, if you are logged in as an administrator, lead to a SQL injection against your MySQL database.

Remember, as a website administrator, you have more control than a security plugin can provide. Your decisions and actions play a crucial role in keeping your website secure.

 

What is a hack bot? Here’s how to protect WordPress from hackbots

What is a Bot?
A bot is simply short for “robot.”

Bots are 1000x faster than humans.

A simple calculation makes the difference clear. Assume a human can manually attack one website per hour by running various security tests against WordPress, while a bot can move on to a new website every 30 seconds, sending hundreds of requests to each. Then you understand how quickly it can happen.

A computer can execute several million requests (tests) per minute.

So, in short: yes, your website gets hacked by a bot.

What the bot does, in slow motion (translated from computer language into human terms):

Requests for the WordPress version

  1. HTML generator?
  2. readme.html?
  3. version.php?
  4. Plugin output?

Requests for active plugins

  1. Directory listing wp-content: plugins
  2. Output in HTML
  3. Function request

And so on… millions of requests per minute!

And this database of requests is kept up to date by, yes… another bot.
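The request patterns listed above are also what a defender can look for. The following is an added example, not from the page or any plugin: it parses Apache combined-format access-log lines and flags any client that makes several version- or plugin-fingerprinting requests (readme.html, version.php, the plugins directory listing, per-plugin readme.txt) within a short window. The log format, the probe list and the sample lines are this example's own constructions; the addresses come from the documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" access-log format. This regex and the sample lines below are constructed for the example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Requests that reveal the WordPress version or the installed plugins, as listed above.
PROBE_PATTERNS = [
    re.compile(r"^/readme\.html$", re.I),
    re.compile(r"^/wp-includes/version\.php$", re.I),
    re.compile(r"^/wp-content/plugins/?$", re.I),                   # directory listing attempt
    re.compile(r"^/wp-content/plugins/[^/]+/readme\.txt$", re.I),   # per-plugin readme with version
]


def parse_line(line: str):
    """Return a dict with ip, ts, path and status, or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path").split("?")[0],
        "status": int(m.group("status")),
    }


def is_probe(path: str) -> bool:
    return any(p.search(path) for p in PROBE_PATTERNS)


def find_scanners(lines, min_probes=3, window_seconds=60) -> dict:
    """Return {ip: sorted probe paths} for IPs that made at least min_probes fingerprinting
    requests within any window_seconds span. A single readme hit from a curious visitor is ignored."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_probe(rec["path"]):
            by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):  # sliding window over the sorted timestamps
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= min_probes:
                flagged[ip] = sorted({r["path"] for r in recs})
                break
    return flagged


# Constructed sample log: one scanner, one ordinary visitor who happens to open readme.html once.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2024:10:00:01 +0000] "GET /readme.html HTTP/1.1" 200 7123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2024:10:00:02 +0000] "GET /wp-includes/version.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2024:10:00:04 +0000] "GET /wp-content/plugins/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2024:10:00:05 +0000] "GET /wp-content/plugins/example-plugin/readme.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2024:10:03:11 +0000] "GET / HTTP/1.1" 200 15234 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2024:10:03:40 +0000] "GET /about/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2024:10:04:02 +0000] "GET /readme.html HTTP/1.1" 200 7123 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, paths in find_scanners(SAMPLE_LOG).items():
        print(f"{ip} looks like a fingerprinting bot: {paths}")
```

Note that the scanner's requests for the plugins directory and the plugin readme were answered with 403 and 404: the fingerprinting still shows in the log even when the server refuses, which is exactly what makes the access log a useful detection source.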

What does the bot do after making the requests?

Once the Bot knows the WordPress version running on your server and the active plugins and theme, it compares this information with the database containing vulnerabilities for each plugin and theme.

This process takes a person half an hour; for the bot it is a matter of milliseconds. (Thank you, technology!)

Knowledge is power

When the Bot knows which plugins and themes are running on the WordPress version, it will use that information to exploit known vulnerabilities and inject code into the database and server.

Oh no! Code injections into the database and server? That sounds nasty!

Indeed it is. The injections add data, including files that become active and send spam, gather more information about your users, or give access to the server.

How do you protect against bots?

The bots know the standard plugins and the default WordPress version and compare against them.
So if they can no longer tell which plugins, which theme and which WordPress version you are using, the bots are left powerless!

Combine this with the right measures against bots:

  1. Proper file permissions
  2. Directories in unknown locations
  3. Hidden directories
  4. Corrections for injections via the browser
  5. Corrections for files on the server
  6. Blocking users and IP addresses (bots)

Then you can stop the bots. They are just scripts that follow a protocol! Break the pattern, and a bot won’t know what to do.

You don’t have to make these adjustments to your website manually; you have a bot for that 😉
A script, or more specifically, iThemes Security!

Securing WordPress: from A to Z

Admin was the default username for new WordPress installations for years. Many users didn’t change it, resulting in thousands of hacked WordPress websites.
And even now, that username is still used too often!

Backdoors allow hackers to regain access to your WordPress website through a single line of code.

Code is often written in PHP and then encoded to base64 so that the server doesn’t recognize it.

Daily spamming will get your website listed on the spam list.

Errors on your site without any modifications? It might have been a hacker, but it could also occur due to conflicts between WordPress, plugins, and themes during automatic updates.

FileZilla is the most commonly used program to manage your server files. You can check the modification date to see which files have been altered by a hacker.

Encoded data like your password is stored in the database, making it unreadable. (But it can be changed.)

Hackers write scripts and spread them on the internet, attacking thousands of websites. They rarely target specific sites.

Illegal plugins are often equipped with backdoors and spam scripts.

Javascript is commonly used to overwrite information on your website. For example, all links might be replaced with links to websites that the hacker profits from. This code can be very short and doesn’t need to be in your theme or templates, making it hard to find.

Lost customers seeing ads or an error on your website will usually not revisit it. They will instantly search for other sites offering similar services or products.

Learning to remove hacks and secure WordPress takes months. Hackers attempt to infiltrate your WordPress website weekly using smart scripts, and there are thousands of active scripts with more added every day.

Matt Mullenweg is the founder of WordPress. He developed WordPress at the age of 19.

Notepad++ and even the standard Notepad in Windows are tools with which a hacker can write a hack script. The ease of use contributes to the abundance of scripts in circulation.

Open source is the reason why there are so many WordPress websites online. The CMS is free to use, and anyone can develop plugins and themes for it.

Plugins can be downloaded for free from WordPress.org, but there are also premium plugins available for purchase.

Queries are server requests. With hundreds of queries from various IP addresses, a DDoS attack is launched. iThemes Security blocks various queries and limits the number of queries an IP address can make.

Comments on your website may contain links with an injection. Clicking on such links while logged in as an administrator can execute commands against your own website.

80% of the spam you receive in your email inbox comes from websites that have been hacked.

Templates like the page template and the header template are often injected with advertisement links, making those links visible on every page of your website.

Uploads folders are often filled with spam files. Every website has a default upload folder that the server and WordPress can write to. This is essential for updating the website, adding images, etc. Hackers like to exploit these folders. The year and month are usually part of the default structure. Check there if you want to get rid of hacked website files!

Remove plugins you don’t use. Even when deactivated, their files are still on the server and can cause security issues.

WordPress is a very secure and up-to-date system. The use of poor plugins and themes is what causes the problems.

XSS stands for Cross-Site Scripting, one of the major vulnerabilities in websites. It is abbreviated as XSS to avoid confusion with CSS (Cascading Style Sheets).

Yoast SEO is a WordPress plugin created by Joost de Valk, a Dutchman. His plugin is well-known worldwide and used by thousands of businesses. Plugins like Yoast SEO are regularly updated, which helps keep them secure.

You can secure your WordPress website if you have knowledge of servers, plugins, and updates. All this information is available for free on WPbeveiligen!


 

Hopefully, you have learned more about securing WordPress, or you’ve discovered some interesting facts.

Securing WordPress goes much deeper, but we’ll spare you the details in this article. If you want to read more, regularly visit our WordPress security articles page.

Did you enjoy or find this article informative? Share it with others so they can also learn more about WordPress security!

Choosing a secure password

If there’s anything that gives you a headache, it’s having a different password for every website.

To make it worse, every site has its own rules about password security.

Some common requirements we see:

  1. Using an uppercase letter (UppercaseLetters)
  2. Combining letters and numbers (eaad 8934)
  3. The password must contain symbols (*&$!)
  4. The password must not exceed 9 characters
  5. It must be longer than 11 characters…

Sigh…

Can you choose one password that is accepted on every website?

Having one password that works on all sites is not possible.
(And not safe either, but that’s beside the point.)

Why not?
Because the rules contradict each other: one site requires more than 8 letters/digits, while another sets an 8-character limit.

So it is advisable to use 2-5 variations.

Creating a strong password


With the following tip, you can come up with a strong password:

A phrase, for example:
2ENORMEnijlpaarden!
✔ letters
✔ numbers
✔ uppercase letter
✔ special character
(You will still remember this one after 4 weeks 😉)

It is important that you can remember it yourself. This works best with phrases that make sense to you.

80&$&()JKL is not easy to remember!

But 33nZ1n is!

Note that spaces are not allowed in a password, and the password must contain at least 8-10 characters (numbers or letters), which is a requirement that works on most sites.

So, in summary

For most sites, you’re good with 8-11 characters/numbers/uppercase letters.

Combine these for a strong password.

Do not write it down online or in your email; write it on an old-fashioned piece of paper and keep it in a safe!

But NOT like this!


  1. No birthdates
  2. No first or last names
  3. No first name with 123 after it
  4. Don’t use your name spelled backward
  5. No aaa sss or qwerty123
  6. No dictionary words!!
  7. D0n’t r3pl4c3 l3tt3rs w1th numb3rs

Why not?

If your name, birthdate, or other info is in a profile, a hacking script will first use that information to generate and test your password.

Next, it tries the standard keyboard combinations that many people use, such as qqq, www, qwerty, 12345, and so on.

Then the script takes a dictionary from a text file and tries those words against the website to hack your account.

Finally, the script replaces letters in your name with numbers and tries those variants too.
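The seven rules above and the attack order just described can be turned into a check you run before accepting a password. The following is an added example, not code from the page: it derives the guesses a script would build from profile data (names, reversed names, name plus digits, birthdate), then checks keyboard patterns, then dictionary words, after undoing letter-to-number substitutions so that D0n't-style tricks are judged as the plain words they are. The wordlists and the example user are tiny constructions; a real check would load full dictionary and pattern files.

```python
import re
from datetime import date

# Constructed tiny wordlists; a real check loads full dictionary and pattern files.
DICTIONARY = {"password", "welcome", "summer", "monkey", "dragon", "hippo"}
KEYBOARD_PATTERNS = ("qwerty", "asdf", "zxcv", "123456", "12345", "qqq", "www", "aaa", "sss")
# Common letter-to-number substitutions, undone before checking (rule 7: D0n't r3pl4c3 l3tt3rs).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed profile used for the demonstration.
DEMO_USER = ("Anna", "Jansen", date(1990, 5, 14))


def normalize(pw: str) -> str:
    return pw.lower().translate(LEET)


def letters_only(s: str) -> str:
    return re.sub(r"[^a-z]", "", s)


def profile_tokens(first: str, last: str, birthdate: date) -> list:
    """Guesses a script derives from public profile data (rules 1-4): names, reversed names,
    name + common digit suffixes, and the birthdate written in a few ways."""
    names = {first.lower(), last.lower(), first.lower() + last.lower()}
    tokens = set(names)
    tokens |= {n[::-1] for n in names}
    tokens |= {n + suffix for n in names for suffix in ("123", "1234", "2024")}
    d = birthdate
    tokens |= {d.strftime("%d%m%Y"), d.strftime("%Y%m%d"), d.strftime("%d%m%y"),
               d.strftime("%m%d%Y"), str(d.year)}
    return sorted(t for t in tokens if len(t) >= 4)  # skip fragments too short to be meaningful


def weak_reasons(pw: str, first: str, last: str, birthdate: date) -> list:
    """Reasons a password is weak, in the order the page says scripts attack:
    profile data first, then keyboard patterns, then dictionary words (with leetspeak undone)."""
    reasons = []
    low, norm = pw.lower(), normalize(pw)
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    for tok in profile_tokens(first, last, birthdate):
        if tok in low or tok in norm:  # norm catches ann4J4nsen-style substitutions
            reasons.append(f"contains profile data '{tok}'")
            break
    for pat in KEYBOARD_PATTERNS:
        if pat in low:
            reasons.append(f"keyboard pattern '{pat}'")
            break
    core = letters_only(norm)
    if core in DICTIONARY:
        reasons.append(f"dictionary word '{core}' (digit substitutions do not help)")
    return reasons


if __name__ == "__main__":
    for candidate in ("Anna123", "ann4J4nsen!", "qwerty123", "P4ssw0rd!", "14051990", "2ENORMEnijlpaarden!"):
        print(candidate, "->", weak_reasons(candidate, *DEMO_USER) or "no weaknesses found")
```

The phrase recommended above, 2ENORMEnijlpaarden!, passes every check, while a name with a few digits swapped in is still caught because the comparison is made after the substitutions are undone.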

Securing a WordPress Multisite

Is securing a WordPress multisite different from securing a single WordPress site?

You have more data, which is self-explanatory, including more tables in one database. All the regular tables of a single site are duplicated for each site you add.

For example, if you have usual tables like wp_options, wp_posts, now you will have them with an additional prefix. For instance, wp1_options, wp1_posts, and so on, depending on the site number.

[Image: multisite tables in the WordPress database]

What happens at the server level when you set up a Multisite?

In the uploads folder, you will now have a “sites” folder with a corresponding number as in the database. For your first site, a folder named “1” will be created, where all the files uploaded by the users of that site will be stored.


A quick note: the wp-config.php file gets some additional lines when you start a Multisite, including:
define('WP_ALLOW_MULTISITE', true);
(So don’t remove this!)

What happens with the users?

It’s important to mention that a user who signs up as a subscriber is automatically subscribed to all sites within your Multisite.

The admins of a site within the Multisite cannot install plugins or themes. This must be done by the so-called “Super Admin” of the Multisite.

Advantages of a Multisite

You have multiple websites, but fortunately, only one WordPress installation to update. You don’t have to go through each WordPress site individually. The same applies to the plugins; the plugins in the main folder are used, so you don’t need to go through all the plugins of each site.

Is a Multisite less secure than having 2, 3 or 4 separate WordPress websites?

It entirely depends on how you handle the sites.

The risk with separate sites is that you might not update everything on time.
The downside of a Multisite is the problem that arises once attackers gain access to your database, as they can directly access the content of all sites.

When considering a Multisite, you should also take into account that it may face more database attacks, as it is linked to multiple websites.

The use of strong passwords, unique usernames, and up-to-date plugins is the key to securing any type of setup.

Facts & myths about securing WordPress

There are many WordPress users, even website developers, and hosting companies who are not aware of the following:

Fact: Restoring an old backup is NOT a permanent solution for a hacked website

This may seem like a solution to many, as they often think that the hacked files are removed from the server. However, they are surprised when signs of the site being hacked reappear within 1-7 days. How is that possible?

Often, only the file responsible for spam or data transmission is removed, but the vulnerability still exists. This vulnerability could be an old version of WordPress, a theme, or a plugin.

What to do

After restoring the backup, you cannot sit back; that’s when the real work begins!

  1. Update/replace all plugins
  2. Update/replace WordPress
  3. Check for theme updates
  4. Secure the website
  5. Secure the server
  6. Change database and user passwords

Fact: Updating plugins does not solve the hack

When you click “update” in your WordPress plugin area, only the plugin’s own files are overwritten (at the time of writing); files in the plugin folder that do not belong to the plugin are left alone.


In short, hack files may still remain, and they are not removed.

Myth: Once secured, always secured

If only that were true. No matter how well you secure the website now, the plugins you currently use are tested by many hackers for possible exploits. If they find a vulnerability that bypasses WordPress rules, there is no security measure that can stop them. This is simply because a plugin has administrator rights, allowing it to write files in intended folders.

Myth: There is a known or hired hacker personally targeting my site


No, in 99% of cases, no one is specifically targeting your website. Unless you are Porsche, Nike, or royalty.

These are automated programs trying thousands of WordPress sites and entering those that are not properly secured or not up-to-date.

So, why was my WordPress website hacked?

Someone wrote a script a while ago that searches for WordPress websites and places advertisements using known vulnerabilities.

Fact: A hacker can manipulate the website regardless of server security measures

The hacker doesn’t need to upload or modify files on the server to hack the website.

Even if your entire server is locked down so that every file is read-only and cannot be modified…

The hacker can still give commands to existing files through vulnerable forms (XSS) or through the address bar of your website. In this way they can add information to the database, leaving your site open or adding unwanted text and links to your pages.

Myth: A more expensive hosting provider guarantees a safer website

You can think of it like a Ferrari dealer; no matter how well the car is developed and maintained, they have no control over how you drive it and cannot prevent accidents or theft.

Myth: Paid premium plugins are safer than free plugins

We often come across cases where paid plugins are hacked. These plugins are widely used and promoted on various websites, reaching a large audience.

Also, creators of paid plugins often have just as busy schedules, if not busier, than hobbyists creating plugins. This means that security updates may be delayed.

Myth: More registered members mean a higher risk of being hacked

Each additional member is an additional entry in the database, but members with the subscriber, author, or editor role have specific rights and limitations that keep them away from plugins and settings.

Brute Force attack, what is it?

A Brute Force attack is often used to crack passwords, particularly the password to access the WordPress admin area.

In this attack, all possible combinations of available characters are attempted. It is a very inefficient method due to its time-consuming nature, but it eventually yields results.

Brute Force is a blunt attack without a specific plan.

What does a Brute Force attack target?

In WordPress, a Brute Force attack targets the wp-admin area where login fields are located.

To conduct such an attack, an attacker needs your username, after which they will try to “guess” the password using a Brute Force approach.

The username is often easy to find, and even manually, this usually takes only 1-2 minutes.

Prosecuting the perpetrator behind a Brute Force attack

It is challenging to pinpoint the exact responsible party behind a Brute Force attack.

Usually, a Brute Force attack does not originate from the attacker’s computer or website but rather from a hacked website or webserver belonging to an innocent person.

Has my website experienced a Brute Force attack?

Every website indexed by Google encounters multiple hacked servers or websites that are unknowingly executing automated Brute Force attacks.

Cracking passwords

A fast server or computer without internet limits can submit about 2 million passwords!

[Image: time required to crack a WordPress password]

With a 6-character/number password, a Brute Force attack can crack the password within a few hours.

With a 7-8-9 character/number password, it takes 1 day.

With a password consisting of more than 10-12 characters/numbers, it takes several months.

And with a “PhraseLike-this-one-with_more-than_21_letters_and_D!verse-characters,” it takes several years to crack it!

In summary, create a strong password!
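The relationship between length, character variety and cracking time can be worked through with a small calculator. The following is an added example, not from the page: it computes the keyspace (character set size raised to the password length) and the worst-case time to exhaust it. The page gives “about 2 million passwords” without a unit, so treating that as guesses per second is this example's assumption; the character-set sizes (26 lowercase, 26 uppercase, 10 digits, 32 symbols) are standard ASCII counts.

```python
import string

# Assumed guess rate for the worst-case estimate (the page's "about 2 million" read as per second).
GUESSES_PER_SECOND = 2_000_000


def charset_size(pw: str) -> int:
    """Size of the smallest character set an attacker must enumerate to cover this password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def keyspace(pw: str) -> int:
    """Number of candidates in an exhaustive search: charset ** length."""
    return charset_size(pw) ** len(pw)


def seconds_to_crack(pw: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate; on average an attacker needs about half of this."""
    return keyspace(pw) / rate


def human(seconds: float) -> str:
    for name, n in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= n:
            return f"{seconds / n:.1f} {name}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    # Candidates taken from the page's own examples plus a one-character extension of 33nZ1n.
    for pw in ("abc123", "33nZ1n", "33nZ1nX", "2ENORMEnijlpaarden!",
               "PhraseLike-this-one-with_more-than_21_letters_and_D!verse-characters"):
        print(f"{len(pw):>2} chars, charset {charset_size(pw):>2}: worst case {human(seconds_to_crack(pw))}  ({pw})")
```

Two things stand out when you run it: adding one character to 33nZ1n multiplies the keyspace by 62, which is the “exponential” effect the page refers to, and the numbers are only a ceiling. A script that tries profile data, keyboard patterns and dictionary words first, as the password article above describes, finds a weak password long before an exhaustive search would.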

Can a failed Brute Force attack cause harm?

Even if your password is so complex that it cannot be guessed, and the username cannot be determined, your website still suffers from Brute Force attacks.

Considering that visitors typically request 1-5 pages during their visit, but a Brute Force attack can make 1,000-10,000 requests per minute to your website, you can understand how this affects your website’s speed, resulting in slow loading times for your visitors.

Read also about how to prevent a Brute Force attack.

Preventing a Brute Force Attack

How do you block a Brute Force attack?

You can block a Brute Force attack by using a security plugin that imposes a temporary or permanent block on the computer from which the attack originates after 5-10 failed login attempts. This block is based on the IP address. Initially, the block is temporary, but if the Brute Force attack continues, it may become a permanent ban.
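The lockout logic just described (a temporary block after a handful of failures from one IP, escalating to a permanent ban if the attack continues) is shown below as an added example, not code from any security plugin. Time is passed in explicitly so the escalation can be exercised without waiting; the thresholds (5 failures in 5 minutes, 15-minute lockout, permanent ban after 3 lockouts) and the simulated traffic are this example's own constructions, with addresses from the documentation ranges.

```python
from collections import defaultdict, deque


class LoginGuard:
    """Per-IP failed-login tracking. After max_failures failures inside window_seconds the IP is
    locked out for lockout_seconds; after max_lockouts lockouts it is banned permanently.
    Time is passed in explicitly (seconds) so the logic can be exercised without waiting."""

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900, max_lockouts=3):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.max_lockouts = max_lockouts
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failed attempts
        self.locked_until = {}              # ip -> time the temporary lockout ends
        self.lockout_count = defaultdict(int)
        self.banned = set()

    def status(self, ip, now):
        """'banned', 'locked' or 'open' for this IP at time now."""
        if ip in self.banned:
            return "banned"
        until = self.locked_until.get(ip)
        if until is not None and now < until:
            return "locked"
        return "open"

    def attempt(self, ip, success, now):
        """Record one login attempt and return the decision: 'allowed', 'locked' or 'banned'."""
        state = self.status(ip, now)
        if state != "open":
            return state  # do not even evaluate credentials while blocked
        if success:
            self.failures[ip].clear()
            return "allowed"
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()  # forget failures older than the window
        if len(recent) < self.max_failures:
            return "allowed"
        recent.clear()
        self.lockout_count[ip] += 1
        if self.lockout_count[ip] >= self.max_lockouts:
            self.banned.add(ip)
            return "banned"
        self.locked_until[ip] = now + self.lockout
        return "locked"


def simulate():
    """Constructed sequence: three bursts of five bad passwords from one IP, each burst after the
    previous lockout expired, while a legitimate user from another IP logs in normally."""
    guard = LoginGuard()
    attacker, visitor = "203.0.113.9", "198.51.100.2"
    outcomes = []
    for burst_start in (0, 1000, 2000):
        for i in range(5):
            outcomes.append(guard.attempt(attacker, False, burst_start + i))
    outcomes.append(guard.attempt(attacker, False, 5000))  # still banned long after
    outcomes.append(guard.attempt(visitor, True, 10))
    return outcomes


if __name__ == "__main__":
    print(simulate())
```

The decision is made before the password is checked, so a blocked client costs the server a dictionary lookup rather than a database query and a hash comparison; that is also what limits the slowdown the next section describes. Keying on IP alone has the weakness the page notes later, that attacks come from many hacked hosts at once, so plugins usually combine this with per-username counters.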

Hiding the username

The security plugin we use immediately ensures that your username is not visible everywhere. This is a critical point as the username is the first key to a Brute Force attack.

Usernames are easier to determine than you might expect. For example, many users still use “Admin” as the username or have a username that is the same as the website’s name.

Hopefully, you don’t recognize yourself in these common mistakes. But even if your username is as long as the dictionary, usernames can easily be retrieved from the database, the author page, or the name above blog posts. There is even hacker software that reveals usernames.

Think of it like the nameplate on your house – easy to read, but make sure they don’t get their hands on the password (the key)!

Hiding the login page

It’s important to prevent a Brute Force script from easily accessing your login page.

By default, every WordPress login page can be reached at:

  • www.yourdomain.com/wp-admin
  • www.yourdomain.com/wp-login.php

This is well-known information.

The iThemes Security Pro NL plugin allows you to choose a new, unique address. For example:
www.yourdomain.com/log-in-here


What does WordPress do against Brute Force attacks?

As Brute Force attacks are common, WordPress decided in 2015 that passwords should meet certain requirements:

  1. They must be at least 8-10 characters long
  2. They should include numbers, uppercase letters, and special characters
  3. They cannot be the username or website name

In a Brute Force attack, each character or digit that makes the password longer exponentially increases the difficulty of cracking the password.

When are you most likely to face a Brute Force attack?

The only good news so far is that the better your website performs in search engines like Google, the more bots will find your website.

It means that your website is well-visible and being visited by users!

Prevention is better than waiting.

Brute Force attacks will always exist, so prevention is better than cure. If you act too late, your website may be filled with backdoors, leading to potential damage. Google doesn’t appreciate spammy websites and can even inform visitors with a red warning that your website is unsafe!

10 ways to keep WordPress secure

Keeping WordPress secure is crucial for web designers and website owners. WordPress, as a base, is relatively secure, and regular updates are released to address security vulnerabilities in collaboration with the WordPress community. However, additional steps are necessary to prevent hackers from exploiting any weaknesses. Here are 10 ways to keep WordPress secure:

1. Update regularly: Ensure that you update WordPress regularly, especially for security releases. Check the changelog to see what security issues are addressed in each update.

2. Use strong passwords: Avoid using weak passwords like domain names or simple numbers. Brute-force attacks often target these weak passwords.

3. One website per hosting package: Avoid hosting multiple WordPress installations on a single package, as a compromised website can easily affect others.

4. Customize your CMS: Hackers know the standard WordPress installation, so customize the admin URL and hide sensitive information.

5. Be cautious with plugins: Only install reputable plugins with positive reviews and a good number of downloads. Limit the number of plugins to minimize potential vulnerabilities.

6. Perform backups: Regularly back up your website to have a clean version in case of any issues.

7. Set file permissions correctly: Ensure that the wp-config.php and .htaccess files have the proper permissions to prevent unauthorized access.

8. Restrict server access: Configure the server to deny access to certain folders to prevent hackers from exploring potential vulnerabilities.

9. Purchase premium plugins and themes: Avoid illegal downloads, as they may contain backdoors or malicious scripts.

10. Use a security plugin: A reliable security plugin can handle many of the above tasks, such as securing server directories, logging activities, blacklisting suspicious users, checking files for hacks, and blocking suspicious requests.

Remember that preventive measures are essential in securing WordPress. Following these steps can significantly reduce the risk of a security breach. As the Dutch saying goes, “voorkomen is beter dan genezen” (prevention is better than cure).

Antivirus for WordPress

Whether antivirus for WordPress is necessary depends on your specific setup. If you are using WordPress without many plugins and have a unique theme that is not widely used, then antivirus for WordPress may not be essential. WordPress itself is a stable and reasonably secure system to build your website on.

However, it is important to note that plugins can be the source of security issues. Free plugins available on WordPress.org can be downloaded by hackers, who then test them for vulnerabilities that they can exploit to take control of WordPress websites. Once they have access, they may use the website to promote their own products or engage in other malicious activities.

Hackers are not selective about the websites they target. Any website that can link to their products or improve their website’s status is of interest to them. They often use automated scripts to carry out their attacks.

Hackers may exploit hacked websites for various purposes, including sending spam emails through your server and IP address, placing links on your pages to gain more visitors, and adding links to the hackers’ products to improve their website’s ranking in Google search results (a crude form of backlink SEO).

To protect your WordPress website from hackers, antivirus for WordPress can be beneficial. It can do the following:

1. Stop Brute-Force attacks: Antivirus for WordPress can prevent scripts from launching thousands of password attempts per minute on your admin login to eventually gain unauthorized access.

2. Create database backups: In case of any issues or a successful hack, you can restore your website from the backup.

3. Hide wp-admin: Antivirus for WordPress can hide the standard URL for wp-admin and other links to access the admin area, making it less accessible to potential attackers.

4. Manage user behavior: Antivirus for WordPress can enforce strong password usage for you and your writers. Additionally, some security plugins may prevent the default use of email addresses for logging into the admin panel, which can improve security.

5. Block DDoS attacks: Antivirus for WordPress can prevent DDoS attacks carried out through XML-RPC, stopping pingbacks from being abused to bring down other sites.

A popular and effective antivirus for WordPress is iThemes Security Pro. It provides comprehensive security features to protect your website from various threats.