Wordpress website experts based in the UK.

Wordpress Security

This section of the site has a number of useful articles relating to securing your wordpress website and preventing it being hacked.

We will break down this section into plugins, discussion on hackers and hacking and techniques you can use to prevent your website being compromised.

 
Online Security Techniques, Security Plugins, Wordpress Security

5 top tips to improve WordPress security in 5 minutes

As you should know by now, making WordPress security easy and stressing its importance is something of a passion of ours here at Showcase. So, here are 5 quick-fire tips to improve your website security that non-techies can implement in less than 5 minutes. In this article I will talk you through the points and explain the logic behind them, then at the end of the article I’ll point you to the tool needed to make all this happen without writing a single line of code.

Let’s get started:

  1. NEVER use ‘admin’ as your username. Because some website hosts and many web developers years ago used to use this as the default username, it’s the first thing that hackers (or their bots) try during a Brute Force attack. If they work out that this username is correct, that’s half the puzzle solved for them! Now, WordPress doesn’t actually allow you to change the username on your website – so you have to install a plugin to do it. The plugin we use is “Username Changer” which you can download here.
  2. Upgrade your password. It’s very easy to get into a routine of using simple, easy-to-remember passwords for multiple sites. However, if you think about it that’s exactly what a hacker would like and totally defeats the purpose of a password. We know that passwords are a necessary evil for many people, which is why we recommend managing your passwords via Lastpass as it can help you not only create really strong passwords, but also stores them securely so you don’t have to remember them. Remember, passwords are graded on 3 elements:
    1. Length – you’re looking to have passwords over 12 characters long ideally. Anything shorter than this dramatically reduces the time required to guess the password by an automated machine (or bot).
    2. Characters – ensure you use both upper case and lower case letters, numbers and at least one special character in your password. Also, remember, just because we use capitals at the beginning of sentences in normal text, doesn’t mean you have to in your password. The same can be said for brackets, just because you open a bracket, doesn’t mean you have to close it. Doesn’t an opening bracket look a little like a “C”….?
    3. Readability – Something many are unaware of, but passwords are graded on their readability – so if you were to write it out on a piece of paper, would someone be able to read it? If so, then it’s susceptible to what’s called a ‘dictionary attack’ where a bot would work through the dictionary with some variations of numbers instead of the letters in the word.
  3. Move your login page. In order to try and hack your website via ‘brute force’ (multiple attempts trying random – or not so random – combinations of characters for the username and password), a hacker must first find your login page. WordPress by default uses the ‘/wp-admin’ and ‘/wp-login’ URLs to access your login page, and we suggest that you move it. By doing this, it’s much more difficult for a hacker to ‘find the door’ to attack. It’s another layer of complexity that could make all the difference in persuading hackers to look elsewhere for something to break into. Not sure how to do this? Don’t worry, read on and I’ll give you a free tool to help you!
  4. Restrict (throttle) the number of login attempts in a certain time period. A brute force attack relies on being able to try a huge amount of combinations of characters in a short space of time. We’re literally talking 1000’s an hour, so they can get through an unbelievable number of combinations. So, if you restrict the number of attempts in say, 5 minutes, then you dramatically extend the time it would take in order to crack the username and password. We tend to stick to 3 attempts in 5 minutes and we’ll lock people out for an hour if they still don’t get it right. Can you imagine how much slower an attack would be based on this?
  5. Add a CAPTCHA to your login page (and other pages). We’ve all seen these ‘annoying’ tests designed to prove you’re human. Solve this maths question, or decipher the letters from this blob, or select all images with a storefront -type questions. Well, throughout this article we’ve discussed the concept of a ‘brute force attack’ and generally, these (and most other types of hack) are carried out by ‘bots’ – automated programs designed to try thousands of attempts quickly – something that a human would struggle to do. So, adding a CAPTCHA to your login page is designed to mitigate this so that only humans can access the site.
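One way to implement tip 4 yourself, as a WordPress must-use plugin (an added example written for this page, not the plugin the article recommends; the sc_ function names and transient keys are assumptions, and the policy constants follow the 3-in-5-minutes, hour-long lockout described above):

```php
<?php
/**
 * Plugin Name: Login throttle (added example)
 * Drop this file into wp-content/mu-plugins/. Policy: after SC_MAX_ATTEMPTS
 * failed logins from one IP inside SC_WINDOW_SECS, that IP is locked out for
 * SC_LOCKOUT_SECS. Each failure restarts the window, which is at least as
 * strict as a fixed five-minute window.
 */
define('SC_MAX_ATTEMPTS', 3);
define('SC_WINDOW_SECS', 5 * MINUTE_IN_SECONDS);
define('SC_LOCKOUT_SECS', HOUR_IN_SECONDS);

/** Client address as PHP sees it; only REMOTE_ADDR is trusted, proxy headers are spoofable. */
function sc_client_ip() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return filter_var($ip, FILTER_VALIDATE_IP) ? $ip : '0.0.0.0';
}

/** Transient key for this IP; hashed so the key stays short and safe to store. */
function sc_key($prefix) {
    return $prefix . md5(sc_client_ip());
}

/** Runs after WordPress's own checks (priority 30); refuses a locked-out IP outright. */
function sc_check_lockout($user, $username, $password) {
    if (get_transient(sc_key('sc_lock_'))) {
        return new WP_Error(
            'sc_locked_out',
            __('Too many failed login attempts. Please try again in an hour.')
        );
    }
    return $user;
}
add_filter('authenticate', 'sc_check_lockout', 30, 3);

/** Counts a failed attempt; on the third within the window, starts the lockout. */
function sc_record_failure($username) {
    $key   = sc_key('sc_fail_');
    $fails = (int) get_transient($key) + 1;
    if ($fails >= SC_MAX_ATTEMPTS) {
        set_transient(sc_key('sc_lock_'), time(), SC_LOCKOUT_SECS);
        delete_transient($key);
        // Leave a trail for the site owner: repeated lockouts are a brute force indicator.
        error_log(sprintf('[login-throttle] lockout for %s after %d failures (username tried: %s)',
            sc_client_ip(), $fails, $username));
        return;
    }
    set_transient($key, $fails, SC_WINDOW_SECS);
}
add_action('wp_login_failed', 'sc_record_failure');

/** A successful login clears the counter so a genuine user who mistyped once is not penalised later. */
function sc_clear_on_success($user_login, $user) {
    delete_transient(sc_key('sc_fail_'));
}
add_action('wp_login', 'sc_clear_on_success', 10, 2);
```

Transients live in the database (or the object cache), so the counters survive across requests but are lost if the cache is flushed; a throttle behind a reverse proxy needs the real client address configured at the proxy, otherwise every visitor shares one counter.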

So, we recommend a single plugin that can do all of this for you, and it literally can be done in less than 5 minutes. You can find out how, along with a follow-along tutorial that I created on our AIOWPS page.

SSL is an important modern feature of the online world and it’s being pushed by all the big search engines including Google as it’s a proactive step towards protecting the sensitive information of Internet users.

If you don’t have an SSL certificate, you really should, and if you’re not sure, we’d love to hear from you as we can help you install one if you don’t already have one.

SSL – What is it and why should you have it?

Improve the overall strength of your passwords and stay secure online with Lastpass.

Key features include:

  • There’s a free version which stores up to 20 passwords, which will give you a chance to test just how easy it is to use
  • The premium version costs £12 per year at the time of writing. That’s just £1 per month, which is really affordable for most
  • Helps you generate truly random passwords on-the-go and save them, you don’t even need to know what it is!
  • You can share access to others without displaying your password
  • Store other types of secure information such as bank card details

Lastpass – Improve your cyber security

Hackers & hacking

What is Hacking?


We are often saying to our clients – “it’s important to constantly maintain your website from a technical point of view to prevent it getting hacked” and it’s sometimes taken for granted that people know what hacking actually is!

So let’s explore that in this post so you can see why it’s important to help reduce the risk of your website being hacked.

 

So, what is Hacking?

Hacking can come in a variety of shapes and forms, but overall I would say that hacking could be described as:

To obtain control of one or more of a website/domain features without the consent of the owner for a purpose other than that intended by the owner.

Because the form of the hack can come in such a variety of ways, it’s difficult to be more specific than that in this instance.

I think the best thing we can do is to provide some small anecdotes of the types of outcome hackers are generally looking to achieve.

You can generally sort these ‘incidents’ into two categories – Malicious and Non-Malicious. It could be argued that all types of hacking are malicious in context, but we are trying to convey a difference in severity and outcome by using these categories.

 

Malicious hacks

  • To force access to a website in order to obtain card details or sensitive personal information stored on the website – similar to the recent attacks against TalkTalk
  • To gain access to the server that the website is hosted on in order to provide a platform for hacking another site.
  • To implement ‘Ransomware’ on your website – take it down until you pay some money to the hackers for the ‘release’ of your website.
  • To access your server in order to get to your email system and start sending spammy emails from your
  • To take your website down (hide from public view) and put up some kind of advertising / credit for hacking your site – similar to what happened to bluereef.it

Non-Malicious hacks – less severe but still not ideal

  • To create posts / pages on your website linking to other sites which helps to build their traffic / backlinks. Often these are to pharmaceutical or porn websites.
  • To add adverts for sites you know nothing about to your website
  • DDoS attacks

Why would my site get hacked?

Often it’s not really about the target site itself as hackers can automate the process of hacking and send out ‘bots’, little scripts which will go off onto the Internet and hack websites.

Often these bots follow links from the website they are on and then attempt to hack each site they land on. So, it may be a case that an infected website has a link to your website and so a script has been run.

This is the most common situation, but if your website takes payments or stores customer details, then that could cause you to be a target for hacking because of the prospect of getting to those customer details.

 

What are the side-effects of being hacked?

This totally depends on the type of hack implemented, but they are never a positive thing.

If your website is hacked, you will often be affected for some time after the hack is resolved.

Things such as emails constantly being marked as spam, warnings appearing whenever someone tries to access your website, your hosting company contacting you to advise that your website has been taken down as it’s been hacked and also in the case of a DDoS attack, you will be unable to get to your website.

 

How can I tell if my site has been hacked?

Because of the diversity of the types of hack that are possible, and the range of platforms which are available, it’s difficult to give an exact answer here. But here are some of the key things to look out for:

  • Changes to pages which you didn’t do
  • New user accounts being added to your website without your approval/ action
  • Website slowing down for some reason
  • Your emails suddenly getting marked as ‘junk’
  • Google will sometimes add a warning into its search results that reads ‘possibly hacked’

These are some of the most common indicators of attacks but not all of them.

 

What can I do to combat being hacked?

One of the main things you can do is keep the access to the site secure.

The simplest and most effective measure to secure your website is: Make sure you use strong passwords for your access and NEVER use ‘admin’ as the username.

A strong password is defined as the following:

  • Use upper & lowercase characters
  • Use at least one special character (for example ! ” £ $ % ^ & * , . / ; ’ # [ ])
  • Use at least one number
  • The password should be at least 12 characters long
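A password grader that applies the list above together with the length, characters and readability grading from the 5-minute tips article (an added example, not the article’s own code; the sc_ names are assumptions and the short word list is a constructed stand-in for a real dictionary):

```php
<?php
// Added example: grades a candidate password on the three elements the
// articles describe: length, character mix, and readability (would a
// dictionary attack with common letter-for-symbol swaps still find it?).
define('SC_MIN_LENGTH', 12);

// Constructed stand-in for a dictionary / common-password list.
$SC_WORDS = ['password', 'welcome', 'showcase', 'wordpress', 'letmein', 'summer'];

/** Undo the usual substitutions so "P@55w0rd" still reads as "password". */
function sc_normalise($password) {
    $map = ['@' => 'a', '4' => 'a', '3' => 'e', '1' => 'i', '!' => 'i',
            '0' => 'o', '$' => 's', '5' => 's', '7' => 't', '(' => 'c'];
    return strtolower(strtr($password, $map));
}

/** Returns the list of failed checks; an empty list means all three elements pass. */
function sc_grade_password($password, array $words) {
    $problems = [];
    if (strlen($password) < SC_MIN_LENGTH) {
        $problems[] = 'length: fewer than ' . SC_MIN_LENGTH . ' characters';
    }
    if (!preg_match('/[A-Z]/', $password))      $problems[] = 'characters: no upper case letter';
    if (!preg_match('/[a-z]/', $password))      $problems[] = 'characters: no lower case letter';
    if (!preg_match('/[0-9]/', $password))      $problems[] = 'characters: no number';
    if (!preg_match('/[^A-Za-z0-9]/', $password)) $problems[] = 'characters: no special character';

    // Readability: a dictionary word is still a dictionary word when it is
    // written with symbols and digits in place of letters.
    $core = sc_normalise($password);
    foreach ($words as $word) {
        if (strlen($word) >= 4 && strpos($core, $word) !== false) {
            $problems[] = "readability: contains dictionary word '$word'";
            break;
        }
    }
    return $problems;
}

// Demo: the first candidate satisfies every character rule yet fails readability,
// the second is too short, the third passes.
foreach (['P@55w0rd2019!', 'Tr0ub4dor&3', 'kX9#qLm2!vR7pz'] as $candidate) {
    $problems = sc_grade_password($candidate, $SC_WORDS);
    printf("%-16s %s\n", $candidate, $problems ? implode('; ', $problems) : 'OK');
}
```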

The most common attacks against websites are called ‘brute force’ attacks and this is where an attacker will simply attempt a range of usernames and password combinations until they get through.

Often this process is automated using algorithms – so they use general trends such as capital letters at the beginning, lowercase letters in the middle and numbers / symbols at the end, which helps them try the most likely combinations first.

Here’s a really interesting article on hacking algorithms which is simple enough for non-techies.

So, by using ‘admin’ as a username, you are making things much much easier for the hackers to brute force attack your website.

The same goes for the password – we recommend 12 characters at least, including a special character and a number. This then removes the password from a simple dictionary search, as no words in the dictionary have numbers in them.

It’s difficult to compose strong passwords, let alone remember them which is why we use LastPass. For more information on this, have a look at our LastPass post.

You can and should do the following (at least) too:

  • Hide the login page – by making the login page a non-standard URL, you prevent hackers getting to the login form and starting a brute force attack
  • Login throttling – this basically means limiting the number of access attempts by a single user (as defined by IP) within a certain timescale. So only allowing 4 attempts in 5 minutes will dramatically slow down a hacker trying a brute force attack.
  • Remove old code from your website. This could be in the form of templates/ themes, modules and even the base platform itself. Keep these updated.
  • Purchase an SSL certificate. This protects the connection between your visitor’s browser and your website’s server, to stop hackers intercepting the information as it is transferred between the two.
  • Perform regular checks of the site to spot things early.

 

Not sure if your website has been hacked?

You can give us a call at any time and we are happy to offer some support and advice with a view to getting your website or domain back under your control.

Hackers & hacking

What Hackers Do with Compromised WordPress Sites

Most site owners assume that if their website was targeted by hackers there would be no interesting data to steal such as credit card details, and believe hacking it would be a worthless exercise.

Unfortunately, they’d be wrong: aside from data, a compromised site’s visitors can be monetized in various malicious ways.

The web server can be used to run malicious software and host content and the reputation of the domain name and IP address can be leveraged.

Wordfence recently ran a survey asking people who reported their site being compromised what the hackers did to their site.
The below results were published:


Results from Wordfence 

 

The results clearly show that there are quite a variety of things the attackers are doing with the compromised sites:

  • Defaced site/took offline 
    • The hackers may replace your site with their own content, often that of political or terrorist groups; this gives them free advertising for their cause.
    • Or hackers may simply want to brag that they hacked your site seeking recognition, or simply remove it/destroy it and take it offline.
  • Send spam
    • Spam email is a huge issue, and sometimes the site owner may not be aware of it going on for some time.
    • It can result in the site owner getting blacklisted for spam and could damage the reputation of the business.
    • Ultimately, the hacker gets to use the resources you are paying for, for free and are trying to get people to click on malicious websites.
  • SEO Spam
    • Hackers are able to divert traffic from your website (by hiding links throughout) to their own to improve their search engine rankings.
  • Malicious redirect
    • Attackers redirect traffic to malicious websites either by using links or adverts, or by diverting all traffic directly.
  • Host phishing page
    • Phishing is attempting to fool the visitor into providing sensitive information, for example credit card numbers or password details.
    • Hackers are looking to use credit card details or even to steal a person’s identity.
  • Distribute malware
    • Attackers can install malware that in turn installs malware on your website visitors’ computers without their knowledge.
    • This could not only damage your reputation if your visitors are affected, but if Google detects what is happening they will flag your site via their Safe Browsing program, which will cause your SEO traffic to drop significantly.
    • The hackers benefit from this by getting access to steal information, or simply do it to wreak havoc!
  • Steal User data
    • From the above results this was a surprisingly low number that reported data being stolen.
    • Wordfence suggest this may be due to WordPress sites not storing sensitive data beyond user credentials and maybe email addresses OR it could be that it’s very difficult for the site owner to detect if data theft has occurred and therefore the numbers may be understated.
    • Attackers would be looking to steal email addresses to use for spamming, credit card details for obvious reasons and username/passwords in hope that the user is repeating use of passwords and therefore gain entry to other information.
  • Attack site
    • This seems fairly rare based on the above research, however in some cases an attacker will use your website as a platform to launch attacks on other websites.
    • This allows the hacker to use your server free of charge, get past their targets’ defences by using your domain and IP address, and could ultimately ruin your reputation.
  • Ransomware
    • This is a malicious software that blocks your website and demands you pay a ransom for having access restored.
    • If you don’t have backups that you have kept safe from the hacker, then you may decide that the ransom is worth paying, hence the attacker profits.
  • Host malicious content
    • The hacker quietly stores their files free of charge on your server with a domain and IP address that have a clean reputation!
  • Referrer spam
    • Referrer spam is bot traffic to your site set up to look like it’s coming from a fake referrer.
    • The spammer is trying to get the site owner to check out where the traffic is coming from, driving traffic to the site!
    • Their goal is to drive traffic to their websites for reasons that often turn out to be malicious.

So if you thought your site would not be of interest to hackers, then you may have changed your mind after reading the above.

If you want to discuss how to improve your websites security contact Showcase now.

 

Online Security Techniques

Welcome to the Wonderful World of Lastpass

Are you always forgetting passwords?

Do you wish there was just some way to remember all those passwords and make sure they are all secure at the same time?

Say hello to my little friend – Lastpass.

As you can imagine, as web developers we have to remember about a million different passwords – and that’s just for our own stuff.

As soon as you start adding clients’ details into the mix, it becomes pretty difficult to remember and find passwords for everything – especially since it would be pretty irresponsible for us to write these down!

We needed a solution – and boy, did we find it!

Last year, while looking to solve this tricky situation we stumbled upon Lastpass.

This basically (and most importantly) acts as a list of all your passwords for websites.

It’s secure and simple to use. But it’s much more than that.

Very quickly we discovered the browser add-ons, which are free and mean that when you navigate to a website, the add-on pre-populates the username and password for you!

Amazing!

Not only that, when you navigate to a new website and register, you are provided with the option to save the details automagically!

This saves us 100’s of hours a year alone!

Not only this, there are a load of other REALLY useful features which are worth shouting about.

 

Best Features of Lastpass

  • Generate ridiculously tricky passwords
    • We would always recommend using passwords which make no sense, are at least 12 characters long and use special characters – in the interests of security.
    • However, it’s not always practical to remember loads of passwords which are deliberately difficult to remember!
    • Lastpass saves you from this because a) it generates the password and b) it saves it for the site so you don’t ever need to remember it.
  • Cross Device
    • Whilst this may sound techy – it basically means that you can download the free app on mobiles and tablets.
    • This means that you take your passwords with you everywhere you go.
    • What about if my tablet or mobile is stolen I hear you ask – they’ve thought of that!
    • Dependent on the device, you will either be asked for a password, pin code or (my personal favorite), a fingerprint to unlock the app.
  • Sharing
    • For us, this is crucial.
    • The ability to allow others to access our stuff without revealing our passwords is indescribably useful!
    • Need to let your developer into your hosting temporarily? Share access with them then revoke it when ready!
  • Pricing
    • Not only can you get started for FREE, but even the pro version is ridiculously inexpensive at $12 a year!
    • That is $1 a month folks to resolve this forgetting passwords issue. It’s a no-brainer really!

This really is the solution many of you have been searching for.

Also, there are alternatives out there which a quick Google search could locate, but we’re unable to recommend them as we haven’t used them.

However, if you work with us, you will be urged to look at using Lastpass for your own privacy and peace-of-mind and it will stop you losing or forgetting passwords on ANY DEVICE – full stop.

Enjoy 🙂

Hackers & hacking

WordPress security – How attackers gain access

A survey conducted by Wordfence asked the question:

If you know how your site was compromised please describe how the attackers gained access.

Over 60% of site owners did not know. For the site owners that did work out how access was gained this is what the breakdown looks like:

The survey results above clearly show that Plugins are the biggest risk. However Plugins play a big part in making WordPress popular and there are over 40,000 plugins available. 

So here are some tips on how to secure your site to ensure your information remains safe:

Keep your WordPress site up to date

WordPress is updated regularly, and updates address any vulnerabilities discovered. This makes older versions easier to attack, so make sure you always install new updates.

Keep plugins up to date and delete any you’re not using

As above, always install any new updates, and delete any plugins that are no longer in use.

Use strong usernames and passwords (and change your password regularly)

Many potential vulnerabilities can be avoided with good security habits. A strong username and password (never use ‘admin’) are an important aspect of this, as is regularly updating your password.

Add two-step authentication

Logging in with a password is single-step authentication. It relies only on something you know. Two-step authentication, by definition, is a system where you use two of the three possible factors to prove your identity, instead of just one. This adds an extra layer of security to your login.

Store passwords securely

Do not store them in plaintext in a document online that may be compromised. You can use a product like LastPass, which provides an encrypted ‘vault’ to store your passwords in. The benefits of LastPass are enormous; look out for a blog post specific to this coming soon.

Only download from reputable sites

If you are going to download plugins from somewhere other than the official WordPress repository, make sure the website is reputable.

Limit the number of logins

Lock out users after a defined number of login attempts. This means an attempt to repeatedly hit your server with multiple username and password combinations will not work.

Back up your site regularly

A sound backup strategy could include keeping a set of regularly timed snapshots of your entire WordPress installation in a trusted location.

Note that Showcase limits login attempts, never uses ‘admin’ as a username and adheres to all the suggestions we outline in this post. Contact us if you want to know more about how Showcase Web Development can help improve your website security.