Serious Security

Security is extremely important and always on my mind, but it became even more important on October 16, 2017.  This date, now referred to as Black Monday, brought about two security incidents:  KRACK and ROCA.  Appropriately, this week’s chat assignment was to read several articles regarding WordPress security.

Both incidents use WPA2, which is on 60% of the world’s Wi-Fi networks, to allow attackers to decrypt WPA2 connections.  Any device using Wi-Fi is likely affected.  KRACK (Key Reinstallation Attacks) is designed to steal sensitive information and inject malicious information.  ROCA (Return of Coppersmith’s Attack) is designed to compute the private part of an RSA key.

Companies are sending out security patches.  However, it is in your best interest to take additional security steps.  Following are some excellent suggestions for WordPress security.   Even though these are WordPress security steps, most concepts are appropriate for any scenario.

Website security is hugely important. Each week, Google blacklists around 20,000 websites for malware and around 50,000 for phishing. If you are serious about your website, then you need to follow security best practices.  Following are several good steps to begin taking today.

  • Choose a good WordPress hosting provider to ensure that you have good account isolation.
  • Install the newest versions of WordPress core and the theme and plugins you need. Only install what you need and always use a reliable source.
  • Keep everything updated. That includes WordPress core, your plugins and your themes.  Leave automatic updates enabled.
  • Remove the WordPress version from the <head> tag (no plugin necessary) and change the WordPress database prefix from the default “wp_”.  If your host allows it, put WordPress in its own directory.
  • Use strong passwords and do not reuse them. Use a password manager like 1Password or LastPass if you need to.
  • Do not use default account names. Rename the ‘admin’ account to something else.
  • Enable two-factor authentication and add security questions to the login screen.
  • Delete Unused Accounts. Enforce the “Principle of Least Privilege”. Only grant the minimum access required. Force strong passwords, expire passwords, and automatically log out idle users.
  • Limit login attempts and configure backups for your WordPress site. Use backups that are ‘rolling’ and ‘segregated’.  The backup solution I use is BackupBuddy.  You can schedule this as often as daily up to monthly.  It can store the backup to Dropbox, which I use, as well as other options.  In addition, you can use it to migrate and restore your websites.  It is free.
  • Install a WordPress Firewall.  The firewall I use is Wordfence.  It’s the most popular firewall for WordPress and it has generic protection against cross-site scripting, SQL injection and a variety of other attacks. It also includes the most popular malware scan for WordPress. All for free.
  • Disable file editing and PHP file execution in certain WP directories.
  • Disable directory indexing and browsing.
  • Disable XML-RPC.
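Several of the steps above (hiding the WordPress version, disabling XML-RPC, logging out idle users, and limiting login attempts) can be implemented in one must-use plugin. The following is an added example, not code from the post author, WordPress, or Wordfence; the attempt threshold, lockout window, and cookie lifetime are assumed values, and `DISALLOW_FILE_EDIT` still belongs in wp-config.php.

```php
<?php
/**
 * Plugin Name: Site Hardening (added example)
 * Description: Implements several hardening steps from the list above.
 * Place this file in wp-content/mu-plugins/ so it loads before regular plugins.
 * Thresholds below are assumptions, not values from the original post.
 */

// Remove the WordPress version from the <head> generator tag and from feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// Disable XML-RPC entirely (also stops system.multicall password guessing).
add_filter( 'xmlrpc_enabled', '__return_false' );

// Log out idle users: non-"remember me" sessions expire after 2 hours (assumed).
add_filter( 'auth_cookie_expiration', function ( $expiration, $user_id, $remember ) {
    return $remember ? $expiration : 2 * HOUR_IN_SECONDS;
}, 10, 3 );

// Limit login attempts per client address using WordPress transients.
define( 'HARDENING_MAX_ATTEMPTS', 5 );                       // assumed threshold
define( 'HARDENING_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS ); // assumed window

function hardening_attempt_key() {
    // REMOTE_ADDR is reliable only when no proxy or CDN rewrites it.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'hardening_login_' . md5( $ip );
}

// Count each failed login; the transient expires after the lockout window.
add_action( 'wp_login_failed', function () {
    $key      = hardening_attempt_key();
    $attempts = (int) get_transient( $key ) + 1;
    set_transient( $key, $attempts, HARDENING_LOCKOUT_SECONDS );
} );

// Refuse authentication while the client is locked out (runs after core checks).
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( hardening_attempt_key() ) >= HARDENING_MAX_ATTEMPTS ) {
        return new WP_Error( 'too_many_attempts', 'Too many failed logins. Try again later.' );
    }
    return $user;
}, 30, 3 );

// Clear the counter once a login succeeds.
add_action( 'wp_login', function () {
    delete_transient( hardening_attempt_key() );
} );
```

Disabling the theme and plugin editors is done separately by adding `define( 'DISALLOW_FILE_EDIT', true );` to wp-config.php, and blocking PHP execution in the uploads directory is a web-server rule rather than a plugin setting.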

Website security should be your first priority.

You should never take security lightly.  If a site is hacked, it can cause serious damage to your business revenue and reputation. You and your customer can have user information and passwords stolen, malicious software installed, and can even have malware distributed to your users. There is also the potential of paying ransomware to hackers just to regain access to your website.

Evan Mattson summed up the need clearly in his “How to Not Get Hacked” article of October 24, 2017:  “Securing your website is like trying to keep squirrels out of your bird-feeder; there are always going to be squirrels, you just have to make your feeder harder to reach than the others.”

I hope you have found this article helpful.  You can find more detailed information in this WordPress article:  https://codex.wordpress.org/Hardening_WordPress.

Posted in Web
