We live in a world where bots and attackers constantly scan the internet for websites with a weak security profile, and WordPress is constantly in the news for such issues. While WordPress itself is relatively safe, the problem usually lies in the behaviour of the site owner. It also doesn’t help that WordPress is the most popular blogging platform, so most attacks are going to be aimed at WordPress sites (statistics 101). Typically, blog sites are compromised for the following reasons:
- A weak password is used for admin accounts
- Malicious plug-ins have been installed, legitimate plug-ins are not regularly updated, or the core of the site has not been updated recently (e.g. the WordPress core, themes, etc.)
- Security measures are non-existent
So now that we know some of the common attack vectors used to compromise blog sites, how can we protect our blog (or at least reduce the likelihood of a successful attack)?
Regarding weak passwords: avoid reusing the same password across multiple sites. Using a strong password that is 15 characters in length and includes lowercase and uppercase letters, numbers, and special characters like “^” is also a must. Oh, and don’t forget to enable two-factor authentication! In the event that your password is compromised, the attacker would still need to defeat your two-factor authentication setup. A code-generating app such as Duo or Google Authenticator is a better choice for the second factor than a one-time password sent via SMS; however, any implementation of two-factor authentication is better than none.
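To make the two halves of that advice concrete, here is an added example (not code from the original post) that enforces the password rule stated above and shows why an authenticator app defeats a stolen password: the app computes an RFC 6238 TOTP code from a secret the attacker does not have, and the server checks it. The Base32 secret and the rule names are my own choices for the demo; the secret is the RFC 4226/6238 test key, so the codes can be checked against the published test vectors.

```python
import base64
import hashlib
import hmac
import string
import struct
import time

# Policy from the post: 15 characters with lowercase, uppercase, numbers and a special character.
MIN_LENGTH = 15
SPECIALS = set(string.punctuation)  # includes "^"

# RFC 4226 / 6238 test key ("12345678901234567890") in Base32; a real site
# generates a random secret per user when 2FA is enrolled (assumed for the demo).
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def password_policy_failures(password: str) -> list:
    """Return the policy rules the password fails (an empty list means it is accepted)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too short")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in SPECIALS for c in password):
        failures.append("no special character")
    return failures


def totp_code(base32_secret: str, at_time=None, step: int = 30, digits: int = 6) -> str:
    """Compute the RFC 6238 TOTP code (HMAC-SHA1) that an authenticator app displays."""
    key = base64.b32decode(base32_secret.upper())
    now = time.time() if at_time is None else at_time
    counter = max(0, int(now // step))  # time step number since the Unix epoch
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def verify_totp(base32_secret: str, submitted: str, at_time=None,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the current code or one within +/- window steps (clock drift)."""
    now = time.time() if at_time is None else at_time
    for delta in range(-window, window + 1):
        candidate = totp_code(base32_secret, at_time=now + delta * step, step=step)
        if hmac.compare_digest(candidate, submitted):  # constant-time comparison
            return True
    return False


if __name__ == "__main__":
    print("policy failures:", password_policy_failures("Tr0ub4dor&3"))
    print("code at T=59:", totp_code(DEMO_SECRET, at_time=59))
    print("verify at T=89:", verify_totp(DEMO_SECRET, "287082", at_time=89))
```

The point of the drift window is the failure mode you will hit in practice: a phone clock a few seconds off still produces the previous or next code, so one step either side is accepted, while a code from two or more steps ago is rejected.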
Upgrading software has been an issue since the dawn of computer time. Luckily for us, most blogging platforms let you automate upgrades of plug-ins, themes, and the platform core. This should be enabled to ensure that your site is regularly updated, which adds a layer of protection against vulnerabilities in old software running on your blog. I do recommend regularly backing up your site, especially if you automate upgrades, so that you can quickly revert in the event that an upgrade breaks your site.
The final issue I notice with a lot of sites is that they lack basic security features. Installing a Web Application Firewall (WAF) protects your site from attackers and is a must for anyone who relies on the confidentiality, integrity, and availability of their platform. A WAF blocks individuals and bots who leave spam comments or comments with malicious payloads such as bad links, and it mitigates Denial of Service (DoS) attacks, among other types of exploits. Another tool you should leverage is an activity log, which lets you pinpoint when changes were made to your site and by whom (typically by username and/or IP address).
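An activity log is only useful if someone reads it, so here is an added example (my own code, not from the post or any WAF or logging plug-in) that answers the two questions the log exists for: which changes altered the site itself, and who made them from where. It also runs the simplest rule a WAF applies to bots, counting failed logins per IP in a sliding window, and joins the two signals. The log lines are constructed sample data in a hypothetical `key=value` format; the event names and the five-in-five-minutes threshold are assumptions for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample activity log (hypothetical format, documentation IP ranges, not a real site).
SAMPLE_LOG = """\
2024-05-01T09:58:01Z ip=198.51.100.23 user=admin event=login_failed
2024-05-01T09:58:03Z ip=198.51.100.23 user=admin event=login_failed
2024-05-01T09:58:04Z ip=198.51.100.23 user=admin event=login_failed
2024-05-01T09:58:06Z ip=198.51.100.23 user=admin event=login_failed
2024-05-01T09:58:09Z ip=198.51.100.23 user=admin event=login_failed
2024-05-01T10:03:12Z ip=203.0.113.7 user=editor event=login_success
2024-05-01T10:05:40Z ip=203.0.113.7 user=editor event=post_published post=42
2024-05-01T22:41:02Z ip=198.51.100.23 user=admin event=login_success
2024-05-01T22:42:15Z ip=198.51.100.23 user=admin event=plugin_installed plugin=example-plugin
2024-05-01T22:42:30Z ip=198.51.100.23 user=admin event=user_created new_user=backup-admin role=administrator
"""

# Events that change the site itself rather than its content (assumed names for the demo).
HIGH_RISK_EVENTS = {"plugin_installed", "plugin_activated", "theme_file_edited",
                    "user_created", "settings_changed"}


def parse_log(text: str) -> list:
    """Turn log lines into dicts: a UTC datetime under 'ts' plus every key=value field."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_text, _, rest = line.partition(" ")
        event = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
        for key, value in re.findall(r"(\w+)=(\S+)", rest):
            event[key] = value
        events.append(event)
    return events


def high_risk_changes(events: list) -> list:
    """Answer 'what changed, when, and by whom' as (timestamp, user, ip, event) tuples."""
    return [(e["ts"].isoformat(), e.get("user", "?"), e.get("ip", "?"), e["event"])
            for e in events if e.get("event") in HIGH_RISK_EVENTS]


def failed_login_bursts(events: list, threshold: int = 5, window_minutes: int = 5) -> dict:
    """Per-IP peak count of failed logins inside a sliding window: the brute-force rule a WAF blocks on."""
    window = timedelta(minutes=window_minutes)
    times_by_ip = defaultdict(list)
    for e in events:
        if e.get("event") == "login_failed":
            times_by_ip[e.get("ip", "?")].append(e["ts"])
    bursts = {}
    for ip, times in times_by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[ip] = peak
    return bursts


def changes_after_burst(events: list, bursts: dict) -> list:
    """Join the two signals: high-risk changes made from an IP that earlier hammered the login page."""
    return [c for c in high_risk_changes(events) if c[2] in bursts]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("failed-login bursts:", failed_login_bursts(events))
    for change in high_risk_changes(events):
        print("change:", change)
    print("changes from burst IPs:", changes_after_burst(events, failed_login_bursts(events)))
```

On the sample data the log shows a plug-in install and a new administrator account created late at night from the same address that failed five logins that morning; that correlation is what you want the log to surface, and the burst alone is what a WAF would have blocked at the edge.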
Security is an ever-changing field, and the defenses you put up today may not be adequate against the threats of tomorrow; however, the above tips will significantly decrease the chances of your blog being hacked. Sometimes, you just need to be more secure than your neighbor to avoid being attacked.