# Running a Wordpress based website? Batten your hatches!



## Bob Hubbard (Jul 25, 2014)

I've been a little scarce the last few weeks.  Since the end of June I've been dealing with a prolonged passive brute force attack on a number of my clients sites. Where normally we'd see a small number of login attempts, we've been seeing tens of thousands each day from thousands of different IP addresses. As Wordpress continues to gain popularity as a web site builder, it also continues to become a larger target for malicious hackers.  So to help everyone lock their sites down a bit, I'm sharing some of what I've been doing to keep my clients sites safe.

1 - Make sure everything is up to date.  Security holes are discovered all the time. Wordpress is pretty good at patching as they are discovered, but it's up to you to make sure your site is current.  Wordpress now has the ability to 'auto-update', and there are a few plug ins that extend that ability to themes and plugins as well.  However, you should check the Dashboard regularly to make sure they are working as expected.

2 - Get rid of 'admin' as your user.  I've analysed over 50,000 lockouts, and over 95% were targeting 'admin'.  If you are using this default account, log in, create a new account for administrative use (don't use admin in the name), make sure you make it an administrator, then log out, log in as the new one and delete the 'admin'.  This step alone will save you a lot of headaches.

3 - Delete unused, and inactive themes and plugins.  Doing so removes potential areas where bots can gain a foothold or exploit some long forgotten add in.

4 - Protect your wp-config.php file. Add this block of code to your .htaccess file, right at the top. 


```
# Protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>
```

5 - Protect your .htaccess file.  I add this at the very end.


```
# STRONG HTACCESS PROTECTION
<Files ~ "^.*\.([Hh][Tt][Aa])">
 order allow,deny
 deny from all
 satisfy all
</Files> [L]
```

6 - Install a Firewall.  
  Adding a reliable firewall will increase your sites shielding. While there is no single 'do everything' solution, there are several good options available. The core of our defence is Wordfence. It can help defend your site against brute force attacks, logins by non-existent users, as well as verify the integrity of your sites files. There are a number of other top rated options as well.  Depending on the situation, we also use BulletProof Security,  iThemes Security (formerly Better WP Security), Acunetix WP Security Scan as well as 3rd party services from Sucuri Security (who also do vBulletin security).

7 - Monitor your logs.
I know too many webmasters who auto-delete all the 'noise' of notices, warnings and alerts they get from their websites then wonder what happened.  I get an average of 10 notices every 5 minutes, every day. I read them all. It's boring reading, but necessary to make sure you minimize problems before they become headaches.

8 - Make sure you use a webhost who gives a damn about security.  
Too many people are nickel and diming their hosting, and it hurts them.  Budget hosts who charge little to nothing for hosting tend to not put much effort into server security. The bulk of the attacks I've been seeing that are not coming from Russia, China or the Mid East are coming from a very small handful of big-name US cheap hosting companies.  Over the last month I have blocked hundreds of thousands of ip addresses associated with a very small number of companies.  Lax security on their end puts your site at risk.


There is a lot more to keeping your site safe, but this is a good starting place.  If you don't have the time or technical know-how to do it yourself, it's well worth it to use the services of a company that can 'have your back'. A search for 'managed wordpress hosting' will turn up a number of names. WPEngine are the 'big names', running a very secure and locked down environment.  My own company, SilverStar WebDesigns inc. also does managed Wordpress hosting. We have a different approach that WPE which is a little more flexible while still secure.  Both start at about $30 per month and let you worry about other things.

If you have any questions or would like help securing your site, please let me know.


----------



## granfire (Jul 25, 2014)

That's where you were. I thought you done run away from home!


----------



## Transk53 (Jul 25, 2014)

Nice post. Always useful to keep up of such things.


----------



## jks9199 (Jul 25, 2014)

granfire said:


> That's where you were. I thought you done run away from home!



I figured he was out photographing boobies...


----------



## oftheherd1 (Aug 15, 2014)

jks9199 said:


> I figured he was out photographing boobies...



These two said they are considering filing charges against Bob for mopery with intent to gawk.

https://www.google.com/url?sa=i&rct...kCMVYtgazca_AmRfz4xAYK3g&ust=1408216149796931

Good info Bob.  Thanks.


----------

