WordPress is among the most widely used blogging platforms in the world. There are tens of millions of users and perhaps millions of plugins and themes to go along with it. For this reason, it’s also a large target for hackers. There are just as many exploits for WordPress and its plugins as there are users of it, and there are even automated attacks that scan the internet and exploit outdated WordPress installations without any human involvement. Many people getting into the webmaster field don’t give security much thought. However, once your first blog gets taken down and spammed, you’ll definitely think twice. Don’t worry though: there are a lot of things you can do to prevent attacks, and a lot you can do to limit the damage once an attack has occurred. Let’s go over some of the basics.
Shared hosting vs reseller hosting
Many people don’t consider security when picking out their hosting. For small websites, shared hosting seems like a no-brainer: reseller hosting costs more, and you’re not going to be selling anybody any services, so what’s the difference? From a security perspective, the difference is night and day. cPanel by its nature is insecure in this respect: when you use the addon domain feature, it simply adds another directory to the same user account. All of your websites, whether you have two or 200, will be sitting in the same home directory under the same user.
Let’s face it: not even a perfect webmaster can keep all of his sites perfectly up to date. If one site in the network is compromised, on shared hosting the attacker has access to all of them. He can navigate through the directory hierarchy and view the files of every one of your websites. If he can view files, he can read wp-config.php and get into all of the SQL databases. In other words, if a single website is compromised, essentially all data and all other websites on that account are compromised.
This is where reseller, or even VPS, hosting comes in handy. As a reseller, you can put each website on its own account. If one website (one user) is compromised, that user has no privileges to access any other website. So if you’re a webmaster with more than about half a dozen websites, you may want to think about becoming a “reseller”, even if you never actually sell any services. It’s worth the extra $10 a month for security alone.
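As an added example, not from the article, here is a small Python audit of the same-account problem described above: it walks one account’s home directory, finds every wp-config.php, records who owns it and how readable it is, and shows which databases a single compromised site could reach. The site directory names, database names and function names are constructed for the demo; real cPanel layouts vary.

```python
import os
import re
import stat
import tempfile

# Matches define('DB_NAME', 'value'); style lines in wp-config.php
DEFINE_RE = re.compile(r"define\(\s*['\"](\w+)['\"]\s*,\s*['\"]([^'\"]*)['\"]\s*\)")

def audit_account(home):
    """One record per wp-config.php under an account's home directory
    (each cPanel addon domain is just another directory under the same
    user): owner uid, whether the file is readable beyond its owner, and
    the database it points at."""
    records = []
    for dirpath, _, filenames in os.walk(home):
        if "wp-config.php" not in filenames:
            continue
        path = os.path.join(dirpath, "wp-config.php")
        st = os.stat(path)
        with open(path, encoding="utf-8", errors="replace") as f:
            defines = dict(DEFINE_RE.findall(f.read()))
        records.append({
            "site": os.path.relpath(dirpath, home),
            "owner": st.st_uid,
            "group_or_world_readable": bool(st.st_mode & (stat.S_IRGRP | stat.S_IROTH)),
            "db": defines.get("DB_NAME"),
        })
    return records

def blast_radius(records):
    """owner uid -> set of databases reachable once any one of that
    user's sites is compromised (the same-account problem)."""
    radius = {}
    for r in records:
        radius.setdefault(r["owner"], set()).add(r["db"])
    return radius

def run_demo():
    """Constructed account: three addon domains under one home directory."""
    home = tempfile.mkdtemp()
    for site, db, mode in (("public_html", "blog_main", 0o644),
                           ("shop.example", "shop_db", 0o640),
                           ("old.example", "old_db", 0o600)):
        os.makedirs(os.path.join(home, site))
        cfg = os.path.join(home, site, "wp-config.php")
        with open(cfg, "w") as f:
            f.write("<?php\ndefine('DB_NAME', '%s');\ndefine('DB_USER', 'u');\n" % db)
        os.chmod(cfg, mode)
    recs = audit_account(home)
    return recs, blast_radius(recs)
```

A single owner uid mapping to several databases is exactly the shared-hosting exposure the article warns about; on a reseller setup each site has its own uid and the map has one database per owner.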
mod_security is a module for Apache that stops attacks in real time. It analyzes the data the user sends to the server, including HTTP headers and the contents of GET and PUT requests, and if something matches a known attack pattern, it drops the connection. This is particularly useful for attacks like SQL injection. If you have an outdated web application, or are running the latest version and it happens to be insecure, mod_security has a good chance of stopping the attack. Most web hosts install it by default, but if you’re running a VPS or a dedicated server, it’s up to you to install it. Personally, I’ve seen this module stop attacks and provide detailed logging of the incident. I would not run a website without this software.
Wordfence is amazing software for WordPress users. It adds an extra layer between your blog and an attacker. It scans core WordPress files against the official repository, looking for any malicious modifications, and also compares files against signatures of known malicious software. It uses a centralized database that tracks the IP addresses of attackers around the world and pre-emptively blocks them from harming your website. The software also does basic things like enforcing good password security, stopping brute-forcing bots, and blocking fake Google bots. All together, Wordfence is the best security suite for WordPress. Not only does it stop attacks before they happen, it helps mitigate an attack once it does occur. This is a must for all WordPress users.
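As an added example, not part of the article or of Wordfence’s own code, here is the core-file check in Python: hash every file under the WordPress root and compare it with a known-good manifest, reporting modified core files, missing ones, and PHP files that should not be there. The manifest shape ({"checksums": {relative_path: md5}}) is assumed to follow the WordPress.org core checksums endpoint; the files and manifest here are constructed inline so the demo runs offline.

```python
import hashlib
import os
import tempfile

def md5_file(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def verify_core(root, manifest):
    """Compare a WordPress root with {"checksums": {rel_path: md5}}.
    modified/missing: listed files that changed or vanished; unexpected:
    .php files outside wp-content/ (and not wp-config.php) that the
    manifest does not list, a common place for dropped backdoors."""
    expected = manifest["checksums"]
    found = {"modified": [], "missing": [], "unexpected": []}
    for rel, digest in sorted(expected.items()):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            found["missing"].append(rel)
        elif md5_file(full) != digest:
            found["modified"].append(rel)
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if rel_dir == ".":  # top level: skip wp-content, it is not core
            rel_dir, dirnames[:] = "", [d for d in dirnames if d != "wp-content"]
        for name in filenames:
            rel = os.path.join(rel_dir, name)
            if rel.endswith(".php") and rel != "wp-config.php" and rel not in expected:
                found["unexpected"].append(rel)
    found["unexpected"].sort()
    return found

def run_demo():
    """Constructed mini WordPress tree: verify clean, tamper, verify again."""
    root = tempfile.mkdtemp()
    files = {"wp-login.php": b"<?php // login\n",
             "wp-admin/admin.php": b"<?php // admin\n",
             "wp-includes/version.php": b"<?php $wp_version = '6.0';\n"}
    manifest = {"checksums": {}}
    for rel, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
        manifest["checksums"][rel] = hashlib.md5(data).hexdigest()
    clean = verify_core(root, manifest)
    # simulate tampering: edit a core file, drop a new one, delete another
    with open(os.path.join(root, "wp-login.php"), "ab") as f:
        f.write(b"// injected\n")
    open(os.path.join(root, "wp-admin", "cache.php"), "w").close()
    os.remove(os.path.join(root, "wp-includes", "version.php"))
    return clean, verify_core(root, manifest)
```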
Backups are crucial for mitigating attacks. Most of the time your web host will offer some sort of backup plan; in cPanel there’s a utility that performs full site backups on a schedule – use it! If your website is compromised, it’s likely the attacker did it for financial gain, meaning he’s going to insert spam links and other nonsense into your blog posts. This boosts his site in the SERPs at the price of your own site’s rankings. However, if you have a recent backup taken before the compromise, you can easily revert any changes the attacker has made to your blog. This not only removes the spammy links, it also removes any backdoors the attacker left on your server to get back in later. Reverting your website to a previous date is so easy that there’s no excuse not to back up your files. The 10 minutes it takes to restore a backup are well worth it, because sorting through all of your posts to find spam links and backdoors can take hours.
There are a number of things you can do not only to prevent an attack from occurring, but also to isolate and resolve one once it happens. With the right tools, you should be able to prevent most attacks from happening at all. When one does happen, the above outlines a good strategy for getting your websites up and running normally again. Installing updates, backing up your files, and installing basic security software are essential for every WordPress webmaster.