WordPress security affects you if you run a WordPress site. Learn here why it is relevant and what you can do. First, I’ll explain a few principles of security on the Internet before I go on to explain WordPress security.
Darknet, Silkroad, spam, viruses, Bitcoin*. All words that are closely associated with cybercrime. The World Wide Web is still like the Wild West and website operators would be well advised to follow basic security guidelines to prevent their website from being hacked.
What happens if the website is hacked?
In the best case, the text on the page is changed. However, the scenarios are diverse:
- Delete the page
- Installation of malware that displays advertising to visitors (possibly hidden from the administrator), from which the hacker then earns money
- Use of the server to send spam
- Use of the server to carry out further attacks on other servers
- Stealing user data in order to gain access to other services.
So even if there is no direct financial loss, this must be prevented.
Do I now need expensive technology to protect myself?
Let’s compare a website with a house. Most people will close the windows and doors when they leave the house; nothing more. Does this mean that no one can break in any more? No. Let’s take a look at a bank: Alarm system, thick glass, security personnel. Does this mean that banks are not being robbed? No.
The same applies on the web. If someone wants access to a website, they will get it. We should have no illusions about that:
- Hack of the White House
- Hack of major media sites such as NBC and Fox News.
- DDoS attacks on Digitec, Interdiscount and Microspot
The list is endless. Therefore, if someone really wants something, they will achieve it. Exactly the same with your house. If someone wants to get in, they will.
As with the house, a risk analysis must take place: what I have to lose determines how much I invest in security. In a normal detached house in the country, a door and window will probably suffice. An apartment in a big city, on the other hand, is additionally secured with a door chain. A bank does not have a door chain, but special doors, an alarm system and a safe.
Fortunately, 99% (a pure estimate) of all websites belong to the category “detached house in the country”.
Unfortunately, many website operators leave windows and doors open and are then surprised that someone has broken in. However, nobody would be surprised if someone got into the house when the front door was wide open.
To answer the question in the headline: “No, you don’t need expensive technology”, but you should simply observe the basics (i.e. close windows and doors).
It’s all science fiction
Unfortunately not. However, we normal people are hardly affected by targeted attacks. The danger for us lies in so-called bot attacks, i.e. attacks that are carried out fully automatically by robots:
- Automatically scan websites for known security vulnerabilities
- Automatically try to guess a password (so-called brute-force attacks)
These attacks are also relatively easy to recognize and defend against:
- Install security updates promptly
- Use strong passwords
Then there are also a few useful free tools, which I will briefly introduce below.
Brute force attack successfully fended off
Just experienced today. When I take a routine look at the monitoring tools, I notice that the server has an unnaturally high load. The figure shows the load increase between June 15 and June 16. Either this site has suddenly become very famous or something else is wrong.
I search a little further and use Wordfence monitoring: one query every second, always from the same IP. Someone is trying to guess my password. Fortunately, the systems reacted quickly and blocked all these requests immediately, averting the danger for the time being.
However, this robot from Kiev has not stopped trying. Although this has no effect on security, it does have an impact on performance. This slows down the page for the normal interested visitor, as the server is still busy elsewhere.
I have been a loyal Cloudflare customer for years. A glance here has also shown that someone is up to mischief. Cloudflare is a so-called reverse proxy, i.e. a high-performance service that sits in front of the site and answers simple queries directly without keeping the server busy.
A few clicks and the attacker is blocked. The bot is still trying, but its requests now only reach Cloudflare, which blocks them. The page is already back to normal operation.
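The two signals in the episode above (a steady stream of requests from one IP against the login page, then a decision to block that IP) can be reproduced from an ordinary web-server access log. The following is an added example and is not code from this post, from Wordfence or from Cloudflare. The log lines, the IP addresses (taken from documentation ranges) and the threshold of ten login POSTs within sixty seconds are constructed for illustration; the sliding-window count is the same idea a login-protection plugin or a reverse proxy rate limit applies.

```python
"""Brute-force login detection over web-server access logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Paths that only login attempts (or XML-RPC abuse) hit repeatedly.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def find_brute_forcers(lines, max_attempts=10, window=timedelta(seconds=60)):
    """Return {ip: time the threshold was first exceeded} for every IP that
    POSTs to a login path more than `max_attempts` times inside any sliding
    `window`. Ordinary page views never count against a visitor."""
    attempts = defaultdict(deque)  # ip -> timestamps of its recent login POSTs
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip garbage rather than abort the whole scan
        ip, ts, method, path, _status = parsed
        if method != "POST" or path.split("?")[0] not in LOGIN_PATHS:
            continue
        q = attempts[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop attempts that have fallen out of the window
        if len(q) > max_attempts and ip not in flagged:
            flagged[ip] = ts
    return flagged


# Constructed sample log: one visitor browsing normally, one bot hammering the
# login form once per second. Both addresses are documentation-only ranges.
_BASE = datetime(2024, 6, 16, 3, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = ["this line is not a log entry"]
for _i in range(15):
    _t = (_BASE + timedelta(seconds=_i)).strftime(TS_FORMAT)
    # WordPress re-renders the form with HTTP 200 on a failed login.
    SAMPLE_LOG.append(
        f'198.51.100.23 - - [{_t}] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"'
    )
_t = (_BASE + timedelta(seconds=5)).strftime(TS_FORMAT)
SAMPLE_LOG.append(
    f'203.0.113.7 - - [{_t}] "GET /blog/wordpress-security/ HTTP/1.1" 200 18231 "-" "Mozilla/5.0"'
)
SAMPLE_LOG.append(
    f'203.0.113.7 - - [{_t}] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'
)

if __name__ == "__main__":
    for ip, when in find_brute_forcers(SAMPLE_LOG).items():
        print(f"block {ip}: threshold exceeded at {when.isoformat()}")
```

Running the script flags only the bot, at the eleventh request, while the legitimate visitor who logged in once is never touched. Feeding a real access log through `find_brute_forcers` line by line is enough to confirm whether a load spike like the one described above is a password-guessing bot; the block decision itself then belongs in the firewall or reverse proxy, not in WordPress.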
That takes us through the general information. Now it’s specifically about WordPress security.
WordPress security – This is special
WordPress is the most widely used CMS on the entire Internet. It is estimated that 30-40% of all websites run on WordPress. That’s a lot! A lot. This makes WordPress a very popular target for bot attacks.
WordPress is open source. When security problems are found, they become publicly known and can therefore easily be programmed into a bot. The “good guys” can use this knowledge to improve WordPress, but the bad guys can use it to compromise WordPress security.
You can increase WordPress security with five very simple steps:
- Do not name the first user “admin” but something else (and not “root” either).
- Use strong passwords that you do not use on other platforms (use a password manager).
- Don’t install every plugin you find and like.
- Make sure that you regularly update WordPress and the plugins.
- Use a reliable hoster who takes care of the basics.
- Bonus tip: make regular backups so that you can restore the site if something goes wrong.
- Bonus tip: Use Cloudflare as a reverse proxy.
This alone increases WordPress security many times over.
*Of course, Bitcoin is not bad per se, but it is a welcome payment option in these circles.