After the hack today that took down some pretty major sites out there that we all use on a daily basis, I wanted to share some helpful information I've come across in the WordPress world. I myself have been hacked twice. Ever since moving my photography business website from a big company, I've finally been able to move on with my life.
Even though today's massive attack affected mostly DNS, your websites server can be attacked at anytime. This is where some helpful little tools can come in handy and help keep us moving along business as usual! This article mostly speaks to those of you using WordPress as your content management system (CMS), and since that is where my hacking experience lies, I don't want to give advice to other platforms.
WordPress Plugins That Will Put You at Ease
- BulletProof Security: Don't be fooled by their goofy graphics; this little plugin has come in handy for me more times than one. It will alert you to many things like login security, monitoring of which users have been in your site, and the feature that sold me: .htaccess. My hacker had not only gained access to the database and WordPress side of things, they where able to create a back door so every time I'd create all new logins and reset my database, boom, a few days later, they where back and spreading poison throughout my site.
- Askimet: This plugin is way more simple and at first all I thought I needed for my photography blog. You sign up for this spam service on an annual basis, and it controls spam hitting your posts. At first, these annoying bot comments seem like just jargon; however, this can eventually lead to hackers getting access to your database. I highly recommend this little tool. It also comes with dashboard reporting, so when you log in, you can see who is commenting and what the system did with it.
- Wordfence: If you're going to just only take away one thing from this article, go learn about this plugin. I found this little sucker too late in the game as my site was completely unsalvageable. However, their upgraded plan can even help sites once the hack has happened, and you need help because you're a photographer and don't want to sit and spend your days cleaning code. It also does many of the features that I've mentioned in the other plugins, however does require a hefty fee.
Without this plugin, I wouldn't have caught the string of text at the bottom of each of my 177 posts that was causing every blog post on my site to re-direct to some online pharmaceutical company. Thank the code gods because I could've moved my site and infected the new server, further opening that door to my online business.
WordPress Hosting Must Haves
Since my switch away from the domain and hosting giant whom I now despise, I've been thrilled with the new service I acquired. Finding not only excellent customer service, I'm now hosted with a company who watches for these types of behaviors and alerts the users if they feel a server is infected and that your site might be a target. If that wasn't ultra helpful enough, they'll take it upon themselves to move you to an entirely new server that has no red flags and give you 14 days to make any changes.
http://www.gettyimages.com/detail/photo/you-could-cut-the-tension-with-a-knife-royalty-free-image/502089751?et=Tf-IffNPTLxVOpg22liMFw&referrer=https%3A%2F%2Ffstoppers.com%2Fnode%2F150918
Being a photographer, I don't want to have to monitor my website all day, every day. Heck, I don't want to monitor it at all! So, going through the painful process of rebuilding our 10 years of work and Internet history really opened my eyes to how important it is doing business in a digital age and knowing you have security. Cyber attacks are becoming more and more evil and are an online business' worst nightmare, and the distributed denial of service (DDoS) attack is one such attack that can cause a massive damage to any service. More information on the attack itself can be found here.
Lead image by Wikipedia user Colin, cropped and used under Creative Commons.
I'd like to mention that when I used Wordfence on my website, it added about 1.27 seconds additional load time at the initial homepage and slightly less time on other pages. Overall its an awesome tool but I had to get rid of the plugin because of the sluggish load time even on GoDaddy's SSD Wordpress hosting plan.
Really? Good to know. I'm no longer with GD (Satan) and my new load time is exceptional!
Hey man, spikes in page load times should be expected when using Wordfence since it's not a network; rather, Wordfence appears to be software. So, Wordfence is still dependent on a network (whatever network or kind of network it is). Depending on what (if any) network service or specific network placement, "initial homepage" load times might be longer compared to other pages due to various variables including network, but also how the website is developed and delivered to the network.
The attack didn't affect "mostly DNS" in a generic sense, as the article reads (not a slam to the article whatsoever); however, it was targeted at a specific domain name service (DNS) provider, DYN. This is important to know since a lot of DNS providers weren't affected; however, they could've been slowed if their traffic was moving through an attacked, shut down, or partially shut down network. This is to say that DYN most likely has domain names that have data going through more than a single network.
I can't attest to Wordfence and the [awesomeness of the tool], but "GoDaddy's SSD Wordpress hosting plan" sounds a lot like marketing speak to me and marketing speak doesn't sound like online security. That's just me though, it could very well be the best hosting plan ever. I just recall Brinkster beginning to use the term "hosting plan" around 2001 and that's about the time they went to shit...
Just my .02 cents worth...
Why dont you put succuri on the list? Paid version is so much better than free one.
Especially firewall feature
I haven't personally used it, however it's now on my to check out list :)
I'd also advise enabling 2FA (there's a number of plug-ins that do this) and limiting access to the WP Login pages to specific range of IP addresses through htaccess if you're able to (if you have a fixed IP Address) and/or limiting log-in to SSL.
I'd also recommend companies that specialise in WP hosting such as Media Temple as they tend to understand the security risks better than many hosting companies and usually have good track records with security.
Also this page helps you understand the various steps:
https://codex.wordpress.org/Hardening_WordPress
The problem with the current attack DDoS is that it's basically unstoppable at present, the underlying code has been responsible for two of the largest attacks so far and took out Kreb's own website despite having a company who managed the attack and was unable to continue. One way to mitigate DDoS is rely on a proxy like Cloudflare or use a geographic CDN which unless you're international doesn't make sense. The actual problem is the lack of security in IoT and people's ignorance but that's a different topic and discussion and it's only going to get worse. If you're interested here's some info:
http://arstechnica.com/security/2016/09/why-the-silencing-of-krebsonsecu...
Yep, good password security is the key for photographers. If you're getting hit by a strong DDoS, you're toast. Even big companies who have millions of dollars invested in IT can still have their site taken down for long periods of time, so for most of us it's just not worth the investment unless we're extremely famous and controversial.
I'd also recommend being as independent of CMS as possible, as the more services your site uses the more risk there is of you not securing an entry point properly, or the CMS having a security flaw itself. Personally, I recently moved my blog section to WordPress for ease of use, but the rest of my site doesn't use any CMS. Of course, I also work as a web developer, so it's easy for me to custom code things. If you're using WordPress for your whole site to make things easy, it's going to be fine most of the time, as long as you have good password security it's unlikely that you'll be the victim of hacking.
EDIT: Password security includes making sure that any devices you use are secure as well - no unauthorized downloads and periodic scans for viruses. Maybe even using a completely separate machine or virtual machine for total security.
I use Rapid Weaver for my site. Wordpress lack of security has keep me from using Wordpress. But a good article for people who use Wordpress.
Thanks William!
Thanks for this information, Amber. I already use Akismet for spam. I don't get all the tech talk in the links to BulletProof and Wordfence - Is one of them sufficient, or do you use both (all three)?
Also, who is your new hosting company that you like so much?
Hi Greg, I use WP Engine and am so so happy! I currently use Askimet and Wordfence :)
This is awesome, thanks for the info!
So I'm intrigued and curious, can you please mention who the domain and hosting giant you despise and who did you go with?
haha yes David I think I can say it :) I was with GoDaddy before and now I'm with WpEngine. They're so so night and day different to work with!!
LOL, I figured that but I wanted to hearing from you. Believe it or not, I have over 200 sites with GoDaddy, 90% of them are clients of mine but I'm going to move my personal site to WpEngine and see how they are. By the way, if I say you referred me will they give you credit?
Yes David, they actually will. Can I email you a link? You can message me here or at amber@jeffplusamber.com