Open up an email sent at 4 AM with the caption “SECURITY ALERT: Too Many Failed Login Attempts” from your WordPress website — and you haven’t been on your website in the last 16 hours.
Better than espresso.
The Bad News: You Need to Pay Attention to This NOW
Let’s get this out of the way: As of this date – 9/3/13 – there are multiple reports in the industry of a huge spike in forced login attempts over the last 48 hours or so on WordPress sites.
The Truth About WordPress Security
The truth is this: Any platform, any content management system – if it’s worth its salt – will attract more malicious-intent hackers the more popular it becomes.
That’s true of WordPress.
Sometimes, when I explain this to clients, the pushback I get is fierce: “Well if it’s not secure then I don’t want it!”
Then I have to explain that this is a faulty perspective. It isn’t that WordPress is a failure. It’s that it’s too much of a success. It’s everywhere, and it’s a tempting, low-hanging fruit kind of target for hackers.
The other reason WordPress is sometimes vulnerable to hacking is that it’s so easy to use. It attracts non-coders and folks who really don’t know much at all about website security and coding in general.
That’s not a bad thing. One of the key components of the philosophy behind Stage Presence Marketing is that you shouldn’t have to become a coding expert to have a solid, hard-working website.
WordPress is, therefore, a really good solution for a lot of solos and creative freelancers who need an easy-to-maintain website.
And therefore it’s a really enticing draw for hackers who want to wreak their havoc — be it malicious or greedy in nature.
So what’s the solution? It’s not “don’t use WordPress.”
It’s “make your WordPress site as secure as possible.”
There are a lot of ways to do this – many different approaches and techniques, ranging from the super-simple to the “better call Annie” to the “Annie calls her guru.”
But here is a super-simple, one-two-three punch technique you can use to shore up your site’s defenses without calling me, or anyone else.
It won’t guarantee your site will never ever be hacked. But it will make it a hell of a lot harder for hackers to gain access, and since hackers are essentially lazy (they’re like robbers – they’re not gonna go break into the house with the clearly visible alarm system), your site will become a whole lot less attractive to them.
And best of all: totally free.
The One-Two-Three “Secret”
How does it work? Very simply, you’re just going to install, activate, and configure three plugins. (Don’t worry – they’re very simple to manage.)
Here’s how it goes:
Step One: Install Limit Login Attempts
The Limit Login Attempts plugin is the first of the three “punches.”
After installing and activating it, visit the settings menu (Settings/Limit Login Attempts) to change the default configuration. Generally, since I’m the only person who should be on my site (I am my own WP genius – if you have other users, you might want to increase this a bit), I configure the settings as follows:
- 2 allowed retries
- 120 minutes lockout
- After 3 lockouts, increase lockout time to 168 hours
- 336 hours until retries are reset
- Email after ANY retry (remember, I’m the only one on my blog – if you have many users/authors, and password forgetting is a problem, you’ll want to adjust this setting)
Step Two: Install Wordfence Security
Next up, install Wordfence Security and activate it. Then, hit the Wordfence/Options menu. For the most part, I think the default settings are pretty adequate, though you’ll want to review them to be sure.
But there’s one section you should pay attention to: the list of options for receiving emails from your site on the occurrence of certain potentially troubling events. It’s totally up to you what you want to receive and when, but here’s my configuration for my sites (again, remembering I’m the only contributor to all of them – if you have multiple users you may want to adjust these to suit your needs):
- Critical problems
- When IP is blocked
- When lost password form is used for valid user
- When someone with admin access logs in
Yes, I will get a few annoying “someone logged in” emails when I’m working on my sites but it’s a small price to pay for knowing when anyone accesses my site!
Step Three: Install WP-Ban
Finally, install the WP-Ban plugin. Wordfence & Limit Login Attemps also allow you to ban IPs, but WP-Ban allows for wild-card specification.
NOTE: I’ve done some very preliminary testing and it looks to me as if there is no conflict here between WP-Ban and WordFence. If you have a different experience, please either comment below or drop me a line to let me know so I can amend this post!
How They Work Together
So then what happens is exactly what happened to me this morning.
- First, you’ll get an email that someone tried to login to your website x number of times (the number you specified when you configured Limit Login Attempts for your site) as a specific user name. There’s your warning.
- Now you need to go into guard-dog mode. Also in that email, you’ll find the person’s IP address. Highlight and copy that IP address.
- Now, go log in to your site. Click on the “Ban” submenu in your “Settings” menu in your Dashboard. Paste that IP address into the “Banned IPs” box, and scroll down to click the “Save Changes” button. Whatever you do, DO NOT BAN YOUR IP! This will be a problem, and then you’ll probably have to pay someone like me to fix it for you.
Set a reminder for yourself to check your Limit Login Attempts log periodically (once a week is my rate). If you see a range of IPs popping up there, you’ll want to go to the WP-Ban settings and modify the banned IP to include the range. (Directions are there on the menu page.)
Keep Your Site Secure
As stated above, these plugins are not “all you need.” There are a lot of other techniques and tools you’ll need to create a truly secure WordPress site. Some may be worthwhile to you to pay someone like me to take care of for you. And I plan to write more about those techniques and steps in the future here on this site. (Today’s article is prompted by the multiple reports of hack attempts of the last few days.)
This is a very simple approach that anyone should be able to manage for just about any WP site. While it won’t keep you 100% secure against hackers, it will go a long way towards making your site not worth the effort for the little buggers.
And if you need more, drop me a line and I’ll be happy to help.