At the risk of stating the blatantly obvious, it feels like WordPress is becoming the go-to Content Management System (CMS) for anyone and everyone building a new web presence today. From medical software vendors to rock bands to auto manufacturers, everyone is building content on top of the basic framework that is WordPress. Even two different guys who have worn the moniker, “the fastest man alive,” are on WordPress. Perhaps 60,000,000 people can’t be wrong. If you’re coming to this party, or have already been here for a while, what are some things we WordPress users need to be aware of?
Brute Force Attacks
Recently there’s been a lot of talk in the news about a 90,000-strong botnet trying to hack into WordPress sites via brute force attacks. This botnet, consisting of previously-compromised computers, tries to log in to various WordPress sites using the username ‘admin’ combined with roughly 1,000 common passwords. If your site is protected by a common password, it may well be taken over to be used in further mischief, or more accurately, crime. When I first read about this wave of attacks, I didn’t lose any sleep. I don’t have an account called ‘admin’ on my sites, and my passwords are randomly generated, taking the form of VxL44aZ07cywn.
I’m also running the first plugin that we’ll talk about today, Limit Login Attempts. As the name implies, this free plugin limits the number of failed login attempts that someone can make from a particular IP address before that address is locked out of further attempts for a specified period of time. By making attackers wait, it encourages them to move on to easier targets that don’t. One caveat worth keeping in mind: a botnet spread across tens of thousands of compromised machines can rotate its guesses through many source addresses, so a per-IP lockout slows the guessing rather than stopping it. It does its best work alongside a non-default username and a strong password. Think of Limit Login Attempts as a deterrent, much like installing The Club on your car’s steering wheel to make it less appealing than the car parked next to it.
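To make the lockout behaviour and its limits concrete, here is a small model of a per-IP login limiter, written for this article as an added example. It is not the code of Limit Login Attempts or of WordPress; the 4-failure / 20-minute settings are assumed defaults, the password list is a constructed stand-in for the botnet’s wordlist, and the site accounts and IP addresses are invented. It runs the same guessing campaign three ways: from one address against a site with an `admin` account and a common password, from a handful of addresses against the same site, and from several addresses against a site with no `admin` account at all.

```python
from collections import defaultdict

# Assumed settings for the model: Limit Login Attempts ships with 4 retries
# and a 20-minute lockout, but both are configurable in the plugin.
MAX_FAILURES = 4
LOCKOUT_SECONDS = 20 * 60

# Constructed stand-in for the ~1,000 common passwords the botnet cycled through.
COMMON_PASSWORDS = [
    "123456", "password", "admin", "letmein", "qwerty",
    "welcome", "monkey", "abc123", "wordpress", "admin123",
]


class LoginLimiter:
    """Per-IP lockout in the style of Limit Login Attempts (a model, not the plugin)."""

    def __init__(self, users, max_failures=MAX_FAILURES, lockout=LOCKOUT_SECONDS):
        self.users = users                # username -> password; plaintext only in this toy
        self.max_failures = max_failures
        self.lockout = lockout
        self.failures = defaultdict(int)  # ip -> consecutive failed attempts
        self.locked_until = {}            # ip -> time at which the lockout expires

    def attempt(self, ip, username, password, now):
        """Return 'locked', 'ok' or 'fail'. A locked address is refused before
        the credentials are even checked, which is what slows the guessing."""
        if self.locked_until.get(ip, 0) > now:
            return "locked"
        if self.users.get(username) == password:
            self.failures.pop(ip, None)
            return "ok"
        self.failures[ip] += 1
        if self.failures[ip] >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            self.failures.pop(ip, None)
        return "fail"


def botnet_attack(limiter, source_ips, username, wordlist, now=0):
    """Guess every password in `wordlist` for `username`, moving to the next
    source address whenever the current one is locked out.
    Returns (password_found_or_None, addresses_used, guesses_actually_checked)."""
    ip_iter = iter(source_ips)
    ip = next(ip_iter)
    ips_used = 1
    checked = 0
    for pw in wordlist:
        while True:
            result = limiter.attempt(ip, username, pw, now)
            if result != "locked":
                break
            try:
                ip = next(ip_iter)        # locked out: retry the same guess from a fresh address
            except StopIteration:
                return None, ips_used, checked
            ips_used += 1
        checked += 1
        if result == "ok":
            return pw, ips_used, checked
    return None, ips_used, checked


if __name__ == "__main__":
    # Constructed sites: one with the classic 'admin' account and a common password,
    # one with a renamed account and a randomly generated password.
    weak_site = {"admin": "wordpress"}
    hardened_site = {"editor": "q7PzL2xVm9Tc4"}
    one_ip = ["10.0.0.1"]
    small_botnet = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]

    print("no limiter, one address:   ",
          botnet_attack(LoginLimiter(weak_site, max_failures=10**9), one_ip, "admin", COMMON_PASSWORDS))
    print("limiter, one address:      ",
          botnet_attack(LoginLimiter(weak_site), one_ip, "admin", COMMON_PASSWORDS))
    print("limiter, three addresses:  ",
          botnet_attack(LoginLimiter(weak_site), small_botnet, "admin", COMMON_PASSWORDS))
    print("limiter, no admin account: ",
          botnet_attack(LoginLimiter(hardened_site), small_botnet, "admin", COMMON_PASSWORDS))
```

The second run shows the deterrent working: a single address gets four guesses and is then refused. The third run shows the caveat: with three addresses to rotate through, the same ten-password list is exhausted and the weak password is found on the ninth check. The last run is the combination the article recommends: no `admin` account and a random password, so the campaign never succeeds no matter how many addresses it has.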
Were I building a new WordPress site from scratch, I’d absolutely begin with another free plugin, Better WP Security. This plugin renames the admin account, discussed earlier, and takes several other steps to make it less obvious to script kiddies that you’re running WordPress. Again, it makes you less of a target. I haven’t installed Better WP Security myself yet, as one of its features – changing the wp-content path – would affect existing external links to a couple of PDF documents that I’ve shared from my site along the way.
Comments, Pingbacks and Trackbacks
Sites like this one benefit from reader feedback. My most recent post on the iOS / Exchange problem is one example. At the same time, I don’t want to end up hosting links to nefarious content. So I long ago checked the WordPress option stating, “An administrator must always approve the comment.” I’d get a few comments per day, delete the spam, and approve any good ones. Recently, though, I decided that the rush of spam was becoming obnoxious. Of the 4765 comments received since this site went live, only 126 (or 3% of the total), have contained some merit.
I installed Securimage-WP last weekend. Securimage-WP allows WordPress sites to add a CAPTCHA requirement to comment submission. (If you’re viewing this post via the full permalink, rather than via the front page, you’ll see the comments section at the bottom.) Since installing Securimage-WP, I haven’t received a single spam comment! Apparently the spammers are scripting their comment submissions, and don’t take the time to visit sites individually to provide a CAPTCHA response. This makes Securimage-WP another successful deterrent against bad behavior. Oh, and as for pingbacks and trackbacks, they serve no particular value that can’t be found elsewhere. I turned off the WordPress option that reads, “Allow link notifications from other blogs (pingbacks and trackbacks).”
Backup and Recovery
While I’m reasonably confident of my WordPress configuration, my two sites represent a significant investment of my time and not a trivial amount of my money. So I want to be able to recover my content, should something unexpected happen. That’s why I elected long ago to shell out $15 per month, per site, for a solution that I could count on. VaultPress is an Internet-based WordPress backup service from Automattic, the folks behind WordPress.com. VaultPress keeps my sites backed up automatically, without any action on my part. They now also offer a $5 per month option, which seems like a reasonable baseline for anyone running a WordPress site.
While today’s discussion is hardly comprehensive, it provides a good place to start regarding WordPress security. Plugins like Limit Login Attempts, Better WP Security, Securimage-WP and VaultPress will go a long way toward making your WordPress experience happy and productive. Using these tools, along with keeping your WordPress version and plugins always up to date, should allow you to rest easy and focus on creating new content. And really, isn’t that what we’d all rather focus on?