Blog security



BLOG SECURITY


5 Steps to Ensure Your WordPress Blog Is Secure

By Marko Saric, published July 4, 2013

Is your WordPress blog safe from malicious people?

Would you like to make your WordPress blog more secure?

TRIAL-N™ Ltd | Nedko Aldev



Most often, people don’t think about security measures until it’s too late. But there are some simple steps you can take to keep your blog safe.

Why Secure Your WordPress Blog?

A blog that has been hacked can suffer from loss of content, stolen data and expensive downtime. Maintaining the security of your blog helps you protect your reputation and provide your visitors with the best service possible. Because WordPress is such a popular platform for blogging, it’s a regular target for hacking attacks launched by people who find and exploit weaknesses and vulnerabilities in websites. Here are 5 simple security measures that you should implement on your business blog today to protect it from hacking attacks.

#1: Delete the “Admin” Username

Hackers look for blogs that use the default WordPress admin username because it’s half of the information they need to gain entry to your blog. When you use “Admin” as your username, you save the hacker a lot of time. All they’d need to do next is to figure out your password. Once that happens, they can enter your blog and do whatever they want. The first step in making your blog secure is to create a new user profile for yourself and delete the default admin username. This makes it more difficult for someone to hack into your business blog. To create a new username profile, open the WordPress admin navigation, go into Users and click on Add New.

Create a new user profile and change the role to administrator.

Fill in your details and make sure to give yourself the role of an administrator so you have the ability to make any necessary changes on your blog. After your new username is created, log out of your WordPress dashboard and log back in with your new user details. Go back into Users and delete the default admin user. At this stage, WordPress gives you the option to transfer the posts authored by the admin user to your new user profile; choose that and you won’t lose any of your content or data.

#2: Use a Strong User Password

No matter how much awareness is raised around the danger of using a simple password, many people continue to use simple passwords that are easy for them to remember. Unfortunately, this also makes those passwords easier to crack. It’s important that you use a strong and secure password. It should be a minimum of eight characters long with uppercase and lowercase letters, numbers and special characters. To change your WordPress password to a stronger character string, go into Users and choose Your Profile. At the bottom of that page, fill in the New Password fields.

WordPress interface for adding a new password.

Make this a requirement for every member of your blogging team as each login password presents a potential gateway for hackers to try to enter.

#3: Update to the Latest WordPress Version

In response to security vulnerabilities, the WordPress software, themes and plugins are regularly updated with the latest patches and fixes. When a WordPress update is available, you’ll see a prominent notification across the top of your dashboard.

You’ll see a yellow notification banner across the top of your WordPress dashboard when there’s a new update available for you to install.

Updating is a simple 1-click process in your dashboard so you won’t need to leave your browser or do any manual uploading via FTP.

#4: Back Up Your Blog Database

Backing up your database is an important part of keeping your blog secure. WordPress makes the backup process simple with both free and paid options. WP-DB-Backup, a free option, is one of the most downloaded WordPress backup plugins and is a simple solution for beginners. To install WP-DB-Backup, go into Plugins and choose Add New. Type “WP-DB-Backup” in the search box. Click Install Now and then click OK.

It’s easy to find and install a plugin to back up your blog. Under Plugins, click Add New and search for WP-DB-Backup or another backup plugin.

From the Plugins screen, Activate the plugin. After the plugin has been activated, you’ll have a new addition to your navigation in Tools named Backup. From Backup, you can either back up your database immediately or you can set the backup to occur on a regular schedule. The backup files can be downloaded to your hard drive or sent to your server via email.

WP-DB-Backup gives you the option to save to server, download or email.

You’ll appreciate knowing you always have an up-to-date backup of your blog in the event something does happen.

#5: Limit Login Attempts With a Plugin

The Limit Login Attempts plugin is especially useful in helping to repel brute-force hacker attacks by blocking access to the login page after a series of incorrect login attempts have been made. As administrator, you decide how many login attempts to allow before the plugin launches the block.

Install this plugin by going into Plugins and choosing Add New, just as you did to find the WP-DB-Backup mentioned above. This time, search for “Limit Login Attempts,” click Install and then OK. Activate the plugin from the Plugins screen and you will have a new Limit Login Attempts option in your Settings. To set the number of allowable login attempts and other limits, click on Limit Login Attempts, fill in the options and click on Change Options to save your work.

Limit Login Attempts plugin settings in your WordPress dashboard.

Bonus Tip: Here’s one last tip to help keep your blog safe. Remember to research any plugins you are interested in. Plugins are one tactic used by others to try to attack your blog, so only install plugins from reputable sources and check the reviews on WordPress.org.

Keep your business blog safe. These are five things you can quickly put in place to help make your business blog more secure. They will go a long way in protecting your blog from the majority of hacking attempts and give your blog more security than many of the other blogs published today.

What do you think? How often do you think about the security of your blog? What other precautions do you recommend to keep a blog safe? Write your comments and questions in the box below.

About the Author: Marko Saric

Marko Saric is a blogger at HowToMakeMyBlog.com, a site that teaches you everything you need to know on starting a blog and making it a success.

Plugins:

• Better WP Security - This is sort of an all-in-one security option. It handles a variety of tactics covered in this post. Can overlap with other plugins, so be careful. Free.
• Limit Login Attempts - Exactly what it says, and a phenomenal way to deter brute-force hacking attempts on a site. Free.
• Akismet - Great way to filter out a lot of crap before it ever touches your site. If your site is easy to spam, it might also be easy to hack, so make it a hardened target on all fronts. Paid.
• CloudFlare - CloudFlare is a CDN, but also so much more. It has some great security features built in, and comes in both free and paid versions.
• Google Authenticator - Enables two-factor authentication on WordPress, which is awesome. I use two-factor wherever it's offered, because it rocks. Free.
• Stealth Login Page - You can't crack what you can't find. This plugin hides your login page without needing to edit .htaccess files. Free.
• WordPress SEO by Yoast - Not only does this have great SEO benefits, but it allows you to easily edit your .htaccess file from within the WordPress admin, which is very handy. Free.

----- end

Personal security

As any half-decent hacker knows, the human element of security is usually the weakest link in the chain. The most security-conscious web admin or host can be foiled by a common password (Love, Sex, Secret, God, Hack the Planet!). The human brain likes routines, patterns, and comfort zones; and hackers exploit that with glee! If you want a fascinating yet frightening read on this topic, check out Kevin Mitnick's book The Art of Deception. Here are seven personal best practices for locking down the human element:

1. Never access a WiFi hotspot through anything other than a secure VPN. I personally use Cloak as my VPN (iOS and Mac only at this point), but there are lots of options. You'd be shocked at what can be found with simple packet sniffing (Firesheep is a great example, and will probably make you quite uncomfortable). When you use a WiFi network, secured or unsecured, anyone else on that network can get access to your traffic (if all your traffic is encrypted, you're MUCH safer, which is why you should use a secure VPN on any shared network, even if it's a "secure" shared network). If you have WiFi at home or work, make the password a strong one, use WPA2, and set your router to NOT display the SSID (this is a "security by obscurity" tactic).

2. Get a firewall. A good firewall is an excellent defensive tool. In a perfect world, I'd recommend having both a software and a hardware firewall, but that may not be feasible for everyone. At the very least, you need a software firewall (Comodo, ZoneAlarm, etc.). It can be a bit intrusive, depending on your settings, but it's easy to customize and does a very good job. You should have a firewall on every desktop/laptop/server.

See, there you go, a good firewall. Not much is getting past that...

3. Get an antivirus program. Viruses and malware are a dime a dozen, and the chances are REALLY good that you've got at least one on your machine already. If a hacker has access to your computer, no amount of security anywhere else can protect your WordPress installation (not to mention your email, bank account, etc.). I've tried quite a few over the years, and I'm partial to Avast. It's one of the least resource-intensive AV programs on the market (won't bog down your machine), but it's also extremely thorough (there's a free version, but I pay for the full suite for a variety of reasons).

4. Keep your hardware physically secure. If someone can get to your machine, it's a cinch to hook up a keylogger. If you don't password protect your machine, there are all kinds of other quick and dirty things they could do as well. If you use a desktop in particular, and it's in a common area at work, periodically check your USB ports and all cords running into the machine for anything unusual. It's uncommon, but it happens. Seriously, you should see the type of security Google has at its server farms!

5. Use really good passwords, and don't ever reuse passwords on multiple sites. Here's where the lazy human element really comes into play. We're not really good at remembering obscure passwords, so we tend to stick with things we'll remember (asdf, 12345678, qwerty12345, etc.). This is bad, because common passwords make things REALLY easy for hackers, especially if you use the same password for multiple sites (don't do that, ever). Operating system passwords are notoriously easy to crack with rainbow tables, so make sure your OS password is long (at least 15 characters) and complex (uppercase and lowercase letters, numbers and symbols, avoiding common substitutions like @ for A or 8 for B, etc.). Here's a cool article that explains why complex passwords make things SO much harder for hackers. Thanks to some pretty serious security blunders over the years, it's easy to find massive lists of passwords used on pretty major sites (RockYou is a great example, with 32 million passwords leaked). With a list like that, you can just pick a WordPress site and try random passwords at will until you get a hit. While far from efficient, script kiddies in particular love this brute-force approach. I've found the easiest way to have virtually unbreakable passwords is to use a tool like LastPass, 1Password or Roboform. They allow you to generate a random, long, extremely complex password for each site, and then encrypt and store them all with one master password. There are desktop and mobile apps available (some of which even contain a secure browsing environment), so you can easily log in from your various devices, and all you have to remember is one password to access them all (for the love of all that is holy, at least make that one password complex). Don't write down, print, or store your passwords in plain text on your computer. Just don't.

6. Protect your email accounts with two-factor authentication (and then protect your phone too). If a hacker can't get into your site via the password, their next trick is usually trying to crack your email account so they can just do a reset. If your email provider offers two-factor authentication, USE IT. If you do this, make sure you lock your phone (use a real password, not the 4 digit variety) and try really hard not to lose it, since that is now the key to your accounts (and, in a perfect world, don't put that phone number up online, just to be safe. If a website ever needs a phone number, get a Google Voice number that you use just for that.) You should probably also set your phone to wipe after a certain number of failed tries, and configure a remote wipe option as well, if possible, as your phone is now the key to your accounts. If your account provider asks you for security questions, use a mnemonic to come up with a totally separate answer (for example: for the question "What was your high school mascot?", I might think, I really hated my CS teacher in high school, and then use that teacher's name as the answer.) This will effectively neutralize attempts to mine your social profiles for data hackers can use to guess your security questions.

7. Learn to recognize and avoid phishing attacks. Whether by email or website, phishing attacks are one of the most common causes of security breaches (you might have heard about the hacked AP Twitter account fiasco that caused a massive stock drop — yeah, that was due to a phishing attack). When it comes to avoiding these sorts of attacks, I live by three rules:

• If I have to log in to a site, I only navigate to that site through my password manager (this prevents me from accidentally falling for a misspelled-URL phishing attack, like if I were to type Facebool.com instead of Facebook.com).
• Never, ever click on a link in an email and then log in to whatever page pops up (see last rule). In fact, I don't click on links in email anymore. I right-click, copy link location, and then paste it into Google, just to be safe. If it doesn't look right, or the results include spammy stuff, I stop there.
• Never, ever open an attachment from someone you don't know and trust (and even if you know and trust them, drop it in a folder and run a virus check on it before opening it, or open it in a sandbox program first just to be safe). If someone who has you in their contact list gets their email hacked, the hackers start by blasting out emails to that person's contact list to expand their phishing pond.
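A check that puts together the #2 password rules from the first article (eight characters minimum, with uppercase, lowercase, digits and symbols) and the point in item 5 that leaked-password lists and common substitutions still defeat passwords like P@ssw0rd. This is an added Python illustration, not WordPress or plugin code; the leaked-password list is a small constructed stand-in for a dump like RockYou.

```python
import string

# Constructed stand-in for a leaked list such as the RockYou dump mentioned above.
COMMON_PASSWORDS = {
    "password", "password123", "12345678", "qwerty12345", "asdf",
    "letmein", "iloveyou", "hack the planet", "admin",
}

# Undo the symbol-for-letter swaps the text warns about (@ for A, 8 for B, ...).
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "8": "b", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

MIN_LENGTH = 8   # the minimum step #2 asks for


def normalize(password):
    """Reduce a password to the dictionary word a cracking rule set would try:
    drop trailing digits/symbols, lower-case it, then undo leet substitutions."""
    stripped = password.rstrip(string.digits + string.punctuation)
    return stripped.lower().translate(LEET_MAP)


def check_password(password):
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    required = {
        "uppercase letter": str.isupper,
        "lowercase letter": str.islower,
        "digit": str.isdigit,
        "special character": lambda c: c in string.punctuation,
    }
    for name, present in required.items():
        if not any(present(c) for c in password):
            problems.append("no " + name)
    # "P@ssw0rd" satisfies every character-class rule above and is still
    # just "password" to anyone running a leaked list with substitution rules.
    if normalize(password) in COMMON_PASSWORDS:
        problems.append("a common password once substitutions are undone")
    return problems
```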
Sam McRoberts is the Director of SEO at Point It by day, and the owner of VUDU Marketing by night, and has been involved in the online marketing world since 1999. He's a foodie, a gamer and a traveler, and loves all things entrepreneurial. You can connect with him on Twitter, LinkedIn and Google+

… I hope your password isn’t password123. ☺

WordPress Security and Safety [Infographic]

Last updated on July 3, 2013 by Regina Smola

WordPress Security is up to you! Are you being proactive with your WordPress site security? Do you know ways to protect your WordPress blog? When it comes to website security, here's a cool infographic with some WordPress safety tips and statistics for your blog. The Safety and Security of WordPress Blog Infographic includes:

• Number of WordPress blogs that have been hacked in the past 4 years
• Best ways to harden your WordPress site security
• Ways that WordPress blogs get hacked
• 27 Common forms of vulnerabilities
• 9 Signs that show your site has been hacked
• Most common ways for a website to get hacked
• WordPress Security statistics
• What Makes WordPress so vulnerable
• Breakdown of 400 WordPress Security issues

Infographic “Safety and Security of WordPress Blog”, from http://www.wptemplate.com/features/safety-and-security-of-wordpress-blog-infographic.html

--- end

Top 20 Best Access Control WordPress Plugins

July 22, 2013

We all know the usefulness of WordPress and the huge plethora of themes it provides to help us create websites that suit our specific needs. But while doing all this, security is another very important issue, and here too WordPress has some of the best access control plugins available. So here are a few of the best access control WordPress plugins that you can use for your website.

Stealth Login

WordPress comes with default URLs, and this makes it really easy for hackers to intrude on your privacy. But this plugin changes the login URL to something very specific and private. So even if a hacker has the password, he or she will not have the specific URL to hack into your site.

User Locker

Hackers are a real menace, and this nice little plugin takes care of that for you. Using this plugin, you can specify a certain number of login attempts that can be made at your website. The moment the specified number is reached, the website locks that particular user out. Hence, against brute-force attacks, this plugin is amazing!

WP Security Scan

This plugin is a very useful tool that you can use to diagnose security problems in your website. After you install WordPress, this plugin scans your installation and, if there are any holes in your security, it provides you with solutions.

WordPress File Monitor

This is a very nifty plugin, which monitors all the files that are there on your website. So when any changes are made to them, or any file is deleted, the plugin sends a security alert to a specified email address immediately.

Content Security Policy

This is a very helpful plugin that prevents content injection attacks from other sites. It lets the admin declare which sites he or she trusts to serve JavaScript and other content, and harmful content from anywhere else instantly gets blocked.

HTTP Authentication

This plugin will help you use existing means of authenticating other users to WordPress. It even includes the Apache HTTP authentication module, and many others.

WP Members

For those WordPress websites that require membership security solutions, this plugin is the best you can come across. There are tons of features on this one, from membership customisation to automated membership management, automated payment options and processing, content protection, etc.

AskApache Password Protect

This plugin adds numerous security layers to your blog website, and does not tamper with your database at all. The best part about this plugin is that it updates itself automatically, and stops attacks on your blog from hackers.

Login Encrypt

This plugin uses RSA and DES, with complex combinations to provide ultimate security for your website. It encrypts your password, and prevents hackers from gaining access to your site.

WP Email Guard

This plugin is one of the best there is. It converts any email from users of your website into JavaScript code, so that it can be read by humans only, and clicked by humans only. It prohibits spammers from crawling, as they can’t do so with JavaScript.

Login LockDown

This plugin keeps a record of the IP address and timestamp of every failed attempt to log in to your website. If there are many attempts from one particular source within a short period of time, then all functions from that source are instantly disabled.
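The lockout logic that Login LockDown, User Locker and the Limit Login Attempts plugin (step #5 in the first article) are described as implementing, as an added Python illustration that is not any plugin's code: every failed login is recorded per source IP with its timestamp, a source that exceeds the allowed attempts inside a short window is blocked for a lockout period, and the log lines it replays are constructed for the example.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one attempt per line: "<ISO timestamp> <ip> <FAIL|OK> <username>".
SAMPLE_LOG = """\
2013-07-04T10:00:00 203.0.113.7 FAIL admin
2013-07-04T10:00:02 203.0.113.7 FAIL admin
2013-07-04T10:00:03 203.0.113.7 FAIL administrator
2013-07-04T10:00:05 203.0.113.7 FAIL admin
2013-07-04T10:00:06 203.0.113.7 FAIL root
2013-07-04T10:00:07 203.0.113.7 OK marko
2013-07-04T10:02:00 198.51.100.9 FAIL marko
2013-07-04T10:02:30 198.51.100.9 OK marko
2013-07-04T10:25:00 203.0.113.7 OK marko
"""

class LoginLimiter:
    """Sliding-window failed-login counter with a per-IP lockout (hypothetical class)."""

    def __init__(self, max_attempts=4, window=timedelta(minutes=5),
                 lockout=timedelta(minutes=20)):
        self.max_attempts = max_attempts
        self.window = window                 # failures older than this no longer count
        self.lockout = lockout               # how long a source stays blocked
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> time the lockout expires
        self.events = []                     # (timestamp, ip, action) audit trail
        self.targets = Counter()             # usernames tried in failed logins

    def handle(self, ts, ip, result, user):
        """Process one login attempt and return what happened to it."""
        until = self.locked_until.get(ip)
        if until is not None and ts < until:
            # While locked, even a correct password is refused: the point of the
            # plugin is that the guessing has to stop, whoever is typing.
            self.events.append((ts, ip, "DENIED_LOCKED"))
            return "DENIED_LOCKED"
        if result == "OK":
            self.failures[ip].clear()        # a real login resets the counter
            return "ALLOWED"
        self.targets[user] += 1              # shows which names get guessed (e.g. admin)
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()                 # forget failures outside the window
        if len(recent) >= self.max_attempts:
            self.locked_until[ip] = ts + self.lockout
            self.events.append((ts, ip, "LOCKED"))
            recent.clear()
            return "LOCKED"
        return "FAILED"

def replay(log_text, **limits):
    """Replay a log through a LoginLimiter; returns (outcomes, limiter)."""
    limiter = LoginLimiter(**limits)
    outcomes = []
    for line in log_text.splitlines():
        ts_text, ip, result, user = line.split()
        ts = datetime.fromisoformat(ts_text)
        outcomes.append((ts_text, ip, limiter.handle(ts, ip, result, user)))
    return outcomes, limiter
```

In the replay, the fourth failure from 203.0.113.7 triggers the lock, the valid login two seconds later is refused, and the same address logs in normally once the 20-minute lockout has expired.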

Limit login attempts

It limits the number of login attempts, both for normal logins and for those using author cookies. Apart from the above, here are a few more access control plugins that you can try out.

Semisecure Login Reimagined

WordPress Firewall

Secure WordPress

AntiVirus

Ultimate Security Check

Exploit Scanner

Admin SSL

Tinypass
