Practical Techie: Ways to fight off brute force attacks on blogs
WordPress is one of the internet world’s most popular page building platforms, mainly because it is free, open source for website building, and intuitive for non-technical bloggers. In non-geek speak, WordPress is the easiest and most powerful blogging and website builder today.
On a more mechanical level, WordPress is a content management system (CMS) written in PHP coding language that uses deep database algorithms in its design. It has hundreds of readymade designs that go from blogging to e-commerce to business and portfolio websites, either for large or small websites.
WP allows administrators to add multiple authors and other user roles, which can introduce a security problem. See ithemes.com for a detailed description of the platform’s many capabilities.
USERS — An administrator is the main manager role in WordPress. When a user installs WordPress, it creates a new user with the username and password defined during the installation. The first user is assigned the role of administrator, with full capabilities to perform all actions on a WordPress website. You can add 35 users to your private blog and later purchase the Unlimited Private Users upgrade if you want to add more. On a public blog, there is no limit on how many official users you can add.
Web content expert Andrew Mathew asks the following question: My WordPress website has never been hacked. Do I still need security? Yes.
HACKS — Statistics reveal that 50,000 websites are hacked every day through WordPress plugin vulnerabilities. Plugins are bits of software that you can upload to your website to add more features. Attackers use automated tools to try hundreds of username-password combinations. Then, they keep on trying until they get the right credentials. If successful, they can access any password-protected information.
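The password-guessing pattern described above leaves a recognisable trace in ordinary web-server access logs. As an added example (not code from the column or from WordPress), the Python below flags client IPs that send a burst of POST requests to wp-login.php within a short window; the sample log lines, the five-attempts threshold and the one-minute window are constructed, illustrative values.

```python
"""Flag bursts of POSTs to wp-login.php in Apache/Nginx combined-format access logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Only the fields the detector needs are captured from each combined-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one client hammering the login form, one ordinary user.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:14:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.7 - - [10/Mar/2024:14:02:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.7 - - [10/Mar/2024:14:02:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.7 - - [10/Mar/2024:14:02:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.7 - - [10/Mar/2024:14:02:12 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
198.51.100.2 - - [10/Mar/2024:14:02:15 +0000] "GET /wp-login.php HTTP/1.1" 200 3980
198.51.100.2 - - [10/Mar/2024:14:02:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [10/Mar/2024:14:05:30 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
""".splitlines()


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"].split("?")[0],
            "status": int(m["status"])}


def login_bursts(lines, threshold=5, window=timedelta(minutes=1)):
    """Map each IP to its largest count of wp-login.php POSTs inside any `window`,
    keeping only IPs that reach `threshold`. Status codes are deliberately ignored:
    WordPress answers a failed login with 200 (form redisplayed), so the request
    rate, not the status, is the signal."""
    attempts = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] == "POST" and rec["path"].endswith("/wp-login.php"):
            attempts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in attempts.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):          # sliding window over sorted times
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged
```

Feeding real log files through `login_bursts()` gives a list of sources to rate-limit or block at the host firewall mentioned later in the column.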
While no website platform is 100% secure, WordPress continues to improve with a team of core developers and users who produce security patches. Research suggests that WordPress plugins are behind 90% of vulnerabilities; 4% belong to WordPress core files, and the remaining 6% to WordPress themes. WordPress security issues are usually due to user error rather than the software itself. Many website administrators don’t realize their portals have already been hacked, a situation that can cause irreparable loss, damage your reputation, and decrease revenue. Google then marks your website as unsafe. That is where WPScan and other security tools come in.
SCANNERS — One major type of attack is a Denial-of-Service (DoS). Hackers overload the server with traffic by constantly requesting resources, which can cause the server to crash. When this happens, even authorized users cannot access the website. The WPScan CLI tool is a black box WordPress security scanner, free for non-commercial use, written for security professionals and blog maintainers to test the safety of a website.
You can use it to scan your WordPress website for known vulnerabilities within the WordPress core and popular WordPress plugins and themes. Since it is a WordPress black box scanner, it mimics a real attacker. Other security plugins for WordPress are Sucuri, Jetpack Security, Wordfence, BulletProof Security, All In One WP Security & Firewall, and the Google Authenticator. This site explains it in more detail.
Mathews recommends that WP users concentrate on two basic scenarios to stay above any vulnerability.
SAFEGUARDS — One is hosting. Where a user hosts a website is crucial for security. A good web host should take certain basic steps to keep your website safe, including firewalls to block malicious traffic.
They will also monitor the entire network, since a well-organized system detects suspicious activity immediately and takes measures to prevent further attacks. Another safeguard is updating. The user must make sure everything is up to date. That includes server software, PHP versions, hardware, disaster recovery, and accident plans. Otherwise, hackers can easily exploit old security vulnerabilities.
Luckily, the providers of WordPress maintain and update the platform regularly. The system automatically applies minor updates after every major release. But the WordPress webmaster must also install the latest versions of plugins and themes, because those updates are what close the vulnerabilities. An update carries the fixes for new viruses and malware. Prudently, a good admin also changes the default username.