Have you heard about the most recent brute force attack on WordPress websites? Is your site protected against XMLRPC pingbacks? Do you have a security plugin installed and a system for creating unique secure passwords? Do you add increased functionality to your WordPress website using code snippets or use HTML code in text widgets? Find the answers to these questions in this week’s #FridayFinds.
WordPress Security Alert from WordPress
Hopefully, you (or your webmaster) keep your WordPress software and plugins up to date and you have a good security plugin installed. Like many of you, I rely on the Wordfence Security plugin to protect my site. I also sign up for their newsletter so that I can keep abreast of any potential risks. (For example, they often will warn their users of potential security vulnerabilities in plugins.)
Two days ago, I received this email from Wordfence:
“We’re seeing an increase in brute force attacks (password guessing attacks) across WordPress sites from 2000/min to peaks of 15,000 currently. The attack started just after noon yesterday March 18th Pacific Time and gradually increased to a peak of 15,000 attacks per minute today March 19th at 5am and it’s currently holding at that frequency. This looks like it will be a sustained attack and will likely last from 24 more hours to several days. Please keep a close eye on your WordPress sites for unusual activity and ensure your backups are current.”
Note: While Wordfence tweeted 24 hours ago that the current attack is subsiding, the threat is never completely gone.
The Necessity of Strong Passwords
In addition to having a security plugin installed on your site, it’s strongly advisable to use strong passwords that contain a mix of capital and lowercase letters, numbers and special characters.
This week, I saw a retweet of an evergreen post from Ian Anderson Gray on iag.me. Even though his article is two years old, it’s still as relevant today as it was then. In Your Password is Not Safe, Ian shares his “I like salted peanuts” system for generating new secure passwords. I found Ian’s system to be very creative and I’ve now implemented a similar system on my site (and the sites that I manage). I hope you find it helpful. To me, it’s a really simple process.
Time to Tighten Up WordPress Security
Another blogger whom I follow is Kimberly Brink-Castleberry on her just-ask-kim.com site. This week, Kim has written an article that offers more insight into why it’s so urgent that we take security on our sites seriously.
In Warning: Your WordPress Site May Be Part Of A Pingback DDoS Botnet Attack, Kim shares her insight into the WordPress DDoS (Distributed Denial of Service) attack botnet. Kim stresses that these attacks are not isolated and that they’re part of a larger scheme involving attacks on sites like Aweber, GetResponse and MeetUp.
Be sure to check out Kim’s post for a better understanding of what these security threats are and how we can take steps to protect ourselves. Like me, Kim also uses the Wordfence security plugin but she combines that with the Better WP Security plugin and additionally recommends installing the Remove XMLRPC Pingback Ping plugin as well.
Note: In case you haven’t heard, Mike Alton of TheSocialMediaHat.com also blogged recently to alert his readers that HootSuite Endured a Denial of Service Attack as well.
Adding Functionality to Your WordPress Theme using Code Snippets
What is a code snippet you may ask? According to Kevin Muldoon on ElegantThemes.com, a snippet is:
“Code snippets are little pieces of code that can be inserted directly into your theme files. Sometimes they contain full functions, other times they simply modify an existing function.”
For those of you who are experienced in writing code, you may find Kevin’s article Eight Useful Code Snippets for WordPress helpful. However, if you’re not experienced with code, I don’t recommend trying these. Kevin’s suggestions require modifying your wp-config.php or your theme’s functions.php file.
What you can do with Kevin’s 8 snippets is:
- Empty your trash more often. (WordPress defaults to 30 days.)
- Reduce the number of post revisions that are saved in your SQL database.
- Move your wp-content folder to deter hackers. (Personally, I would not do this. I think this has the potential to break your site.)
- Redirect the author archive link to your about page. (If you publish guest posts, you won’t want to do this.)
- Redirect your reader directly to the post if a search returns only one result.
- Exclude specific pages from your WordPress search results.
- Reduce comment spam by removing the URL from your comment form.
- Enforce a minimum length for comments.
As always, before modifying your WordPress installation or theme, please make sure that you have both a database backup and a full backup of your site. I also always keep a copy of my PHP files and my .htaccess file handy.
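Kim’s recommendation to remove the XML-RPC pingback method, written as one of the code snippets this section discusses: this is an added example of mine, not code from the plugin Kim recommends or from Kevin’s article. It assumes a current WordPress install and uses only core filter hooks (xmlrpc_methods, wp_headers, bloginfo_url, pings_open); it leaves the rest of XML-RPC working.

```php
<?php
/*
 * Plugin Name: Disable XML-RPC Pingbacks (added example)
 * Drop this file into wp-content/mu-plugins/ (or paste the body into your
 * theme's functions.php). It keeps the rest of XML-RPC working for mobile
 * apps and similar clients and removes only the pingback pieces abused by
 * the DDoS botnet, in which each WordPress site is told to "verify" a link
 * by fetching a victim's URL.
 */

// 1. Remove the pingback methods from the XML-RPC server so a remote site
//    can no longer ask this one to fetch another URL on its behalf.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 2. Stop advertising the pingback endpoint in the HTTP response headers.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 3. Stop advertising it in <head> too: most themes print
//    <link rel="pingback" href="<?php bloginfo('pingback_url'); ?>">,
//    and bloginfo() runs its URL output through this filter.
add_filter( 'bloginfo_url', function ( $output, $show ) {
    return ( 'pingback_url' === $show ) ? '' : $output;
}, 10, 2 );

// 4. Report pings as closed on every post. Step 1 already removes incoming
//    pingbacks; this also rejects trackbacks (wp-trackback.php), which the
//    method removal above does not cover.
add_filter( 'pings_open', '__return_false', 10, 2 );
```

After activating it, a request to xmlrpc.php for the method `pingback.ping` should be answered with a "method not supported" fault, and the site's responses should no longer carry an X-Pingback header.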
How to Insert HTML Code into a Text Widget
The number one mistake that I see people making when they modify or add code to their websites is not using a text editor. While it’s tempting to use a word processor (for example, Microsoft Word) to copy, paste and work on text, word processors add miscellaneous code that you and I can’t see but that can potentially wreak havoc with HTML code.
For those of you who aren’t comfortable modifying code (potentially you could break your site), check out my post How to Add Follow Buttons to WordPress without a Plugin. In that article, I show you how to add HTML code to a text widget. Modifying a text widget is definitely not as risky as making changes to your WordPress and/or theme files, and several readers have let me know (in the comments) that they have successfully added follow buttons to their sidebar by following my tutorial.
You can always create a test post to practice your code in. (Be sure to switch from the default “visual” mode to the “text” mode when you’re entering code into a post.) After you’ve previewed your post to make sure your code works correctly, you can copy and paste it into your text widget. (If you’re inserting and linking images, don’t forget to click on the “Open link in a new window/tab” box when you’re linking the image.)
Over To You:
What is your favorite security plugin for WordPress? Have you ever added snippets of code to your WordPress website or added HTML in text widgets? As always, feel free to share your ideas and thoughts with us. As I always say, “We can all learn from each other”. Happy blogging!
For more great information, connect with the featured authors, Ian Anderson Gray, Kimberly Brink-Castleberry, Mike Alton, and Kevin Muldoon on Google+. You can also follow Wordfence on Twitter and connect with me on Google+.