Have you heard about the most recent brute force attack on WordPress websites? Is your site protected against XMLRPC pingbacks? Do you have a security plugin installed and a system for creating unique secure passwords? Do you add increased functionality to your WordPress website using code snippets or use HTML code in text widgets? Find the answers to these questions in this week’s #FridayFinds.
WordPress Security Alert from WordPress
Hopefully, you (or your webmaster) keep your WordPress software and plugins up to date and you have a good security plugin installed. Like many of you, I rely on the Wordfence Security plugin to protect my site. I also sign up for their newsletter so that I can keep abreast of any potential risks. (For example, they often will warn their users of potential security vulnerabilities in plugins.)
Two days ago, I received this email from Wordfence:
“We’re seeing an increase in brute force attacks (password guessing attacks) across WordPress sites from 2000/min to peaks of 15,000 currently. The attack started just after noon yesterday March 18th Pacific Time and gradually increased to a peak of 15,000 attacks per minute today March 19th at 5am and it’s currently holding at that frequency. This looks like it will be a sustained attack and will likely last from 24 more hours to several days. Please keep a close eye on your WordPress sites for unusual activity and ensure your backups are current.”
Note: While Wordfence issued this tweet 24 hours ago, that the current attack is subsiding, the threat is never completely gone:
The Necessity of Strong Passwords
In addition to have a security plugin installed on your site, it’s strongly advisble to use strong passwords that contain a mix of capital and lower case letters, numbers and special characters.
This week, I saw a retweet of an evergreen post from Ian Anderson Gray on iag.me. Even though his article is two years old, it’s still as relevant today as it was then. In Your Password is Not Safe, Ian shares his “I like salted peanuts” system for generating new secure passwords. I found Ian’s system to be very creative and I’ve now implemented a similar system on my site (and the sites that I manage). I hope you find it helpful. It’s a really simplified process to me.
Time to Tighten Up WordPress Security
Another blogger who I follow is Kimberly Brink-Castleberry on her just-ask-kim.com site. This week, Kim has written an article that casts more insight into why it’s so urgent that we take security on our sites seriously.
In Warning : Your WordPress Site May Be Part Of A Pingback DDoS Botnet Attack, Kim shares her insight into the WordPress DDOS (Distributed Denial of Service) attack botnet. Kim stresses that these attacks are not isolated and they’re part of a larger scheme involving attacks on sites like Aweber, GetResponse and MeetUp.
Be sure to check out Kim’s post for a better understanding of what these security threats are and how we can take steps to protect ourselves. Like me, Kim also uses the Wordfence security plugin but she combines that with the Better WP Security plugin and additionally recommends installing the Remove XMLRPC Pingback Ping plugin as well.
Note: In case you haven’t heard , Mike Alton of TheSocialMediaHat.com, also blogged recently to alert his readers that HootSuite Endured a Denial of Service Attack as well.
Adding Functionality to Your WordPress Theme using Code Snippets
What is a code snippet you may ask? According to Kevin Muldoon on ElegantThemes.com, a snippet is:
“Code snippets are little pieces of code that can be inserted directly into your theme files. Sometimes they contain full functions, other times they simply modify an existing function.”
For those of you who are experienced writing code, you may find Kevin’s article Eight Useful Code Snippets for WordPress helpful. However, if you’re not experienced with code, I don’t recommend trying these. Kevin’s suggestions require modifying your wp-config.php, or theme’s functions.php file.
What you can do with Kevin’s 8 snippets is:
- Empty your trash more often. (WordPress defaults to 30 days.)
- Reduce the number of post revisions that are saved in your SQL database.
- Move your WP-Content folder to deter hackers. (Personally, I would not do this. I think this has the potential to break your site.)
- Redirect the author archive link to your about page. (If you publish guest posts, you won’t want to do this.)
- Redirect your reader directly to the post if a search returns only one result.
- Exclude specific pages from your WordPress search results.
- Reduce comment spam by removing the URL from your comment form.
- Enforce a minimum length for comments
As always, before modifying your WordPress installation or theme, please make sure that you have both a database and a full backup of your site. I also always keep a copy of my php files and my htaccess file handy.
How to Insert HTML Code into a Text Widget
The number one mistake that I see people making when they modify/add code to their websites is not using a text editor. While it’s tempting to use a word processor (for example Microsoft Word), to copy and paste and work on text, word processors add miscellaneous code that you and I can’t see but can potentially wreak havoc with HTML code.
My personal choice for a text editor for a PC is Notepad++. I don’t use Macs myself but I’ve heard good things about TextWrangler. (Feel free to mention your favorite text editor in the comments.)
For those of you who aren’t comfortable modifying code, (potentially you could break your site), check out my post How to Add Follow Buttons to WordPress without a Plugin. In that article, I show you how to use a add HTML code to a text widget. Modifying a text widget is definitely not as risky as making changes to your WordPress and/or theme files and several readers have let me know (in the comments) that they have successfully added follow buttons in their sidebar by following my tutorial.
You can always create a test post to practice your code in. (Be sure to switch from the default “visual” mode to the “text” mode when you’re entering code into a post.) After you’ve previewed your post to make sure your code works correctly, you can copy and paste it into your text widget. (If you’re inserting and linking images, don’t forget to click on the “Open link in a new window/tab” box when you’re linking the image.)
Over To You:
What is your favorite security plugin for WordPress? Have you ever added snippets of code to your WordPress website or added HTML in text widgets? As always, feel free to share your ideas and thoughts with us. As I always say, “We can all learn from each other”. Happy blogging!
For more great information, connect with the featured authors, Ian Anderson Gray, Kimberly Brink-Castleberry, Mike Alton, and Kevin Muldoon on Google+. You can also follow WordFence on Twitter and connect with me on Google+.
About Sherryl PerryWelcome! If you're looking for help building an Internet presence that fits your needs and works for you, you're in the right place. I blog common sense articles about WordPress, social media and SEO. My goal is to help small business owners and entrepreneurs understand their core business. Together, we can develop and implement business strategies that make sense to you.
Security of your website or blog really matters a lot and on WordPress you are independent and you have to take care of your blog’s security yourself which becomes a little hard and sometimes threatening but playing smart, you can manage it.
Good tips Sherryl, they are going to help everyone.
Keep writing 🙂
I have been blogging on several blogs, including one on cyber security, i have worked closely with hackers to find out what it takes for them to hack any website.
Believe me It is easier than we think, so its better to do your homework before you come to there trap.
Good points added up there.
Thanks
Abhishek kumar jha recently posted..Samsung Galaxy Note 4 Price, Specs and Features
Yes. I should definitely consider LastPass. I find the amount of passwords that I manage to be reasonable but it could be a nightmare for someone else should I ever need someone to cover for me. THANKS
quiz expo recently posted..RBI as Banker of Banks
Worddefence is an excellent security plugin, I also used sucuri to scan sites.
Using Succuri to check for malware is a great suggestion. Thanks for adding that Jason.
Sherryl Perry recently posted..What Blogging Tips Are You Missing?
Hey Sherryl,
Nice post and Yes, security is really become very important factor these days as hacking is become very common these days. We have to make sure that our password should be strong enough so that our account cannot easily hacked.I continuously change my password in regular interval of time. Thanks for sharing this security plugin with us. This plugin really gonna help many bloggers.
Hi Sudipto,
Thanks so much for letting us know that you too take security seriously. It sounds like you already recognize the importance of secure passwords and changing them.
Sherryl Perry recently posted..How Safe Are Your Backlinks? #FridayFinds
Hi sherryl,
Now a days bloggers should be alert about the safety for their WordPress sites because there are multiple no. of spammers who try to harm WordPress websites. For a blogger it is important to know about the stuffs to increase security for their websites As we all know we can safe our blog from spam comments by using some plugins like Akismet but sometimes it doesn’t work because it put some real comments into spam list.
For some effective response CommentLuv is better. Though I am using Akismet with the combination of GrowMap Antibot Spammer plugin.
Bloggers should hide their index files using some codes in .htaccess file. There are many other security functions which you have described are useful.
Thanks for the post. Have a great weekend.
~Ravi
Ravi Chahar recently posted..How To Prevent Google From Indexing Sitemap ?
Hi Ravi,
Thanks for the additional tips. One common mistake that I’m seeing happening more often is people not updating their WordPress software. That amazes me because with every new release, the developers announce what security issues have been addressed. Anyone who is interested in hacking a WP site, could use that information to target sites with the older version.
Now, I’m not recommending immediately installing the latest update but I have at least one client (who only hires me on an as-needed basis) who is significantly behind on WP updates. I’ve cautioned him recently about doing this and his attitude is that no one would want to target his site. I have even explained to him that it puts others using the same shared hosting at risk too but to no avail.
Thanks for stopping by and weighing in on this. I apologize for not replying sooner. It was a 3-day weekend here in Massachusetts and I’m still catching up.
Sherryl Perry recently posted..Google Manual Web Spam Action or Algorithm Change?
I recently helped a friend with a site problem(s). It was very oddly set up – a blog post had been put on a Page that was then set as the page the blog was to appear on. It was built with some kind of pointless paid layout app that kept crashing when I tried to fix it.
It quickly became apparent everything was years out of date. She had hundreds of spam comments she had begun working through approving, thanking them for their remarks. (oops) There wasn’t a single valid comment.
Updating everything solved some of the issues. I was able to set the blog up properly. But there was a ton of template weirdness i had to leave as they had no resources.
Related to the comments on OpenSSL, I’ve seen businesses talked into servers they didn’t know how to manage that have not been updated since setup.
David,
That sounds like a nightmare. It reminds me of one the clients I work with. She originally hired me to build a self-hosted WordPress site and migrate her Blogger site. I now manage three WordPress sites for her in total. She’s a wonderful client and there are absolutely no issues with those sites whatsoever.
On the other hand, she still maintains one HTML website that’s a total nightmare to update. HTML should be pretty cut and dry but this code must be left behind from some sort of website builder. It’s horrific. The person who originally managed the site even admits that the coding is very complex.
Anyways, sometimes you just don’t know what you’re walking into and sometimes, a clean start is your best choice.
As always, thanks so much for sharing your experiences with us David. Have a nice weekend!
So are the WordPress.com blogs more prone to the Heartbleed Bug?
Heartbleed was an issue with OpenSSL. Once updated it’s fine. WP.com took a little time to update, but they centrally updated everything. WP.org sites are scattered on servers across the web which all needed to be updated. Most have been but a small % have not. So it’s not that one type is more prone, its if server maintenance is adequate.
David,
Do you know if we need to be concerned about WordPress installations that aren’t using OpenSSL? Is that part of the core installation or an add-on. (As always, thanks!)
Sherryl Perry recently posted..The Heartbleed Bug and More #FridayFinds
Hi Sherryl
OpenSSL is the encryption system on about 2/3 of servers, the https part. It’s an open source package that runs on Linux (Apache) servers, the most common web platform. It’s called Heartbleed because the OpenSSL build was called Heartbeat.
This is quite independent of WordPress or any plugins that may tap into it, such as for eCommerce. It’s the servers that needed the update, not WordPress, although there was also a WordPress update the next day. And another since.
WordPress running on a web server that doesn’t use OpenSSL (the other 1/3) is unaffected but also fairly rare I think. It has historically been a lot more work to get WP working on the MS platform for example, although that’s evidently improved recently. (Even MS had some affected servers ie: not running on MS Server)
The majority of WP sites are on hosted servers I would expect. Those hosts would have a tech support staff and would have updated quickly. The issue is more with web servers run in the back of a small business or charity, etc. Like your client that saw no need to get updates.
Thanks for the clarification David. I’m sure a lot of readers will appreciate your clear cut explanation. Once again, our choice of web hosting vendors is important.
Enjoy your weekend!
I think a lot of site owners get confused when people start talking about web security because it may be over their head, or they’re not interested in learning about it.
A lot of people assume that nothing will happen to their site so why worry about it. You really never know. There are so many possible scenarios that could be related to a hack or exploit.
I just try to stay informed, and read up on new issues as much as I can. There is always something new going around and it can be difficult to keep up all the time.
Ray recently posted..How To Setup And Configure cPanel Email Forwarding
Ray,
I don’t know if you read my reply to David about a past client. This man hires me sporadically when a need arises but he does not engage me to maintain his site. Actually, in the past, he has told me that if “it’s not broke – don’t fix it” and he applies that logic to updating WordPress and plugins.
Anyways, I let him know that I had been notified by his WordPress security plugin that someone was trying to hack into his site. He replied to thank me and tell me that he would look into it over the weekend. However, by his comment “I’m not sure what motivation someone would have for ‘hacking’ my site” lets me know that he does not appreciate the severity of the situation. (This is after I reminded him that he’s 3 versions behind on WordPress and has several plugins that need updates.)
As you said, some people don’t think anything will happen and they don’t worry about it. The problem is that people using shared hosting are probably sharing severs with these people.
Trying to stay informed can be a challenge. I agree with that. Thanks for weighing in on this Ray.
Wordfence announced that the recent surge in attacks on WordPress sites was coming from… other WordPress sites.
http://www.wordfence.com/blog/2014/04/wordpress-brute-force-research/
Make sure you have decent passwords on your admin accounts.
Just got a note that Better WP Security has become iThemes Security. “totally revamped”, the site indicates new features are added. It includes a checklist of tiered priority to review. There is also now a Pro version. Lots of ongoing development. And it’s included if you have one of their packages already.
http://ithemes.com/2014/03/25/4-reasons-buy-ithemes-security-pro/
btw – they offer a variety of free ebooks for various aspects of WP
Thanks for letting us know David. I received an email from them yesterday too. It said “The best part? Current Toolkit and Plugin Suite members will now find iThemes Security Pro available for immediate download from the iThemes Member Panel.”
I’ll be keeping an eye out to see what goes on with it. For now, I’m going to stick with Wordfence because everything seems to be working as expected and I don’t want to upset the apple cart. 🙂
They’re also now offering a plugin deal, if you’ve been waiting for a discount. I’ll eventually do it to get a few extras for the ecommerce.
Thanks Dave. I have a Plugin Suite (Unlimited sites) license with iThemes. So, I can download and install the security program.
Hi Sherryl,
This is a very important and informative post. I too use Wordfence and earlier I did use BetterWPSecurity, which too was good.
I did change my user name from the default “admin” and I think this is a very important step that everybody should follow. You should hide all your index files using a code in .htaccess file, and also do a couple things on your web host account settings to hide the vulnerabilities.
The best way to keep safe is to use a mix password as you suggested. I agree with your choice of Notepad++, its really good.
Okay, I use CloudFlare. So, when I get the news of attacks, I put the security settings to the highest on both CloudFlare and Wordfence.
I use the combo of Akismet and CommentLuv’s GASP, but still some spam does manage to trickle in. Also, you should be careful not to install old or suspicious plugins and definitely remove them if not in use.
Such a practice would definitely help keep your WordPress site secure. Thanks again for this important reminder. 🙂
Harleena Singh recently posted..Don’t Miss These Tips on Home Safety for Seniors
Hi Harleena,
That’s a great tip to raise the security settings on CloudFlare and Wordfence. I don’t use CloudFlare on this site anymore (because I ran into issues) and I had forgotten that you could do that.
In late February, I ran into more commenting issues on my blog. I never fault any single plugin because my blog is getting old and what I really need to do is make some tweaks to optimize my database. Plus, I need to move my site to a new host because there appear to be issues with the server that I’m on. (Andy Bailey replicated my site on his test server and could not duplicate some of the CommentLuv errors that I encounter.)
Anyways, my commenting system was returning “You appear to be a spambot” errors. After tracing that message back to GASP, I ended up deactivating both it and the Anti Backlinker plugin (which I had been a huge fan of). I’m now using the Anti-spam plugin that Ileane mentioned. So far, it seems to be working well for me.
Thanks for the reminder to delete old plugins that we’re not using or are suspicious. Sometimes, authors abandon their plugins and if we’re using one that hasn’t been updated in a long time, we really should question whether or not it’s time to replace it.
As always, thanks so much for dropping by and weighing in on this.
Sherryl Perry recently posted..How to Secure Your WordPress Site and Add Functionality #FridayFinds
Hi Sherryl
What an important topic!
I have been playing around with various security plugins in WordPress. Wordfence was slowing my site down so I remove it. but better WP security I found pretty darn good. I also use restrict login attemtps (although Better WP has that included).
I will also have to check out Ian’s recommendations, as he is the WordPress man to ask in my opinion. Knows his stuff :>
Let’s hope now DDOS come our way!
ashley
Ashley @ madlemmings recently posted..MLP004: Using LinkedIn the Right way – with Sarah Santacroce
Hi Ashley,
Thanks! I figured this would be a timely topic due to all the attacks on WP sites last week.
I used Better WP Security for a long time until last year when I got the “Googlebot can’t access your site” message in Google Webmaster Tools. BlueHost tech support told me that my htaccess file was blocking it. They also told me that the logs indicated that the change came from Better WP and they recommended that I deactivate it. I’ve been using Wordfence ever since. Although, I wouldn’t hesitate reinstalling it when iThemes releases their version.
Ian does know his stuff and I appreciate that he’s been joining the conversation here. I appreciate your dropping by too! I’ve been noticeably missing on a lot of blogs that I regularly visit including yours. I’ve been dealing with a lot of personal stuff lately but I promise to be by soon.
Hey Sherryl,
I’ve taken a few security measures myself to make sure that my blog is secure although we can never be 100% sure.
I haven’t read the password post but I change mine monthly and I have my own way of doing them. I saw Ian’s comment though and as he suggested, I’ve used LastPass for years and I don’t know what I would do without that program. That’s why I can have long encrypted passwords on all my sites and change them on a regular basis. None of them are the same either because that program remembers them all for me.
I never use WordPress for working with my text code on my blog. I use Notepad for pretty much everything because I learned a lot time ago about the stuff that WordPress throws in you site.
I wasn’t aware of any brute force attack last week on WordPress but I didn’t have any issues with my blog either so I guess all is well over here. You can never be sure though so take all the necessary precautions you can and keep those people out.
Great shares Sherryl, thanks. Hope all is well, haven’t heard back from you about next month so let me know if anything has changed okay!
Have a good week.
~Adrienne
Adrienne recently posted..How To Build A Rockin Successful Email List
Hi Adrienne,
Just moving your site from a shared hosting environment helps with security. Not everyone takes security seriously and some sites are vulnerable to hacking. Being hosted alongside a site that gets hacked increases your odds of getting hacked too greately.
I don’t know why I’m not using LastPass. It’s officially on my to-do list for this week.
I first heard about the brute force attack from the emails that I get from Wordfence. They do a really nice job of keeping us up-to-date on security news and potential risks. It may be too much info for some people but I appreciate being made aware of plugins that can potentially harm us. Even if I don’t have those plugins installed on any sites that I manage, often, the news is worthy of sharing.
Thanks for dropping by. I sent you an email this morning. I will definitely have my post to you in time to be your April guest blogger. 🙂 I’m looking forward to it!
You have a good week too!
Sherryl Perry recently posted..How to Secure Your WordPress Site and Add Functionality #FridayFinds
Hi Sherryl,
Thanks again for including me in one of your articles. WordPress security is something I am very interested in and take very seriously. I am glad you found the password method useful. I came across that from LifeHacker and it’s certainly an easy way to have different passwords across all your sites. However if you want to make it even easier and insanely more secure I’d recommend using a password manager like LastPass. I honestly don’t know what I’d do without LastPass- it allows you to have very different complicated passwords across all your sites. All you need to remember is your password for LastPass and it does the rest. The majority of my passwords are at least 16 characters long with a mixture of letters, numbers and special characters. To make it even more secure you can add “2 factor authentication”. That sounds a little geeky but isn’t as bad as it sounds. As well as entering your Lastpass password you need to enter a code from your phone. That means if your LastPass password has been stolen a hacker still won’t be able to access your accounts.
I also install the Better WP Security plugin for WordPress across all our sites. It makes your WP site a lot more secure and I am really happy with it. The plugin was bought by iThemes and the new version is coming out next week (it’s being renamed iThemes Security) so it will be interesting to see what is new.
Thanks again!
Ian Anderson Gray recently posted..Boost your Mailing List with Twitter’s Lead Generation Cards
You’re welcome Ian. I started out writing about the brute force attack and I was Googling for some topic related posts when I came upon your article.
LifeHacker is such a great resource. I share their posts a lot when I see them on Facebook and Google+ but when you mentioned them, I realized that I wasn’t following them on Twitter. I am now. So, thanks for reminding me of them.
You’re the second person in this thread who has mentioned LastPass. I’m certainly familiar with them but up until now, I’ve felt that the number of passwords that I have are still manageable. Although, after reading both your and David’s endorsements, it occurred to me that LastPass would be a good addition to my business continuity plan. Also, I’m all for the second authentication in the cass of security.
As for Better WP Security, I used it on this site for quite a while until I ran into a conflict with it. I’m certain that the issue lies somewhere within my site and is not an issue with the plugin itself because I run into more than my share of plugin conflicts.
For example, I was encountering a really weird issue with CommentLuv. Andy Bailey replicated my database on his test server to help me troubleshoot it. (I’m a big fan of Andy and CommentLuv.) You guessed it. Andy could not duplicate the issue. His conclusion (and I suspect there’s a strong possibility that he’s right) was there may be something about my server that is causing the problem. So, after I move my site to another host, I may try BWPS again especially now that iThemes has bought it. I’ll keep an eye out for it.
As always, thanks for dropping by and joining the conversation. I’m sure you’ll see more of your posts featured here in #FridayFinds in the future.
Sherryl Perry recently posted..Does Your Content Marketing Strategy Stand a Chance? – #FridayFinds
Good and important article, Sherryl!
As you know, I have been using WordFence for a long time and am really content with it. My Swedish site that’s on a UK server was targeted heavily in the recent brute force attack. But WordFence stopped the hackers. What I did is manually block the IPs that were trying to get in. They were from all over the world.
Tested my URLs on Securi and they have presumabley not been used for DDOS attacks. But to be on the safe site, I just installed Remove XMLRPC Pingback Ping on both my sites so, hopefully, they are now even more protected.
Catarina recently posted..Has the world failed Syria?
Catarina,
I believe that you’re the person who introduced me to Wordfence. At the time, I was using Better WP Security and I ran into a plugin conflict with it. So far, I haven’t had any issues with Wordfence at all. I subscribe to their newsletter and I’ve found that they’re a wonderful resource for security news.
It’s good to hear that your sites tested fine. I’ve installed that plugin on all of the sites that I manage too. It’s so much easier to be proactive rather than reactive especially when it comes to keeping our sites secure.
As always, thanks for sharing your insight with us.
Hi Sherryl
First thing I did was pick a blog-specializing host that is proactive about security. The site includes several ways to lock it down if desired and has protection at the front end, prior to my blog. (easyPress.ca)
On Passwords, I used to carry a Palm computer around, mainly to keep track of all the passwords I used. Several hundred. These days I use LastPass, which can be accessed via smart phone or any browser. Then you just have one main password to remember. It includes a complex password generator and saves them for you. No formulas needed, although I have a trick I use for the few passwords I do have to remember, like for my laptop.
I have noticed a lot of trackback spam lately. In fact its the only spam I get as forms have captcha. I notice a lot of it has nonsense domains so I assume its for testing and checking. But we discussed this on a bloggers forum recently and I disagree with killing off trackbacks. Just moderate. This is the web after all and cross-linking related articles is useful. I make heavy use of internal trackbacks too, such as explaining terms and so forth.
And yes, I use code snippets. HTML and CSS. I didn’t find a plugin I liked for Follow, so I used your example (in the article) and found some great buttons. I also tweaked the CSS for links, fixed a display bug in 2 plugins, a bug in the theme, and tweaked the form sizes in Contact Form 7. It’s a great way to tweak theme and plugin settings that don’t have a form control. You just have to research a little to find the CSS label used.
I fully agree on Notepad++ too (with spell-check). I’ve run into several people who have written articles in Word, then pasted them in, dumping a bunch of extra code into their posts that is inappropriate and can cause security issues. It can also bog down some sites.
On the issue of revisions, I write my articles in Notepad++, leaving the links between paragraphs. When it’s ready to go, I then paste it into WP, add the links and it’s ready to go. Only occasionally do I have a bunch of revisions to worry about.
Another tweak I’ve seen is changing the name of your “admin” user account. Leaving it at admin just makes it easier to hack your site. Only the password has to be guessed. Same as a router. Don’t leave your new accounts on default.
David,
You’ve raised a great point about hosting your website with a company that specializes in websites built with CMS (Content Management System) software such as WordPress. It does make a difference. As does, choosing a shared hosting plan versus dedicated or VPS (Virtual Private Server). Some people don’t realize that no matter how much we try to secure our sites that if we’re using shared hosting, we could be at risk simply because our “neighbors” have not been diligent.
Just this week, I emailed a past client that I had been notified by their WordPress security plugin of 25 unsuccessful login attempts within a short period of time. (I no longer maintain his site for him and obviously he doesn’t either.) I logged in to take a quick peek and change my password. I noticed that his WordPress installation is still 3.5 and he has several plugins that need updating.
I emailed him to alert him to the situation and to recommend that he replace his security plugin with Wordfence. In his reply, he thanked me and told me that he would look into it over the weekend but his comment “I’m not sure what motivation someone would have for ‘hacking’ my site, but I appreciate your warning” makes me think that he does not appreciate the severity of the situation.
I don’t have several hundred passwords. So, I have not used a service like LastPass (yet). Honestly, I know I’m being paranoid but I can’t get the thought out of my mind that there has to be a remote possibility that they too could be hacked. 🙂
I agree with you about turning off trackbacks. That should be a last ditch effort. I did turn them off temporarily when I was dealing with a massive amount of spam but I’ve since got that situation under control. I can’t help but wonder though who linked to my blog during that time that I was never aware of.
Sounds like you’ve done quite a bit of tweaking to your site. I have to confess that I am not one to play with CSS much. I simply have never taken the time to learn it. Thankfully, a lot of designers share tidbits of code and I usually can find what I’ve needed online.
I write my articles in Word and paste them using the “Word” button in my WP editor but I do make a lot of edits in WP. So, I have to add that snippet to my site.
Thanks for mentioning the “admin” user account. That is a huge “no-no” but I still see people doing it. Thanks too for contributing such a great comment! Readers have told me before that they benefit from the discussions that they read here and it’s people like you (and many others here) who I have to thank for that. Have a great weekend.
Sherryl Perry recently posted..How to Secure Your WordPress Site and Add Functionality #FridayFinds
Hi Sherryl
I recall back in the day getting a large traffic bill from my web host. It was way disproportionate so I brought it up with them. They insisted it was valid. But when they took a closer look, they discovered someone had broken into the web server, created a hidden folder under our site, and posted a French horror movie there which was evidently being shared. So yeah, good hosting makes a difference. And your own site security doesn’t help if the host isn’t secured.
On LastPass, yes, they could be hacked but the passwords are encrypted locally and stored online that way so hacking their servers wouldn’t give any access. The only place they could gain access is locally when the vault is open, but thats true of any storage system. If you keep your computer clear, it should be fine. I used to use a locally encrypted folder until the software hiccuped and I almost lost it all. This way, I have a secure backup. (a file-type backup system of encrypted folders may not restore properly – only use Imaging for that)
I welcome the move to online identity systems that will do away with this nonsense but that isn’t going to successfully come from one of the players who want to track your activity, like those invitations to sign in with your Google or Facebook login. (not)
I don’t use Wordfence as its seems a little over the top but appreciate the review if it becomes needed. I do have a few bits like Limit Login. And the aforementioned good host.
And yeah, many clients are much more concerned with problems they recognize, not “vague” things like site security. But imagine if your site is flagged for spamming. I recall a friends site got a virus (lame password). She lost search engine ranking, got labeled a hazardous site by many AV and site inspector tools, and lost the confidence of many of her former readers. It took a long time to build it back again.
Well – when I started my first web site in the 90’s, it was all hand-coded. I later learned CSS. Don’t do much of that anymore but did ensure the theme I chose allowed for tweaking the CSS to get the look I wanted. I played a little with Ajax but have no real coding skills. (markup isn’t really code) One of the reasons I love WordPress is because it’s modular so you can customize with pre-coded modules like plugins.
Hi David,
That’s an interesting story about your experience with your web host’s server being hacked. That can be such a horror story and it can really affect a business by putting their site out of commission for a while.
Yes. I should definitely consider LastPass. I find the amount of passwords that I manage to be reasonable but it could be a nightmare for someone else should I ever need someone to cover for me.
Funny you should mention logging in with Google or Facebook. I recently read an article about shopping cart abandonment and it built a case for eCommerce businesses to offer logging in with Facebook. One of the benefits that they mentioned was having quick access to what your customers liked and being able to target them with their data.
I don’t find Wordfence over the top but I did find WP Better Security to have more bells and whistles than I needed. I used to use a couple of plugins including Limit Login but I felt that my site outgrew it. I really appreciate the fact that Wordfence notifies us of potential risks such as vulnerabilities in plugins.
I used to code for mainframes but I don’t miss it. I didn’t code my first website until about 2003. Coding is just not something that I enjoy. Some people do though and that’s great.
As always, thanks for dropping by and joining the conversation.
You’re welcome, Sherryl. Thanks for the thoughts on WordFence. I’ve followed their Twitter feed now.
Interesting – I recently chose iThemes Exchange for ecommerce – they’re new but very active in development. But key is they have the option to use Stripe rather than Paypal. Paypal takes users off your site so you don’t know what happens if theres a problem. Stripe keeps them on site.
That should address the question you raise and personally the last thing I want to share with facebook is all sales activity on my site. They love collecting that stuff because they can sell it to 3rd parties and it can give them insight on users shopping habits. Way too much of that, I’m afraid.
David FB recently posted..Seer, Sage, or Shanti
Thanks for the tip on iThemes Exchange for eCommerce David. I’ll keep them in mind for the future. I’m not a big fan of Paypal but then again, I remember the days before eBay owned them.
Are you familiar with the “Collusion for Chrome” extension? I just read about it this morning and I plan on installing it. It shows you just how many companies are accessing your data secretly while you’re online and it provides ways to block them. This morning has been particularly hectic. So, I checked it out but haven’t found the time to install it yet! 🙂
Sherryl Perry recently posted..Google Manual Web Spam Actions and Penalties #FridayFinds
Heck – I remember the day I got the 500 page spec for custom building an ecommerce solution that would connect with Verisign. Before someone built shopping carts that could be integrated.
I used Collusion for Firefox but just as a display. The trouble with some of the blocking tools is they break site functionality. Using Priv3 currently to block social beacons but it still allows you to use them when you want (to Tweet an article, for example) It’s indicating 30 on this page, mainly Google.
Hi Dave,
A 500 page spec? Yikes! I hope you were part of a team.
I still haven’t installed Collusion. Maybe, I don’t want to know. 🙂
Oh my, i am a bit embarrassed to say that i have never even thought about security plugin – not sure why, but i always assumed whatever the “common sense” changes i have done are enough.
Like, for instance, i have a somewhat complex password and my login is NOT admin – as i know brute force attacks usually aim at the admin login, like Leora suggested in her comment… I think i also have a plugin to limit the login attempts but that’s about it. For a small blog like mine – i thought these measures would be enough. Was i wrong? 🙁
I will check out most (if not all) posts you have referred to – especially the one about pingback DDoS botnet attack – that does sound scary.
Thanks for a great Friday finds post, Sherryl 🙂
Diana recently posted..Improve Your Website – First Order of Business
Diana,
For those of us who use “share”d hosting accounts for our websites, it’s very important to have at least one security plugin in place. Kim uses two plugins but she also makes it clear that she has them configured so that they are performing different functions.
The problem with shared hosting is that you may have all sorts of safeguards in place for your site but if you’re unlucky enough to be sharing server space with someone who has a vulnerable site, that increases your risk of being hacked too.
I included quite a bit of reading this week. I think Kim’s article on the DDOS botnet attack is a good choice to start with.
Thanks so much for dropping by and taking the time to share your thoughts with us. I’ll be by to visit your blog again soon. Have a great weekend!
Sherryl Perry recently posted..3 Things You May Not Know About Google and SEO – #FridayFinds
Sherry — my webmaster told me about the recent brute force attacks. I already have the Wordfence Security plugin installed. I wouldn’t consider touching code because that is not my strength. I leave that to the experts. I don’t quite know what “Reduce the number of post revisions that are saved in your SQL database” means but I do tend to make a lot of revisions once I have inserted a post in the dashboard so I will check that out. Thanks for another thoughtful and helpful post.
Jeannette Paladino recently posted..Does Content Marketing Get Results for B2B Companies?
Hi Jeannette,
It’s best to not touch code unless you understand it and you have to be really cautious if you’re working in a live environment. Coding isn’t my strongest suit. I can certainly code if I have to. (My first entry into the IT world was learning to program on those long paper punch cards. LOL)
Reducing the number of revisions reduced the size of your database. Blogs as old as ours get bloated after a while. So, (while I haven’t added any of Kevin’s snippets yet), I’ll be adding that one and the one that directs readers to the post when there’s only one result to the search.
Thanks so much for taking the time to share your thoughts with us. I appreciate it as always and I hope you have a wonderful weekend!
Sherryl — My webmaster described the revisions issue and he had already deleted old revisions because I felt my site was a bit slow in loading. My Coke post includes three videos which also reduces speed because the videos have to load. I didn’t know that so will keep that in mind when I’m writing posts that include videos.
Jeannette Paladino recently posted..Does Content Marketing Get Results for B2B Companies?
Thanks for letting us know Jeannette. Do you host your videos on the same server as your website or upload them to a site like YouTube?
I use the embed code from YouTube so guess that means I host them on my server. Otherwise I’m assuming you mean I would link to the YouTube video but then my readers wouldn’t be drawn in by seeing the video on my site.
Jeannette Paladino recently posted..Does Content Marketing Get Results for B2B Companies?
Hi Jeanette
Actually, the question is where is the video file and from whence does it play. What embedding does is place a player into your web page from another source. A Youtube (or Vimeo, etc) video is Youtube hosted. The big advantage is their servers are configured for media-serving rather than web page serving. If the video was hosted by your blog, it would probably be much less smooth playing and would use both your bandwidth and storage space up.
Youtube is huge from a number of angles. In the early days of video streaming, if you wanted to have more than an animated gif (image) on your site, you had to pay for separate and expensive media server space and bandwidth. The quality of MP4 compression rather sucked too. It took services like Youtube, Paypal, and WordPress to make such services available to most everyone. And now Youtube will serve HD. Huge progress.
I always learn so much from you, Sherryl!
Jeannette Paladino recently posted..Does Content Marketing Get Results for B2B Companies?
David, Thanks for replying to Jeannette. It was a very informative answer and I greatly appreciate it when there are true conversations going on here!
“Reduce the number of post revisions that are saved in your SQL database.” – this is so important for reducing the size of your database. I think the default should be 3 revisions, and you should have to change it to have more. But who is listening to me.
You have so much in this post! A programmer friend said the best passwords are really, really long. I came up with a method for password-protecting my passwords (and it’s not an online method).
At Kim’s suggestion, I did install Remove XMLRPC Pingback Ping on two of my sites yesterday. I started using WordFence. I stopped using Better WP Security a few months ago when I changed some settings (I thought to make it more secure), and a few weeks later it crashed my site. One person said the ultimate way to do security (for the detail-oriented coders out there) is to implement all the security that these plugins implement but one by one with code. I thought about that but never even tried. Seems one of the key ways WordPress sites get attacked is by usernames with ‘admin’ – so that’s always one to change.
Have a great weekend.
Leora recently posted..Making Contact: Contact Form Plugins for WordPress
Hi Leora,
I did get a little carried away writing this post but I just kept finding great articles! Besides, I just read a post this week about the ideal length of different content and it said the ideal post was over 1000 words! I don’t normally write that much but today, I did. 🙂
I agree with you about the post revisions. I intend to add that snippet and the one that directs readers to the post when there’s only one result to the search.
I have some fairly complex passwords myself but it wasn’t until I read Ian’s suggestion that I developed an easy formula to standardize them across all of the sites that I manage. (I put this formula to test last night when I was away from my office and easily figured out the combination that I needed to access a client site.)
I installed the Remove XMLRPC Pingback Ping after reading Kim’s post too. I also had issues with the WP Better Security plugin crashing my site. (I swear I blogged about that but I can’t seem to locate the post now.)
Thanks for the reminder about the WP admin user account. I wish there was some way for WP to prompt website owners to change that at the time of installation.
As always, thanks for taking the time to add your insight. I hope you have a great weekend.
I so get lost in all that needs to be done to secure my site, Sherryl. The best news is I use a great person much like yourself to help me decipher this stuff and decide what I need and don’t need. The one that I know of that is my favorite is Akismet for spam. The other plugins, I quite frankly don’t remember the names… is that bad? I do know we use snippets but how that all works, again, is a bit of a muddle for me. Thanks goodness for you and trusted people like you. :-)))
Susan Cooper recently posted..Maine Coon Cat, Samuel: Story (Podcast)
Susan,
I’m happy for you that you’ve found the right person to manage your website(s).That leaves you more time to write and work on your wonderful illustrations!
A lot of people speak highly of Akismet. That plugin was not a favorite when I started blogging but they’ve definitely improved it.
You don’t need to understand which plugins you have installed on your site because you have someone managing it for you. One of the things that I admire in you is that even though you don’t necessarily “need” to read blog posts like this, you still do. It must be that quest for knowledge that you have. 🙂 That’s great. I’m honored that my blog is one that you come to.
Sherryl Perry recently posted..3 Steps to Protect Your WordPress Blog from Hackers