Have you heard about the ongoing Brute Force Attack that’s being perpetrated against WordPress blogs worldwide? The attack started earlier this month and a botnet with 90,000+ IP addresses is hammering blogs, looking for a way in so that the sites can be hijacked.
Your webhosting company can only do so much and it’s up to individual webmasters to secure their blogs against attack. It always pays to take responsibility for your own sites – that means doing (and downloading) your own backups, keeping your blog installs and plugins up to date and securing your blogs from attack as best you can.
Securing a WordPress blog is not the easiest thing to do and many plugins are available to aid in this task. Some are free but don’t work well in a shared hosting environment due to the amount of server resources they use. Some only offer advanced security features if you upgrade to the Pro version of the plugin.
A common plugin is one like Login Lockdown that locks out IP addresses that make too many attempts to log into your blog in a short time frame. The problem with this type of plugin is that it’s pretty much useless against the current ongoing botnet attack. With over 90,000 IP addresses to play with, the botnet will simply rotate to a new IP address after failing to log in when it probes a site’s login page. Plugins like Login Lockdown won’t see this kind of probe as an attack on the site so won’t block the IP address.
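To see why per-IP lockouts miss this, here is an added example (my own illustration, not code from Login Lockdown or SecureScanPro) that runs the same failed-login events through two counters: one keyed by IP, the way a lockout plugin works, and one keyed by the username being attacked. The events are constructed sample data shaped like the botnet described above, with each IP trying once and moving on; the function name `keysOverThreshold` is mine.

```php
<?php
// Added example: constructed failed-login events, not real log data. Every
// source IP fails once against "admin" and is never seen again, which is the
// rotation pattern the botnet uses.
$events = [
    ['ts' => 0,   'ip' => '198.51.100.10', 'user' => 'admin'],
    ['ts' => 20,  'ip' => '198.51.100.11', 'user' => 'admin'],
    ['ts' => 45,  'ip' => '203.0.113.5',   'user' => 'admin'],
    ['ts' => 70,  'ip' => '203.0.113.6',   'user' => 'admin'],
    ['ts' => 90,  'ip' => '192.0.2.77',    'user' => 'admin'],
    ['ts' => 110, 'ip' => '192.0.2.78',    'user' => 'admin'],
    ['ts' => 130, 'ip' => '198.51.100.10', 'user' => 'editor'],
    ['ts' => 900, 'ip' => '192.0.2.78',    'user' => 'admin'], // well outside the window
];

/**
 * Count failures per key ('ip' or 'user') inside a sliding time window and
 * return every key that reached the threshold at some point.
 */
function keysOverThreshold(array $events, string $key, int $windowSeconds, int $threshold): array
{
    usort($events, fn($a, $b) => $a['ts'] <=> $b['ts']);
    $recent  = [];   // key => timestamps still inside the window
    $flagged = [];
    foreach ($events as $e) {
        $k = $e[$key];
        $recent[$k][] = $e['ts'];
        // Forget attempts older than the window, measured from this event.
        $recent[$k] = array_values(array_filter(
            $recent[$k],
            fn($t) => $e['ts'] - $t <= $windowSeconds
        ));
        if (count($recent[$k]) >= $threshold) {
            $flagged[$k] = true;
        }
    }
    return array_keys($flagged);
}

// Classic lockout rule: 5 failures from one IP within 5 minutes. Nothing trips,
// because no single IP ever fails more than twice.
$lockedIps = keysOverThreshold($events, 'ip', 300, 5);

// Same rule applied per account instead: "admin" is flagged on the 5th attempt,
// which is the signal a per-IP plugin never sees.
$attackedUsers = keysOverThreshold($events, 'user', 300, 5);

printf("Per-IP lockout would block: %s\n", $lockedIps ? implode(', ', $lockedIps) : '(nothing)');
printf("Accounts under distributed attack: %s\n", implode(', ', $attackedUsers));
```

Run it with `php` on the command line (PHP 7.4 or newer for the arrow functions). The per-IP counter reports nothing while the per-account counter reports `admin`, which is the practical argument for protections that do not depend on the attacker's address: a generic failure message, a challenge on the form, or a temporary block on the account itself rather than on the IP.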
SecureScanPro is a new security plugin for WordPress that identifies 14 standard vulnerabilities in WordPress installs and provides simple “Fix It” buttons that will plug each vulnerability. It takes a minute or two to run through the 14 checks and fix them, after which your site is much more secure. There’s a more comprehensive review of it here.
The plugin uses a traffic light system (Red = Bad, Green = Good) to show the state of the various items in your WordPress install.
There’s also a set of Advanced options which require a little more technical knowledge to implement (such as editing the php.ini file or WordPress theme files). But getting as many of these into Green status as possible will harden your blog’s security even more.
The SecureScanPro plugin also has a Core file scanner which will check your WordPress install against the official files on the WordPress Repository and notify you of any files that have been compromised. The scanner can be scheduled to run whenever you like.
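The idea behind a core file scanner is simple: compare every file in the install against a manifest of known-good hashes. The added example below is my own illustration of that check, not SecureScanPro’s scanner. A real scanner would pull the manifest from the WordPress.org checksums API (https://api.wordpress.org/core/checksums/1.0/?version=...&locale=..., which maps each core file path to its MD5); here the “install” and the manifest are both constructed in a temp directory so it runs offline, and the function name `verifyCoreFiles` is mine.

```php
<?php
// Added example, not SecureScanPro code. The manifest below is constructed
// from files written moments earlier; in practice it comes from the official
// WordPress.org checksums API for the installed version and locale.

/**
 * Compare the files under $root with a path => md5 manifest.
 * Returns modified, missing and unexpected files separately, because a
 * dropped-in backdoor is not a "modified" core file, it is a new one.
 */
function verifyCoreFiles(string $root, array $manifest): array
{
    $result = ['modified' => [], 'missing' => [], 'unexpected' => []];
    foreach ($manifest as $relPath => $expectedMd5) {
        $full = $root . '/' . $relPath;
        if (!is_file($full)) {
            $result['missing'][] = $relPath;
        } elseif (md5_file($full) !== $expectedMd5) {
            $result['modified'][] = $relPath;
        }
    }
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        $rel = str_replace('\\', '/', substr($file->getPathname(), strlen($root) + 1));
        if (!isset($manifest[$rel])) {
            $result['unexpected'][] = $rel;
        }
    }
    sort($result['unexpected']);
    return $result;
}

// --- Constructed fixture: a three-file "core" and its manifest ---
$root = sys_get_temp_dir() . '/wp-core-check-' . bin2hex(random_bytes(4));
mkdir($root . '/wp-includes', 0700, true);
$files = [
    'wp-load.php'               => "<?php\n// pristine\n",
    'wp-includes/version.php'   => "<?php\n\$wp_version = '0.0-example';\n",
    'wp-includes/functions.php' => "<?php\n// pristine\n",
];
$manifest = [];
foreach ($files as $rel => $content) {
    file_put_contents($root . '/' . $rel, $content);
    $manifest[$rel] = md5($content);   // stand-in for the official manifest entry
}

// Simulate what a compromise leaves behind: one core file altered, one file
// that was never part of core, and one core file deleted.
file_put_contents($root . '/wp-includes/functions.php', "<?php\n// altered\n");
file_put_contents($root . '/wp-includes/extra.php', "<?php\n// not part of core\n");
unlink($root . '/wp-load.php');

print_r(verifyCoreFiles($root, $manifest));

// Clean up the temp fixture.
$walker = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST
);
foreach ($walker as $f) {
    $f->isDir() ? rmdir($f->getPathname()) : unlink($f->getPathname());
}
rmdir($root);
```

The report lists `wp-includes/functions.php` as modified, `wp-load.php` as missing and `wp-includes/extra.php` as unexpected. The “unexpected” bucket is the one most scanners that only hash known files skip, and it is the one that catches files added rather than changed; wp-content (themes, plugins, uploads) is deliberately outside the manifest and needs its own baseline.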
WordPress has a silly flaw – in the event of a failed login, the login screen will tell you if it’s the username or password that’s wrong. Hackers use this information to identify if they need to concentrate their efforts on cracking just the username or the password for the blog.
SecureScanPro’s Login Protector removes the login screen notification so there’s no message about which bit of login information is wrong. It also adds a captcha to the login screen with a bit of simple math, the result of which you need to type into the captcha box (e.g. what’s 9+4?). Automated attacks don’t expect to see captchas on a WordPress login screen, so that’s a great security benefit for your site. Advanced bots might be able to read captchas, but since the one provided by SecureScanPro is a bit of simple math rather than just a sequence of numbers and characters, simply putting the math expression into the captcha box won’t work. The math has to be solved (by a human) and that result entered into the box. It might be a bit more work for you as the webmaster logging into the site, but it certainly adds a whole new level of security to your blog.
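For anyone curious what the two protections look like under the hood, here is an added example of a small plugin that does the same two things using standard WordPress hooks. It is my own illustration, not SecureScanPro’s code: the `login_errors` filter, the `login_form` action, the `authenticate` filter and the transients API are all real WordPress APIs; the `ex_` function and field names are mine. It assumes the file is dropped into `wp-content/mu-plugins/` on a normal install.

```php
<?php
/**
 * Plugin Name: Example Login Hardening
 * Added example, not SecureScanPro's code. Uses only standard WordPress hooks
 * and the transients API; the ex_ prefixed names are invented for this file.
 */

// 1. Replace WordPress's specific failure messages ("invalid username" vs
//    "incorrect password") with one generic message, so a failed login no
//    longer tells anyone which half of the credentials was right.
add_filter('login_errors', function ($errors) {
    return __('Login failed. Please check your details and try again.');
});

// 2. Add a simple arithmetic challenge to the login form. The expected answer
//    is kept server-side in a short-lived transient keyed by a random token;
//    only the question and the token reach the browser.
add_action('login_form', function () {
    $a     = random_int(1, 9);
    $b     = random_int(1, 9);
    $token = wp_generate_password(20, false);
    set_transient('ex_captcha_' . $token, $a + $b, 5 * MINUTE_IN_SECONDS);
    printf(
        '<p><label for="ex_captcha">%s</label>'
        . '<input type="text" name="ex_captcha" id="ex_captcha" class="input" size="20" autocomplete="off" /></p>'
        . '<input type="hidden" name="ex_captcha_token" value="%s" />',
        esc_html(sprintf(__('What is %d + %d?'), $a, $b)),
        esc_attr($token)
    );
});

// 3. Verify the answer before WordPress accepts the credentials. Priority 30
//    runs after core's username/password check (priority 20). A missing or
//    wrong answer becomes a WP_Error regardless of the credentials, so a
//    submission that simply omits the field fails as well.
add_filter('authenticate', function ($user, $username, $password) {
    if ($username === '' && $password === '') {
        return $user; // plain GET of the login page, nothing to verify yet
    }
    $token    = isset($_POST['ex_captcha_token']) ? sanitize_text_field(wp_unslash($_POST['ex_captcha_token'])) : '';
    $answer   = isset($_POST['ex_captcha']) ? trim((string) wp_unslash($_POST['ex_captcha'])) : '';
    $expected = $token !== '' ? get_transient('ex_captcha_' . $token) : false;
    if ($token !== '') {
        delete_transient('ex_captcha_' . $token); // single use, right or wrong
    }
    if ($expected === false || $answer === '' || (int) $answer !== (int) $expected) {
        return new WP_Error('ex_captcha_failed', __('The answer to the math question was incorrect.'));
    }
    return $user;
}, 30, 3);
```

Two design notes. Keeping the answer in a transient rather than in a hidden field means the page never contains anything a script could echo back, which is the property the post is describing. And because the `authenticate` filter also runs for XML-RPC and REST logins, this version blocks those paths too; if you rely on them (the mobile app, Jetpack), scope the check to `wp-login.php` requests or give those paths a separate control.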
And preventing a hacker from getting access to your blog is a whole lot more desirable than fixing a blog that’s already been hacked. If Google detects a hack (like malware being on your site) before you do, your site will be penalized in their search engine. And clawing your way back up through the rankings after you fix your blog is quite a bit of extra work.
By the way, I’ve added this plugin to all my blogs and as I bought the Developer License, SecureScanPro will be included on all the blogs I can build for clients with my “Done For You” Sites service.
Filed under: WordPress Plugins