I’m a big fan of plugins that provide internal WordPress protection from hackers. I call these ‘hack hardening’ plugins because their principal role is to make it more difficult for hackers to get into your website.
Unfortunately, it’s unlikely these plugins will stop every single hacker, so I don’t consider them to be hack-proofing, but they do a good job of improving your site’s hacker resistance, hence the label ‘hack hardening’.
Web Server Hardening
It’s usual to have some form of hacker protection on your web server, such as ConfigServer or similar. These are very technical to set up, and even interpreting the results can be difficult. If they aren’t bundled with your hosting package you will also be up for a further licence fee that increases your web hosting costs significantly.
You’ll probably have to ask your web host whether ConfigServer or similar is installed, then ask them to reconfigure it to email the logs to you. Good luck with interpreting the reports!
On the positive side, these systems also monitor attacks across all subsystems running on the web server.
Popular points of attack inside a web server include:
- Apache (where your website lives)
- SMTP server (used for web server emails)
- FTP (used to transfer large files)
- Unix console (for managing Unix; Apache usually runs on Unix)
As ConfigServer can scan your entire hosting space, sneaky attacks that put files outside of the immediate public access areas are reported 😉
More to come
Watch for further updates in this post on:
- DDOS protection
- Using Plugins and Themes from Untrustworthy Sources
- Using Poor-Quality or Shared Hosting
In-Site Hack Hardening
There are a couple of excellent in-site hack-hardening products for WordPress, and frankly, if you aren’t using one in your website, then it’s a hack incident just waiting to happen.
WordFence produces what I’d suggest is the best in-site hack hardening plugin going round. They call it an ‘endpoint firewall and malware scanner’.
WordFence has a wealth of protection capabilities that can be tweaked to suit the end-user’s requirements. I think the great thing about the product is you install it and, with minimal configuration, it’s operational. The free version is highly functional; the licensed version takes it to the next level.
iThemes Security Pro
iThemes produce a range of quality plugins, most notably iThemes Security Pro. This security plugin provides an additional layer of security and protection for WordPress sites, and includes an extensive bundle of WordPress-specific protection capabilities.
Types of Hack Attempts
I feel one of the lesser known aspects of hacker activities is the diverse range of hack attack types. The industry has classified hack attack types into categories, but frankly these are quite technical, so I’ll attempt to translate some into ‘people speak’ here:
Brute Force attacks involve repeatedly trying to log in to your website by cycling through hundreds if not thousands of potential userids and passwords. This is undertaken by ‘bots’ (software robots) which grind away mindlessly, pounding your website’s login page hour after hour, day after day. Each time a login fails, the bot changes the userid or the password and tries again.
More sophisticated bots can retrieve login ids from within your site, if you let them (this can be blocked by these plugins). Some may even try passwords that have been sourced from the dark web.
The WordPress security plugins count repeated failed logins from the same IP and, once a threshold is reached, block that IP from accessing the site. This prevents the bot from continuing to consume your website’s resources and also reduces the chance of it successfully ‘guessing’ your userid and password.
Smarter brute force bots can swap to another IP address if they are blocked (using a technique the author refers to as ‘IP Spoofing’) to continue to try to penetrate your site’s login. The security plugin needs to block the whole series of IP addresses that have been attempting a brute force login.
Sites we monitor have between 500 and over 100,000 brute force attempts per month.
As brute force login attempts are not reported in WordPress, these hack attempts may be silently going on without you being aware.
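To make the threshold-and-block behaviour concrete, here is an added illustration of per-IP failed-login throttling. It is not code from WordFence, iThemes or WordPress; the log lines are constructed for the example, and the threshold, counting window and lockout duration are assumed values rather than any plugin’s defaults.

```python
"""Per-IP failed-login throttling of the kind the post describes.

Added example, not plugin code. Each login attempt is fed in with its
timestamp, source IP and outcome; once an IP accumulates MAX_FAILURES
failures inside FAILURE_WINDOW it is locked out for LOCKOUT, and further
attempts from it are dropped before any password check happens.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source IP, username tried, outcome.
# One address hammers the login page; another is a legitimate user who
# mistypes once. (RFC 5737 documentation addresses, not real hosts.)
SAMPLE_LOG = """\
2024-01-05T10:00:01 203.0.113.7 admin FAIL
2024-01-05T10:00:02 203.0.113.7 admin FAIL
2024-01-05T10:00:03 203.0.113.7 administrator FAIL
2024-01-05T10:00:04 203.0.113.7 wpadmin FAIL
2024-01-05T10:00:05 203.0.113.7 editor FAIL
2024-01-05T10:00:06 203.0.113.7 admin FAIL
2024-01-05T10:00:20 198.51.100.4 alice FAIL
2024-01-05T10:00:25 198.51.100.4 alice OK
2024-01-05T10:30:00 203.0.113.7 admin FAIL
"""

MAX_FAILURES = 5                        # assumed threshold
FAILURE_WINDOW = timedelta(minutes=10)  # assumed counting window
LOCKOUT = timedelta(minutes=20)         # assumed lockout duration


class LoginThrottle:
    def __init__(self, max_failures=MAX_FAILURES, window=FAILURE_WINDOW, lockout=LOCKOUT):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(list)  # ip -> timestamps of recent failures
        self.blocked_until = {}            # ip -> datetime the block expires

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        return until is not None and now < until

    def _prune(self, ip, now):
        # Forget failures older than the counting window.
        cutoff = now - self.window
        self.failures[ip] = [t for t in self.failures[ip] if t > cutoff]

    def record(self, now, ip, outcome):
        """Return the decision for one attempt: DROPPED, ALLOWED, FAILED or BLOCKED."""
        if self.is_blocked(ip, now):
            return "DROPPED"          # refused before the credentials are even checked
        if outcome == "OK":
            self.failures[ip].clear()  # a successful login resets the counter
            return "ALLOWED"
        self._prune(ip, now)
        self.failures[ip].append(now)
        if len(self.failures[ip]) >= self.max_failures:
            self.blocked_until[ip] = now + self.lockout
            self.failures[ip].clear()
            return "BLOCKED"          # threshold reached on this attempt
        return "FAILED"


def replay(log_text, throttle=None):
    """Feed a log through the throttle; return [(ip, user, decision), ...]."""
    throttle = throttle or LoginThrottle()
    decisions = []
    for line in log_text.splitlines():
        ts, ip, user, outcome = line.split()
        decisions.append((ip, user, throttle.record(datetime.fromisoformat(ts), ip, outcome)))
    return decisions


def currently_blocked(throttle, now):
    """IPs still locked out at a given moment, for a status report."""
    return sorted(ip for ip in throttle.blocked_until if throttle.is_blocked(ip, now))


if __name__ == "__main__":
    for ip, user, decision in replay(SAMPLE_LOG):
        print(f"{ip:14} {user:14} {decision}")
```

Replaying the sample shows the fifth failure from 203.0.113.7 triggering the block and the sixth being dropped, while the legitimate user’s single mistake is tolerated. A counter keyed only on the source IP is blind to a bot that rotates addresses, which is the limitation the post raises next; a second counter keyed on the target username (or on the site as a whole) is the usual complement.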
File Change Detection
This is a deceptively simple, but highly effective, approach to detecting whether your site has been hacked. The in-site protection software crawls through every file in the website, checking each against a list of known file details.
If there is something different about a file in your site compared to the original release files, then it’s a fair chance there’s something amiss.
I love WordFence’s hack-removal feature, where the changed file can be overwritten with the original at the click of the mouse. It can also compare the original file with the site’s potentially hacked file at a byte level, so it can be quickly reviewed for potentially being hacked. Nice work Wordfence!
This helps to dramatically speed the recovery from a hack.
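The baseline-and-compare idea behind file change detection, as an added example that is not WordFence’s code. It hashes every file under a directory to build a manifest (standing in for the ‘known file details’ a plugin ships for the WordPress release), reports files that were modified, added or removed, and then restores a changed file from a pristine copy. The site tree, its contents and the tampering are all constructed in a temporary directory; a real plugin would obtain the pristine copies from the WordPress release rather than keep them in memory.

```python
"""Baseline-and-compare file change detection, as the post describes.

Added illustration, not WordFence code. build_manifest() records a
SHA-256 per file; compare() reports modified, added and missing files;
demo() constructs a miniature site, tampers with it, and restores one
file from its original bytes.
"""
import hashlib
import tempfile
from pathlib import Path


def file_sha256(path):
    """Hash a file in chunks so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative, POSIX style) under root to its hash."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): file_sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline, current):
    """Classify differences between a release manifest and the live site."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def demo():
    """Construct a tiny site, tamper with it, detect the changes, restore one file."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        # Constructed stand-ins for release files (contents are placeholders).
        originals = {
            "index.php": b"<?php require __DIR__ . '/wp-blog-header.php';\n",
            "wp-includes/version.php": b"<?php $wp_version = '0.0-example';\n",
            "wp-content/plugins/foo/foo.php": b"<?php // example plugin\n",
        }
        for rel, data in originals.items():
            p = site / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        baseline = build_manifest(site)

        # Simulated tampering: one file altered, one unexpected file dropped
        # into uploads, one plugin file deleted.
        (site / "index.php").write_bytes(originals["index.php"] + b"<?php /* injected line */\n")
        (site / "wp-content/uploads").mkdir(parents=True)
        (site / "wp-content/uploads/unexpected.php").write_bytes(b"<?php // not in baseline\n")
        (site / "wp-content/plugins/foo/foo.php").unlink()

        report = compare(baseline, build_manifest(site))

        # The 'overwrite with the original' step: put the pristine bytes back
        # and confirm the hash once again matches the baseline.
        (site / "index.php").write_bytes(originals["index.php"])
        restored_ok = file_sha256(site / "index.php") == baseline["index.php"]
        return report, restored_ok


if __name__ == "__main__":
    report, ok = demo()
    for kind, files in report.items():
        print(f"{kind}: {files}")
    print("index.php restored:", ok)
```

Hashing rather than comparing timestamps or sizes matters: an edit that keeps the file length the same, or that resets the modification time, still changes the hash. The byte-level review the post mentions corresponds to diffing the pristine bytes against the live file once the manifest has flagged it.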