In case you missed My Story, I’m a computer hacker who has spent time in many jails and prisons, including federal prison. Now, I don’t know if this means I was a shitty hacker for always getting caught, but, you know, whatever.
A whole bunch of us are using WordPress to earn a living, and a select few of us are making A LOT of money with our WordPress installs. It would be a shame if something happened to one of those money-making WP installs out there.
I like WordPress, I like WordPress A LOT. And, I like it for multiple reasons.
When I was earning a living by breaking the law, WordPress was always an easy target, especially in its early days. Like, seriously, so easy. It was easy to take a small or medium sized eCommerce operation, hold it hostage, and demand a ransom.
It was easy to get into a WordPress site that had a lot of registered users, pull all of the verified email addresses, and use something like DarkMailer to properly spam them all. Hacking into someone’s WordPress site was easier than winning a prisonyard game of horseshoes.
These days I like WordPress because it’s easy to use and, even for a terrible designer like me, it’s very versatile and customizable.
Update Your WordPress Core, Themes, and Plugins
There’s a reason so many WordPress core updates are put out that rarely carry any new features: they are bug-fix and security releases. Since WordPress 3.7 these minor releases install themselves in the background, so leave automatic updates switched on and don’t let a host or a plugin turn them off. Does anyone remember the time Reuters got hacked because they hadn’t updated their WordPress core to the latest version?
It’s just as important to update your plugins and themes. Your WordPress core could be locked down tight, and one tiny bug in a plugin you never even use will still open the door to someone whose intent is malicious. Deactivating a plugin is not enough: its PHP files stay on the server and can often be requested directly, so delete what you don’t use.
Hackers write scripts that trawl the web for WordPress installs running particular versions of particular plugins. Fingerprinting is trivial: every plugin ships a readme.txt under /wp-content/plugins/<slug>/ whose “Stable tag” line usually gives the version away, so a scanner can chain weaknesses across plugins. One plugin may let the hackers add themselves as a user; another may let them escalate that freshly created account to administrator.
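The audit below is an added example, not code from the original post. It reads the same “Stable tag:” line from each plugin’s readme.txt that remote scanners fingerprint, then compares versions numerically against a minimum-patched list; the plugin slugs, readme texts and minimum versions are constructed sample data, not real advisories, and `read_plugin_readmes` is the only part that touches a real install.

```python
"""Audit installed WordPress plugins against a minimum patched-version list.

Added example, not code from the original post. The readme texts, slugs and
minimum versions are constructed placeholders, not real plugins or advisories.
"""
import re
from pathlib import Path
from typing import Dict, Optional, Tuple

STABLE_TAG_RE = re.compile(r"^\s*Stable tag:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_stable_tag(readme_text: str) -> Optional[str]:
    """Return the 'Stable tag' value, or None when the readme has no such line."""
    match = STABLE_TAG_RE.search(readme_text)
    return match.group(1) if match else None


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '2.10.1' into (2, 10, 1). Plain string comparison gets this wrong:
    '2.9.3' > '2.10.0' lexically, so a lexical check would call an old plugin current."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def audit(readmes: Dict[str, str], minimum_patched: Dict[str, str]) -> Dict[str, str]:
    """Map each plugin slug to 'ok', 'outdated', 'unknown' (no usable version)
    or 'unlisted' (not in the minimum list, so there is nothing to compare against)."""
    result = {}
    for slug, readme in readmes.items():
        tag = parse_stable_tag(readme)
        if tag is None or tag.lower() == "trunk":
            result[slug] = "unknown"  # 'trunk' means the readme says nothing useful
        elif slug not in minimum_patched:
            result[slug] = "unlisted"
        elif version_key(tag) < version_key(minimum_patched[slug]):
            result[slug] = "outdated"
        else:
            result[slug] = "ok"
    return result


def read_plugin_readmes(plugins_dir: Path) -> Dict[str, str]:
    """Collect readme.txt contents from a real wp-content/plugins directory."""
    return {p.parent.name: p.read_text(errors="replace") for p in plugins_dir.glob("*/readme.txt")}


# Constructed sample data: hypothetical plugins and versions, not real advisories.
SAMPLE_READMES = {
    "example-gallery": "=== Example Gallery ===\nContributors: someone\nStable tag: 2.9.3\nTested up to: 6.3\n",
    "example-forms": "=== Example Forms ===\nStable tag: 4.1.0\n",
    "example-seo": "=== Example SEO ===\nStable tag: trunk\n",
    "example-cache": "=== Example Cache ===\nStable tag: 1.0.0\n",
}
MINIMUM_PATCHED = {"example-gallery": "2.10.0", "example-forms": "4.0.2", "example-seo": "1.2.0"}

if __name__ == "__main__":
    for slug, status in audit(SAMPLE_READMES, MINIMUM_PATCHED).items():
        print(f"{slug:16} {status}")
```

Point it at a real install with `audit(read_plugin_readmes(Path("/path/to/wp-content/plugins")), your_minimum_list)`; the `version_key` comparison is the part people get wrong, since a string compare ranks 2.9.3 above 2.10.0.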
Protect WordPress Against Brute-Force Attacks
We always had scripts or pieces of software that would let us load up a list of passwords (called a dictionary file) and then try every single one of them against a certain username.
We might have one that cycled through usernames as well, although that usually took A LOT longer, so knowing the usernames made it a lot easier. Here’s how you can protect your WordPress install from brute-force attacks:
Don’t Use The Username: admin – Again, knowing the username made it A LOT easier. We would oftentimes move on to a new target if we weren’t sure of the target’s username or email address. Using a username other than ‘admin’ or ‘administrator’ makes you a less attractive target. One caveat: WordPress leaks usernames unless you stop it. Requesting /?author=1 redirects to that user’s author archive, whose URL contains the login slug, and /wp-json/wp/v2/users lists every user who has published a post. Pair the renamed account with something that blocks those lookups (a security plugin or a web-server rule), and publish from a separate, non-administrator account so the name on your posts isn’t the name on the admin login.
Limit Login Attempts – Because a brute-force attack has to try so many combinations, capping the number of login attempts from one address is a great way to thwart it. Sure, there are ways around it: attackers spread guesses across many IP addresses, and xmlrpc.php accepts system.multicall requests that pack hundreds of password guesses into a single HTTP request, which a limiter that only counts wp-login.php hits never sees. Pick a limiter that covers XML-RPC too, or block xmlrpc.php if nothing you use (Jetpack, the mobile apps) needs it. Either way, limiting attempts is likely to make hackers focus their efforts elsewhere. The Cerber Login Attempt Limiter plugin is great for this.
Hide Your wp-admin URL – If attackers don’t know where your admin login URL is, they’re, again, likely to turn their focus elsewhere. It’s easy to take a WordPress site, add /wp-admin/ to the end of the domain name, and now you’re at the front door. All you need is a key. Try making it so hackers can’t even find the door. WPS Hide Login is a great plugin for this. Remember that this is obscurity: it filters out scanners that blindly hit /wp-login.php, not a determined attacker who finds the new path in a leaked link or your page source, so treat it as a supplement to login limiting and two-factor authentication, never a replacement.
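If you want to see whether guessing is already happening, the detector below is an added example, not code from the post or from any plugin it names. It runs over constructed Apache-style access-log lines (addresses from the RFC 5737 documentation ranges; the threshold and window are assumptions) and relies on two WordPress behaviours: a failed login re-renders the form with HTTP 200 while a successful one answers 302, and xmlrpc.php answers 200 whether or not a multicall guess worked, so every POST to it is counted as an attempt.

```python
"""Spot wp-login.php / xmlrpc.php password guessing in an Apache-style access log.

Added example, not from the original post. SAMPLE_LOG is constructed; the
5-attempts-in-5-minutes threshold is an assumption to tune per site.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for anything that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?")[0],
        "status": int(m["status"]),
    }


def max_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest number of events from one source inside any span of `window` (two-pointer)."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def detect(log_text: str, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> Dict[str, dict]:
    """Return {ip: {"attempts": burst, "likely_compromised": bool}} for bursty guessers.
    An attempt is a POST to wp-login.php answered 200 (form re-rendered = wrong password)
    or any POST to xmlrpc.php (it answers 200 either way). A 302 from wp-login.php after
    at least `threshold` failures means a guess worked."""
    attempts, successes = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev["method"] != "POST" or ev["path"] not in LOGIN_PATHS:
            continue
        if ev["path"] == "/xmlrpc.php" or ev["status"] == 200:
            attempts[ev["ip"]].append(ev["ts"])
        elif ev["status"] == 302:
            successes[ev["ip"]].append(ev["ts"])
    report = {}
    for ip, times in attempts.items():
        burst = max_in_window(times, window)
        if burst < threshold:
            continue
        compromised = any(sum(1 for f in times if f < s) >= threshold for s in successes.get(ip, []))
        report[ip] = {"attempts": burst, "likely_compromised": compromised}
    return report


def _line(ip: str, path: str, status: int, second: int) -> str:
    """Build one constructed log line, `second` seconds after a fixed start time."""
    ts = (datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc) + timedelta(seconds=second))
    return f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] "POST {path} HTTP/1.1" {status} 4523 "-" "Mozilla/5.0"'


# Constructed sample log: one dictionary attack that succeeds, one legitimate user who
# fumbles twice, one XML-RPC multicall burst, and an author-enumeration probe.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.5", "/wp-login.php", 200, i * 3) for i in range(8)]
    + [_line("203.0.113.5", "/wp-login.php", 302, 30)]
    + [_line("198.51.100.7", "/wp-login.php", 200, 40), _line("198.51.100.7", "/wp-login.php", 200, 50),
       _line("198.51.100.7", "/wp-login.php", 302, 60)]
    + [_line("192.0.2.9", "/xmlrpc.php", 200, 100 + i * 10) for i in range(6)]
    + ['192.0.2.9 - - [10/Oct/2023:13:57:00 +0000] "GET /?author=1 HTTP/1.1" 301 - "-" "curl/8.0"']
)

if __name__ == "__main__":
    for ip, info in detect(SAMPLE_LOG).items():
        print(ip, info)
```

Feed it your real log with `detect(open("/var/log/apache2/access.log").read())`; the “likely_compromised” flag is the one to page on, since it means a password was guessed and you should rotate it and look for new admin users.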
Set Up Dual-Factor Authentication For WordPress
Have you ever gone to log into your online banking, or some other site that holds sensitive information, and had them send you a text to verify a security code? Or give you a phone call to verify a security code? That’s known as dual-factor, or more commonly two-factor, authentication (2FA).
The first factor is something you know, your credentials (a login name and a password); the second is something you have, usually your phone. This means that if hackers get your username and password, they still can’t log in without your phone. Prefer an authenticator app that generates the code on the device over codes sent by text: SMS can be intercepted or redirected by a SIM swap, while an app-generated code never crosses the phone network.
I’m going to suggest some dual-factor authentication plugins for WordPress that add a third box to the wp-admin login form, so that you have to physically interact with your smartphone before you can gain admin access.
- Google Authenticator Plugin, together with the Google Authenticator app, which is available for both Android and iOS devices.
- Duo Two-Factor Authentication Plugin and, of course, the corresponding Duo Mobile app for Android or iOS devices.
How To Secure wp-config.php
Because of the explosion in popularity of the one-click installers that many budget web hosts include these days (Softaculous, MOJO Marketplace, etc.), a lot of new WordPress users simply don’t understand the importance of the wp-config.php file.
If you’re an old-school WordPress user, or one who prefers manual installation, then you know that exposing this file can cause a lot of damage. wp-config.php contains, among other things, your MySQL database credentials and the authentication keys and salts that sign every login cookie, so whoever reads it can dump your database or forge an administrator session. That makes it the single most important file in WordPress, because without a database connection you have no website or blog.
CHMOD / wp-config.php Permissions – If you look at your file list through an FTP program, or even through cPanel, you will likely see this configuration file in the root directory or in public_html. WordPress documentation suggests you chmod it to 400 or 440 so that other users on the server can’t read it. You can typically right-click the file in an FTP client and look for something that says CHMOD or Permissions. One caveat: PHP still has to read the file. 400 only works when PHP runs as the file’s owner (the usual setup on cPanel hosts running suPHP or per-user PHP-FPM); if PHP runs as a separate web-server user such as www-data, use 440 with that user’s group as the file’s group, or you’ll lock yourself out with a database connection error.
How To Move wp-config.php – Because this file lives in the document root, it’s easy for attackers to find, and the moment PHP stops executing (a broken handler, or an editor’s leftover copy like wp-config.php.bak or wp-config.php~) the web server hands its contents out as plain text. Remember how hiding the wp-admin location deters most casual hackers? The same goes for this file. WordPress supports the move out of the box: if wp-config.php is missing from the install directory, wp-load.php looks one level up (outside public_html), provided that parent directory doesn’t also contain a wp-settings.php. Aaron Adams has a very thorough guide on how to move wp-config.php.
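The checker below is an added example covering both points above, not code from the post or from Aaron Adams’s guide. It finds wp-config.php using the same rule WordPress does (install directory first, then the parent as long as the parent holds no wp-settings.php) and then reports modes that let other accounts read the file or that stop PHP reading it. The `php_uid`/`php_gid` arguments are assumptions supplied by the caller, and `demo_findings` builds a throwaway layout in a temp directory with a placeholder password, so nothing here touches a real site unless you point `check` at one.

```python
"""Locate wp-config.php the way WordPress does and audit its file mode.

Added example, not from the original post. The demo layout and password are
constructed in a temp directory; php_uid/php_gid are caller-supplied assumptions.
"""
import os
import stat
import tempfile
from pathlib import Path
from typing import List, Optional


def locate_wp_config(wp_root: Path) -> Optional[Path]:
    """Mirror wp-load.php: the install dir first, then the parent if it is not itself an install."""
    local = wp_root / "wp-config.php"
    if local.exists():
        return local
    parent_cfg = wp_root.parent / "wp-config.php"
    if parent_cfg.exists() and not (wp_root.parent / "wp-settings.php").exists():
        return parent_cfg
    return None


def mode_findings(path: Path, php_uid: int, php_gid: int) -> List[str]:
    """Report anything that makes the file readable to other accounts or unreadable to PHP."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if mode & 0o007:
        findings.append(f"world-accessible (mode {mode:o}): other accounts on the host can read it")
    if mode & 0o030:
        findings.append(f"group can write or execute (mode {mode:o}): use 440, not {mode:o}")
    php_can_read = (
        (st.st_uid == php_uid and mode & 0o400)
        or (st.st_gid == php_gid and mode & 0o040)
        or (mode & 0o004)
    )
    if not php_can_read:
        findings.append(f"PHP (uid {php_uid}) cannot read it: chown to uid {php_uid} with 400, "
                        f"or chgrp to gid {php_gid} with 440")
    return findings


def check(wp_root: Path, php_uid: int, php_gid: int) -> dict:
    """Full audit: where the file was found (if at all), whether it is outside the docroot, and findings."""
    cfg = locate_wp_config(wp_root)
    if cfg is None:
        return {"path": None, "moved": False,
                "findings": ["no wp-config.php in the install directory or one level up"]}
    return {"path": str(cfg), "moved": cfg.parent != wp_root,
            "findings": mode_findings(cfg, php_uid, php_gid)}


def demo_findings(mode: int, parent_is_install: bool = False, php_uid: Optional[int] = None) -> dict:
    """Constructed layout: tmp/public_html is the install, wp-config.php sits one level up."""
    with tempfile.TemporaryDirectory() as d:
        tmp = Path(d)
        root = tmp / "public_html"
        root.mkdir()
        (root / "wp-settings.php").write_text("<?php // stand-in for the real file\n")
        if parent_is_install:  # a second WordPress install in the parent disables the fallback
            (tmp / "wp-settings.php").write_text("<?php // parent is itself an install\n")
        cfg = tmp / "wp-config.php"
        cfg.write_text("<?php define('DB_PASSWORD', 'placeholder-not-real');\n")
        os.chmod(cfg, mode)
        uid = os.geteuid() if php_uid is None else php_uid
        return check(root, uid, os.getegid())


if __name__ == "__main__":
    print("fresh install, mode 644:", demo_findings(0o644)["findings"])
    print("after chmod 400:        ", demo_findings(0o400)["findings"])
    print("400 but PHP is another user:", demo_findings(0o400, php_uid=-1)["findings"])
```

Run it against a live site with `check(Path("/home/you/public_html"), php_uid, php_gid)`, where the uid and gid are those of the PHP worker (`ps -o uid,gid -C php-fpm` or the equivalent on your host); if the “cannot read” finding fires, fix ownership before tightening the mode, not after.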
WordPress Security Isn’t Scary!
Seriously, it’s not. I have multiple WordPress blogs that earn me a decent living. I am constantly posting about ways that I use WordPress to make money since it was hard for me to get a job with multiple felonies. You might even see some funny prison stories.
I would love to be able to let you know whenever I post more content. I’ll never spam. Just stories and tips.