Ways to Help Defend WordPress From Attackers and BotNets
As I’m writing this, MidnightRyder.com is under continuous attack from a BotNet. Of course, you might notice that it’s still up and running just fine – there are reasons for that, and I’m going to help you keep yours up and running, too.
Not familiar with the term “BotNet”? I’ll simplify a bit here: it’s a group of computers controlled by a third – usually somewhat unknown – party running a specific set of programs or scripts. What’s most important is that it’s a group of computers, not a single computer you’re up against.
The disadvantage is simple: you can’t just block a single computer to solve the problem. The advantage is that the botnets aren’t super-sophisticated. They have a pre-defined set of scripts they run (though, some of them are able to be updated on the fly) looking for an easy way in most of the time. Right now, the one that’s attacking MidnightRyder.com (and some of our customer sites) is attempting to find weak passwords – it’s looking for ways to log into the site, then, turn it into a member of the botnet.
Even if your site doesn’t become compromised and join the Borg, there’s another problem with such attacks: if you’re on a server that isn’t particularly powerful (for instance, some shared hosting environments – which means most of the $10 / mo. and less environments) the extra load could bring your server to its knees. At my last check, 5,000 separate machines had made at least one attempt at hitting this site.
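To make that concrete, here is a Python example (added here, not part of the original article) that counts login POSTs to wp-login.php in a web server access log and compares what a per-IP lockout would catch with the site-wide attempt rate. The log lines are constructed, and the thresholds (`per_ip_limit`, `site_limit`, the 10-minute window) are illustrative assumptions, not WordFence or CloudFlare settings.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Combined Log Format: client IP, timestamp, then the quoted request line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>[^ ?"]+)')

def login_attempts(lines):
    """Yield (ip, time) for each POST to wp-login.php; GETs only load the form."""
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["method"] == "POST" and m["path"].endswith("/wp-login.php"):
            yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def assess(lines, per_ip_limit=5, site_limit=20, window=timedelta(minutes=10)):
    """Compare what a per-IP lockout sees with the site-wide picture."""
    attempts = sorted(login_attempts(lines), key=lambda a: a[1])
    per_ip = Counter(ip for ip, _ in attempts)
    locked_out = sorted(ip for ip, n in per_ip.items() if n >= per_ip_limit)
    under_limit = sum(n for n in per_ip.values() if n < per_ip_limit)
    # Sliding window over all sources: peak attempts inside any one window.
    peak = start = 0
    for end, (_, ts) in enumerate(attempts):
        while ts - attempts[start][1] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return {
        "attempts": len(attempts),
        "distinct_ips": len(per_ip),
        "locked_out": locked_out,
        "peak_in_window": peak,
        "distributed": peak >= site_limit and under_limit > len(attempts) / 2,
    }

def sample_log():
    """Constructed data: 40 bots with one attempt each, one noisy client, one reader."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    row = '{} - - [{}] "{} HTTP/1.1" 200 512 "-" "-"'
    stamp = lambda s: (t0 + timedelta(seconds=s)).strftime("%d/%b/%Y:%H:%M:%S %z")
    lines = [row.format(f"198.51.100.{i + 1}", stamp(15 * i), "POST /wp-login.php")
             for i in range(40)]
    lines += [row.format("203.0.113.9", stamp(5 * i), "POST /wp-login.php")
              for i in range(6)]
    lines.append(row.format("192.0.2.10", stamp(30), "GET /wp-login.php"))
    return lines

if __name__ == "__main__":
    print(assess(sample_log()))
```

On the sample data the per-IP view locks out one address while 40 others slip under the limit, which is why the rest of this article stacks several layers instead of relying on blocking individual machines.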
Why do they do it? Well, that’s well beyond the scope of this quick little article. I may write something about it later, but, heck, you can Google information on that 🙂
We’re not going to block against JUST this botnet though – instead, let’s try and block against a wider range of threats than just the current one knocking on our door.
No one security method is perfect, so let’s steal from a concept called “Defense in Depth” – we’re not going to focus on using a single fix for the problem, instead, relying on multiple tools that do different jobs. (Quick note: this is an article for those without much knowledge of security – you might learn something new, like the use of WordFence, if you’re already familiar with security, but this doesn’t cover extremely detailed scenarios, nor does it cover every possible scenario.)
CloudFlare For Defense & Load Reduction
First, let’s add a new tool if you’re not already using it: CloudFlare. It’s going to do two things for us – first, if you don’t already have a good caching system (or don’t know what one is), you need CloudFlare installed. In fact, it’s better than most of the default WordPress caching systems, because it acts as a cache outside of your hosting environment. If you’re on a shared hosting account somewhere, then you’ll probably notice something awesome after you install it: you’ll see a new burst of speed on your site!
Using CloudFlare with WordPress based sites is pretty simple.
- First, sign up for a free CloudFlare account
- Second, install the CloudFlare plugin for WordPress
- Third, follow the instructions in the Plugin 🙂
On certain hosts, it’s even easier than that – no need for a WordPress plugin. For instance, on DreamHost, go under Manage Domains, click your domain, and hit the checkbox for CloudFlare. It handles the rest.
While CloudFlare’s primary job is to act as a cloud based content distribution network (CDN), it’s going to give us one of our first extra layers of security. See, CloudFlare tries to act as a first line of defense by blocking known-bad stuff: bad URLs, servers that are known to be compromised, things like that. I said before that around 5,000 machines had attempted to attack MidnightRyder.com. In reality, the number is almost twice that – CloudFlare has stopped 4,700+ attempts before they even got to this site! So, in 36 hours, almost 10,000 attacks have been stopped or mitigated (but, the normal traffic for MidnightRyder.com, which is more than most small time blogs see, continues without a hiccup.)
Which means that CloudFlare helps to defend the site, reduce bad traffic, and keep our site up and running even when it’s under attack or would normally be overloaded with traffic. Oh, and heck, let’s throw in one more thing – it also acts as a bit of a barrier against comment spammers. That’s a heck of a tool!
Server Side Protection
Now, for our next trick: some web hosting environments give you an option for “extra security”. It’s basically just some configuration changes that are made to your site for you. I won’t dig into the nitty gritty of what it is, how it works, etc. Instead, I’m going to tell you what to look for. If you’re running on DreamHost, for instance, go in to the “Manage Domains” area of your control panel. Click on your domain, and make sure the entry called “Extra Security” is checked. Save your work, and in about 5 minutes, your server configuration will be tightened up a bit. It’s not a huge change, but one worth making.
Now, if you’re on another hosting provider, you might wonder where it’s at. Well… look for something similar. Honestly, there’s no standard for it – do a little digging in their help, and you might find it 🙂
Similar to CloudFlare, WordFence gives us a free and a pay option. For the most part, you probably don’t need the pay option. Install the WordFence plugin, then go to the WordFence site and create an account, and follow their instructions for getting an API key, and place that in your WordFence options.
For the most part, you’re done. You could call it good right there, and be done with it. But… I like to tweak this part out a little bit. On your site, go under WordFence -> Options. First, put an email address in the Basic Options area. Don’t worry about the rest of the Basic Options, let’s move on to Advanced.
Here, we get some cool tools to play with. Under Alerts, check all the boxes. This does a couple of things. First, if someone is attempting to log in under an invalid account, the system is going to email you (and lock them out, based on configuration changes we make here shortly). It’s going to give you a hint that something might be going on. But the big hint is the admin login – if someone logs in as an Admin, and you’re the only person who has access to your site, but you see an email when you’re not actually logged in? You know something just went wrong, and you can start scrambling to try and fix it.
The next section, Live Traffic View is kind of cool, but it’s a bit of a novelty, really. You’ll probably never get to do much interesting with it, so it’s only going to take up CPU time and disk space. I have mine turned on just because I like to watch the traffic, but acknowledge that I’m not going to do much with it. 🙂
Under Scans to Include, turn them all on (except the subscriber only one, if you are using a free account). We’ll run a scan here in a bit, but let’s finish configuring this all first.
Under Firewall rules, hit Enable Firewall Rules and Immediately Block Fake Google Crawlers.
Under Login Security, enable it. Make sure Immediately Lock Out Invalid Users and Don’t reveal valid usernames are turned on.
Now, then, go down and hit Save Changes at the bottom of the page.
Great – now we’ve got a couple layers of defense working for us. CloudFlare stops a portion of them, then WordFence tries to stop those that get through the front line. Not too bad, really. It’s not perfect, and a determined hacker could probably make his way through our defenses if 1) he’s good, and / or 2) he’s determined enough. Some people will refute what I’m about to say, but I’m going to say it anyway: no matter how much security we put in place, no matter how tight we wind it all down, someone can find a way around it. Even InfoSec (Information Security) guys get owned from time to time. We’re just trying to make it harder, and block the most prevalent threats. We’re also giving ourselves some heads up when it looks like something might be going wrong!
Updating Plugins & Themes
You notice I didn’t say to scan your site with WordFence just yet, right? There’s a reason for that – we need to make sure all of our plugins are up to date. This is something you should be doing anyways – all themes and plugins used in WordPress should be kept up to date at all times. From time to time, plugin and theme authors make a mistake – they’re only human. When it’s found, they update it, and if it’s a security issue, we need to make sure our system is updated, too. That’s one less place someone might be able to get in.
So, under plugins, look and see if any of them say they have updates available. If so, click update on them. See, that was easy. Same goes for themes.
One thing though – if you have extra themes or plugins that are installed, but aren’t currently active (and you don’t plan on making them active in the future), go ahead and delete them. That’s one less potential point of entry, and one less headache we have to keep updating.
OK, now that we’ve updated everything, let’s make sure our system is healthy. Go to WordFence -> Scan, and click on Start A Scan. Now, let it do its thing. If you’ve got a lot of articles, or are on a slow system, this may take a bit. Have a cup of coffee, or whatever, and relax for a bit. ‘Cause, see, WordFence does something pretty cool: you don’t have to sit in front of the website waiting. While it does have a display of any problems it finds, it will also email you the potential problems! How awesome is that?
And, now that WordFence is installed and configured, once a day it’s going to scan your system for you. If anything new comes up, it’s going to email you and tell you what the problem it found is. The most common one you’re going to see? That you need to update plugins. (That’s why I had you update everything first 🙂) As new updates for your installed plugins come out, WordFence is going to warn you about them, once a day. It’s a great way to make sure you stay on top of fixing those!
This is by no means an industrial strength guide to security. It’s a “Good Enough For Now” guide to securing WordPress. But, to be honest, it’s more likely than not enough to keep your site from being borgified by the existing Botnets, protect you from some hackers, speed up your site, and give you a little extra protection from comment spammers. Not bad for something that only takes 20 – 30 minutes to configure!
How do you protect against all possible threats? Well… first, you’d have to get a pretty solid education in Information Security, and even then it’s an ever-changing field as new technologies and new bad guys pop up. And, as I’ve mentioned before, there’s no way to defend against everything. I may write a couple more articles on how to further batten down the hatches at some point, if there’s demand for it. 🙂
Davis Ray Sickmon, Jr
Midnight Ryder Technologies