Recently, two web security issues have been causing a great deal of concern and uncertainty for many of our clients.
To help you understand what you need to do to keep your website secure, today’s post focuses on the new Heartbleed bug and not-so-new brute force attacks.
I’ll quickly explain each, outline the steps you should take to protect your site, and link to a few helpful resources.
Heartbleed Bug
The Heartbleed bug is a serious vulnerability in OpenSSL, a security standard that encrypts communications on a majority of online services. Heartbleed allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users. You can learn more about the vulnerability at http://heartbleed.com/.
For the average small business website owner, there are two ways that Heartbleed may affect you — through your own website and through other websites that you visit on the wider Internet.
Protecting yourself when surfing the Net
- Learn more about staying secure on sites you visit with McAfee’s article about The Heartbleed Vulnerability: What It Is and How It Affects You.
- Mashable has published a helpful list of popular sites known to be affected by the Heartbleed bug. This list will help you identify on which sites you absolutely must change your account password.
- For more in-depth info, InfoWorld.com also has a great checklist for dealing with Heartbleed as a user, administrator and developer.
Securing your WordPress website from Heartbleed
To secure your own website, review these three areas of vulnerability:
- Check with your web host to make sure they have taken care of the OpenSSL update.
(We have already checked with our recommended web host, MDDHosting, and confirmed that the necessary updates have been completed.) - If you use an SSL certificate on your site (typically used for ecommerce transactions or collecting personal information), re-issue your SSL certificate.The company that issued your SSL certificate will be able to provide you with more detailed instructions. As a general reference, click here to review the steps recommended by Namecheap.
- Change the account passwords on the following:
- Your web hosting account manager / control panel
- Your domain name registrar
- Your WordPress website user account (especially your Administrator-level account)
Brute Force Attacks
Many of Arch’s clients have seen the resource use on their WordPress websites spike due to brute force attacks.
Although it sounds scary, these are not “personal” attacks but random attempts by “botnets” that try usernames and passwords, over and over again, until they get in. They can be very successful when people use passwords like ‘123456’ and usernames like ‘admin.’ Basically, they are an attack on the weakest link in any website’s security: You.
This sort of attack is not specific to WordPress — it happens with every web app out there — but WordPress is popular and therefore a frequent target.
Obviously, making sure you ALWAYS use strong, complex passwords is a key to preventing these attacks from being successful but these attacks present another problem for your site hosting, even if they never gain access to the site itself.
Due to the volume of log in attempts during these attacks, you will likely find your server’s memory goes through the roof, causing performance problems as your server runs out of memory. Some hosts might even flag your account or temporarily limit access to your site to prevent other sites on your shared web server from being affected.
What can you do to protect your WordPress site from brute force attacks?
The manual approach is to use your htaccess file to limit access to wp-login.php by only the specified IP addresses.
Alternatively, you can install the “Rename wp-login.php” plugin from your WordPress dashboard.
I prefer the manual approach via htaccess because I like to limit the number of plugins in use on my site. That said, using a plugin is easier for most clients to manage on their own especially since it doesn’t require entering and updating IP addresses.
MDDHosting has published an interesting article about WordPress brute force attacks that includes graphs of resource usage during an attack.
Basic Website Security
Despite the extra security precautions listed above, the standard WordPress website security recommendations still apply:
- Make sure all of your site passwords are strong (long, random, complex) and unique to that account (i.e., not the same password that you use for anything else).
- Always keep your site software up to date, including your theme, plugins, and WordPress files.
- Do regular site backups so you can recover quickly if the worst ever does happen.
Arch Web Marketing can help you keep your WordPress website secure. If we built your website, we offer a service plan for $49 CAD /month that includes software updates, regular backups and ongoing monitoring.
Contact Arch today to set up your monthly service plan or for help implementing security measures to protect against Heartbleed or brute force attacks.
Hi there! I just wanted to ask if you ever have any problems
with hackers? My last blog (wordpress) was hacked and I endedd up losing a few months of hard work due to no data backup.
Do you have any solutions to prevent hackers?
Hi Margareta,
Sorry to hear that you lost all of that work! I have been fortunate enough not to have experienced that personally but I know colleagues who have and it’s very frustrating.
I install a plugin called Wordfence on my sites that helps protect against attacks. There are a number of others both free and paid that offer the same protection, such as iThemes Security and Securi. Whether you opt for a paid version depends on the nature of your site and how crucial it is to your core business income.
Of course, no plugin can offer 100% protection so you should prepare for the worst by having regular backups that are stored somewhere other than your web server (as I’m sure you already do now!)
I have recently started a web site, the info you offer on this web site has helped me greatly. Thank you for all of your time & work. “The word ‘genius’ isn’t applicable in football. A genius is a guy like Norman Einstein.” by Joe Theismann.