Dan Davies, Front-end Developer

WordPress Security

4th June 2015

Why are you using WordPress Dan? It’s shit Dan. Always being hacked. Use [insert popular CMS]

They are right, of course: it’s always being hacked, or it seems to be. I guess with popularity, it comes with the territory.

I’m pretty green with WordPress. I’ve been using it for a good few years now, but I’ve only recently started to get to grips with it and to understand more about it. Plus, my current role requires me to manage other WP sites, sites that are often neglected. Over the last couple of months, my eyes were opened to how stubborn hackers can be.

Woah Dan, you say hackers like it’s some American blockbuster movie!

I’ve no idea what to call these people or bots, so for the benefit of this article we’re going sensational and calling them hackers.

Someone hacked my websites [insert sad face]

Where was I? Oh yes, the last few months. I was pretty aware of how vulnerable a WordPress site could be, but I guess like so many others I relied on nobody really knowing about my sites and assumed that made them safe.

Until a site was royally buggered by an attack. And I mean royally. To this day, I don’t really know exactly what happened, except that the plugins were not updated very often and it was an out-of-date WordPress install. It left me with two broken websites and an entry on every email blacklist known to man.

Did you cry?

A bit, but once I’d picked myself up, I went about finding out why. First off, I was told by email that the site was linking out to a few dodgy pages. Sure enough, a Google search now led from the site to pills and all sorts of spam. In Google Webmaster Tools we spotted that someone had added themselves as a verified owner of the site. I unverified them straight away. This was a shock to be honest, and quite worrying. I had no idea how they did it at the time; the likely answer is that Webmaster Tools verifies ownership with a file dropped in the web root or a meta tag in the home page, and whoever could rewrite every PHP file on the site could do either.

The next step was to sort the files out. Every PHP file was compromised. I took the decision to back up what I could and just delete the lot. I had all the content, so I knew it would be OK. Down it came. An hour later, the site was back up, on the latest WordPress with fresh installs of every plugin. Worth adding to that hour: every password the site touched (WordPress admin, database, FTP and hosting) wants changing, because anything a compromised install could read has to be assumed stolen. We’re done now, right?

Far from it.

The concern for me was this could happen again so I started to look at ways of stopping it. I reached out to Twitter…as you do.

Are there any good security plugins for WordPress that I am missing that you can recommend? Just assume I don’t know any of them

Everyone pretty much replied back with

Wordfence!

So that’s what I did. I installed Wordfence. What an eye opener. Straight away it was telling me that some files I had carried across from the old site were compromised. They were in the uploads folder, of all places. Those were deleted and the scan came back clean, which is not 100% secure (nothing is) but a long way from where I started. Over the last few days it has been telling me about attacks on the site I would otherwise never have known about. It’s brilliant. I feel much safer with it. It’s free, with a paid option.
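To see the sort of thing that scanner was reacting to, here is an added example, written for this post (it is my code, not Wordfence’s scanner and not anything from the original site), that walks an uploads folder and flags anything a web server might run as PHP. The directory layout and file contents are constructed for the demo; the function name scan_uploads_for_php and the $root path are my own choices, and you would point $root at a real wp-content/uploads.

```php
<?php
// Added example, not Wordfence's scanner: walk an uploads directory and report
// anything a web server might run as PHP. wp-content/uploads should hold media
// only, so any PHP in there is either a leftover from the old site or a web shell.

/**
 * Returns an array of path => reason for every suspicious file under $dir.
 */
function scan_uploads_for_php($dir)
{
    $suspect = array();
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $path = $file->getPathname();

        // Extension check. Matches shell.php, shell.php5, shell.phtml and also
        // shell.php.jpg: on hosts that wire PHP up with Apache's AddHandler, a
        // ".php" anywhere in the name can still be handed to the PHP interpreter.
        if (preg_match('/\.(php\d?|phtml|phar|phps)(\.|$)/i', $file->getFilename())) {
            $suspect[$path] = 'PHP-like extension';
            continue;
        }

        // Content check. A "picture" that starts with a PHP tag is a shell waiting
        // for an include() bug or a misconfigured handler; only the first 4 KB are read.
        $head = file_get_contents($path, false, null, 0, 4096);
        if ($head !== false && preg_match('/<\?(php|=)/i', $head)) {
            $suspect[$path] = 'PHP open tag in a non-PHP file';
        }
    }
    ksort($suspect);
    return $suspect;
}

// Constructed sample tree so the script runs offline; point $root at a real
// wp-content/uploads to scan a site.
$root = sys_get_temp_dir() . '/uploads-scan-' . uniqid();
mkdir("$root/2015/06", 0700, true);
file_put_contents("$root/2015/06/photo.jpg",    "\xFF\xD8\xFF\xE0 not really a JPEG");            // constructed: legitimate upload
file_put_contents("$root/2015/06/wp-cache.php", "<?php eval(base64_decode(\$_POST['c'])); ?>");   // constructed: obvious shell
file_put_contents("$root/2015/06/logo.php.jpg", "GIF89a<?php system(\$_GET['x']); ?>");          // constructed: double extension
file_put_contents("$root/2015/06/notes.txt",    "<?php echo 'hidden'; ?>");                        // constructed: wrong extension

foreach (scan_uploads_for_php($root) as $path => $why) {
    printf("%-40s %s\n", substr($path, strlen($root) + 1), $why);
}
```

Finding and deleting files is only half of it: the uploads folder should never execute PHP in the first place, so pair a scan like this with a web-server rule that refuses to run PHP under wp-content/uploads, and treat anything the scan turns up as a sign that whatever wrote it may still have a way in.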

Other suggestions I had, which I’ve not tried yet (I will):

  • All-In-One-Security
  • WordPress Firewall 2
  • iThemes Security
  • WP Security

Anything else

Spam is a pain in the arse, isn’t it? I’d ignored it for so long that when I last looked I had 200-odd comments to approve, and all 200 were spam. I had Akismet installed but it wasn’t doing anything, so that is now running and working like a charm. There’s also a contact form, delivered via Contact Form 7. There used to be CForms on there, but that is no longer supported and I have my suspicions it was the main route in for the attack, so for now Contact Form 7 is the winner. Then the contact form itself started delivering spam, one email, then another, then another, to the point where it became an issue. I sorted that with the help of Akismet too.

Contact Form 7 can hand its submissions to Akismet: add the akismet: options to the form tags below and Akismet scores each entry as it comes in, telling it to jog on if it’s spam. It needs the Akismet plugin active with a valid API key, which sorting the comments had already taken care of.

Name [text* your-name akismet:author]

Email [email* your-email akismet:author_email]

So now, the contact form is no longer spamming me. I’ve turned off comments on the blog too.

I’ve also come across a great little plugin that stops people logging on after a few failed attempts: Limit Login Attempts. Just looking, it hasn’t been updated in a long while, so I may have to revisit this. From what I have seen, it works. It’s quite interesting how many people try to get in and what usernames they try. So far, they’ve not got in…
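What a plugin like that does under the hood is small enough to show. The following is an added example, written for this post rather than taken from Limit Login Attempts or any other plugin; the hook names (wp_login_failed, wp_authenticate_user, wp_login) and the transient functions are WordPress’s own, while the five-attempt limit, the fifteen-minute window and the example_lt_ names are my assumptions. Saved as a file in wp-content/mu-plugins/, WordPress loads it without activation.

```php
<?php
/*
Plugin Name: Example login throttle
Description: Added example of the mechanism behind a "limit login attempts"
             plugin. Written for this post, not taken from Limit Login Attempts.
*/

// Assumed tunables: five failures within fifteen minutes locks the client out
// for fifteen minutes (each further attempt while locked restarts the window).
define('EXAMPLE_LT_MAX_ATTEMPTS', 5);
define('EXAMPLE_LT_WINDOW', 15 * MINUTE_IN_SECONDS);

/**
 * Transient key for the calling client. REMOTE_ADDR is filled in by the web
 * server and cannot be forged by the client. Do not switch this to
 * X-Forwarded-For unless a proxy you control sets that header; otherwise the
 * attacker resets their own counter by changing it on every request.
 */
function example_lt_key()
{
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'example_lt_' . md5($ip);
}

function example_lt_is_locked()
{
    return (int) get_transient(example_lt_key()) >= EXAMPLE_LT_MAX_ATTEMPTS;
}

// Every failed login bumps the counter. wp-login.php and XML-RPC both end up in
// wp_authenticate(), which fires this action, so both routes are counted.
// The transient expiry is the counting window.
add_action('wp_login_failed', 'example_lt_record_failure');
function example_lt_record_failure($username)
{
    $key      = example_lt_key();
    $failures = (int) get_transient($key) + 1;
    set_transient($key, $failures, EXAMPLE_LT_WINDOW);
}

// wp_authenticate_user runs after the username has been looked up but before
// the password is checked, so a locked-out client never gets a password
// verified, right guess or wrong. Returning a WP_Error aborts the login.
add_filter('wp_authenticate_user', 'example_lt_check_lock', 1, 2);
function example_lt_check_lock($user, $password)
{
    if (example_lt_is_locked()) {
        return new WP_Error(
            'too_many_attempts',
            sprintf('Too many failed logins from your address. Try again in %d minutes.',
                    EXAMPLE_LT_WINDOW / MINUTE_IN_SECONDS)
        );
    }
    return $user;
}

// A successful login clears the counter, so an owner who fat-fingers a password
// twice is not carrying those failures around for the rest of the window.
add_action('wp_login', 'example_lt_clear');
function example_lt_clear($user_login)
{
    delete_transient(example_lt_key());
}
```

The counter is keyed on the client IP, which is the usual trade-off: an office behind one NAT address shares a single counter, and a botnet spreads its guesses across many addresses so each one stays under the limit. It raises the cost of guessing; it does not replace a decent password.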

Other things to look at are standard for any website with a backend. Don’t be slack with your username and password. admin and password123 is just plain daft and asking for trouble: admin is the first username every bot tries, and a short, common password gets guessed within the first handful of attempts. Use a username that isn’t admin and a long, unique password you don’t use anywhere else.

In summary

Like I said earlier, this isn’t an expert opinion. It’s just plugins and a bit of advice, in the hope that it helps someone out. You have to stay on top of your site. Update everything, often. Don’t leave it to chance, as WordPress is getting battered by spam and hackers daily.

I’m not as put off using WordPress now. It’s clear that it has issues. I still really enjoy using it and would recommend it to everyone but you have to take it seriously.

Further reading

If you have any recommendations or guides to security, let us know and I’ll add to the list below.

http://speckyboy.com/2015/05/21/standing-tall-in-the-face-of-recent-wordpress-security-scares/
