This week I am diverging from my Healthcare Marketing Series to discuss a very important and extremely relevant topic. This morning I woke up to find 429 site lockout notifications for our MDWebPro.com site. These notifications are generated by our WordPress Security package when we detect that a hacker is attempting to gain access to our site. Our security package blocks access based on IP address and then sends an email to me informing me of the action. I am used to seeing 1, 2, or even 5 of these notifications come through each day. I have never seen over 400 of them in just 8 hours. Below is a partial list of some of the IPs that were blocked.
We have spent some time writing about website security and WordPress security in particular. This month we released our WordPress Security ebook, our WordPress Security Case Study, and we also discussed Securing Your Plugins.
Earlier this month Trend Micro announced it had discovered about 195,000 domains and IPs that have been infected by this latest attack. That is 195,000 sites running either WordPress, Joomla, or Drupal as their content management system that are now actively working to infect other systems. The common denominator between these sites is their lack of basic security practices.
Today my goal is to give you a WordPress security checklist that you can pass on to your IT Director or web developer to ensure that your WordPress install is as secure as possible. I’ve even ranked the checklist in order of priority.
- Enforce strong passwords for all users (WordPress, FTP, etc.) and require SSL connections
- Hide your WordPress admin area
- Only allow admin logins from a whitelist of IP addresses OR block repeated failed login attempts based on IP address
- Subscribe to a known bad hosts resource such as HackRepair.com
- Ensure that wp-config.php and .htaccess files are not writable by the web server user
- Regularly backup your WordPress database and site files
- Actively monitor site for changed files
- Block access to URLs over 255 characters long
- Regularly update your WordPress installation and all plugins
- Only install plugins from known and trusted sources
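The lockout behaviour described at the top of this post (block an IP after repeated failed logins) and the whitelist alternative in the checklist can both be implemented as a small filter over the web server's access log. The script below is an added example written for this article, not the code of the security package mentioned above; the log lines, IP addresses, the 5-failures-in-10-minutes threshold and the allowlist are all constructed for the demonstration. It also applies the checklist's 255-character URL limit to each request before anything else is evaluated.

```python
"""Hypothetical WordPress login-lockout filter over Apache combined-format access
log lines. Added example for the checklist above; every IP, timestamp and policy
value here is constructed, not taken from a real site."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" format: ip ident user [time] "METHOD path HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

MAX_FAILURES = 5            # assumed policy: failed logins tolerated per window
WINDOW = timedelta(minutes=10)
MAX_URL_LEN = 255           # checklist item: block URLs over 255 characters
ADMIN_PREFIXES = ("/wp-login.php", "/wp-admin")


def parse_line(line):
    """Return a dict with ip/time/method/path/status, or None for non-matching lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec


def is_failed_login(rec):
    # A rejected POST to wp-login.php is answered with HTTP 200 (the form again);
    # a successful login redirects (302) to /wp-admin/. So 200 on POST means failure.
    return (rec["method"] == "POST"
            and rec["path"].startswith("/wp-login.php")
            and rec["status"] == 200)


def evaluate(lines, allowlist=None):
    """Return (lockouts, long_url_hits).

    lockouts maps IP -> time the lockout was triggered. With allowlist=None the
    sliding-window failure threshold applies; with an allowlist, any admin-area
    request from an IP outside it is locked out immediately (the checklist's
    whitelist option). long_url_hits lists (ip, length) for over-long requests.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent failed logins
    lockouts = {}
    long_url_hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, t = rec["ip"], rec["time"]
        if len(rec["path"]) > MAX_URL_LEN:
            long_url_hits.append((ip, len(rec["path"])))
            continue                # blocked outright, never reaches WordPress
        if ip in lockouts:
            continue                # already blocked; nothing more to count
        if allowlist is not None:
            if rec["path"].startswith(ADMIN_PREFIXES) and ip not in allowlist:
                lockouts[ip] = t
            continue
        if not is_failed_login(rec):
            continue
        q = failures[ip]
        q.append(t)
        while q and t - q[0] > WINDOW:   # drop failures older than the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            lockouts[ip] = t
    return lockouts, long_url_hits


def _line(ip, time, method, path, status):
    return f'{ip} - - [{time} -0500] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# Constructed sample log (documentation-range IPs only): one IP fails six times in
# a minute, one fails three times spread over 40 minutes, one logs in successfully,
# one sends a 304-character URL, one is an ordinary visitor, one line is garbage.
SAMPLE_LOG = [_line("203.0.113.7", f"10/Apr/2013:06:00:{s:02d}", "POST", "/wp-login.php", 200)
              for s in range(0, 60, 10)]
SAMPLE_LOG += [_line("198.51.100.9", f"10/Apr/2013:06:{m:02d}:00", "POST", "/wp-login.php", 200)
               for m in (0, 20, 40)]
SAMPLE_LOG.append(_line("192.0.2.10", "10/Apr/2013:06:05:00", "POST", "/wp-login.php", 302))
SAMPLE_LOG.append(_line("192.0.2.5", "10/Apr/2013:06:06:00", "GET", "/?p=" + "A" * 300, 200))
SAMPLE_LOG.append(_line("198.51.100.20", "10/Apr/2013:06:07:00", "GET", "/", 200))
SAMPLE_LOG.append("this line is not an access log record")

if __name__ == "__main__":
    locked, long_urls = evaluate(SAMPLE_LOG)
    for ip, when in locked.items():
        print(f"lockout {ip} at {when.isoformat()}")
    for ip, length in long_urls:
        print(f"blocked {length}-char URL from {ip}")
```

Only the persistent offender is locked out under the threshold policy; the IP that fails three times across 40 minutes never has five failures inside one 10-minute window. Switching to the allowlist policy locks out every non-listed IP that touches the login page, which is why the checklist presents the two as alternatives rather than as a pair: the whitelist is stricter, but only workable when your administrators log in from fixed addresses.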
And that is it. Following these recommendations will put your site in the 99th percentile for security, and most hackers will simply move on to easier targets, allowing you to rest assured that your site is safe for your visitors.
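Two more of the checklist items, keeping wp-config.php and .htaccess unwritable by the web server user and monitoring the site for changed files, can be covered by one baseline-and-compare script. The code below is an added example for this article, not part of any WordPress plugin or of the security package mentioned above. It builds a throwaway site tree in a temporary directory so it runs offline; the file names under it, the permission modes and the "unexpected" file it plants are all constructed for the demonstration.

```python
"""Hypothetical file-change monitor and sensitive-file permission audit for a
WordPress install. Added example; the site tree it inspects is a constructed
throwaway under a temp directory, not a real installation."""
import hashlib
import os
import stat
import tempfile

SENSITIVE_FILES = ("wp-config.php", ".htaccess")


def sha256_file(path):
    """Hash a file in chunks so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file under root (relative, '/'-separated) to its SHA-256."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = sha256_file(full)
    return out


def diff_snapshots(baseline, current):
    """Report files that appeared, disappeared or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }


def writable_by_others(path):
    """True if the group or world write bit is set. When the web server runs as its
    own unprivileged user (the normal setup), these bits are what would let it
    rewrite the file; owner-only write (0640/0600) is the state the checklist wants."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_sensitive(root):
    """Map each sensitive file present under root to whether it is writable by others."""
    return {name: writable_by_others(os.path.join(root, name))
            for name in SENSITIVE_FILES
            if os.path.exists(os.path.join(root, name))}


def _write(root, rel, text, mode=0o644):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)
    os.chmod(full, mode)


def demo():
    """Build a constructed site tree, take a baseline, simulate two unwanted changes,
    and return (change_report, audit_before, audit_after)."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    _write(root, "wp-config.php", "<?php define('DB_NAME', 'example');\n", 0o666)  # too open
    _write(root, ".htaccess", "RewriteEngine On\n", 0o644)
    _write(root, "wp-content/plugins/hello/hello.php", "<?php // plugin v1\n")
    _write(root, "wp-content/uploads/2013/04/photo.jpg", "not really a jpeg\n")

    audit_before = audit_sensitive(root)
    baseline = snapshot(root)

    # Constructed changes of the kind a monitor should surface: a plugin file is
    # altered and a PHP file turns up in the uploads directory, where none belongs.
    _write(root, "wp-content/plugins/hello/hello.php", "<?php // plugin v1 (altered)\n")
    _write(root, "wp-content/uploads/unexpected.php", "<?php\n")

    # Remediation for the permission finding: owner read/write only.
    os.chmod(os.path.join(root, "wp-config.php"), 0o640)
    audit_after = audit_sensitive(root)

    report = diff_snapshots(baseline, snapshot(root))
    return report, audit_before, audit_after


if __name__ == "__main__":
    report, before, after = demo()
    print("changed files:", report)
    print("writable-by-others before:", before)
    print("writable-by-others after: ", after)
```

In practice the baseline would be written to disk (or somewhere the web server user cannot reach) right after a clean install or update, and the comparison run from cron, with any "added" PHP file under wp-content/uploads treated as a top-priority alert. Re-take the baseline only after you have updated WordPress or a plugin yourself, so that legitimate changes do not bury unexpected ones.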
Edit: As I typed this article, I received 5 more site lockout notifications from our mdwebpro.com site. If you are not actively protecting your site, chances are very good that it will be infected or is already infected. Please forward this checklist on to your webmaster to ensure your site isn’t easy pickings for the hackers.