This article was published in the June 29, 2015 issue of The Business News.
Zombies are relentless mindless horrors fixated on a single goal … consuming all life. They make for fun television, but if they existed, they would be an absolute nightmare. Fact is, there is a zombie horde out there in the digital world right now, constantly scratching at the door of your website, trying to get in and consume its delicate tasty bits. Hackers, bots, botnets, cross-site scripting, brute force attacks and more make up this nefarious group working day and night to gain access to your website. They aim only to take control, expand their efforts, or to inject questionable content that can’t be seen, but can significantly impact the credibility of your site.
Just like defending yourself against a zombie apocalypse, there are actions you can take to protect your website from threatening attacks. But humans can be lazy when it comes to security, and when the threat never rests, it requires discipline to maintain a certain level of protection.
According to Business 2 Community, Wordpress powers over 23% of all worldwide websites and over 60% of all CMS-managed websites. It’s a popular platform that has often been given a bad rap for security flaws, but the fact is, Wordpress itself is quite secure. Most often it is third party plugins—that aren’t strictly tested to minimize security gaps—that can bring a website to its knees. Most of the best practices below focus on the Wordpress platform, but can applied universally.
We all hate passwords. We all try to make them memorable so that we can continue to get into our accounts, and then say unfriendly things when we forget them. Laziness with password creation is the most common reason websites become infected. A “bot” is simply a program that was written to constantly try variations of usernames and passwords until it’s lucky enough to stumble upon a successful attempt. Once it gains access, whatever programming it was written with is executed. A “botnet” is a group of bots attempting the same thing… How long would it take to guess a username and password when it’s trying over and over, 24/7, many times per second?
It’s time to put the generic “password123” to rest and bury the body. Common word-based passwords are also easily compromised. Make sure your administrative account uses a strong password that includes numbers, upper and lower case letters and symbols. The longer and more complex you make it, the less vulnerable your site will be.
Of course this will make remembering these complex passwords really difficult. Thankfully, there is program to help you, and once you make use of it, you will not know how you lived without it. LastPass is a standalone application and mobile app that can store all your account passwords. A single LastPass account password can automatically log you into all your secure websites without having to remember several complex passwords.
Every Wordpress installation uses a database. That database is usually the target hackers attack with several malicious code types. Each database is created with a default table prefix, and that default prefix is often vulnerable. By changing the default table prefix to something random, you can make the hacker’s efforts a bit more difficult. Smart human hackers can still find ways around this, but to defend against the zombie-bot horde, it’s a solid first step.
In the past, security was generally a concern for e-commerce sites and those with sensitive information, such as online banking. When you see the little lock icon next to URL bar, you know that you’re able to log in securely.
An SSL certificate makes the connection between your computer and the server of the website you’re logging into secure, so nothing can snoop around when you hit the submit button and capture your username/password. SSL certificates cost $99-$500 annually, depending on your required level of security. An added benefit, Google now puts preference on websites that have SSL certificates over those that don’t.
Just as it’s not good to go at it alone against zombies, it’s good to surround your website with some muscle. Plugins such as Clef, BruteProtect and Bullet Proof Security can provide some serious protection for Wordpress.
Clef is a new tool using two-factor authentication via your smartphone. Along with the app for your phone, it replaces the usual login fields on your website with a series of moving bars. When you click the ‘log in with clef’ button on your website login page, the series of bars is displayed, then you hold your phone up to the computer screen. When the bars on your phone match the bars on the screen, you are granted access. In order for someone to bypass this security, they would have to steal your phone. If there are no login fields to use, bots and hackers have no place to go.
Note: If you don’t want to require your phone to log in every time, an alternative to Clef would be to rename or hide your login page. There are free plugins available to achieve this.
Talk about adding some muscle to your group … BruteProtect is a security plugin that guards against botnets by connecting its users to track every failed login attempt, across all installed users of the plugin. You now have the strength of the entire BP network (currently over 200,000 users) working together to protect each other.
BPS provides many configurable security options from firewalls, .htaccess file security, database backup, database table prefix changer, limit login attempts, file monitoring, and many more, to make your Wordpress website incredibly secure.
Wordpress is often met by IT departments with furrowed brows and spiteful comments on its security, but if we take the time and effort to effectively lock the doors on the gaps used to compromise our websites, Wordpress is as reliable as any other platform.
Just like in the movies and TV shows, it’s usually when the humans take time to rest, close their eyes, or let their guard down that the zombie horde makes them their lunch. The same is true with a relentless swarm of hackers and bots that are always clawing at your digital doorstep to get at your information. There is no such thing as a totally secure site, but by taking the time to adhere to the steps outlined above, you will certainly be much more prepared and protected to fend off the enemy at your gates.