GPWA Times Magazine - Issue 32 - June 2015

WordPress security essentials
A quick guide to detecting and preventing hacking attempts
By Dan Horvat

Roughly 80 percent of owners of hacked websites aren't aware their site has been hacked. The most common targets for hacking are WordPress websites, as they're the most numerous and share common vulnerabilities. Therefore, it's imperative for a WordPress webmaster to pay attention to security and learn to prevent and detect hacking attempts.

Why would someone want to hack my site?

Usually, sites that store credit card information are the best (and the most difficult) targets for hacking attacks. While most online gambling affiliate sites don't collect credit card information, there are more than enough valuable assets on your site to make it a target.

Most of the time, hackers don't care about your business or what your site is about. They just want to use your server to send spam or your website to send malware to your visitors' computers. If a hack succeeds, your visitors download malicious files from your website without either of you knowing about it.

Hackers might also want to use your site to attack another one: A distributed denial-of-service (DDoS) attack requires a botnet, which is a large network of compromised computers. Some hackers will just hack your site for fun to improve their hacking skills.

The last category of hacking is a targeted attack against you where the culprit is someone who wants to hurt you specifically — maybe a competitor or a former employee.

Most hacking attempts don't originate with a human being sitting at a computer and hacking your site, but are in fact hacker-designed bots that exploit well-known vulnerabilities on your server or website. In fact, a 2012 study by website security company Incapsula concluded that 51 percent of all website traffic is nonhuman. Five percent of all traffic is from automated hacking tools searching for vulnerabilities, and 2 percent is from automated comment spammers.

The odds of a robot finding a security vulnerability on your website are much higher than the odds of a human spending hours hacking into your site. Most of the time, the war against hackers is a war against thousands of bots that poke your website trying to get through.

Keeping a website secure is all about making the hacker's life difficult on as many levels as possible by doing small things. It's a numbers game; you want to reduce the chance of being hacked, and you want to increase the chance of detecting a hack if it happens.

Update WordPress, themes and plug-ins

Plug-ins are custom pieces of code developed by more-or-less skilled developers who are usually working alone, as opposed to being part of a team that has all the necessary testing and quality control departments. As a result, plug-ins can not only be unstable, but can become a security problem.

When a security hole for a plug-in is discovered, the news spreads like wildfire throughout the hacker community. If you happen to have that particular plug-in and that particular version, you're in danger of a random hacker finding your site and, at the very least, toying around with it to improve his or her hacking skills.

That's why it's important to keep plug-ins to a minimum, reducing the chance of one of them causing a problem down the line. It's equally important to use stable plug-ins by reputable developers. Don't install junk on your site, and uninstall any plug-in or theme you aren't using.

Don't use admin as a username

Most hackers or bots trying to gain access to your site administration area assume the WordPress administrator username is admin. If it's not, they're in a lot of trouble; they now have two things to guess instead of one.

To change your administrator username, you'll have to edit the MySQL database. Google "how to change WordPress admin username" and you'll find step-by-step guides.

An important note: Open a different author account to post articles on the site. Otherwise, the admin username might come up in every article, and it won't be a secret anymore.

Secure the /wp-admin folder

There are two ways to make your /wp-admin folder, which you use to log into the administration area of your WordPress website, more secure.

The first is to password-protect the directory, so a Web browser will ask for a password before you even enter the admin credentials. This is done through the cPanel — there's a feature called Password Protect Directories, and it's pretty straightforward.

The second way is to restrict access to the /wp-admin directory to your IP address, but since your IP is likely to be dynamic and therefore ever-changing, this can lead
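The two /wp-admin protections described above, written out as an Apache .htaccess file. This is an added example, not from the article: cPanel's Password Protect Directories feature generates the equivalent Basic-auth directives for you, and the password-file path and the IP address below are placeholders.

```apache
# /wp-admin/.htaccess  (Apache 2.4 directive syntax)

# Layer 1: HTTP Basic authentication. The browser prompts for these
# credentials before WordPress ever sees the request. The path is a
# placeholder; create the file with the htpasswd tool outside the web root.
AuthType Basic
AuthName "Restricted area"
AuthUserFile /home/example/.htpasswds/wp-admin.htpasswd

# Layer 2: allow only your own IP address. 203.0.113.10 is a placeholder
# from the documentation range. Both conditions must hold, so a dynamic
# IP that changes locks you out until you update this line; if that is a
# risk for you, keep only "Require valid-user" and drop the RequireAll block.
<RequireAll>
    Require valid-user
    Require ip 203.0.113.10
</RequireAll>

# Exception: themes and plug-ins call admin-ajax.php from the public
# front end for logged-out visitors, so it must stay reachable or those
# features break. This Files block overrides the directory-wide rule.
<Files admin-ajax.php>
    Require all granted
</Files>
```

Note that wp-login.php lives in the site root, not in /wp-admin, so bots posting credentials straight at the login form are not covered by this file; the same Basic-auth directives inside a `<Files wp-login.php>` block in the root .htaccess put the same gate in front of the login form itself.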
