GPWA Times Magazine - Issue 32 - June 2015

Use a content delivery network

A content delivery network (CDN) provides an additional layer of security, as all traffic will first pass through the CDN and then be routed to your website. CDNs such as CloudFlare use this to block malicious visits before they even reach your site. This saves bandwidth and prevents bot attacks. It won't protect you from a human hacker, but you'll be a bit safer from automated attacks. You will also see less spam if you allow users to register and comment.

Keep monitoring your site

Securing a website isn't something you just do once and forget about. Instead, it's a dynamic process that demands ongoing attention after you have security measures in place. Most of the time you can get away with minimal security, but if you want to improve your chances of having a healthy site in the long run, you need to keep an eye out for intruders, as there are a lot of them trying to gain access to your site on a daily basis.

Do WordPress security plug-ins work?

WordPress security plug-ins, usually with about a million downloads and a five-star rating, don't do much. These plug-ins mostly deal with user authentication and failed login attempts. People who have a lot of spam comments on their blog install these in a futile attempt to resolve the issue. These plug-ins are designed to meet the demands of people who want to download such a plug-in, but the plug-in itself is useless.

WordPress security plug-ins don't work because they're native to the WordPress platform, while the major security vulnerabilities are external to WordPress and exist on the server. WordPress is a database-driven platform, and it's possible to gain access to the database in spite of the WordPress security plug-ins, because they don't protect the database at all. Also, if the hacker just wants to use your server to send mass e-mails, he or she doesn't need access to WordPress. He or she just needs the PHP mail() function to be enabled and doesn't care whether your site is built with WordPress, Joomla, Drupal or PHP.

No matter how popular the security plug-in is, it's probably not doing anything to make your site more secure and you'd be better off spending your time on something else. All the real security is done with Apache, meaning the .htaccess file.

When it comes to plug-ins, the only usable ones are those that scan your site for security vulnerabilities, such as Acunetix WP Security, and those that scan for malware, such as Sucuri Security. That's what you want: plug-ins that detect malware, intruders and hacking attempts; not a plug-in like All in One WP Security & Firewall that's basically a tool to manage spam and won't stop or detect a hacker.

Test (and keep testing) the security of your website

Download a free trial of a tool called Acunetix. It's a professional tool used by system engineers when they're testing the security of large systems. While the trial version won't reveal how to resolve a particular security issue, you'll get a full list of all discovered security problems so you can start addressing them one by one. Expect to be vulnerable to a denial-of-service (DoS) attack; pretty much everyone is. Address all other high-severity vulnerabilities.

There is also a WordPress plug-in, Acunetix WP Security, which is free and is used to detect WordPress-specific vulnerabilities. This is a must-have on all your WordPress sites.

Acunetix scans your website for security vulnerabilities in general and doesn't detect actual hacks or hacking attempts. For that, you'll want to use a malware scanner. Acunetix just helps you build a fortress — it doesn't detect intruders.

Dan Horvat has been described as a serial entrepreneur. He has been involved in the gaming industry for several years on both the operator and the affiliate side, most notably with the sports betting website Oklade.net. Apart from his online and offline business projects, he is majoring in computer science at Harvard University.
