Hi All,
My name is Ron Frazier. I've been a Security Now fan forever and a SpinRite user about as long. Thanks to Steve and Leo for all the good advice. Much of my security knowledge came from them. Then, I frequently go off on my own and do research. I often cite Steve's and Leo's work in my blog posts.
The following quote came from a post over in the Steve's Blog forum in the Welcome to the Blog thread. I decided to create a separate thread here solely about Securing WordPress ... Or Leaving WordPress.
This post came from OldAngryMan - https://forums.grc.com/members/oldangryman.2416/
Steve,
Couple of points on WordPress. I've been battling Brazilian and Russian hackers for almost a decade. I had to rebuild the website more than 10 times. Constant defacing, comment spam... I was an easy pick for these #$%&^*. Finally, I decided to stop and do some research. Apparently, I was not the only one pissed off enough to do something about it. One change to .htaccess to put in new rewriting rules which disabled the listing of login names, plus 2 free plug-ins to stop the brute force attacks, nasty URL formatting, known email addresses and IPs, country blocking, etc., has put the source of my constant aggravation to an end. I haven't been hacked in over 6 years. And, I sleep like a baby not worrying about my website.
1. WordPress plugin - Stop spammers by Trumani
2. Wordpress plugin - Edit Author Slug by Brandon Allen (I used something annoying that starts with "kissmy....")
3. Wordpress plugin - Edit User Name (to rename userid without needing SQL "update" skills)
4. Rename the default administrative account from "admin" to something cute and secret using plugin #3. Any attempt to use the default will be blacklisted by plugin #1.
5. Change user_id from 1 or 2 to something with a MUCH HIGHER value.
Easy peasy.
Finally, you will get one more source of entertainment and satisfaction: watching the logs included in plugin #1, the automatic blocking, the sending to the penalty box, and knowing that the ridiculing message, which YOU can create, was presented to the poor soul.
WordPress security is a topic near and dear to my heart. I have been running my Ron's Tech Rant blog for years, although for the last couple of years, I've been tied up with other things and haven't written articles. All this while, I've been using WordPress. I've done lots of research into securing it. Below, I share what I found out. I don't consider myself to be a WordPress expert, just a guy that listens to Security Now and who wants to run a blog and not get destroyed.
About 4 years ago I was deep into the battle with the hackers. I ended up writing this blog article.
How To START Securing Your WordPress Site
Shortly thereafter, the people at WordFence Security noted that many WordPress sites were being attacked by hacked routers. So, I wrote up and published this blog article.
Beefing Up Your ROUTER Security
Here's a summary of the points in the WordPress article. But, see the article for much more elaboration.
01) Use LastPass or something similar to generate a really long password for the WordPress site login. I like to use 32 or 64 random characters generally. I usually don't use symbols. Some websites balk at 64 characters, so I gravitate to 32 mostly.
02) Install Google Authenticator or something similar on at least 2 of your devices. This allows you to use a time varying 6 digit code as your 2nd factor. If you lose or break one device, you must have a backup for all your access codes. Every time you store an access code on one device, do it to the others. If you lose a device and the person that finds it could use your Google Authenticator, you must reset the 2FA credentials on every site where you've used them.
03) Install WordFence on your site.
04) Upgrade to WordFence premium.
05) Learn to use the 2FA (2nd factor authentication) features of WordFence. WARNING - if you do this, you will be required to append SPACE WF CODE to your password to login to your admin page, where the CODE is the time varying number from Google Authenticator. Make a note to yourself. You can save the note in LastPass. Have LastPass fill in the basic password and then append the 2FA code yourself. If you don't do this, and just have LastPass try to auto login to your site, it will fail repeatedly and you will get locked out of your own site. If the WordFence setup asks you to generate and save backup codes for alternate access, DO SO! You can also save those in your LastPass record where your main password is stored. This pretty much ends anyone's ability to break into your site through the front door, unless you get a virus in your PC or something and it steals your data.
06) Scan your site and fix any problems.
07) Use the Live Traffic feature to see what's hitting your site. If you have much traffic at all, you'll see lots of attacks, trying to access non-existent plugins and such. You can also note which countries most attacks come from.
08) Learn to use Country Blocking and use if appropriate.
09) Reduce the page access throttling limits if applicable.
10) Learn to use the other options in the WordFence setup.
11) Learn to use the WordFence support ticket system to ask questions when needed.
12) Join the WordFence mailing list to receive email updates of important security news.
13) Minimize plugin and theme use to the absolute minimum.
14) Use a hosting provider that provides safe mode or managed mode or something similar. This way they keep the WordPress and plugins up to date. PAY to get this if needed.
15) PAY a little extra if needed to get an SSL / TLS certificate so you can run your site with https encryption.
16) Consider the plugins shown below.
17) Hopefully, your site won’t be compromised. But, if it is, I would wholeheartedly recommend hiring the experts at WordFence to clean it for you. That’s what I would do.
The moral of the story is: Yes I strongly recommend WordFence. Yes you must actively be conscious of and actively involved in the security of your site. Yes you WILL be under attack whether you know it or not.
I am not affiliated with Wordfence in any way other than as a user.
*** plugin - Wordfence Security
*** plugin - BackupBuddy
The following two get rid of the Gutenberg editor - just my personal preference.
plugin - Advanced Editor Tools (previously TinyMCE Advanced)
plugin - Classic Editor
plugin - Disable Comments
The following two disable some automation on WordPress that allows, among other things, hackers to attack your site at high speed with automation to try huge numbers of attacks very quickly.
plugin - Disable REST API
plugin - Disable XML-RPC
This helps Google index your site and notifies them of changes.
plugin - Google XML Sitemaps
This helps make sure every link on your site is secured by SSL.
plugin - Really Simple SSL
As I understand it, current forum settings will delete this post in 7 days after it's replied to last. So, if you want a copy of this text, grab it and save it.
NOW, having said ALL that and ALL that's in those articles, the volume of WordPress attacks over the past few years has just gotten too big to keep up with. Steve and Leo have mentioned using a static site instead and abandoning WordPress altogether. They mentioned a site generator called Hugo. With a static site, there's no PHP, no automation, no programs, no dynamic site generation. Nothing but text, images, links, CSS (I presume), and other basic HTML features. There's no admin, and no admin login. There's no WordPress and no WordFence and no plugins. There's just the login to your web space where you upload the static text, a login which you should protect the same way I mentioned for the admin login above.
I'm planning on moving my site to a static site when I can. I tried a HUGO export plugin but couldn't get it to work.
Steve and Leo, if you'd like to explain how to get going with a static site, either here or on the podcast, that would be great.
Hopefully, that information helps. Some is a little dated, but it's mostly still relevant.
Sincerely,
Ron
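As an added example (not code from Ron's or OldAngryMan's posts), here is a small Python script that does, from a web-server access log, what the posts describe doing by eye in Wordfence Live Traffic: it counts, per client IP, the author-ID enumeration requests (the `?author=N` listing of login names OldAngryMan's .htaccess rule shuts off), XML-RPC and wp-login.php POST floods, and requests for plugins that are not installed. The log lines are constructed samples with documentation-range IPs, and the thresholds are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined-log style (documentation IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0
203.0.113.5 - - [10/May/2024:10:00:02 +0000] "GET /?author=2 HTTP/1.1" 301 0
203.0.113.5 - - [10/May/2024:10:00:03 +0000] "GET /?author=3 HTTP/1.1" 301 0
198.51.100.7 - - [10/May/2024:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
198.51.100.7 - - [10/May/2024:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
198.51.100.7 - - [10/May/2024:10:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
192.0.2.9 - - [10/May/2024:10:01:00 +0000] "GET /wp-content/plugins/example-plugin-1/readme.txt HTTP/1.1" 404 196
192.0.2.9 - - [10/May/2024:10:01:01 +0000] "GET /wp-content/plugins/example-plugin-2/readme.txt HTTP/1.1" 404 196
192.0.2.9 - - [10/May/2024:10:01:02 +0000] "GET /wp-content/plugins/example-plugin-3/readme.txt HTTP/1.1" 404 196
192.0.2.9 - - [10/May/2024:10:01:03 +0000] "GET /about/ HTTP/1.1" 200 5120
198.51.100.20 - - [10/May/2024:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2200
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')

# Probe patterns the posts talk about: author-ID enumeration, XML-RPC / wp-login.php POST floods,
# and requests for plugins that are not installed (they 404, as seen in Live Traffic).
def classify(req):
    path, method, status = req["path"], req["method"], req["status"]
    if re.search(r"[?&]author=\d+", path):
        return "author_enum"
    if path.startswith("/xmlrpc.php") and method == "POST":
        return "xmlrpc_post"
    if path.startswith("/wp-login.php") and method == "POST":
        return "login_post"
    if path.startswith("/wp-content/plugins/") and status == "404":
        return "plugin_probe"
    return None

# Per-IP counts at or above these thresholds (assumed values; tune for your traffic) are reported.
THRESHOLDS = {"author_enum": 3, "xmlrpc_post": 3, "login_post": 5, "plugin_probe": 3}

def suspicious_ips(log_text):
    """Return {ip: {probe_kind: count}} for every IP that crossed at least one threshold."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        kind = classify(m.groupdict())
        if kind:
            counts[m["ip"]][kind] += 1
    return {ip: {k: n for k, n in kinds.items() if n >= THRESHOLDS[k]}
            for ip, kinds in counts.items()
            if any(n >= THRESHOLDS[k] for k, n in kinds.items())}
```

Run it against a real access log (`suspicious_ips(open("access.log").read())`) and the IPs it returns are the candidates to review and, if warranted, block in Wordfence or .htaccess; a single wp-login.php POST, as in the last sample line, stays below threshold and is not reported.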