Tips&Tricks for the pro butterfly
I’m hoping your site hasn’t been hacked, but it might be. After being the target of an attempted hack this week, I can sure tell you it feels GREAT to know you’ve done your best to be safe. I was always of the “my blog won’t be a target, it’s too modest” kind of conviction. Then there was a giveaway hop, traffic surged (as it often does with these things), and I have a sinking suspicion the traffic surge & attack might have been connected somehow. Maybe it’s a coincidence, but I’m not a big believer in coincidences 🙂
Security Lessons Learned:
1. I’m telling you from personal experience that having any user with the username “admin” is a really bad idea – it’s the first forced login attempt the attack went with. What came second? The domain name, ie “butterfly-o-meter”. So DON’T use either the generic “admin” or your domain’s actual name as usernames, that’s my advice. If you have, like Ash advises, make yourself new user(s) with the same rights and get rid of those sitting duck targets. I didn’t have either of these, luckily, which made me feel better when I realized I was under attack. Be smart, keep yourself safe to begin with!
2. Use STRONG passwords! I’m talking letters, capital & not, punctuation marks, numbers, the works! Is it hell to remember? You don’t have to. Keep it written down in your Important Stuff Notebook (preferably a planner or something that exists in real life & you know you always take real good care of; that’s where I keep all my passes & account details). You can also use programs to keep track of them, but I feel my planner, which is at home & safe at all times, is the kind of data nobody can steal. Am I paranoid? Maybe. Does it help to keep my stuff safer? Definitely.
If your password is long, complex, lots of different combinations of things, it makes it a lot harder to hack. Unless it’s a personal attack (ie there’s someone brainy enough to be able to hack you that’s attacking your a$$, in which case, my thoughts are you’re pretty much gonna get hacked whatever you do), bots will only try to attack for a predetermined time period, number of tries, etc most likely. Attacks tend to last for a while, generally not very long, trying out your defenses, and then move on to greener, richer grass. Make sure the greener grass isn’t you!
3. Defense Line Plugins Galore!!
I’m using pretty much everything I could find & look into, firewall, bad request handlers, login attempts regulators, IP blocking options, the works! As things look now, we seem to have gotten out of the dangerous waters, and I’m pretty sure these plugins did a great lot of work for that!
I already had up some defenses, which is why I realized we were under attack at the first attempt, pretty much. But as soon as I got the first email alert someone was trying to log in with the “admin” username I don’t have, I knew it was hack bot attack time and doubled down on security, Fort Knox style, as much as I possibly could.
Be smart about it though, read carefully, mix & match them so they do different things rather than overlapping their action. After installing them, be sure to actually use them, ie configure them! Very few work “out of the box”, so look around, read around, find out how to configure them and do so. Just having them installed won’t keep you safe, you have to make them work for you!
I’m not a hardcore coder, but I do speak some code and have some basic understanding of what one thing or the other is. I won’t lie, it helped a heck of a lot to know what I was reading about, looking for, what options I had to consider! But I had to do this extra security setup while under attack, which is not when you should do it!
If you’re looking for some good tips, check out also Parajunkee‘s post on security, Lock Down Your Blog! I really like a couple of those options there, combined: Wordfence, WP Simple Firewall, Block Bad Queries, Sucuri, WordPress File Monitor Plus, and consider BulletProof & Better WP Security too. Mix & match, because it’s better to be safe than sorry! Make those plugins work for you:
– limit forced login attempts, password recovery form use (possibly setting up alerts for when it happens, cause if you’re the only user on your blog, it’s obvious it ain’t you!)
– set up alerts so you know when you’re under attack – there are things you can do to try and manage it: temporarily blocking malicious IPs, toughening up the security levels all over, etc. It’s a crisis kind of battle plan, it’s good to know when you have to actually use those hardcore-like options!
– as soon as you realize you are under attack, rethink what email alerts you want to get while it lasts. Depending on how mean the bot is, you could be looking at tens, hundreds, thousands of potential alerts maybe. Only keep active those that are actually helpful to you right now, in crisis mode.
– eat a lot of chocolate & read something smutty and real good – okay, so it’s not actually a security thing, but it helps keep you out of freak-out-land while you’re under attack, lol
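As an added example (not from the original post, and not code from any of the plugins named above) of what the “limit login attempts + alerts” setup is actually doing behind the scenes: a small Python script that reads a constructed failed-login log, flags IPs that hammer the login form, notes which ones tried the sitting-duck usernames from lesson 1, and boils everything down to one digest line per IP instead of one email per attempt. The log format, thresholds and usernames are all made up for this example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed wp-login.php attempts: "date time source-IP username-tried".
# Not any real plugin's log format; a limit-login plugin's export could be mapped to these fields.
SAMPLE_LOG = """\
2013-02-10 14:03:11 203.0.113.5 admin
2013-02-10 14:03:12 203.0.113.5 admin
2013-02-10 14:03:14 203.0.113.5 butterfly-o-meter
2013-02-10 14:03:15 203.0.113.5 butterfly-o-meter
2013-02-10 14:03:17 203.0.113.5 butterfly-o-meter
2013-02-10 14:03:19 203.0.113.5 administrator
2013-02-10 14:20:02 198.51.100.7 myrealuser
2013-02-10 14:21:40 198.51.100.7 myrealuser
"""

# The "sitting duck" usernames from lesson 1: the generic ones plus the site's own domain name.
SITTING_DUCKS = {"admin", "administrator", "butterfly-o-meter"}
MAX_FAILS = 5                   # failures allowed per IP ...
WINDOW = timedelta(minutes=10)  # ... inside this window before the IP gets flagged

def parse_log(text):
    """Turn the raw log into (timestamp, ip, username) tuples."""
    events = []
    for line in text.splitlines():
        date, clock, ip, user = line.split()
        events.append((datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"), ip, user))
    return events

def analyse(events):
    """Return (IPs worth blocking, IPs that probed sitting-duck usernames)."""
    by_ip = defaultdict(list)
    probing = set()
    for ts, ip, user in events:
        by_ip[ip].append(ts)
        if user in SITTING_DUCKS:
            probing.add(ip)
    block = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        # Sliding window: do MAX_FAILS consecutive failures fit inside WINDOW?
        for i in range(len(stamps) - MAX_FAILS + 1):
            if stamps[i + MAX_FAILS - 1] - stamps[i] <= WINDOW:
                block.add(ip)
                break
    return block, probing

def digest(events, flagged):
    """One summary per flagged IP (attempt count) instead of one alert per attempt."""
    counts = Counter(ip for _, ip, _ in events)
    return {ip: counts[ip] for ip in flagged}
```

Two legitimate typos from your own IP over twenty minutes stay under the threshold, while a bot walking through “admin”, the domain name and “administrator” in seconds shows up as a single digest entry.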