A recent check of our metrics showed that there are over 1,500 brute-force login attempts every day on our site. So you know if our tiny little site is getting hit this hard, it’s the same for many other sites too. There are many great reasons to have an open-source system for your website, but from those numbers there are clearly some downsides as well. The primary one is that every single person on earth now knows the address for logging in to your site. And if everyone knows the address for logging in, it’s not hard for them to come knocking on your door as often as they like.
There are many articles on this subject explaining why we don’t do it: it’s called security through obscurity. Sure, you could go ahead and change the login URL, but that comes with its own set of problems, such as issues with updates, usability, etc. The key point is that we see obscurity as a weak layer of protection, not worth the other problems it creates.
So how do you make your site secure against this constant stream of brute-force login attempts? Here are some steps we carry out. Keep in mind these are specific to WordPress, but they have similarities with other open-source CMSes, like Drupal.
There has to be an administrative super-user on the site. But it doesn’t have to be called “admin.” Name it something else, perhaps specific to your use case or even your name. This is bordering on the “security through obscurity” we mentioned above, but it’s a logical step. And it allows an additional layer of security I’ll talk about in a later point.
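The metric check mentioned at the top of this post, and the reason a renamed super-user is more than obscurity, are easier to see with a small detection script. The following is an added example, not code from the post or from any WordPress plugin. It assumes a constructed one-line-per-login-attempt log format (timestamp, source IP, username, result) such as a site-side logging hook might emit; WordPress does not produce this format by itself. It counts failures per source IP inside a sliding window and separately reports any IP that tried the default "admin" username, which on a site that has renamed its administrator can only be an attacker.

```python
"""Count failed WordPress login attempts per source IP from login-event lines.

The log format below is constructed for this example (one line per login
attempt, as a site-side logging hook might emit it); it is not a format
WordPress produces out of the box.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# One record per login attempt: ISO timestamp, client IP, username, outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: a burst of failures from one address against the
# default "admin" account, a real editor who mistypes once, and a slow
# trickle from a third address that never reaches the threshold.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.7 user=admin result=fail
2024-05-01T10:00:02Z ip=203.0.113.7 user=admin result=fail
2024-05-01T10:00:02Z ip=203.0.113.7 user=admin result=fail
2024-05-01T10:00:03Z ip=203.0.113.7 user=admin result=fail
2024-05-01T10:00:04Z ip=203.0.113.7 user=admin result=fail
2024-05-01T10:00:05Z ip=203.0.113.7 user=admin result=fail
2024-05-01T10:01:00Z ip=198.51.100.22 user=site_editor result=fail
2024-05-01T10:01:20Z ip=198.51.100.22 user=site_editor result=ok
2024-05-01T10:30:00Z ip=192.0.2.9 user=administrator result=fail
2024-05-01T12:00:00Z ip=192.0.2.9 user=administrator result=fail
"""


def parse_events(text):
    """Parse log text into (timestamp, ip, user, result) tuples, skipping bad lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a malformed line should not abort the whole report
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def flag_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: time at which ip first reached `threshold` failures within `window`}."""
    recent = defaultdict(deque)  # per-IP timestamps of failures still inside the window
    flagged = {}
    for ts, ip, user, result in sorted(events):
        if result != "fail":
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures that have aged out
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def decoy_usernames_hit(events, decoys=("admin",)):
    """IPs that tried a username that should no longer exist on the site."""
    return {ip for _, ip, user, result in events if result == "fail" and user in decoys}


def summarize(text):
    """Daily-style report: total failures, brute-force sources, decoy-username sources."""
    events = parse_events(text)
    return {
        "failed_total": sum(1 for e in events if e[3] == "fail"),
        "bruteforce_ips": flag_bruteforce(events),
        "decoy_ips": decoy_usernames_hit(events),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

Run against a real login log, the `failed_total` figure is the kind of number quoted at the top of this post, and the `decoy_ips` set is the list a lockout rule can act on immediately: once the administrator account is no longer called "admin", nobody has a legitimate reason to try that name.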
We can’t stress this one enough. If even one of your users has a weak password, and they have advanced privileges on the site, your site is extremely vulnerable. Some people might not like using secure passwords, but there’s simply no wiggle room on this one. Get them to use a password manager and lock it down!
Open-source projects are always releasing security and feature updates. Those security updates are really important, not only for the WordPress core but for every single one of your plugins as well. If a security update comes out and you don’t apply it, you’re opening up your site to attack. We check and update our sites monthly, and even more often when there are critical updates.
We use Pantheon for hosting our sites, because it provides lots of security and performance all in one package – not to mention a silky-smooth workflow that connects with our rhythm just right. Having Pantheon makes it so that all we have to worry about is the site and the site’s code. We don’t have to worry about whether servers are updated and whether they’ll be hacked. And if the worst were to happen, they have automated backups that can be restored in minutes.
Get Cloudflare and put it in front of your website. Even at the free level it has firewall features and other things that’ll keep bad actors from ever even having a chance to touch your site. And the paid plans have web application firewalls (WAFs) that specifically target WordPress and other CMSes. You can also set up page rules to specifically increase security for the WordPress administrative interface.
We don’t think that a single plugin should be a one-stop-shop for solving all of your problems. In fact, sometimes plugins can create more trouble than they’re worth or provide functionality you don’t need, opening you up to potentially more issues. However, there’s a time and a place to properly evaluate and employ a good plugin. And if the developers are actively working on it and improving it, that’s even better. There are a number of security plugins out there, but we chose to start using one called “iThemes Security Pro.” It actually does have too many features to list, but they can all be enabled or disabled. Here are a few we use:
Your website is your public face. You can’t afford to let hackers get in there and mess it up. If any of this doesn’t make sense, get someone to help you with it, because it’s a lot easier to deal with this proactively than to wait until your site is compromised. We work with our clients on this regularly and consider it absolutely basic to caring for your site.