This section of my WordPress Security Guide deals with how to block spam and hack attempts. Do you have any idea how many times per day someone or something tries to break into your web site? Server admins who review the log files know, because they see the attempts every day, but as a blogger you may have no clue how often it happens.
I want you to think about this for a second… if you were sitting in your living room watching TV and five times an hour you heard somebody wiggle all your door handles and windows to see if they were locked or unlocked – wouldn’t you think about beefing up security a bit? This is exactly what is already happening on your blog 24 hours a day!
Hackers and spammers want to hack or hijack your web site to install scripts, build links, hijack your traffic, and more. Don’t believe me? Not worried because you’ve never been hacked? Talk to some of my clients on my testimonials page – they thought it would never happen to them either.
Here are some of the most common WordPress hacks I hear about every week:
- Our WordPress blog has been hit by the Spam Link Injection Hack
- WordPress exploit: wordpress_options
- WordPress hack: sattan.org spam redirect in wp-blog-header.php files
- WordPress QahTaN-SniPer Hack
- WordPress google redirect hack
Those are just a few out of dozens and dozens. So now let’s get started figuring out how to block all these bad guys!
Do you get a lot of spammy comments on your web site? If you allow users to register on your blog, do you get some accounts that seem to be created by automated software or bots? If you’re not protected against these kinds of things, you are encouraging “bad behaviour” on your blog. WordPress comes with Akismet out of the box, a plugin that does a pretty decent job at cutting out spam comments – but some still manage to slip through, don’t they? Consider some additional protection such as WP Spamfree. I recommend Spamfree because it works silently, and unlike other plugins it requires no intervention from the user at all, such as challenge questions or CAPTCHAs. It gets rid of automated comments from bots, and trackback and pingback spam. In addition, it works with WP Cache and Super Cache, as well as WordPress MU. Oh – did I mention it’s updated (as of this writing) to work with even WordPress 2.9 (which isn’t even out yet)? This plugin can be used with Akismet activated, but its documentation says that isn’t necessary. I actually got rid of Akismet when I installed this – and personally I think it works much better. I know that it catches double the amount of spam comments that Akismet did.
Once you install WP Spamfree “it just works”. The documentation says it will work just fine with Akismet activated, but that it’s not necessary (because this plugin is more effective). If you allow users to register on your WordPress site, you are a target. Installing a WordPress plugin to Prevent Bot Registrations will save you a lot of headaches. It keeps bots from registering on your site: it blocks any bot whose IP shows up more than twice, anyone listed in Spamhaus, or anyone you’ve blacklisted.
You’ve blocked the bots and the spam, but what if a live person gets through with the intent of crafting a comment that does your site harm? Some of the latest attacks infecting blogs use “XSS”, or cross-site scripting. To guard against that you could install HTML Purified. It replaces the default WordPress comment filter with a much stronger HTML filtering library. It produces XHTML-compliant code for your comments, but more importantly it’s “XSS safe”. You have fine-grained control over what tags are allowed, and over whether or not to filter admin users as well.
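Here is what an allowlist-based comment filter of the kind HTML Purified provides boils down to, as an added Python example (this is not the plugin's PHP, and the tag and attribute allowlist is an assumption of the example): the comment is parsed rather than regex-patched, only allowlisted tags and attributes are rebuilt, link URLs are restricted to http(s) and mailto, script and style content is thrown away, unclosed tags are balanced, and all text is re-escaped on the way out.

```python
# Added illustration of allowlist-based comment sanitizing; this is not the HTML Purified plugin's code.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags a commenter may use, and the attributes permitted on each. Everything else is dropped.
# This allowlist is an assumption for the example; a real filter exposes it as a setting.
ALLOWED_TAGS = {
    "a": {"href", "title"},
    "b": set(), "strong": set(), "i": set(), "em": set(),
    "code": set(), "blockquote": {"cite"}, "p": set(), "br": set(),
}
VOID_TAGS = {"br"}
SAFE_URL_SCHEMES = {"http", "https", "mailto"}


def safe_url(value):
    """Allow relative links and http(s)/mailto URLs only, so javascript: and data: URLs never survive.
    Whitespace and control characters are removed before looking at the scheme, because browsers
    ignore them inside a scheme name."""
    cleaned = "".join(ch for ch in value if not ch.isspace() and ch.isprintable())
    scheme = urlparse(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_URL_SCHEMES


class CommentSanitizer(HTMLParser):
    """Rebuilds the comment from parsed tokens instead of trying to patch the raw string with regexes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowed tags still awaiting their closing tag
        self.skip_depth = 0   # > 0 while inside <script>/<style>, whose text is discarded too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped, its text content is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue  # on* event handlers and style= are never in the allowlist
            if name in ("href", "cite") and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if tag not in self.open_tags:
            return  # stray or disallowed closing tag
        while self.open_tags:  # also close anything left open inside this element
            closing = self.open_tags.pop()
            self.out.append(f"</{closing}>")
            if closing == tag:
                break

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(escape(data, quote=False))  # text is always re-escaped on output


def sanitize_comment(raw_html):
    """Return XSS-safe markup built only from allowlisted tags and attributes."""
    parser = CommentSanitizer()
    parser.feed(raw_html)
    parser.close()
    while parser.open_tags:  # balance tags the commenter left open
        parser.out.append(f"</{parser.open_tags.pop()}>")
    return "".join(parser.out)


if __name__ == "__main__":
    for sample in ('<b>Nice</b> post!',
                   '<script>alert(1)</script>Hi',
                   '<a href="javascript:alert(1)" onclick="x()">click</a>',
                   '<img src=x onerror=alert(1)><em>oops'):
        print(repr(sample), "->", repr(sanitize_comment(sample)))
```

The important design choice is that the output is generated from the parse tree, never copied from the input: a tag or attribute either matches the allowlist and is re-serialized with escaping, or it does not exist in the result. That is what makes the filter "XSS safe" regardless of how the commenter encodes the payload.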
Another incredible plugin I’ve found recently is WordPress Firewall. I have to say – this thing is great! I’ve installed a lot of plugins to do individual things, but WP Firewall seems to kill a lot of birds with one stone. Here are some of the features:
- WP Firewall configures itself as the first plugin to load, for better security
- It looks for suspicious incoming requests to protect your WordPress files, and other plugin files as well
- Attacker requests get a 404 error page or a redirect to the home page
- You can turn “directory indexing” on or off
- WP Firewall can detect SQL injection attacks
- It can detect WordPress-specific database attacks
- It can block executable file uploads
- Email alerts for attack attempts
If you want to know how well it works, check out this email I got within 24 hours of installing it:
Unbelievable, huh!? Out of all the free WordPress security plugins available, I think WordPress Firewall is one of the best so far.
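To make the feature list concrete, here is an added Python example of the kind of request inspection WP Firewall performs (this is an illustration written for this guide, not the plugin's own code; the pattern list, the protected-file paths and the upload-extension list are assumptions, and the paths assume WordPress is installed at the web root): each request's path is checked against files nobody should fetch directly, each decoded parameter is checked for directory traversal and common SQL injection shapes, uploads with executable or double extensions are refused, and anything blocked gets a bare 404 plus an alert body for the e-mail.

```python
# Added illustration of request inspection in the style of WordPress Firewall; not the plugin's own code.
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Coarse SQL-injection indicators, checked against each decoded parameter value. A filter like this
# accepts some false positives (a comment containing "and 1 = 1") in exchange for stopping automated probes.
SQLI_PATTERNS = [
    re.compile(r"\bunion\b.+\bselect\b", re.I),
    re.compile(r"\b(or|and)\b\s+\d+\s*=\s*\d+", re.I),
    re.compile(r"(;|\s)--(\s|$)"),
    re.compile(r"\binformation_schema\b", re.I),
    re.compile(r"\bwp_(users|options|usermeta)\b", re.I),  # WordPress table names have no place in user input
]
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# Files a visitor never needs to fetch directly (assumes WordPress lives at the web root).
PROTECTED_PATHS = ("/wp-config.php", "/.htaccess", "/wp-content/debug.log")
# Upload extensions the web server would execute instead of serving as a download.
EXECUTABLE_EXTENSIONS = (".php", ".php3", ".php5", ".phtml", ".phar", ".cgi", ".pl", ".exe", ".sh")


def inspect_request(url, upload_filename=None):
    """Return ("allow", "") or ("block", reason) for one incoming request."""
    parts = urlsplit(url)
    path = unquote_plus(parts.path).lower()
    if any(path.startswith(p) for p in PROTECTED_PATHS):
        return ("block", f"direct request for protected file {path}")
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = unquote_plus(value)  # parse_qsl decoded once; decode again to see through double encoding
        if TRAVERSAL.search(decoded):
            return ("block", f"directory traversal in parameter {key!r}")
        if any(p.search(decoded) for p in SQLI_PATTERNS):
            return ("block", f"SQL injection pattern in parameter {key!r}")
    if upload_filename:
        name = upload_filename.lower()
        # catch both "x.php" and double extensions such as "x.php.jpg"
        if name.endswith(EXECUTABLE_EXTENSIONS) or any(ext + "." in name for ext in EXECUTABLE_EXTENSIONS):
            return ("block", f"executable upload {upload_filename!r}")
    return ("allow", "")


def http_status(decision):
    """Blocked probes get a bare 404, so the scanner learns nothing about what is behind the filter."""
    return 404 if decision[0] == "block" else 200


def alert_text(client_ip, url, decision):
    """Body of the e-mail alert the plugin would send for a blocked request."""
    return f"Blocked request from {client_ip}\nURL: {url}\nReason: {decision[1]}"


if __name__ == "__main__":
    # constructed requests, using documentation address 198.51.100.23 as the client
    for url in ("http://example.com/?p=1",
                "http://example.com/wp-config.php",
                "http://example.com/?id=1%20UNION%20SELECT%20user_login%20FROM%20wp_users"):
        decision = inspect_request(url)
        print(http_status(decision), url)
        if decision[0] == "block":
            print(alert_text("198.51.100.23", url, decision))
```

Because the check runs on the decoded value, a probe cannot slip past it simply by percent-encoding the payload, which is the main thing that separates a useful filter from one that only matches the literal string.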
Tracking Errors and Hack Attempts
I think in addition to blocking spam and hackers, it’s also important to track your errors and hack attempts if you can, and review them on a regular basis. Check out the following plugins to watch what’s going on in your WordPress blog:
Tripwire is a plugin that scans for changed files within your WordPress site. Once installed, all you have to do is tell it how many days back to check, and it will list all the files that have been changed in that period. In the case of my example image, I had upgraded WordPress on June 11th, and all those files were listed. If you check your files for the last 30 days and lots of files have been changed (and you didn’t just upgrade WordPress) – you may have an issue. It’s worth mentioning again that the WP Antivirus plugin will check your WordPress theme files and email you automatically if one of them has a suspected virus. Tripwire will check all the files in your WordPress site, but has no automatic notification.
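The following added Python example (written for this guide, not the Tripwire plugin's own code) shows the two ways a change scanner can work on a constructed miniature install: the mtime scan the plugin does ("what changed in the last N days"), and a content-hash comparison against a saved baseline, which still catches a modified file whose timestamp was reset to look old. The file names and contents are stand-ins built by the example itself in a temporary directory.

```python
# Added illustration of file-change scanning in the spirit of the Tripwire plugin; not the plugin's own code.
import hashlib
import os
import shutil
import tempfile
import time

DAY = 86400


def scan_tree(root):
    """Map each regular file under root (relative path) to its SHA-256 digest and modification time."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(full, root)] = (digest, os.path.getmtime(full))
    return manifest


def changed_since(manifest, days, now=None):
    """What the plugin reports: files whose mtime falls inside the last `days` days."""
    now = time.time() if now is None else now
    return sorted(path for path, (_digest, mtime) in manifest.items() if mtime >= now - days * DAY)


def diff_manifests(baseline, current):
    """Content comparison against a saved baseline: catches edits even when the mtime was reset."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current) if baseline[p][0] != current[p][0]),
    }


def demo():
    """Build a constructed mini install, baseline it, tamper with it, and return both reports."""
    root = tempfile.mkdtemp(prefix="wp-tripwire-demo-")
    try:
        files = {  # constructed stand-ins for a core file and a theme file
            "wp-blog-header.php": "<?php require 'wp-load.php';\n",
            "wp-content/themes/default/index.php": "<?php get_header();\n",
        }
        forty_days_ago = time.time() - 40 * DAY
        for rel, body in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(body)
            os.utime(full, (forty_days_ago, forty_days_ago))  # pretend the install is six weeks old
        baseline = scan_tree(root)

        # Tampering, constructed: a line appended to the header file with its mtime reset afterwards
        # (so an mtime-only scan misses it), plus a new file dropped into the uploads folder.
        header = os.path.join(root, "wp-blog-header.php")
        with open(header, "a") as fh:
            fh.write("// constructed tamper marker\n")
        os.utime(header, (forty_days_ago, forty_days_ago))
        extra = os.path.join(root, "wp-content", "uploads", "extra.php")
        os.makedirs(os.path.dirname(extra), exist_ok=True)
        with open(extra, "w") as fh:
            fh.write("<?php // constructed placeholder\n")

        current = scan_tree(root)
        return {"recent": changed_since(current, 30), "diff": diff_manifests(baseline, current)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    report = demo()
    print("changed in last 30 days (mtime):", report["recent"])
    print("content diff vs baseline:", report["diff"])
```

Running it shows the gap between the two approaches: the mtime scan only lists the new upload, while the baseline comparison also flags the edited header file. If you keep a baseline manifest, store it somewhere the web server cannot write to, otherwise whoever edits the files can edit the baseline too.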
Login Lockdown is a plugin that monitors login attempts to your WordPress site. It records the IP address and timestamp of every attempt. If there are a certain number of attempts within a period of time, logins are disabled for that IP range. The default is 3 failed login attempts within 5 minutes, and the lockout time is 1 hour. You can of course change these in the plugin options to any amount you want. Without this plugin installed, you would never know if you have failed login attempts at all.
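Here is the lockout logic described above written out as an added Python example (an illustration for this guide, not the plugin's own code), using the plugin's defaults of 3 failures within 5 minutes and a 1-hour lockout. The page says the plugin disables logins for an IP range but does not give the range width, so this example keys on the single address; the IP addresses and timestamps in the scenarios are constructed.

```python
# Added illustration of the lockout logic Login Lockdown describes; this is not the plugin's own code.
from collections import defaultdict, deque


class LoginLockdown:
    """Lock an IP after `max_failures` failed logins within `window_seconds`, for `lockout_seconds`.

    Defaults match the plugin's: 3 failures in 5 minutes locks for 1 hour. The plugin locks an IP
    range; the range width is not stated, so this example keys on the single address.
    """

    def __init__(self, max_failures=3, window_seconds=300, lockout_seconds=3600):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time the lock expires
        self.log = []                       # (timestamp, ip, event): the record the plugin lets you review

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[ip]  # lock has expired
            return False
        return True

    def attempt(self, ip, password_ok, now):
        """Record one login attempt; returns 'locked', 'ok', 'failed' or 'locked_out' (lock just triggered)."""
        if self.is_locked(ip, now):
            self.log.append((now, ip, "rejected: locked out"))
            return "locked"  # even a correct password is refused while locked
        if password_ok:
            self.failures.pop(ip, None)  # a successful login clears the failure history
            self.log.append((now, ip, "success"))
            return "ok"
        recent = self.failures[ip]
        recent.append(now)
        while recent and recent[0] <= now - self.window_seconds:
            recent.popleft()  # forget failures older than the window
        self.log.append((now, ip, "failed"))
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout_seconds
            recent.clear()
            self.log.append((now, ip, f"locked for {self.lockout_seconds}s"))
            return "locked_out"
        return "failed"


def scenario():
    """Constructed sequence (documentation IPs, times in seconds) showing lock, refusal and expiry."""
    guard = LoginLockdown()
    return [
        guard.attempt("203.0.113.5", False, 0),
        guard.attempt("203.0.113.5", False, 60),
        guard.attempt("203.0.113.5", False, 120),   # third failure inside 5 minutes -> locked until t=3720
        guard.attempt("203.0.113.5", True, 200),    # right password, still refused
        guard.attempt("198.51.100.7", True, 200),   # other addresses are unaffected
        guard.attempt("203.0.113.5", True, 3720),   # lock expired, login succeeds
    ]


def window_scenario():
    """Three failures spread over more than 5 minutes do not trigger a lock."""
    guard = LoginLockdown()
    return [guard.attempt("203.0.113.5", False, t) for t in (0, 100, 400)]


if __name__ == "__main__":
    print(scenario())
    print(window_scenario())
```

Note that the log records every attempt, including the ones rejected during a lockout, which is exactly the visibility the text says you lack without such a plugin.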
Error Reporting is a WordPress plugin that saves any errors your WordPress site generates to a log file for you to view. In the configuration options you can choose what kinds of errors are saved, from what folders, and whether you want repeat errors to be saved more than once. You can even choose to have the errors sent to you by email. I like this plugin because it also detects failed ping attempts. Every WordPress site has errors from time to time, and sometimes they only occur once or twice. It becomes problematic if you get constant errors from a theme, plugin, or WordPress itself. A plugin like this is the only way to check for those errors. Even if you can’t take care of the problem yourself, you will at least have an error message to ask about in WordPress Support, or to give to a WordPress consultant. Here’s an image of the log file options for the “Error Reporting plugin”:
Another handy plugin is “404 Notifier”. Once installed, it will email you each time your site generates a “404 Not Found” error. This is helpful in two regards. First, if you get errors for the same page all the time – you can fix them by creating that page. More importantly (and most likely) the errors you get will be ones you don’t expect, like missing CSS files or includes for plugins or themes – and you can fix those too. The second reason is probably one you don’t know about: many attackers will send your site a garbage request such as “http://mysite.com/crap/garbargeurl?=3o2349-admeknow.js” or something like that. It’s basically just a quick check to see what your server will do – generate a 404 error, or show a directory index – and also to check whether you’re running WordPress (or something else), and what version. This by itself isn’t enough information, but it’s a good start. I once had a site that received hundreds of incoming garbage requests like this per day; I found them in the logs about a month later. A 404 notification plugin like this would have clued me in right away. You can then block the IP addresses they are coming from, and you can always contact support at your web host for assistance with something like this (or follow the directions earlier to limit access to your site using your .htaccess file). Here’s an image of the 404 Notifier setup options. You’ll see that not only can you get email notification, but the events are also saved to an RSS feed as well.
With all of these tracking and notification plugins – your mileage may vary. I would recommend trying them all one by one, to see how they work for you. Also remember, you may not need to have them turned on all the time. You could run Tripwire as needed, run Login Lockdown all the time, and turn on Error Reporting and 404 Notifier as you feel necessary.
Stay tuned, the next installment of my WordPress Security Guide will go over how to use secure connections to make sure your username and password aren’t jacked each and every time you log in!
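The two kinds of 404 described above can be told apart mechanically. The added Python example below (written for this guide, not the 404 Notifier plugin's code) parses constructed Apache "combined" log lines, including a request in the style of the garbage URL quoted above, separates addresses that miss many different paths (a scanner feeling out the server) from paths that ordinary visitors keep missing (things you should fix), and emits the Apache 2.2-style .htaccess deny lines the text suggests as the follow-up. The IP addresses are documentation ranges and the log lines are constructed.

```python
# Added illustration of 404 triage over server logs, in the spirit of 404 Notifier; not the plugin's own code.
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" log format: ip ident user [time] "method path protocol" status bytes "referer" "agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample: two real visitors hitting a missing stylesheet, and one address probing for files
# that do not exist (including a garbage-URL request of the kind quoted in the text).
SAMPLE_LOG = """\
203.0.113.9 - - [11/Jun/2009:10:01:02 -0500] "GET /2009/06/hello-world/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [11/Jun/2009:10:01:03 -0500] "GET /wp-content/themes/mytheme/missing.css HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.23 - - [11/Jun/2009:10:05:00 -0500] "GET /crap/garbargeurl?=3o2349-admeknow.js HTTP/1.0" 404 512 "-" "-"
198.51.100.23 - - [11/Jun/2009:10:05:01 -0500] "GET /old-admin/ HTTP/1.0" 404 512 "-" "-"
198.51.100.23 - - [11/Jun/2009:10:05:02 -0500] "GET /backup.zip HTTP/1.0" 404 512 "-" "-"
198.51.100.23 - - [11/Jun/2009:10:05:03 -0500] "GET /test.php HTTP/1.0" 404 512 "-" "-"
192.0.2.14 - - [11/Jun/2009:10:07:30 -0500] "GET /wp-content/themes/mytheme/missing.css HTTP/1.1" 404 512 "-" "Mozilla/5.0"
"""


def parse_404s(log_text):
    """Return (ip, path) for every request the server answered with 404."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("status") == "404":
            hits.append((m.group("ip"), m.group("path")))
    return hits


def triage(hits, probe_threshold=3):
    """Separate the two kinds of 404 the text describes.

    probe_ips: addresses that missed `probe_threshold` or more distinct paths, the signature of a
    scanner feeling out the server. broken_paths: URLs ordinary visitors keep missing, which you fix.
    """
    paths_by_ip = defaultdict(set)
    for ip, path in hits:
        paths_by_ip[ip].add(path)
    probe_ips = sorted(ip for ip, paths in paths_by_ip.items() if len(paths) >= probe_threshold)
    misses = Counter(path for ip, path in hits if ip not in probe_ips)
    broken = sorted(path for path, n in misses.items() if n >= 2)
    return {"probe_ips": probe_ips, "broken_paths": broken}


def htaccess_deny(ips):
    """Apache 2.2-style .htaccess fragment blocking the probing addresses (the text's suggested follow-up)."""
    return "\n".join(["Order Allow,Deny", "Allow from all"] + [f"Deny from {ip}" for ip in ips])


if __name__ == "__main__":
    report = triage(parse_404s(SAMPLE_LOG))
    print("probing addresses:", report["probe_ips"])
    print("paths to fix:", report["broken_paths"])
    print(htaccess_deny(report["probe_ips"]))
```

The threshold of three distinct missing paths is a starting point, not a rule; a legitimate crawler following stale links can also pile up 404s, so review what a flagged address actually asked for before you deny it.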