Lock down: Securing Your WordPress Website


When building a WordPress website for clients, I am often asked, “What is the best security measure I can take to protect my site?” Simple as the question may be, the answer is complicated. The truth is that there are many different threats to your WordPress website that you should know about in order to secure your site properly.

A simple question never has a simple answer: a review of potential security threats


In 2013, bot activity overtook human traffic, accounting for over 61.5% of visits according to a study by the security firm Incapsula. In other words, three out of five visitors to your site are robots. Robots, or bots, are autonomous programs designed to perform simple and complex tasks more efficiently than humans, and they can imitate human behavior.

You may know the legitimate ones as spiders or crawlers. Google, Yahoo and Bing use crawlers to index information for their search results. Malicious bots have different goals, such as scraping content, spreading malware, link injection, spamming, and denial of service (DDoS), and they can cause serious damage to your site as well as to your SEO efforts.

Do they all pose a threat?

While some are malicious, the rest are harmless, legitimate bots, and you should be aware of what traffic is entering your website. If you are relying on Google Analytics on your admin dashboard, you are not getting the clearest picture of your website traffic.

Google Analytics relies on two technologies, the “ga.js” JavaScript tracker and cookies, and it depends on the browser requesting images or links. Most bots do not execute JavaScript, do not accept cookies, and ignore some requests. In fact, 10% of all browsers have JavaScript disabled, cookies disabled, or cookies set to expire for privacy purposes. Because ga.js is JavaScript and the majority of bots do not execute JavaScript, they do not show up in Google Analytics, although that is changing as bots mimic human behavior more closely. Therefore, the web traffic you see on your admin dashboard is not showing you the whole picture.

There is one simple reason for this: the sole focus of Google Analytics is human traffic, not bot activity, and not security. Human traffic is what counts for their data and everything that goes along with it, such as time on page, top pages visited, click-through rates, impressions and actions.

Knowing the exact traffic entering your site is the first step to protection. The second is knowing what to do about it.


WordPress website lock down


Link injection

One of the most common ways to obtain backlinks is to inject them into the signature of a forum post or blog comment, known as comment spam. Comment spam can turn your website into part of a link farm, devalue your website, or get you penalized by search engines.


Hacking

Hacking means breaking into the password-protected sections of a website. Once inside, the attacker can do anything they desire: change the content of the website, inject links into the HTML, or scrape content, causing duplicate content issues.

Malware

Short for malicious software, malware is used to disrupt computer operation, gather sensitive information, or gain access to private computer systems. Malware injected into a website can trigger the dreaded “This site will harm your computer” warning in search results, killing your SEO efforts and diverting traffic.

Link spamming

Link spamming is a black hat SEO technique consisting of keyword stuffing, cloaking, bad backlinks, and overloading of anchor tags.


Phishing

Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details, and it is a particular threat if you are running an ecommerce website.

Ransomware

Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid. Using the threat of a DDoS attack, an attacker can threaten to shut you down until you pay up.

Spam

Spam is the flooding of comments, links, forum posts, anchor-text links, and link drops with the same message in an attempt to force that message on people.


Scraping

Web scraping is a bot program or software technique for extracting information or content from websites; it causes duplicate content issues that can ruin your SEO efforts even though you are the original publisher.

Brute Force Login Attempts

A brute force login attempt is when someone tries to gain access to your site by trying an enormous number of different username and password combinations.
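The bot traffic that Google Analytics never sees and the brute force login attempts described above can both be spotted in the web server's own access log. The following is an added example, not code from the original post or from any of the plugins it names: it parses constructed combined-format log lines, classifies hits as bot or human by User-Agent, and flags addresses with repeated failed POSTs to wp-login.php (a failed WordPress login re-renders the form with HTTP 200, a successful one redirects with 302).

```python
import re
from collections import Counter, defaultdict

# Constructed sample in Apache/nginx "combined" log format, not real traffic.
# 203.0.113.x and 198.51.100.x are documentation ranges reserved for examples.
FIREFOX = "Mozilla/5.0 (Windows NT 6.1; rv:27.0) Gecko/20100101 Firefox/27.0"
SAMPLE_LOG = [
    f'203.0.113.5 - - [10/Mar/2014:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "{FIREFOX}"',
    f'203.0.113.5 - - [10/Mar/2014:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "{FIREFOX}"',
    '203.0.113.9 - - [10/Mar/2014:10:00:02 +0000] "GET /about/ HTTP/1.1" 200 4100 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '203.0.113.40 - - [10/Mar/2014:10:00:03 +0000] "GET /feed/ HTTP/1.1" 200 8800 "-" "-"',
    "truncated line that does not parse",
]
# Six login POSTs from one address, each answered with 200: WordPress re-renders the
# form on a failed login and answers a successful one with a 302 redirect. The bare
# "Mozilla/5.0" User-Agent looks like a browser, so User-Agent matching alone misses it.
SAMPLE_LOG += [
    f'198.51.100.7 - - [10/Mar/2014:10:01:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" '
    f'200 3300 "-" "Mozilla/5.0"'
    for i in range(6)
]
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Substrings that identify self-declared crawlers and common scripting clients.
BOT_MARKERS = ("bot", "crawler", "spider", "slurp", "curl", "wget", "python")

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_bot(user_agent):
    """Treat a missing User-Agent or a crawler/tool marker as bot traffic."""
    ua = user_agent.lower()
    return ua in ("", "-") or any(marker in ua for marker in BOT_MARKERS)

def is_failed_login(rec):
    """A POST to wp-login.php answered with 200 (the form again) rather than 302."""
    return (rec["method"] == "POST" and rec["path"].startswith("/wp-login.php")
            and rec["status"] == "200")

def summarize(lines, login_threshold=5):
    """Count human/bot/unparsed hits and list IPs at or above the failed-login threshold."""
    counts = Counter()
    failed = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            counts["unparsed"] += 1
            continue
        counts["bot" if is_bot(rec["ua"]) else "human"] += 1
        if is_failed_login(rec):
            failed[rec["ip"]] += 1
    suspects = {ip: n for ip, n in failed.items() if n >= login_threshold}
    return counts, suspects  # on SAMPLE_LOG: human 8, bot 2, unparsed 1; {'198.51.100.7': 6}
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; the User-Agent check only catches bots that announce themselves, which is exactly why the login-rate check is needed as well.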


*Note: I am not affiliated with any of the plugins mentioned; they are simply my personal recommendations from my own experience.

Here is a list of analytics plugins I personally use in all my Organic website projects… The plugins listed below can and will show you bot and crawler stats, live traffic views and more features than you can shake a stick at.

  • Slimstat is a great plugin with more features than you may ever need, and it is free. They do offer a premium version if you want to go beyond the free version for added features. Slimstat is real-time web traffic analytics on steroids. The data reporting features are endless: geolocation, filtering, multi-language support, social metrics, rankings, top traffic sources, and a real-time spy view of who is on your website and where they are located via IP.
  • Wassup is a simple and extremely effective plugin for getting real-time stats and one of my favorites. When installed you get a simple, easy-to-read dashboard widget called “Wassup Summary” that tells you who has been on your site in the past 24 hours, who referred them, the type of bot/crawler, the geolocation, IP address and pages visited. By clicking the “More Stats” link on the graph, you are shown a complete overview of your traffic: human and bot/crawler percentages, spam, page views, pages per visit, and visits. This is the simplest and clearest analysis of your website traffic.
  • Wordfence is a free enterprise-grade security plugin that has it all, from real-time analytics to a built-in firewall, site scanning, country blocking, IP blocking, and limiting login and forgot-password attempts, fending off spam and malicious attacks while protecting your website without slowing it down. It is extremely effective across the board.
  • Akismet is a plugin that targets comment spam and zaps those annoying auto comments and spam link drops that can hurt your SEO as well as annoy legitimate followers.

How to commence lock down


Now that you are able to recognize what traffic enters your website, the next issue is to prevent attacks and protect your site. I typically like to layer my security and have redundancies; it may be overkill, but it seems to be quite effective. Let’s start with Wordfence: it does a great job of IP blocking, scanning for changes in your theme, limiting login attempts and lost-password recovery attempts, and stopping repetitive bot attempts at hacking in general. Wordfence also has a premium feature called Cellphone Sign-in, which uses two-factor authentication, the remote authentication method used by financial institutions, government agencies and the military, and it is quite effective.

Next is securing the vulnerabilities that come with WordPress, such as the .htaccess file, the wp-admin login page, the WordPress version declared in the header code, and security vulnerabilities in some third-party plugins. Better WordPress Security is exactly what its title says: with BWS you can change your wp-admin page to wp-Login, remove traces of the WordPress version from the header code, secure your site from basic attacks, back up your site, block bad query strings, and the list goes on. The user interface is pure and simple, giving you a list of recommended settings that have not yet been activated, with single-click activation.
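To confirm that the version-hiding step above actually worked, the page markup can be checked for the two usual disclosures: the generator meta tag and ?ver= query strings on enqueued assets. This is an added example, not code from the post or from Better WordPress Security; the <head> fragments and the example.invalid host are constructed.

```python
import re

# Constructed <head> fragments of the kind WordPress emits; example.invalid is not a real site.
# Before hardening: generator meta tag plus ?ver= query strings on core and theme assets.
UNHARDENED_HEAD = """<head>
<meta name="generator" content="WordPress 3.8.1" />
<link rel='stylesheet' href='https://example.invalid/wp-content/themes/twentyfourteen/style.css?ver=3.8.1' />
<script src='https://example.invalid/wp-includes/js/jquery/jquery.js?ver=1.10.2'></script>
</head>"""
# After hardening: generator tag gone (remove_action('wp_head', 'wp_generator') in
# WordPress terms) and version query strings stripped from the asset URLs.
HARDENED_HEAD = """<head>
<link rel='stylesheet' href='https://example.invalid/wp-content/themes/twentyfourteen/style.css' />
<script src='https://example.invalid/wp-includes/js/jquery/jquery.js'></script>
</head>"""

GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s*([\d.]*)', re.I)
# ?ver= on a core or theme asset: core assets carry the WordPress version, bundled
# libraries carry their own, and either one narrows down the release being run.
VER_QUERY_RE = re.compile(r'/(?:wp-includes|wp-content)/[^\s\'"]*?\?ver=([\d.]+)', re.I)

def find_version_leaks(html):
    """Return (where, version) pairs for every version disclosure found in the markup."""
    leaks = []
    m = GENERATOR_RE.search(html)
    if m:
        leaks.append(("generator-meta", m.group(1)))
    for m in VER_QUERY_RE.finditer(html):
        leaks.append(("asset-ver-query", m.group(1)))
    return leaks

def is_hardened(html):
    """True when the markup discloses no version information at all."""
    return not find_version_leaks(html)
```

Feed it the HTML of your own front page after enabling the setting; any remaining entry tells you which plugin or theme is still appending a version string.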

If you want to add another layer of protection, or if you choose not to use BWS, you could add the Block Bad Queries plugin for good measure. Block Bad Queries is an effective tool that protects your website from malicious URL requests.

The next best option is to go with a CDN, or content delivery network. They are an excellent option for filtering and eliminating threats; security is their main product, so you will have peace of mind that your site is protected, and in addition a CDN can also improve your page load speed, which is great for SEO.

If you are interested in protecting your content or images, you can disable the right-click function, making copying virtually impossible, with WP Content Copy Protection. This is a great plugin if your site has copyrighted material such as articles or photographs.

For additional info or to download:

  • Better WordPress Security
  • Block Bad Queries
  • WP Content Copy Protection

The key to a strong security strategy is to identify the offenders, know who they are and what they do, and create a multi-layer defense against them. The military uses multi-layer redundancies in its defense strategies, and some find that it is the best method for defense and protection. Nothing is 100 percent foolproof, so always make sure to update your plugins and your WordPress version; before you add any new plugin, make sure it has been recently updated; and, most importantly, back up your database and XML files just in case.

“By failing to prepare, you are preparing to fail.”
― Benjamin Franklin