Blocking users that enter in a wrong username and password several times in a row…
Unfortunately, there may be times when the security of your WordPress site could be compromised, through brute force attacks, SQL injections, etc. Personally, I think that people perseverate on the idea bit too much, but it’s still important to take some basic precautionary measures to ensure that you are relatively safe. Better WP Security keeps track of this list, and gives you tools to make security tweaks.
What’s It Do?
Bit151, authors of Better WP Security, break down their plugin into four categories: Obscure, Protect, Detect, and Recover. This is a pretty good breakdown of what the plugin does. First, it’ll take steps to remove the common entry points that hackers use to access WordPress sites, like changing the name of your admin user, and moving the location of the login page. Second, it’ll take steps to protect your site against attack when simple steps fail. This includes locking down your database, forcing SSL on admin pages and banning blacklisted user agents and bots. The next step is to run regular checks of your WordPress install to try and detect any security problems or unauthorized changes that may have occurred. Finally, if the worst happens and your site is hacked, the plugin takes care of regular database backups so that you can simply restore your site to an earlier, trouble-free version.
It’s worth noting that Better WP Security does it’s thing by changing site and database files on WordPress. In most cases, this shouldn’t be a problem, but there is a chance it could break functionality. Before you install the plugin, backup your database. You should be doing this regularly anyway.
How’s It Work?
When you first install and activate the plugin you will see a new panel in your admin panel labeled Security. When you first open the Security tab, you will see some information about what the plugin does, with two buttons below it, “Create Database Backup” and “No Thanks, I already have a backup.” Unless you are absolutely positive that you have a secure database backup of your site, click on “Create Database Backup.” After this is finished, you’ll be brought to a second page with options to either automatically set up the plugin, or do everything manually. For this, click on the first button “Secure My Site From Basic Attacks.” This will configure the plugin as much as it can do, then bring you to the main settings page.
From there you will see a giant list of potential security fixes the plugin can do in four different colors. Green means that the security fix is already in place, and there is nothing left to do. Blue means there is a problem of low priority to fix. Yellow means that this problem should be fixed as soon as possible, and red, of course, means that a fix should be made immediately. Next to each item, you will see a link to “Click here to fix.”
You can either go through the list and make changes one by one, or click on the tabs at the top of the pages to make the fixes category by category. If you use the “Click here to fix” link you will be brought to the appropriate tabs and relavent settings will be highlighted in yellow. Otherwise, it’s just about using personal preferences. Unless you have experience with WordPress security, I recommend using the link. Each tab at the top solves a different security area.
The User tab enables you to change your admin username and ID, so that it is harder for brute force attacks (random guessing) to access your login area.
The Away tab gives you access to Away mode. This allows you to temporarily lock down your login area and make it impossible to login altogether if you won’t be using your site. You can either set a one-time away mode, if you are going on vacation or won’t be using the site for a period of time, or daily if there are times of the day you don’t use the site at all, like when you’re sleeping. Use with care, you won’t be able to access your WordPress site for the specified time if you turn on Away mode.
The Ban tabs allows you to block certain User Agents or Hosts (IP addresses). The first option is to include the default ban list, derived from Jim Walker’s Bad Bots list. It’s probably a good idea to check this box. Underneath this, you have the opportunity to fill in individual user agents or hosts in text boxes if you are having problems with certain client-servers or IP addresses. Any host or user agent on this list will not have access to your site at all.
The Dir tab gives you the chance to change the name of the wp-content database table. This is the table targeted by hackers, as it is where the content of your WordPress posts and pages lives. If you change the name, default and automated hacking attempts will not work. However, changing the name of this table will also break links and media attachments (images, etc.) of any existing content on your site. The best time to do this is, of course, when you have first installed WordPress. But if this is impossible, you can either leave this option unchanged, or find a search and replace script to change all the links once the directory change is made.
The Backup tab lets you set up database backups. You can either chose to “Create Database Backup,” which will automatically back up and store your database right away, or schedule backups every X amount of days, hours or minutes. You can also indicate how many backups to keep at one time. This options defaults to 10, which is a good number if you are performing regular backups. And you can email yourself the backups so that they can be stored elsewhere. This is an overlooked, but very important, security precaution. When all else fails, having at least a daily backup handy makes all the difference in restoring a clean site quickly.
The Prefix tab is a lot like the Dir tab. It allows you to change the prefix of your database tables from “wp” to something randomly generated. The wp table prefix is used by hackers to access the site, so using a random prefix can help prevent database attacks and SQL injections. Once more, this will break links on any existing content on your site, so perform a backup and have a plan in place for replacing the content links once the change is completed.
The Hide tab controls the hide backend feature. This will change the name of the login page from /wp-login, /wp-register and /wp-admin to a URL of your choosing. Since a large part of the web runs on WordPress hackers will sometimes run scripts that automatically access yoursitename.com/wp-login/ and use standard usernames and passwords to try and gain access. If you move your login and admin pages then it will be much, much harder for automated scripts to gain access to your site. Better WP Security will simply use mod_rewrite in your htaccess file to rename these sensitive pages from their default setting. A random access key will also be activated by this feature, in case any of your other plugins use the wp-login.php link in their code, you can use this to manually change the code of the plugin to access the proper location. This won’t be a problem for most use cases.
The Detect tab monitors 404 errors and file changes. 404 Detection will find users with a very high amount of 404 errors in a short period of time. This probably means it is an automated bot trying to access sensitive pages on your site, so these users will be blocked. File Detection will monitor WordPress site files and warn you when a file has been changed. This can help you track if somebody has accessed your site and what they may have changed. This second feature is especially recommended.
The Login tab enables login limits. So if a user tries and fails to login say, 5 times in a row, they will be locked out of the site for a specified period of time. You have full control over how many attempts each user gets, how long they are locked out, and whether or not to blacklist users who have been locked out a few times in a row. You can also chose to be emailed whenever a user is blocked. This is helpful in preventing brute force attacks.
The SSL tab is useful if you have SSL certification enabled on your site. SSL encrypts data that is transfered making it less vulnerable to outside attack. Checkout pages on e-commerce sites, for instance, use SSL certificates so that credit card information cannot be accessed. If you do have SSL configured on your server, then Better WP Security can force admin pages to use the certificate, thus encrypting the data and login information that goes along with it. If you don’t have SSL certification, it’s okay to leave this option alone, or contact your web host to enable it for usually a pretty small fee.
The Tweaks tab contains a list of miscellaneous fixes that don’t necessarily fall into one category. Options that require your attention will be highlighted in yellow, so you should go through and enable these, making sure to check that each option is relavent to your site. Other then that, it’s okay to leave basically everything at it’s default setting unless you have a strong reason to change it.
Lastly, the Logs tab keeps track of all the various error reports and failed login attempts made to your site. It will report 404 detections and file changes, as well as other general errors and vulnerabilities. From time to time, you can use the “Remove Data” button to clear our your database with old logs, so that your database does not get too bloated.
When using Better WP Security always use your best judgement. If something doesn’t feel right, reach out for help, or leave the option unchanged. And of course, backup your site. Always. It’s the best way to prevent any permanent damage.
Costs, Caveats, Etc.
The plugin is completely free, and solicits donations through its admin page. If you think you might be in over your head in terms of WordPress security, Foo Plugins offers a one-time Premium Installation for $79 and one-time access to Premium Support for $39. But you will still have access to all of it’s main features with the free version so not to worry. And if you are having a basic problem, then the support forums are a good place to check out, though I wouldn’t expect any help beyond general questions.
The plugin is updated quite often by the authors and keeps up to date with WordPress. And the whole source code is posted on GitHub so feel free to contribute to it’s development.