WordPress Security Plugins

– Posted in: Plugins, Security, WordPress

Several weeks ago, many, if not all, of my websites were hacked. It was terrible! I spent many hours cleaning all the domains. Since then, I have learned some lessons, and I hope that sharing them here will keep you from repeating my mistakes.

Many of my websites are turning into WordPress websites now, and I’ve really enjoyed learning new skills and finding a new niche. However, this road is not just about learning how to build themes and set up WordPress for clients. There is a whole new level of security to be learned as well!

Imagine my surprise when I received my first email stating that I needed to shut down a site because it was phishing for information from their client’s banking site. Not cool! Imagine my surprise again, when a second and a third email came for some of my other sites that were doing the same thing.

Someone hacked into many of my sites and planted files and folders deep in the file structure of each one. It was time-consuming to go through all those file trees looking for anything that didn’t belong. With my limited Linux skills, I was able to identify files with recent modification dates. This helped me decide where to start, but ultimately I had to go folder by folder, file by file.
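The triage described above, as an added example that is not part of the original post and not any plugin’s code: a small Python script that records a SHA-256 baseline of a site’s file tree while it is known to be clean, diffs it later to list added, removed and modified files, and also lists files whose modification time is newer than a cutoff (the author’s first pass). The mini WordPress tree, the planted file name and the injected line are constructed for the demo.

```python
"""Added example, not code from the post: hash-baseline diffing plus the
mtime triage the author describes. The sample tree is constructed."""
import hashlib
import os
import tempfile
import time
from pathlib import Path


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }


def diff_manifest(baseline, current):
    """Compare two manifests; returns sorted (added, removed, modified) lists."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return added, removed, modified


def changed_since(root, cutoff_epoch):
    """The author's first pass: files whose mtime is newer than the cutoff."""
    root = Path(root)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*") if p.is_file() and p.stat().st_mtime > cutoff_epoch
    )


def demo():
    """Build a constructed mini site, baseline it, 'compromise' it, and compare."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "wp-includes").mkdir()
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (site / "wp-includes" / "functions.php").write_text("<?php // genuine core file\n")
        (site / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8 constructed jpeg")
        baseline = build_manifest(site)  # taken while the site is known-clean

        # Backdate everything by 30 days so later changes stand out by mtime.
        old = time.time() - 30 * 86400
        for p in site.rglob("*"):
            os.utime(p, (old, old))

        # Simulated intrusion (constructed): one core file altered, one file planted.
        (site / "wp-includes" / "functions.php").write_text(
            "<?php // genuine core file\n// constructed: injected line\n")
        (site / "wp-content" / "uploads" / "wp-cache.php").write_text("<?php // constructed planted file\n")

        current = build_manifest(site)
        added, removed, modified = diff_manifest(baseline, current)
        recent = changed_since(site, time.time() - 86400)  # touched in the last day
        return added, removed, modified, recent


if __name__ == "__main__":
    for label, paths in zip(("added", "removed", "modified", "changed in last day"), demo()):
        print(f"{label}: {paths}")
```

The hash diff is the more reliable of the two checks: an attacker can reset a file’s modification time, but cannot keep its digest equal to the baseline after changing its contents. Keep the baseline manifest somewhere the web server cannot write to.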

I found a website, Sucuri.net, which helped determine whether there was any malware on my domains. However, it wasn’t conclusive. It did tell me that at least one of the domains I manage had been blacklisted. Not good!

In my search for more information, I found many who had suffered the same fate. Many seemed incredibly lost about what to do. I fell into that category.

You’ve heard the saying, “There’s an app for that!” said in reference to Apple’s iDevices. Well, WordPress is similar. There’s a plugin for just about anything. So I went searching for something that could scan my domains. Here is what I found, and what works for me.

Anti-Malware by Eli

The very first plugin I discovered is called “Anti-Malware,” by Eli over at Get Off Those Maliciously Loaded Scripts! This plugin is a lifesaver! After installing and activating this plugin, I ran it on my most attacked site. It took some time, because the site is huge, but this plugin found what I couldn’t. The report showed me potential threats as well as known threats. I was able to take out all the malicious files. It worked so well that I now have it installed on all my sites.

Pros: There are frequent definition updates and the author stays in contact with his community. You can comment on his site with any issues you’ve come across and he’ll help to eradicate the threat.

Cons: The one unfortunate thing about this plugin… you have to log in and run it yourself. There is no automatic or schedule feature on this plugin. So, YOU have to remember to run the plugin periodically.

Better WP Security

With all the research I have put into this topic, I came across posts that led me to “Better WP Security,” by bit51. This plugin is more technical than I had hoped for, but I have learned some very important facts about WordPress by using it.

  1. NEVER use the username ‘admin’ when installing WordPress on your site!

    I never realized that this is the most important step. After installing this plugin and reviewing the log reports daily, I’m shocked to see how often people/bots try to log in as admin.

    If you have a site already set up, and your username is ‘admin’ … change it! Unfortunately, WordPress does not allow you to change your username inside itself. There are only two ways that you can change your username.

    1. Install this plugin and it will allow you to make the change.
    2. Log into your phpMyAdmin and edit your database. Although I don’t advise you to edit your database, especially if you’re not clear on what to do, it is possible. Here’s how I did it without wreaking havoc.
      1. Once logged into your phpMyAdmin panel, choose the database used for your WordPress installation. Generally, this is something like _wrdp1.
      2. Next, on the left hand side, look for a table called, wp_users and click on it.
      3. Scroll down the list of users until you find your login. Click edit.
      4. Look for user_login and change your username. Then click GO to save your changes.
  2. Enforce strong passwords! I cannot stress this enough! With this plugin, you can force every role (Administrator, Editor, Contributor, and User) to use strong passwords.

This particular plugin is very technical. But don’t be afraid. There are notes along the way as you close up all the vulnerabilities with this plugin. Be advised, though, that this plugin suggests things like:

  • Change wp-content path
  • Turn off file editing from within WordPress admin area
  • Prevent brute force attacks by banning hosts and users with too many invalid login attempts

Changing your wp-content path is a very good idea for new sites, but not for sites that are well established. It can really hose your site, so be careful.

Turning off file editing from within WordPress admin area means you will not be able to edit using the editor inside your dashboard. This can be problematic if you want to edit your theme pages inside the admin area.

Preventing brute force attacks by banning hosts and users with too many invalid login attempts is an excellent tool! I recommend you check this feature out. You’ll be surprised at how many brute force attempts are made on your site daily. However, use CAUTION! This setting can lock you out too if you forget your login credentials.

Pros: This plugin will tell you where your website’s vulnerabilities are and walk you through locking it down and making it more secure. The log files are very informative and continually show you where the attacks are. As you get used to how this plugin works, you can begin to ban IP addresses that seem to attack a lot and regularly.

Technical support seems to be on top of helping their customers out in a timely fashion.

Cons: There is so much to this plugin that, if you’re not careful, you could end up locking yourself out or hosing your site. However, as I said above, technical support seems to be on top of helping their customers. Also, in order for this plugin to be effective, it must access core files as well as .htaccess files. Although this is a plus, it’s also a problem if you need to access your own .htaccess for any reason. Also, this plugin will send you emails about changes to files and login attempts. This is cool except that it sends multiple emails, thus driving the bandwidth of your site up. So once you have a handle on what you really want to know about NOW, you can shut this feature off. It’s already put 3 of my sites over bandwidth.

In my opinion, the Pros outweigh the Cons with this product.

Wordfence Security

Wordfence Security was the latest install added to my security measures. This plugin has some free services and some paid-for services. Once installed, I suggest going to Options first and getting the settings to your liking.

One of my downfalls is staying on top of plugin and theme updates. This plugin will watch that for you and send you an email when there is an update needed to any plugin or theme. This plugin also scans for malicious files, backdoors, Trojans and suspicious code. It scans posts and comments for suspicious content. It can also scan outside of your WordPress installation.

You can set up firewall rules that give bots and humans separate crawl speeds. This plugin does not have default settings here; you have to choose your own. Here is what I have begun with:

  • Enable firewall rules: Yes
  • Immediately block fake Google crawlers: Yes
  • How should we treat Google’s crawlers: Verified Google crawlers have unlimited access to this site
  • If anyone’s requests exceed: 30 per minute (1 every 2 seconds), then throttle it.
  • If a crawler’s page views exceed: 960 per minute (16 per second), then throttle it.
  • If a crawler’s pages not found (404s) exceed: 960 per minute (16 per second), then throttle it.
  • If a human’s page views exceed: 240 per minute (4 per second), then throttle it.
  • If a human’s pages not found (404s) exceed: 120 per minute (2 per second), then throttle it.
  • If 404s for known vulnerable URLs exceed: 30 per minute (1 every 2 seconds), then throttle it.
  • How long is an IP address blocked when it breaks a rule: 12 hours

Remember, these are only suggestions. You can choose to be tighter or looser on your firewall rules.
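The rate rules above, as an added example that is neither the post’s nor Wordfence’s code: a Python sketch of a per-IP sliding-window firewall using the author’s numbers. Assumptions made here: a client is classed as a verified Google crawler by membership in a constructed set (standing in for the reverse-DNS verification Wordfence does, which is not performed), as a crawler if its user agent contains “bot” or “crawler”, and as human otherwise; any rule that trips is enforced as a 12-hour deny, which collapses Wordfence’s separate throttle and block actions into one; and “known vulnerable URLs” are approximated by paths ending in timthumb.php, the file the post mentions in its closing paragraph. All IPs and user agents are constructed.

```python
"""Added example, not Wordfence's code: per-IP sliding-window rate rules
using the settings from the post. Sample IPs and user agents are constructed."""
from collections import defaultdict, deque

WINDOW_SECONDS = 60
BLOCK_SECONDS = 12 * 3600          # "How long is an IP address blocked": 12 hours

# Per-minute thresholds from the post; exceeding one trips the rule.
RULES = {
    "any_requests": 30,            # anyone's requests
    "crawler_views": 960,          # crawler page views
    "crawler_404": 960,            # crawler 404s
    "human_views": 240,            # human page views
    "human_404": 120,              # human 404s
    "vuln_404": 30,                # 404s for known vulnerable URLs
}

VERIFIED_GOOGLE = {"203.0.113.9"}              # assumption: IPs already verified via reverse DNS (constructed)
KNOWN_VULNERABLE_SUFFIXES = ("timthumb.php",)  # assumption: stand-in for "known vulnerable URLs"


def classify(ip, user_agent):
    """Verified Google crawler, other crawler, or human."""
    if ip in VERIFIED_GOOGLE:
        return "google"
    ua = user_agent.lower()
    if "bot" in ua or "crawler" in ua:
        return "crawler"
    return "human"


class Firewall:
    def __init__(self):
        self.windows = defaultdict(deque)   # (ip, rule) -> request timestamps inside the window
        self.blocked_until = {}             # ip -> epoch seconds when the deny expires

    def _count(self, key, ts):
        """Record one hit for key and return how many fall in the last 60 seconds."""
        dq = self.windows[key]
        dq.append(ts)
        while dq and dq[0] <= ts - WINDOW_SECONDS:
            dq.popleft()
        return len(dq)

    def handle(self, ts, ip, path, status, user_agent):
        """Return 'allow', 'blocked', or 'throttled:<rule>' for one request."""
        if self.blocked_until.get(ip, 0) > ts:
            return "blocked"
        cls = classify(ip, user_agent)
        if cls == "google":
            return "allow"                  # verified Google crawlers have unlimited access
        checks = []                         # most specific rule first, so the report names it
        if status == 404:
            if path.endswith(KNOWN_VULNERABLE_SUFFIXES):
                checks.append("vuln_404")
            checks.append(f"{cls}_404")
        checks += [f"{cls}_views", "any_requests"]
        for rule in checks:
            if self._count((ip, rule), ts) > RULES[rule]:
                self.blocked_until[ip] = ts + BLOCK_SECONDS
                return f"throttled:{rule}"
        return "allow"


def demo():
    """Three constructed clients: a fast human, a 404 probe, and a verified Google crawler."""
    fw = Firewall()
    human = [fw.handle(t, "198.51.100.7", "/", 200, "Mozilla/5.0") for t in range(31)]
    probes = [fw.handle(t, "198.51.100.8", "/wp-content/themes/x/timthumb.php", 404, "Mozilla/5.0")
              for t in range(31)]
    google = [fw.handle(t, "203.0.113.9", "/", 200, "Googlebot/2.1") for t in range(100)]
    return human, probes, google


if __name__ == "__main__":
    human, probes, google = demo()
    print("human  :", human[-1])
    print("probes :", probes[-1])
    print("google :", set(google))
```

Note that with the author’s numbers the 30-per-minute “anyone’s requests” rule trips long before the crawler and human page-view rules can, so those higher limits only matter if the general rule is loosened; this is worth knowing before copying the settings.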

Now, for me, the login security options were very important. But be careful… Like Better WP Security, you CAN lock yourself out.

I don’t want anyone to get more than 5 tries within 5 minutes to log in before I lock them out. And when I lock them out, I want them locked out for at least a day. That gives me time to log in and look the abuser up on WHOIS to decide whether they should be locked out permanently. ANYONE trying to log in with the username ‘admin’ is blocked permanently.
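The login policy just described, as an added example that is neither the post’s nor any plugin’s code: a Python lockout tracker that denies a host after 5 failed logins within 5 minutes, locks it out for a day, permanently bans any host that tries the username ‘admin’, and exempts a whitelist so the administrator cannot lock herself out (the caution raised above). The whitelist, the `ban()` method standing in for the author’s manual WHOIS review, and the log lines are assumptions constructed for the demo.

```python
"""Added example, not a plugin's code: the login lockout policy from the
post (5 failures in 5 minutes -> 1-day lockout; 'admin' -> permanent ban).
The whitelist, ban() and the sample log are assumptions/constructed."""
from collections import defaultdict, deque

MAX_FAILURES = 5
WINDOW_SECONDS = 5 * 60
LOCKOUT_SECONDS = 24 * 3600


class LoginGuard:
    def __init__(self, whitelist=()):
        self.whitelist = set(whitelist)       # assumption: the administrator's own IPs
        self.failures = defaultdict(deque)    # ip -> timestamps of recent failures
        self.locked_until = {}                # ip -> epoch seconds when the lockout ends
        self.banned = set()                   # permanent

    def ban(self, ip):
        """Manual permanent ban, e.g. after looking the host up on WHOIS."""
        self.banned.add(ip)

    def attempt(self, ts, ip, username, password_ok):
        """Outcome of one login attempt: ok, denied, locked, or banned."""
        if ip in self.whitelist:
            return "ok" if password_ok else "denied"   # never locked out
        if ip in self.banned:
            return "banned"
        if self.locked_until.get(ip, 0) > ts:
            return "locked"                            # even a correct password waits
        if username == "admin":
            self.banned.add(ip)                        # policy: nobody legitimately logs in as 'admin'
            return "banned"
        if password_ok:
            self.failures[ip].clear()
            return "ok"
        dq = self.failures[ip]
        dq.append(ts)
        while dq and dq[0] <= ts - WINDOW_SECONDS:     # drop failures outside the 5-minute window
            dq.popleft()
        if len(dq) >= MAX_FAILURES:
            self.locked_until[ip] = ts + LOCKOUT_SECONDS
            dq.clear()
            return "locked"
        return "denied"


def replay(lines, whitelist=()):
    """Feed constructed log lines 'epoch ip username ok|fail' through the guard."""
    guard = LoginGuard(whitelist)
    outcomes = []
    for line in lines:
        ts, ip, user, result = line.split()
        outcomes.append(guard.attempt(int(ts), ip, user, result == "ok"))
    return outcomes


# Constructed sample log (epoch seconds, IP, username, result).
SAMPLE_LOG = [
    "1000 198.51.100.5 heidi fail",
    "1010 198.51.100.5 heidi fail",
    "1020 198.51.100.5 heidi fail",
    "1030 198.51.100.5 heidi fail",
    "1040 198.51.100.5 heidi fail",   # fifth failure inside 5 minutes -> locked
    "1050 198.51.100.5 heidi ok",     # right password, still locked
    "2000 198.51.100.6 admin ok",     # 'admin' -> permanent ban
    "2001 198.51.100.6 heidi ok",     # same host, any username -> banned
    "3000 192.0.2.1 heidi fail",      # whitelisted administrator workstation
    "3001 192.0.2.1 heidi ok",
]

if __name__ == "__main__":
    for line, outcome in zip(SAMPLE_LOG, replay(SAMPLE_LOG, whitelist={"192.0.2.1"})):
        print(f"{line:32} -> {outcome}")
```

Failures spaced more than five minutes apart never accumulate to a lockout, which is why a per-window counter rather than a lifetime counter is the right shape; the permanent ban on ‘admin’ is the only rule that ignores the window.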

Once you have chosen your settings, on the left side of your dashboard, under Wordfence, click Scan. This will scan your site for vulnerabilities and report them to you within minutes.

Pros: This plugin, like Better WP Security, will tell you where your website’s vulnerabilities are and walk you through locking it down and making it more secure. This plugin has a Live Traffic feature which allows you to watch traffic as it hits your site. As you get used to how this plugin works, you can begin to ban IP addresses that seem to attack a lot and regularly.

Cons: This plugin will send you emails about changes to files and login attempts, and tell you when an administrator has logged in. This is cool except that it sends multiple emails, thus driving the bandwidth of your site up. So once you have a handle on what you really want to know about NOW, you can shut this feature off. It’s already put 3 of my sites over bandwidth.


I use all three of these tools together, and I find they work well together. I have not had any hackers break through since installing these plugins. Each one has its pros and cons, but for the most part the pros outweigh all the cons. There can be plugin or theme conflicts with any of these security plugins, so be careful. I have found at least one conflict, with the “WP eStore” plugin from Tips and Tricks. All three of these plugins will block “timthumb” files. Even if you have an updated version of timthumb.php, it will still be blocked. So be aware.

Leave me a comment if this has helped you.

33 Comments

Lorenzo April 5, 2013, 3:08 pm

Limit Login Attempts and Login LockDown can also help protect your site against brute force attacks. Both are available from the WP plugins directory.

Heidi Hafner April 5, 2013, 3:17 pm

These options are available in the plugins Wordfence & Better WP Security. Their default settings are 20 attempts. However, this is too many tries. Also, any attempt to break into a site by using the username ‘Admin’ should be blocked permanently, otherwise you just give them opportunity to keep trying.

Ed April 9, 2013, 10:17 am

Great article. I just wonder how to locate or know the host and user agent who’s been trying to log in as admin? There is no info about it in the Logs.

I only see:
Time Username Attempted
2013-04-08, 3:26 PM admin

No other information on who they are.

Can you help?

Thanks.

Heidi Hafner April 9, 2013, 11:52 am

Ed, Better WP Security shows IP addresses in the “All Lockout” area and in the “404 Errors” area. The “All Lockout” area will tell you if the IP attempted an admin login by showing you “Bad Logins”. When you click on the IP address associated with those, you’ll be sent to a website that gives you the location of that IP. (i.e. http://www.ip-adress.com/ip_tracer/175.206.187.135). However, with Wordfence, you are given all that information as you can see in the example.

When I only used Better WP Security, I tended toward clicking on the IP addresses, and then either Googling it or going to DNS Stuff for information. Now that I run Wordfence with Better WP Security, I don’t do that as often. Wordfence has a tab that says “Logins and Logouts” under its Live Activity.

I hope this helps.

Ed April 9, 2013, 6:33 pm

Thanks but, I can’t find that ‘All Lockout’ area. Can you tell me where? Do you recommend Wordfence?

Ed April 9, 2013, 6:39 pm

There are currently: Your database contains 236 bad login entries. However, I really can’t find who these people or user agents are, since the Bad Login Attempts area only shows the time and username attempted. There is no IP associated. Above it is the 404 Error logs with time, Hosts, URI, referrer and counts. In which part of Better WP Security can I see the “All Lockout Area”?

Heidi Hafner April 9, 2013, 6:42 pm

The ‘All Lockout’ area is on the Better WP Security – Better WP Security Logs page, below the section that is ‘Bad Login Attempts.’

I do also recommend Wordfence. I use it alone on another of my websites because Better WP Security interferes with how the site works. So far, it is doing an excellent job. Today, most of my sites were attacked and Wordfence did well.

Ed April 9, 2013, 6:54 pm

There are currently no lockouts found in the All Lockout Area.

Maybe it is because I did not check this part?
—————————-
Blacklist Repeat Offender

If this box is checked the IP address of the offending computer will be added to the “Ban Users” blacklist after reaching the number of lockouts listed below.

Warning! If your site has a lot of missing files causing 404 errors, using this feature can ban your own computer from your site. I would highly advise whitelisting your IP address below if this is the case.
—————————-

Should I check this box for the All Lockout to show records?

Advise.

I will try Wordfence too. If I want to reverse the changes that Better WP Security did to my files, would that be possible? If I remove or deactivate Better WP Security, would my files be back to their original configurations?

Thanks.

Heidi Hafner April 9, 2013, 6:56 pm

Here is an image to show you the “All Lockout Area” (image: All Lockout Area). It only has the IP address. If you click on the IP, it will tell you what country it is from. That’s about it.

Now, here is an image to show you Wordfence’s live view (image: Wordfence Live view). This shows you a little more information, like the browser used and perhaps what kind of bot it is. (i.e. Browser: Ezooms version 1.0 Mozilla/5.0 (compatible; Ezooms/1.0; ezooms.bot@gmail.com))

Heidi Hafner April 9, 2013, 7:02 pm

I do not have the Repeat Offenders checked. I didn’t want to risk locking myself out, even though I have myself on the whitelist.

I do have my limits set low for login attempts. If within 5 minutes someone uses a login that fails 5 times, that person is locked out. Since I can’t sit here all day and research every lockout, I keep them in Lockout for 12 hours. On some sites I make that longer.

Ed April 9, 2013, 8:16 pm

Thank you for your detailed explanation, Heidi. Greatly appreciated.

However, I don’t understand why there is nothing in my All Lockout records/logs. It says no items found. I wonder why it has no logs if there are already 248 bad login entries in my Better WP Security logs.

But I appreciate your help and guide to this. Thank you for the effort.

Heidi Hafner April 9, 2013, 8:28 pm

Under the Login tab, do you have Enable Login Limits checked to enable login limits on this site?

I would check out the support desk for Better WP Security

Good Luck!

Ed April 9, 2013, 8:33 pm

Thanks for helping.

I will email support for more help and guide. It seems I already annoyed you for this :-)

Great article and guide.

Heidi Hafner April 9, 2013, 8:35 pm

Not at all annoyed…So glad I could help. I do wish I could troubleshoot more for you. Have a great day! Let me know what you find out.

Ed April 9, 2013, 8:35 pm

And yes, I enabled the login limits but did not modify the default settings. Is that fine? Anyway, thank you. I will contact support.

Heidi Hafner April 9, 2013, 8:42 pm

I did change my settings.

  • Enable Login Limits “check”
  • Max Login Attempts Per Host “5″
  • Login Time Period (minutes) “5″
  • Lockout Time Period (minutes) “720″ (The length of time a host or computer will be banned from this site after hitting the limit of bad logins.)
  • Blacklist Repeat Offender “check” (If this box is checked the IP address of the offending computer will be added to the “Ban Users” blacklist after reaching the number of lockouts listed below.)
  • Blacklist Threshold “3″ (The number of lockouts per IP before the user is banned permanently from this site)

Hope this helps!

Ed April 9, 2013, 8:43 pm

Thanks! I will wait for the logs to show…

This is a great help :-)

Ed April 9, 2013, 8:46 pm

Wait, I forgot :D

How about this box: Max Login Attempts Per User? How many attempts? The default is 10.

Thanks.

Heidi Hafner April 9, 2013, 8:48 pm

I’m sorry I missed that setting Max Login Attempts Per User I put to “5″ … There is no reason for any user to need more than 5 attempts to login. If I forget my login, I hit the Forgot Password link by “3″ attempts.

Ed April 9, 2013, 8:50 pm

Ok, thanks again. I will wait until tomorrow if the logs will show. Since I’ve been checking and there are no records. Only the bad log in attempts are there.

Ed April 9, 2013, 8:54 pm

My BAD… I forgot again.

Did you enable this part:

As a getting-started point you can include the excellent blacklist developed by Jim Walker of HackRepair.com.
Enable Default Banned List

Check this box to enable HackRepair.com’s blacklist feature.
—————————–

Or did you just modify your .htaccess manually and paste that BAD BOT LIST?

Sorry for being so annoying :-)

Thanks.

Heidi Hafner April 9, 2013, 9:04 pm

Yes! You definitely want to check the Enable Default Banned List from HackRepair.com’s blacklist. That will keep blacklisted bots and users from accessing your site! The Enable Banned Users you don’t need to check until you have some IPs to ban.

You are not annoying. I am very glad you stopped by to visit.

Ed April 9, 2013, 9:07 pm

Thank you again Heidi.

Very much appreciated. I will dig for more info about it and the Wordfence plugin.

Have a nice day.

Ed April 10, 2013, 8:40 pm

Hi again Heidi.

It’s been 24 hours but still there are no logs showing in the “All Lockout” area. The “admin” login attempts are increasing: Your database contains 376 bad login entries.

But I still can’t see the user agents/IP addresses of those who are trying to access my login page using the admin user.

I have read the discussions over the support area of Better WP Security but have found no answer to my issue.

I think this plugin is no longer working like you have installed it on your blog. There must be a glitch in the plugin.

Any idea? Sorry for bothering again :D

Thanks.

Heidi Hafner April 10, 2013, 11:13 pm

Today has been an interesting day with both BWPS and Wordfence. All of my websites were attacked hard. Wordfence does a better job of telling you the user-agents. I have a whole range of IPs that have been attacking my site here. Browser: Ezooms version 1.0 Mozilla/5.0 (compatible; Ezooms/1.0; ezooms.bot@gmail.com) tends to blast hard and eat up all bandwidth. There doesn’t seem to be any benefit from them.

With this influx of bots and attacks today, these plugins were run through some heavy lifting. I did find some troubling things with each of these products. But they seem to cover for each other. Both are supposed to be able to block a full range of IPs but I’m still seeing the numbers from the IP ranges getting through until I permanently block each individually. I did see a complaint to this nature of Wordfence support forum that I will look into further.

Better WP Security does not show user-agents within itself. With Better WP Security, I do see a few IP addresses that attack frequently.

Ed April 11, 2013, 7:33 am

I haven’t tried Wordfence yet. But I sure will try it soon.

The IP addresses of those that have been attacking my site with spam comments using bots have been added to the Banned Users list. Though there are still spam comments coming through my blog each day. I manually added them to Banned Users.

I thought Better WP Security would block all spam bots and attackers, but I just discovered it did not block all. Not even the ones I’ve added in the Banned Users list. These attackers are coming through every day using different IP addresses.

My concern now is this: If I remove/uninstall this plugin, will my files be back to their default settings or not? I guess that’s probably my problem if those changed files cannot be reversed to their old/original settings.

Do you have any idea about it? That would be helpful too.

Great thanks…

Heidi Hafner April 12, 2013, 1:34 pm

Over the course of the last 48-72 hours, there has been a global wp-login brute force exploit attack made on WordPress sites. This attack took down websites across the Internet. Some sites were compromised and hacked, and others were brought down because the security plugins that are in place, maxed out the log files. I believe this exploit may have been too much to handle for the reporting system built into this plugin. I would give it a little more time just to see if it irons itself out. I’m still not clear if there is a delay in the reporting done with this plugin. However, I do see better results today.

I had an interesting conversation with one of the support people for this plugin. He’s very helpful with trying things out and giving advice. Many complaints that I have had, have to do with the emails received. I was completely buried in email notifications! I found others were the same. Today, after all the brute force attacks yesterday, everything is quiet.

I’ve removed the plugin once on a site. The .htaccess kept everything in it. It did not clean out. So it remains secure.

Hope this helps.

Ed April 16, 2013, 5:42 am

Thank you for getting back.

Yes, I see your site is displaying this:
Warning: preg_match() [function.preg-match]: Unknown modifier ’5′ in /home/hafwebnd/public_html/wp-content/plugins/wordfence/lib/wfUtils.php on line 514

I also noticed that Better WP Security keeps on sending notification emails once a file has been changed. I can see that it consumes an amount of RAM each time a change takes place. I think this will consume a lot more RAM each day.

Did you say that if I remove this plugin, everything that has been changed will be reversed?

Thanks.

Heidi Hafner April 16, 2013, 10:10 am

With regard to removing the plugin, I’ve had no problem (so far) with deactivating the plugin and removing it. I have done so on a couple of occasions to do some troubleshooting. However, you may want to head over to Better WP Security’s Support forum and ask about the RAM.

Thanks for the heads-up on the error message. I’m not sure why that popped up. Will have to look into it.

Ed April 18, 2013, 5:09 pm

Thanks for your answer.

I will try to ask BWPS support.

Ed April 20, 2013, 12:28 pm

I just updated Better WP Security to the latest version 3.4.10, however, after installing this update, my blog has encountered a 500 Internal Server Error.

I submitted a comment on the support forum but it seems there is no fix yet.

Do you have any idea on how to fix this?

Thanks.

Ed April 20, 2013, 10:33 pm

I was having a bad experience with Better WP Security. The latest update for version 3.4.10 made my site vanish. 500 Internet Server Error encountered. Since the author could not give a complete fix, I completely removed the plugin and deleted the .htaccess.

I re-installed the plugin and as a result, I can only access/view my homepage but not my posts and pages. I did re-save the permalink settings as per BWPS author’s advice, yet the posts/pages cannot be accessed – showing 404 error.

I finally removed the plugin for now. I am looking for a better security plugin at the moment. There’s too much to do with BWPS; until the author can fix these issues, I am not planning to re-install it.

What do you think?

Mondo April 30, 2013, 10:01 am

Great article Heidi. I have now put these plugins on my sites.
