Our founder’s first real taste of securing a WordPress site came when she was the Website Manager for The Sweep Spot Podcast for about two and a half years. The site was originally built on WordPress with a variation of the Twenty Eleven theme, plus a plugin that integrated a BuddyPress forum. Back in 2011, BuddyPress was a problem: it was rampant with spammer and scammer attacks. It was uninstalled shortly after it was installed, because it drew a lot of scammer attention to the main WordPress site, and soon she noticed they were attempting to log in to the site. What she did to make the site more secure and put an end to the attack attempts was the following:
- For the WP-login page, she whitelisted only the IP addresses of the people who were authoring posts and denied all others, because no one needed to log in to the site to view the content. When a login page is not needed by readers, the best thing to do is to allow access only to those who manage the website or contribute to it.
- She immediately applied a well-maintained blacklist of known attackers and blacklisted certain countries that were notorious at the time for taking over WordPress websites (Russia and China).
- She installed a plugin that allowed a very fine-grained filter for comments, for which she set up strict rules. For example: comments with more than 1 link went directly to spam; repeat offenders were logged and prevented from commenting further; comments by new readers were put in the moderation queue if they passed all other filters; the only people allowed to comment without being moderated were those who already had at least 1 comment approved; and certain characters were forbidden in certain fields to prevent SQL database attacks.
- She also created a new admin account with a username other than admin and deleted the standard WordPress admin user, so that there would be no user with an id of 0.
- She checked in regularly, and if she noticed that someone was hitting multiple 403 Forbidden pages, old BuddyPress directories, or WordPress directories and plugin directories, she would add them to the IP blacklist.
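An added example (not the podcast site's own tooling) of automating the check in the last step: a Python scan over web-server access log lines that flags source IPs repeatedly receiving 403s on retired BuddyPress paths, the login/admin endpoints or the plugin directory, while skipping the allowlisted author IPs from the first step so they are never blocked by mistake. The log format, the path prefixes and the sample lines are assumptions constructed for this example.

```python
import re
from collections import Counter

# Assumed Apache/nginx "combined" log layout; adjust the regex for other formats.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Paths ordinary readers have no reason to request (assumed names): the retired
# BuddyPress areas, the WordPress login/admin endpoints and the plugin directory.
SENSITIVE_PREFIXES = (
    "/members/", "/groups/", "/wp-login.php", "/wp-admin/", "/wp-content/plugins/",
)

def parse_line(line):
    """Return (ip, path, status) for a well-formed log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path"), int(m.group("status"))

def find_probers(lines, threshold=3, allowlist=frozenset()):
    """Map each non-allowlisted IP with >= threshold 403s on sensitive paths to its count."""
    hits = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unparseable lines instead of crashing the scan
        ip, path, status = parsed
        if ip in allowlist:
            continue  # authors from the login allowlist are never candidates
        if status == 403 and path.startswith(SENSITIVE_PREFIXES):
            hits[ip] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

# Constructed sample log using documentation (TEST-NET) addresses.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2011:10:00:01 +0000] "GET /members/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2011:10:00:02 +0000] "GET /wp-content/plugins/buddypress/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2011:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2011:10:00:04 +0000] "GET /wp-admin/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2011:10:01:00 +0000] "GET /episode-12/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2011:10:01:05 +0000] "GET /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    "not a log line",
]

if __name__ == "__main__":
    for ip, count in find_probers(SAMPLE_LOG).items():
        print(f"{ip}: {count} forbidden hits on sensitive paths -> review for blacklist")
```

A single 403 (a reader mistyping a URL) stays below the threshold; only the address that walked several sensitive paths is reported.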
Since maintaining that site, she has learned of new attack vectors that attackers try and how to prevent them. She has also learned of better plugins that implement some of these measures automatically, or that cover those same attack vectors better than the old plugins she used to rely on.