We have recently seen a huge increase in attacks on WordPress sites. On some sites, the attacks are intense enough to run into resource limits.
The first thing to think about when fending off attacks is how to do so while consuming the minimum necessary resources.
The second thing to think about is how to make your site resource efficient. Many themes and plugins are poorly written, driving up resource usage. This is particularly true of commercial offerings. Developers tend to include as many features as possible to increase sales. Often, they haven’t thought about resource consumption. On sites with low volume levels this doesn’t matter much. But when volume goes up, driven by legitimate visitors or attackers – it starts to matter. With plugins, less is often more. Fast sites create the best impressions.
Always keep your WordPress site up to date. Not doing so invites attacks. This is much easier since WordPress 4 because it will automatically update itself. Vulnerabilities are discovered frequently in WordPress itself and in plugins and themes. It’s relatively easy for attackers to find outdated vulnerable sites. Once a site is identified as a target, attackers swarm all over it. And the attacks continue long after it is updated. You want to stay ahead of this.
The only security plugins we recommend are Wordfence and Anti-Captcha. Combined, they do everything you need with minimal resource consumption. The vast majority of attacks are attempts to log in, trying different user names and passwords using scripts. Anti-Captcha (or any other CAPTCHA) makes this much harder for them by discarding login attempts which do not contain the necessary tokens. This happens before much code is loaded, keeping resource waste way down. A CAPTCHA will virtually eliminate comment spam as well.
Many security plugins are grossly inefficient. Some work by adding IP addresses to your .htaccess file, which is a very bad idea. Attacks come from many different IP addresses which constantly change. It’s a waste to block addresses which were attacking you for a few minutes or a few hours and then are never seen again. You don’t want WordPress to try matches against thousands or potentially tens of thousands of addresses on every connection. The thing to do is block attacking addresses for only an hour or a few hours.
Recommended Wordfence Settings – You may find additional settings useful or interesting; this is not an exhaustive list.
- Important: Alert on critical problems – This will send you emails when plugins and themes need updating.
- Alert me when someone with administrator access signs in
- Enable all scan options except ‘outside WordPress’, ‘images’, ‘high sensitivity’ and ‘word patterns’. Those are occasionally useful for a specific problem.
- Immediately block fake Google crawlers
- If anyone’s requests exceed 10 per minute: block
- If a crawler’s page views exceed 60 per minute: block
- If a crawler’s pages not found (404s) exceed 5 per minute: block
- If a human’s page views exceed 20 per minute: block
- If a human’s pages not found (404s) exceed 3 per minute: block
- If 404s for known vulnerable URLs exceed 1 per minute: block
- How long is an IP address blocked when it breaks a rule: 1 hour
- Enforce strong passwords: ALL
- Lock out after how many login failures: 3
- Lock out after how many forgot password attempts: 3
- Count failures over what time period: 5 minutes
- Amount of time a user is locked out: 6 hours
- Important: Immediately lock out invalid usernames: Yes
- Don’t let WordPress reveal valid users in login errors
- Prevent users registering ‘admin’ username if it doesn’t exist.
- Never use ‘admin’ as a user name.
- Prevent discovery of usernames through ‘/?author=N’ scans
- Hide WordPress version
- Hold anonymous comments using member emails for moderation
- Filter comments for malware and phishing URLs
- Check password strength on profile update
- Important: Participate in the Real-Time WordPress Security Network
- Important: Live traffic: OFF – when you are not actively watching it.
- Cache: Disable all performance enhancements. In our experience, they cause worse performance.
- Scan schedule: use the defaults
- Advanced blocking: use with caution and only if you have a specific problem to solve
- Country blocking is a paid option and is generally not a good idea or necessary
- Blocked IPs – use manual IP blocking only if you have a very good reason.
When you are under attack, immediately blocking invalid user names is extremely valuable to reduce resource waste. It’s worth repeating that you should never use ‘admin’ as a user name. Admin is the default user name and the first name attackers will try, which immediately identifies the connection as an attack. Starting to block the source address immediately is a big win.
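The lockout rules above (3 failures in 5 minutes, 6-hour lockout, invalid usernames locked out at once) and the point about letting blocks expire rather than growing a permanent deny list, reduced to a small model. This is an added example, not code from the article or from Wordfence; the log lines and the list of valid usernames are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy values taken from the recommended settings above.
WINDOW = timedelta(minutes=5)       # count failures over what time period
MAX_FAILURES = 3                    # lock out after how many login failures
LOCKOUT = timedelta(hours=6)        # amount of time a user is locked out
VALID_USERS = {"editor", "jsmith"}  # constructed list; 'admin' deliberately absent

class LoginLockout:
    """Sliding-window lockout with expiring blocks, not a permanent deny list."""
    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> datetime when the block expires

    def record(self, ip, username, ok, now):
        """Process one login attempt; return 'blocked', 'allowed' or 'locked'."""
        until = self.blocked_until.get(ip)
        if until is not None and now < until:
            return "blocked"                # rejected before WordPress does real work
        self.blocked_until.pop(ip, None)    # expired block: drop it, keep the list short
        if ok:
            self.failures.pop(ip, None)
            return "allowed"
        if username not in VALID_USERS:     # immediately lock out invalid usernames
            self.blocked_until[ip] = now + LOCKOUT
            return "locked"
        q = self.failures[ip]
        q.append(now)
        while now - q[0] > WINDOW:          # drop failures outside the 5-minute window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            self.blocked_until[ip] = now + LOCKOUT
            return "locked"
        return "allowed"

def replay(log):
    """Feed lines 'ISO-time ip username ok|fail' through one LoginLockout."""
    lockout, results = LoginLockout(), []
    for line in log:
        ts, ip, user, status = line.split()
        results.append(lockout.record(ip, user, status == "ok", datetime.fromisoformat(ts)))
    return results

SAMPLE_LOG = [  # constructed sample, not real traffic
    "2024-01-01T10:00:00 203.0.113.5 admin fail",    # invalid username: locked at once
    "2024-01-01T10:00:01 203.0.113.5 editor fail",   # already blocked
    "2024-01-01T10:00:10 198.51.100.7 editor fail",
    "2024-01-01T10:01:00 198.51.100.7 editor fail",
    "2024-01-01T10:02:00 198.51.100.7 editor fail",  # third failure in 5 min: locked
    "2024-01-01T16:03:00 198.51.100.7 editor ok",    # 6 h later the block has expired
]
```

Because expired entries are dropped the moment they are next seen, the block table only ever holds addresses that are currently attacking, which is the opposite of appending every offender to .htaccess.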
We offer highly optimized hosting for WordPress which includes additional security enhancements. As of this writing it is not described on our website. Please feel free to ask questions about this.