How to Defend Against Hackers and DDOS Attacks
In the last couple of days another series of large-scale distributed denial of service (DDOS) attacks has hit the internet (sources: (1) Wordfence Blog, (2) ITNews, Australia). It is again the old arms race: as defense mechanisms get more and more sophisticated, the attackers get smarter, too. The last big DDOS attack, against the spam blocker SpamHaus, produced traffic of 300 gigabits per second. That’s 12,000 high-speed (25Mbps) home internet connections downloading at full throttle. The new attack averaged 350Gbps with peaks at 400Gbps.
What is a distributed denial of service attack?
What can be done?
Cloudflare
CloudFlare was already in the vanguard fighting to mitigate the Spamhaus attack and is again in the midst of things with the current attack, fighting the good fight. CloudFlare is a content delivery network, which helps speed up your website but also offers a substantial security layer. On Feb 8th, traffic to the websites I manage increased by a factor of nine, and most of it (88%) was rejected by CloudFlare and never reached the hosting service. Needless to say, I will use CloudFlare on all the sites I manage. They offer a very powerful free plan, but sites using SSL need to sign up for their Pro plan.
Wordfence
Wordfence is a WordPress security plugin. It does a few things very well and again for free. A paid option is also available.
- Wordfence blocks suspicious activity and access from suspicious sources. It also shares this with their command center, which distributes block-lists back to the participants. This means that if an attacker gets blocked by Wordfence on some site in the network, it will be blocked on your site right away.
- It scans your site for vulnerabilities and compares your WordPress installation against a reference list to see if anything has changed. Changed WordPress files often indicate a compromised site that will be used as a virus vector, a link scheme, or for other malicious activities.
- It also logs live traffic, whether from your regular human visitors or Google crawlers, and, most importantly, successful and failed logins.
- Another log which raises awareness is the “Page Not Found” log. It shows who tried to access these pages and, more importantly, which pages. The list tells clearly where there are currently vulnerabilities in websites and who is trying to probe them. For a long time, you could see requests for timthumb.php, indicating a weakness in the thumbnail generating software. The current favorite seems to be connector.asp (which is usually irrelevant for WordPress sites).
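As an added example (not part of the original post or of Wordfence), the script below turns the idea behind the “Page Not Found” log into a small detection: it parses constructed Apache-style access-log lines, keeps only the 404 responses, and reports which client addresses requested files that the post names as commonly probed (timthumb.php, connector.asp). The log lines, IP addresses and the watch-list are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of Apache combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [08/Feb/2014:10:01:12 +0000] "GET /wp-content/themes/foo/timthumb.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Feb/2014:10:01:13 +0000] "GET /fckeditor/editor/filemanager/connectors/asp/connector.asp HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.4 - - [08/Feb/2014:10:02:40 +0000] "GET /about/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.4 - - [08/Feb/2014:10:02:41 +0000] "GET /old-page/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Feb/2014:10:01:14 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# File names the post mentions as commonly probed; extend with your own observations.
PROBE_PATTERNS = ("timthumb.php", "connector.asp")

# Matches: client IP, timestamp, request line (method + path), and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return (ip, path, status) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path"), int(m.group("status"))


def find_probers(log_text):
    """Map each client IP to the list of 404'd paths that match a known probe pattern."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than aborting the whole run
        ip, path, status = parsed
        # Only 404s belong in this report: a 200 for one of these files is a different problem.
        if status == 404 and any(p in path.lower() for p in PROBE_PATTERNS):
            hits[ip].append(path)
    return dict(hits)


if __name__ == "__main__":
    for ip, paths in find_probers(SAMPLE_LOG).items():
        print(f"{ip} probed {len(paths)} known-vulnerable path(s): {', '.join(paths)}")
```

Run against a real access log, the same grouping by IP quickly separates a human who followed a stale link from a scanner walking a list of known file names.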
Some best practices
The list here is long, and many such lists can be found on the web. I just want to mention a handful, mostly things that can be done by the user:
- Strong passwords. See http://xkcd.com/936/ . It takes seconds for a computer to guess an 8-character password.
- Unique passwords for each site. Use a password manager like LastPass if you can’t remember them all.
- Hide your admin account by renaming it. It creates more guesswork for the attacker.
- Have only the plugins you need installed on your WordPress site. Delete the rest.
- Keep your installation up-to-date. Update your plugins, themes and WordPress installation as soon as you can. Most updates are security related.
Backups
Regular backups won’t prevent hackers from gaining access to your site, but you’ll need them if your site has been compromised. You may actually need multiple versions: one for each of the last 7 days, and perhaps one for each of the last four weeks. If your site has been compromised, it may take you a while until you notice, and your last good backup may be as old as 4 weeks. Come to think of it, add one more backup for each of the last 6 months.
What’s the golden rule for backups? Learn to restore before you need it. Imagine your site is down and you want to have it back up asap. That’s a bad time to watch that how-to-restore tutorial.
Conclusion
Security measures can rarely keep a dedicated attacker away. But they need to be put in place to slow attackers down and to make an attack costly. As long as it is more expensive for attackers to hack your site than their potential gain, you are safe. But it will slow you down as well, since some of the measures are inconvenient for you, too. Don’t give up security for convenience.
The weakest spot in security is the human. Don’t be too lazy to keep your website up-to-date. (It’s okay to hire me for that task.) And don’t be reckless with your passwords. Make them complex so it takes a lot of time to guess them, and use a different one at each site so that a password leaked and sold on the internet cannot be used on your other sites.
Image Credit: sxc.hu
Great article! Did you attend the Raleigh WordPress Meetup last night? It was on the same topic of WordPress security. I liked your golden rule for backups as well … I feel like NO ONE ever simulates a restoration until it’s too late.