While Truebluetitan has lain dormant, a silent attacker has repeatedly snuck in and injected malicious code into the TBT DNA. Each time I fought back, and while it has made me extremely efficient at re-uploading virus-free versions of my site, I haven't fixed the root of the problem. So I decided to take some necessary precautions to hopefully free me of these annoyances once and for all. Below is a list of security recommendations that I have accumulated from various sites across the Web. I gratefully welcome any additional information you may have to help keep every WordPress site virus free.

  • Backup. Backup. Backup. – Despite my best efforts I still fell victim to malicious intrusion attempts. If I didn't take backing up seriously (I was once an auditor, after all) there is a good chance that I would have lost everything. While I'm not the most frequent blogger, Truebluetitan means a lot to me, and I'd hate to see it lost. Keep at least one copy somewhere the web server cannot write to, and back up the database as well as the files: an attacker who can write to the site can usually write to any backups stored on the same server.
  • Don't use the Default "Admin" Account – This is one of those security precautions that is worth repeating time and time again. I make it standard practice to immediately create a new administrator account and delete the default account every time I create a new blog. Bear in mind that WordPress still reveals usernames through author archives (requesting ?author=1 redirects to the author's page), so the renamed account is only a small gain on its own; the strong password and the login throttling below are what actually stop a guessing attack.
  • Change Passwords – As soon as I found out that TBT had fallen to a hacker attempt I immediately changed every password pertaining to the site: the WordPress users, the database user, FTP/SFTP and the hosting control panel. Each password is now unique and more secure. Thanks to the wonderful application 1Password, I don't have to worry about remembering what they are.
  • Login LockDown Plugin – My former audit manager always used to point out that implementing security precautions is great, but you still need some kind of system that alerts you when people are attempting to break in. That's where plugins like Login LockDown come in.

    Login LockDown records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range.

  • WP Security Scan Plugin – This plugin checks your WordPress site to see whether several of the "must-have" security precautions are implemented. If any are missing it alerts you and provides information and recommendations on how to mitigate the risk. Get it here.
  • Upgrade WordPress – I was a version or two behind the releases from the folks over at WordPress.org, but that won't happen anymore. From now on I'll be making sure that Truebluetitan is sporting the latest versions of WordPress and its plugins. Plugins and themes deserve the same attention as core: a site is only as current as its most outdated plugin, and a known hole in an abandoned plugin is exploited just as readily as one in WordPress itself.
  • Don't Display Your Version – The wp_head() call that nearly every theme includes prints a generator Meta Tag (meta name="generator" content="WordPress x.y") that announces the exact version you are running. If you've ignored my prior recommendation, you are practically showing hackers which security vulnerabilities your site has. Note that the version also leaks through the ?ver= query string WordPress appends to its own scripts and stylesheets and through the stock readme.html in the site root, so removing the tag alone buys little; staying upgraded is what actually closes the holes.
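
The two items above that can actually be enforced in code, the login lockout behaviour described for Login LockDown and the version hiding, are combined below in a small must-use plugin. This is an added example and is not code from Truebluetitan, Login LockDown or WP Security Scan; the tbt_ function names, the "5 failures within 5 minutes earns a 60-minute block" policy and the /24 grouping of IPv4 clients are assumptions chosen for illustration. It uses only standard WordPress hooks and the transient API, and stores counters per source range exactly as the plugin description says: failed attempts are timestamped, and once the threshold is crossed inside the window the whole range is refused.

```php
<?php
/**
 * Plugin Name: TBT Hardening (added example, not the site's own code)
 * Description: Removes WordPress version disclosure and locks out a source
 *              range after repeated failed logins.
 * Drop this file into wp-content/mu-plugins/ so it loads without activation.
 */

// ---- 1. Stop advertising the WordPress version -------------------------

// wp_head() normally prints <meta name="generator" content="WordPress x.y">.
remove_action( 'wp_head', 'wp_generator' );
// The same string is emitted in RSS/Atom feeds; blank it there too.
add_filter( 'the_generator', '__return_empty_string' );
// Core appends ?ver=<WordPress version> to its own scripts and styles.
function tbt_strip_version_query( $src ) {
    return $src ? remove_query_arg( 'ver', $src ) : $src;
}
add_filter( 'script_loader_src', 'tbt_strip_version_query' );
add_filter( 'style_loader_src',  'tbt_strip_version_query' );

// ---- 2. Lock out a source range after repeated failed logins ------------

// Assumed policy: 5 failures from one range within 5 minutes => 60-minute block.
const TBT_MAX_FAILURES   = 5;
const TBT_WINDOW_SECONDS = 300;
const TBT_BLOCK_SECONDS  = 3600;

/**
 * Key the counter on the /24 of an IPv4 client, since the plugin blocks by
 * range rather than single address (assumed grouping). IPv6 clients are
 * keyed on the full address. REMOTE_ADDR is used deliberately: X-Forwarded-For
 * is attacker-controlled unless a trusted reverse proxy sets it.
 */
function tbt_client_range() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    if ( filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 ) ) {
        $octets = explode( '.', $ip );
        return "{$octets[0]}.{$octets[1]}.{$octets[2]}.0/24";
    }
    return $ip;
}

function tbt_transient_key( $prefix ) {
    return $prefix . md5( tbt_client_range() );
}

// WordPress fires wp_login_failed for every rejected username/password.
function tbt_record_failed_login( $username ) {
    $key      = tbt_transient_key( 'tbt_fail_' );
    $attempts = get_transient( $key );
    $attempts = is_array( $attempts ) ? $attempts : array();
    $now      = time();

    // Keep only timestamps still inside the window, then add this failure.
    $attempts = array_filter( $attempts, function ( $t ) use ( $now ) {
        return ( $now - $t ) < TBT_WINDOW_SECONDS;
    } );
    $attempts[] = $now;
    set_transient( $key, array_values( $attempts ), TBT_WINDOW_SECONDS );

    if ( count( $attempts ) >= TBT_MAX_FAILURES ) {
        set_transient( tbt_transient_key( 'tbt_block_' ), $now, TBT_BLOCK_SECONDS );
        delete_transient( $key );
        // The alert: written to the PHP/web server error log, where log
        // monitoring can pick it up.
        error_log( sprintf( 'TBT lockout: %s after %d failed logins (last username "%s")',
            tbt_client_range(), TBT_MAX_FAILURES, $username ) );
    }
}
add_action( 'wp_login_failed', 'tbt_record_failed_login' );

// Refuse authentication while the range is blocked. Priority 30 runs after
// the built-in username/password checks at priority 20, so even a correct
// password is rejected during the lockout, as the plugin description says.
function tbt_block_locked_range( $user, $username, $password ) {
    if ( get_transient( tbt_transient_key( 'tbt_block_' ) ) ) {
        return new WP_Error( 'tbt_locked_out',
            'Too many failed login attempts from your network. Try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'tbt_block_locked_range', 30, 3 );
```

Two practical caveats. Stripping ?ver= also removes the cache-busting that makes browsers fetch new CSS and JavaScript after an upgrade, so expect to clear caches after updating. And a /24 lockout can deny service to legitimate users who share an address range with the attacker (a campus or office NAT), so keep the block short and make sure the lockout events are actually being read, since the log line is the only place a real attack becomes visible.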

Please note: Even if you follow all of the above suggestions there is no guarantee that your site will be safe from these social deviants, but it is important to always be cognizant that these people exist and together we can do whatever it takes to rain on their parade.
