WordPress has a great many features that have made it a truly popular CMS (Content Management System). It can be used in a great number of ways beyond blogging. For example, you could use it to run a store, as so many do with WooCommerce and other eCommerce plugins for WordPress, or… it could easily be turned into a standalone website for a band, a portfolio for a photographer, or the next great social network (maybe not)!!!
Because of this multifaceted utility… it does in fact get used… by lots and lots of people. Popularity has its pros and cons. On the plus side, because WordPress is popular and open source, when bugs are discovered… and oh, are they discovered… they tend to get patched fairly quickly. On the other side of the coin… because every WordPress site runs the same core… attackers have become intimately familiar with the inner and outer workings of not only the WordPress core… but also the many, many plugins and themes available for it, along with detailed, published information on how to exploit them.
But all is not lost. There are things that can be done to “harden” your WordPress, but you’ll never make it bulletproof. Unless, of course, you take it totally off the internet and only view it locally on the box it’s installed on… and even then you might get hacked. But honestly, what use is a website that’s not on the web? So, we do what we can to make things as secure as possible.
For most people, the easiest route is going to be to just pay the $15 USD, or whatever it is per month, for a WordPress Pro account on WordPress.com, and just let them host it for you. Then you’ll still need to install some random security plugins to stitch up the rest of the holes and flaws. Or most of them at least. That too will come at a price… probably subscription based. And while that probably works for most people… and it’s probably worth the value, to be honest… it’s just not for me.
I’ve decided to take the long hard road… can’t learn anything if we go easy.
It all started with setting up a nice, secure server. I found myself a nice VPS at an affordable price and dropped some Linux on it. Got it all set up with a firewall, secured the default configurations of services, hooked up fail2ban, got Snort all configured… and I still have some other things planned… perhaps it’s overkill… perhaps it’s not… but I find it all fun.
While working on a security plugin for my WordPress site, I started wondering if there might be a way to tie fail2ban into the WordPress login process… to deal with banning the IPs of repeat offenders, in an attempt to regulate brute force attacks. I imagine you could achieve such a thing simply by hooking fail2ban into a log file… that logged the failed login attempts.
Sooo, anyway… that’s where I’ve gotten to… for the most part. I’m always looking for new things to harden up WordPress and my VPS.
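To make that idea concrete, here is one way to wire it up, as an added example (it is not the author’s plugin and not code from WordPress or fail2ban): a must-use plugin that writes one syslog line per failed login, followed, in a trailing comment, by the fail2ban filter and jail that match it. The `f2b_` function names, the wording of the log line, the Debian-style `/var/log/auth.log` path and the ban thresholds are all assumptions; the `wp_login_failed` hook, PHP’s `syslog()` calls and fail2ban’s `<HOST>` / `__prefix_line` conventions are real.

```php
<?php
/**
 * Plugin Name: Failed-login syslog feed for fail2ban
 * Description: Writes one syslog line per failed WordPress login so a
 *              fail2ban jail can ban the offending IP.
 *
 * Example code, not WordPress core. Drop this file into
 * wp-content/mu-plugins/ (must-use plugins load automatically and cannot
 * be switched off from the dashboard).
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Never run outside WordPress.
}

/**
 * Resolve the client IP that fail2ban will ban, or null if none is usable.
 *
 * Only REMOTE_ADDR is trusted. X-Forwarded-For is attacker-controlled unless
 * a reverse proxy you run overwrites it, so it is deliberately ignored here.
 * If you sit behind such a proxy, have the web server rewrite REMOTE_ADDR
 * from the proxy's header instead of parsing headers in PHP.
 */
function f2b_client_ip() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    // Validate so a malformed value can never corrupt the log line.
    return filter_var( $ip, FILTER_VALIDATE_IP ) ? $ip : null;
}

/**
 * Log a failed login. wp_login_failed is fired by wp_authenticate() for
 * every rejected password, which also covers XML-RPC logins because the
 * XML-RPC server authenticates through the same function.
 *
 * $error is only passed by WordPress 5.4+, hence the default.
 */
function f2b_log_failed_login( $username, $error = null ) {
    $ip = f2b_client_ip();
    if ( null === $ip ) {
        return; // Nothing fail2ban could act on.
    }

    // The attacker chooses the username. Strip control characters (CR/LF
    // included) and cap the length, so a crafted username cannot forge a
    // second log line that matches the fail2ban regex with an IP of the
    // attacker's choosing (log injection).
    $user = preg_replace( '/[\x00-\x1F\x7F]/', '', (string) $username );
    $user = substr( $user, 0, 60 );

    // Facility LOG_AUTH lands in /var/log/auth.log on Debian-style systems;
    // LOG_PID adds "[pid]" so fail2ban's __prefix_line matches the line.
    openlog( 'wordpress', LOG_PID, LOG_AUTH );
    syslog( LOG_WARNING, sprintf( 'Authentication failure for %s from %s', $user, $ip ) );
    closelog();
}
add_action( 'wp_login_failed', 'f2b_log_failed_login', 10, 2 );

/*
 * Matching fail2ban configuration (assumed paths and thresholds).
 *
 * --- /etc/fail2ban/filter.d/wordpress.conf ---
 * [INCLUDES]
 * before = common.conf
 *
 * [Definition]
 * _daemon = wordpress
 * failregex = ^%(__prefix_line)sAuthentication failure for .+ from <HOST>$
 * ignoreregex =
 *
 * --- /etc/fail2ban/jail.d/wordpress.conf ---
 * [wordpress]
 * enabled  = true
 * port     = http,https
 * filter   = wordpress
 * logpath  = /var/log/auth.log
 * maxretry = 5
 * findtime = 600
 * bantime  = 3600
 *
 * A line as produced by the plugin above looks like:
 *   Jan  5 10:00:00 host wordpress[1234]: Authentication failure for admin from 203.0.113.5
 */
```

Two things are worth checking before trusting the jail. First, confirm the filter really matches your syslog format by running `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/wordpress.conf` after a deliberate failed login; a regex that silently matches nothing gives you a jail that never bans. Second, make sure the logged address is the real client. Behind a reverse proxy or CDN, REMOTE_ADDR is the proxy, and fail2ban would ban the proxy and lock out every visitor; fix that at the web-server layer rather than by trusting X-Forwarded-For in PHP, since any client can set that header.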
TL;DR: I MAKE ALL THE THINGS! STOP ALL THE BAD BAD!