- Brute Force Password Extraction
- Password Reset Scams
- Email Phishing Attacks
- SQL Injection Attacks
- Cross-Site Scripting
To get started let’s take a look at the basics of these attack types. This will help you to better understand the attack types and what to look for.
Brute Force Password Extraction
This is one of the most common types of attack. A hacker uses a script to repeatedly guess the password, usually from behind a VPN or another IP address cloaking system. These attacks are somewhat systematic, cycling through username and password combinations in order to get into your website.
Password Reset Scams
This type of attack is almost as common as the brute force attack above, only it uses the password reset options of the website. It relies on breaking into your administrator email address and then forcing a password reset on the website.
Email Phishing Attacks
This type of attack is seen by almost everybody with an email account on a somewhat regular basis. An email is sent to you pretending to be from another organisation. Often these emails will look like something from your bank, your tax office or an invoice from a supplier. The aim of the scam is to get you to log into a website that imitates the real one. Once you have logged in, the attacker has your password and tries the same username and password across other websites, including your business website. This exploits the fact that many people still use the same password across multiple online platforms.
SQL Injection Attacks
This type of attack is rated as the number one problem on the top 10 security issues faced by website owners, designers and developers. It uses code and scripts to force a website database to reveal its contents. These scripts can be submitted in many places on the average website, including login forms, search forms, contact forms and even directly in the website address. It is the most dangerous of the attacks because the website database can store all of the website information: passwords, product information, credit card numbers and more. A successful injection of this type can also lead to the hacker gaining full control over your online system.
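As an added illustration (not code from the original post), here is the pattern behind a search-form injection in a WordPress theme or plugin, with the hardened version beside it. The custom table name, the `cc_q` request parameter and the function names are assumed for the example.

```php
<?php
// Added example, not from the original post. Assumes a theme or plugin that
// searches a custom table from a front-end search form; the table name
// (cc_products) and the request parameter (cc_q) are assumed for illustration.

// VULNERABLE: the visitor's input is pasted straight into the SQL string, so a
// quote character typed into the search box changes the structure of the query
// instead of being treated as data. This is the "script attached to a search
// form" the post describes.
function cc_search_products_vulnerable( $term ) {
    global $wpdb;
    $sql = "SELECT id, name FROM {$wpdb->prefix}cc_products WHERE name LIKE '%" . $term . "%'";
    return $wpdb->get_results( $sql );
}

// HARDENED: $wpdb->prepare() binds the value as a parameter, so whatever the
// visitor types is always compared as a string and can never become SQL.
// esc_like() additionally escapes % and _ so they do not act as wildcards.
function cc_search_products_safe( $term ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT id, name FROM {$wpdb->prefix}cc_products WHERE name LIKE %s LIMIT 50",
        $like
    );
    return $wpdb->get_results( $sql );
}

// Typical use from a form handler: sanitise the raw request value first, let
// the prepared statement handle the SQL escaping, then escape again on output
// so the result page cannot be used for cross-site scripting either.
add_action( 'init', function () {
    if ( ! isset( $_GET['cc_q'] ) ) {
        return;
    }
    $term    = sanitize_text_field( wp_unslash( $_GET['cc_q'] ) );
    $results = cc_search_products_safe( $term );
    foreach ( $results as $row ) {
        echo '<li>' . esc_html( $row->name ) . '</li>';
    }
} );
```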
Cross-Site Scripting
This type of attack works by first taking over a part of your website and using the front end of your website to launch hacking attempts on your website visitors. The scripts attached to your website can execute without the site’s original functionality being affected. These attacks often work to gain access to your website visitors’ computers and can lead to things such as crypto locking and data encryption.
How do we combat these attacks effectively for WordPress security?
To be honest, it is near impossible to protect your website 100%. But you can take many precautions to mitigate the risk of attack when it comes to WordPress security. The most important reason to do this is to protect your end users and the privacy of any data stored. So below are 5 simple DIY tips you can put in place today to help secure your site and mitigate the risk to your website visitors.
Tip 1 – Use a secure and unique password
When choosing a password for your website make sure to utilise the following items to make your password as hard to guess as possible.
- Adopt long passphrases – Use things such as symbols and numbers to break up a multi-word password. Also make sure to use a mix of capital and non-capital letters. The longer the password, the harder it is to crack.
- Create a password blacklist – Hackers often start with a list of common passwords when breaking into your website. Do some research online to find out what the most common passwords are and compare them to the passwords used on your system. If they are similar in any way, change them immediately.
- Implement two-factor authentication – Where possible, implement two-factor authentication. This means that every time you log in, your initial password is backed up by a secure secondary check. If someone does guess your password, they will also need the second authentication method to gain access.
- Add additional authentication methods – As time goes by and technology advances, other authentication options will be made available for websites and online technology. These could include fingerprints, retina scans and voice prints. All of these options will help increase security.
- Ensure logins over a secure connection – Make sure when logging in on your website that the secure padlock is showing in your browser. This means that your login information is being encrypted and protected. This helps to prevent attacks where passwords are intercepted.
Tip 2 – Use a unique username
When choosing a username for your main admin account on your website make sure to choose a unique username. This means avoid choosing common website usernames such as admin, administrator, advertising, billing, sales, support and test. By choosing a unique username that contains items such as capital letters and numbers you are giving yourself a better chance of securing your website.
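Tip 1’s password blacklist and Tip 2’s unique username can both be enforced on the site itself. The following must-use plugin is an added example, not code from the original post; the short password list is a constructed sample, and the 14-character minimum is an assumed threshold (the post recommends long passphrases without naming a length).

```php
<?php
/**
 * Plugin Name: Password Blacklist and Reserved Usernames (added example)
 * Added example, not code from the original post. Drop into wp-content/mu-plugins/.
 * The password list below is a short constructed sample; in practice load a
 * published common-password list into cc_common_passwords().
 */

// Tip 2: refuse to create accounts with the generic usernames the post lists.
add_filter( 'illegal_user_logins', function ( $logins ) {
    return array_merge( $logins, array(
        'admin', 'administrator', 'advertising', 'billing', 'sales', 'support', 'test',
    ) );
} );

// Tip 1: constructed sample of common passwords (lower-case; compared case-insensitively).
function cc_common_passwords() {
    return array( 'password', 'password1', '123456', 'qwerty', 'letmein', 'welcome', 'admin123' );
}

// Returns true if the password is shorter than the assumed 14-character minimum
// or contains a blacklisted entry ("similar in any way", as the post puts it).
function cc_password_is_weak( $password ) {
    $p = strtolower( $password );
    if ( strlen( $p ) < 14 ) {
        return true;
    }
    foreach ( cc_common_passwords() as $bad ) {
        if ( strpos( $p, $bad ) !== false ) {
            return true;
        }
    }
    return false;
}

// Run the check wherever WordPress accepts a new password: the profile screen,
// the add-new-user screen (both fire user_profile_update_errors) and the
// password reset form (validate_password_reset). The field is named pass1 on all of them.
function cc_reject_weak_password( $errors ) {
    if ( ! empty( $_POST['pass1'] ) && cc_password_is_weak( (string) wp_unslash( $_POST['pass1'] ) ) ) {
        $errors->add(
            'weak_password',
            'That password is too short or appears on the common-password blacklist. Choose a long, unique passphrase.'
        );
    }
}
add_action( 'user_profile_update_errors', 'cc_reject_weak_password' );
add_action( 'validate_password_reset', 'cc_reject_weak_password' );
```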
Tip 3 – Install antivirus on your computer
WordPress security starts at home with the installation and protection of your computer. When logging into your website or any other website, make sure you have installed quality antivirus software. Free antivirus software is better than no antivirus, but often you do get what you pay for. When choosing antivirus software, make sure that your chosen option protects the following items.
- Your computer connection to the internet.
- Your computer files.
- Your browser usage and file downloads.
- Your email software and incoming emails.
By choosing a quality antivirus solution you are mitigating the risk of items such as phishing attacks. We recommend using a paid antivirus platform such as BitDefender. If you are looking for a quality managed antivirus solution, give our good friends at Time Out Computers a call on 1300 084 636 and tell them I sent you.
Tip 4 – Install security software on your website
There are many great WordPress security plug-ins available that can be installed on your WordPress website to better manage security. When you’re choosing a solution, once again a free solution is better than no solution; however, if you are serious about protection then I do suggest looking at paid options. We recommend looking at plugins such as WordFence, which has both a great free and a paid version, or Sucuri, which also has a great free and a paid version. If you need to choose between these two platforms, the only real difference is that WordFence has a web application firewall in its free version whereas Sucuri requires the paid version. Both platforms are excellent at what they do and worth investing in to protect your website.
Tip 5 – Install captcha or anti robot systems
It may not sound like much, but the simple act of adding a captcha or anti-robot challenge to your website can help protect you and your site. Robots that use injections and spam scripts to distribute phishing often can’t work through these systems. This means less email spam from your website and fewer attempts to inject code into your site. The reCAPTCHA system provided by Google is free to use and fairly simple to add to most WordPress form software.
Whilst the internet can be a wild place for the general public, with the above tips you can certainly improve your chances to mitigate risk. Your website, your data and that of your clients is important and often overlooked. If you would like a full security audit on your website or perhaps someone to do the above work professionally then reach out to your website developer. If you would like us to do this for you we are offering a discounted website security analysis of your WordPress website. Our usual cost for this is $199 but if you are one of the first 25 people to complete this form we will give you the special price of $100 saving you $99. You will get a full report including security improvements, options and costs to have the work done professionally.
Martin is an experienced WordPress website consultant and lead generation specialist for small business. With over 20 years of experience in the website design and development industry, his experience leads to your online business success. Martin founded Conceptual Creative to assist Australian business owners to succeed online through quality online platforms, effective lead generation, and educational content.