Securing a wordpress site accessed through a gmail email
March 21, 2013 2:55 AM Subscribe
So. If you had a wordpress self-hosted website accessed through your name and an ok password and a gmail account associated with the wordpress admin login, what would you do to secure everything from fuckery?
Asking for a friend. Her popular website is getting a lot of login attacks. Most of them are from Russia and China (she's in NZ) and she blocks those IPs via a plugin. But some are from NZ itself and she has reason to think, due to her work and website, that disgruntled opponents are trying to crack her site.
What are the latest and best protocols for securing her site, email etc? The easier the better, she's not super IT skilled.
Asking for a friend. Her popular website is getting a lot of login attacks. Most of them are from Russia and China (she's in NZ) and she blocks those IPs via a plugin. But some are from NZ itself and she has reason to think, due to her work and website, that disgruntled opponents are trying to crack her site.
What are the latest and best protocols for securing her site, email etc? The easier the better, she's not super IT skilled.
Google Authenticator plugin and Android app.
The phone app generates a secret code every 60 seconds or so, and once the plugin is set up, WordPress will ask for the current code when she enters her login credentials. This way someone would have to have access to her phone and the right username/password to get into the site, which makes it nearly impossible for evil-doers to get in. (Assuming, of course, that she has an Android phone.)
She can also set this up for her Gmail address as well.
posted by aheckler at 3:28 AM on March 21, 2013 [2 favorites]
The phone app generates a secret code every 60 seconds or so, and once the plugin is set up, WordPress will ask for the current code when she enters her login credentials. This way someone would have to have access to her phone and the right username/password to get into the site, which makes it nearly impossible for evil-doers to get in. (Assuming, of course, that she has an Android phone.)
She can also set this up for her Gmail address as well.
posted by aheckler at 3:28 AM on March 21, 2013 [2 favorites]
Also, she should be careful to always update her WordPress installation and plugins to new versions as soon as they are released.
posted by aheckler at 3:29 AM on March 21, 2013 [1 favorite]
posted by aheckler at 3:29 AM on March 21, 2013 [1 favorite]
If I wanted to really lock a site down, I would:
Close off every port except 80 and 22
Lock down 22 to require a public key to log in
Use a write-to-html solution like WP Static HTML Output for the front-end
Use a client-side SSL certificate to authenticate admin logins
This answer is techie as hell, and many not be useful to you. The realistic answer, as empath mentioned, is "pay someone to take care of this stuff for you".
Also use machine-generated passwords. JK@8[{U=#,>4Vm^UtIO5dm'Vfq,[i{KuiG7.
posted by Leon at 4:09 AM on March 21, 2013
Close off every port except 80 and 22
Lock down 22 to require a public key to log in
Use a write-to-html solution like WP Static HTML Output for the front-end
Use a client-side SSL certificate to authenticate admin logins
This answer is techie as hell, and many not be useful to you. The realistic answer, as empath mentioned, is "pay someone to take care of this stuff for you".
Also use machine-generated passwords. JK@8[{U=#,>4Vm^UtIO5dm'Vfq,[i{KuiG7.
posted by Leon at 4:09 AM on March 21, 2013
I use Login LockDown on my site. And if you can install stuff on the server fail2ban helps.
posted by johnpowell at 4:35 AM on March 21, 2013
posted by johnpowell at 4:35 AM on March 21, 2013
Also, separate and tough passwords for both accounts (WP and Gmail). Google Authenticator is definitely worth while - 2 factor authentication is useful for any important accounts.
posted by backwards guitar at 4:37 AM on March 21, 2013 [1 favorite]
posted by backwards guitar at 4:37 AM on March 21, 2013 [1 favorite]
Note that the Login LockDown plug-in has this warning:
This plugin hasn't been updated in over 2 years. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.
A search for alternatives brings up a few potential ones, including the seemingly popular Limit Login Attempts and the exremely popular Better WP Security which has broader functionality and I personally always use.
Note that in addition to WP itself, plug-ins should also be diligently updated.
posted by Dansaman at 4:47 AM on March 21, 2013
This plugin hasn't been updated in over 2 years. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.
A search for alternatives brings up a few potential ones, including the seemingly popular Limit Login Attempts and the exremely popular Better WP Security which has broader functionality and I personally always use.
Note that in addition to WP itself, plug-ins should also be diligently updated.
posted by Dansaman at 4:47 AM on March 21, 2013
The Gmail account should also have 2-factor authentication turned on, so logging in requires a code from a text message.
Don't neglect the password(s) used to access the hosting account; if someone can get in that way, they can probably trivially reset MySQL passwords and have a field day with WordPress's backend.
posted by bcwinters at 5:12 AM on March 21, 2013
Don't neglect the password(s) used to access the hosting account; if someone can get in that way, they can probably trivially reset MySQL passwords and have a field day with WordPress's backend.
posted by bcwinters at 5:12 AM on March 21, 2013
The best advice is to keep it patched and to keep the amount of plugins to a minimum, since those usually introduce security holes. WP is a very popular platform to attack for many reasons. If the login attempts are the main worry, I'd look into doing some form of 2-factor authentication.
posted by antonymous at 7:58 AM on March 21, 2013
posted by antonymous at 7:58 AM on March 21, 2013
As well as all the above: use a password safe. Long, machine-generated passwords are now the only reliable ones, and provided KeePass rates them at more than 100 bits of entropy they're actually plenty reliable. Why use on an ok password when you can conveniently use a whole bunch of really good ones?
posted by flabdablet at 8:10 AM on March 21, 2013
posted by flabdablet at 8:10 AM on March 21, 2013
Your site will be hacked through:
* A weak password
* A vulnerability in Wordpress
* A vulnerability somewhere else in the stack (Apache, PHP, etc)
* Anywhere you enter a password being compromised
* MITM (man in the middle)
So:
* Set a strong password for all your Wordpress logins, and your gmail account
* Lock down admin logins to Wordpress to an ip address at the Apache level if you can
* Always upgrade to new Wordpress versions - don't forget plugins
* Keep your stack up-to-date, apply all operating system level updates.
* Only use trusted computers to login to Wordpress, and keep those up-to-date, use security software, etc. etc.
* MITM: if your Wordpress username and password is being sent in cleartext, i.e. not SSL, you should probably fix that.
posted by devnull at 8:11 AM on March 21, 2013
* A weak password
* A vulnerability in Wordpress
* A vulnerability somewhere else in the stack (Apache, PHP, etc)
* Anywhere you enter a password being compromised
* MITM (man in the middle)
So:
* Set a strong password for all your Wordpress logins, and your gmail account
* Lock down admin logins to Wordpress to an ip address at the Apache level if you can
* Always upgrade to new Wordpress versions - don't forget plugins
* Keep your stack up-to-date, apply all operating system level updates.
* Only use trusted computers to login to Wordpress, and keep those up-to-date, use security software, etc. etc.
* MITM: if your Wordpress username and password is being sent in cleartext, i.e. not SSL, you should probably fix that.
posted by devnull at 8:11 AM on March 21, 2013
I second blocking repeated logins - in Wordpress and ssh (fail2ban or denyhosts, not mentioned yet). I also like Cloudflare for some automatic detection and blocking of these bruteforce attempts.
posted by Pronoiac at 10:26 AM on March 21, 2013
posted by Pronoiac at 10:26 AM on March 21, 2013
Something else that works better than it has any right to is moving ssh to a non-standard port number (i.e. not port 22). I'm normally dead against security-by-obscurity, but in my experience running ssh on a high-numbered port (10000 on up) reduces the rate at which it gets probed to approximately zero.
Which is of course no substitute for key-only access and/or a very strong random password, but certainly makes the logs less noisy.
posted by flabdablet at 4:45 PM on March 21, 2013
Which is of course no substitute for key-only access and/or a very strong random password, but certainly makes the logs less noisy.
posted by flabdablet at 4:45 PM on March 21, 2013
but in my experience running ssh on a high-numbered port (10000 on up)
It's probably a bad idea to do this: running an ssh server on a port below 1024 ensures only root can start the process, i.e. it's probably legitimate.
Running an ssh server on a high port means that anything on the system can potentially open that port.
posted by devnull at 7:28 AM on March 22, 2013
It's probably a bad idea to do this: running an ssh server on a port below 1024 ensures only root can start the process, i.e. it's probably legitimate.
Running an ssh server on a high port means that anything on the system can potentially open that port.
posted by devnull at 7:28 AM on March 22, 2013
Good point. When I move ssh to a high-numbered port, I do it using port redirection at the firewall. Inside the firewall, ssh servers still accept connections only on port 22; but from the wider Internet's point of view ssh is only accessible via some random high port number. I can think of no reason why this should not be completely safe.
The other advantage of this scheme, for me, is that it lets me get to my ssh boxes from places where outbound port 22 connections are blocked (like one of my workplaces) but that's more about convenience than security.
posted by flabdablet at 8:07 AM on March 22, 2013
The other advantage of this scheme, for me, is that it lets me get to my ssh boxes from places where outbound port 22 connections are blocked (like one of my workplaces) but that's more about convenience than security.
posted by flabdablet at 8:07 AM on March 22, 2013
« Older He texts me everyday but has never asked me out | Blisters on my little toes and the balls of my... Newer »
This thread is closed to new comments.
posted by empath at 3:25 AM on March 21, 2013 [3 favorites]