by Lexi » 22 Oct 2016, 15:40
WordPress is one of the most popular platforms in the world, used for blogs and websites, but keeping it safe from hackers and spammers can be a task. It’s one of the first things you should set up once you install your site, and there are plenty of plug-ins that can help keep your site secure and safe. While no site can be 100 percent secure, installing preventive measures can deter hackers and spammers. Do bear in mind that some plug-ins may conflict with one another, can slow down your site, or aren’t compatible with your chosen theme; I recommend installing a couple of themes to try them out if something doesn’t seem to work.
• Change the default settings in Discussion. Go to Settings and click on Discussion, which allows you to change the settings for comments. Many people choose Disqus instead, and while you can still moderate comments, you can’t delete them from the user’s account. I would recommend moderating all comments (the default is to allow comments once one has been approved), because what some spammers do is post a general comment and, once they have an approved comment, spam the site. You can also add comment moderation words or blacklist them. Typical words that spammers use include SEO and traffic, so you can choose to moderate or block them.
• Use a plug-in such as Wordfence or Shield. These offer paid and free versions and have a host of features you can use, from scans, firewall protection and spam protection to blocking IP addresses, networks and ranges, and country blocking.
• Install and activate Akismet (anti-spam). There are free and paid versions, and many people choose the ‘name your price’ option (you can put in $0.00), which then gives you an API key to use on all sites and protects your site from spam in comments and also WordPress contact forms.
• Mask your username. Some themes automatically include an author page link with each post, and it’s a good idea to use a plug-in that replaces the username with an author slug. Hackers will try to find the username in order to log into the account. This can be a bit of a hidden issue, as you can have a display nickname that you can change, but the username (which can’t be changed) will be displayed if people search for the author in a URL search. Alternatively, use an author name that has no admin access if you still have difficulties, and attribute all posts to that user.
• Use two-step authentication. Wordfence offers email authentication, while other plug-ins may use a cellphone number to log in, or require you to input a generated code.
• Change your login page URL. I recently did this and it’s a good idea if you are the only user. Wordfence allows you to do this easily in the free version.
• Limit logins. If you do have several subscribers and users and don’t want to change the login URL, limiting logins with a captcha will deter hackers and lock them out. Most plug-ins have options to lock out IP addresses and to limit retries. Loginizer also allows you to whitelist or blacklist IP ranges, and you can set how long a user is locked out.
• Use captcha codes. You may need to install more than one captcha if you want more security. Choose from alphanumeric, capital letters and/or numbers, but don’t forget, you don’t want to deter real commenters. There are also the boxes to tick to prove you are human, and a comment cooldown option you can activate, which stops spammers posting consecutively.
• Consider using a contact form and not an email address. Leaving an email address leaves that address open for spammers, trolls and hackers to use. Some forms come with a captcha option, which I would advise using.
• Ban IP addresses/networks/ranges. As many networks have thousands of IP addresses, it may be better to block a network or range that has been reported as a known spammer. You can check with an internet search, as several sites such as ‘Stop Spam’ list blacklisted IP addresses.
• Block countries. This is quite a drastic measure, and many forums and sites do block countries where there are multiple threats. Don’t be fooled by the country of origin of the IP address, as DigitalOcean is one that many spammers use. They will mask their IP easily and use a US location when they are really in another country. The main hackers seem to be from Russia, Eastern Europe and parts of Asia. Of course hackers, spammers and trolls can be in all countries, so consider blocking a country only if you have a particular audience you wish to reach.
This isn’t a definitive guide by any means, but it can get you started. Look out for spam harvesters, spam comments that look genuine, and unauthorized login attempts. It goes without saying to keep your password safe, and check where your traffic is coming from. Another reason why you should block spammers is that they can be persistent, and can use up all your bandwidth and compromise your site by exceeding your limit. This can result in a slower site, and in cases of free hosting or those with limited bandwidth, can end up with your site getting closed down.
If you ever wondered why people get paid to solve captchas, it’s more than likely that they are used to spam and hack sites. Protect your site, and don’t get involved in activities that enable hackers and spammers. You can encourage comments and people to get in contact without looking like Fort Knox, and I am still finding new ways to do this. If you have any other tips to keep websites free from the baddies, do share them, because there are always new threats that suddenly appear. The recent DDoS (distributed denial-of-service) attack affected major global sites, and is a timely reminder that protection and deterrents are better than a cure.
Some useful links:
https://wordpress.org/plugins/wordfence/
https://www.wordfence.com/
https://wordpress.org/plugins/wp-simple-firewall/
https://wordpress.org/plugins/loginizer/
https://wordpress.org/plugins/akismet/
https://wordpress.org/plugins/captcha-code-authentication/
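The "limit logins" and "ban IP ranges" tips above describe what plug-ins like Loginizer do for you: count failed logins per IP inside a window, lock the IP out for a set time, and keep whitelisted and blacklisted ranges. The script below is an added editorial example, not code from the post or from any of the plug-ins it names, showing that policy applied to web-server access-log lines. It assumes Apache/nginx combined log format, a chronologically ordered log, and WordPress's normal behaviour of answering a failed `wp-login.php` POST with HTTP 200 (the form re-rendered with an error) and a successful one with a 302 redirect; the sample log lines, IP addresses and CIDR ranges are constructed.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Fields we need from a combined-format access-log line:
# client IP, timestamp, request method + path, and HTTP status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (not real traffic): 203.0.113.7 hammers the login
# form, 198.51.100.20 mistypes once and then logs in, 192.0.2.9 sits in a
# range we have decided to blacklist outright.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Oct/2016:15:40:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3241
203.0.113.7 - - [22/Oct/2016:15:40:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3241
203.0.113.7 - - [22/Oct/2016:15:40:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3241
203.0.113.7 - - [22/Oct/2016:15:40:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3241
203.0.113.7 - - [22/Oct/2016:15:40:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3241
198.51.100.20 - - [22/Oct/2016:15:41:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3241
198.51.100.20 - - [22/Oct/2016:15:41:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.9 - - [22/Oct/2016:15:42:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3241
203.0.113.7 - - [22/Oct/2016:15:50:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3241
203.0.113.7 - - [22/Oct/2016:16:15:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3241
"""


def parse_line(line):
    """Parse one access-log line; return None for lines we don't understand."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop any query string
        "status": int(m["status"]),
    }


class LoginThrottle:
    """Lock an IP out for `lockout` after `max_failures` failures within `window`.
    Whitelisted ranges are never locked; blacklisted ranges are always refused."""

    def __init__(self, max_failures=5, window=timedelta(minutes=5),
                 lockout=timedelta(minutes=30), whitelist=(), blacklist=()):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.blacklist = [ipaddress.ip_network(n) for n in blacklist]
        self.failures = defaultdict(list)   # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> datetime the lockout expires

    @staticmethod
    def _in(ip, nets):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in nets)

    def decide(self, ip, ts, failed):
        """Return 'allow', 'blocked' (blacklisted range) or 'locked'. Events
        must arrive in chronological order, as they do when replaying a log."""
        if self._in(ip, self.whitelist):
            return "allow"
        if self._in(ip, self.blacklist):
            return "blocked"
        until = self.locked_until.get(ip)
        if until is not None and ts < until:
            return "locked"
        if not failed:
            self.failures[ip] = []          # a real login clears the counter
            return "allow"
        recent = [t for t in self.failures[ip] if ts - t <= self.window]
        recent.append(ts)
        self.failures[ip] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = ts + self.lockout
            self.failures[ip] = []
            return "locked"
        return "allow"


def replay(log_text, throttle):
    """Feed every POST to wp-login.php through the throttle. A failed login is
    re-rendered with 200, a successful one redirects with 302, so the status is
    the failure signal. (xmlrpc.php brute force answers 200 either way and is
    not covered by this heuristic; lost-password POSTs also return 200.)"""
    decisions = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != "/wp-login.php":
            continue
        verdict = throttle.decide(rec["ip"], rec["ts"], failed=(rec["status"] == 200))
        decisions.append((rec["ip"], verdict))
    return decisions


def demo():
    """Replay the sample log with one blacklisted range and one whitelisted (office) range."""
    throttle = LoginThrottle(blacklist=["192.0.2.0/24"], whitelist=["10.0.0.0/8"])
    return throttle, replay(SAMPLE_LOG, throttle)


if __name__ == "__main__":
    throttle, decisions = demo()
    for ip, verdict in decisions:
        print(f"{ip:15} {verdict}")
    for ip, until in throttle.locked_until.items():
        print(f"{ip} locked until {until:%H:%M:%S}")
```

On the sample, the attacker's fifth failure at 15:40:05 triggers a 30-minute lockout, its retry at 15:50 is refused, and its attempt at 16:15 is allowed again and starts a fresh count; the legitimate user's single mistake is cleared by the 302 login; the blacklisted address is refused regardless of history. Pair a counter like this with a captcha on the form, as the post suggests, so a locked-out address cannot simply wait out the window.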