Security has been a concern for as long as the internet has been open to the public. As with anything useful, once something good takes shape there are people who will abuse it for their own benefit. Security technology has improved greatly since the early days of the internet, yet we are still exposed to attackers, whether they are breaking into a personal computer or into a WordPress website. Much like a virus, once a defence is found for one attack method another evolves to get around it.
One method that has become steadily more common is targeting freshly installed WordPress sites whose setup wizard has not been completed (the WPSetup attack discussed below). Until the setup is finished there is no wp-config.php and no administrator account, so whoever reaches the setup page first can point the site at a database they control, complete the installation and become its administrator.
(See how you can install WordPress from our article here.)
“The attack itself is a well-known tactic. Web scanners have been configured to look for default install files and directories for years,” Weston Henry, lead security analyst at SiteLock, a service that carries out daily scans of websites to identify vulnerabilities, said Thursday. Henry points out that spiga.py, an old web scanner, could be used to sniff out unfinished phpMyFAQ installations. After finding one it’d be easy for an attacker to complete the installation and achieve admin access.
Credit to Solostream for the passage above, which is taken from their article.
How to Defend Against the WPSetup Attack
As this method grows in popularity, it is important to know what measures to take so that it cannot be used against you.
- The first method is a bit tricky but perhaps the most secure. Before uploading a fresh WordPress installation, create a .htaccess file in the directory the site will live in (public_html on a typical cPanel host). The file should contain:

    Order deny,allow
    Deny from all
    Allow from <your ip>

  Replace <your ip> with your own public IP address; any page that reports your public address will show it (a DNS leak test page does). These are Apache 2.2-style directives; Apache 2.4 only honours them when mod_access_compat is loaded, so test from a second address (a phone on mobile data will do) and confirm you get a 403 before uploading anything. The rule allows only your IP address to reach the site while you install WordPress, which means anyone who finds /wp-admin/setup-config.php in the meantime is refused instead of being shown the setup wizard. If your own connection changes address mid-install you will lock yourself out as well, so use a stable one. Remember to remove the rule from your .htaccess when the install is finished so visitors can reach your site.
- The next method is straightforward: finish the WordPress setup as soon as you begin it, and never leave an unfinished installation sitting on your server. The window between uploading the files and completing the wizard is exactly what the scanners look for, so upload, configure and install in one sitting.
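As an added example (this is not code from the original article or from any plugin it mentions), the POSIX shell script below does both of the things recommended above: it writes a lockdown .htaccess that admits only one IP address, using the Apache 2.4 "Require ip" directive with the article's Order/Deny/Allow lines as the fallback for Apache 2.2, and it audits a document root for WordPress trees whose setup was never completed. The paths and the address 203.0.113.7 are assumptions for illustration. The unfinished-install test (installer present, wp-config.php absent) matches the stage of the attack described above; it does not catch a site where wp-config.php exists but the installer was never run, which needs a database check.

```shell
#!/bin/sh
# Added example, not code from the original article: lock a fresh WordPress
# directory to one IP address and audit a document root for installs that
# were never completed. Paths and the IP used are illustrative assumptions.

# write_install_lock DIR IP
# Writes DIR/.htaccess so that only IP can reach anything under DIR.
# Apache 2.4 (mod_authz_core) reads the "Require ip" block and ignores the
# other; Apache 2.2 has no mod_authz_core and reads the Order/Deny/Allow
# block from the article instead. The host must permit AuthConfig overrides
# in .htaccess (cPanel hosts normally allow all overrides).
write_install_lock() {
    _dir=$1
    _ip=$2
    cat > "$_dir/.htaccess" <<EOF
# Temporary lockdown while WordPress is being installed. Remove when done.
<IfModule mod_authz_core.c>
    Require ip $_ip
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from $_ip
</IfModule>
EOF
}

# is_unfinished_wordpress DIR
# True (exit 0) when DIR holds the WordPress installer but no wp-config.php,
# i.e. the setup wizard has never been completed and anyone who reaches
# wp-admin/setup-config.php can finish it with a database they control.
is_unfinished_wordpress() {
    [ -f "$1/wp-admin/install.php" ] && [ ! -f "$1/wp-config.php" ]
}

# find_unfinished_installs ROOT
# Prints the directory of every unfinished WordPress install under ROOT,
# one per line (prints nothing when there are none).
find_unfinished_installs() {
    find "$1" -type f -path '*/wp-admin/install.php' 2>/dev/null |
    while IFS= read -r _installer; do
        _site=$(dirname "$(dirname "$_installer")")
        if is_unfinished_wordpress "$_site"; then
            printf '%s\n' "$_site"
        fi
    done
}

# Command-line use:  lock DIR IP   |   audit ROOT
case "${1:-}" in
    lock)  write_install_lock "$2" "$3" && echo "locked $2 to $3" ;;
    audit) find_unfinished_installs "$2" ;;
esac
```

Run it as `sh wpsetup-guard.sh lock /home/user/public_html 203.0.113.7` before uploading WordPress, and `sh wpsetup-guard.sh audit /home` from cron so a forgotten half-installed site is reported rather than found by a scanner first.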
What about after the installation is complete?
Attackers can exploit a WordPress site during the installation stage and after it. The good news is that there are measures that limit what they can do to your website and let you recover if they get in.
1) Always keep a backup of your website. Most cPanel hosting accounts can generate a full backup; store a copy somewhere other than the server itself, since an attacker who controls the site can delete any backups kept beside it.
2) Install the "Jetpack" plugin and make sure its brute force attack protection option is enabled, so that repeated failed logins from one address are blocked.
3) Use a security plugin such as "Got MLS", which scans the site's files for known malware in much the same way that a desktop anti-virus product such as Avast scans a computer.
4) Make sure your website has an SSL (Secure Sockets Layer, today actually TLS) certificate and serves pages over https:// rather than http://. HTTPS encrypts the traffic between the visitor's browser and your server, so a password typed into the login page cannot be read by someone watching the connection, as it can when the form is submitted over plain http://. Note what it does and does not do: it protects data in transit, but it offers no protection against the install-stage attack above or against a weak password.
Websites will always be exposed to attacks, from the installation stage through to the years that follow. It is important to stay up to date with current security practice, because attackers keep finding new ways in. Once a site has been hacked there are many steps needed to clean it up and to stop it happening again, so taking these preventive measures early will save you a world of trouble.
What are your thoughts on the methods given here? Do you know a better way? Let us know in the comments section below.