Spam sucks.. Unless it’s the canned variety.
You know, Spam does not get enough love. Neither does corned beef hash.. But that’s not what we’re here for. We’re here to discuss our latest site changes and how they impact you.
We’ll also discuss some things you can do to protect your WordPress self-hosted site.
We’ll keep it short and sweet so no worries!
Protect Your Account – Say Hello!
We had a lot of annoying spammers registering names (over 5k, to be exact). Most of these accounts looked like they were produced through random smashing of the head on keyboards but others were hard to weed out. It wasn’t a big deal until we realized it made it hard for our fellow geeks to find other legit community members. It ruined the leaderboards, messaging, and forums. No me gusta.
In response, we did some database clean-up and increased security on our servers, WordPress implementation, and registration forms. We basically deleted all accounts that had no activity, assuming they were spammers (or lazzers). If you were deleted, please re-register and post some activity to stay active. Here’s a good place to start:
We’re trying to keep our site as user-friendly and snappy as possible but, rest assured, we are more secure than the average web site. I personally find things like CAPTCHA really annoying and mostly unnecessary.. But sometimes they are a necessary evil. We’ll be dabbling with additional security layers so please stand by, folks!
Give The Site A Real Spin
Gang, help us out by really putting the site to work. There are great people to connect with, a wide variety of content to experience, and tons of shows to tune into. Click away and see if you can break something. This site is a work in progress so we’re constantly working to make it even better for you! Some areas to check out include Storytelling, Giveaways, and Forums.. Just for starters, of course.
There are some known issues we are working on, such as select users getting server errors. These usually happen when there are repeat reloads or any activity that can be perceived as brute force hacking attempts. Usually, the site will stop loading altogether if your network or IP address is seen as a threat. If this happens to you by accident, tweet us @GeekyAntics and we’ll get you fix0red.
Leaving comments is the easiest way to keep your account active (it would also help if you sign up for our G.A.N.G. mailing list). All it takes is one comment and less than a minute to keep your account safe from our automatic security pruning. Just make sure you are logged on first. When you are logged on, you’ll notice the top menu features additional options and your profile shows up on the sidebar.
Common WordPress Security Vulnerabilities
These days, I feel that WordPress is the best solution for web developers unless you have a very specific design or custom framework you wish to implement. That said, self-hosted WordPress (as opposed to WordPress.com) is not very secure or functional out of the box. You’ll want to tighten up server security, configure settings, and set up some plugins before you go live, ideally.
Here’s a quick run-down of what you want to address with WordPress deployments:
- User 0/1 – You usually want to avoid having administrative accounts enabled as user 0 or 1 because these are the IDs that typically get scanned for.
- Admin – Using “admin” as your root/administrator account is as bad as setting your password to “password”.
- Permalinks – Using default page slugs and URLs makes it far too easy for brute force attempts to work. Get a little creative where possible while not foregoing the user experience. If you’re worried that site visitors may get lost, implement a custom 404 error page or user-friendly site map.
- Login Lockdown – One of the simplest measures you can take is implementing a brief lockdown after several failed logon attempts. This prevents most brute force methods, such as password cracking.
- Signup Forms – Typically, people take at least 10 seconds to complete a signup form. Even with auto completion on, there are things that people need to manually fill out (e.g. bios and interests). There are plugins like Stop Spammers that automatically block people who complete signup forms too fast. 4 seconds is a reasonable limit to avoid false positives here.
- CAPTCHA – CAPTCHA images, even if supplemented with audio, make things unnecessarily complex. Only huge sites REALLY need to implement this but, if you’re desperate, it’s worth a go. I’d recommend using CAPTCHA for registration forms but not for commenting because let’s face it: there’s already a barrier to entry there as it is.
- E-Mail Confirmation – Requiring e-mail verification/confirmation is a great way to stop the spoofers from running around freely on your web site and doing bad things.
- Tenure – There are countless methods available for rewarding your most active users with additional access and privileges. Typically, you don’t want freshly-registered accounts to be able to do much. The easiest opportunity for new users is to leave comments but those can be faked pretty easily with open platforms. This is an area of security hardening that you will have to tinker with quite a bit.
- Comment Platforms – If you don’t care about scaring away comments, you can try commenting platforms like Disqus and LiveFyre. Disable WordPress commenting altogether or at least disable anonymous commenting. I am not a fan of restricting commenting because it’s already something people are not keen on but at least with third-party commenting platforms users can sign in with their existing accounts on other social networks and web sites.
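Two of the items above, the login lockdown and the "too fast to be human" signup check, are simple enough to show in code. The following is an added example written for this post (it is not code from the site or from any plugin it mentions) in the form of a WordPress must-use plugin. The thresholds (5 failures, 15-minute lockdown, the post's 4-second signup limit) and the `ex_` names are assumptions; the hooks used (`wp_login_failed`, `wp_login`, `wp_authenticate_user`, `register_form`, `registration_errors`) and the transient and hashing helpers are standard WordPress APIs.

```php
<?php
/**
 * Plugin Name: Example Login Lockdown + Signup Timing
 * Description: Added example (not from the original post). Briefly locks out a client
 * after repeated failed logins and rejects registration forms submitted too quickly.
 * Place this file in wp-content/mu-plugins/ to load it automatically.
 */

// Tunables: assumed values chosen for illustration.
const EX_MAX_FAILURES    = 5;    // failed logins before the lockdown starts
const EX_LOCKOUT_SECS    = 900;  // lockdown length (15 minutes)
const EX_MIN_SIGNUP_SECS = 4;    // the post's 4-second minimum for a signup form

/** Transient key for this client's failure counter (IP hashed so it is not the key name). */
function ex_lockdown_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'ex_lock_' . md5( $ip );
}

/** Count a failed login. Each failure renews the TTL, so hammering extends the window. */
function ex_record_failure( $username ) {
    $key   = ex_lockdown_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, EX_LOCKOUT_SECS );
}
add_action( 'wp_login_failed', 'ex_record_failure' );

/** Clear the counter once a login succeeds. */
function ex_clear_failures( $user_login, $user ) {
    delete_transient( ex_lockdown_key() );
}
add_action( 'wp_login', 'ex_clear_failures', 10, 2 );

/**
 * Refuse the login while locked out. wp_authenticate_user runs after the user lookup
 * but before the password is checked, so a locked client cannot test passwords at all.
 */
function ex_enforce_lockdown( $user, $password ) {
    if ( (int) get_transient( ex_lockdown_key() ) >= EX_MAX_FAILURES ) {
        return new WP_Error( 'ex_locked_out', 'Too many failed logins. Please try again later.' );
    }
    return $user;
}
add_filter( 'wp_authenticate_user', 'ex_enforce_lockdown', 10, 2 );

/** Stamp the registration form with the time it was rendered, signed so it cannot be forged. */
function ex_signup_timestamp_field() {
    $issued = time();
    $sig    = wp_hash( 'ex_signup|' . $issued );
    printf(
        '<input type="hidden" name="ex_signup_stamp" value="%s" />',
        esc_attr( $issued . '|' . $sig )
    );
}
add_action( 'register_form', 'ex_signup_timestamp_field' );

/** Reject registrations completed faster than a person plausibly could. */
function ex_check_signup_speed( $errors, $sanitized_user_login, $user_email ) {
    $stamp = isset( $_POST['ex_signup_stamp'] ) ? (string) $_POST['ex_signup_stamp'] : '';
    $parts = explode( '|', $stamp );
    if ( count( $parts ) !== 2 || ! hash_equals( wp_hash( 'ex_signup|' . $parts[0] ), $parts[1] ) ) {
        $errors->add( 'ex_bad_stamp', 'The form is missing its timestamp. Please reload and try again.' );
        return $errors;
    }
    $elapsed = time() - (int) $parts[0];
    if ( $elapsed < EX_MIN_SIGNUP_SECS ) {
        $errors->add( 'ex_too_fast', 'That form was submitted too quickly. Please try again.' );
    }
    return $errors;
}
add_filter( 'registration_errors', 'ex_check_signup_speed', 10, 3 );
```

Two design points worth noting. The lockdown counter is keyed on the client address, so a shared NAT or a proxy in front of the site will need a trusted-header adjustment or the whole office gets locked out together (the "server errors" the post mentions for repeat reloads are the same kind of false positive). The signup timestamp is signed with `wp_hash` rather than trusted as a bare number, because a bot that fills the form in under a second can just as easily post a timestamp from an hour ago if the field is not authenticated.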
Good security hardening is not about being 100% foolproof but, rather, protecting against the script kiddies and easy exploits. Another thing I would highly encourage is that you enforce strong passwords for anyone who has author access or higher. Heck, even contributors can be disruptive if they are compromised because they can spam your site with a bunch of drafts. YIKES!
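The "strong passwords for author access or higher" rule can be enforced at the two places WordPress sets a password: the profile/new-user screen and the reset-password form. The following is an added example written for this post (not code from the site or any plugin it mentions). The policy itself (14+ characters and three of four character classes) and the `ex_` names are assumptions; the rule "author or higher" is read as any role holding the `publish_posts` capability, which is what separates Authors from Contributors in stock WordPress.

```php
<?php
/**
 * Plugin Name: Example Password Policy For Publishing Roles
 * Description: Added example (not from the original post). Refuses weak passwords for any
 * role that can publish (Author, Editor, Administrator by default); Contributors and
 * Subscribers keep the stock behaviour. Place in wp-content/mu-plugins/.
 */

const EX_MIN_PASSWORD_LEN = 14; // assumed policy value

/** Return the list of policy violations for a candidate password; empty means it passes. */
function ex_password_problems( $password ) {
    $problems = array();
    if ( strlen( $password ) < EX_MIN_PASSWORD_LEN ) {
        $problems[] = sprintf( 'at least %d characters', EX_MIN_PASSWORD_LEN );
    }
    $classes = 0;
    foreach ( array( '/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^a-zA-Z0-9]/' ) as $re ) {
        if ( preg_match( $re, $password ) ) {
            $classes++;
        }
    }
    if ( $classes < 3 ) {
        $problems[] = 'three of: lowercase, uppercase, digits, symbols';
    }
    return $problems;
}

/** "Author or higher" is taken to mean the role can publish posts. */
function ex_role_is_privileged( $role ) {
    $obj = get_role( $role );
    return ( $obj instanceof WP_Role ) && $obj->has_cap( 'publish_posts' );
}

/** Add one WP_Error entry per violation, but only for privileged roles. */
function ex_apply_policy( $errors, $role, $password ) {
    if ( ! ex_role_is_privileged( $role ) ) {
        return;
    }
    foreach ( ex_password_problems( $password ) as $p ) {
        $errors->add( 'ex_weak_password', 'Password policy for publishing accounts: ' . $p );
    }
}

/**
 * Profile and "Add New User" screens. $user is a stdClass built from the form; the role is in
 * $user->role when the form sets it, otherwise the existing role is looked up by ID.
 */
function ex_enforce_on_profile( $errors, $update, $user ) {
    if ( empty( $_POST['pass1'] ) ) {
        return; // password not being changed on this save
    }
    $role = '';
    if ( ! empty( $user->role ) ) {
        $role = (string) $user->role;
    } elseif ( $update && ! empty( $user->ID ) ) {
        $existing = get_userdata( $user->ID );
        if ( $existing && ! empty( $existing->roles ) ) {
            $role = (string) reset( $existing->roles );
        }
    }
    ex_apply_policy( $errors, $role, (string) $_POST['pass1'] );
}
add_action( 'user_profile_update_errors', 'ex_enforce_on_profile', 10, 3 );

/** Reset-password form on wp-login.php. $user is a WP_User when the reset key was valid. */
function ex_enforce_on_reset( $errors, $user ) {
    if ( empty( $_POST['pass1'] ) || ! ( $user instanceof WP_User ) || empty( $user->roles ) ) {
        return;
    }
    ex_apply_policy( $errors, (string) reset( $user->roles ), (string) $_POST['pass1'] );
}
add_action( 'validate_password_reset', 'ex_enforce_on_reset', 10, 2 );
```

Tying the policy to a capability instead of a hard-coded role list means a custom role that was granted `publish_posts` by another plugin is covered automatically, and a site that decides Contributors also need the stricter rule only has to change the capability name in one place.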
If you have any other WordPress security hardening tips, feel free to share them in the comments section below!