Hacker prevention is a top priority with Copper Moon Media. But let me start out by saying that all content management system applications (like WordPress, Drupal, Joomla and more) are susceptible to hacking if they are not monitored and updated regularly, and by regularly I mean at least once a week! It is also important to stay on top of new hacking schemes. As I use WordPress almost exclusively now, I work diligently to stay on top of my clients’ sites and news of the latest hacks. Recently there were two conventions for internet security professionals, DefCon and BlackHat USA (don’t go to these sites if you tend to be paranoid, it’ll only scare you more), and one of the DefCon presentations covered a new way that hackers find brand-new WordPress websites, giving them fresh sites to attack. Needless to say I found this information interesting, important and valuable to my clients and professional colleagues. So here is the breakdown:
- Hackers use Certificate Transparency (CT), the public certificate-logging standard that Google started (read here if you want to know more about this). Every certificate a participating certificate authority issues is published to public logs that anyone can search, so the logs are a live feed of hostnames that have just received a certificate, and hackers use that feed to find new websites.
- Someone orders a new website hosting package from a hosting provider and the order includes a free or paid SSL certificate.
- The SSL certificate is issued once the order completes.
- About 30 minutes later the new hostname appears in the public CT logs (the entry can show up within minutes of issuance), and attackers who poll those logs see it.
- At the same time the site owner is halfway through completing website setup and starts to install WordPress.
- The hacker polls the new domain continually, and as soon as the WordPress setup script (wp-admin/install.php) responds, they run it themselves, install a backdoor, and then put the site back to the state it was in so the owner’s own installation proceeds normally and nothing looks wrong.
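The attackers in the steps above are simply polling the public CT logs. You can poll the same logs for your own domain, so you know the moment a new hostname becomes visible and how long your installer has been findable. The following Python is an added example for this post, not Copper Moon Media’s code and not the tooling from the DefCon talk; the records in it are constructed in the shape of crt.sh’s JSON output, and a live monitor would fetch https://crt.sh/?q=%25.example.com&output=json on a schedule instead of using the inline sample.

```python
"""
Watch Certificate Transparency for your own domain, the same feed the
attackers described above poll. Added example for this post; it is not
Copper Moon Media's code and not the tooling from the DEF CON talk.
The sample records below are constructed in the shape of crt.sh's JSON
output (https://crt.sh/?q=%25.example.com&output=json); a live monitor
would fetch that URL on a schedule instead of using the inline sample.
"""
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample: two certificates logged for names under example.com.
# name_value holds every subject alternative name, newline-separated.
SAMPLE_CT_JSON = """[
  {"id": 1, "entry_timestamp": "2017-08-01T14:05:12.000",
   "not_before": "2017-08-01T14:00:00", "not_after": "2017-10-30T14:00:00",
   "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
   "common_name": "shop.example.com",
   "name_value": "shop.example.com\\nwww.shop.example.com"},
  {"id": 2, "entry_timestamp": "2017-07-20T09:30:00",
   "not_before": "2017-07-20T09:00:00", "not_after": "2017-10-18T09:00:00",
   "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
   "common_name": "example.com",
   "name_value": "example.com\\nwww.example.com"}
]"""


def _parse_ts(ts: str) -> datetime:
    """crt.sh timestamps are naive UTC, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%f", "%Y-%m-%dT%H:%M:%S"):
        try:
            return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {ts!r}")


def parse_ct_entries(raw_json: str) -> List[Dict]:
    """Normalise crt.sh records: when each was logged and every hostname it names."""
    records = []
    for e in json.loads(raw_json):
        names = {n.strip().lower() for n in e["name_value"].split("\n") if n.strip()}
        records.append({"id": e["id"], "logged": _parse_ts(e["entry_timestamp"]),
                        "issuer": e["issuer_name"], "names": names})
    return records


def names_logged_since(records: List[Dict], since_iso: str) -> Dict[str, str]:
    """Hostnames whose certificate was logged at or after `since_iso`,
    mapped to the ISO time they became publicly visible. Any name listed
    here is one an attacker can already have found."""
    since = _parse_ts(since_iso)
    first_seen: Dict[str, datetime] = {}
    for r in records:
        if r["logged"] >= since:
            for n in r["names"]:
                if n not in first_seen or r["logged"] < first_seen[n]:
                    first_seen[n] = r["logged"]
    return {n: t.isoformat() for n, t in first_seen.items()}


def exposure_minutes(records: List[Dict], hostname: str, now_iso: str) -> Optional[float]:
    """How long `hostname` has been visible in CT as of `now_iso` (minutes,
    one decimal), or None if it has never been logged. This is the window
    in which an unfinished WordPress installer is findable."""
    hostname = hostname.lower()
    logged = [r["logged"] for r in records if hostname in r["names"]]
    if not logged:
        return None
    delta = _parse_ts(now_iso) - min(logged)
    return round(delta.total_seconds() / 60, 1)


if __name__ == "__main__":
    recs = parse_ct_entries(SAMPLE_CT_JSON)
    for name, when in sorted(names_logged_since(recs, "2017-08-01T00:00:00").items()):
        print(f"{name} became visible at {when}")
    print("shop.example.com exposed for",
          exposure_minutes(recs, "shop.example.com", "2017-08-01T14:35:12"), "minutes")
```

The point of the `name_value` handling is that one certificate often covers several hostnames (the bare domain plus www, or a new subdomain), and every one of them becomes public at once; a monitor that only looks at `common_name` misses the others.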
There are three ways to prevent this from happening; one is riskier, the other two are safer. The first is to waste no time between installing WordPress and setting it up. Most one-click installations give you access to the setup script immediately, but if you are installing the site manually from a zip file it is really important that you go to your site right away and complete the setup script. The hackers are really quick and sometimes they can reach your setup script before you do, which makes this the riskier option: it is a race, not a control. The other two options require creating an .htaccess file in the website root directory on the server before you start the installation; because an .htaccess file applies to everything beneath it, a file in the root also covers wp-admin/install.php. Then you can use either of the following approaches to keep hackers away from your site. I am only going to discuss the easiest method, restricting access to your own IP address by adding a few lines to the .htaccess file. The second method, setting up basic authentication, is more complicated and I recommend you ask your webmaster to do it, but here is a link to instructions (for Apache running on Ubuntu 14.04; contact me if your server isn’t Apache) if you are a webmaster or would like to try it.
Hacker prevention using your IP address
First find your public IP address (search for “what is my IP” and use the address shown; that is the address your server sees unless a CDN or reverse proxy sits in front of it) and then add the following to your .htaccess file:
# Apache 2.2 access-control syntax; on Apache 2.4 these lines only work if mod_access_compat is enabled
Order deny,allow
deny from all
allow from <your ip>
Either method prevents anyone who is not coming from your IP address from reaching the website applications, in this case your WordPress installer, so finish the whole setup (including creating the admin account) while the lock is in place. If you want to allow others access to the application in the future you can remove the lines from your .htaccess file (for the IP method that is all there is to remove; basic authentication also leaves an .htpasswd file to delete) and they will be able to access it, but a hacker will not be able to hijack your site because they never had the chance to set up a backdoor. Two cautions: if your public IP address changes (most home connections are dynamic) you will lock yourself out until you update the file, and on Apache 2.4 without mod_access_compat the deny/allow lines cause a 500 error instead of protecting anything, in which case the equivalent directive is Require ip followed by your address.
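To get the lockdown right on both Apache versions and to check it before relying on it, here is an added Python example (not Copper Moon Media’s code). It assumes Apache with AllowOverride permitting access-control directives in .htaccess, and that the listed addresses are the ones Apache actually sees (no CDN or reverse proxy in front); the addresses 203.0.113.5 and 198.51.100.0/24 are documentation ranges used as placeholders for your own.

```python
"""
Generate and sanity-check the pre-install .htaccess lockdown described above.
Added example for this post, not Copper Moon Media's code. It assumes the
web root is served by Apache with AllowOverride permitting access-control
directives, and that the addresses you list are the ones Apache actually
sees (no CDN or reverse proxy in front of it). 203.0.113.5 and
198.51.100.0/24 are documentation addresses standing in for your own.
"""
import ipaddress
from pathlib import Path
from typing import Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

HEADER = (
    "# Pre-install lockdown: only the addresses below may reach this site,\n"
    "# including wp-admin/install.php. Delete this file once WordPress setup\n"
    "# (admin account included) is complete.\n"
)


def parse_allowlist(entries: Iterable[str]) -> List[Network]:
    """Accept single addresses ('203.0.113.5') or CIDR blocks
    ('198.51.100.0/24'). Anything else raises, because a malformed rule
    either breaks the site (500 error) or fails to protect it."""
    nets: List[Network] = []
    for raw in entries:
        raw = raw.strip()
        if not raw:
            continue
        try:
            nets.append(ipaddress.ip_network(raw, strict=False))
        except ValueError as exc:
            raise ValueError(f"not an IP address or CIDR block: {raw!r}") from exc
    if not nets:
        raise ValueError("empty allowlist would lock everyone out, including you")
    return nets


def allowlist_error(entries: Iterable[str]) -> Optional[str]:
    """Return the validation message for a bad allowlist, or None if it is fine."""
    try:
        parse_allowlist(entries)
    except ValueError as exc:
        return str(exc)
    return None


def _fmt(net: Network) -> str:
    # A single host is written bare; a real block keeps its prefix length.
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)


def render_htaccess(entries: Iterable[str], apache24: bool = True) -> str:
    """Build the .htaccess text. Apache 2.4 uses 'Require ip', and several
    Require lines at the same level are OR-ed together. Apache 2.2 (or 2.4
    with mod_access_compat) uses the Order/Deny/Allow trio from the post."""
    nets = parse_allowlist(entries)
    lines = [HEADER.rstrip("\n")]
    if apache24:
        lines += [f"Require ip {_fmt(n)}" for n in nets]
    else:
        lines += ["Order deny,allow", "Deny from all"]
        lines += [f"Allow from {_fmt(n)}" for n in nets]
    return "\n".join(lines) + "\n"


def is_allowed(client_ip: str, entries: Iterable[str]) -> bool:
    """Simulate Apache's decision for one client, so you can confirm your own
    address gets through and everyone else is refused before going live."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in parse_allowlist(entries))


def write_lockdown(webroot: Path, entries: Iterable[str], apache24: bool = True) -> Path:
    """Write .htaccess into the (still empty) web root; call this before
    uploading or one-click-installing WordPress. Returns the path so it can
    be removed with .unlink() when setup is done."""
    target = webroot / ".htaccess"
    target.write_text(render_htaccess(entries, apache24))
    return target


if __name__ == "__main__":
    trusted = ["203.0.113.5", "198.51.100.0/24"]  # constructed placeholder addresses
    print(render_htaccess(trusted))
    for probe in ("203.0.113.5", "198.51.100.77", "192.0.2.1"):
        print(probe, "allowed" if is_allowed(probe, trusted) else "denied")
```

Run it once with your real address and a wrong one to see both outcomes before you upload the file; the validation step exists because an empty or mistyped allowlist is exactly the kind of mistake that turns a lockdown into either a lockout or an open door.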
A quick reminder that this doesn’t replace the basic management practices that you or your webmaster should be doing regularly. You must still keep the core, themes and plugins up to date and monitor your website for security breaches. I happen to use a plugin called WordFence on all of my clients’ websites to monitor.
If you’re thinking of setting up a new website with an SSL certificate (which I recommend and many hosting companies are automatically including) and you want to prevent hackers from hijacking your site before you even get started, Copper Moon Media can help you with that. Contact us before you dig…er…begin!