I have many years of experience working with clients, and one of the most common concerns that comes up after security is put in place is the startling number of baddies constantly attacking their site, especially on WordPress.
Over the years, I’ve been asked dozens of times questions like:
“I see hundreds of login attempts! Is someone trying to hack our site?”
“There are thousands of IP addresses in our spam log; we’re under attack!”
I can understand why this causes panic, but the first thing I tell them is that it’s not personal; you’re not specifically being targeted. In fact, all public-facing WordPress sites are constantly under “attack,” indiscriminately, at all times. The only real difference now is that we’re logging and blocking the behavior that always existed and so you’re just seeing what’s going on for the first time.
You might be wondering how it’s supposed to be comforting to know that your site is under constant “attack,” but it’s just a normal part of the digital world that we have to accept. Just as junk mail is never going away, neither are the spam bots sniffing around your site looking for vulnerabilities. I put “attack” in quotation marks because it may be too strong a word. “Sniffing” may be more appropriate.
What are these bots sniffing around for?
Try to think of it in terms of making passes, like a burglar casing a joint. If the burglar finds weaknesses in the security, they’ll keep going further, but if they find that it’s more trouble than it’s worth, they’ll move on.
First, these bots are crawling large masses of websites, looking for signs that a site is built on WordPress (there are dozens of signals that give away that a site is built on WordPress), and then the list is narrowed down.
Now that they know it’s a WordPress site, they’ll begin checking for known vulnerabilities (this is why we nerds are always telling you to keep your theme, plugins, and WordPress itself up-to-date). Aside from new features, and more importantly, updates patch security holes that have been discovered.
Finally, even if everything is up-to-date and everything is good and locked down, they’ll probably go ahead and attempt a brute-force login anyway (like trying to pick the lock on your front door). This is where they try common passwords that people use to get in:
- password
- 123456
- iloveyou
- etc.
This is why security experts sound like a broken record reminding you to choose strong passwords. A good rule to follow is: if you can remember your password, it’s probably not good enough. Here’s what a real password looks like:
0pnOL0L[/&i!/lh}X_!|sEd+p5ezLAP~dWNtr4^2F,R~FsDfP{6ug6OI9CKq-)|j
What?! I know; you’re probably thinking that’s not very practical. But, if you’re using a password manager (I recommend using the one that’s built right into your favorite browser), you’ll never actually be trying to remember or manually enter these passwords.
Security is about layers. There are so many things you can do to keep your site locked down. And once you’ve got some confidence about the security of your site, you’ll learn to be comfortable with the fact that the bad guys are always just outside the walls, roaming around like zombies.
Even if everything is up-to-date, there might still be undiscovered WordPress vulnerabilities. That’s where our vulnerability scanner can be useful.