Are you keeping your WordPress site as secure as possible? In this episode of the Cybersecurity Insider podcast, hosted by Yigal Behar, the discussion opens with an alarming update about WordPress sites.
Yigal covers the latest security concerns and updates while offering key advice on how to protect your site from potential threats.
Urgent Update For WordPress Users
Yigal reveals that a whopping 75 million websites are currently under attack. The focus is on a recent update to the file manager plugin, which includes an outdated version of jQuery. For those who might not be familiar with the technical details, Yigal assures them that it’s okay. The key takeaway is the urgent need to update WordPress to the latest version to avoid possible grief and the loss of their website.
Yigal promises to share tips on protecting websites, but before diving into that, he recounts a recent incident.
Last week, their own website faced a deluge of attacks, specifically an overwhelming number of contact page submissions from unknown sources. Despite investigating, each submission appeared to come from a different location, which added to the confusion and challenge of addressing the security threat.
Limits Of IP Blocking
Yigal continues the discussion by explaining that IP blocking, especially by country, isn’t very effective because attackers can route their traffic through proxy servers to bypass these restrictions. For instance, if a website is hosted in the U.S. and only accepts U.S. visitors, attackers might simply use a U.S.-based proxy to bypass the geographic block.
While blocking IP addresses might show some improvement in reducing the number of malicious submissions, this relief is often temporary. The issue is that the flood of emails can overwhelm the website’s email server, creating problems for legitimate users as well.
This overload makes it hard to tell the difference between harmful and legitimate traffic, which worsens the problem and makes it harder to manage the site.
Implementing CAPTCHA To Defend Against Denial of Service Attacks
Yigal then describes a specific type of attack: a denial of service. He notes that the recent flood of contact page submissions is essentially a form of denial-of-service, which is aimed at overwhelming the website.
To combat this issue, Yigal and his team implemented a solution known as CAPTCHA on their contact page. CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a small piece of code added to a form that is designed to differentiate between human users and automated bots. Yigal explains that CAPTCHA can be added to forms using plugins like Contact Form 7 or similar.
He then walks through the process of setting it up:
- Visit Google’s CAPTCHA service (reCAPTCHA).
- Generate the necessary keys by providing your email address and domain name.
- Enter these keys into the plugin settings.
- Insert the CAPTCHA code into the form on your website.
Once set up, this additional layer of security helps to greatly improve protection against automated attacks.
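The keys generated in step two are what let the site confirm a submission with Google. The following is an added illustration, not code from the podcast or from Contact Form 7, of the server-side half of that check: the widget in the browser only produces a token, and the form handler must verify it before accepting the submission, otherwise a bot can post straight to the form endpoint. It assumes a placeholder secret key, a hypothetical `example_verify_recaptcha()` function, and Contact Form 7's `wpcf7_spam` filter as the hook point (Contact Form 7's own reCAPTCHA integration already does this internally).

```php
<?php
// Added example: verify a reCAPTCHA token on the server inside WordPress.
// The secret key comes from the key-generation step; the value here is a placeholder.
define( 'EXAMPLE_RECAPTCHA_SECRET', 'RECAPTCHA_SECRET_KEY_PLACEHOLDER' );

/**
 * Returns true only if Google confirms the token and, for score-based (v3)
 * keys, the score reaches $min_score. Fails closed on any error.
 */
function example_verify_recaptcha( string $token, float $min_score = 0.5 ): bool {
    if ( $token === '' ) {
        return false; // no token at all: the widget was skipped or bypassed
    }
    $response = wp_remote_post( 'https://www.google.com/recaptcha/api/siteverify', array(
        'timeout' => 5,
        'body'    => array(
            'secret'   => EXAMPLE_RECAPTCHA_SECRET,
            'response' => $token,
        ),
    ) );
    if ( is_wp_error( $response ) || wp_remote_retrieve_response_code( $response ) !== 200 ) {
        return false; // verification service unreachable: reject rather than let spam through
    }
    $result = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( empty( $result['success'] ) ) {
        return false; // token invalid, expired, already used, or wrong domain
    }
    // v2 (checkbox/image) responses carry no score; v3 responses do. The
    // sensitivity slider discussed on the page corresponds to this threshold:
    // a higher value blocks more bots but also more borderline humans.
    if ( isset( $result['score'] ) && (float) $result['score'] < $min_score ) {
        return false;
    }
    return true;
}

// Hook the check into the form handler so rejected submissions are dropped
// as spam instead of being emailed. Hook name assumed from Contact Form 7.
add_filter( 'wpcf7_spam', function ( $spam ) {
    if ( $spam ) {
        return true; // already flagged by another check
    }
    $token = isset( $_POST['g-recaptcha-response'] ) ? (string) $_POST['g-recaptcha-response'] : '';
    return ! example_verify_recaptcha( $token, 0.7 );
}, 10 );
```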
Balancing Security & User Experience
Yigal also shares an additional step for tightening CAPTCHA protection. On the Google CAPTCHA settings page, there’s a slider that adjusts how strict the CAPTCHA is. Yigal advises setting this slider to the highest level to help prevent spam submissions from overwhelming the website.
Yigal issues a warning about this approach, though. Increasing the CAPTCHA’s sensitivity can make the process more cumbersome for legitimate users, causing potential frustration and delays.
This is why his team initially avoided this measure, as they wanted to minimize the amount of information required from visitors to encourage more submissions. By adding a more restrictive CAPTCHA, users might face additional hurdles, such as solving more complex challenges or performing extra tasks, which could affect the user experience.
Leveraging Advanced CAPTCHA & Plugin Updates
Next, Yigal explains how advanced CAPTCHAs work. He describes the common CAPTCHA challenges, such as selecting all the images with trees or traffic lights, which are designed to block automated submissions. These CAPTCHAs might ask users to identify specific elements multiple times, which helps prevent bots from bypassing the form submission process.
Yigal shares that after implementing these measures, the constant flood of spam submissions finally ended. However, he mentions that this is just one part of their security strategy. He promises to cover additional steps they took to enhance their website’s protection.
Benefits Of Automatic Plugin Updates In WordPress
Yigal also reiterates a key point for maintaining security: keeping plugins updated. He points out that while updating plugins is key for maintaining security, it often involves costs, so it’s best to verify that updates are feasible within your budget.
Yigal notes a new feature in the latest WordPress update that allows for automatic plugin updates. With this feature enabled, WordPress will regularly check for updates on the developer’s site, automatically download them, and install them on your website. This hands-off approach ensures that your website stays current with the latest security patches and improvements without requiring manual intervention.
According to Yigal, automatic updates make it much easier to keep your site secure and reduce the need for constant checking.
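Beyond the checkbox in the WordPress admin screen, the same behaviour can be set from code. The snippet below is an added example, not from the podcast, that turns on automatic plugin updates site-wide while holding back a short list of plugins that still need a manual step (for instance a paid licence that has to be renewed before the update is feasible, the budget concern raised above). The list name and its entry are placeholders.

```php
<?php
// Added example: enable WordPress automatic plugin updates with a manual-update
// exception list. Drop this into a small plugin or mu-plugin.

// Plugin basenames (folder/main-file.php) that must stay on manual updates.
// The entry below is a placeholder, not a real plugin.
const EXAMPLE_MANUAL_UPDATE_PLUGINS = array(
    'example-premium-plugin/example-premium-plugin.php',
);

// WordPress calls this filter for each plugin with a pending update during its
// scheduled update run. $item is the update object; ->plugin is the basename.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->plugin ) && in_array( $item->plugin, EXAMPLE_MANUAL_UPDATE_PLUGINS, true ) ) {
        return false; // keep this one on manual updates
    }
    return true; // everything else is downloaded and installed automatically
}, 10, 2 );
```

Auto-updating still requires the site to reach the developer's update server, so keep a current backup (see the next section) before relying on it.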
Regular Backups & Firewalls
Yigal goes on to share his expertise in safeguarding a website. He urges listeners to back up their sites daily or weekly, depending on how frequently the website is updated.
For those who update their site daily, a daily backup is necessary. Yigal notes that there are plugins available that can automate this process so that you don’t lose important data if something goes wrong with the website.
Furthermore, Yigal stresses the need for a web application firewall (WAF) to protect the site. A WAF can be installed as a plugin, and there are various options available.
While he refrains from recommending specific plugins, he suggests choosing one reputable firewall plugin and avoiding the installation of multiple firewalls (as this could cause issues). The effectiveness of a firewall depends on the developer and plugin, so choosing a well-reviewed option is ideal for keeping your site secure.
For more security tips and the latest news, catch more episodes of The Cybersecurity Insider podcast via YouTube, Apple, and Spotify.