Author Topic: The Importance of Website Security  (Read 217 times)

Bill Hiatt

The Importance of Website Security
« on: May 19, 2019, 03:28:28 AM »
Should an author have a website? I'd say yes, though I'm not sure I've sold that many books as a result of having a site. If nothing else, it's a way to have your own platform, a place where you have total control of content and layout--unlike Amazon author pages and Facebook author pages.

However, running a website can be more complicated than it at first appears. I'm sharing my experience in this area, particularly regarding security, because that's one area I didn't think about at first. I think I had the subconscious assumption that hackers were only after big companies. Turns out they're after everyone.

I've been running a website since December of 2012 and never had a security problem--until early April. At that point, I discovered my site was redirecting elsewhere. It turned out that someone had managed to install malware that was responsible for the redirection. The vulnerability that made this possible came from a plugin that was almost immediately updated--but just a little too late for me. (Oftentimes, vulnerabilities in Wordpress plugins aren't spotted until someone exploits them.)

The good news is that Sitelock got the malware cleaned out right away. However, in the time between my hosting provider reopening the site (3 am my time), and the time I got back to my computer, the site had been infected again. (I'd also contracted with Sitelock to set up a firewall, but whoever infected it jumped in before the firewall was active.) Yeah, luck wasn't with me.

The second infection was not as thorough. Reinstalling Wordpress killed that one. By then I was behind an effective firewall and getting daily malware scans from Sitelock. However, there are other possible issues.

Sitelock doesn't have built-in protection against repetitive login attempts, so I got the Limit Logins plugin, and I made a discovery: dozens of bots were trying to log into my site every day. That's a waste of bandwidth and could lead to a brute force attack on the website. I'd made the mistake of commenting using my username. Wordpress gives you the option of using a different name when you post or comment, which is better from a security standpoint. Anyway, the LL plugin blocks a username if there are too many failed login attempts, so I found myself locked out of the website the day after I installed the plugin. I was able to get back in by deleting the plugin folder using the cpanel file manager. Then I went back in and created another admin user with a name that couldn't be easily guessed. (I should have done that in the first place.) Then I reinstalled the plugin. If my regular account got locked out, I just logged in with the less obvious one and unlocked my normal one.

Then I discovered another potential problem. Sitelock and other WAF (web application firewall) providers work by using DNS records to direct traffic to your site to their firewall first. Approved traffic then filters from the firewall to your site. Unfortunately, it's possible for a hacker to find out what your real IP address is and attack it directly, bypassing the firewall. Being paranoid by this point, I looked around for site-side solutions and ended up with Wordfence Premium. It firewalls any traffic hitting the real IP address, and it also has some other neat features, including the ability to double-check the Wordpress core files and any plugins in the Wordpress.org repository for any file changes. In other words, even if a hacker finds a way to hack those types of files with code that isn't yet known to be malicious, Wordfence will still find it and alert you. It also handles login security, so I could get rid of Limit Logins. Another neat Wordfence attribute is the ability to set up two-factor authentication for admin users on your site. Basically, that means only someone with your cell phone can log in as an administrator.

These precautions satisfied even my newfound paranoia, but they also gave it more food for thought. Sitelock reports several attacks per day, mostly bot-driven. So far, no one's tried to attack the local IP, so Wordfence hasn't had much to report on that issue--Sitelock intercepts attacks on the domain before they get to it. However, Wordfence does report several failed login attempts per day from all over the world. A lot of the attempts on the site wouldn't have succeeded even without SL and WF--but obviously one did.

It's a lot easier to secure your site in advance than to wait for it to be hacked. It's easier to do comparison-shopping, for example, prior to an attack rather than during or after. And I got off lucky--hackers can do far worse than just redirect site traffic.


Tickling the imagination one book at a time
Bill Hiatt | fiction website | education website | Facebook author page | Twitter
 
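The login throttling Bill describes (the Limit Logins plugin locking a username, and then locking him out of his own site) is easy to see in code. The example below is an added illustration, not code from the original post and not the Limit Login Attempts or Wordfence plugins. It reads a constructed, hypothetical auth-log format ("time ip login username ok|fail"), blocks an IP after a few failures, and only flags a username that is being hammered from many IPs rather than hard-locking it, because a public author name plus username lockout is exactly how a legitimate admin gets locked out. The thresholds and window are assumptions.

```python
"""Brute-force login detection over WordPress-style auth log lines.

Added example (not from the original post, not plugin code).  Log format
is a constructed, hypothetical one: "<ISO time> <client ip> login <user> <ok|fail>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumption: sliding window for counting failures
IP_LIMIT = 5                    # assumption: failures from one IP before it is blocked
USER_LIMIT = 10                 # assumption: failures against one username before it is flagged

# Constructed sample log: two bots (203.0.113.7 / .8) guessing the public
# author name, then the real admin at 198.51.100.4 mistyping twice.
SAMPLE_LOG = """\
2019-05-19T02:00:01 203.0.113.7 login billhiatt fail
2019-05-19T02:00:02 203.0.113.7 login billhiatt fail
2019-05-19T02:00:03 203.0.113.7 login billhiatt fail
2019-05-19T02:00:04 203.0.113.7 login billhiatt fail
2019-05-19T02:00:05 203.0.113.7 login billhiatt fail
2019-05-19T02:00:06 203.0.113.7 login billhiatt fail
2019-05-19T02:01:01 203.0.113.8 login billhiatt fail
2019-05-19T02:01:02 203.0.113.8 login billhiatt fail
2019-05-19T02:01:03 203.0.113.8 login billhiatt fail
2019-05-19T02:01:04 203.0.113.8 login billhiatt fail
2019-05-19T02:01:05 203.0.113.8 login billhiatt fail
2019-05-19T02:01:06 203.0.113.8 login billhiatt fail
2019-05-19T02:05:00 198.51.100.4 login billhiatt fail
2019-05-19T02:05:10 198.51.100.4 login billhiatt fail
2019-05-19T02:05:20 198.51.100.4 login billhiatt ok
"""


def parse(line):
    """Split one log line into (timestamp, ip, username, success)."""
    ts, ip, _, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "ok"


def analyze(lines):
    """Return (blocked_ips, flagged_users, events) for a sequence of log lines.

    IPs are hard-blocked after IP_LIMIT failures inside WINDOW; further
    attempts from them are dropped.  Usernames are only *flagged* after
    USER_LIMIT failures from any source, so an attacker guessing a public
    username cannot lock the real owner out.
    """
    ip_fail = defaultdict(deque)    # ip -> recent failure timestamps
    user_fail = defaultdict(deque)  # username -> recent failure timestamps
    blocked_ips, flagged_users, events = set(), set(), []

    for line in lines:
        if not line.strip():
            continue
        ts, ip, user, ok = parse(line)
        if ip in blocked_ips:
            events.append((ts, ip, user, "dropped: ip blocked"))
            continue
        if ok:
            ip_fail[ip].clear()  # a successful login resets that client's counter
            continue
        for store, key, limit, out, label in (
            (ip_fail, ip, IP_LIMIT, blocked_ips, "ip blocked"),
            (user_fail, user, USER_LIMIT, flagged_users, "username under attack"),
        ):
            q = store[key]
            q.append(ts)
            while q and ts - q[0] > WINDOW:  # drop failures older than the window
                q.popleft()
            if len(q) >= limit and key not in out:
                out.add(key)
                events.append((ts, ip, user, label))
    return blocked_ips, flagged_users, events


def run_sample():
    """Analyze the constructed sample log."""
    return analyze(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    blocked, flagged, evs = run_sample()
    for e in evs:
        print(*e)
    print("blocked:", sorted(blocked), "flagged:", sorted(flagged))
```

On the sample both bot IPs are blocked after their fifth failure and the sixth attempt from each is dropped; the username is flagged once the combined failures reach the limit, but the admin's own two typos from a clean IP never block them. A flagged username is the signal to rename the account or require two-factor authentication, not to lock it.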
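The core-file change detection Bill credits to Wordfence comes down to a baseline of file hashes and a later comparison. The example below is an added illustration, not Wordfence's code and not from the original post; it builds a SHA-256 manifest of a web root, then reports modified, added and deleted files. It runs against a constructed temporary directory with placeholder files (the injected redirect and dropped file are stand-ins, not real malware).

```python
"""Baseline-and-diff integrity check for a web root.

Added example (not Wordfence's code, not from the original post).
Hashes every file under a directory, then compares a later scan to
the baseline.  The demo uses a temporary directory with constructed
placeholder files so it runs offline.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each relative path under root (posix separators) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifest(baseline, current):
    """Compare two manifests; returns sorted lists of modified/added/deleted paths."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "deleted": sorted(k for k in baseline if k not in current),
    }


def demo():
    """Build a baseline, tamper with the tree, and return the diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "wp-includes").mkdir()
        (root / "wp-includes" / "functions.php").write_text("<?php // constructed clean file\n")
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        baseline = build_manifest(root)  # in practice: store this off the web host

        # Constructed tampering: a redirect placeholder prepended to index.php,
        # a dropped file in wp-content, and a core file removed.
        (root / "index.php").write_text(
            "<?php // constructed placeholder for an injected redirect\n"
            "require 'wp-blog-header.php';\n"
        )
        (root / "wp-content").mkdir()
        (root / "wp-content" / "cache.php").write_text("<?php // constructed placeholder for a dropped file\n")
        (root / "wp-includes" / "functions.php").unlink()

        return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two practical caveats: the baseline must live somewhere the web server cannot write (an attacker who can edit index.php can also edit a manifest sitting beside it), and a hash match only proves the file is unchanged since the baseline, so the baseline must come from a known-good source such as a fresh download of the same WordPress version, which is what a comparison against the wordpress.org copies gives you.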

LilyBLily

Re: The Importance of Website Security
« Reply #1 on: May 19, 2019, 06:08:38 AM »
My webmistress blocked an entire country when we discovered that I was getting login attempts every minute or so. Although they seemed at first to be from all over the world, they mostly were from one large eastern European country. The block calmed down the situation, but I've noticed that WordPress thinks it's cute to publicly show my user name. Why on earth? That reduces my privacy by 50% immediately. 
 

Bill Hiatt

Re: The Importance of Website Security
« Reply #2 on: May 19, 2019, 09:07:51 AM »
Quote from: LilyBLily on May 19, 2019, 06:08:38 AM
My webmistress blocked an entire country when we discovered that I was getting login attempts every minute or so. Although they seemed at first to be from all over the world, they mostly were from one large eastern European country. The block calmed down the situation, but I've noticed that WordPress thinks it's cute to publicly show my user name. Why on earth? That reduces my privacy by 50% immediately.
It's certainly a vulnerability, though I realized after it was too late that I could have had my name displayed as something else.

