Securing WordPress against hackers and bots

Published on August 19, 2009 at 1:34 pm by heri in: Web Development, iWeb

As a web hosting company, or even just as a web company, iWeb has a long history with WordPress. We have thousands of WordPress installs on our shared hosting and dedicated server platforms, and iWeb was also an early adopter of WordPress, at first to post status updates and then important company news. We also sponsored WordCamp Montreal recently. No doubt it’s a compelling publishing platform, with its open-source development model, its powerful plugin and theming system, and its strong community of users and developers.

One direct consequence of the platform’s popularity is a constant stream of attacks and intrusion attempts. There is blog comment spam, but there are also bots and attackers trying to take control of your website. For instance, we had a security incident with WordPress on the iWeb blog early this week, with an attacker logged into the dashboard. Fortunately, the issue was dealt with quickly, and we have introduced new measures to prevent a similar incident, ranging from technical controls to measures against social engineering.

It’s easy to overlook WordPress security, and the story above is a good example of why every WordPress blogger should spend time on it. For instance, WordPress released an update to its blogging platform last week. Version 2.8.4 fixes a vulnerability through which an attacker could gain access to the admin dashboard of a WordPress blog. If you haven’t updated your WordPress install, you should do it now. Here are other tools that might help you:

  • The WordPress Codex has an extensive resource on how to harden your WordPress install.
  • The WordPress Security Scan plugin scans your site for security issues and checks passwords, file permissions and database security. It also hides the WordPress version and secures the admin area.
  • The Login LockDown plugin lets you control login attempts; for instance, it stops scripts or bots from running dictionary attacks against the login form.
  • The WordPress login logger plugin keeps logs of who tried to log into the admin area.
  • WP DB Backup is a plugin that makes a copy of your WordPress database. It is useful in case an attacker gets into your WordPress install and publishes or deletes existing articles.

There are also other effective tactics, such as restricting access to wp-admin to selected IP addresses through the .htaccess file. Users or bots coming from an unknown address will be greeted with a 403 response.
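The .htaccess restriction described above, written out as an added example (not configuration from the original post or from iWeb). It assumes Apache 2.2 directives, which is what shared hosts ran at the time; the addresses 203.0.113.10 and 198.51.100.0/24 are placeholders from the documentation ranges and must be replaced with your own. It goes one step beyond the paragraph by also covering wp-login.php, which lives in the site root rather than under wp-admin, and by leaving admin-ajax.php reachable so themes and plugins that call it for ordinary visitors keep working.

```apache
# ---- wp-admin/.htaccess ----
# Only the listed addresses may reach the dashboard; everyone else gets a 403.
# 203.0.113.10 and 198.51.100.0/24 are placeholder addresses: put your own here.
Order Deny,Allow
Deny from all
Allow from 203.0.113.10
Allow from 198.51.100.0/24

# admin-ajax.php is requested by many themes and plugins on behalf of normal
# visitors, so re-open it for everyone or the public site may break.
<Files admin-ajax.php>
    Order Allow,Deny
    Allow from all
</Files>

# ---- .htaccess in the site root ----
# The login form itself is wp-login.php, outside wp-admin, so restrict it too;
# otherwise bots can still hammer the login page with dictionary attacks.
<Files wp-login.php>
    Order Deny,Allow
    Deny from all
    Allow from 203.0.113.10
    Allow from 198.51.100.0/24
</Files>

# Apache 2.4 equivalent of each "Order/Deny/Allow" block above:
# <RequireAny>
#     Require ip 203.0.113.10
#     Require ip 198.51.100.0/24
# </RequireAny>
```

Test it from an address that is not on the list before relying on it: a request to /wp-admin/ or /wp-login.php should return 403 while the front page still loads.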

Of course, the minimum you can do is upgrade to the most recent version, especially when it is a release that fixes a vulnerability, as 2.8.4 is.

Comments

  1. [...] View post: iWeb Blog » Securing Wordpress against hackers and bots [...]

  2. amazing stuff thanx :)

  3. Great Blog!……There’s always something here to make me laugh…Keep doing what ya do :)

