Currently I am running two WordPress sites. One is my blog and the other is the website of our bicycle/mountain bike club (www.vcvolketswil.ch). Securing them is part of the story for somebody like me, I guess.
Normally you just keep them updated. WordPress itself, all the plugins and the themes are my responsibility. It gets more difficult with the underlying servers: I host them with a provider in Switzerland, so the updates of the operating system and of PHP are their responsibility. Not in my control.
When I started my blog, I began using the Sucuri Security – Auditing, Malware Scanner and Hardening plugin, which I am fairly happy with. It provides a good dashboard with the important information. As an example, it showed files that had changed recently but should not have. I had three different files, all with similar content:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /tags/4.3.1/php-cgi.core was not found on this server.</p>
<hr>
<address>Apache Server at core.svn.wordpress.org Port 80</address>
</body></html>
Spooky, and certainly not genuine. Additionally, the plugin helps to strengthen file-level access control and to implement good practice in my WordPress installation.
Nevertheless, I lost one of the WordPress installations to a hacker (not my blog…). In the end we figured out that it was linked to a vulnerable plugin. The interesting thing was how I realized that something was wrong: the Sucuri plugin sends me a mail whenever somebody logs in. I was about to leave home when I got a mail that somebody I did not know had logged in to the WordPress installation. So I checked and found some new plugins and some new users on my installation. I easily got rid of them, but then found that they had left some malware on the site as well. Because I detected the breach immediately, I could clean the site without impact.
I think it is time to add another level. I just wanted to introduce two-factor authentication to my website. Then I started to think… Well, yes, I started to think about what I want to achieve. I am currently the only user and I have a long random password. The risk of a brute force attack is minimal. What I actually would like to see is that certain actions need a second factor as a confirmation: actions like installing a new plugin, adding a new user, etc. But using 2FA just for authentication is useless in my setup. If the website gets compromised, the attacker can just add his/her authentication device to log on later, but I do not expect my account to be compromised.
I have to search for an add-on that does not just ask for a second factor to authenticate, but enforces the confirmation of the action on a second channel…
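One way to build exactly this inside WordPress, as an added example for this post and not the Sucuri plugin's or any existing add-on's code: a must-use plugin (dropped into wp-content/mu-plugins/, where the dashboard cannot deactivate it) that withholds the capabilities behind plugin installation and user creation until a one-time code, sent by e-mail to an address kept in wp-config.php, has been typed back in. The capability list, the assumed STEPUP_NOTIFY_EMAIL constant and the ten-minute window are choices of the example, not of WordPress.

```php
<?php
/*
 * Plugin Name: Step-up confirmation for sensitive admin actions (example)
 * Description: Place in wp-content/mu-plugins/. Guarded capabilities stay denied until a
 *              one-time code, delivered on a second channel (e-mail), has been confirmed.
 *              Written as an illustration for this post; not the Sucuri plugin, not production code.
 */

// Capabilities that need an out-of-band confirmation before they work.
// This list is an assumption of the example; extend it (delete_users, edit_plugins, ...) as needed.
const STEPUP_GUARDED_CAPS = array('install_plugins', 'activate_plugins', 'upload_plugins',
                                  'create_users', 'promote_users');
const STEPUP_TTL = 10 * MINUTE_IN_SECONDS;   // how long a confirmation (and a code) stays valid

function stepup_key($user_id, $suffix) {
    return 'stepup_' . (int) $user_id . '_' . $suffix;   // transient name per user
}

// 1. Deny the guarded capabilities unless this user holds a live confirmation.
//    WordPress consults this filter from current_user_can(), which the install/activate/add-user
//    screens and their form handlers all go through.
add_filter('user_has_cap', function ($allcaps, $caps, $args, $user) {
    $confirmed = get_transient(stepup_key($user->ID, 'ok')) === 'yes';
    foreach (STEPUP_GUARDED_CAPS as $cap) {
        if (!empty($allcaps[$cap]) && !$confirmed) {
            $allcaps[$cap] = false;
        }
    }
    return $allcaps;
}, 10, 4);

// 2. Request a code. It goes to STEPUP_NOTIFY_EMAIL, an assumed constant you define in
//    wp-config.php, so an attacker with an admin session cannot redirect it by editing the
//    admin e-mail in Settings; the database value is only the fallback.
add_action('admin_post_stepup_request', function () {
    check_admin_referer('stepup_request');                     // CSRF nonce from the form below
    $user_id = get_current_user_id();
    $code    = wp_generate_password(8, false);                 // letters and digits, easy to type
    set_transient(stepup_key($user_id, 'code'), wp_hash($code), STEPUP_TTL);   // store only a hash
    $to = defined('STEPUP_NOTIFY_EMAIL') ? STEPUP_NOTIFY_EMAIL : get_option('admin_email');
    wp_mail($to, 'Confirmation code for ' . home_url(),
            "A sensitive action was requested. Code: $code (valid for 10 minutes).");
    wp_safe_redirect(admin_url('?stepup=sent'));
    exit;
});

// 3. Confirm the code typed back in; on success the guarded capabilities return for STEPUP_TTL.
add_action('admin_post_stepup_confirm', function () {
    check_admin_referer('stepup_confirm');
    $user_id  = get_current_user_id();
    $expected = get_transient(stepup_key($user_id, 'code'));
    $given    = isset($_POST['code']) ? sanitize_text_field(wp_unslash($_POST['code'])) : '';
    delete_transient(stepup_key($user_id, 'code'));            // single use, right or wrong
    if ($expected && hash_equals($expected, wp_hash($given))) {
        set_transient(stepup_key($user_id, 'ok'), 'yes', STEPUP_TTL);
        wp_safe_redirect(admin_url('plugins.php'));
    } else {
        wp_safe_redirect(admin_url('?stepup=failed'));
    }
    exit;
});

// 4. Dashboard notice with the two forms (request a code, enter the code).
add_action('admin_notices', function () {
    if (get_transient(stepup_key(get_current_user_id(), 'ok')) === 'yes') {
        return;                                                // already confirmed, nothing to show
    }
    $url = esc_url(admin_url('admin-post.php'));
    echo '<div class="notice notice-warning"><p>Plugin and user changes are locked until confirmed. ';
    echo '<form method="post" action="' . $url . '" style="display:inline">';
    echo '<input type="hidden" name="action" value="stepup_request">';
    wp_nonce_field('stepup_request');
    submit_button('Send me a code', 'secondary', 'submit', false);
    echo '</form> <form method="post" action="' . $url . '" style="display:inline">';
    echo '<input type="hidden" name="action" value="stepup_confirm">';
    wp_nonce_field('stepup_confirm');
    echo '<input type="text" name="code" placeholder="code from e-mail" autocomplete="off"> ';
    submit_button('Confirm', 'primary', 'submit', false);
    echo '</form></p></div>';
});
```

Two things to know before relying on something like this. While no confirmation is live, the Plugins and Add New User screens disappear from the admin menu, because WordPress builds the menu from the very capabilities the filter withholds; that is the intended effect, not a bug. More important is the limit: the check only bites where WordPress itself calls current_user_can(). Code already running inside the site, for example a vulnerable plugin whose own code calls wp_insert_user() or activate_plugin() directly, walks straight past it, so this protects the admin session, not the installation as a whole.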
Interesting times