Protect Your CMS Website.
Picture the scene: you wake up one beautiful sunny morning, remembering the dream you had last night in which you created the most wonderful, insightful, SEO-friendly article for your blog. Full of energy and creative spirit, you are determined to get this beautiful piece of work on your site before breakfast.
So you go to your login page and…
there’s a message where your login panel should be.
“Hacked by (add the name of your favourite hacker here)”
Thus begins the nightmare.
When did I last back up the site?
Have I got everything I need locally?
Can I restore the site to yesterday’s status?
How many hours of work have I lost?
You try to access the server using your trusty FTP client, but the password doesn’t work.
So you have to go to your host provider and open a support ticket…
…and so it continues.
Ever heard the saying “Prevention is better than cure”?
It’s one of the truest sayings there is, and it applies to this situation perfectly.
Let’s be honest here: there are several ways to hack a WordPress or Joomla site, but a ‘brute force’ attack is one of the most common and is very easy for bored hormonal teenagers to learn.
Sometimes your login combination is secure enough that the attempt doesn’t work, but your site is still under attack during the ‘brute force’ attempt, and that alone can cause overload issues that can result in a server crash. If this happens and your site is on a shared server, your host provider might not be best pleased with you. Often, though, login names and passwords are based on easy-to-remember information like names and birthdays, and these can be, and are, regularly hacked.
Choosing a secure login name and password is relatively straightforward and should be your first line of defence. There are many sites that offer random password generation – just look for them in Google.
Wouldn’t it be safer, though, to stop hackers getting to your login page in the first place?
The problem with WordPress and Joomla is that the admin login page always has the same URL. It goes like this:
It is technically possible to change the URLs, but these CMS beasts are so necessarily convoluted that the relationship between the various PHP files borders on the incestuous, and therefore the solution is unbelievably complicated. If you try it and get it right, you’re a genius. If you try it and get it wrong, well, when did you last back up your website?
Nip It In The Bud
There is an easy way to avoid brute force attacks, and that is by using a combination of hidden files to add a login sequence that you must get past in order to reach the login page of your website.
It works like this: you go to www.yoursite.com/wp-admin or www.yoursite.com/administrator and a little box pops up asking for a username and password. Entering the correct combination takes you to your normal login page. This all happens as a result of a line of code in a hidden file, stored within the main admin folder on your server, that generates the pop-up login interface, which is immune from any software attempting a brute force attack. The username and password combinations that the pop-up checks against are kept in another hidden file, which is stored in a separate location, preferably above the root level of your website.
An extra layer of security at work here is that the password stored in the second hidden file is encrypted, so even if a clever little so-and-so DOES manage to get access to it (unlikely), all they will get is an encrypted version of your password, which cannot itself be decrypted.
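The two-file arrangement described above matches Apache's HTTP Basic authentication, with an .htaccess file in the admin folder and a password file outside the web root. The script below is an added example, not code from the original article; it assumes Apache 2.4 with .htaccess overrides enabled, and the function name protect_admin, the paths and the user name are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes Apache 2.4 with
# .htaccess overrides enabled for authentication (AllowOverride AuthConfig).

# protect_admin DOCROOT ADMIN_DIR PASSWD_FILE
# Appends Basic-auth directives to ADMIN_DIR/.htaccess, but only after
# confirming PASSWD_FILE resolves to a location outside DOCROOT, so the
# password file can never be requested over HTTP.
protect_admin() {
    docroot=$(cd "$1" && pwd -P) || return 2
    admin=$(cd "$2" && pwd -P) || return 2
    pw_dir=$(cd "$(dirname "$3")" && pwd -P) || return 2
    pw_file="$pw_dir/$(basename "$3")"

    case "$pw_file" in
        "$docroot"/*)
            echo "refusing: $pw_file is inside the web root" >&2
            return 1 ;;
    esac
    case "$admin" in
        "$docroot"/*) ;;
        *)  echo "refusing: $admin is not under $docroot" >&2
            return 1 ;;
    esac
    # Do not stack a second auth block on top of an existing one.
    if [ -f "$admin/.htaccess" ] && grep -qi '^ *AuthType' "$admin/.htaccess"; then
        echo "refusing: $admin/.htaccess already sets AuthType" >&2
        return 3
    fi

    # AuthUserFile must be the absolute filesystem path of the password
    # file; this is the detail that is hard to obtain on shared hosting.
    cat >> "$admin/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted area"
AuthUserFile "$pw_file"
Require valid-user
EOF
    chmod 644 "$admin/.htaccess"
}

# Typical use (placeholder paths and user name):
#   htpasswd -c -B /home/example/private/.htpasswd editor
#   protect_admin /home/example/public_html \
#                 /home/example/public_html/wp-admin \
#                 /home/example/private/.htpasswd
```

Basic authentication sends the credentials with every request in an easily decoded form, so serve the admin path over HTTPS.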
It might sound like a straightforward process but you’ve got to get it right, and especially in a shared server scenario it’s not always easy to get the information that you need from your host provider to get these two files working together successfully.
‘Getting it right’ is where we can help.
All of the CMS sites that we publish are protected in this way, and so far we haven’t had a single instance of a brute force attempt.
If you think you need our help and expertise, then please do get in touch.
After all, it’s better to dream of award-winning articles than to have sleepless nights worrying about your site’s security, isn’t it?