
Deerfield Hosting, Inc.

High Performance Web Hosting


Word Press Notes

WordPress – Attack Traffic

December 7, 2014 by dennis

We have recently seen a huge increase in attacks on WordPress sites.  On some sites, the attacks are intense enough to run into resource limits.

The first thing to think about when fending off attacks is how to do so while consuming the minimum necessary resources.

The second thing to think about is how to make your site resource efficient.   Many themes and plugins are poorly written, driving up resource usage.  This is particularly true of commercial offerings.   Developers tend to include as many features as possible to increase sales.  Often, they haven’t thought about resource consumption.  On sites with low volume levels this doesn’t matter much.  But when volume goes up, driven by legitimate visitors or attackers – it starts to matter.  With plugins, less is often more.  Fast sites create the best impressions.

Always keep your WordPress site up to date.  Not doing so invites attacks.  This is much easier since WordPress 4 because it will automatically update itself.  Vulnerabilities are discovered frequently in WordPress itself and in plugins and themes.  It’s relatively easy for attackers to find outdated vulnerable sites.  Once a site is identified as a target, attackers swarm all over it.  And the attacks continue long after it is updated.  You want to stay ahead of this.

The only security plugins we recommend are Word Fence and Anti-Captcha.  Combined, they do everything you need with minimal resource consumption.  The vast majority of attacks are attempts to log in, trying different user names and passwords using scripts.  Anti-Captcha (or any other CAPTCHA) makes this much harder for them by discarding login attempts which do not contain the necessary tokens.  This happens before much code is loaded,  keeping resource waste way down.  A CAPTCHA will virtually eliminate comment spam as well.

Many security plugins are grossly inefficient.  Some work by adding IP addresses to your .htaccess file, which is a very bad idea.  Attacks come from many different IP addresses which constantly change.  It’s a waste to block addresses which were attacking you for a few minutes or a few hours and then are never seen again.  You don’t want WordPress to try matches against thousands or potentially tens of thousands of addresses on every connection.  The thing to do is block attacking addresses for only an hour or a few hours.

Recommended Word Fence Settings – You may find additional settings useful or interesting.  This is not an exhaustive list.

  • Important: Alert on critical problems – This will send you emails when plugins and themes need updating.
  • Alert me when someone with administrator access signs in
  • Enable all scan options except outside WordPress, images, high sensitivity, word patterns.  Some of these are sometimes of use.
  • Immediately block fake Google crawlers
  • If anyone’s requests exceed 10 per minute: block
  • If a crawler’s page views exceed 60 per minute: block
  • If a crawler’s pages not found exceed 5 per minute: block
  • If a human’s page views exceed 20 per minute: block
  • If a human’s pages not found (404s) exceed 3 per minute: block
  • If 404s for known vulnerable URLs exceed 1 per minute: block
  • How long is an IP address blocked when it breaks a rule: 1 hour
  • Enforce strong passwords: ALL
  • Lock out after how many login failures: 3
  • Lock out after how many forgot password attempts: 3
  • Count failures over what time period: 5 minutes
  • Amount of time a user is locked out: 6 hours
  • Important: Immediately lock out invalid usernames: Yes
  • Don’t let WordPress reveal valid users in login errors
  • Prevent users registering ‘admin’ username if it doesn’t exist.
  • Never use ‘admin’ as a user name.
  • Prevent discovery of usernames through ‘/?author=N’ scans
  • Hide WordPress version
  • Hold anonymous comments using member emails for moderation
  • Filter comments for malware and phishing URLs
  • Check password strength on profile update
  • Important: Participate in the Real-Time WordPress Security Network
  • Important: Live traffic: OFF – when you are not actively watching it.
  • Cache: Disable all performance enhancements.  In our experience, they cause worse performance.
  • Scan schedule: use the defaults
  • Advanced blocking: use with caution and only if you have a specific problem to solve
  • Country blocking is a paid option and is generally not a good idea or necessary
  • Blocked IPs – use manual IP blocking only if you have a very good reason.

When you are under attack, immediately blocking invalid user names is extremely valuable to reduce resource waste.  It’s worth repeating that you should never use ‘admin’ as a user name.  Admin is the default user name and the first name attackers will try, which immediately identifies the connection as an attack.  Starting to block the source address immediately is a big win.
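The rate limits, login lockouts and one-hour block expiry from the settings list above, together with the point that blocks should expire rather than pile up in .htaccess, can be made concrete with a small simulation. The code below is an added example written for this page, not Word Fence’s own code; it assumes a constructed set of valid usernames and constructed log lines, applies only the “human” thresholds (no crawler detection), and uses the numeric limits from the list.

```python
from collections import defaultdict, deque

# Thresholds copied from the recommended Word Fence settings above.
HUMAN_PAGEVIEWS_PER_MIN = 20
HUMAN_404S_PER_MIN = 3
RULE_BLOCK_SECONDS = 60 * 60          # "How long is an IP address blocked ...: 1 hour"
LOGIN_FAILURES = 3                    # "Lock out after how many login failures: 3"
FAILURE_WINDOW_SECONDS = 5 * 60       # "Count failures over what time period: 5 minutes"
LOCKOUT_SECONDS = 6 * 60 * 60         # "Amount of time a user is locked out: 6 hours"

# Constructed: the accounts that actually exist on this site (there is no 'admin').
VALID_USERNAMES = {"dennis", "editor"}


class Guard:
    """Per-IP sliding-window counters plus an expiring block table."""

    def __init__(self):
        self.blocked_until = {}                   # ip -> epoch seconds when the block ends
        self.reasons = {}                         # ip -> rule that triggered the block
        self.pageviews = defaultdict(deque)       # ip -> timestamps of page views
        self.not_found = defaultdict(deque)       # ip -> timestamps of 404 responses
        self.login_failures = defaultdict(deque)  # ip -> timestamps of failed logins

    def is_blocked(self, ip, now):
        expiry = self.blocked_until.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            # Expired blocks are dropped, so the table only ever holds addresses
            # that are attacking right now, not every address that ever tripped a rule.
            del self.blocked_until[ip]
            del self.reasons[ip]
            return False
        return True

    def _block(self, ip, now, seconds, reason):
        self.blocked_until[ip] = now + seconds
        self.reasons[ip] = reason
        for table in (self.pageviews, self.not_found, self.login_failures):
            table.pop(ip, None)               # counters are no longer needed while blocked

    @staticmethod
    def _count(window, now, span):
        """Record an event at `now`, drop events older than `span` seconds, return the count."""
        window.append(now)
        while window[0] <= now - span:
            window.popleft()
        return len(window)

    def page_request(self, ip, now, status):
        if self.is_blocked(ip, now):
            return "blocked"
        if self._count(self.pageviews[ip], now, 60) > HUMAN_PAGEVIEWS_PER_MIN:
            self._block(ip, now, RULE_BLOCK_SECONDS, "pageviews")
            return "blocked"
        if status == 404 and self._count(self.not_found[ip], now, 60) > HUMAN_404S_PER_MIN:
            self._block(ip, now, RULE_BLOCK_SECONDS, "404s")
            return "blocked"
        return "served"

    def login_attempt(self, ip, username, now, success):
        if self.is_blocked(ip, now):
            return "blocked"
        if username not in VALID_USERNAMES:
            # "Immediately lock out invalid usernames": a guess at 'admin' identifies
            # the connection as an attack on its very first request.
            self._block(ip, now, LOCKOUT_SECONDS, "invalid-username")
            return "locked"
        if success:
            self.login_failures.pop(ip, None)
            return "ok"
        if self._count(self.login_failures[ip], now, FAILURE_WINDOW_SECONDS) >= LOGIN_FAILURES:
            self._block(ip, now, LOCKOUT_SECONDS, "login-failures")
            return "locked"
        return "failed"


# Constructed log lines (not real traffic); t is seconds since an arbitrary start.
SAMPLE_LOG = [
    "t=0 ip=203.0.113.5 event=login user=admin result=fail",    # script guessing 'admin'
    "t=1 ip=203.0.113.5 event=login user=dennis result=fail",   # already locked out
    "t=5 ip=203.0.113.6 event=login user=dennis result=fail",   # script hammering a real user
    "t=6 ip=203.0.113.6 event=login user=dennis result=fail",
    "t=7 ip=203.0.113.6 event=login user=dennis result=fail",   # third failure in 5 minutes
    "t=10 ip=198.51.100.7 event=login user=dennis result=fail", # a human mistyping slowly
    "t=70 ip=198.51.100.7 event=login user=dennis result=fail",
] + [f"t={200 + i} ip=192.0.2.9 event=page status=404" for i in range(4)] + [  # scanner
    "t=330 ip=198.51.100.7 event=login user=dennis result=fail", # t=10 has left the window
    "t=340 ip=198.51.100.7 event=login user=dennis result=ok",
    "t=4000 ip=192.0.2.9 event=page status=200",                # scanner's 1-hour block expired
]


def replay(lines):
    """Feed log lines through the policy; returns the decision per line and the guard state."""
    guard = Guard()
    decisions = []
    for line in lines:
        fields = dict(part.split("=", 1) for part in line.split("#")[0].split())
        now, ip = int(fields["t"]), fields["ip"]
        if fields["event"] == "login":
            decision = guard.login_attempt(ip, fields["user"], now, fields["result"] == "ok")
        else:
            decision = guard.page_request(ip, now, int(fields["status"]))
        decisions.append(decision)
    return decisions, guard


if __name__ == "__main__":
    for line, decision in zip(SAMPLE_LOG, replay(SAMPLE_LOG)[0]):
        print(f"{decision:8s} {line}")
```

Two things to notice in the replay: the human who fails at t=10, t=70 and t=330 is never locked out because the first failure has aged out of the five-minute window, while the script that guesses ‘admin’ is locked on its first request; and the scanner’s block is gone by t=4000, so the block table never grows beyond the addresses currently attacking.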

We offer highly optimized hosting for Word Press which includes additional security enhancements.  As of this writing it is not described on our website.  Please feel free to ask questions about this.

Filed Under: Word Press Notes

Search Engine Optimization and Blogs

September 7, 2013 by dennis

This morning I was asked (slightly modified):

I noticed our blogs show up easily and on first pages on Google searches, however our new web site pages hardly show up (except for a few) on first pages.  Is that because it’s new and hasn’t been indexed by google yet? I have noticed if I modify a blog, Google searches find the new information within a few days or even overnight.

The Yoast SEO WordPress plugin shows many web site pages are now SEO [search engine optimized] friendly (green light status) yet they don’t show up.  I’m just curious if  there’s a logical reason my Word Press blogs get quicker Google attention than my SEO web site pages.

Google is very good at picking off certain kinds of search engine “optimizations” and will reduce rankings when it finds them.

When people do searches, Google attempts to differentiate when they are looking for information as opposed to looking for places to buy things.  In searches perceived to be for information, pages with the clear purpose of making sales are ranked negatively in order to drastically cut down the number of such pages returned in favor of pages with useful information.

They try to help people find what they are looking for, not help other people sell stuff. When it comes to serving interests, they are steadfastly on the side of the searcher.  They want people to like and use their service.  As a generality, the more closely you and Google share the same intent, the better your rankings will be.

Blogs which are written as information sources without “salesy” language do well in page listings because they parse as information. Lexicology, which studies word and phrase patterns, is an important part of how they do their rankings.  Using lexicology, it’s not hard to differentiate language meant to sell things, language trying to rank well or language meant to convey useful information.

As part of a course I took in artificial intelligence, I did a project to classify textual information into subject, relative content usefulness and reveal biases. It used a lexical database to analyze the documents. I fed it thousands of news and information articles. About 50 people read as many randomly chosen articles as they were willing to and then answered questions derived from the analysis. That information was fed into a neural network to teach it how to classify articles using the lexical analysis. Later, when I asked the same people to rate results returned, I was able to show statistically that the vast majority of people would agree with the choices returned on searches which included not only subject but also the information value and biases contained in the results.  I found it fascinating and a bit startling that it was so easy to do this.

When you type in search terms, then click on results, then click on different results, Google records and uses the information to refine what it returns in subsequent searches. If you ignore the first three pages and click on the fourth page, that page may rank higher when other people do similar searches. But if you come back and click on something else without much time elapsed (meaning you didn’t like what you looked at) then the page is likely to rank lower next time. This information is collected and used in real time and changes constantly. Given the massive volume of pages analyzed and searches done, they are always going to be miles ahead of attempts to manipulate results.

That is just one aspect of how they rank results, but it’s an important one.  And it is essentially impervious to manipulation.

There is an entire industry devoted to search engine optimization, almost all of which is naive and worthless. Naive attempts to improve rankings are much more likely to do the exact opposite. The best way to get good rankings is to provide good content, to provide information people look for.  At this point common sense should tell you to be very careful how you link into sales pages from information pages.  If you are selling products, good product descriptions without overt sales language is probably the best way to do this.  For example, in an informational article you might say “for more information ……”.

Other aspects of how they rank pages include how recently added the information is and how active website changes are. The presumption is that an actively changing site is responding to its visitors and that in turn implies attempts to provide useful or interesting information.

I’m not an expert on this subject, but then neither are the vast majority of those who think they are or claim to be. What I do know from watching websites come and go for the last 10 years is that sites which are actively maintained and updated and have high quality content succeed far more often than others.  Blog software such as Word Press is a great way to do this because it allows you to concentrate on content rather than getting bogged down in the more technical aspects of web page design.

Most web site designers concentrate on the look and feel.  Certainly that’s important to create good first impressions, but it’s the words that attract visitors and sell things.

Filed Under: Word Press Notes

Word Press Plugins

May 23, 2013 by dennis

Word Press plugins come in many flavors.  Because so many look interesting, it can be tempting to install a lot of them.  Remember – the more plugins you have active, the slower your site will run.  It can make a very big difference.   You may not notice a difference in speed, but web site traffic often consists of load spikes.  It’s when many people are accessing a site at the same time that you might see a difference.   Also, every extra plugin creates a new target for attackers.  Unless a plugin is providing functionality you regard as important, don’t install it.  Uninstall any you are not using.  Often, less is more.

  • Rule 1 – Less is more
  • Rule 2 – Keep them up to date!
  • Rule 3 – Delete plugins you are not using.  This is for security.
  • Rule 4 – Do not use plugins which are not actively maintained.  If a plugin has not been updated in a year or more, it is likely a security hazard.  I once lost a site because of this.

Highly Recommended Plugins

Akismet – This plugin is so useful it is automatically installed with Word Press.  What it does is filter out comment spam.  A busy site can get hundreds of such comments daily and it’s an annoyance to get rid of them.  Akismet requires an activation key which is free for personal sites.  A donation is requested for commercial sites.

Word Fence – This plugin provides firewall functions and site hardening.  In just a few seconds you can dramatically reduce the vulnerability of your site.  To install it, click “Plugins” -> Add New.  Search for “Word Fence”.  After installing and activating it, you need to do some basic configuration.  After installation, a dashboard menu choice will appear.  Click on that to configure and check things.

Database backup – Generally on our servers this is not needed as we do this automatically.  The danger with many of the settings is that they will interfere with other plugins.  For most sites, simply clicking on, “Secure My Site From Basic Attacks” is 98% sufficient.  Next, run through the options.  If you simply change everything in RED, your site will be about 1,000 times more secure than the usual WP site.  If you have a very busy or controversial site, you may want to take this further.  Most attackers are looking for low hanging fruit and there is plenty of that around.

Anti Captcha – This plugin is invisible to users, but stops automated login attempts.

Recommended Plugins

Jetpack – by WordPress.com – a highly useful collection of functionality.

Ultimate TinyMCE – This plugin adds a lot of useful editor features.  After you install and enable it, click on the new dashboard menu choice.  Some of the things which can be added are color backgrounds, fonts and styles, various buttons and media functions.  When you add features, be sure to select Row 3 or it can make a mess.

Shortcodes Ultimate – This plugin provides many additional visual features.  Among them are tabs, dividers, drop caps, fancy boxes and too many more to mention.  Many plugins include some of these features, but this one has a longer list.

WordPress SEO by Yoast – The developer is a senior Word Press developer so this is a really advanced plugin.  Search engine optimization is the tip of the iceberg.  It includes social media, XML sitemaps, permalink behaviors and many ways to modify a site’s internal structure.  It also includes many buying opportunities which I haven’t tried.

NOT Recommended Plugins

Any Cache Plugin – Keeping a cache is far more likely to slow down your site than it is to speed it up.  Our servers are optimized to serve web sites.  This means that the server itself runs many kinds of cache simultaneously, mostly in memory, but also on disk in a raw form which outperforms the file system.  Memory is thousands of times faster than disk I/O.

A cache plugin has to analyze what is being requested, generate signatures and then search on disk for those signatures.  Paradoxically, the larger the cache is, the longer all this takes.  98% of the time it would have been faster to simply generate the content from scratch, partly because doing so takes advantage of the server cache.  The pieces are usually pulled from memory rather than requiring any I/O.

A good way to speed up a Word Press blog is to use a content delivery network like Cloud Flare.  We are partnered with Cloud Flare to offer this to you for free.  Be sure to enable railgun to take maximum advantage of Cloud Flare.  Contact us if you want to discuss this.

Filed Under: Word Press Notes

Copyright © 2023 · Deerfield Hosting on Genesis Framework · WordPress