WP Buffs and WordPress Security Hacks
So the other day I was browsing around the web and visited the website of one of our partner companies, WP Buffs, and noticed something interesting.
WP Buffs, by the way, are a team of WordPress techies who provide support services for people running WordPress websites. That is nothing new, as quite a few of these companies have been popping up recently, but it was specifically this screenshot below that got me interested, because I have not seen other companies in the space do this before.
Two things I noticed
- First, it is very rare to get access to plugins that would normally cost you a yearly fee.
- One of the plugins they give you is iThemes Security Pro.
That second point got me interested because WordPress and the security around it has been such a contentious issue for so long.
The number of websites that have been hacked (primarily because of bad plugin management) is astronomical and embarrassing, to say the least.
So I was pleasantly surprised to see WP Buffs giving this plugin for free to their clients when signing up. They also include the excellent WP Rocket and WP Smush Pro for improving WordPress page load times.
But for this article I want to focus on iThemes Security and what it means for you.
Let's talk about iThemes Security Pro
When you first install iThemes Security you are presented with a wizard that runs a number of best practice settings for your site security. You literally press a button and 10 seconds later your WordPress site has become a whole lot more secure.
It really was that easy.
After you have done that, this is the dashboard you see.
And here are the pro options (You get Pro from WP Buffs)
One thing I like about the pro options of this plugin is 2FA (Two-Factor Authentication) - when you have this enabled it literally does make your WordPress website like Fort Knox as the WP Buffs say. You will need an app like Google Authenticator or LastPass Authenticator (what I use) for this to work.
And when it detects something abnormal like logging in from a different location you will get an email looking like this.
Bear in mind that every time you give someone else access to your website, like a web developer etc., they will have to go through this process. If you have a permanent member of staff who needs access to your website, it makes more sense for them to have their own login email, to which this verification email would be sent.
I only say this as I am currently testing out new employees and it can be a little frustrating to have to give them the code every time they want to do some work. But that will soon change if they get the job right.
But for me the most amazing thing about having this plugin happened soon after installing.
Literally within hours I had my first security incident!
I kid you not!
I received an email addressed to the admin email of my WordPress website, which had the following subject line.
[imdiscountcodes.com] Site Lockout Notification
This immediately got me worried, wondering what the heck just happened and if I had lost access to my own website. Turns out it may have been more sinister and encouraging at the same time - somebody I don't know being locked out.
This is what the message looked like.
That IP address - someone in Paris!!! Or more likely someone pretending to be in Paris with IP manipulation.
Not long after this warning (a day) I got another warning where someone had been locked out.
Safe to say I was very happy that somebody who kept trying to log in to my website (maybe with some password cracker) was eventually locked out!
I am sitting on about day two now after the last site lockout, so rest assured I'm not getting these messages every day, which would be very concerning.
These are just my initial thoughts after a few days of using iThemes Security but I will definitely update this post if anything else suspicious starts to happen.
Do you use iThemes Security? What has your experience been like?
And if you are interested in having this for your own website I would recommend using the WP Buffs service to get you started. We have some great bonuses for you if you do decide to sign up.
Isn't it time your WordPress website was managed by true WordPress experts?
From as little as $40 per month you can get started with WP Buffs + make sure to claim one of our exclusive bonus packs if you do. Find out more about this WP Buffs Promotion.