Columns: Secure Your Firm's Website, Server, WordPress

    Many sole practitioners and boutique firms manage their law firm's or company's website themselves. This week it was reported that a Russian hacking group had amassed over 1.2 billion stolen email addresses and passwords, and a dangerous WordPress XML-RPC vulnerability was announced as well. Perhaps not coincidentally, the number of unsuccessful hacking attempts on TheLaw.com noticeably increased. Most site owners rarely check their server, their website logs or their administration area; doing so periodically can save a great deal of grief and make the website and server more secure. In this article I will share a short list of practices we implement and plugins we use to protect our web server, the TheLaw.com website and our WordPress installations.

    Protecting Dedicated, Shared and Virtual Private Servers


    Our website, TheLaw.com, is hosted on a dedicated server. This means that we control the entire server: we can install what we want and configure it how we wish, and we also carry the responsibility of keeping the core software current. Managed hosting means that, at an additional cost, the web hosting company manages the server for you and performs periodic upgrades to keep it safe, secure and in good working order.

    If you're running a virtual private server (also known as a "VPS", which we also provide to highly experienced webmasters through Cheap VPS, LLC), you don't control the entire server, which is managed by your host. You are given a discrete, dedicated portion of the server that you control, with a guaranteed amount of disk space, RAM, CPU time and Internet bandwidth. Visualize a VPS as a condominium, where you own and control one unit in a building with several units. While the building provides basic security and maybe a doorman, you will still certainly want to install your own alarm system in your unit. For most professional businesses and law firms I almost always recommend no less than a VPS, since its cost, performance and security present the best overall value and amount to a very small cost of doing business.

    If you're on a shared server, you're sharing one web server with numerous other people; there could be a few hundred or even a few thousand other websites drawing on the same resources. Visualize a big cruise ship with a deck of general seating: your website is one of those seats, and all of you sink or swim together regardless of where you sit. That doesn't mean you can't take measures to protect your own seat and website from being exploited. While many hosts will provide security for the server as a whole, you will certainly want to implement security measures and practices for your own website and WordPress installation.

    ConfigServer Security & Firewall


    [Screenshot: ConfigServer Security & Firewall]
    One of the essential tools we use to protect our Linux-based dedicated web server is ConfigServer Security & Firewall (CSF) by Way to the Web. If you have a VPS, you can add this essential and indispensable software to it as well. CSF wraps the Linux iptables firewall and pairs it with the Login Failure Daemon (lfd), which watches the server's logs for repeated failed logins and other abuse and blocks the offending address automatically; it also gives webmasters an easy way to ban countries and IP addresses across the entire server. For the most part it works extremely well on its own, silently and efficiently in the background. Some setup is required, and if you or your webmaster don't possess the expertise, Way to the Web provides an installation and setup service that is well worth the investment. The cost is usually under $200 and, once set, it rarely needs further tweaking. If you're hosting your firm's website, a personal website and perhaps another firm's website that shares the cost of the server, you can ban malicious activity on all of those websites at once.

    Review Website Statistics Information Periodically


    [Screenshot: Webalizer "Top Sites by Hits" and "Total Sites by KBytes" tables]
    Virtually all hosting accounts come with a statistics package pre-installed. The Webalizer comes with many shared hosting accounts, so we'll use it as the example, but what follows can and should be done with virtually any web analytics software.

    If you look at the screenshot from the Webalizer, a very popular and basic server analytics package, you'll see two lists that I've combined into one graphic. At the top is a short list of the top sites accessing our website by "hits"; below it, the sites that used the most data in doing so. The msnbot entries are Microsoft's search spider for its Bing search engine. Yandex is a Russian search engine, and the log tells me that its spider isn't honoring our robots.txt file or the other directive that tells it not to index our website. This isn't a security issue but one of bandwidth and resources: since Russian users will almost never care to use our English-language website, it doesn't pay to have our server working hard to keep up with requests from the Yandex search engine.

    But take a look at the IP address 212.150.211.166, which has recorded 10,408 hits in what appears to be just one day. Looking up this IP address with the blacklist check at WhatIsMyIPAddress shows that it appears on someone's blacklist, which usually signifies malicious activity or spam (blacklists do carry false positives, so treat a listing as one signal alongside the log volume rather than as proof). I don't know who they are, so I've decided to block them in the ConfigServer firewall. If you use cPanel, a very popular control panel for administering Linux-based web servers, you can ban IP addresses in WHM (WebHost Manager), which controls the entire server. Alternatively, each website's own cPanel has a simplified security section where IP addresses and IP blocks can be entered to ban access to that particular website.

    I noticed in the "Total Sites by KBytes" Webalizer chart that a backlink-checker website called "SEOKicks" keeps hitting our site. I'm not sure what they are seeking; perhaps they are trying to find the backlinks that the outsourced SEO spammers of various law firms have tried to drop on us. For the most part we've deleted those links and any "link juice" they purported to provide to the destination websites. (Recently I've been collecting examples, as some law firms have simply ignored our repeated attempts to reach them to stop their SEOs from spamming our site.) Most of these IP addresses can be safely blocked, since they provide nothing useful to your website. All you will lose are the ego visits and data you'd see registering in an analytics package such as Google Analytics. If your traffic seems to drop a little, don't fret: you're probably just removing useless bot activity from your statistics and improving your website's performance in the process.

    Review Server Logs and Error Logs


    [Screenshot: cPanel error log]
    I also check our server logs and error logs for IP addresses that keep hitting our website. The access log records the activity that takes place on the website: who requested a page and what page was served. The error log lists errors, such as a web browser asking for a URL that doesn't exist on our website. Some entries in the error log are clear signs of hacking, especially when the request comes from an unknown, automated source and seeks a URL that human visitors generally never request. For example, nobody but you and your webmaster should be trying to reach your administrative area.

    The screenshot shows the error log as presented by the cPanel control panel. It will look similar whether you're using a GUI or a command line: a long list of dates, times, IP addresses and, at the far right (not visible in the image), the URL that produced the error. In this instance I keep seeing the same error for a URL that does not exist on our website. Looking up the first IP address at Project Honey Pot, a collective service that identifies spam and malicious activity (our site contributes data to it when we identify spammers), reveals that this bot is probably harmless: it's the magpie crawler from Britain. You can block it, but it probably won't cause harm. Here's how it is described:

    [Screenshot: IP address lookup result]
    This IP address has been seen by at least one Honey Pot. However, none of its visits have resulted in any bad events yet. It's possible that this IP is just a harmless web spider or Internet user.

    The second IP address, 117.26.117.208, is located in China. Glancing at the server log (a huge file to review and not readily accessible to novices), I can tell that these attempts are automated: the bot originating from this IP address keeps trying to access a file called "register.php" in a directory where our law forum does not exist. It is highly suspicious activity and typically the sign of a spammer trying to register an account to drop spam in our law forum.

    Many malicious scripts are written to locate the URLs of the administration or registration areas of popular web applications. The script then determines whether the server is still running an older, outdated version of the software; if it is, the script attempts to exploit it and perform some mischief on the server. If the attacker's IP address hasn't already been added to our firewall automatically, we add it manually, using ConfigServer to ban it server-wide or cPanel to ban it from the TheLaw.com website alone.
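Here is the same log review done with a script instead of by eye, as an added example that is not from the article, cPanel or ConfigServer; it also serves the ConfigServer section above, since what it produces is a list of csf deny commands. It assumes the Apache/NGINX "combined" access log format (client IP in the first field, request path in the seventh, HTTP status in the ninth), which is what a cPanel account's access-logs directory holds. The probe-path list, the thresholds and the sample log lines (documentation-range addresses, constructed for the example) are illustrative choices, not anything the article specifies.

```shell
#!/bin/sh
# Added example, not code from the original article: triage a web server
# access log the way the article describes (busiest clients, automated probes
# for admin/registration URLs) and emit ConfigServer Firewall "csf -d"
# commands for review. Assumes the Apache/NGINX "combined" log format:
# field 1 is the client IP, field 7 the request path, field 9 the HTTP status.

# Paths human visitors rarely request but scanners and spam bots hit
# constantly (illustrative; add your own CMS's admin and register URLs).
PROBE_PATHS='wp-login[.]php|xmlrpc[.]php|wp-admin|register[.]php|wp-config[.]php'
# Clients with at least this many requests in the log are "top talkers".
HIT_THRESHOLD=${HIT_THRESHOLD:-500}
# Space-separated IPs that legitimately use the admin area (yours, your webmaster's).
ALLOW_IPS=${ALLOW_IPS:-}

# Print "count ip" for every client at or above HIT_THRESHOLD, busiest first.
top_talkers() {
    awk -v t="$HIT_THRESHOLD" '
        { n[$1]++ }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }' "$1" | sort -rn
}

# Print "count ip path" for clients (other than ALLOW_IPS) that requested a
# probe path, most frequent first.
probe_hits() {
    awk -v re="$PROBE_PATHS" -v allow="$ALLOW_IPS" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $7 ~ re && !($1 in ok) { k[$1 " " $7]++ }
        END { for (x in k) print k[x], x }' "$1" | sort -rn
}

# Union of both lists, one "csf -d" (permanent deny) command per IP. Nothing
# is executed here: read the output, then pipe it to sh if you agree with it.
csf_deny_commands() {
    { top_talkers "$1" | awk '{ print $2 }'
      probe_hits "$1" | awk '{ print $2 }'
    } | sort -u |
    while read -r ip; do
        printf 'csf -d %s "log triage %s"\n' "$ip" "$(date +%F)"
    done
}

# Constructed sample log (documentation-range addresses, not real visitors).
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.10 - - [09/Aug/2014:10:01:01 -0400] "GET /wp-login.php HTTP/1.1" 200 2810 "-" "Mozilla/5.0"
203.0.113.10 - - [09/Aug/2014:10:01:02 -0400] "POST /xmlrpc.php HTTP/1.1" 403 210 "-" "Mozilla/5.0"
203.0.113.10 - - [09/Aug/2014:10:01:03 -0400] "GET /forum/register.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Aug/2014:10:02:00 -0400] "GET /wp-admin/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Aug/2014:10:02:05 -0400] "GET /articles/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
192.0.2.44 - - [09/Aug/2014:10:03:00 -0400] "GET / HTTP/1.1" 200 4096 "-" "SomeSEOBot/1.0"
192.0.2.44 - - [09/Aug/2014:10:03:01 -0400] "GET /a/ HTTP/1.1" 200 4096 "-" "SomeSEOBot/1.0"
192.0.2.44 - - [09/Aug/2014:10:03:02 -0400] "GET /b/ HTTP/1.1" 200 4096 "-" "SomeSEOBot/1.0"
192.0.2.44 - - [09/Aug/2014:10:03:03 -0400] "GET /c/ HTTP/1.1" 200 4096 "-" "SomeSEOBot/1.0"
192.0.2.44 - - [09/Aug/2014:10:03:04 -0400] "GET /d/ HTTP/1.1" 200 4096 "-" "SomeSEOBot/1.0"
EOF
}

# Demo on the sample: thresholds lowered to suit ten lines. Against a real
# cPanel log use something like HIT_THRESHOLD=5000 and your own ALLOW_IPS.
LOG=$(mktemp)
write_sample_log "$LOG"
HIT_THRESHOLD=4
ALLOW_IPS="198.51.100.7"
echo "== top talkers";   top_talkers "$LOG"
echo "== probe hits";    probe_hits "$LOG"
echo "== proposed bans"; csf_deny_commands "$LOG"
```

On the sample, the SEO crawler at 192.0.2.44 shows up as a top talker (the Yandex and SEOKicks case), 203.0.113.10 shows up for probing wp-login.php, xmlrpc.php and a register.php that doesn't exist (the Chinese bot case), and the allowed 198.51.100.7 is not reported for its own wp-admin visit. `csf -d` adds a permanent deny to csf.deny; `csf -g <ip>` shows whether an address is already blocked and `csf -dr <ip>` removes a deny. Read the proposed list before piping it to sh, since a busy but legitimate client, such as a search engine you do want, will also trip the hit threshold.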

    Best Practices and Security Plugins


    Change Your Admin Username, Use a Strong Password


    By default, many people use "admin" as the administrator user name for WordPress or other content management software. Since hackers know this, they frequently try to guess the administrator password using "admin" as the user name. Changing an administrator user name in WordPress is not as obvious as you would expect: you cannot do it from the profile screen without the aid of a plugin, so the usual route is to create a new administrator account, log in as that account and delete the old "admin" account. WordPress will then ask which account should receive all the posts and content, which would be the new administrator account you created. Note that this process depends on the content management system you are using. Bear in mind, too, that a user name is not a secret (WordPress exposes it in author archive URLs, for example), so renaming it only defeats the laziest scripts; the strong password and the login lockouts described below do the real work. Back up your entire website and database before making any major changes to your website.

    I also suggest using a strong password that mixes capital and lower-case letters, numbers that are not in sequence and at least one "special" non-alphanumeric character (like "@" or "^"). It should go without saying that a real word is not advisable; a memorable made-up word such as "KolumBenz^2856" is more appropriate, and since length counts for more than clever substitutions, a long passphrase, or a random password kept in a password manager, is stronger still. Many hackers use "brute force" attempts to break into accounts, such as running through a dictionary to guess passwords.

    Upgrade WordPress Templates and Plugins Immediately


    I cannot emphasize enough how important it is to update your WordPress installation, your plugins and your themes at the earliest opportunity. Hackers are very quick and their attacks are automated. Make upgrading the WordPress core a priority. Vulnerabilities are frequently found in plugins and exploited, so in addition to choosing plugins with a good security record, keep them current. WordPress templates and themes can also be compromised, especially when they contain custom functions and JavaScript. Make sure your webmaster has locked down all accessible areas of your installation, for example by checking that temporary directories, caching directories and other directories used for uploading and downloading files have the correct permissions. The WordPress Codex contains detailed permissions instructions.

    Suggested WordPress Settings to Prevent Spam


    In order to prevent spam and remove some of the incentive to attack our site, I've set the following on our website:

    WordPress Admin: Settings >> Discussion


    • uncheck "allow link notifications from other blogs" (pingbacks and trackbacks on new posts)
    • check "users must be registered and logged in to comment" (this is optional)
    • check "automatically close comments on posts older than N days" if there is an age after which your articles are probably stale
    • check "comment must be manually approved"
    • uncheck "comment author must have a previously approved comment"

    Disable XMLRPC


    XML-RPC is the remote-publishing interface that lets mobile apps and other sites talk to your WordPress installation through xmlrpc.php. If you don't use it (and if you don't know what it is, you almost certainly don't), disable it. Leaving it open exposes your website to a number of crippling attacks, from password guessing that bypasses the protections on your login page to pingback-based denial of service, in addition to spam. Jetpack's Protect module will block brute-force attempts made through it (though Jetpack itself relies on XML-RPC to talk to WordPress.com, and I consider it a little too bloated), and there are numerous dedicated "Disable XML-RPC" plugins if you search for them. You can also add the following code to the functions.php file of your WordPress theme if you're handy. Note that this filter only turns off the XML-RPC methods that require a login; xmlrpc.php still answers requests and the pingback method still works, so remove pingback.ping as well (see the next section) or block xmlrpc.php outright in your web server configuration.

    Code:
    // Turn off the XML-RPC methods that require a login (remote publishing,
    // password guessing through xmlrpc.php). pingback.ping is not covered.
    add_filter( 'xmlrpc_enabled', '__return_false' );

    Uncheck "allow trackbacks and pingbacks on this page."


    Make sure every article you publish has this option unchecked. If you don't know what it is, don't worry: it was a way of notifying other sites that you had linked to them, and of being notified when someone linked to your article, in which case a mention and link to the citing website would appear underneath your article. At present, trackbacks and pingbacks are used primarily for spam and artificial backlink building, neither of which is beneficial. You can turn it off on all your existing posts with Bulk Edit in the "Posts" section of the admin area, but you can also disable it globally by adding the following to the functions.php file of your WordPress theme or template.

    Code:
    // Remove the pingback.ping method from the XML-RPC server, so neither other
    // sites nor attackers abusing the pingback feature can send pingbacks here.
    add_filter( 'xmlrpc_methods', 'remove_xmlrpc_pingback_ping' );
    function remove_xmlrpc_pingback_ping( $methods ) {
        unset( $methods['pingback.ping'] );
        return $methods;
    }

    Wordfence WordPress Security Plugin


    One of the plugins we use on TheLaw.com to protect our WordPress multisite is Wordfence. The free version is an essential baseline against the hacking and scraping of your WordPress site. It is largely preventative, blocking attacks before they succeed, and it also includes a scanner that compares your core, plugin and theme files against the originals in the WordPress.org repository and flags files that have been modified or added. It notifies you periodically when your WordPress installation and plugins are out of date.

    [Screenshot: Wordfence]
    Word of warning: after installation, you will be shocked at how often Wordfence notifies you of attempts to break into your website. We receive several reports hourly on a slow day. The plugin locks out an address after a certain number of failed login attempts, and it can be set to lock out immediately anyone who tries a user name that doesn't exist (such as "admin", once you've renamed yours). It will also throttle or completely block bots and spiders looking to scrape a website's content or commit some other malicious act. For a fee, Wordfence provides additional controls that can be very useful for novices, such as country blocking through an easy-to-use WordPress interface. If you run an English-language website for a United States audience, you may benefit from blocking countries such as China, Russia, Ukraine and other primarily non-English-speaking countries; this cuts the noise considerably, though a determined attacker will simply come through a proxy or a server hosted elsewhere.

    Ban Hammer - Ban WordPress Registrations and IP Addresses


    Another effective WordPress security plugin is Ban Hammer. While Wordfence bans IP addresses too, Ban Hammer also lets webmasters ban users who try to register from certain email domains. By far the worst offenders and attempted spammers registering on our website came from gmx.com, a free email provider owned by the same company as mail.com. Using Ban Hammer we can ban all registrations from gmx, mail.com and the long list of free email domains they provide. Ban Hammer has numerous additional tools that are too long to list here, but in my opinion it's worth investigating and installing.

    Akismet - Comment Spam Protection


    Akismet is the de facto standard for comment spam protection for your WordPress site. I won't go into detail, as it is not really a security plugin per se; I mention it in passing because it's an important WordPress plugin not covered above.

    Captcha Plugin


    I've had the pleasure of working with the good people at BestWebSoft and discovered that they have a very popular WordPress captcha plugin that works quite well at stopping automated scripts from abusing your registration system. Although the plugin created some CSS styling conflicts on our site, and its function is covered by other plugins we use at the moment, it is an excellent and highly flexible captcha system. For example, you can thwart bots by presenting simple math questions, generated at random, that require a different answer with every page load.

    Other Notable WordPress Security Plugins


    I have used the following Wordpress security plugins sparingly, and they do bear mentioning since they are popular among other webmasters:

    .htaccess Files and IP Address Ban List


    This article has already exceeded 2,500 words! I hope that I've been able to keep your attention and leave you with a useful takeaway too. While we also secure our website using a special file on our server called the ".htaccess" file, that topic is far beyond the scope of this article and an art in itself. The takeaway I can provide is the list of IP addresses and ranges we've banned on our server, which you can ban as well using the techniques described above. One caution before you copy it: several of the large ranges (the /10 through /15 blocks) belong to Amazon Web Services, so banning them server-wide also blocks anything legitimate that happens to run there; check a range against your own logs before adding it.

    If you have any questions or wish to contact me, please don't hesitate to do so. If you're curious about my background, I've been a webmaster and site administrator for over 20 years. I'm extremely visible in webmastering and search engine optimization forums if you look very closely! Wishing you the best of luck with your websites and safe webmastering!

    192.95.12.170
    178.32.187.52
    117.18.73.66
    85.25.242.250
    178.33.11.32
    78.170.199.167
    95.167.0.0/16
    107.20.0.0/14
    184.72.0.0/15
    23.20.0.0/14
    50.16.0.0/14
    54.72.0.0/13
    54.80.0.0/12
    54.176.0.0/12
    54.192.0.0/10
    115.49.53.25
    62.50.189.162
    219.101.244.11
    62.210.73.169
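Before pasting a list like the one above into csf.deny or the cPanel IP blocker, it is worth linting it. The following is an added example, not from the article or from ConfigServer: it rejects malformed entries, reports exact duplicates, flags ranges wider than /16 (a single /14 covers 262,144 addresses, and a block that wide takes out every site and service inside it, not just the one that annoyed you), and prints the clean entries in the "address # comment" form that csf.deny uses. The /16 cut-off is my own judgement call rather than a CSF rule, and the sample list is constructed, modelled on the one above with a deliberate duplicate and a typo added.

```shell
#!/bin/sh
# Added example, not code from the original article: sanity-check a list of
# IPv4 addresses and CIDR ranges before feeding it to the firewall. Clean
# entries go to stdout in csf.deny's "address # comment" form; INVALID,
# DUPLICATE and WIDE warnings plus a summary go to stderr.

# Prefix lengths shorter than this are reported as WIDE (judgement call).
WIDE_PREFIX=${WIDE_PREFIX:-16}

# Read entries from the file named in $1, one per line; "#" comments allowed.
lint_ban_list() {
    awk -v wide="$WIDE_PREFIX" -v tag="$(date +%F)" '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # strip comments, trim
        $0 == "" { next }                                 # skip blank lines
        {
            host = $0; prefix = 32
            if (split($0, p, "/") == 2) { host = p[1]; prefix = p[2] }
            # Four dotted octets, each 0-255; prefix numeric and at most 32.
            ok = (split(host, o, ".") == 4 && prefix ~ /^[0-9]+$/ && prefix + 0 <= 32)
            for (i = 1; ok && i <= 4; i++)
                ok = (o[i] ~ /^[0-9]+$/ && o[i] + 0 <= 255)
            if (!ok)        { print "INVALID " $0 > "/dev/stderr"; bad++; next }
            if ($0 in seen) { print "DUPLICATE " $0 > "/dev/stderr"; dup++; next }
            seen[$0] = 1; kept++
            if (prefix + 0 < wide + 0)
                printf("WIDE %s covers %d addresses\n", $0, 2 ^ (32 - prefix)) > "/dev/stderr"
            print $0 " # banned " tag                     # csf.deny line format
        }
        END { printf("kept=%d duplicates=%d invalid=%d\n", kept, dup, bad) > "/dev/stderr" }
    ' "$1"
}

# Constructed sample list: single addresses, an exact duplicate, a /16, three
# wide hosting-provider ranges and a typo. Not the article's complete list.
write_sample_list() {
    cat > "$1" <<'EOF'
# addresses gathered from the access log
192.95.12.170
178.32.187.52
178.32.187.52
95.167.0.0/16
54.192.0.0/10
23.20.0.0/14
184.72.0.0/15
117.18.73
62.210.73.169
EOF
}

# Demo: warnings appear on stderr, clean csf.deny lines on stdout.
LIST=$(mktemp)
write_sample_list "$LIST"
lint_ban_list "$LIST"
```

On the sample, the duplicate and the truncated address are reported and dropped, the three ranges shorter than /16 are kept but flagged with their size, and the seven remaining entries come out ready to append to csf.deny (after which `csf -r` reloads the firewall). Wide ranges are deliberately passed through rather than dropped, since the decision to ban a whole hosting provider is yours to make; the tool only makes sure you make it knowingly.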

    Michael M. Wechsler

    Michael M. Wechsler is an experienced attorney, founder of TheLaw.com, A. Research Scholar at Columbia Business School and of counsel to Kaplan, Williams & Graffeo, LLC. He was also an SVP and chief Internet strategist at Zedge.net and a legal consultant at Kroll Ontrack, a leading e-discovery and computer forensics service provider.
