Joseph Herbrandson of Sucuri published an excellent article listing the most common attacks today’s websites are facing. Herbrandson does a good job of explaining the attacks without inundating the reader with technical jargon. He also links to WordPress items that are relevant to each type of attack.
I’ve spoken to Herbrandson at a few different WordCamps and one question I’ve asked him is “what does this all mean to the average user?” He answers the question in his post:
All software, old and new, follows the same concepts that made computers work decades prior to now. The only difference today is the number of complex layers that have been added to make the process seem confusing.
The only ones confused though, are the people for whom the complexity was implemented to protect in the first place: the users. The continuous pattern of cyber-assault on everything from banks to bakeries, and across the board from Target to Apple, is showing that this world requires users to break the expectation of confusion and understand how Internet instigators are really coming after us.
Herbrandson and others in the field have the difficult task of informing the public without scaring it. I’ve sat in sessions at WordCamps where he educates users on website security, and most of the attendees realize they have to take website security seriously. There have only been a few times where attendees have become scared, but it’s good to be scared.
However, a poor reaction to being scared is to install several different security-focused plugins, thinking you’ll be protected from every threat. In most cases, this will end up doing more harm than good, as plugins lock down potentially useful features such as XML-RPC. I’m all for securing websites, but I also believe there is such a thing as too much security. Unfortunately, there’s no silver bullet that protects against every threat without being an inconvenience in some way.
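As an added illustration of the "too much security" point above (this is example code, not from the article, from Sucuri, or from any of the plugins mentioned): rather than switching XML-RPC off entirely, which breaks the mobile apps and remote-publishing clients that depend on it, a site owner can remove only the pingback method, the one part of XML-RPC that most sites never use and that attracts the most abuse. The file path is an assumption about a standard WordPress install; the two filter hooks are WordPress core hooks.

```php
<?php
/**
 * Added example: a narrower alternative to blanket-disabling XML-RPC.
 * Save as wp-content/mu-plugins/limit-xmlrpc.php (assumed path) so it loads
 * before regular plugins and cannot be deactivated from the admin screen.
 */

// Remove only pingback.ping from the XML-RPC method table; every other
// method (posting, media upload, etc.) keeps working for legitimate clients.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'] );
    return $methods;
} );

// Stop advertising the pingback endpoint via the X-Pingback response header,
// so the site is not discovered as a pingback target in the first place.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// The blunt alternative many security plugins apply is the one-liner below.
// It is left commented out here because it also disables the useful methods.
// add_filter( 'xmlrpc_enabled', '__return_false' );
```

Because this is a must-use plugin, it applies regardless of which security plugins are installed, and it leaves the rest of XML-RPC available to tools the site actually relies on.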
Definitely check out his article and consider the questions asked at the bottom of the post. If you’ve never seen Herbrandson present on WordPress security fundamentals, here is a recorded presentation from WordCamp Orange County 2014. In the session, he covers simple principles everyone can implement to keep the risk of attacks as low as possible.
Sucuri is great and we use it on a higher-traffic website that gets hack attempts constantly. Sucuri and the Simple Firewall plugin do a decent job, but Fail2Ban and ZBBlock help to alleviate problems that plugins don’t catch: http://www.spambotsecurity.com/zbblock.php
WordPress is WordPress. Server security isn’t the same! Properly configured servers, software and firewalls are not even covered in most articles. It takes 5 minutes to secure WordPress, but it can take hours to properly secure a server.