When I last wrote about the site at the end of January, I mentioned that I’d installed an activity monitor. Logging is not a standard feature of WordPress, so you’ll need a plugin. The one I chose is the Aryo Activity Log. It’s now been running for two months, and I have drawn a number of conclusions. The information below uses data gathered since January 31st 2016. The conclusions are:
Updates are frequent, so don’t ignore them
In two months there have been two core updates and 16 plugin updates. If we extrapolate that out to cover a three-year period, it means there will be 36 core updates and 288 plugin updates. The reason for quoting a three-year period is that many WordPress sites are created and then never updated. If we conservatively assume that 10% of patches fix a major security flaw, then after three years there will be over 30 major vulnerabilities that can be exploited.
It would appear that the WordPress developers have considered this too. One of the core updates was automatically installed. Plugin updates, though, remain under the control of the site administrator, so it is your responsibility to log in on a regular basis, at least once per week, and install them. If your site is particularly heavily used, then you should have a mirrored test domain where you can try the change out first. Finally, don’t forget to implement a maintenance window, as the updates may affect the availability of your site.
Strong passwords or multi-factor auth is critical
In two months, the log has recorded 6500 failed logins. Of those, fewer than 50 are genuine incorrect passwords by a valid user. The rest are people or bots attempting to log in using a variety of usernames, most of which appear to be common administrative names, or variants of the site name or author names. While obscurity should never be your only line of defence, you can help by not using usernames such as admin, or in my case, callam. Make sure you use strong passwords; if you’re not sure what this means, take a look at a previous article I wrote on the subject.
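As an added illustration of the sorting described above (this is example code, not code from the original post or from the Aryo Activity Log plugin), the Python below takes a constructed set of login records in a made-up line format, separates password typos against a real account from username-guessing attempts, and reports the usernames and source addresses involved. The valid-user list, the line format and the failure threshold are all assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample records. The line format is invented for this example
# and is not the export format of any real activity-log plugin.
SAMPLE_LOG = """\
2016-02-01 03:12:07 198.51.100.7 failed_login user=admin
2016-02-01 03:12:09 198.51.100.7 failed_login user=administrator
2016-02-01 03:12:11 198.51.100.7 failed_login user=callam
2016-02-01 03:12:13 198.51.100.7 failed_login user=callammcmillan
2016-02-01 09:40:21 203.0.113.5 failed_login user=callam
2016-02-01 09:40:45 203.0.113.5 successful_login user=callam
2016-02-02 22:05:02 192.0.2.33 failed_login user=test
2016-02-02 22:05:03 192.0.2.33 failed_login user=admin
"""

# Accounts that actually exist on the site (assumed for the example).
VALID_USERS = {"callam"}

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\w+) user=(\S+)$")


def parse_log(text):
    """Yield (timestamp, ip, event, user) tuples; lines that don't match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()


def classify_failed_logins(text, valid_users=VALID_USERS, threshold=5):
    """Split failed logins into genuine typos and guessing attempts, per source IP."""
    attempts = {}  # ip -> usernames tried in failed logins
    for _ts, ip, event, user in parse_log(text):
        if event == "failed_login":
            attempts.setdefault(ip, []).append(user)
    genuine = 0
    guessed = Counter()
    guessing_ips = {}
    for ip, users in attempts.items():
        # An address that tries a non-existent account, or fails at least
        # `threshold` times, is treated as guessing rather than mistyping.
        if any(u not in valid_users for u in users) or len(users) >= threshold:
            guessing_ips[ip] = len(users)
            guessed.update(users)
        else:
            genuine += len(users)
    return {"genuine": genuine, "guessed_users": guessed, "guessing_ips": guessing_ips}
```

The `guessed_users` counter is what shows the attempted names, which on the sample above are the common admin names and author-name variants the post describes.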
This is probably a good time to say that backing up the site should be a routine activity. The frequency of backups depends on the site. CallamMcMillan.com is backed up once a month. If you want to post several articles per day, then you’re going to want to consider backing up the site daily or weekly. Depending on your hosting setup, you may do the backups in different ways. As a small, low-traffic site, I perform a regular full backup of the server, which includes the files and databases. On bigger sites this won’t be practical, so instead you’d back up the database only, and the file system when you apply updates. Remember though, it’s the database you can’t afford to lose. If you had to rebuild the site from an old file copy, all you would lose is the updates applied since.
On the subject of multi-factor authentication, if you can, get it and use it. I would love to recommend a plugin, but it depends on the needs of your site. Not all of them are the same and every website has slightly different needs. So pick one that works how you need it to.
An Activity Log is a crucial addition
I am surprised that WordPress does not come with built-in logging. The ability to understand the actions being taken on your site is a crucial tool in ensuring that the site runs well. An activity log can give you advance notice of security attacks and a general history of how your site is running.