Anyone who’s operated a site on a popular CMS knows the difficulties with security and spam that undoubtedly occur. WordPress sites in particular are pursued relentlessly by hackers and spammers. Despite the advances with its built-in security and its spam blocker Akismet, there is still a lot of trouble that can arise. Here are some ways that I make sure that my site is really, really secure (aimed at WP, but certainly some good tips for other websites / CMSs).
To get started, let’s take a look at what I think is the best thing to happen to websites ever. It’s called CloudFlare, and it’s awesome.
Not only does this secure the hell out of your site, it also makes it a helluva lot faster. Plus, with the auto-minify features (just turn them on!) you boost your YSlow/PageSpeed performance ratings quite a bit without even trying. A quick list of features: killer security analytics, tracking of outbound links, keeps your website up even during blips of downtime, manages your Google Analytics and tools, helps to protect against DDoS attacks, e-mail address obfuscation, challenge pages for compromised visitors, hotlink protection, and plenty more. Best thing? Totes free. But if you want to sign up for their Pro version (which is even awesome-er), then you get some more advanced security features. If it’s what you need, do it, but the basic free plan should be more than enough for most.
Next, let’s talk about spam. It’s annoying. Really annoying. It’s easy enough to prevent on blog posts (almost every CMS offers some sort of spam-blocking plugin or feature). On WP, that’s Akismet, and it works really well. But what about your contact forms? Unless you run those through something like Akismet (which requires either a plugin or some code work on your end), you’re going to get hit. There are two options I would say that you could take:
- Use a Captcha (IMHO, very annoying)
- Use a reverse-Captcha (IMHO, very awesome)
The Captcha is this:
…you may recognize this from a previous post. As for a reverse Captcha, it’s something a bit more subtle. You essentially set up a hidden input on your form, and then (either through JavaScript or server-side validation) reject the form if the hidden field is filled. That’s it! The trick is to make it a field that won’t get filled easily by people’s browser autofill, yet make it enough of a ‘honeypot’ to attract spammers. So I tend to name it something like ‘Linkz’ or ‘Addrezz’, or something that’s just off enough from a legit form field to take care of both requirements. This has been, in my experience, the best way to prevent spam via a contact form. See here to read about how to implement this with the WP Contact Form 7 plugin.
So, those are two VERY easy ways to get a whole lot of protection very easily. If you’re on WP, there are a whole bunch o’ plugins that you can use to add WP specific protection. Right now, I’m using BPS Security, but I also recommend changing the prefixes on your SQL tables from ‘wp_’ to almost anything else.
Finally, I recommend adding a little protection to your .htaccess file, if you have an Apache server. If you use the HTML5 Boilerplate (HIGHLY RECOMMENDED), it has a lot of great added protection already built into its .htaccess file, so you will be on the right track.
Anyway, that should be enough to get you fairly secure and spam free. I’d love to hear any other suggestions people have.