In the last few weeks there has been a rise in brute force attacks on WordPress sites. These illegal botnets trawl WordPress installations, working through directory names, passwords and IP addresses to gain access to unsuspecting websites. Maybe you’ve heard about this or maybe you haven’t; either way, it’s important to pay attention and minimize the risks by implementing a few simple safety measures to protect YOUR WordPress website.
What’s the big deal?
If the attacker is able to guess the user login to your site and if the user has an administrator role, you might as well be handing the keys to a malicious burglar to rob and destroy your home. Once in, they can add new files, modify existing ones, change user passwords, inject malware and even exploit your site to attack others. It isn’t known exactly what the purpose is behind these attacks, but they can compromise numerous servers that host these websites. It’ll be a really big deal if your site is compromised.
“An ounce of prevention is worth a pound of cure” –Benjamin Franklin
Increasing WordPress security:
Change your login name
The default username is “admin”, and it’s strongly recommended to change it to something more unique. This makes it harder for attackers to guess your login credentials, since they no longer get the username for free. Go ahead and change your “admin” right now, and avoid usernames such as “editor”, “administrator”, “moderator” or “test”.
Basic Steps to create a new administrator user
1- Go to “Users” and “Add New”, and give the new user the Administrator role
2- Log out and log in as the new user
3- Delete the “admin” user and attribute all its posts to the user created in step 1
Use a strong password
Make sure you use a strong password that’s difficult for others to guess. Use a combination of digits, special characters and upper/lower case to form your password. Don’t use passwords like these: password, user, admin, admin123, 123456, welcome, etc.
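The two recommendations above (a uniquely named administrator in place of “admin”, and a password that follows the rules just given) as one added example, written for this post and not code from the original article or from WordPress itself. It uses WordPress’s own user functions and assumes a single-site install where the file is run inside WordPress, for instance with `wp eval-file`; the file name, username and e-mail address are placeholders.

```php
<?php
// Added example (not from the original post): replace the default "admin"
// account with a uniquely named administrator whose password passes the
// strength rules above. Assumes a single-site WordPress install and that
// this file runs inside WordPress, e.g. `wp eval-file replace-admin.php`
// (file name, username and e-mail below are placeholders).

// wp_delete_user() lives in an admin include that is not loaded everywhere.
require_once ABSPATH . 'wp-admin/includes/user.php';

// Logins the post says to avoid, and passwords it lists as guessable.
const RESERVED_LOGINS = array('admin', 'administrator', 'editor', 'moderator', 'test');
const WEAK_PASSWORDS  = array('password', 'user', 'admin', 'admin123', '123456', 'welcome');

// True only if the password mixes digits, symbols and both letter cases,
// has a sensible length, and is not one of the well-known weak choices.
function is_strong_password($password) {
    if (strlen($password) < 12) {
        return false;
    }
    if (in_array(strtolower($password), WEAK_PASSWORDS, true)) {
        return false;
    }
    return preg_match('/[0-9]/', $password)
        && preg_match('/[a-z]/', $password)
        && preg_match('/[A-Z]/', $password)
        && preg_match('/[^A-Za-z0-9]/', $password);
}

// Steps 1 and 3 of the post: create the new administrator, then delete
// "admin" and hand its posts to the new account. Returns the new user ID
// or a WP_Error explaining why nothing was changed.
function replace_default_admin($new_login, $new_email, $password) {
    if (in_array(strtolower($new_login), RESERVED_LOGINS, true)) {
        return new WP_Error('reserved_login', "'$new_login' is as guessable as 'admin'.");
    }
    if (username_exists($new_login)) {
        return new WP_Error('exists', "User '$new_login' already exists.");
    }
    if (!is_strong_password($password)) {
        return new WP_Error('weak_password', 'Password fails the strength rules.');
    }

    // Step 1: create the new administrator.
    $new_id = wp_insert_user(array(
        'user_login' => $new_login,
        'user_email' => $new_email,
        'user_pass'  => $password,
        'role'       => 'administrator',
    ));
    if (is_wp_error($new_id)) {
        return $new_id;
    }

    // Step 3: delete "admin" and attribute its posts to the new user
    // (step 2, logging in as the new user, is done by hand afterwards).
    $old = get_user_by('login', 'admin');
    if ($old && (int) $old->ID !== (int) $new_id) {
        wp_delete_user($old->ID, $new_id);
    }
    return $new_id;
}

// Generate the password here rather than typing one in, and keep drawing
// until it satisfies the same rules we enforce on hand-chosen passwords.
do {
    $password = wp_generate_password(24, true, true);
} while (!is_strong_password($password));

$result = replace_default_admin('site-owner-4k9x', 'owner@example.com', $password);
if (is_wp_error($result)) {
    echo $result->get_error_message(), "\n";
} else {
    // Shown once so it can go straight into a password manager.
    echo "Created administrator #$result; password: $password\n";
}
```

Run it once, copy the printed password into a password manager, then log out and log in as the new user before you do anything else; the old “admin” login no longer exists, so the botnet’s favourite username now gets it nowhere.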
Is this enough?
The reality is that you can take control of security for your WordPress websites, but bear in mind that no solution is 100% effective. Certain precautions, such as changing your administrator username and using a stronger password, will deter this particular botnet. If you want to further secure your website, do the following:
Upgrade WordPress and plugins
The latest version of WordPress contains bug fixes for security vulnerabilities. It’s important to keep WordPress updated at all times, because older versions of WordPress and out-of-date or unsupported plugins are exactly what attackers use to get into your site. So if you haven’t, go to your Dashboard to update WordPress and the plugins you need, and then delete the unused or unsupported ones.
Back up your WordPress database
No matter how secure your site is, you should prepare for the worst and set up a backup system for your website. I’ve written about the importance of keeping backup copies of your files and database in a previous post. Read it here: Saving the Goods.
Install Limit Login Attempts
(Limits the number of retry attempts when logging in)
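What a plugin like that does underneath, as an added example written for this post (my own code, not the Limit Login Attempts plugin’s): count failed logins per client address with the transients API, and once the threshold is reached refuse every login attempt from that address for a while, so guessing passwords stops paying off. It assumes a single-site install, that the file is dropped into wp-content/mu-plugins/ (assumed path), and that the site is not behind a reverse proxy; the `lla_` prefix and the thresholds are my own choices.

```php
<?php
// Added example (not the Limit Login Attempts plugin's code): a minimal
// failed-login throttle built on WordPress hooks and transients. Assumed to
// live in wp-content/mu-plugins/ on a single-site install.

const LLA_MAX_FAILURES    = 5;     // lock after this many failures...
const LLA_WINDOW_SECONDS  = 900;   // ...within 15 minutes,
const LLA_LOCKOUT_SECONDS = 1200;  // then refuse logins for 20 minutes.

// Transient key for the connecting client. REMOTE_ADDR is the real peer
// address only when no reverse proxy sits in front of the site (assumed).
function lla_client_key() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lla_' . md5($ip);
}

// Count a failure; start a lockout once the threshold is reached and leave
// a line in the PHP error log so repeated lockouts are visible afterwards.
function lla_record_failure($username) {
    $key   = lla_client_key();
    $count = (int) get_transient($key . '_fail') + 1;
    set_transient($key . '_fail', $count, LLA_WINDOW_SECONDS);

    if ($count >= LLA_MAX_FAILURES) {
        set_transient($key . '_lock', time() + LLA_LOCKOUT_SECONDS, LLA_LOCKOUT_SECONDS);
        delete_transient($key . '_fail');
        error_log(sprintf(
            'Login lockout for %s after %d failures (last username tried: %s)',
            isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
            $count,
            $username
        ));
    }
}
add_action('wp_login_failed', 'lla_record_failure');

// Runs after core's username/password check (priority 20) and replaces its
// result with an error while the client is locked out, so even a correct
// guess made during the lockout does not log the attacker in.
function lla_block_if_locked($user, $username, $password) {
    $until = get_transient(lla_client_key() . '_lock');
    if ($until !== false) {
        $minutes = max(1, (int) ceil(($until - time()) / 60));
        return new WP_Error(
            'too_many_retries',
            sprintf('Too many failed logins. Try again in %d minute(s).', $minutes)
        );
    }
    return $user;
}
add_filter('authenticate', 'lla_block_if_locked', 30, 3);

// A successful login clears the failure counter for this client.
function lla_clear_on_success($user_login, $user) {
    delete_transient(lla_client_key() . '_fail');
}
add_action('wp_login', 'lla_clear_on_success', 10, 2);
```

Two caveats worth knowing before relying on something like this: transients are only as persistent as your object cache or database allow, and keying on the client address means a botnet spread over many addresses gets a fresh counter per address, which is why the username change and strong password above still matter more than any throttle.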
Install Better WP Security
(Improves the security of any WordPress site)
(creates scheduled backups of your WordPress site)
Scan your WordPress site
(http://sucuri.net – lets you know if malware is present)
An ounce of prevention
The time it takes you to implement security measures is a fraction of the time it will take to rebuild or restore your website following an attack. So, make sure you change your username, update WordPress and plugins regularly and please do change your passwords! Let me know if you have any questions or if you need help securing your WordPress website.