WordPress Security Best Practices against Brute Force Attacks and Hacking
There is an ongoing security and performance risk for all WordPress blogs. Large-scale WordPress “brute force attacks” are under way: bots are both breaking into WordPress web sites and, as a side effect, causing DoS (Denial of Service) on many sites that are never actually compromised.
Why This Is Happening: Older WordPress releases created the first user with the default user name “admin.” Attackers have since used bots that hit the login page over and over with that known user name and a program that cycles through guessed passwords.
The bot simply keeps trying until it gets in. Once inside, the attacker can alter the site and install back doors so they can come back at will and keep doing their mischief.
How WordPress Responded: Later versions of WordPress let each installation choose its own unique user name during setup, which greatly reduces the risk because the attacker no longer knows half of the credential in advance.
Why The Risk Still Exists: Many older WordPress installations still have at least one account with the user name “admin,” which leaves them exposed, so that needs to change. WordPress does not let you rename a user from the dashboard, but you do not have to touch the database to get rid of “admin”: create a new user with the Administrator role and a strong password, log in as that new user, delete the “admin” account, and when prompted attribute its posts to the new user. Renaming the account directly in the database is also possible, but that is ‘expert level’ work; if you go that route, change user_nicename as well as user_login, because the nicename appears in author archive URLs and would otherwise keep advertising the old name. Most people will want a professional or a techie friend to handle this for them.
Additionally, even if you don’t have a user name of “admin,” your site can still be seriously affected by this brute force attack in a DoS (Denial of Service) vein! The bot does not check whether the account exists: it keeps sending repeated, automated requests with the “admin” name and guessed passwords. Those attempts will never succeed, but every one of them still makes WordPress load and query the database, so thousands of requests per hour will tax your server and slow your site down to a crawl, making it virtually unusable.
The solution to that is installing a couple of different plugins. The first I recommend is called ‘WP Activity’. It not only logs log-ins and activity on your site, it logs LOGIN ATTEMPTS, and it can be set to automatically deny an IP address after a few failed tries (for example, 4 unsuccessful attempts), which blocks the Denial of Service aspect of this attack. Keep in mind that a block enforced by a plugin still runs PHP for every request it rejects, so it stops the password guessing but only partly relieves the load; for a sustained flood, block the offending addresses at the web server or firewall as well.
The other plug-in, which I recommend to GO ALONGSIDE the ‘WP Activity’ plug-in, is one that requires a CAPTCHA at the log-in screen. That stops most automated password guessing at the login form. Note that the login form is not the only way to authenticate: xmlrpc.php also accepts a user name and password, so if you do not use remote publishing, disable XML-RPC, or the CAPTCHA can simply be bypassed.
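As an added example (not part of the original post and not code from the ‘WP Activity’ plugin), here is the same lockout rule, four failed attempts and the address is blocked, implemented against the web server’s access log rather than inside WordPress. It relies on how wp-login.php behaves: a POST with a wrong password re-renders the form with HTTP status 200, while a successful login redirects to wp-admin with status 302. The log lines are constructed for the example, and the threshold of 4 and the 15-minute window are assumptions you can tune.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in Apache/nginx "combined" log format. Not a real capture.
# 203.0.113.7 hammers the login form; 198.51.100.20 mistypes once, then logs in.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2013:02:15:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:02:15:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:02:15:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Apr/2013:02:15:03 +0000] "GET /2013/04/hello-world/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:02:15:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:02:15:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Apr/2013:02:16:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Apr/2013:02:16:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format line: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop any query string
        "status": int(m.group("status")),
    }


def classify(event):
    """Return 'fail', 'success' or None for a parsed request.

    WordPress answers a bad password by re-rendering the login form (200)
    and a good one by redirecting to the dashboard (302). Anything else
    (GETs, other paths, WAF 403s) is not a login attempt we can judge.
    """
    if event["method"] != "POST" or event["path"] != "/wp-login.php":
        return None
    if event["status"] == 302:
        return "success"
    if event["status"] == 200:
        return "fail"
    return None


def find_lockouts(log_text, max_failures=4, window=timedelta(minutes=15)):
    """Sliding-window lockout: an IP is blocked once it has `max_failures`
    failed logins within `window`. A successful login clears its counter.
    Returns {ip: timestamp of the attempt that triggered the block}.
    """
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    lockouts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        verdict = classify(ev)
        if verdict is None or ev["ip"] in lockouts:
            continue
        recent = failures[ev["ip"]]
        if verdict == "success":
            recent.clear()
            continue
        recent.append(ev["ts"])
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()  # forget failures older than the window
        if len(recent) >= max_failures:
            lockouts[ev["ip"]] = ev["ts"]
    return lockouts


if __name__ == "__main__":
    for ip, when in find_lockouts(SAMPLE_LOG).items():
        print(f"block {ip} (4th failed login at {when.isoformat()})")
```

The result is a list of addresses to deny at the web server (for example in .htaccess) or at the firewall, where the rejected requests never reach PHP at all, which is what actually relieves the load described above. In production, a log-watching tool such as fail2ban does exactly this job; the value of writing it out is seeing that the only signals needed are the request path and the status code.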
Here are my WordPress security best practices that I heartily recommend:
- Keep WordPress itself, your theme and all plugins up-to-date to the most recent version, and delete any plugins or themes you are not using
- Back up your posts, database, theme, and uploads regularly (at least once per month – more if you blog very prolifically – and always before an update), keep the copies somewhere other than the web server, and test that you can restore from them
- Install and configure the ‘WP Activity’ and log-in CAPTCHA plugins mentioned above
- Choose a unique user name that is difficult to guess – never use any variation on the word admin
- Choose a long password that you use nowhere else: at least 8 characters with at least 1 number and 1 special character (such as ‘!’ or ‘#’) is the bare minimum, and a passphrase of 12 or more characters is much stronger
- If your site is using ‘admin’ or ‘Admin’ as a user name, change that immediately (or have it changed for you)
- When employing anyone to work on your site, do not give them YOUR WordPress log-in credentials. Create a separate user name and password for them with the lowest role that covers the job (Editor or Author rather than Administrator where possible), and revoke it yourself as soon as the work is done.
I have cleaned up many hacked WordPress installations and databases! It is a horrible, sticky mess and, by FAR, my least favorite way to make money. If you have a WordPress installation, do yourself a favor and tighten up your security and follow the WordPress Security Best Practices outlined above.
Stay safe and have fun with your blog!