As you may be aware, WordPress sites worldwide have been inundated with brute force login attempts over the last 10 days or so. Here’s a post at Sucuri that goes into detail about the attacks.
Because WordPress is the most widely installed and most widely supported content management system in the world, it is also the most attacked. WordPress does have some security measures built in, but you should take further steps to protect your installations. Here are a few tips to make your WordPress site as secure as it can be.
Use a strong password. This should be obvious, but it is quite important. Use a long password that mixes upper- and lowercase letters, numbers, and special characters such as $, !, (, or &, and that does not contain a dictionary word. The bots behind this attack try dictionary words and common passwords over and over, so a long password that is not built from words is the first and easiest way to defeat them. Do not reuse a password from another site, either: a password leaked elsewhere will be tried here too.
By default, the main administrator account in WordPress is named “admin”, and this brute force attack relies on that fact: the bots keep trying to log in with the username “admin”. The easiest way to sidestep these attacks is to NOT have a user named “admin” at all. Recent versions of WordPress let you choose the administrator’s username during installation; if you see that option, choose a different name. You can still use “admin” in the name, but make it harder to guess, such as “adminjeff” or “admin987”. Keep in mind that a username is not a secret (author archives and post bylines can reveal it), so renaming the account defeats this particular bot but is no substitute for a strong password.
If you do have an account named “admin”, you can get rid of it this way:
- Log into your account named “admin”
- Create a new user with a unique name; this will be your new site administrator
- Make sure you give it a hard-to-guess user name
- Make sure you give it a good password
- Give it “administrator” rights
- Log out of your “admin” account
- Log into your new administrator account
- Delete the account named “admin”; when WordPress asks what to do with that user’s posts and pages, attribute them to your new account rather than deleting them
When creating the new user, WordPress will require an email address that is not already in use by another account. Use a different address for now; once you delete the “admin” account, you can update the new account with your preferred address.
There are several WordPress plugins that address these types of attacks. The two we use the most are Limit Login Attempts and Wordfence.
Limit Login Attempts is a free plugin that limits the number of login attempts from one IP address and alerts you of failed attempts. There are two levels of lockout. The first is temporary: after a number of failed attempts, the IP address is locked out for a set time. We set this to lock an address out for 20 minutes after 4 failed attempts; after 20 minutes it can try again. The second level is longer: we set it to lock an address out for 24 hours after 2 temporary lockouts.
You can change the length of the temporary lockout (in minutes) and of the longer lockout (in hours). Limit Login Attempts will also alert you via email of lockouts and failed attempts. Two caveats: the plugin identifies visitors by IP address, so if your site sits behind a reverse proxy or CDN, set its site connection option for a reverse proxy, or every visitor will appear to come from the proxy’s address and be locked out together; and per-address lockouts slow down, rather than stop, an attack that is spread across many addresses, since each address can stay under the threshold.
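To make the two-level policy concrete, here is an added Python example; it is not code from the original post or from the Limit Login Attempts plugin. It replays web server access-log lines (constructed samples, not real traffic) through a lockout model using the settings above: 4 failures trigger a 20-minute lockout, 2 lockouts trigger a 24-hour lockout. The 12-hour window after which an address’s counters are forgotten, and the rule that attempts during a lockout are rejected rather than counted, are assumptions of this model. It also assumes the standard combined log format and the WordPress behaviour that a failed POST to wp-login.php redisplays the form with status 200 while a successful login answers with a 302 redirect into wp-admin, which is what lets you spot an attack in your own logs before any plugin is installed.

```python
import re
from datetime import datetime, timedelta

# Combined log format (Apache/nginx): ip ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a combined-format access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop ?redirect_to=... query strings
        "status": int(m["status"]),
    }


def is_failed_login(ev):
    """Assumption: a failed login POST redisplays the form (200); a success redirects (302)."""
    return ev["method"] == "POST" and ev["path"].endswith("/wp-login.php") and ev["status"] == 200


class LockoutPolicy:
    """Two-tier lockout modelled on the settings in the text (the logic here is this example's own).

    allowed_retries failures -> short lockout; allowed_lockouts short lockouts -> long lockout.
    An address's counters are forgotten once retry_window has passed since its last failure.
    """

    def __init__(self, allowed_retries=4, lockout=timedelta(minutes=20),
                 allowed_lockouts=2, long_lockout=timedelta(hours=24),
                 retry_window=timedelta(hours=12)):
        self.allowed_retries, self.lockout = allowed_retries, lockout
        self.allowed_lockouts, self.long_lockout = allowed_lockouts, long_lockout
        self.retry_window = retry_window
        self.state = {}  # ip -> {"fails", "lockouts", "last", "until"}

    def locked_until(self, ip, now):
        """Expiry of the active lockout for ip, or None if it is not locked out."""
        s = self.state.get(ip)
        return s["until"] if s and s["until"] and now < s["until"] else None

    def record_failure(self, ip, now):
        """Feed one failed login; return the lockout expiry if this failure triggered one, else None."""
        if self.locked_until(ip, now):
            return None  # the login is refused outright, so nothing is counted
        s = self.state.setdefault(ip, {"fails": 0, "lockouts": 0, "last": now, "until": None})
        if now - s["last"] > self.retry_window:  # quiet for a long time: forget its history
            s["fails"], s["lockouts"] = 0, 0
        s["last"] = now
        s["fails"] += 1
        if s["fails"] < self.allowed_retries:
            return None
        s["fails"] = 0
        s["lockouts"] += 1
        if s["lockouts"] >= self.allowed_lockouts:
            s["lockouts"] = 0
            s["until"] = now + self.long_lockout
        else:
            s["until"] = now + self.lockout
        return s["until"]


def replay(lines, policy=None):
    """Run log lines through the policy; return [(ip, time, lockout_expiry)] for every lockout fired."""
    policy = policy or LockoutPolicy()
    fired = []
    for line in lines:
        ev = parse_line(line)
        if ev and is_failed_login(ev):
            until = policy.record_failure(ev["ip"], ev["ts"])
            if until:
                fired.append((ev["ip"], ev["ts"], until))
    return fired


def _line(ip, clock, request, status):
    """Build one constructed log line (all addresses are documentation ranges, not real hosts)."""
    return f'{ip} - - [15/Apr/2013:{clock} +0000] "{request} HTTP/1.1" {status} 1234 "-" "Mozilla/5.0"'


SAMPLE_LOG = [  # constructed sample traffic
    _line("203.0.113.7", "10:00:01", "POST /wp-login.php", 200),
    _line("203.0.113.7", "10:00:02", "POST /wp-login.php", 200),
    _line("198.51.100.4", "10:00:02", "GET /wp-login.php", 200),   # just loading the form
    _line("203.0.113.7", "10:00:03", "POST /wp-login.php", 200),
    _line("203.0.113.7", "10:00:04", "POST /wp-login.php", 200),   # 4th failure: 20-minute lockout
    _line("203.0.113.7", "10:00:05", "POST /wp-login.php", 200),   # refused during lockout, not counted
    _line("198.51.100.4", "10:00:09", "POST /wp-login.php?redirect_to=%2Fwp-admin%2F", 302),  # real login
    _line("203.0.113.7", "10:21:00", "POST /wp-login.php", 200),
    _line("203.0.113.7", "10:21:01", "POST /wp-login.php", 200),
    _line("203.0.113.7", "10:21:02", "POST /wp-login.php", 200),
    _line("203.0.113.7", "10:21:03", "POST /wp-login.php", 200),   # 2nd lockout: 24-hour lockout
    _line("192.0.2.33", "10:21:04", "GET /", 200),
]

if __name__ == "__main__":
    for ip, when, until in replay(SAMPLE_LOG):
        print(f"{ip} locked out at {when:%H:%M:%S} until {until:%d/%b %H:%M:%S}")
```

Running it against a real access log (`replay(open("access.log"))`) tells you which addresses would already have been locked out under these settings, which is a quick way to gauge how hard your login page is being hit and whether the thresholds are sensible for your site.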
The developer hasn’t released a new version in 10 months as of this writing, but the plugin still works with WordPress 3.5.1. Hopefully the developer will continue to support it and keep it updated.
Wordfence is another free plugin, with a paid premium version as well. The free version includes a malware scanner for your WordPress installation and some IP blocking features, some of which require manual intervention. You can set it to automatically lock out anyone who attempts to sign in with a non-existent username, and you will receive an email after each such lockout. The paid version lets you block visitors based on the country their IP address traces to, or by IP address range.
While the arms race between attackers and security measures continues, no solution will guarantee that your site is safe. However, if you take the precautions outlined in this article, you will make unwanted access to your WordPress site much, much harder.
Albany Digital Services, LLC is a full-service web and technology solutions provider based in Albany, NY. We use these tools and more to make sure every site we create is as secure as it can be.