If, like many small businesses, you use WordPress, then you may have been concerned by a recent report stating that “Hosting providers around the world are seeing a massive increase in brute force attacks against WordPress and Joomla sites”. It certainly prompted me into action, to ensure my website was as secure as possible.
I’ll take you through the precautions you can take to protect your site.
For those who don’t know, a brute force attack is an attempt to access a secure area of a website, in this case the admin area of WordPress, by trying combinations of usernames and passwords over and over until one works.
This isn’t performed by one person sitting at a PC and manually typing usernames and passwords into your login page. No, the perpetrators use something called a botnet: a group of computers controlled remotely and working automatically to attempt a login.
You may be interested to know that botnets are largely built from unsuspecting PCs, normally Windows-based, infected through malware or other types of virus. One of them could possibly be your own!
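To see what such an attack looks like from the server side, here is an added example (my own, not code from the original article) that scans constructed web-server log lines for failed logins against wp-login.php. It assumes Apache-style access-log lines and that, on a default install, a failed login re-renders the form with a 200 while a successful one redirects with a 302; it flags both a single noisy address and a botnet spreading attempts thinly across many addresses.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (Apache-style format, assumed); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.5 - - [12/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.5 - - [12/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.5 - - [12/Apr/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.5 - - [12/Apr/2013:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
198.51.100.7 - - [12/Apr/2013:10:00:10 +0000] "GET /about/ HTTP/1.1" 200 8120
198.51.100.8 - - [12/Apr/2013:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def failed_logins(log_text):
    """Yield (ip, timestamp) for each failed login attempt.
    Assumption: on a default install a failed login re-renders the form (200),
    while a successful one redirects to the dashboard (302)."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than crash on them
        ip, ts, method, path, status = m.groups()
        if method == "POST" and path.split("?")[0] == "/wp-login.php" and status == "200":
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")

def sliding_max(times, window):
    """Largest number of events falling inside any `window`-second span."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def flag_brute_force(log_text, per_ip_limit=5, site_limit=20, window=60):
    """The per-IP limit catches one machine hammering the login page; the
    site-wide limit catches a botnet spreading a few attempts across many
    addresses, which per-IP counting alone would miss."""
    by_ip = defaultdict(list)
    for ip, when in failed_logins(log_text):
        by_ip[ip].append(when)
    noisy_ips = sorted(ip for ip, ts in by_ip.items()
                       if sliding_max(ts, window) >= per_ip_limit)
    all_times = [t for ts in by_ip.values() for t in ts]
    return {"noisy_ips": noisy_ips,
            "site_wide": sliding_max(all_times, window) >= site_limit}
```

Running `flag_brute_force(SAMPLE_LOG)` reports 203.0.113.5 as noisy while ignoring the GET and the successful 302 login; the site-wide threshold only trips when many addresses share the work.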
You’re Not Alone
It must be said that WordPress is not alone in terms of vulnerability. Many websites and web-based applications are potentially at risk from attack. If you have a custom-built CMS (Content Management System), then you should check with your developer how they update against new vulnerabilities.
Strength & Weakness
One of WordPress’s strengths, and also its weakness, is its popularity, much as the Windows operating system sees far more viruses than its counterparts Mac and Linux.
One thing WordPress has in its favour is the volume of people working to identify and close those vulnerabilities.
Learn to Protect Yourself
There are some simple steps you can take to protect your WordPress website:
1. Change your username
Make sure your username is not the default, admin. You can’t actually change the username via the WordPress dashboard, but there are a couple of solutions.
The first is to create a new user and swap over control from the old admin user. My preference though is to alter as little as possible and use a plugin called Admin renamer. This allows you to change the admin username directly in the database using a user friendly interface.
2. Change your password
It still amazes me the number of people that use ordinary words or dates of birth in their passwords. If your website is your business, then please treat it the same as you would your house or car. Protect it adequately.
A strong password consists of 8 or more characters, ideally random, in upper and lowercase, including numbers and symbols. These types of password are infinitely more difficult to crack. Read this article if you want to see just how easy it is to crack even an encrypted short password that is a common word.
I use an application called 1Password to create and store my passwords; it is cross-platform and works on mobile too, so I always have access to my totally randomly generated passwords wherever I go.
3. Keep it updated
Probably the easiest of all is to keep your website updated. WordPress releases around 4-6 major security updates in a year. There will also be updates for your plugins. Back up your website before updating, perhaps with a plugin like BackupBuddy, and ensure you apply updates on a regular basis.
I had an old unused WordPress installation that had been on a server I owned since 2007, and through this install the whole server was infected.
So make sure you delete any plugins or WordPress instances you no longer require and keep the rest up to date.
4. Install some protection
During my update process I came across two plugins that can help protect your WordPress site from attack.
The first is Wordfence Security, a free enterprise-class security plugin that includes a firewall, virus scanning, real-time traffic with geolocation and more. This is a substantial, yet easy to use, plugin that scans your website for infection and then locks it down from attack.
Then install BulletProof Security, recommended by a friend, Simon at SoCreative, which provides website security protection against XSS, RFI, CRLF, CSRF, Base64, Code Injection, SQL Injection hacking and many more.
It’s Not Personal
If someone does attempt to hack your website, most likely it is the work of an automated bot running on an infected PC. They are not necessarily after your website’s information but looking to use your server to help them create bigger and better botnets to wreak further havoc.
Don’t give them the opportunity: protect your website and your business proactively!
If you have any further security tips for WordPress please feel free to mention them in the comments below – no bots allowed…