The front door of the beach cottage had a large old horseshoe directly over the door.
We were struck by the size of it. Must have been a huge horse. Curious, we checked with the owner later that day and learned that the horseshoe was put there when the cottage was built, over 100 years ago, for protection and good luck.
I’ve been thinking a lot about protection lately, because several friends have had their WordPress sites hacked recently.
There is a large brute-force attack under way at the moment, designed to gain access to WordPress sites by guessing the password of the “admin” account that older WordPress installs created by default (and that many sites still use).
The attackers are using a botnet of some 90,000 computers to try passwords against those accounts. Once they get in, they do enough damage that many sites have to be rebuilt from scratch.
One friend’s site was broken into, but she caught the attackers in the act. She contacted her host immediately and they blocked the attackers. The host determined that it was a brute-force attack by a botnet (a network of compromised computers that are controlled remotely and used together for tasks like this).
She got her site cleaned up and changed all the passwords and user names. Within 24 hours the botnet was back, attacking her site again. It didn’t succeed the second time, but it was a very scary 48 hours until the attacks stopped.
Since then I’ve been on a mission to get everyone I know to take a look at the security and backup on their WordPress site. In this case an ounce of prevention could be worth a lot to you.
3 ways to protect your WordPress site
- Very strong passwords and an unusual user name
- Plugins that limit logins and boost security
- Regular backups of your site
Step 1: Strengthen your passwords and avoid using “admin” as your user name
If you have an “admin” user on your site with administrative privileges, now is the time to change it to something less obvious. This brute-force attack, like earlier attacks on WordPress, targets sites where one of the administrators uses the user name “admin”, because then only the password has to be guessed.
If you’re still using “admin” for a user name, here’s how you can change it.
- Log in to your WordPress dashboard
- Create a second administrator account with a more complex and unusual user name (and a strong password)
- Log out and then log back in again with your new user name and password – just to check that everything is OK
- Delete the old “admin” user.
Any posts assigned to the old user will need to be reassigned to the new one when you delete it (WordPress asks which user to attribute them to), but that is a small problem compared with having to recreate an entire site.
Next, strengthen your password. Even if you already have a good user name, make sure your password is strong enough to withstand a sustained guessing attack and can’t easily be guessed from things people know about you. Length matters most: a string of at least 12 characters mixing letters, numbers and symbols, or a passphrase of several unrelated words, is far harder to brute-force than a short word with a number on the end. Don’t reuse it on any other site, so that a leak elsewhere doesn’t hand over your WordPress login too.
Step 2: Use WordPress plugins to strengthen your site’s security.
Go to the WordPress Plugin Directory http://wordpress.org/plugins/ and search for “security” to get the list of all the security plugins.
Login LockDown limits the number of failed login attempts allowed from one IP address in a given period and temporarily blocks that address when the limit is exceeded. This matters because, with an unusual user name and a strong password, an attacker needs a great many tries to land on the right combination, and a lockout turns “many tries” into “locked out after a handful”. One caveat: a botnet of 90,000 machines can spread its guesses across addresses so that no single one trips the limit, so a per-IP lockout is a brake on the attack, not a complete defence, and it belongs alongside the strong password rather than instead of it.
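To see what a lockout plugin is reacting to, here is a small log check, added as an example and not code from Login LockDown or the original post. It works on a standard Apache or Nginx combined-format access log and relies on one WordPress behaviour: a failed login is a POST to /wp-login.php that gets a 200 response (the form is shown again with an error), while a successful one gets a 302 redirect into wp-admin. The sample log lines are constructed, not real traffic, and the threshold of 5 is an arbitrary choice.

```shell
#!/bin/sh
# Spot brute-force login attempts in an Apache/Nginx combined-format access log.
# Added example, not code from the original post or from any plugin it names.
# Assumptions: combined log format; a failed WordPress login is a POST to
# /wp-login.php answered with 200 (the form is re-rendered with an error),
# a successful one is answered with 302 (redirect into wp-admin).
set -eu

# usage: wp_login_offenders LOGFILE THRESHOLD
# Prints "<failures> <ip>[ POSSIBLE-SUCCESS]" for every address with at least
# THRESHOLD failed logins; POSSIBLE-SUCCESS marks addresses that later got a 302.
wp_login_offenders() {
  awk -v thr="$2" '
    $6 == "\"POST" && index($7, "/wp-login.php") == 1 {
      if ($9 == 200) fail[$1]++
      else if ($9 == 302) ok[$1] = 1
    }
    END {
      for (ip in fail)
        if (fail[ip] >= thr)
          printf "%d %s%s\n", fail[ip], ip, ((ip in ok) ? " POSSIBLE-SUCCESS" : "")
    }' "$1" | sort -rn
}

# usage: wp_login_summary LOGFILE
# Total failures and distinct source addresses: a botnet spreads its guesses
# across many addresses, so a per-IP threshold alone can miss it.
wp_login_summary() {
  awk '
    $6 == "\"POST" && index($7, "/wp-login.php") == 1 && $9 == 200 {
      n++
      if (!($1 in seen)) { seen[$1] = 1; d++ }
    }
    END { printf "%d failed logins from %d addresses\n", n + 0, d + 0 }' "$1"
}

# Constructed sample log (not real traffic): one address that guesses until it
# gets in, one that is still guessing, one legitimate user who mistyped once,
# a plain GET of the login page, and three addresses sharing a distributed attempt.
log_line() {  # ip minute second method status
  printf '%s - - [12/Apr/2013:10:%02d:%02d +0000] "%s /wp-login.php HTTP/1.1" %s 3895 "-" "Mozilla/5.0"\n' \
    "$1" "$2" "$3" "$4" "$5"
}
repeat_fail() {  # ip minute count
  i=0
  while [ "$i" -lt "$3" ]; do log_line "$1" "$2" "$i" POST 200; i=$((i + 1)); done
}
write_sample_log() {
  {
    repeat_fail 203.0.113.5 15 8;  log_line 203.0.113.5 15 9 POST 302
    repeat_fail 198.51.100.23 16 6
    log_line 192.0.2.77 17 0 POST 200; log_line 192.0.2.77 17 5 POST 302
    log_line 192.0.2.10 18 0 GET 200
    repeat_fail 198.51.100.40 19 2; repeat_fail 198.51.100.41 19 2; repeat_fail 198.51.100.42 19 2
  } > "$1"
}

log=$(mktemp)
write_sample_log "$log"
wp_login_offenders "$log" 5
wp_login_summary "$log"
rm -f "$log"
```

The summary line is the part a per-IP lockout cannot give you: the three addresses at the end of the sample make only two attempts each, which is exactly how a large botnet stays under any per-address limit, so watch the total failure rate as well as the worst offenders. Treat a 302 after a run of failures from the same address as a compromised account until proven otherwise: reset that user’s password and check the site for changes.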
Two other security plugins we’ve used on client accounts are:
- Better WP Security
- BulletProof Security
Both of these plugins have good documentation, and both need some configuration for your site after you install them. A security expert at the Seattle WordPress Meetup told a group of us that the #1 reason that security plugins fail is not because of the plugin, but because they were installed and never configured.
There is a lot of overlap between these plugins, so read the installation instructions and FAQs to learn which will be the best for your site, and don’t run two that do the same job.
Step 3: Back up your website regularly.
BackupBuddy http://ithemes.com/purchase/backupbuddy/ is the current favorite among the bloggers I talk to regularly. What everyone likes most is that it backs up not only your database but also your theme, plugin and upload files, so a restore gives you the whole site rather than just the content. This isn’t a free plugin, but it’s a reasonable charge when you consider how much time you would spend recreating your entire site.
Some hosting companies back up their customers’ sites regularly; check with yours to see if that’s the case, how far back the copies go, and how you would request a restore.
You can also check out all the free plugins at the Plugin Directory and see if one meets your needs.
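For anyone who would rather script it than buy a plugin, the following shell script, added here as an example and not BackupBuddy’s or any plugin’s code, does what the paragraphs above describe: it dumps the database and archives the files that the database does not contain. It assumes a standard WordPress layout (wp-config.php in the site root, themes, plugins and uploads under wp-content), mysqldump on the path, and GNU tar and sha256sum; the DUMP_CMD variable is this script’s own knob, and DB_HOST values of the form host:port are not handled.

```shell
#!/bin/sh
# Back up a WordPress site's database and files into one dated, checksummed
# archive. Added example, not BackupBuddy's or any plugin's code. Assumes a
# standard layout (wp-config.php in the site root; themes, plugins and uploads
# under wp-content) and mysqldump on the path; DUMP_CMD can point elsewhere.
set -eu

DUMP_CMD="${DUMP_CMD:-mysqldump}"

# Read DB_NAME / DB_USER / DB_PASSWORD / DB_HOST out of wp-config.php so the
# credentials never have to be typed on a command line.
wp_config_value() {  # SITE_ROOT KEY
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" \
      "$1/wp-config.php" | head -n 1
}

# usage: wp_backup SITE_ROOT DEST_DIR   (prints the archive path)
wp_backup() {
  site="$1"; dest="$2"
  stamp=$(date -u +%Y%m%d-%H%M%S)
  work=$(mktemp -d)
  mkdir -p "$dest"

  db=$(wp_config_value "$site" DB_NAME)
  user=$(wp_config_value "$site" DB_USER)
  pass=$(wp_config_value "$site" DB_PASSWORD)
  host=$(wp_config_value "$site" DB_HOST)
  [ -n "$db" ] || { echo "DB_NAME not found in $site/wp-config.php" >&2; return 1; }

  # Database: the password goes in via MYSQL_PWD rather than -p so it does not
  # show up in the process list; --single-transaction gives a consistent dump.
  MYSQL_PWD="$pass" "$DUMP_CMD" --single-transaction \
      --host="${host:-localhost}" --user="$user" "$db" > "$work/db.sql"

  # Files: everything the site needs that is not in the database.
  tar -C "$site" -cf "$work/files.tar" wp-config.php wp-content

  archive="$dest/wp-backup-$stamp.tar.gz"
  tar -C "$work" -czf "$archive" db.sql files.tar
  chmod 600 "$archive"   # the dump holds every user's password hash
  (cd "$dest" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256")
  rm -rf "$work"
  echo "$archive"
}

# usage: wp_backup_verify ARCHIVE   (checksum matches and both parts are present)
wp_backup_verify() {
  (cd "$(dirname "$1")" && sha256sum -c --quiet "$(basename "$1").sha256") || return 1
  tar -tzf "$1" | grep -qx db.sql && tar -tzf "$1" | grep -qx files.tar
}

if [ "$#" -eq 2 ]; then wp_backup "$1" "$2"; fi
```

Run it from cron, then copy the archive somewhere other than the web server: the dump contains every user’s password hash and wp-config.php contains the database credentials, which is why the script sets the archive to mode 600. A backup you have never restored is a hope, not a backup, so run wp_backup_verify and do an actual restore onto a test site before you need it.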
There are so many WordPress sites that we’re a natural target for large-scale attacks. Even though everyone in the WordPress community does what they can to keep the community safe, there are bound to be future attacks; we’re just too big a target.
Be safe…put a virtual horseshoe over the door to your website. Since the botnets are looking for easy sites to break into, make yours unattractive to them by:
- Bolstering your password to something long and complex, and at the same time removing that “admin” user name if you have one.
- Increasing security with a security plugin, and taking the time to configure it.
- Finding a backup program you like, using it at least weekly (daily if your site changes often), keeping a copy somewhere other than the web server, and testing that you can restore from it.
How do you handle security and/or backups on your WordPress site?