Fact or Fiction?
If you are on WordPress like I am, some of the reports that I’ve seen about the increase in hack attempts can be alarming. I received a notification yesterday from my host that there have been a significant increase over the past month.
Because WordPress powers close over 20% of the websites on the internet, it is an easy target. Since the core of every WordPress site is the same, there are obvious areas of attack. Upon installation, WordPress defaults to “admin” for the username and since users tend to use simple passwords, brute force attacks are not incredibly difficult to do.
So how do you protect your site from being hacked by a brute force attack? Here are two things to do immediately that will significantly reduce your vulnerability.
Get Rid of ADMIN
If you are still using the user ‘Admin’ for your administrator access, change that immediately. Create a new user with a different username and delete the previous user. Make sure you create a user with admin rights before deleting the ‘Admin’ user. Also, do not use admin, Admin, administrator, test, or root as an admin user name. These are the 5 most frequently used names to brute force attack a WordPress site.
Change Your Password
We tend to use passwords that are simple to remember. The problem is they are easy to guess. If you use 1234abc or some variation as your password, you are vulnerable. There are easily accessible known password list that can be collected online. The majority of the passwords on these list are alpha-numeric with 1234 and abcd in some combination. Create a password that is unique to you and contains upper and lower case letters. If you can include symbols, it will help with security.
One recommendation is to create a passphrase and use numbers, letters and symbols to represent the phrase. For example, I am a Georgia Bulldawg fan. Hunker down! So I could create a password that might look like this: Bu11d4wG! It is using numbers, letters, symbols and I can remember the password.
Additional Steps to Protect
Once you have made created a more secure account for your site, there are a couple things to do that will help secure your site against this and future attacks. In a previous blog post, I talk about 8 ways to improve the security of your WordPress site.
Let me highlight two here.
If you are not using Cloudflare for your site, I highly recommend it. When you connect your site to Cloudflare, you get an added level of protection. All of your site traffic funnels through their network. It is aware of this brute force attack and is able to block the attacks based on known IP addresses. It is a free service and well worth the setup.
I have talked about BackupBuddy on this website several times. It is a premium plugin that allows you to generate backups on a scheduled basis. You can ensure that your site database and directories are properly backed up and stored. If you do find that your site is hacked, using a backup is simple to use and your site will be restored to its pre hacked condition.
How are You Protected?
What steps are you taking? What have you done to prevent this brute force attack from effecting your WordPress site?
Share what you have done in the comments below. Help the WordPress community with what you have done to protect your website.