I woke up on Saturday morning to news that there was a worldwide attack on WordPress websites. The initial report I read was on the PCWorld blog. After reading this I popped over to the Sucuri website to see if they were reporting it as an issue too, and yes they were.
This “brute force” attack tries to log in to your WordPress website by guessing your username and password, over and over, until a guess works. The more common your username and password are, the fewer guesses it takes before one is correct and your website is taken over.
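To see what such an attack looks like from your own side, here is an added example (my code, not something from the original post or from any of the plugins mentioned) that scans web-server access-log lines for bursts of failed logins. It relies on one piece of stock WordPress behaviour: a failed login POST to wp-login.php is answered with a 200 (the form is shown again with an error), while a successful one is answered with a 302 redirect into wp-admin, so the status code separates failures from successes without ever seeing the submitted password. The log lines are constructed for the example, and the threshold and time window are assumptions you would tune to your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Apache/nginx "combined" access-log lines for this
# example; the addresses are documentation ranges, not real traffic.
# Stock WordPress answers a failed login POST with 200 (form re-rendered)
# and a successful one with a 302 redirect to wp-admin.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Apr/2013:08:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3851 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2013:08:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3851 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2013:08:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3851 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2013:08:01:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3851 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2013:08:01:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3851 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2013:08:01:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3851 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2013:08:01:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:09:15:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3851 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:09:15:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2013:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3851 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2013:10:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3851 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2013:10:40:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3851 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop any query string
        "status": int(m.group("status")),
    }


def find_bruteforcers(lines, threshold=5, window=timedelta(minutes=5),
                      login_path="/wp-login.php"):
    """Flag IPs with at least `threshold` failed login POSTs inside any `window`.

    Returns {ip: {"failed_attempts": peak_in_window, "login_succeeded": bool}}.
    login_succeeded is True when a 302 from that IP follows its failures,
    meaning a guess may actually have worked and the account must be checked.
    Threshold and window are assumed values; tune them to your own traffic.
    """
    attempts = defaultdict(list)  # ip -> [(timestamp, status), ...]
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == login_path:
            attempts[rec["ip"]].append((rec["ts"], rec["status"]))

    offenders = {}
    for ip, events in attempts.items():
        events.sort()
        failures = [ts for ts, status in events if status == 200]
        # Sliding window: the largest number of failures that fit in `window`.
        start, peak = 0, 0
        for end in range(len(failures)):
            while failures[end] - failures[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            last_failure = failures[-1]
            succeeded = any(status == 302 and ts >= last_failure
                            for ts, status in events)
            offenders[ip] = {"failed_attempts": peak, "login_succeeded": succeeded}
    return offenders


if __name__ == "__main__":
    for ip, info in find_bruteforcers(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

Run it against your real log with `find_bruteforcers(open("access.log"))`. In the sample, 203.0.113.5 fails six times in under ten seconds and then gets a 302, which is exactly the pattern that should trigger a password reset and a look through the Users list for accounts you did not create; 192.0.2.44 also fails, but three times an hour is not a burst. If a plugin or custom theme changes the login response codes, the 200/302 assumption needs adjusting.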
So how do you protect your WordPress website from such attacks?
1) If you are using the username “admin” – change it!
First of all they need to guess your username, and they will try a range of typical usernames such as “admin”, “root” and “administrator”. Therefore the easiest way to help protect your WordPress website is not to use any of these usernames, which an attacker can try without doing any research at all. Bear in mind that renaming the account removes the guaranteed guess rather than hiding the name completely, since WordPress shows each user's name in author archive URLs.
Don’t forget to check the usernames of all users on your site: go to your Dashboard and then Users to see the list.
If you are using one of the above high-risk usernames then change it to something unique to you. WordPress does not let you edit an existing username in place, so you can either use a plugin such as Better WP Security (which also makes a number of other security changes) or do it manually by creating a new administrator and deleting the old one. Here’s how:
- From your Dashboard go to Users and click Add New.
- Fill out the form using a new username and, for now, a different email address (WordPress will not let two accounts share one email address).
- Don’t forget a strong password.
- Change the Role at the bottom to Administrator.
- Log out (top right, next to where it says Howdy).
- Log back in as the new user and check you can see everything.
- Go back to the Users screen, hover over the admin account and click Delete.
- On the Delete Users page select “Attribute all posts to:” your new user and click Confirm Deletion. If you choose to delete the content instead, every post and page owned by the old admin account goes with it.
- Go back to your new user’s profile and change the email address back to the one you were using.
2) Use a secure password
Please tell me that you are not using any of these passwords on any of your WordPress user accounts:
I know passwords are a pain, but the harder your password is to guess, the more attempts an attack like this needs, and the safer your website will be. Never reuse a password from another site, because a list of leaked passwords is exactly what these attacks try first.
Here is WordPress’ own guide on setting a secure password.
3) Make sure you have a backup
Make sure you have a backup of your site. In addition, ensure your backup provider lets you access a number of previous backups, so that if your site becomes infected you can restore one taken before the infection. Keep the backups somewhere other than the web server itself; a copy sitting on a compromised site is no safer than the site. For simple ease of use I use BlogVault (affiliate link), which takes a backup of your site every 24 hours and costs $9 per month.
But there are loads of other options, including:
- VaultPress by Automattic, the company behind WordPress.com, costing $15 per month; it checks your site regularly and backs up any changes.
- BackupBuddy, a one-off cost of $75.
- WordPress Backup to Dropbox, a free plugin, but you need a (free) Dropbox account.
4) Keep WordPress, plugins and themes up to date
Make sure the WordPress core files and all your plugins and themes are up to date. Deactivate any plugins you are not using and delete any deactivated plugins: their files are still on the server and can still be requested directly, so they pose a security risk even when deactivated.
You’ll find that once you have a good backup and restore process in place, doing updates is not as scary as it used to be.
5) WordPress security plugins
Just like backup plugins, there are loads of security plugins.
- Better WP Security (free) – checks for the common weaknesses of a WordPress website and plugs the holes.
- Sucuri (from $89.99 per year) – malware detection, alerting and clean-up.
- Wordfence Security (free) – firewall, malware scanning and checking for malicious URLs.
- BulletProof Security (free) – protects your important WordPress configuration files.
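To show what the login-lockout feature in brute-force protection plugins such as Wordfence and Better WP Security does under the hood, here is an added example in Python (my code, not code from any of these plugins or from the original post). It counts failures per source IP and per target username, and refuses further attempts for a while once either count passes a limit. The per-username count is the important part: reports of this attack described it as coming from a large botnet, so each bot can stay under a per-IP limit while the “admin” account still sees thousands of guesses. The limits, timings and addresses are assumptions made for the example.

```python
from collections import deque
from datetime import datetime, timedelta


class LoginThrottle:
    """Lock out a source IP or a target username after too many failures.

    Each failure is counted twice: against the IP it came from and against
    the username it was aimed at. A distributed attack stays under the
    per-IP limit, but the username limit still trips. Limits are assumed
    values for the example, not settings from any particular plugin.
    """

    def __init__(self, max_failures=5, window=timedelta(minutes=5),
                 lockout=timedelta(minutes=20)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = {}      # key -> deque of failure timestamps
        self._locked_until = {}  # key -> datetime the lockout ends

    @staticmethod
    def _keys(ip, username):
        return (("ip", ip), ("user", username.lower()))

    def is_locked(self, ip, username, now):
        return any(self._locked_until.get(k, now) > now
                   for k in self._keys(ip, username))

    def record_failure(self, ip, username, now):
        """Register a failed login; True if this failure triggered a lockout."""
        triggered = False
        for key in self._keys(ip, username):
            q = self._failures.setdefault(key, deque())
            q.append(now)
            while q and now - q[0] > self.window:   # forget old failures
                q.popleft()
            if len(q) >= self.max_failures:
                self._locked_until[key] = now + self.lockout
                q.clear()
                triggered = True
        return triggered

    def record_success(self, ip, username):
        for key in self._keys(ip, username):
            self._failures.pop(key, None)

    def attempt(self, ip, username, password_ok, now):
        """One login attempt; returns 'locked', 'ok' or 'fail'."""
        if self.is_locked(ip, username, now):
            return "locked"
        if password_ok:
            self.record_success(ip, username)
            return "ok"
        self.record_failure(ip, username, now)
        return "fail"


def simulate_distributed_attack():
    """Ten bots, one wrong guess each at "admin" from ten different addresses.

    Returns (bot outcomes, owner's attempt during lockout, owner's attempt after).
    Addresses are documentation ranges constructed for the example.
    """
    t = LoginThrottle()
    start = datetime(2013, 4, 12, 8, 0, 0)
    bots = [t.attempt("203.0.113.%d" % i, "admin", False, start + timedelta(seconds=i))
            for i in range(10)]
    # The genuine owner with the right password is refused while "admin" is locked...
    owner_during = t.attempt("198.51.100.7", "admin", True, start + timedelta(seconds=30))
    # ...and gets in again once the lockout has expired.
    owner_after = t.attempt("198.51.100.7", "admin", True, start + timedelta(minutes=21))
    return bots, owner_during, owner_after


def simulate_single_ip_attack():
    """One address cycling through usernames is caught by the per-IP counter."""
    t = LoginThrottle()
    start = datetime(2013, 4, 12, 8, 0, 0)
    return [t.attempt("192.0.2.44", "user%d" % i, False, start + timedelta(seconds=i))
            for i in range(7)]


if __name__ == "__main__":
    print(simulate_distributed_attack())
    print(simulate_single_ip_attack())
```

The simulation also shows the downside of a per-username lockout: while “admin” is locked out the real owner cannot log in as “admin” either, even with the right password, so a determined attacker can keep the account locked. That is one more reason to rename that account as described in point 1, since the attacker then has to find the name before they can lock it.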
6) Protect Your Computer
Don’t forget to protect your own computer from keystroke loggers and other malware with good anti-virus, firewall and anti-spyware software. A strong WordPress password is no help if a keylogger on your PC captures it as you type it.
Finally, if you think you are infected, contact your web host
If you think you are infected, your dashboard access is denied, or your site is very slow, then contact your web host and let them know.
Use Sucuri’s free website scanner to check whether it can detect any infection; you only have to pay if you want Sucuri to clean up the website. Note that an external scanner can only see what your site serves to visitors, so a clean scan is reassuring but not proof that nothing is hidden on the server.
Today’s Micro Action
Take the security of your website seriously and run through the above suggestions and implement any you do not currently have in place.