July 31, 2013
It’s no accident that WordPress has become the 800 lb gorilla in the web publishing field. As of March 2012, 72.4 million sites were running on the CMS, amounting to 25% of all websites operating on the Internet. With that gaudy figure in mind, it should come as little surprise that hackers have flocked to exploit the weaknesses of WordPress.
Last April, a massive army of botnets were created to infiltrate WordPress sites using the “admin” user name via brute force attacks. Every day 30 to 40,000 attacks take place because owners allow their sites to become easy prey for these nefarious individuals.
It’s time to ensure you aren’t one of them. Let’s take a look at some easy ways to protect your WordPress site, helping you sleep a little easier at night.
As with any significant changes you make to your WordPress installation, I strongly recommend you back up your files and databases prior to making any of the changes listed below.
1) Update the admin user name: If the botnet example above didn’t put the fear of God in you, it really should have. Brute force attacks (programs nailing a website hundreds of times a minute by plugging in common user names and passwords) have become increasingly common. Using “admin” or other common user names like “administrator,” “test” and “root,” put a large target squarely on your back.
During the initial WordPress installation, you are prompted for your default user name. Change this to something unique to you. I wouldn’t recommend your name, but maybe something for you to easily remember (Mary526 for instance as a name/birthday combo).
If you’ve already installed your version of WordPress, you can go into mySQL and update the user name. In the wp_users table, you’ll find records of all the users setup on your installation. Just update the user_login for the admin account, and you are golden.
2) Create strong passwords: Having a unique user name is critical, but don’t neglect that other piece of the pie. Those brute force programs are regularly exploiting the most commonly used passwords like “admin,” “password,” “123456,” “111111” and “qwerty.” Don’t make the hackers job easier by serving up one of these juicy passwords. Pick something that has letters (upper and lower), numbers, special characters and over eight characters to really lock down your account. You say you can’t remember all these crazy passwords, much less which one belongs to which account? Consider a free program like Keypass to store all of your user names and passwords, allowing you to login to any site with a quick copy and paste. It can even generate 20 digit random passwords for you. Remembering complex passwords for your email, banking, and WordPress will officially become a thing of the past.
3) Update Your wp-config Security Keys: Tucked beneath your WordPress database settings in your wp-config file are your site’s unique keys and Salts. These are a random array of letters, numbers and special characters you’d likely never run across unless they were pointed out to you. Making a new set is very easy with this handy tool WordPress has provided.
4) Limit Login Attempts: This free WordPress plugin is a very handy addition. About three months ago, I replaced the Login Lockdown plugin on one of my sites with this one. In that time, 3968 users (or more likely bots) have been locked out. Not a single one of these incorrect logins was me.
Basically, this plugin locks a user out for 20 minutes if they have tried to login unsuccessfully more than four times. If they have been consecutively locked out four times, then the time period grows to 24 hours. You can alter these time and chance variables to loosen or tighten your login security. It also has helpful features like logging offender’s IP addresses and emails when a lockout happens. It can be unnerving when those emails start rifling in every minute over an hour long period, but you should feel comforted knowing your site guard is on high alert, earning its keep.
5) Secure WordPress: This is another free WordPress plugin I wouldn’t do without. Basically, it just patches a lot of common holes that exist in the basic WordPress install. It will do things like removing the version number of WordPress throughout the site or blocking malicious URL requests. The plugin allows you to toggle these options on and off to customize the settings for your security needs.
6) Always Have a Timely Backup: If a hacker did breach your site and proceeded to wreck havoc, could you recover? If you have a current file and database backup on hand, you could wipe the site clean and start over if needed.
One option is to just download your files to your local machine, but I’d recommend talking to your web host about backup options. Usually they are fairly inexpensive, and they can schedule them to go every night, once a week or whatever interval makes sense for your needs. Never assume your web host is making backups regardless of how much you are ponying up for your monthly hosting bill. I found this out the hard way.
Also make sure you are backing up your database. There are a ton of good options out there. I have used WordPress Database Backup which emails me zipped data files on a daily basis so I always have my data regardless.
There are other methods to constructing a wall around your WordPress website, but these six quick fixes will put you ahead of 99% of the sites out there. I know most readers will say that can’t happen to me, but I assure you it can. You can take an hour to setup your security correctly, or you can connect with your inner sadist by spending days or weeks repairing the damage, not to mention the potential financial impact inflicted by a savvy hacker. Its your choice.
Mark Runyon is a programmer, project manager and CEO at the web and applications development firm, Vandelay Web. He regularly writes on WordPress, Microsoft.Net and web marketing topics. Follow Vandelay Web on Twitter and ‘Facebook.