There’s a botnet on the loose right now making brute-force login attempts against WordPress sites around the world. Here are the steps you need to take to secure your WordPress site.
Note: these are just a few basic measures against brute-force login attempts; they are not guaranteed to keep a determined attacker out of your site.
1. Get rid of “admin” as your user name.
- Go to Users/Add New
- Create a new user whose user name is neither “admin” nor your domain name, and give it the Administrator role
- Give it a STRONG password (more on that in a bit)
- Log out
- Log back in with the new user to confirm it works before you remove the old one
- Delete the “admin” user: check the box next to its profile, open the Bulk Actions drop-down, select Delete and apply it. When asked what to do with its content, choose “Attribute all posts and links to” and pick the new user, so everything written by “admin” moves to the new profile instead of being deleted
[UPDATE 07/08/2013: Don't use your domain name as your user name, either. My logs of recent login attempts by hackers show they are using both 'admin' and the domain name to try to get access.]
2. Use strong passwords. Instead of playing memory games, we use LastPass as our password manager. It’s free on the desktop and costs a small fee on mobile devices; I’ve posted about this before…
That way you only have to remember one strong master password, and it unlocks all the others.
3. Limit login attempts. On all of our (and our clients’) sites I use a WordPress plugin called Better WP Security, but it is an extensive, highly configurable plugin that may take you a while to learn. Another option I came across that does just this one job is Limit Login Attempts. Install it and activate it.
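As an added example (my own code, not from this post and not the Better WP Security or Limit Login Attempts plugin), here is a minimal must-use plugin that does what step 3 describes and also refuses the user names the update to step 1 says attackers try first. Everything named in it is an assumption: the lt_ prefix, the policy of 5 failures per IP in a 15-minute window, and the banned-name list.

```php
<?php
/*
Plugin Name: Login throttle example
Description: Added example of the "limit login attempts" idea from this post,
not the Limit Login Attempts or Better WP Security plugin. Save it as
wp-content/mu-plugins/login-throttle.php and WordPress loads it on every request.
*/

// Assumed policy (not stated in the post): 5 failures per client IP, 15-minute window.
define( 'LT_MAX_FAILURES', 5 );
define( 'LT_WINDOW', 15 * MINUTE_IN_SECONDS );

function lt_client_ip() {
	// REMOTE_ADDR is set by the web server itself. Do not use X-Forwarded-For
	// here unless a proxy you control overwrites it: the client can send it.
	return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function lt_key( $ip ) {
	// md5 keeps the transient name short and free of odd characters.
	return 'lt_fail_' . md5( $ip );
}

// User names this post says attackers try first: "admin", the site's host name
// and its first label (example.com -> "example"). Assumed list, adjust to taste.
function lt_banned_usernames() {
	$host = strtolower( preg_replace( '/^www\./', '', parse_url( home_url(), PHP_URL_HOST ) ) );
	return array( 'admin', $host, strtok( $host, '.' ) );
}

// Count every failed login against the client IP. Each new failure also
// restarts the 15-minute window, so a lockout lasts until the attempts stop.
function lt_record_failure( $username ) {
	$key      = lt_key( lt_client_ip() );
	$failures = (int) get_transient( $key ); // false (unset) casts to 0
	set_transient( $key, $failures + 1, LT_WINDOW );
}
add_action( 'wp_login_failed', 'lt_record_failure' );

// A successful login clears the counter for that IP.
function lt_clear_failures( $user_login, $user ) {
	delete_transient( lt_key( lt_client_ip() ) );
}
add_action( 'wp_login', 'lt_clear_failures', 10, 2 );

// Priority 30: after core's password check at priority 20. Core's
// wp_authenticate_username_password() discards a WP_Error handed to it when
// both fields are filled in, so a lockout returned earlier would be bypassed
// by a correct password. At priority 30 our WP_Error is the final answer.
function lt_authenticate( $user, $username, $password ) {
	if ( empty( $username ) ) {
		return $user; // form just rendered, or core already reported the empty field
	}
	if ( in_array( strtolower( $username ), lt_banned_usernames(), true ) ) {
		return new WP_Error( 'lt_banned_username', __( 'Invalid username.' ) );
	}
	if ( (int) get_transient( lt_key( lt_client_ip() ) ) >= LT_MAX_FAILURES ) {
		return new WP_Error( 'lt_locked_out', __( 'Too many failed login attempts. Try again later.' ) );
	}
	return $user;
}
add_filter( 'authenticate', 'lt_authenticate', 30, 3 );
```

Two caveats a practitioner will want. The banned-name check rejects “admin” and your domain name even when the password is right, so only enable it after step 1 is finished, or you will lock yourself out. And counting per IP is exactly what a botnet is built to defeat: it spreads its guesses across thousands of addresses, each of which stays under the limit, which is why this slows an attack down rather than stopping it. Because the check hangs off the `authenticate` filter, it also applies to logins through XML-RPC, which goes through the same `wp_authenticate()` path.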
As I said, this is no guarantee against every kind of attack, but it will certainly slow down brute-force attacks on your WordPress site.