Last Updated on August 5, 2020
Protecting WordPress against the recent (and massive) brute force attack has been a popular subject on online newswires lately. While security attacks on open source platforms (like WordPress) are nothing new, this latest barrage has become truly sensational. Let me clear up what’s really happening and, more importantly, what you can do to protect your WordPress website.
WordPress Security & Recent Brute Force Attacks
High-profile web hosting firms are taking the brunt of the attack. If your site is hosted by HostGator, LiquidWeb or GoDaddy, you've probably received an email reassuring you and advising you on how to prevent a breach. Even if no one has broken into your site, the attack has probably affected your hosting service: the flood of login attempts has been overloading servers, slowing administrative access and hurting site uptime.
While your hosting provider is doing what it can behind the scenes, the best offense is a good defense, and your best defensive move is a strong password that a brute force tool cannot guess. Use a different password for every system, so that one guessed or stolen password does not open the rest: the password for your banking site should not match your Groupon or Facebook login. Protecting yourself takes a little common sense and ongoing diligence.
Protecting WordPress: Practices to Implement
Are there other measures you can put into place to protect your WordPress website? Yup. Here are our top 6:
1. Don’t Use Admin As a User Name
2. Implement Strong Passwords
If you manage your own website, we recommend installing Force Strong Passwords, a five-star rated plugin that guides your users toward strong passwords for WordPress administration access. A good password has the following elements:
- A minimum of 8 characters (longer is better)
- A mix of upper- and lower-case letters (at least two upper case)
- At least two digits (0-9)
- At least one special character
- Not a word you can find in a dictionary, because attackers run dictionary attacks that try every common word, including the usual letter-for-symbol substitutions
- If you can remember it without help, it's probably not a good one
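The rules above, turned into a checker you can run over a candidate password. This is an added example written for this page, not code from the Force Strong Passwords plugin or from WordPress; the short dictionary and the leet-speak substitution table are constructed stand-ins for the large wordlists a real dictionary attack (and therefore a real check) would use. It goes a little beyond the list above in one respect: a dictionary word disguised with "@" for "a" or "0" for "o" is still treated as that word, because that is exactly what attack tools try.

```python
import string

# Constructed stand-in for a real wordlist: a production check would load a
# dictionary or leaked-password file with many thousands of entries.
DICTIONARY_WORDS = {"password", "welcome", "wordpress", "admin", "letmein",
                    "monkey", "sunshine", "dragon", "qwerty"}

# Substitutions that dictionary-attack tools try automatically, so "P@ssw0rd"
# has to be treated as the dictionary word "password".
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

def normalize(password):
    """Undo common leet substitutions and keep only letters, so a dictionary
    word padded with digits and symbols is still recognised as that word."""
    lowered = password.lower().translate(LEET_MAP)
    return "".join(ch for ch in lowered if ch.isalpha())

def password_problems(password, dictionary=DICTIONARY_WORDS):
    """Return the list of rules the password fails; an empty list means it passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if sum(ch.isupper() for ch in password) < 2:
        problems.append("fewer than 2 upper-case letters")
    if not any(ch.islower() for ch in password):
        problems.append("no lower-case letter")
    if sum(ch.isdigit() for ch in password) < 2:
        problems.append("fewer than 2 digits")
    if not any(ch in string.punctuation for ch in password):
        problems.append("no special character")
    core = normalize(password)
    # Exact match, or a longer dictionary word embedded in the password
    if core in dictionary or any(w in core for w in dictionary if len(w) >= 5):
        problems.append("based on a dictionary word")
    return problems

def is_strong(password):
    """True when the password satisfies every rule above."""
    return not password_problems(password)

if __name__ == "__main__":
    for candidate in ("P@ssw0rd!1", "WordPress2020!", "Xk7#vQ92mL"):
        print(candidate, "->", password_problems(candidate) or "OK")
```

"WordPress2020!" satisfies every character-class rule and still fails, which is the point of the dictionary rule: padding a common word with a year and a symbol does not make it strong.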
3. Block Hackers at IP Source
We use IP Blocker to blacklist attackers. While this isn't foolproof, and it is not a defense against the recent brute force attack, it blocks an offending IP address outright. For our maintenance clients, we keep on top of blacklisting attackers as they switch IP addresses in their repeated attempts to break in.
4. Limit Login Plugin
Blocking the bad guys is unfortunately part of business as usual for any website. It's not a matter of "if" someone will come knocking on your WordPress login page, only of how many times they will try to break in. That's why we recommend a plugin that limits the number of login attempts per address. Blocking at the IP source plus limiting attempts is an effective combination for protecting WordPress. Sadly, brute force tools are freely available, complete with how-to videos on YouTube.
With that said, we want to be absolutely clear: IP Blocker and a limit-login plugin together are an effective general security measure, but they are ineffective against the recent brute force attack, which is spread across a huge number of source addresses, so no single address makes enough attempts to trip a per-IP limit. Again, the best way to protect yourself is with strong passwords.
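To make the per-IP limit and its blind spot concrete, here is the detection logic run over constructed Apache access-log lines. This is an added example for this page, not code from IP Blocker, any limit-login plugin or WordPress. It assumes the standard WordPress behaviour that a failed login re-renders wp-login.php with HTTP 200 while a successful one answers with a 302 redirect; the IP addresses and timestamps are documentation values made up for the example, and the 5-attempts-per-10-minutes threshold is an arbitrary choice.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return the fields of one access-log line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?")[0],
        "status": int(m.group("status")),
    }

def failed_logins(lines):
    """Yield (ip, time) for every failed wp-login.php attempt. WordPress
    re-renders the login form with HTTP 200 on a bad password and answers a
    successful login with a 302 redirect, so a POST that returns 200 failed."""
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "POST"
                and rec["path"].endswith("/wp-login.php") and rec["status"] == 200):
            yield rec["ip"], rec["time"]

def ips_to_block(lines, max_attempts=5, window=timedelta(minutes=10)):
    """Per-IP limiter, the logic a limit-login plugin applies: block any
    address with more than max_attempts failures inside one window."""
    attempts = defaultdict(list)
    blocked = set()
    for ip, ts in failed_logins(lines):
        recent = [t for t in attempts[ip] if ts - t <= window]
        recent.append(ts)
        attempts[ip] = recent
        if len(recent) > max_attempts:
            blocked.add(ip)
    return blocked

def peak_failure_rate(lines, window=timedelta(minutes=10)):
    """Site-wide view: the most failed logins from all sources combined in
    any one window. This still climbs during a distributed attack that keeps
    every individual IP under the per-IP limit."""
    times = sorted(t for _, t in failed_logins(lines))
    peak, start = 0, 0
    for end, ts in enumerate(times):
        while ts - times[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak

def total_failures(lines):
    """Number of failed login attempts in the log, regardless of source."""
    return sum(1 for _ in failed_logins(lines))

# --- constructed sample logs (documentation addresses, not real traffic) ---
BASE = datetime(2013, 4, 12, 3, 0, 0, tzinfo=timezone.utc)

def make_line(ip, ts, status):
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S +0000")
    return f'{ip} - - [{stamp}] "POST /wp-login.php HTTP/1.1" {status} 3950 "-" "Mozilla/5.0"'

# Scenario A: one address hammering the login form, plus one legitimate
# admin login (302) that must not be counted.
SINGLE_SOURCE = [make_line("203.0.113.7", BASE + timedelta(seconds=i), 200) for i in range(8)]
SINGLE_SOURCE.append(make_line("198.51.100.2", BASE + timedelta(seconds=30), 302))

# Scenario B: 200 failures spread over 100 addresses, two attempts each.
DISTRIBUTED = [make_line(f"192.0.2.{n}", BASE + timedelta(seconds=n), 200)
               for n in range(1, 101) for _ in range(2)]

if __name__ == "__main__":
    for name, log in (("single source", SINGLE_SOURCE), ("distributed", DISTRIBUTED)):
        print(f"{name}: {total_failures(log)} failures, blocked={sorted(ips_to_block(log))}, "
              f"peak per 10 min={peak_failure_rate(log)}")
```

In scenario A the per-IP limiter blocks the one noisy address after its sixth try. In scenario B it blocks nothing, even though the site absorbed 200 failed logins in under two minutes; only the site-wide count shows that anything is wrong, and only a strong password stops the guesses from eventually landing.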
5. Hide WordPress Version
Protecting WordPress also means giving attackers as little information as possible, down to the database level. We use a plugin to hide the WordPress version and we make sure the default table prefix ("wp_") has been changed (another layer of protection). Brute force tools zero in on sites that still use these defaults.
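A quick way to audit whether your site still advertises its version, as an added example for this page rather than code from any hide-version plugin. The HTML below is constructed to look like a default WordPress page head; it was not fetched from any real site. It checks two places, the generator meta tag the text refers to and, going beyond the text, the ?ver= query string WordPress appends to its own scripts and stylesheets, then shows the stripped output a hide-version plugin produces. Changing the wp_ table prefix is a database change and is not covered here.

```python
import re

# Constructed HTML in the shape of a default WordPress page head; it was not
# fetched from any real site.
LEAKY_HTML = """<!DOCTYPE html>
<html><head>
<meta name="generator" content="WordPress 3.5.1" />
<link rel='stylesheet' href='https://example.com/wp-includes/css/admin-bar.min.css?ver=3.5.1' type='text/css' />
<script src='https://example.com/wp-includes/js/jquery/jquery.js?ver=1.8.3'></script>
<link rel="alternate" type="application/rss+xml" href="https://example.com/feed/" />
</head><body></body></html>"""

# The generator tag names the core version outright.
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s*([\d.]*)["\']', re.I)
# Core assets carry ?ver=<version>; for wp-includes files that is usually the
# core version itself, for bundled libraries it is the library version.
VER_RE = re.compile(r'/wp-(?:includes|content)/[^"\'\s]*?[?&]ver=([\w.\-]+)', re.I)

def version_leaks(html):
    """List (where, version) for every place the page gives away a version."""
    leaks = []
    m = GENERATOR_RE.search(html)
    if m:
        leaks.append(("generator meta tag", m.group(1) or "unknown"))
    for m in VER_RE.finditer(html):
        leaks.append(("?ver= query string", m.group(1)))
    return leaks

def strip_version_hints(html):
    """What a hide-version plugin does to the output: drop the generator tag
    and the ?ver= parameters on scripts and styles."""
    html = re.sub(r'<meta\s+name=["\']generator["\'][^>]*>\s*', '', html, flags=re.I)
    html = re.sub(r'\?ver=[\w.\-]+&', '?', html)            # ver followed by other params
    html = re.sub(r'&ver=[\w.\-]+', '', html)                # ver among other params
    html = re.sub(r'\?ver=[\w.\-]+(?=["\'\s])', '', html)    # ver as the only param
    return html

if __name__ == "__main__":
    for where, version in version_leaks(LEAKY_HTML):
        print(f"leak: {where} -> {version}")
    print("after stripping:", version_leaks(strip_version_hints(LEAKY_HTML)) or "no leaks")
```

Hiding the version buys you less targeting, not less vulnerability: a site on an old release is just as exploitable with the tag removed, so this is a complement to keeping core up to date, not a replacement.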
6. Keep Core Up to Date
The WordPress core developers regularly release security updates. Keeping your version up to date gives you the fixes they ship for new threats and trends. The same goes for updates and upgrades to your security plugins.
Brute force attacks are unfortunately becoming more common. The good news is that there are several security features that make protecting WordPress websites easier. Not sure if your site is vulnerable? We offer an affordable audit in which we analyze your WordPress installation. You'll receive specific recommendations on how to safeguard your website.