WordPress is a wonderful CMS for websites and blogs alike and we highly recommend it. Because of its ease of use, however, we sometimes forget to secure our sites as well as we can. In some cases that's because an inexperienced site owner installed WordPress on their own, and sometimes it's because a web developer simply forgot or is…*gasp* lazy.
Whatever the reason, this last set of alerts about WordPress botnet attacks resulted in a lot of frantic emails and phone calls this week, and it is indeed a serious threat, especially to the hosting companies. Hostgator announced on their blog that the brute-force attack involved over 90,000 IP addresses. That's bad for everybody. I'll share here what we told all of our clients. Let me first say that taking these steps doesn't mean you'll NEVER get hacked. It happens all the time, and sometimes it's not a bot or a hacker but a disgruntled former staff member who still has your admin password! Honestly, if you're not getting spam and attention from the robots it probably means nobody knows your site exists….
Update your version of WordPress
This is the most obvious step. When a security hole is found in WordPress, the core team patches it quickly, but the patch only protects you once you install it; an out-of-date install is a lot easier to break into. Back up your files and your database first. Then check the plugins too. If a plugin hasn't been updated in a long time, look for a maintained replacement. Plugins are a common way into a WordPress install AND they add load time, so if you don't need them, delete them. Simply deactivating a plugin is not enough: its PHP files stay on the server, and a hacker can still use a flaw in them to get in.
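The routine above (back up, update core, update plugins and themes, delete rather than deactivate) scripted with WP-CLI, as an added example that is not part of the original post. It assumes WP-CLI (`wp`) is installed and that the script is run from the WordPress root; the `plugins_to_delete` helper and the backup file name are this example's own choices, not anything the post prescribes.

```shell
#!/bin/sh
# Added example, not from the page: the "back up, update, delete what you
# don't use" routine driven by WP-CLI (https://wp-cli.org).
# Assumes `wp` is installed and this script runs from the WordPress root.

# Read `wp plugin list --format=csv --fields=name,status` on stdin and print
# the names of plugins that are installed but not active. Kept separate so it
# can be tried on sample output without a WordPress install.
plugins_to_delete() {
  awk -F, 'NR > 1 && $2 == "inactive" { print $1 }'
}

wp_maintenance() {
  stamp=$(date +%Y%m%d-%H%M%S)
  wp db export "db-backup-$stamp.sql"      # database backup before touching anything
  wp core update && wp core update-db      # core files, then the schema
  wp core verify-checksums                 # report core files that differ from the release
  wp plugin update --all
  wp theme update --all
  # Deactivated plugins still leave their PHP on disk, so remove them outright.
  wp plugin list --format=csv --fields=name,status | plugins_to_delete |
  while read -r name; do
    wp plugin delete "$name"
  done
  wp plugin list --update=available        # anything still listed here needs a manual look
}

# Usage: sh wp-maintenance.sh run   (back up wp-content/ separately as well)
case "${1:-}" in run) wp_maintenance ;; esac
```

`wp core verify-checksums` is worth running even when no update is pending: a core file that no longer matches the official release is one of the clearest signs that someone has already been in.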
If you use “admin” as your main login you’re asking for trouble!
This is the default for many, but it’s an easy fix.
- Log in as admin and create a new account with your own user name. Give the new user the Administrator role.
- If you've already created a lot of posts using admin and want to keep the name on the posts in the author box, change the "nickname" on admin to whatever you want it to be and set "Display name publicly as" to match.
- Now log out and log in with your new account name. Change the role of admin to "Subscriber" (and give it a new password while you're there). Now anyone who logs in with that admin password gets an account that can't do anything beyond editing its own profile.
Really…. you’re using your daughter’s full name and birth date as your password?
This latest bot is simply running dictionary words and common names until it finds one that works. Stay away from these kinds of things. Passwords need to be harder to figure out. Use a password manager like 1Password to remember the password for you on your devices, and use at least some of these tips to make your password stronger.
- Don’t use real words or names
- Mix character types
- Include random numbers and special characters.
- Think of phrases and then create acronyms. For example “Really? You can’t remember this?” could be “R?Yc’Rt?” or a similar combination. (no that’s not my password so quit trying).
Lock down your login screen
Many of these bots just keep hitting your login screen until they get it right. Stop them after a few attempts with a plugin like Simple Login Lockdown. You set the number of failed attempts you're willing to allow; after that, the offending address is locked out of the login for a specified amount of time, and most bots will move on to easier pickings.
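If you want to see who is hammering the login screen before (or instead of) installing a plugin, the web server's access log already tells you. The following is an added example, not code from the original post: an awk filter that counts failed logins per client. It relies on a WordPress behaviour, not on anything the post states: a successful POST to wp-login.php redirects (HTTP 302) while a failed one re-renders the form (HTTP 200). The log lines are constructed for the example and use documentation IP ranges.

```shell
#!/bin/sh
# Added example, not from the page: spot brute-force attempts against
# wp-login.php in an Apache/nginx "combined" access log.
# Failed login -> form shown again (200); successful login -> redirect (302),
# so count POST /wp-login.php requests that returned 200.

# Usage: failed_login_ips THRESHOLD < access.log
# Prints "ip count" for every client with >= THRESHOLD failed logins, busiest first.
failed_login_ips() {
  threshold="${1:-5}"
  awk -v t="$threshold" '
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { failed[$1]++ }
    END { for (ip in failed) if (failed[ip] >= t) print ip, failed[ip] }
  ' | sort -k2,2nr
}

# Constructed sample log (not real traffic): one bot, one legitimate user who
# mistypes twice then succeeds, and a visitor who only looks at the form.
sample_log() {
  cat <<'EOF'
203.0.113.7 - - [12/Apr/2013:09:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:09:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:09:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:09:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:09:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:09:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
192.0.2.1 - - [12/Apr/2013:09:15:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2911 "-" "Mozilla/5.0"
198.51.100.2 - - [12/Apr/2013:09:16:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
198.51.100.2 - - [12/Apr/2013:09:16:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
198.51.100.2 - - [12/Apr/2013:09:16:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.1 - - [12/Apr/2013:09:17:05 +0000] "GET / HTTP/1.1" 200 14233 "-" "Mozilla/5.0"
EOF
}

# Try it on the sample; on a real server point it at the live log instead, e.g.
#   failed_login_ips 5 < /var/log/apache2/access.log
sample_log | failed_login_ips 5
```

With the sample, only 203.0.113.7 crosses a threshold of 5; the legitimate user's two slips stay below it. The addresses this prints are what a lockout plugin or a fail2ban jail would block for you automatically.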
Don't use the default wp_ as your database table prefix
The bots are scanning the web for references to WordPress, and their canned SQL injection payloads assume the default table names; if the tables really are called wp_users and wp_options, they've hit gold. A different prefix won't stop a targeted attacker, but it does make that automated stuff fail. Here's a quick tutorial on how to fix this, but please BACK UP first. Many of our favorite web hosts now let you choose the database name, user name and table prefix when you install. Be creative and avoid the problem in the first place.
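Changing the prefix on an existing site is more than renaming tables: WordPress also stores the prefix inside row data (the `wp_user_roles` option and the `wp_capabilities` and `wp_user_level` user meta keys), and a site whose tables are renamed without those rows being fixed locks every user out. The script below, an added example and not the post's own tutorial, generates the SQL for both parts. The prefixes `wp_` and `x7k_` and the sample table list are placeholders; on a real site feed it the output of `wp db tables` or `SHOW TABLES`.

```shell
#!/bin/sh
# Added example, not from the page: produce the SQL that moves a site from the
# default "wp_" table prefix to a new one. Prefix values are placeholders.

# Usage: prefix_sql OLD NEW < tables.txt
# Emits RENAME TABLE for every table carrying OLD, then fixes the two places
# WordPress keeps the prefix inside row data (options.option_name, e.g.
# wp_user_roles, and usermeta.meta_key, e.g. wp_capabilities).
prefix_sql() {
  old="$1"; new="$2"
  start=$(( ${#old} + 1 ))                          # MySQL SUBSTRING is 1-based
  like_old=$(printf '%s' "$old" | sed 's/_/\\_/g')   # '_' is a LIKE wildcard: wp_ must become wp\_
  while read -r table; do
    case "$table" in
      "$old"*) printf 'RENAME TABLE `%s` TO `%s%s`;\n' "$table" "$new" "${table#$old}" ;;
    esac
  done
  printf 'UPDATE `%soptions` SET option_name = CONCAT(%s, SUBSTRING(option_name, %s)) WHERE option_name LIKE %s;\n' \
    "$new" "'$new'" "$start" "'${like_old}%'"
  printf 'UPDATE `%susermeta` SET meta_key = CONCAT(%s, SUBSTRING(meta_key, %s)) WHERE meta_key LIKE %s;\n' \
    "$new" "'$new'" "$start" "'${like_old}%'"
}

# Constructed table list standing in for `wp db tables`: the eleven core
# tables, one plugin table (renamed too) and one unrelated table (left alone).
sample_tables() {
  printf '%s\n' wp_commentmeta wp_comments wp_links wp_options wp_postmeta wp_posts \
    wp_terms wp_term_relationships wp_term_taxonomy wp_usermeta wp_users \
    wp_myplugin_log other_backup_table
}

sample_tables | prefix_sql wp_ x7k_
# Real run, after a backup:  wp db tables | prefix_sql wp_ x7k_ | wp db query
```

After the SQL has run, set `$table_prefix = 'x7k_';` in wp-config.php and log in again; if the dashboard says you don't have sufficient permissions, the two UPDATE statements did not match the rows, which is almost always the unescaped underscore in the LIKE pattern.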
Use a monitoring system
We set up Sucuri site monitoring for many of our clients. Sucuri constantly monitors the site for bot-like behavior, and they will clean up malware insertions, get you removed from blacklists after you've been hacked, and alert you when there is an issue. I have personal experience with this company and they're top notch. If you don't want to use an outside service, use a security plugin like Better WP Security to remove some of the obvious "tells" that your site is built on WordPress.