Fighting a WordPress brute force attack
A brute force attack involves trying a very large number of combinations of commonly used passwords to gain access to your account or to the administration section of your WordPress (or any CMS) site. WordPress is one of the most commonly used frameworks for building websites today, so it should be no surprise that it is also one of the most commonly attacked. The following article provides a list of tips that, when applied, help thwart attempts to gain access to your website. How can you protect yourself against these types of attacks on WordPress?
1. DELETE THE ‘ADMIN’ USER FOR YOUR WP SITE
Once you have installed WP on your account, you will want to log into it by visiting http://www.yourdomain.com/wp-login. Here you will be asked for your username and password to access the administration section. Navigate to the ‘Add New’ User section found at http://www.yourdomain.com/wp-admin/user-new.php. Although the WordPress minimum requirement is only 7 characters, a password of at least 12 characters is highly recommended. You will also want to be sure to select Administrator as the role for this new user from the dropdown menu at the bottom. Once you have created this new user, navigate to http://www.yourdomain.com/wp-admin/users.php, hover over the original Admin user and select ‘Delete’. If you have posts that were created by the ‘Admin’ user, you will be asked what you want to do with them when you delete this user. These posts are commonly re-assigned to the new user you just created.
2. CHANGE YOUR PASSWORDS REGULARLY
You will want to update your new user’s password every 90 days. Be sure to keep a record of passwords used, and do not repeat them. Always create new passwords when updating. We list deleting the admin user and updating passwords regularly as the most important factors since these are the main focus of a brute force attack. Do not use passwords like: admin, admin123, administrator, pass, password, password1, passwd, root, qwerty, q1w2e3, 000000, 123456, 987654321. If you are having trouble creating a strong password, consider a service such as those found at http://www.random.org/passwords and http://strongpasswordgenerator.com. Additionally, if you have multiple users on your website, either set up a schedule for all to see that requires regular updates to passwords, or let them know that you will be making the updates and will provide them with new ones regularly.
3. INSTALL SECURITY PLUGINS ON YOUR WP SITE
There are a number of quality plugins that you can take advantage of for free from WordPress.org. Here is a short list to get you started:
- Limit Login Attempts (http://wordpress.org/extend/plugins/limit-login-attempts)
- WP Login Security 2 (http://wordpress.org/extend/plugins/wp-login-security-2)
- Login Security Solution (http://wordpress.org/extend/plugins/login-security-solution)
- Bulletproof Security (http://wordpress.org/extend/plugins/bulletproof-security)
- 2 Factor Authorization by Duo Security (https://www.duosecurity.com/docs/wordpress)
4. PASSWORD PROTECT YOUR WP-LOGIN PAGE
Password protecting your login page is another, secondary measure you can take. The option is found in all control panels, or you can open a support request to have it set up. Look for the password-protection icons in your control panel.