It has come to my attention that WordPress is currently under the largest brute force attack in its history.
What is a brute force attack? Well, it’s pretty simple… It’s when a botnet of thousands of computers repeatedly tries username and password combinations against your WordPress login page to gain access to your control panel and, therefore, your entire website. Once they have access to your site, they can do pretty much anything they want with it, including adding malware (the most common goal) or simply breaking or deleting your site.
I’ll get right down to it. Here are a few methods of protecting your site and this entire list should take you no longer than an hour to complete. Really, it’s dirt-simple stuff.
1. Update WordPress.
Seriously, just update the damned thing. Yes, it will occasionally break your site, but the repairs rarely take longer than a few minutes. On the other hand, a malware attack will take an experienced developer 4+ hours to fix, not to mention the time you lose while your site is down or, god forbid, if you’re blacklisted by Google as a malware site (something I recently had to fix for a client whose site I did not develop). I cannot stress just how many problems this will solve in the long term. It takes time for exploits to be discovered and targeted by hackers. If you’re constantly updating your core software, you stay ahead of the curve against 90%+ of these attacks.
2. Change your username and password.
Are you using “admin” as your WordPress username? Go change it. Right now. Brute force attacks usually target the default username. Change that and, again, you’ve protected yourself against the vast majority of hacking attempts.
Is your password “god”? Get rid of it and use something that will take more than a couple of minutes to crack. A good password should be one of two things: it should be short and complex with loads of special characters, mixed case, and numbers (E, e, 3, #, $, &, etc.) or it should be very long (12+ characters). Either is fine, but if your password is eight lowercase letters, change it right now. A complex password (using special characters) should be no less than eight characters. A simple password (all lowercase, no special characters) should be 12 characters or more.
3. Backup, backup, backup.
There are a slew of WordPress backup utilities. The one I currently employ is WordPress Backup to Dropbox. All you need is a Dropbox account and ten minutes to set this up, and you’ll always have a reliable backup should your site go down.
4. Avoid bad plugins and, again, update.
Plugins are great. They do all sorts of cool stuff that enhances your WordPress experience. I make extensive use of plugins. But plugins often have vulnerabilities unwittingly built into them, like the WP-Super Cache fiasco from last year. Check your plugins, use only the plugins that you need, and whenever possible use only plugins that are currently being maintained by the developer. Old plugins often have known, exploitable vulnerabilities. Letting them sit active in your WordPress install is only asking for trouble, particularly if it’s a popular plugin.
5. Use a security plugin.
There are a bunch of security scanners available for WordPress. I’ve used Sucuri SiteCheck in the past and it works great, letting me know at a glance if any files have been compromised.
6. DNS level protection.
I use CloudFlare, a *free* service (you can also pay for a more robust feature set) that will thwart many DDoS and brute force attacks at the DNS level, which means that the bad guys never even get to your site. They’re stopped by CloudFlare, which routes your domain’s traffic through their service before anyone reaches your site. It’s a ten-minute signup and involves changing a couple of settings with your domain registrar.
I’ve been using WordPress for a half decade now and I’ve never had a site hacked. One hour following these simple steps will give you peace of mind, increased security, and a backup should anything catastrophic happen to your site. Should you wish to add further security, there are certainly ways of achieving that and I encourage you to pursue other articles that go more in-depth into protecting a WordPress install. But if you only have a few minutes, these tips will protect you from the overwhelming majority of attacks.
So why are you still reading this article? Get to patching up that site!