Is your WordPress website safe from the threats of the internet? Have you implemented the necessary security measures to ensure that your site remains online, even in the face of a cyber-attack? If the answer is “no” or “I’m not sure,” then keep reading.
Despite the internet being littered with posts about WordPress security, I wanted to write something too; especially as I know many of you use WordPress to power your own websites. After all, brute force attacks come without warning and I highly recommend that you’re suitably prepared.
Photo courtesy of Nikolay Bachiyski(CC Attribution)
For some time now, I’ve had a plugin called Limit Login Attempts installed, which emails me after a certain number of login lockouts occur. This has been fine for the odd malicious login attempt but one evening last week, after being away from my computer for 15 minutes, I came back to over 200 email notifications! My website was under another brute force attack and I needed to lock it down before it collapsed under the weight.
My first port of call was my hosting company – TSO Host – who were fantastic as always. I got an immediate response and they suggested that they add a ‘deny from all’ to my wp-admin directory and whitelist my IP address. This sounded like a long-term solution, so I went ahead and gave them my IP and asked them to do this on all three of my WordPress websites.
Unfortunately, this morning, I decided to do some checking to make sure I could login to my websites, but guess what… No I couldn’t! It turns out that my IP address is not static and it had now changed overnight to something else. After doing some Googling, I found that my ISP wanted money for a static IP! Well after the lack of service from them over the last 6 months, I had no plans of giving them anymore of my money. Therefore, I needed another solution…
I had the restrictions lifted so I could now login again and decided to look into some different plugins – if you scroll down this link you will see the ones I investigated: http://codex.wordpress.org/Brute_Force_Attacks – it also provides you with a lot of other solutions if you’re more tech-savvy.
While looking through these plugins, I noticed that the one I had been using and, more importantly, relying on, hadn’t been updated in more than 2 years! This was a little worrying, so I decided to deactivate this one and try something new. I chose BruteProtect – it has some good reviews and is up to date.
I have installed it on all three of my websites, and will keep a close eye on it over the coming weeks. However, it already seems to be working well and blocked some malicious attempts immediately after installation.
Other Suggestions
There are some important steps you should ALWAYS take when using WordPress, which will reduce the likelihood of brute force attacks. So if you don’t plan on installing a plugin or locking down your directories, you should be doing the following at the very least:
- DO NOT use ‘admin’ as your username – if you have an admin username, then create a new administrator user and delete the ‘admin’ one. Most bots will try to get into your website by using ‘admin’ as the username. Other usernames that have cropped up for me have been ‘test’, ‘writersblockadminservices’ and ‘user’. Don’t choose something obvious to outsiders, use something obscure.
- Use a VERY STRONG password – you can generate difficult passwords from various places, I use LastPass on a daily basis and you can even choose the length. My WP passwords are around 15/20 characters in length.
- Keep WordPress, Themes and Plugins all updated – when new updates come out it’s a good idea to install them. By not updating them, you leave yourself vulnerable and run the risk of potentially being hacked. As I work with many client sites and my own, I use ManageWP to keep my websites all updated at the click of a button. As a result, I have never had any problems with updates on any of the websites I manage. The longer you leave updates ‘unupdated’ (is that even a word?) the more problems you will encounter when you finally do decide to install them – I speak from experience of a client site crashing because it hadn’t been updated in so long.
- Remove deactivated plugins and themes – if you’re not using (or you don’t plan to use) deactivated plugins and themes, then delete them. Keep your WordPress website organised and updated and you shouldn’t encounter too many problems.
- Delete spam on a regular basis – if you get a lot of spam comments, then try to keep them under control. You can get some great spam plugins (I use Akismet) that will do this for you – there really is no excuse. If you have a buildup of spam delete it; all of these elements lend themselves to an unstable WordPress website.
Photo courtesy of Stiftelsen(CC Attribution)
If you would like peace of mind that your WordPress website is secure and kept regularly updated, why not take a look at my WordPress Maintenance Plans.
