Yesterday (10 Feb 2014), our friends at Wordfence, the WordPress security specialists, detected a large scale attack against WordPress based websites across the globe.
The attack is a distributed brute force attack – which means an organised effort to compromise websites by repeated and automated guessing of passwords.
With around 20% of the world's websites thought to be built on the WordPress platform, and it being a popular choice for many small business sites, this is a significant threat.
We’ve noticed a surge in attempts to compromise some of our sites and those of our customers – all thankfully blocked by the security measures in place.
To give you an idea, here’s a screenshot from one of our sites. It’s a new site, without any significant content – so we hadn’t tightened the security down as much as normal. Yet, even with basic measures in place – we stopped (in the end) over 50,000 attempts to breach security.
If your site is built on WordPress, you need to make sure it's secured. There are many more complex strategies to beef up security, but here's our recommended top five must-dos:
1. Get rid of the user called Admin
Out of the box, WordPress installs with a default user named admin. Hackers know this, and many attacks use admin as the user name while trying many permutations of password. If you still have admin as a user, you're doing half the hacker's job for them. Get rid of it! [Here's How]
2. Use Strong Passwords
The more complicated the password the harder it is for a hacker to crack.
Having a simple password might be easy for you to remember – but you’re leaving your site vulnerable to attack.
Passwords should contain a combination of upper and lower case letters, numbers and symbols, and be at least eight characters long. (I use at least 12, usually 16.)
You can use a Password Manager application such as LastPass to securely store and keep track of your passwords – or you can adopt my ninja password memory trick – for instant recall of secure passwords for any of your sites.
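As an added illustration (not code from the original post), the script below generates a password that satisfies the rules above, checks a candidate against them, and puts a number on why length matters: it works out how long an online attacker would need to exhaust the keyspace at the 50,000 guesses per day observed against one of our sites. The symbol set, the 50,000/day figure as a default rate and the tiny blocklist are assumptions for the example; a real check would use a large breached-password list.

```python
import secrets
import string

# Character classes the post asks for: upper, lower, digits, symbols.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"          # assumed symbol set (24 characters)
ALPHABET = UPPER + LOWER + DIGITS + SYMBOLS    # 86 characters in total

# Constructed stand-in for the word lists attackers feed their tools.
COMMON = {"password", "admin", "wordpress", "letmein", "qwerty", "welcome"}


def meets_policy(pw, min_length=12):
    """Check the post's rule set: length, all four classes, not a common word."""
    if len(pw) < min_length:
        return False
    if not all(any(c in cls for c in pw) for cls in (UPPER, LOWER, DIGITS, SYMBOLS)):
        return False
    # Strip digits and symbols so 'Password1!' still trips the blocklist.
    core = "".join(c for c in pw if c.isalpha()).lower()
    return core not in COMMON


def generate_password(length=16):
    """Return a random password from ALPHABET that passes meets_policy.

    secrets (not random) is used so the choice is cryptographically random."""
    if length < 4:
        raise ValueError("need at least one character per class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(pw, min_length=length):
            return pw


def guesses_to_exhaust(length, alphabet_size=len(ALPHABET)):
    """Keyspace an attacker must cover in the worst case for a random password."""
    return alphabet_size ** length


def years_to_exhaust(length, guesses_per_day=50_000):
    """Worst-case years at a fixed online guess rate.

    50,000/day is the rate the post saw against one site; it is used here as an
    assumed default, not a measured constant."""
    return guesses_to_exhaust(length) / guesses_per_day / 365


if __name__ == "__main__":
    print("generated:", generate_password(16))
    for n in (6, 8, 12, 16):
        print(f"{n:2d} chars: {years_to_exhaust(n):.3g} years to exhaust at 50,000/day")
```

The numbers make the real point of the post's advice: even an 8-character random password from this alphabet takes on the order of a hundred million years to exhaust at 50,000 guesses a day, so online brute force only works against dictionary words and short or reused passwords, which is exactly what the blocklist check rejects.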
3. Install Security Plugins
One of the great things about WordPress is that it can be enhanced and expanded with a plethora of third-party add-ons called Plugins.
There are a number of security related plugins, but the one I prefer and install on all our sites comes from Wordfence. There are both free and paid versions, and it will help protect your site from all sorts of nasties.
The second Plugin I recommend is called "Stop User Enumeration". Even when you get rid of the admin user, a hacker can still easily discover the usernames in use on your WordPress site (for example, requesting /?author=1 redirects to the author archive, which has the first user's login name in its URL). This plugin is designed to prevent them being able to.
Edit: Current versions of Wordfence now prevent User Enumeration too.
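Whether or not you run a plugin, it is worth being able to see an attack like the one described at the top of this post in your own web server logs. The script below is an added example, not code from the post or from Wordfence: it parses access-log lines in the standard Apache/nginx "combined" format and flags three things, a single address hammering wp-login.php, a distributed attack where many addresses each send only a few guesses (the per-address count never trips but the site-wide count does), and /?author=N probes, which are the username enumeration described under item 3. The sample log lines are constructed for the example, and the thresholds (10 per address, 50 site-wide, in a 5-minute window) are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
AUTHOR_RE = re.compile(r"^/\?author=\d+$")   # WordPress author-ID enumeration probe


def parse_line(line):
    """Return a dict with ip, ts (datetime), method, path, status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    d["status"] = int(d["status"])
    return d


def max_in_window(timestamps, window):
    """Largest number of (sorted) timestamps that fall inside any single window."""
    best, start = 0, 0
    for end, t in enumerate(timestamps):
        while t - timestamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyse(lines, window=timedelta(minutes=5), per_ip_limit=10, global_limit=50):
    """Flag login brute force (per-IP and distributed) and author-ID probing.

    per_ip_limit: POSTs to wp-login.php from one IP inside `window`.
    global_limit: POSTs to wp-login.php from *all* IPs inside `window`; this is
                  what catches a botnet sending a few guesses per address."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    logins = [e for e in events if e["method"] == "POST" and e["path"].startswith("/wp-login.php")]
    enum_ips = sorted({e["ip"] for e in events if e["method"] == "GET" and AUTHOR_RE.match(e["path"])})

    per_ip = defaultdict(list)          # ip -> timestamps of its login POSTs
    for e in logins:
        per_ip[e["ip"]].append(e["ts"])

    flagged_ips = sorted(ip for ip, ts in per_ip.items() if max_in_window(ts, window) >= per_ip_limit)
    distributed = max_in_window([e["ts"] for e in logins], window) >= global_limit
    return {
        "login_posts": len(logins),
        "source_ips": len(per_ip),
        "flagged_ips": flagged_ips,
        "distributed": distributed,
        "enumeration_ips": enum_ips,
    }


def sample_log():
    """Constructed sample: one noisy IP, a 60-address botnet, one enumeration probe."""
    base = datetime(2014, 2, 10, 9, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'
    lines = []

    def add(ip, secs, method, path, status):
        ts = (base + timedelta(seconds=secs)).strftime(TS_FMT)
        lines.append(fmt.format(ip=ip, ts=ts, method=method, path=path, status=status))

    add("203.0.113.9", 0, "GET", "/?author=1", 301)          # username leaked via redirect
    for i in range(12):                                       # single-source brute force
        add("203.0.113.9", 10 + i * 5, "POST", "/wp-login.php", 200)
    for i in range(60):                                       # 60 bots, one guess each
        add(f"198.51.100.{i + 1}", 100 + i * 3, "POST", "/wp-login.php", 200)
    add("192.0.2.77", 400, "GET", "/wp-admin/", 302)          # ordinary traffic
    return lines


if __name__ == "__main__":
    print(analyse(sample_log()))
```

A failed WordPress login re-renders the form with status 200, so the status code alone does not separate failures from successes; the volume of POSTs is the signal. Against the sample, the 60-bot wave never exceeds one request per address and would pass any per-IP rule, which is why the site-wide count is the one to alert on during a distributed attack like the February 2014 one.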
4. Backup your Site Files and Database
This is just common sense rather than security specific advice, but you'd be surprised how many websites are not backed up properly. Your host may back up the entire server in their data centre, but if something happens to your site, how long will it be before they can restore it?
If you are unfortunate enough to have your site hacked – having a clean backup ready to restore once the breach has been resolved can have you back up and running again in minutes.
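A backup is only "clean and ready to restore" once you have actually restored it somewhere and checked the result, so the added example below (not code from the post) archives a WordPress directory tree, restores it into a scratch directory and compares every file's SHA-256 against the live site, then prunes old archives. The site layout, file names and the seven-archive retention are assumptions for the example; the database still needs its own dump (for MySQL, `mysqldump --single-transaction`) stored alongside the archive.

```python
import hashlib
import tarfile
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

KEEP = 7  # archives retained by prune_backups (assumed retention)


def sha256_tree(root):
    """Map each file path (relative to root) to its SHA-256 hex digest."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def backup_site(site_dir, backup_dir, when=None):
    """Archive the whole WordPress tree (wp-config.php, wp-content uploads,
    themes, plugins) into a timestamped tar.gz and return its path."""
    when = when or datetime.now(timezone.utc)
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / f"site-{when:%Y%m%d-%H%M%S}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname="site")
    return archive


def verify_restore(archive, site_dir):
    """Restore the archive into a scratch directory and compare it with the
    live tree. A backup that has never been restored is not yet known to work."""
    # Use the safe extraction filter where this Python provides it (3.12+, and
    # the backports) so a hostile archive cannot write outside the scratch dir.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(scratch, **kwargs)
        return sha256_tree(Path(scratch) / "site") == sha256_tree(site_dir)


def prune_backups(backup_dir, keep=KEEP):
    """Delete all but the newest `keep` archives and return what was removed."""
    archives = sorted(backup_dir.glob("site-*.tar.gz"))   # names sort by timestamp
    removed = archives[:-keep] if len(archives) > keep else []
    for a in removed:
        a.unlink()
    return removed


def demo():
    """Run the full cycle against a constructed, throwaway site tree."""
    with tempfile.TemporaryDirectory() as d:
        site = Path(d) / "www"
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n")   # constructed
        (site / "wp-content" / "uploads" / "a.txt").write_bytes(b"sample upload")  # constructed
        backups = Path(d) / "backups"
        t0 = datetime(2014, 2, 10, 9, 0, tzinfo=timezone.utc)
        archives = [backup_site(site, backups, t0 + timedelta(hours=i)) for i in range(9)]
        restore_ok = verify_restore(archives[-1], site)
        removed = prune_backups(backups, keep=7)
        (site / "wp-config.php").write_text("<?php // tampered\n")   # simulate a compromise
        detects_change = not verify_restore(archives[-1], site)
        return {
            "restore_ok": restore_ok,
            "pruned": len(removed),
            "remaining": len(list(backups.glob("site-*.tar.gz"))),
            "detects_change": detects_change,
        }


if __name__ == "__main__":
    print(demo())
```

The same hash comparison also tells you, after a breach, which files in the live site differ from the last known-good archive, which is the quickest way to find what the attacker changed before you restore.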
5. Keep up with the Housekeeping
The WordPress platform is constantly evolving and being updated. What was current when your site was built is likely out of date by now. If nobody is keeping it up to date, you’re leaving yourself open to any security vulnerabilities that have been identified and fixed in later versions.
I deliberately put Updates after Backups in this list. Sometimes things break when they’re updated, and can render your site useless. If you have a backup – you can generally roll back to the last known good version.
These are just the basics – but they’re infinitely better than leaving your site wide open!