There are individuals who are ‘out there’ looking to hack into your WordPress site. WordPress security is at risk not just occasionally, but on a daily basis.
We are acutely aware of security, especially since the recent ‘ransomware’ super-hack. This attack appeared to affect multiple government organisations as well as individuals. If we learn nothing else from this, we need to realise that security should be second nature. This applies to WordPress security in the same way that it applies to our workstations and devices.
The majority of users are aware of the need for, at the very least, an anti-virus program for their computer. Many will also load up a security app for their phone and tablet. The second lesson we need to take from this event is to keep everything up to date. The hacking world is constantly evolving, so the security world has to keep up. You should have a strategy for updating your security. If you have professional software, you will most likely have automatic updates. However, some free programs require more diligence and constant updating.
So how does this impact on WordPress?
WordPress, being such a widely-used platform, is under attack. The good news is that there are steps you can take to reduce the risk. Note that no-one can guarantee the safety of your site. You can, at least, keep yourself somewhat protected by following a few simple steps. I plan a series of posts on security, but in this initial post, I am going to suggest protection from ‘brute force’ attacks using a plug-in called ‘Loginizer’.
‘Brute force’ attacks are common for WordPress sites, and a while ago had a widespread impact on thousands of sites. They still continue to this day, and consist of a constant ‘battering’ of your WordPress login using randomly generated passwords, or commonly used passwords. One easy way to limit the effectiveness of a brute force attack is to change your login username from the default ‘admin’ to something unique. This will lower the risk, but definitely not eliminate the more persistent attack.
Loginizer makes it easy to tweak your login settings to ‘lock out’ failed logins. It also lets you know if your wp-config.php and .htaccess files are writable – more on this in the next post in the series… You can use Loginizer to get a report of recent attempts to log in, and the IP addresses that the ‘hacker’ was using. Additionally, it allows you to block these addresses from logging in at all.
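As an added illustration (not code from this post or from the Loginizer plugin), here is the lockout-and-blacklist logic described above in Python: failed logins per IP are counted within a window, the IP is locked out for a while once it fails too often, and the site owner can blacklist it outright. The threshold values, the IP addresses and the login events are constructed for the example.

```python
from collections import defaultdict, deque

# Illustrative policy values (assumed, not taken from the plugin): lock an IP
# for LOCKOUT_SECONDS once it fails MAX_RETRIES times within RETRY_WINDOW.
MAX_RETRIES = 3
RETRY_WINDOW = 300       # seconds within which failures are counted
LOCKOUT_SECONDS = 900

class LoginGuard:
    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time at which the lockout expires
        self.blacklist = set()              # ips blocked outright by the site owner
        self.attempts = defaultdict(int)    # ip -> total attempts seen (for the report)

    def block_ip(self, ip):
        """Permanently refuse logins from this IP (the 'blacklist' action)."""
        self.blacklist.add(ip)

    def attempt(self, ip, ok, now):
        """Record one login try; return 'allowed', 'failed', 'locked' or 'blacklisted'."""
        self.attempts[ip] += 1
        if ip in self.blacklist:
            return "blacklisted"
        if self.locked_until.get(ip, 0) > now:
            return "locked"          # still inside a temporary lockout
        if ok:
            self.failures[ip].clear()
            return "allowed"
        q = self.failures[ip]
        q.append(now)
        while q and now - q[0] > RETRY_WINDOW:   # forget failures outside the window
            q.popleft()
        if len(q) >= MAX_RETRIES:
            self.locked_until[ip] = now + LOCKOUT_SECONDS
            q.clear()
        return "failed"

    def report(self):
        """Attempts per IP, like the plugin's 'recent attempts' listing."""
        return dict(self.attempts)

# Constructed sample: one address hammering the login every 10 s, and one
# legitimate user who mistypes a password once, then logs in correctly.
SAMPLE = [(t, "198.51.100.7", False) for t in range(0, 100, 10)] + \
         [(5, "203.0.113.9", False), (20, "203.0.113.9", True)]

def run(events):
    guard = LoginGuard()
    outcomes = [guard.attempt(ip, ok, t) for t, ip, ok in sorted(events)]
    return guard, outcomes
```

With the sample above, the third failure from 198.51.100.7 triggers a lockout, so its remaining seven attempts are refused without even checking a password, while the genuine user's single slip does not lock them out; calling `block_ip` afterwards refuses the address for good, which is what the blacklist step achieves.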
Looking at the results from the last 24 hours, I saw that there were two separate individual attempts to log in, but the third most recent record had registered 10 login attempts. I decided to add the IP address from this record to the IP blacklist. I then noticed that the attempts had risen from 10 to 11. ‘He’ was trying to ‘brute force’ the site while I was actually logged in…! I guess after that he hit a brick wall because I blocked the IP. This highlighted to me how real the threat is…
So, my first suggestion for WordPress security is to get yourself a plugin such as Loginizer that can detect attacks. My second tip is to make sure that ANY plugins you use are:
- Current – i.e. frequently updated, so that you can be sure they are kept secure from current threats – the easiest check is that they are compatible with the latest version of WP.
- Trustworthy – free plugins CAN be a security risk, so check the ratings/feedback and number of users as a preliminary test of trustworthiness.
More tips to follow, for which I will use the tag ‘wordpress security’.