WordPress is the biggest content management system around. The good thing about this is that there is a wide array of themes and plugins that various people have developed. The downside is that it makes WordPress a giant target for hackers. Security is paramount if you are going to power a website with WordPress.
Currently, WordPress websites are under attack. A network of 90,000 compromised sites is performing brute force attacks to try to gain access to WordPress websites. (For those who don’t know, brute force attacks attempt to learn your password by trying many common passwords in rapid succession. The more power behind the brute force attack, the shorter the span of time that it would take to guess your password and get in.) If your site is compromised, it will be added to the network and used to hack other sites. In other words, as the brute force attack succeeds, it becomes stronger and more capable of adding other sites.
How can you prevent this? Over at TypeAParent, I shared some WordPress plugins to help prevent spam and strengthen security. One plugin in particular would be helpful with this attack: Apocalypse Meow.
The first thing that Apocalypse Meow can do to protect you is remove the "generator" tag that WordPress adds to the website. This tag doesn’t display, but notes that WordPress created the website and even the version number that you are running. This might not be something you see, but to a hacker it is a flashing neon sign telling them just how to attempt to hack your website.
The second thing that Apocalypse Meow can do is rename your administrative account. By default, WordPress suggests the name "admin" for your admin username. Most people don’t change this and so millions of sites are administered by "admin." Hackers need only guess the password (not a hard proposition in many cases) and they have full control of the site.
Last week, there were over 7,000 login attempts made on TechyDad.com and TheAngelForever.com. That is about 2 attempts every 3 minutes. Of those attacks, 98.8% were trying to log in as "admin."
As a side note: These stats were recorded by Apocalypse Meow, which records all successful and failed login attempts. If one user tries and fails too many times (user defined, but starts at 5), then that user is locked out of logging in for a while. Usually, this thwarts brute force attacks, but in this case the attackers wisely assault sites from many different compromised WordPress installations.
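To see why a per-source lockout misses an attack spread over many machines, here is an added example (not Apocalypse Meow's code) that runs a 5-failure lockout over a constructed login log and compares it with counting failures per username. The log format, the 10-minute window, the 20-failure username threshold and all names are assumptions made for the illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): "<ISO time> <source IP> <username> <FAIL|OK>".
# 40 sources each try "admin" 3 times; one source tries "editor" 6 times.
T0, WINDOW = datetime(2000, 1, 1, 12), timedelta(minutes=10)
SAMPLE = [
    f"{(T0 + timedelta(seconds=20 * (3 * i + j))).isoformat()} 203.0.113.{i + 1} admin FAIL"
    for i in range(40) for j in range(3)
] + [
    f"{(T0 + timedelta(seconds=30 * j)).isoformat()} 198.51.100.7 editor FAIL"
    for j in range(6)
] + [f"{(T0 + timedelta(minutes=5)).isoformat()} 192.0.2.10 sitewriter OK"]


def parse(lines):
    """Turn log lines into (time, source, username, failed) tuples sorted by time."""
    events = []
    for line in lines:
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user, result == "FAIL"))
    return sorted(events)


def over_threshold(events, key_index, threshold, window):
    """Keys (1 = source, 2 = username) with >= threshold failures inside a sliding window."""
    recent = defaultdict(list)
    flagged = set()
    for event in events:
        if not event[3]:
            continue  # successful logins never count toward a lockout
        ts, key = event[0], event[key_index]
        recent[key] = [t for t in recent[key] if ts - t <= window] + [ts]
        if len(recent[key]) >= threshold:
            flagged.add(key)
    return flagged


def failed_username_share(events):
    """Fraction of failed attempts aimed at each username."""
    counts = Counter(e[2] for e in events if e[3])
    total = sum(counts.values())
    return {user: n / total for user, n in counts.items()}


if __name__ == "__main__":
    ev = parse(SAMPLE)
    print("locked-out sources:", over_threshold(ev, 1, 5, WINDOW))
    print("usernames under attack:", over_threshold(ev, 2, 20, WINDOW))
    print("failure share:", failed_username_share(ev))
```

In this sample the lockout stops only the single noisy source, while the 120 failures against "admin" stay under the per-source limit and show up only in the per-username count.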
Still, why not make things more difficult for the hackers? They are mainly looking for "admin", so rename the Admin account to something else. Make sure it is something you can remember, but nothing obvious like "admin1" or "administrator". Apocalypse Meow can help here too. It provides an easy method for renaming the admin account.
In a matter of seconds, you can thwart 98.8% of attacks, keep your site safe, and help make sure that your website doesn’t unwittingly get conscripted in the hacker’s brute force army.
NOTE: The computer image above is by DTRave and is available from OpenClipArt.org.