One of the easiest content management systems to set up and use is WordPress, the largest self-hosted blogging platform in the world, powering more than 60 million websites worldwide.
That fact may be a key reason why WordPress is in the news right now as the subject of a large-scale attack from a huge number of computers from across the internet – known as an automated botnet attack – attempting to take over servers that run WordPress.
Some are saying that this current attack is the precursor of a botnet of infected computers vastly stronger and more destructive than those of today. That’s because the servers have bandwidth connections that are typically tens, hundreds, or even thousands of times faster than botnets made of infected machines in homes and small businesses.
WordPress’ popularity comes at a price in a situation like this, as the weakness that accompanies the platform’s ease of use is weak security on the part of its users.
That weak security typically means continuing to use the word ‘admin’ as a user name – this is the default administration account that’s created when you first install WordPress – along with a password weak enough that brute-force guessing is likely to succeed, which is exactly what’s happening in this attack.
If you’ve disabled the default ‘admin’ account in your WordPress installation – or, even better, you’ve deleted it – and have something else in its place as the main administrator of your WordPress dashboard, that will likely take you out of the immediate target area of the attackers.
And if you’ve set a strong password – at least eight characters, in a combination of upper- and lower-case letters along with numbers and extended characters – you’re in a good position to be passed by if or when a botnet comes calling at your WordPress front door.
Don’t be complacent, though – this attack serves as a great reminder that securing your WordPress blog or website so that no one can get into it unless they’re invited is something you do need to be sure about.
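The attack described above shows up in a web server’s access log as a flood of POST requests to wp-login.php. The following is an added example, not code from the original post: a small detector in Python that parses Apache/nginx combined-format log lines and flags two patterns, a single IP hammering the login form and the distributed case where many different IPs each make only a few attempts. The log lines are constructed for the example, and it assumes the usual WordPress behaviour that a failed login re-renders the form with status 200 while a successful one redirects with 302.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one noisy IP, then three single-attempt IPs later,
# then one legitimate login (302) and unrelated traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Apr/2013:10:12:0%d +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"' % i
    for i in range(1, 7)
] + [
    '198.51.100.7 - - [15/Apr/2013:10:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [15/Apr/2013:10:30:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [15/Apr/2013:10:30:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [15/Apr/2013:10:40:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [15/Apr/2013:10:40:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [15/Apr/2013:10:41:00 +0000] "GET / HTTP/1.1" 200 12345 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path").split("?")[0], "status": int(m.group("status"))}


def failed_logins(lines):
    """POSTs to wp-login.php that re-rendered the form (status 200), oldest first."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == "/wp-login.php" and rec["status"] == 200:
            events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def detect_bruteforce(lines, window=timedelta(minutes=5),
                      per_ip_threshold=5, distinct_ip_threshold=3):
    """Sliding-window scan over failed logins.

    noisy_ips:   IPs with >= per_ip_threshold failures inside one window.
    distributed: True if >= distinct_ip_threshold different IPs failed inside
                 one window (the botnet pattern: many sources, few tries each).
    """
    failures = failed_logins(lines)
    counts = defaultdict(int)  # per-IP failures inside the current window
    noisy_ips, distributed, start = set(), False, 0
    for ev in failures:
        counts[ev["ip"]] += 1
        # drop events that fell out of the window
        while failures[start]["ts"] < ev["ts"] - window:
            old = failures[start]["ip"]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        if counts[ev["ip"]] >= per_ip_threshold:
            noisy_ips.add(ev["ip"])
        if len(counts) >= distinct_ip_threshold:
            distributed = True
    return {"failed_attempts": len(failures), "noisy_ips": noisy_ips,
            "distributed": distributed}


if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
```

The thresholds are deliberately low so the constructed sample trips both signals; on a real log you would raise them and feed the noisy IPs to whatever blocking tool your host provides. The distributed flag is the one to watch for an attack like this one, since per-IP rate limiting alone does nothing against tens of thousands of sources that each try a handful of passwords.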
So what can you do to make your site secure enough right now to deter such attacks in the future?
First, make sure you have the latest WordPress version installed. As of today, that version is 3.5.1.
If you still have an administrative user called ‘admin,’ there are two steps to take:
- Create a new admin account with a different name and give it a strong password.
- Delete the ‘admin’ user account; during that procedure, WordPress will ask you which other account to assign the posts, pages, etc. created by ‘admin’ to. Choose the new admin account you just created.
Next, enable two-step verification for each user in your WordPress account. The simplest such service for a WordPress user to install and implement is the open source Google Authenticator. If you have that enabled for your Google account, or other services such as Dropbox or Amazon S3, then you’ll be familiar with how it works.
And you’re in luck for your self-hosted WordPress site as there’s an excellent plugin that sets it up for you – Google Authenticator plugin for WordPress.
Grab it now, either by downloading it from the WordPress plugin repository or installing it via the ‘add new plugin’ function in your WordPress dashboard.
You’ll need the free Google Authenticator app for your smartphone in order to use this security feature. There are versions for Android, Blackberry and iOS.
And if you then follow the excellent “How To Enable 2-Step Authentication On Your Self-Hosted WordPress.org Site” guide published last week by Techfleece, you’ll be up and running in no time with a WordPress site that will give you more peace of mind than you had before.
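Google Authenticator generates time-based one-time passwords (TOTP, RFC 6238): the app and the site share a secret, and every 30 seconds each derives a six-digit code from that secret and the current time. The following is an added example, not the plugin’s code or the post’s: a Python implementation of the server side of that check, including the one-step clock tolerance most verifiers allow and a guard against a code being accepted twice. The secret is the RFC 6238 test vector, so the expected codes are the published ones.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test secret ("12345678901234567890" in base32); a real site
# generates a random secret per user and shows it as a QR code.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter = unix time // step."""
    return hotp(secret_b32, int(at_time) // step, digits)


class TotpVerifier:
    """Server-side check with a +/- window of steps and replay protection."""

    def __init__(self, secret_b32, window=1, step=30, digits=6):
        self.secret, self.window, self.step, self.digits = secret_b32, window, step, digits
        self.last_counter_used = -1  # highest counter already accepted for this user

    def verify(self, code, at_time=None):
        at_time = time.time() if at_time is None else at_time
        counter = int(at_time) // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter_used:
                continue  # already consumed: blocks replay of a sniffed code
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_counter_used = candidate
                return True
        return False


if __name__ == "__main__":
    print("code for right now:", totp(RFC_TEST_SECRET, time.time()))
```

Two design points worth noting: the comparison uses `hmac.compare_digest` so a timing side channel cannot leak which digits matched, and remembering the last accepted counter means a code captured from a login form cannot be replayed within its 30-second lifetime. A second factor like this protects against exactly the password-guessing described above, because a guessed password is useless without the current code.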
In my view, this is the bare minimum you should have set up on your self-hosted WordPress site: it gives you a good level of security for your peace of mind and makes it more difficult to hack into your site.
There’s a lot more you can do as well including steps to take to better secure the server on which your WordPress platform is installed. There’s a great tutorial on the WordPress Codex that can tell you more.
Don’t let spammers, hackers or botnets mess up your presence on the web. You can be secure.
This post was first published on the Official WebHostingBuzz Company Blog on April 16, 2013. Founded in 2002, WebHostingBuzz is a web hosting company based in Auburn, MA, USA and in the UK. It offers web hosting, reseller hosting, VPS hosting, and dedicated hosting services from data centres across the United States and in Europe. WebHostingBuzz is a sponsor of NevilleHobson.com.
If your WordPress site runs at WordPress.com – it’s hosted by that service, not on your own server – follow this guide to set up two-step authentication: Greater Security with Two Step Authentication.
See also:
- WordPress Sites Targeted by Mass Brute-force Botnet Attack – April 15 notification from the Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT).
- Further Steps To Combat The World-Wide Brute Force Attempts Against WordPress – advice on server protection from the WebHostingBuzz tech support team on April 13.
- WordPress botnet attack: Improve your security – tips in plain English from small-business marketing expert Jim Connolly on April 13.
39 responses to “How to secure your WordPress site against hacker attacks”
RT @jangles: How to secure your WordPress site against hacker attacks: One of the easiest content management systems to set up… http:/ …
How to secure your WordPress site against hacker attacks http://t.co/gfpoa9CmAQ
How to secure your WordPress site against hacker attacks: http://t.co/T7lkQ6iDS2 via @jangles >simple clear advice – thks Neville #mipaa
“Don’t be complacent”. Quite. Useful article. RT @jangles How to secure your WordPress site against hacker attacks http://t.co/bGOZnAb3p4
Thanks Neville, great advice.
Now, having solved the WordPress issue, if you could apply your straightforward, common sense approach to the situation in North Korea and the European economic crisis, and have a solution before lunchtime, then you could take the afternoon off and consider it a good day’s work!! :-)
I really appreciate your no-nonsense insight to communication issues.
Best
Al
Thanks, Al, appreciate it.
Now we just need a cool redirect procedure so that all those visits from the botnet of 90,000 IP addresses go to North Korea…
RT @jangles: How to secure your WordPress site against hacker attacks http://t.co/gfpoa9CmAQ
How to secure your WordPress site against hacker attacks http://t.co/jcxH5uHfkz
Hobson: How to secure your WordPress site against hacker attacks: One of the easiest content management system… http://t.co/r6zOIbYF6M
How to secure your WordPress site against hacker attacks http://t.co/ldPMlXEy7U
Must read for wordpressers: “@jangles: How to secure your WordPress site against hacker attacks: One of the easi… http://t.co/GsxYFpaxRU”
RT @jangles: How to secure your WordPress site against hacker attacks http://t.co/CQCXoimaE8
RT @Spiderworking: RT @jangles: How to secure your WordPress site against hacker attacks http://t.co/CQCXoimaE8
How to secure your WordPress site against hacker attacks: http://t.co/Mg1CTtrvET via @jangles
How to secure your WordPress site against hacker attacks http://t.co/fBfTqCl6LV @jangles
RT @dianarailton: How to secure your WordPress site against hacker attacks http://t.co/fBfTqCl6LV @jangles
Invaluable RT @jangles: How to secure your WordPress site against hacker attacks http://t.co/tTc74EksU2
Paolo Tosolini liked this on Facebook.
Stefano Paganini liked this on Facebook.
Useful RT @dianarailton: How to secure your WordPress site against hacker attacks http://t.co/v8lAijaPAO @jangles
[…] in case you hadn’t heard, WordPress had its servers attacked by over 90,000 botnets that have been targeting site ‘admin… Neville Hobson offers easy to follow advice on what you can do to make your site more secure. […]
How to secure your #WordPress site against hacker attacks
http://t.co/kjSXULDn2Z
RT @Darcy1968: How to secure your #WordPress site against hacker attacks
http://t.co/3twKFpJbgP
How to secure your WordPress site against hacker attacks http://t.co/q37uVFDHrU
@citizenscoop were you all able to resolve your site issues? You might have fallen to the recent wave of WP hacks: http://t.co/t6WJeMfhd8
RT @barryfurby: Must read for wordpressers: “@jangles: How to secure your WordPress site against hacker attacks: One of the easi… http …
How to secure your WordPress site against hacker attacks http://t.co/ptaKq98qV0
[…] How to secure your WordPress site against hacker attacks (nevillehobson.com) […]
Unfortunately I have seen a number of WP courses for beginners that do not warn of the perils of the Admin password, I have seen one that suggests using it. A lot of owners will never see this kind of post, this is the kind of article or reporting that should appear in the general media. I have strong passwords but still one of my sites got hacked recently, luckily I had it all backed up but still took many hours to resolve.
[…] How to secure your WordPress site against hacker attacks. […]
[…] There are many ways to secure your WordPress website, and one of them is by installing the latest version of WordPress, as well as the latest released plugins. By upgrading your website, you are also updating your security system, which of course only means that you are effectively eliminating any risk of hacker invasion. […]
very informative and helpful, ty http://www.wowthemes.net/