Just last week, this site and many other WordPress-powered sites hosted on popular web hosts such as Hostgator, Inmotion and Arvixe were hit by a widespread brute force attack. I couldn’t log into my Admin Dashboard or do anything at the backend. When I first noticed this, I thought it was an error in WordPress core, and I posted a support request in the support forums. But according to the buzz around the web, it seems I was just one of many WordPress sites targeted by a general brute force flood attack.
As I type these words, there is an on-going and highly-distributed, global attack on WordPress installations across virtually every web host in existence. This attack is well organized and again very, very distributed; we have seen over 90,000 IP addresses involved in this attack.
The main force of this attack began last week, then slightly died off, before picking back up again yesterday morning. No one knows when it will end. The symptoms of this attack are a very slow backend on your WordPress site, or an inability to log in. In some instances your site could even intermittently go down for short periods.
We are taking several steps to mitigate this attack throughout our server farm, but in the same breath it is true that in cases like this there is only so much that can actually be done. The servers most likely to experience service interruptions will be VPS and Dedicated servers hosting high numbers of WordPress installations, due to the incredibly high load this attack has been seen to cause.
Hostgator.com
But thankfully, because of the many WordPress security options I have activated on my site, it was not compromised. In this article, I will show you the steps and plugins I have used to make my site much more secure, and how you too can do the same on your site.
Steps to Protect your WordPress Site
1. Change the default Admin user
When you first install WordPress, it creates a default user with administrator privileges named ‘admin’. This poses a serious security risk, because most of the brute force attacks targeted the ‘admin’ user. You should create a new user with administrator privileges and delete the ‘admin’ user.
2. Use a strong password
This is very important. A strong password is made up of uppercase and lowercase letters and some symbols, and should not be less than 12 characters in length. If you find it hard to remember passwords, you can use a password manager. There are many of them; I recommend and use LastPass. It is free and is available on several platforms, both desktop and mobile. Change your password NOW!
3. Always keep WordPress Core Files and your Plugins Updated
This cannot be stressed enough! Keeping WordPress updated helps you stay ahead of the hackers and the vulnerabilities they discover in WordPress. The WordPress core team is always working to keep the software ahead of the curve, so always make sure that you update regularly. This also extends to your plugins.
4. Make Regular Backups of your WordPress Site
Having backups of your site helps if your site goes down. With a backup at hand, you can easily come back online and get your site running again as soon as possible. I back up my site automatically to my Dropbox account. You can also back it up manually via your cPanel.
5. Use WordPress Security Plugins
WordPress by itself is quite secure, but you can still extend its security with some very powerful and useful plugins. On all my WordPress sites, I use the BulletProof Security and Limit Login Attempts plugins. BulletProof Security makes my wp-admin folder much more secure by creating a .htaccess file in the root of /wp-admin, while Limit Login Attempts does not allow more than 3 login attempts from any single IP (you can change this number in the plugin’s settings).
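To show what a "no more than 3 login attempts per IP" rule actually does against the kind of traffic described above, here is a small added example (my own code, not part of the original post and not the Limit Login Attempts plugin’s code) that reads web server access log lines and applies a sliding-window limit. It assumes the combined log format and uses one heuristic, labelled as such in the comments: a POST to wp-login.php answered with a 200 is a failed login (WordPress re-renders the form), while a 302 redirect into wp-admin is a successful one. The log lines are constructed for the example; the window of 20 minutes is an assumed setting, not one from the post.

```python
"""Sliding-window login-attempt limiter over WordPress access log lines.

Added example; constructed sample data, not real traffic.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log (RFC 5737 documentation addresses, not real clients):
# 203.0.113.10 fails four times within seconds,
# 198.51.100.7 logs in successfully (302) and then browses wp-admin,
# 192.0.2.44 fails four times, but the first failure is 30 minutes earlier.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Apr/2013:09:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
203.0.113.10 - - [10/Apr/2013:09:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
203.0.113.10 - - [10/Apr/2013:09:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
203.0.113.10 - - [10/Apr/2013:09:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
198.51.100.7 - - [10/Apr/2013:09:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.7 - - [10/Apr/2013:09:05:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000
192.0.2.44 - - [10/Apr/2013:09:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
192.0.2.44 - - [10/Apr/2013:09:40:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
192.0.2.44 - - [10/Apr/2013:09:41:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
192.0.2.44 - - [10/Apr/2013:09:42:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
"""


def parse_line(line):
    """Return (ip, datetime, method, path, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def is_failed_login(method, path, status):
    """Heuristic (assumption): WordPress answers a failed POST to wp-login.php
    with 200 and the login form again; a successful login answers with a 302
    redirect into wp-admin."""
    return method == "POST" and path.startswith("/wp-login.php") and status == 200


def failures_per_ip(log_text):
    """Total failed login attempts per client IP, ignoring time."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_failed_login(*rec[2:]):
            counts[rec[0]] += 1
    return dict(counts)


def detect_lockouts(log_text, max_attempts=3, window=timedelta(minutes=20)):
    """Sliding-window limiter: an IP is locked out at the first failure that
    raises its number of failures within `window` above `max_attempts`.
    Returns {ip: datetime of the lockout}."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    lockouts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        ip, ts, method, path, status = rec
        if ip in lockouts or not is_failed_login(method, path, status):
            continue
        q = recent[ip]
        while q and ts - q[0] > window:   # forget failures older than the window
            q.popleft()
        q.append(ts)
        if len(q) > max_attempts:
            lockouts[ip] = ts
    return lockouts


if __name__ == "__main__":
    for ip, when in detect_lockouts(SAMPLE_LOG).items():
        print(f"lock out {ip} at {when.isoformat()}")
```

Run on the sample, only 203.0.113.10 is locked out, at its fourth failure. 192.0.2.44 also fails four times in total but never has more than three failures inside a 20-minute window, so the limiter lets it through; widen the window to an hour and it is locked out as well. That is the trade-off the plugin’s settings expose: a longer window catches slow, patient attempts, while a shorter one forgives a legitimate user who mistyped a password earlier in the day.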
6. Use the 5G Htaccess blacklist from Jeff Starr
This is a .htaccess file containing hundreds of bad IPs and rules on how your site should handle them. The 5G blacklist is meant to replace the normal .htaccess file in your WordPress root. It also logs unauthorised attempts to log into your site. You should check it out.
7. Use a Good Webhost
I wonder what could have happened if my site had not been hosted on a strong server that could withstand the attack. You should make sure that your site is hosted on a secure and strong web server. This site is currently hosted on Arvixe Webhosting, and I am not complaining.
There are many other things you could do to protect your WordPress site from brute force attacks and other hacks, but the above tips are the ones I have implemented on my sites. The WordPress Codex has a nice article on WordPress brute force attacks, and there is another on the Sucuri blog if you need more information on how to protect your WordPress site.
Please share this article with your friends to alert them to the current security risk so that they too can protect themselves.
Do you have any other tips you use to protect your WordPress site? Please feel free to share them with us in the comments.