Is your WordPress Website Secure?
Recently the “botnet” has been running wild on WordPress sites, and on the providers that host those sites. For those who haven’t heard, the “botnet”, aside from having a cool super-villain type nickname, is a brute-force password-guessing attack aimed squarely at the WordPress login page: it keeps punching the door with username and password combinations until one of them opens it.
After getting in, this very unfriendly bot plants a backdoor that lets the villains get back into the site and control it later. Then the infected site is made to attack other sites. All in all it sounds very much like a Borg assimilation, or for the non-nerds who don’t follow Star Trek, a WordPress Zombie Apocalypse. So far estimates put the number of infected sites close to 100,000.
So what can you do if you are running this popular content management and blogging system? Obviously a double-tap to the server would end the threat, but then your site would be down. Instead of that extreme response might we suggest a few alternatives?
Ways to Upgrade WordPress Security
- Change the Password – First things first: change your admin password and make sure it is more complex than DerekJeter2. It should be at least eight characters with a random mix of upper and lowercase letters, digits and special characters. For example you might use ‘JETer@God#2!’, which you can still remember but is far from common. Length matters more than decoration, so a longer passphrase beats a short one dressed up with symbols. If you use Firefox or Google Chrome you can let the browser remember the password, which frees you to go even longer and more random.
- Change the Username – Most people leave the default “admin” username, and they often do the same on their networks. That hands the bot half the puzzle: it already knows the username, so it only has to guess the password. Install the Admin username changer plugin and pick a less obvious name.
- Limit Logins – Installing the limit logins plugin is a great way to shut down bot attacks. After a certain number of failed attempts from the same IP address the plugin blocks that address for a while. One caveat: a botnet that spreads its guesses across thousands of infected hosts may never trip a per-IP limit, so the strong password and the renamed account remain your real defence.
- Keep it Current – Update WordPress, and the themes and plugins you run on it, regularly. Yes it can be a pain, because nobody likes dealing with updates, but patches close holes people have already found, and attackers actively scan for sites still running the old versions.
- Trust Sources Only – Just like you don’t drive through certain neighborhoods at night (or ever), you don’t want to use themes and plugins that aren’t from a trusted site. Keep it safe and clean to ensure there aren’t any backdoor surprises from what you just picked up from that shady site.
- Malware Scanner – There is a handy plugin called Sucuri SiteCheck that checks your site for malware, spam and other nasty things you want gone faster than a wart on your nose.
- Security Scanner – The last step is to add the WP Security Scan plugin to your toolbox. This little gem looks for common vulnerabilities and misconfigurations and then suggests fixes. Think of it as a security consultant. If you have done the previous items it should not find much else that needs to be tweaked.
- Set up Scheduled Backups – How is this security, you ask? Strictly it isn’t. But if your site gets hacked and you have to restore it, a recent backup is far better than a stale one. How often you back up depends on how often you change content. Keep the copies somewhere the web server itself cannot overwrite, or a compromise can take the backups down with the site.
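As an added example (not code from the original post or from any of the plugins named above), here is a small Python model of what a limit-logins plugin does, replayed over constructed web-server access-log lines: count failed wp-login.php attempts per client IP inside a sliding window, lock the address out once it crosses a threshold, and show why a botnet that spreads its guesses across many hosts stays under a per-IP limit. The thresholds, the sample log lines, and the assumption that WordPress answers a bad password with a 200 re-render of the form and a good one with a 302 redirect are all assumptions of this example.

```python
"""Added example: a per-IP lockout for wp-login.php, replayed over log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" log prefix: ip ident user [timestamp] "METHOD PATH PROTO" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Policy knobs: assumed values, in the range a limit-logins plugin typically uses.
MAX_FAILURES = 4                 # failed guesses tolerated inside WINDOW
WINDOW = timedelta(minutes=5)    # sliding window the failures are counted in
LOCKOUT = timedelta(minutes=20)  # how long the IP is refused once it hits the threshold


def parse_line(line):
    """Fields of one access-log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"].split("?", 1)[0],
            "status": int(m["status"])}


def is_failed_login(entry):
    """Assumed failure signal: WordPress re-renders the form with HTTP 200 on a bad
    password and redirects (302) after a good one, so a 200 to a POST is a failed guess."""
    return (entry["method"] == "POST" and entry["path"].endswith("/wp-login.php")
            and entry["status"] == 200)


class LoginLimiter:
    """Sliding-window failure counter per client IP with a temporary lockout."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> when its current lockout expires
        self.lockouts = []                  # (ip, timestamp) for every lockout issued

    def check(self, entry):
        """Classify one request as 'locked', 'lockout', 'fail' or 'allow'."""
        ip, ts = entry["ip"], entry["ts"]
        until = self.locked_until.get(ip)
        if until is not None and ts < until:
            return "locked"       # lockout still active: refuse before any password check
        if not is_failed_login(entry):
            return "allow"        # fetching the form, a successful 302, or unrelated traffic
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()      # forget failures that slid out of the window
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = ts + self.lockout
            self.lockouts.append((ip, ts))
            recent.clear()
            return "lockout"      # this guess tripped the threshold
        return "fail"             # a failed guess, but still under the threshold


def replay(lines, limiter=None):
    """Feed log lines through a limiter; return (limiter, [(ip, verdict), ...])."""
    limiter = limiter or LoginLimiter()
    verdicts = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            verdicts.append((entry["ip"], limiter.check(entry)))
    return limiter, verdicts


def failed_ips(verdicts):
    """Every IP that made at least one failed guess, locked out or not."""
    return {ip for ip, verdict in verdicts if verdict in ("fail", "lockout")}


# Constructed sample traffic, not a real log. 203.0.113.7 hammers the login from one
# address, 198.51.100.2 is a real user, and 192.0.2.x is a botnet spreading one guess
# per infected host so that no single address ever reaches MAX_FAILURES.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Apr/2013:10:00:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3145' % i
    for i in range(5)
] + [
    '198.51.100.2 - - [12/Apr/2013:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3145',
    '198.51.100.2 - - [12/Apr/2013:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '192.0.2.1 - - [12/Apr/2013:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3145',
    '192.0.2.2 - - [12/Apr/2013:10:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3145',
    '192.0.2.3 - - [12/Apr/2013:10:02:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3145',
    '203.0.113.7 - - [12/Apr/2013:10:25:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3145',
    'not a log line at all',
]
```

To try it on a real server, pass the lines of your access log to `replay` instead of `SAMPLE_LOG`. In the sample, 203.0.113.7 is locked out on its fourth guess and refused on the fifth, while the three 192.0.2.x hosts each make a single failed guess and are never blocked; that gap is exactly why a distributed botnet shrugs off per-IP limits and why the strong password and non-default username carry most of the weight.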
There you have it; really that is pretty painless when you think about it. You might spend an hour or two adding a few plugins and making a few adjustments that will save you days of headaches and embarrassment if your site gets hacked.