
WordPress Security: How and Why You Need to Step Up Your Game

WordPress’s overwhelming popularity makes it a target for hackers. Specifically, it has seen thousands of attacks by botnets (networks of computers infected with malicious software) trying to gain entry to these sites by brute force.

Most of these attacks use the simplest method possible to gain access to a site: trying username and password combinations until they can log in. This method relies on user error, in that many WordPress users are unaware of their responsibility to keep their site secure.

When that’s the case, the botnets can try to log in to these sites countless times, since there’s simply nothing to stop them from it.

Image: Botnets are networks of computers infected with malicious software.

Why is WordPress being targeted?

The fact that WordPress is so ubiquitous makes it a constant target. 22 out of every 100 new active domains in the US are running WordPress, and it’s the CMS (content management system) for 14.7% of the top million websites in the world.

Users that aren’t proactive in protecting their site, or don’t update old plugins and WordPress versions, can unknowingly be exposing potentially major site vulnerabilities. Here are some tips to help you better secure your site against attacks.

Image: 22 out of every 100 new domains are set up with WordPress (the chart shows 11 out of 50).

Security tips for a safer, more secure WordPress install

1. Change your admin usernames

Do not use ‘admin’ as a username for your site; it is the username these attacks target most. Other usernames to avoid are administrator, manager, root, support, test, and user. To change a username in WordPress:

  • Log in with your administrator account and add a new user with administrator privileges. Make sure the display name is different from the username.
  • Once done, log out and log in as your new user, then delete your old administrator account.
  • You’ll be asked what should be done with posts owned by the old user: choose ‘Attribute all posts to’ and select your new username.

Image: The main point of attack for botnets, the wp-login page. Avoid having ‘admin’ as your username.

2. Make sure you have a strong password

By having a password that contains numbers, symbols, lower- and uppercase letters, and lots of characters, you’re making it a lot harder for those nasty botnets to guess your password. Here’s a list of passwords that you should definitely avoid (from the Worst Passwords of 2012):

  1. password
  2. 123456
  3. 12345678
  4. abc123
  5. qwerty
  6. monkey
  7. letmein
  8. dragon
  9. 111111
  10. baseball

We would also suggest staying away from passwords like ‘WordPress’ and ‘admin’ – you get the idea.

3. Add a server-level layer of authentication

Letting anybody reach your /wp-admin login screen makes it easier for hackers and bots to do their damage.

Adding an additional layer of security at the server level ensures that you alone control who can and can’t access /wp-admin in the first place.

There are a few ways to do this:

IP Restrict /wp-admin

White-list only your IP (and those you trust) in your .htaccess file to ensure /wp-admin is only accessible to authorized people.

Add these lines to your .htaccess file:

 # ALLOW USER BY IP
 order deny,allow
 deny from all
 allow from YOUR.IP.GOES.HERE

Find out your IP address here: http://www.whatismyip.com/

Add HTTP authentication to /wp-admin

Add an additional username/password credential via .htpasswd to /wp-admin. Users can’t even view the WP login page until they provide the appropriate username and password at the .htpasswd level.

Image: HTTP authentication popup.

Your hosting company might have a special setup for this (via control panel) – if not, here are two great resources to get htpasswd up and working for you:

  • Create htaccess authentication prompt: http://www.htaccesstools.com/htaccess-authentication/
  • Create htpasswd for username and password: http://www.htaccesstools.com/htpasswd-generator/
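As an added example (not code from the original post or from WordPress), the two protections above combined in Apache 2.4 ‘Require’ syntax and applied to wp-login.php itself, which lives in the site root rather than under /wp-admin, so an .htaccess placed only inside /wp-admin does not cover it. It assumes Apache 2.4 with mod_authz_core, mod_authz_host and mod_authn_file, AllowOverride permitting AuthConfig and Limit for the document root, and a placeholder .htpasswd path; the IP addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): print a .htaccess fragment for the
# WordPress site root that protects wp-login.php with both an IP allow-list and
# HTTP Basic authentication. wp-login.php sits in the site root, not inside
# /wp-admin, so an .htaccess placed only in /wp-admin leaves the login form open.
# Directives use Apache 2.4 "Require" syntax; the post's order/deny/allow lines
# are Apache 2.2 syntax and only work on 2.4 when mod_access_compat is loaded.
# Assumptions: Apache 2.4 with mod_authz_core, mod_authz_host and mod_authn_file,
# AllowOverride AuthConfig Limit for the document root; HTPASSWD_FILE is a placeholder.

HTPASSWD_FILE="/etc/apache2/wp-login.htpasswd"   # placeholder path; keep it outside the web root

# is_ipv4 ADDR -> exit 0 when ADDR is four dot-separated numbers in 0..255
is_ipv4() {
  echo "$1" | awk -F. 'NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 } { exit 1 }'
}

# wp_login_htaccess IP [IP...] -> prints the fragment; fails on a missing or bad address
wp_login_htaccess() {
  [ "$#" -ge 1 ] || { echo "usage: wp_login_htaccess IP [IP...]" >&2; return 1; }
  allow=""
  for ip in "$@"; do
    is_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 1; }
    allow="${allow}            Require ip ${ip}
"
  done
  cat <<EOF
# Both conditions must hold: a trusted source address AND a valid Basic-auth user.
<Files wp-login.php>
    AuthType Basic
    AuthName "WordPress login"
    AuthUserFile ${HTPASSWD_FILE}
    <RequireAll>
        Require valid-user
        <RequireAny>
${allow}        </RequireAny>
    </RequireAll>
</Files>
EOF
}

# Stand-alone demo with constructed addresses. Create the user file beforehand with
#   htpasswd -c "$HTPASSWD_FILE" adminuser     (apache2-utils / httpd-tools)
wp_login_htaccess 203.0.113.5 198.51.100.20
```

Redirect the output into the .htaccess in the WordPress document root; the /wp-admin directory can keep its own .htaccess as described above.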

4. Update update update!

WordPress is updated every so often and with that, problems are fixed. Security issues which come to light are addressed, and by not updating you are leaving those vulnerabilities in place. It’s important to keep your WordPress installation up to date, and this is especially true for plugins and themes. For the same reason, it’s also a good idea to remove all of the plugins that aren’t used on your site. Always make sure to back up your site before installing new plugins. If your website is hosted with gt.net you don’t have to worry about this: it’s done automatically every 24 hours and kept for 7 days, so at any point in time you will have 7 backups of your site, one from each day of the past week.

5. Plugins to improve your site security

Wordfence

Wordfence is a very straightforward and easy to use plugin. It acts as a firewall and anti-virus, and also suggests how to improve your site’s security. Make sure to check out the ‘Live Traffic’ section, where you can see all the failed login attempts against your site; the number is surprising.
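The failed logins that Live Traffic shows can also be counted straight from the web server’s access log. The following is an added example (not Wordfence’s or the post’s code) that flags client IPs hammering wp-login.php, assuming Apache combined log format and the default WordPress behaviour of answering a failed login POST with 200 (the form is shown again) and a successful one with a 302 redirect into /wp-admin; the log lines and the threshold are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): spot brute-force login attempts
# against wp-login.php in an Apache combined-format access log.
# A POST to wp-login.php answered with HTTP 200 is the login form being
# re-rendered, i.e. a failed attempt; a successful login is answered with 302.
# Constructed sample log lines are embedded below; THRESHOLD is an assumed
# tuning value, not something the post specifies.

THRESHOLD=5

# Constructed sample: one botnet client hammering the form, one admin who mistypes once.
SAMPLE_LOG='198.51.100.7 - - [10/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3891 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3891 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3891 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3891 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3891 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3891 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2013:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3702 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2013:10:05:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3891 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2013:10:05:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# failed_logins LOGFILE -> prints "count ip" for every client whose POSTs to
# wp-login.php were answered with 200 (failed attempts), highest count first
failed_logins() {
  awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { n[$1]++ }
       END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# brute_force_ips LOGFILE [THRESHOLD] -> prints only the IPs at or above the threshold
brute_force_ips() {
  failed_logins "$1" | awk -v t="${2:-$THRESHOLD}" '$1 >= t { print $2 }'
}

# Stand-alone demo on the embedded sample
main() {
  tmp=$(mktemp)
  printf '%s\n' "$SAMPLE_LOG" > "$tmp"
  echo "Failed wp-login.php attempts per IP:"
  failed_logins "$tmp"
  echo "Likely brute-force sources (>= $THRESHOLD failures):"
  brute_force_ips "$tmp"
  rm -f "$tmp"
}
main
```

On a real server, point failed_logins at the site’s access log (typically under /var/log/apache2/ or /var/log/httpd/) and feed the flagged addresses into the IP restrictions from tip 3.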

Better WordPress Security

This plugin will give you a more detailed review of what you can do to protect your site and more intricate security options. Be careful when activating settings that could conflict with other themes or plugins. These are highlighted in blue in System Status.

6. Think about Hosted/Managed WordPress Services

Hosting your WordPress platform on cheap, shared servers may put your site at more risk – you have no control over what other users on that same server will do, and that can potentially compromise your site.

In addition, performance can degrade over time as the hosting provider adds more users to that server, leaving you to fight one another for resources.

A good hosted/managed WordPress service can help keep your site fast and secure by:

  • Providing constantly updated servers/up-to-date security patches
  • Offering a firewall (software or hardware) – also with up-to-date security patches
  • Monitoring system performance for unusual activity (database requests, login attempts, etc.)
  • Having technicians that can understand the situation and provide instant help
  • Backing up and restoring services in the event of a compromised site

Our Hosted WordPress service offers all the above PLUS: 24/7 e-mail support and direct access to our engineers (no level-1 support) for a speedy fix, whenever you need it.

Conclusion

Although WordPress has seen a huge increase in attacks from botnets, with a few adjustments and some awareness you can keep your site safe. Matthew Mullenweg, the founding developer of WordPress, notes in his blog that if you change your admin username, ensure you have a strong password, and keep your site up to date, “you’ll be ahead of 99% of the sites out there and probably never have a problem.”


Image: Keep your site safe from botnets with these simple adjustments. Nice try botnets, nice try.

If you want to explore some more advanced WordPress security options, check out these resources: