WordPress is in the news this week because sites built with it have been targeted by a brute force botnet attack. In plain English, that means a massive automated attack on websites using lists of default usernames and easy-to-guess passwords.
If you follow basic security practice, this particular attack is not something you need to worry about. If you use ‘admin’ as your username and a weak password, your site will always be a potential target.
This type of attack happens fairly regularly, but never before has there been one on such a scale. If your site fails to address common security measures, it is displaying a green light to those who get pleasure out of hacking websites.
Having this type of attack in the news doesn’t mean WordPress is insecure; it just highlights insecure practices. At Canary Dwarf, we are very aware of how these attacks happen and how they can be avoided. We have built over 80 websites on WordPress, and none has ever been compromised.
Security as standard
Some of our customers choose not to have administrative access to their WordPress system, and so they are protected by our own security measures as standard.
Once we pass administrative access to a customer, it is up to them to follow our guidance on security best practice, but we would normally only pass the site over with essential security measures already in place.
WordPress is installed on over 100 million websites around the world.
In the real world, houses with windows are similarly vulnerable to robbers. The inhabitants of such houses understand that to protect their possessions, they need to take steps to secure them with locks, alarms, etc. It’s no different with WordPress, but millions of people don’t think security is important, and those are the site owners who will wake up one morning with a problem.
How to protect your site from any brute force attack
If your login name is ‘admin’, log in and go straight to ‘Users’, then add a new user with the Administrator role. You will need a different email address for this account. WordPress shows the strength of your password as you type it; if it is not rated strong, change it until it is. Use a long password with a combination of upper and lower case letters, numbers and symbols such as the dollar sign, the pound sign, exclamation mark, question mark and so on. Length and variety together are what make a password expensive to guess in a brute force attack. NEVER use a dictionary word, a portion of your username, your date of birth, your postcode, or anything else that could be looked up or guessed about you.
You don’t have to confirm the new account. Log out, log back in with the new username and password, go straight to ‘Users’ again and delete the ‘admin’ user account. When you delete it, WordPress will ask what to do with any posts and pages owned by that user: choose ‘Attribute all content to’ your new user, otherwise that content is deleted along with the account.
These two measures are the very basic essentials of WordPress security, as advocated by the developers at WordPress themselves.
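The two rules above (a strong password that contains no dictionary word or personal detail, and a username other than ‘admin’) can be checked mechanically, and the reason they matter can be shown by replaying the kind of guess list a botnet works through. The Python below is an added example written for this article; it is not code from WordPress or from Canary Dwarf. The guess list, the tiny dictionary and the salted-hash "verifier" are all constructed stand-ins (WordPress stores its own hash format; the point is only the number of attempts, which the hash does not change).

```python
import hashlib
import hmac
import os
import re

# Constructed sample data (not from the original article): guesses in the
# order a botnet might try them, and a toy dictionary of common words.
COMMON_GUESSES = [
    "password", "123456", "admin", "admin123", "letmein", "qwerty",
    "welcome", "password1", "wordpress", "abc123", "Password1", "Password1!",
]
DICTIONARY_WORDS = {"password", "welcome", "letmein", "admin", "wordpress",
                    "dragon", "monkey", "qwerty"}
SYMBOLS = set("$£!?@#%^&*()-_=+[]{};:,.<>/")
MIN_LENGTH = 12  # assumption: the article asks for "strong" but names no length


def password_problems(password, username, dob="", postcode="",
                      dictionary=DICTIONARY_WORDS):
    """Return the article's rules that `password` breaks (empty list = acceptable)."""
    problems = []
    lowered = password.lower()
    lowered_alnum = "".join(c for c in lowered if c.isalnum())

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in password):
        problems.append("no symbol")

    # Strip digits and symbols before the dictionary test, so that a decorated
    # word such as "Password1!" still counts as the word "password".
    core = "".join(c for c in lowered if c.isalpha())
    if core in dictionary:
        problems.append("based on a dictionary word")

    # Any three-character slice of the username appearing in the password.
    user = username.lower()
    if any(user[i:i + 3] in lowered for i in range(len(user) - 2)):
        problems.append("contains part of the username")

    # Date of birth / postcode: the whole value, or any token of 4+ characters.
    for label, value in (("date of birth", dob), ("postcode", postcode)):
        tokens = re.findall(r"[a-z0-9]+", value.lower())
        candidates = [t for t in tokens if len(t) >= 4]
        if tokens:
            candidates.append("".join(tokens))
        if any(t in lowered_alnum for t in candidates):
            problems.append(f"contains {label}")
    return problems


def make_verifier(password):
    """Constructed stand-in for a stored credential: a salted hash plus a
    check function, as a login form would use. Not WordPress's hash format."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

    def check(guess):
        attempt = hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, 10_000)
        return hmac.compare_digest(attempt, stored)
    return check


def brute_force(check, guesses=COMMON_GUESSES):
    """Try each guess in order. Return the attempt number that succeeded,
    or None if the whole list was exhausted without a hit."""
    for attempt, guess in enumerate(guesses, start=1):
        if check(guess):
            return attempt
    return None


if __name__ == "__main__":
    for user, pw in (("admin", "admin123"), ("editor", "Password1!"),
                     ("editor", "Tr4ck$-Gr33n_Pl4net!")):
        found = brute_force(make_verifier(pw))
        print(f"{user}/{pw}: problems={password_problems(pw, user)}, "
              f"found after {found} attempts")
```

The weak ‘admin’/‘admin123’ pair falls on the fourth guess, and ‘Password1!’ passes the character-class rules but is still a dictionary word once the decoration is stripped, which is exactly the kind of password a guess list covers. The long mixed password is not found at all. The constructed verifier uses a deliberately slow hash so that each attempt costs something, but a slow hash only raises the price per guess; it does not rescue a password that sits near the top of the list.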
Please note, though, that if your site has already been hacked, you will need to clean it up before doing the above; an attacker who still has a way in can simply add another user or put ‘admin’ back.
Over the years, many people have come to us with hacked sites, and we offer a 25-point security audit and will fix any security holes we find.
We can help
No site we have ever secured has been compromised by a brute force attack or any other type of attack, and we are confident that the sites we lock down have adequate protection against day-to-day threats.
If your site has been attacked, or you just want security advice, please email us at [email protected]
You can also get security and other tips by signing up for our newsletter or following us on Twitter and Facebook.