By now, unless you've been living under a very big rock, you have heard about the worldwide brute force attack on 90,000 (plus) WordPress websites. (In all honesty, 90,000 is a small number when you compare it to the number of actual WordPress installations – Forbes ran a story in 2012 about the total number of WordPress installations and it's BIG – 60 million.)
What is a brute force attack?
The “hackers” doing the ugly work in this case are using perhaps the least sophisticated approach to hacking a website. What they're doing is sending automated bots out to attempt to log into WordPress sites they find. They use the typical “admin” username and common passwords like “password.” They can also use “dictionary” terms that cycle throughout the login attempts (using “dog,” “cat,” and hundreds, even thousands, of different common words). Further, they can even put other “clever” variants into their bots to try many different variations of login attempts.
They try multiple versions of those common passwords, in all permutations. In several minutes, they can try to login to a single website dozens or even hundreds or thousands of times. This alone can overwhelm some servers, rendering your site unreachable.
These bots were sent all over the web, hitting multiple web hosts all at once, bringing their infrastructure to a screeching halt as well. So even if your site was untouched, you could have still gotten affected by this surge in traffic.
Because this is a numbers game to the hackers, they don't really care how many times they fail; they only care when their brute force logins work. When they are able to login using simple, easily guessed passwords and usernames, they can wreak a lot of havoc on your website. For example, they could install malware on your server so that when visitors drop by, they pick up viruses, adware, or keyloggers. Other nefarious things can be done, too, but we won't get into that…
WordPress Security Best Practices
So what can you do? Well, there are 3 immediately obvious things you can do, right now, today, that can keep your site immune from brute force hack attempts.
- Change your username from admin to something else.
- Change your password to something hard to guess.
- Install a WordPress plugin that limits login attempts.
You can accomplish #1 in a couple of different ways. The easiest, non-techie way is to install a WordPress plugin called “Admin Renamer Extended.” Change the admin name and then uninstall this plugin. You wouldn't want somebody to be able to get into your site (like a disgruntled employee, for example), change your administrator username, and then LOCK YOU OUT.
Another way is to log into your WordPress dashboard, create a new administrator user, re-assign any posts/pages to the new administrator that had been created by the first administrator, and then delete the first administrator account.
A “higher tech” way is to login to your cPanel, find “phpMyAdmin,” and go change the username for your administrator account in the User table of your WP database. Use this with caution: You can screw things up when you're mucking around in the database. It's not a huge deal…but a typo can screw you up. So, beware.
You can fix #2 simply by going to the User section of your WP dashboard and change your administrator password. Simple. Just use a very strong password. Use a password-generation tool like LastPass to help you with this. In general, the more character types (alpha, uppercase, lowercase, numeric, and special characters) and digits you have in your password, the more difficult it will be for a brute force attempt to be successful.
Finally, to address #3, you can use a plugin for WordPress like “Limit Login Attempts” which will simply “kick out” anybody (or anything, in the case of a bot) who has tried x number of times in y number of minutes. There are other parameters you can set, but you get the point.
These are NOT the ONLY things you can do to harden your WordPress security. However, they are things you can do right now to prevent brute force hacks on your WordPress website.
If you want a full-blown course in locking down your WordPress installations, go check out WP Secure Pro. It's a course I put together for Jason Fladlien and Wilson Mattos of Rapid Crush that goes through the above and a whole lot more.