The NetMediaBlog

Recent WordPress Hack Attempts and How to Stay Safe

April 22, 2013 By Nwosu Desmond 25 Comments

The wave of WordPress hack attempts spreading across the internet these days calls for serious concern. There have been reports of a brute-force botnet attacking WordPress sites, and users with the “admin” and “wordpress” usernames are the most targeted. Every day I receive reports of failed login attempts on Netmediablog.

Many of my fellow bloggers have complained of their blogs being hacked, and others have reported WordPress hack attempts on their blogs recently. The blogs most exposed to the recent brute-force botnet attacks are those that still use admin or wordpress as the login username, because the botnet tries those names with a list of common passwords. Getting hacked results in loss of income, downtime, disappointed visitors and so on, and restoring and fixing the damage is only easy if you have a regular backup of your entire blog. Read my article titled “Top 5 Cloud Backup Plugins for WordPress” to learn how to back up your entire WordPress site to the cloud.


Prevent WordPress Hack

You may not know how many times your site has faced hacking attempts, because you may not have seen anything unusual; you would be surprised when you find out. Now let’s see how we can stay safe from the recent WordPress hack attempts.

Change your administrator username: If you are still using “admin” or “wordpress” as your administrator username, change it now. The recent WordPress brute-force attacks target blogs with those usernames. Most hacking attempts are automated, and since many users who install WordPress through Fantastico keep usernames such as admin, wordpress and test, it is easy for a bot to try those first.

Change such usernames to something less predictable. WordPress only allows letters, numbers, spaces and a few punctuation characters (underscore, hyphen, period, @) in a username, so a mix of letters and numbers of at least 10 characters is about as far as you can go. Bear in mind that a username is not a secret: WordPress reveals it in author archive URLs (try yourdomain.com/?author=1) and in post bylines, so a changed username only filters out bots that work from a fixed list, not an attacker who looks at your site. The password is what actually has to hold. There are two ways to change your WordPress username. First, create a new user on your dashboard with the Administrator role, log in as that user, delete the old user (admin) and, when WordPress asks, attribute all of its posts to the new user. Remember to use something only you can remember as the new username. Second, read Babanature’s blog post titled “Changing your WordPress Username/login Name”.

Install the Limit Login Attempts plugin: Limit Login Attempts is an excellent plugin that locks out IP addresses that keep attempting to log in without success. With it you can limit the number of login retries, limit attempts to log in with auth cookies in the same way, get reports of failed attempts together with the source IP address, log all login attempts, and it can handle a server behind a reverse proxy so that the real client address, not the proxy, is the one locked out. Only enable that reverse-proxy option if you really are behind one; otherwise an attacker can put any address in the forwarded header and never get locked out.

Click here to download the Limit Login Attempts plugin; it is free.
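The lockout rule the plugin applies can also be run over the web server’s own access log, which is useful when you cannot install plugins or want to feed the result to a firewall tool such as fail2ban. The script below is an added example, not code from this post or from the Limit Login Attempts plugin; it assumes Apache’s combined log format and uses constructed log lines with documentation IP addresses. The failed-login signature it keys on is a POST to wp-login.php answered with HTTP 200, because WordPress re-renders the login form on failure and redirects (302) on success.

```python
"""Detect brute-force logins against wp-login.php in an Apache access log.

Added example, not code from the post or from the Limit Login Attempts
plugin. It applies the plugin's core rule, lock an IP out after N failed
logins inside a sliding time window, to web-server log lines. A failed
WordPress login re-renders the form with HTTP 200; a successful one answers
302 to wp-admin, so "POST /wp-login.php with status 200" is the failure
signature. The log lines below are constructed, not real traffic.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Apache combined log format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample (RFC 5737 documentation addresses):
# 203.0.113.5 hammers the form, 198.51.100.7 is a real user who logs in,
# 192.0.2.9 is a slow attacker spacing its attempts 15 minutes apart.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Apr/2013:06:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Apr/2013:06:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Apr/2013:06:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Apr/2013:06:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Apr/2013:06:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Apr/2013:06:01:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Apr/2013:06:01:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [22/Apr/2013:06:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/1.2"
192.0.2.9 - - [22/Apr/2013:06:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/1.2"
192.0.2.9 - - [22/Apr/2013:06:35:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/1.2"
192.0.2.9 - - [22/Apr/2013:06:50:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/1.2"
"""


def parse_line(line):
    """Return ip, ts (aware datetime), method, path, status for one log line; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # ignore any query string
        "status": int(m["status"]),
    }


def failed_logins(lines):
    """Yield (ip, timestamp) for every request that looks like a failed login."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == "/wp-login.php" and rec["status"] == 200:
            yield rec["ip"], rec["ts"]


def find_lockouts(lines, max_attempts=4, window_minutes=10):
    """Return {ip: time_of_lockout} for IPs with max_attempts failures inside a sliding window."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    lockouts = {}
    for ip, ts in failed_logins(lines):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that have aged out of the window
            q.popleft()
        if len(q) >= max_attempts and ip not in lockouts:
            lockouts[ip] = ts
    return lockouts


def failures_per_ip(lines):
    """Total failed logins per IP over the whole log, independent of any window."""
    return dict(Counter(ip for ip, _ in failed_logins(lines)))


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, when in find_lockouts(lines).items():
        print(f"lock out {ip} from {when:%H:%M:%S}")
    for ip, n in sorted(failures_per_ip(lines).items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} failed logins in total")
```

Run it and 203.0.113.5 is locked out at its fourth failure, the real user who logged in is untouched, and the slow attacker spacing attempts fifteen minutes apart slips under the ten-minute window but still shows up in the per-IP totals; widening window_minutes to 60 catches it as well. That is the trade-off every lockout plugin makes between catching slow attacks and locking out real users who mistype their password.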


Must Read: Necessary WordPress Security Plugins every blog should have.

Change the WordPress database table prefix: Do not install the WordPress database with the default wp_ table prefix; instead of “wp” use something else, for example abc_, ttt_ or xoxo_. Treat this as a small hardening step rather than a strong one: it only gets in the way of SQL injection payloads that hard-code the wp_ prefix, and an attacker who can run arbitrary queries can simply read the real prefix from the database. The prefix is set by the $table_prefix line in wp-config.php, and it is easiest to choose it at install time; renaming the tables on a live site also means updating the prefixed rows in the options and usermeta tables, so use a plugin or script that does all of it together.

Always update your WordPress: Every release fixes bugs, and attackers exploit known bugs to hack sites. Always make sure you have the latest WordPress version installed. The same goes for your themes and plugins, which are patched separately and are at least as often the way in; remove the ones you do not use rather than leaving them inactive, since an inactive plugin’s files can still be requested over the web.

Use strong passwords: Read my earlier blog post titled “Tips to creating strong passwords”. A strong, random password needs lifetimes to crack even for a program guessing at blazing speed, and it is the one control a brute-force botnet cannot get around. Use a different password for every site, so that a breach elsewhere does not hand over your blog as well.

Protect the wp-config.php file: Protecting your WordPress site is not entirely your responsibility; your host has to play its part too, and on shared hosting you face a greater danger. WordPress sites on shared hosting have been compromised through a method called symlinking. A symlink (symbolic link) is a filesystem entry that points at another file. On a shared server many customer accounts live on the same filesystem, and if the host has not isolated them properly, one account can create a symlink in its own web space that points at a file in your account and then open that link through the web server, which reads it with the server’s privileges.

What the symlink attack goes after is the full source of your wp-config.php, because that file holds your database host, name, username and password (and the authentication salts). The rule below tells Apache to refuse direct HTTP requests for wp-config.php on your own site, which matters if PHP handling ever fails and the file would otherwise be sent to the browser as plain text. On its own it does not stop a neighbouring account from reading the file through the filesystem; that part is on the host, who should run PHP as your own user (suPHP, FastCGI/PHP-FPM pools or similar), make sure wp-config.php is not world-readable, and configure Apache with SymLinksIfOwnerMatch rather than FollowSymLinks. Still, log in to your cPanel and add the following to your .htaccess file;

# protect wp-config.php
<Files wp-config.php>
  # Apache 2.4
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  # Apache 2.2 (Order/Deny are not available on 2.4 unless mod_access_compat is loaded)
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>

Add it anywhere in the file, and remember to back up your .htaccess before editing it. Then open http://domain.com/wp-config.php in your browser (replace domain.com with your own address): Apache should answer with a 403 Forbidden page instead of running or showing the file.

Allow access to the wp-admin folder from your computer alone: You can edit a .htaccess file so that only certain IP addresses can reach your admin folder. Put the code below in a .htaccess file inside the wp-admin directory, not in the site root (there it would lock out every visitor);

# wp-admin/.htaccess (Apache 2.2 syntax; on Apache 2.4 use: Require ip paste.your.ip.here)
Order deny,allow
Deny from all
Allow from paste.your.ip.here

Save the file and you are done: no other IP address can reach the dashboard. Two things to know. The login form itself, wp-login.php, lives in the site root, not in wp-admin, so this file alone does not stop the brute-force POSTs; wrap the same three directives in a <Files wp-login.php> block in the root .htaccess as well. And plugins and themes call wp-admin/admin-ajax.php from the public pages, so this rule can break features for ordinary visitors; if that happens, add a <Files admin-ajax.php> block with Allow from all above the rule. If your address changes you can always edit the file again through cPanel, FTP or SSH.

Note: I would not fully recommend this if you may need to use another network or computer to access your blog somewhere someday.

Update: You can also change the permissions of wp-config.php to 0444 so that it cannot be edited. Two caveats: 0444 still leaves the file readable by every other account on the server, which is exactly what the symlink attack relies on, so prefer 0400 (or 0440) wherever PHP runs as your own user; and never keep a backup copy such as wp-config.php.bbk in the web root, because Apache only passes .php files through the PHP interpreter and will serve a .bbk or .bak file to anyone who asks for it as plain text, credentials included. Keep such backups outside the public directory.
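To check whether wp-config.php is actually exposed, rather than trusting the chmod, here is an added example (not code from this post) that audits an installation directory: it flags a wp-config.php that other accounts can read or write, and any copy of it under another name that Apache would serve as plain text. The make_demo_root() helper and the files it writes are constructed for this example; point audit_wp_root() at a real web root to use it.

```python
"""Audit a WordPress web root for wp-config.php exposure.

Added example, not code from the post. It checks the two things the
advice above depends on but a bare 'chmod 0444' does not give you: that
no copy of wp-config.php under another name sits in the web root (Apache
only routes *.php through the PHP handler, so wp-config.php.bbk or
wp-config.php.bak is served to anyone as plain text, database password
included), and that the real wp-config.php is not readable or writable by
other accounts on the host. make_demo_root() builds a constructed layout.
"""
import os
import stat
import tempfile
from pathlib import Path

CONFIG = "wp-config.php"


def audit_wp_root(root):
    """Return a list of (finding, path) tuples for a WordPress installation directory."""
    root = Path(root)
    config = root / CONFIG
    if not config.is_file():
        return [("missing-config", str(config))]

    findings = []
    mode = stat.S_IMODE(config.stat().st_mode)
    if mode & stat.S_IROTH:
        # 0644 and the post's 0444 both leave this bit set: any other account on a
        # shared host (or a symlink served from its vhost) can read the file.
        findings.append(("world-readable", str(config)))
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(("group-or-world-writable", str(config)))

    for entry in sorted(root.iterdir()):
        # wp-config.php.bak, wp-config.php~, .wp-config.php.swp, wp-config.php.bbk ...
        if entry.is_file() and entry.name != CONFIG and CONFIG in entry.name:
            findings.append(("backup-copy-in-webroot", str(entry)))
    return findings


def make_demo_root(hardened=False):
    """Build a constructed web root in a temp dir: sloppy by default, fixed if hardened."""
    root = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    (root / "index.php").write_text("<?php // front controller\n")
    (root / CONFIG).write_text("<?php define('DB_PASSWORD', 'not-a-real-secret');\n")
    if hardened:
        os.chmod(root / CONFIG, 0o400)   # owner read only, nothing for group/other
    else:
        os.chmod(root / CONFIG, 0o644)   # the usual upload default: world-readable
        (root / "wp-config.php.bbk").write_text("<?php // stale copy, old credentials\n")
    return root


if __name__ == "__main__":
    for label, hardened in (("sloppy", False), ("hardened", True)):
        print(label, audit_wp_root(make_demo_root(hardened)) or "no findings")
```

The stricter option, which WordPress supports out of the box, is to move wp-config.php one directory above the web root so that no web request can ever reach it; the permission checks above still apply to it there.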

Conclusion:

Even if you apply every measure discussed here, there is no such thing as 100% security for WordPress. These measures take you most of the way, and the rest does not depend on you. Most WordPress hack attempts are automated, as I said earlier, and a site that is reasonably hardened is usually passed over in favour of easier targets unless someone has a specific reason to get in.

WordPress developers also work around the clock to close every exploit they find, and most hacking attempts rely on old exploits, which will not work against an up-to-date WordPress that also has the measures above in place.

So all I can advise is to do your part and, most importantly, always BACK UP your WordPress site so that even if you do get hacked you can recover everything. I hope you found this post useful; let me hear your views and contributions about the recent WordPress hack attempts and how to stay safe. Remember to subscribe to my RSS feed.


Filed Under: Blogging Tips Tagged With: blog security, secure wordpress, Wordpress hack, Wordpress security

Comments

  1. Suresh Khanal says

    April 22, 2013 at 6:00 am

    Great post about securing your WordPress blog and I really appreciate the huge insight you have shared. I’m particularly interested in “Allow access to the Wp-admin folder from your computer alone”, but problem in my case is that my IP address keeps changing every time I connect to the Internet. It would be more effective if I could specify my MAC Address but I wonder if it is possible.

  2. Nirmala says

    April 22, 2013 at 6:05 am

    Useful information and a timely post for bloggers to protect their WordPress accounts.

    I am new to WordPress, so I have to check these plugins to add.

    Nice suggestions to keep the WP account safe, will do it!

    Thanks for writing and sharing :)

  3. Nwosu Mavtrevor says

    April 22, 2013 at 6:36 am

    If you are not on a static IP address there is a way around it: you can simply use whatismyip.com to find your IP address every time, then use an FTP client to log in to your account and edit your .htaccess file and add more IP whitelist entries like this;

    order deny,allow
    deny from all

    # whitelist Your First IP address
    allow from xxx.xxx.xxx.xxx

    #whitelist Your Second IP Address
    allow from xxx.xxx.xxx.xxx

    #whitelist Your Third IP Address
    allow from xxx.xxx.xxx.xxx

    After you have edited and saved your .htaccess file, you can log in to wp-login using the new IP address; remember to remove such IPs from your .htaccess when you are done with them.

    That is a bad idea because MAC addresses can easily be spoofed. Over the Internet the MAC address is not visible; it would only be possible inside your own network.

    I don’t think it’s easy to use a MAC address for this purpose, since you can only access a server with an IP address; your MAC address may not matter much.

  4. Nwosu Mavtrevor says

    April 22, 2013 at 6:42 am

    Thanks Nirmala for visiting netmediablog, you can find other useful posts about securing wordpress blog on my site.

  5. Navneet says

    April 22, 2013 at 7:41 am

    Hi mate ,

    Good post. In recent days there have been a lot of brute force attacks on WordPress blogs. You are awesome. Thanks for these tips. Another tip is to have both an online and an offline backup. One last tip is adding a plugin called SABRE that prevents fake registrations which can worm your site. Installing an antivirus plugin is also not a bad idea. Great post. Liked it :)

    Regards,
    Navneet

  6. Nwosu Mavtrevor says

    April 22, 2013 at 8:43 am

    Thanks for your contribution to the post. SABRE is an awesome plugin and I use it on my site to block fake registrations, though I already set my blog to assign contributor status to new registrations because I allow guest posting; if you don’t, the best will be subscribers.

  7. Babanature says

    April 22, 2013 at 11:11 am

    Hello Mavtrevor,
    This is one interesting and most valuable post that every blogger should know. Many newbie bloggers that start blogging without coaching or advice will always use that username called “Admin”, and these are the names that always get hacked. From the start I didn’t like the name admin, because I love things that are unique.
    I just installed the plugin “Limit Login Attempts” and I have been seeing tons of hacking attempts. I change my password every time so it’ll be hard to break the shell.
    Thanks for mentioning my post, I do appreciate it bro. God bless and do have a lovely week ahead :D

  8. Nwosu Mavtrevor says

    April 22, 2013 at 11:16 am

    Thanks Babanature, I am glad you found this post interesting enough to comment on it, and I must say your post actually inspired this article, coupled with the tonnes of failed login attempt reports I have been receiving on my blog.

  9. Sriram says

    April 22, 2013 at 11:43 am

    Hi,
    Thanks for sharing this post with us.
    Recently, my blog got hacked and the hacker installed some virus on it. Luckily, I had made a backup of the blog. Every blogger should follow the steps you provided in this post.

    My tips to save WordPress blog:

    1) Deactivate and remove the plugins that you rarely use.

    2) Always have a backup of your blog on some cloud file storing sites such as Dropbox, Google Drive.

    3) Make use of the plugin called “Bullet Proof Security”, it helps to protect your .htaccess file and many more..

    4) Update your themes and plugins, if the update is available.

    5) Avoid installing free themes, as it may contains some malicious codes.

    Thanks,
    Sriram

  10. Nwosu Mavtrevor says

    April 22, 2013 at 12:13 pm

    This is a great addition to the article, especially avoiding free themes, and read every plugin’s reviews before you install it on your site. Thanks for the comment.

  11. Siegfried says

    April 22, 2013 at 3:19 pm

    A hacked WordPress is one of the worst things that could happen to a blogger. I use the Limit Login Attempts plugin as well – pretty good.

  12. Nwosu Mavtrevor says

    April 22, 2013 at 5:27 pm

    Thanks for your comment

  13. Theodore Nwangene says

    April 22, 2013 at 6:07 pm

    HI Desmond,
    This is really a very interesting post on WordPress security, man. I wonder what those people get from hacking these blogs; it’s not as if there is any money inside the blog, so what’s in it for them?

    I was a victim of that some days ago and that incident nearly killed my blog because after I restored my site, it started having many issues.

    I’ve already applied most of the security tips you shared here, will also try the ones I haven’t done.

    Thanks for sharing man and thanks for your comment on my blog.

  14. Nwosu Mavtrevor says

    April 22, 2013 at 6:22 pm

    I am glad your blog is back. When I read the article you published about the hack I felt bad, but just as you do not know why they hack these sites, I don’t know as well. All the same I hope the guide in this article will help you fortify your blog more and keep away such thieves.

  15. Shameem says

    April 27, 2013 at 6:55 pm

    Hey Bro,
    Nice tips regarding the security of our blog, but I need to convey that people are updating plugins which are outside the WordPress database; as many vulnerable ones are available online, make sure to update the valid ones and be safe. Also, changing your passwords frequently, every 3 or 6 months, can help. Meanwhile, thanks for the post.

  16. Nwosu Mavtrevor says

    April 27, 2013 at 8:54 pm

    Thanks for your comment…

  17. Akshat Bhanchawat says

    April 28, 2013 at 9:03 am

    Ya! Security is very necessary nowadays. All the points you have mentioned are very helpful. Thank you for it.

  18. Nwosu Mavtrevor says

    April 28, 2013 at 9:17 am

    Thanks and sure security is very essential these days.

  19. Emmanuel says

    April 28, 2013 at 11:22 am

    I’ve received a lot of hack attempts, but thanks to the login attempt plugin.
    Hackers are even trying my passwords with ‘going’.
    I’ll simply be damn to use ‘going’ as password.

    Thanks for bringing that up.

  20. Srikanth says

    April 28, 2013 at 2:11 pm

    Hi,
    The information was really useful to me! Since I’m very new to WordPress, these kinds of posts help me a lot!
    Thanks!!

  21. Suresh Khanal says

    April 28, 2013 at 2:31 pm

    I agree Nwosu, MAC Address won’t be technically possible. This is a good workaround to edit .htaccess file and gain access. I hope it will be more secure though very troubling to manage blog. I will need to edit .htaccess file every time my internet connection is reset.

    Anyway, thanks for this insight. I learned a lot through your post and discussion.

  22. Nwosu Mavtrevor says

    April 28, 2013 at 3:01 pm

    Thanks for your comment please follow the guide to secure your wordpress site.

  23. Nwosu Mavtrevor says

    April 28, 2013 at 3:02 pm

    Glad you found it useful. Thanks for your comment

  24. Nwosu Mavtrevor says

    April 28, 2013 at 3:04 pm

    Thanks Suresh Khanal for your contribution to the discussions.
