The WordPress hack attempts spreading across the internet these days call for serious concern. There have recently been reports of brute-force botnet attacks on WordPress, and users with the “admin” and “wordpress” usernames are the most targeted. Every day I receive reports of failed login attempts on Netmediablog.
Many of my fellow bloggers have complained of their blogs being hacked, and others have reported WordPress hack attempts on their blogs recently. The blogs vulnerable to the recent WordPress brute-force botnet attacks are those that still use admin or wordpress as the default login username. Getting hacked results in loss of income, downtime, disappointed visitors and more. Restoring and fixing the damage is only easy if you have a regular backup of your entire blog. Read my article titled “Top 5 Cloud Backup Plugins for WordPress” to learn how to back up your entire WordPress site to the cloud.
Prevent WordPress Hack
You may not know how many times your site has faced hacking attempts, because you may not have seen anything unusual; you would be surprised when you find out. Now let’s see how we can stay safe from the recent WordPress hack attempts.
Change your administrator username: If you are still using “admin” or “wordpress” as your administrator username, change it now. The recent WordPress brute-force attacks are targeted at blogs with such usernames. Most hacking attempts are auto-generated, and since most users who install WordPress through Fantastico keep usernames such as admin, wordpress and test, those usernames are easy to target.
Change such usernames to something more complex and harder to guess: add some numbers and special characters, and make it at least 10 characters long. There are two ways to change your WordPress username. First, you can create a new user with administrator privileges from your dashboard, delete the old user (admin) and attribute all of its posts to the new user you created. Remember to use something complex that only you can remember as the new username. Secondly, you can read Babanature’s blog post titled “Changing your WordPress Username/login Name”.
Install the Login Limiter WordPress plugin: The Login Limiter WordPress plugin is an excellent plugin; it locks out IP addresses that attempt unauthorized logins to your site. With this plugin you can limit the number of login retries on your site, limit in the same way the number of attempts to log in using auth cookies, report failed login attempts together with the source IP address, log all login attempts, and handle a server behind a reverse proxy.
Click here now to download the Limit Login Attempts plugin; it is also free.
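As an added example (not part of the original post and not code from the plugin itself), here is the kind of check such a plugin performs, written in Python over constructed access-log lines: count failed POSTs to wp-login.php per client inside a time window and mark clients that reach the limit for lockout. It also shows the reverse-proxy point from the list above: the X-Forwarded-For address is used only when the connecting address is a known proxy (10.0.0.5 is an assumed proxy address here), because anyone can put a fake value in that header. Telling a failed login (HTTP 200, the form is re-rendered) from a successful one (HTTP 302 redirect) is a heuristic based on how wp-login.php responds, not something the plugin documents.

```python
"""Flag source IPs hammering wp-login.php, the way a login-limiter plugin does.

Added example, not code from the original post or from any plugin. The
access-log lines below are constructed; the trusted-proxy address
10.0.0.5 and the thresholds are assumptions chosen for the demo.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined Log Format plus one trailing quoted field carrying the
# X-Forwarded-For header, which is what you see behind a reverse proxy.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<xff>[^"]*)")?'
)

# Constructed sample: one direct attacker, one editor who mistyped once,
# one real client behind the proxy, and one attacker spoofing X-Forwarded-For.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3842 "-"
203.0.113.7 - - [12/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3842 "-"
203.0.113.7 - - [12/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3842 "-"
203.0.113.7 - - [12/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3842 "-"
198.51.100.20 - - [12/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3842 "-"
198.51.100.20 - - [12/Apr/2013:10:00:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-"
10.0.0.5 - - [12/Apr/2013:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3842 "192.0.2.44"
10.0.0.5 - - [12/Apr/2013:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3842 "192.0.2.44"
10.0.0.5 - - [12/Apr/2013:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3842 "192.0.2.44"
10.0.0.5 - - [12/Apr/2013:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3842 "192.0.2.44"
203.0.113.99 - - [12/Apr/2013:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3842 "198.51.100.20"
203.0.113.99 - - [12/Apr/2013:10:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3842 "198.51.100.20"
203.0.113.99 - - [12/Apr/2013:10:02:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3842 "198.51.100.20"
203.0.113.99 - - [12/Apr/2013:10:02:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3842 "198.51.100.20"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def client_ip(rec, trusted_proxies=frozenset()):
    """Use X-Forwarded-For only when the connecting address is a trusted proxy;
    otherwise the header is attacker-controlled and must be ignored."""
    xff = rec.get("xff")
    if rec["ip"] in trusted_proxies and xff and xff != "-":
        return xff.split(",")[0].strip()
    return rec["ip"]


def is_failed_login(rec):
    """Heuristic: a failed POST to wp-login.php re-renders the form (200);
    a successful login answers with a redirect (302)."""
    return (rec["method"] == "POST"
            and rec["path"].startswith("/wp-login.php")
            and rec["status"] == 200)


def find_lockouts(lines, max_failures=4, window=timedelta(minutes=5),
                  trusted_proxies=frozenset()):
    """Return {client_ip: timestamp} for clients that reach max_failures
    failed logins within `window`, locked at the time of the last failure."""
    recent = defaultdict(deque)   # client -> timestamps of recent failures
    lockouts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_failed_login(rec):
            continue
        ip = client_ip(rec, trusted_proxies)
        if ip in lockouts:
            continue
        q = recent[ip]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= max_failures:
            lockouts[ip] = rec["ts"]
    return lockouts


if __name__ == "__main__":
    for ip, when in find_lockouts(SAMPLE_LOG.splitlines(),
                                  trusted_proxies={"10.0.0.5"}).items():
        print(f"lock out {ip} from {when.isoformat()}")
```

In the sample, 203.0.113.7 is locked directly, the client behind the trusted proxy is locked by its real address 192.0.2.44 rather than the proxy's, and 203.0.113.99 is locked by its own address even though it forged X-Forwarded-For to look like the legitimate editor 198.51.100.20; had the header been trusted blindly, the editor would have been locked out instead.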
Change the WordPress database table prefix: Do not install the WordPress database with the default wp_ table prefix. Instead of “wp” use something else, for example ABC, TTT or XOXO; use something complex that won’t be easy to guess.
Always update your WordPress: Every update fixes bugs, and hackers exploit bugs to hack your site. Always ensure you have the latest WordPress version installed; that way you will always have the best security measures in place.
Use strong passwords: Read my earlier blog post titled “Tips to creating strong passwords”. A strong password, even against an automatic program that guesses at blazing speed, still needs lifetimes to crack.
Protect the wp-config file: Sometimes protecting your WordPress site is not totally your responsibility; your host should also play its part. If you are on shared hosting you may be facing a greater danger. WordPress sites on shared hosting can get hacked by a method called symlinking. A symlink is a virtual link pointing to a file in a directory. In a shared hosting environment the hard disks are divided into several parts for different accounts, and if proper security measures are not in place, a shared hosting account can be taken over by another account on the same server through a symlink attack.
What the symlink attack does is obtain the full source code of your wp-config.php file to reveal your site details. The wp-config file contains all the SQL database connection settings, which means your database username and password are in it. So the best approach is to protect this file. Log in to your cPanel and edit your .htaccess file with the following code:
# protect wp-config.php
<Files wp-config.php>
deny from all
</Files>
Add it anywhere in the file. Remember to back up your .htaccess before editing it. Now go to your browser and check http://domain.com/wp-config.php (replace domain.com with your website address); it will show a 404 error page.
Allow access to the wp-admin folder from your computer alone: You can edit the .htaccess file inside your wp-admin folder to allow only certain IP addresses to access the admin folder. You can use the code below:
order deny,allow
deny from all
allow from paste.your.ip.here
Just add the code above to that .htaccess and you are done. No other IP address will be able to log in to your site. Note that you can always change the IP through SSH.
Note: I would not entirely advise this, especially if you may someday need another network or computer to access your blog.
Update: You can even go ahead and change the permissions of wp-config.php and wp-config.php.bbk to 0444 so they cannot be edited.
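An added example, not from the original post: a small Python audit that checks the three wp-config.php protections described above against a WordPress root directory. It verifies that .htaccess carries a <Files wp-config.php> block that denies access (either the Apache 2.2 “deny from all” or the Apache 2.4 “Require all denied” form), that wp-config.php is no longer writable (0444), and that no backup copies such as wp-config.php.bbk are sitting in the web root, since they hold the same database credentials. The demo() function builds a throwaway directory with constructed files (assumptions for illustration only) and runs the audit before and after hardening.

```python
"""Audit the wp-config.php protections: .htaccess deny block, 0444 permissions,
and leftover backup copies of the file.

Added example, not code from the original post. The throwaway site built by
demo() and its file contents are constructed for illustration only.
"""
import os
import re
import stat
import tempfile

SAFE_MODE = 0o444   # read-only for everyone, as the post's update suggests

# Matches the directive the post recommends, any case or spacing:
# <Files wp-config.php> ... </Files>
FILES_BLOCK_RE = re.compile(
    r"<files\s+\"?wp-config\.php\"?\s*>(?P<body>.*?)</files>",
    re.IGNORECASE | re.DOTALL,
)


def htaccess_protects_wp_config(htaccess_text):
    """True if some <Files wp-config.php> block in the text denies all access."""
    for m in FILES_BLOCK_RE.finditer(htaccess_text):
        body = m.group("body").lower()
        if (re.search(r"\bdeny\s+from\s+all\b", body)          # Apache 2.2 syntax
                or re.search(r"\brequire\s+all\s+denied\b", body)):  # Apache 2.4 syntax
            return True
    return False


def mode_is_read_only(mode):
    """True if no write bit and no execute bit is set (0444 or stricter)."""
    perm = stat.S_IMODE(mode)
    writable = perm & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH)
    return writable == 0 and perm & 0o111 == 0


def stray_config_copies(names):
    """Names that look like backup copies of wp-config.php (wp-config.php.bbk,
    wp-config.php.bak, wp-config.php~ ...); the shipped sample file is excluded."""
    return sorted(n for n in names
                  if n.startswith("wp-config")
                  and n not in ("wp-config.php", "wp-config-sample.php"))


def audit_site(root):
    """Run the three checks against a WordPress root; returns a list of findings."""
    findings = []
    ht = os.path.join(root, ".htaccess")
    protected = False
    if os.path.exists(ht):
        with open(ht) as f:
            protected = htaccess_protects_wp_config(f.read())
    if not protected:
        findings.append(".htaccess does not deny web access to wp-config.php")
    cfg = os.path.join(root, "wp-config.php")
    if os.path.exists(cfg) and not mode_is_read_only(os.stat(cfg).st_mode):
        findings.append("wp-config.php is writable; set it to 0444 once configured")
    for name in stray_config_copies(os.listdir(root)):
        findings.append(f"backup copy {name} holds the same credentials; remove it")
    return findings


def _write(path, text):
    with open(path, "w") as f:
        f.write(text)


def demo():
    """Build a throwaway site with the weak settings, harden it, audit both states."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed placeholder content, not a real configuration.
        _write(os.path.join(root, "wp-config.php"), "<?php define('DB_PASSWORD', 'placeholder');\n")
        _write(os.path.join(root, "wp-config.php.bbk"), "<?php // stale copy\n")
        _write(os.path.join(root, ".htaccess"), "# nothing protecting wp-config.php yet\n")
        before = audit_site(root)
        _write(os.path.join(root, ".htaccess"),
               "# protect wp-config.php\n<Files wp-config.php>\ndeny from all\n</Files>\n")
        os.chmod(os.path.join(root, "wp-config.php"), SAFE_MODE)
        os.remove(os.path.join(root, "wp-config.php.bbk"))
        after = audit_site(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before hardening:", *before, sep="\n  ")
    print("after hardening:", after or "no findings")
```

To use it on a real install, call audit_site() with the path of the WordPress root; a bare “deny from all” line that is not wrapped in a <Files> block is reported as unprotected, because on its own it denies access to the whole directory rather than to wp-config.php.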
Even if you implement all the security measures discussed here, there is no way to assume 100% security for WordPress. Most security measures only amount to 80% – 90%, and the rest may not depend on you. Most WordPress hack attempts are automated, as I said earlier, and if you can bring your WordPress security to even 80%, they may leave you alone and turn to easier targets unless they have a good reason to get in.
WordPress developers are also working round the clock to close any exploit they can find, and most hacking attempts use old exploits which may not be effective against your WordPress, especially if it is updated and you have applied the security measures discussed above.
So all I can advise is to do your part and, most importantly, always BACK UP your WordPress site so that even if you get hacked you can recover everything. I hope you find this post interesting; let me hear your views and contributions about the recent WordPress hack attempts and how to stay safe. Remember to subscribe to my RSS feed.