Botnet, ‘brute force’ attacks and keeping WordPress secure

There has been a lot of attention this week on a global botnet attack targeting WordPress websites. Many web hosts are seeing an increase in attempts to breach WordPress with a fairly basic dictionary attack. A botnet is a network of thousands of infected computers, controlled remotely, all running a program that looks for vulnerable websites. The current ‘brute force’ attack attempts to log in to the ‘admin’ user name using variations of common passwords or dictionary-based words.
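As an added example (not part of the original post), here is a small Python script that applies the point above to a web server access log: a failed WordPress login is a POST to wp-login.php that gets a 200 response (the login form is re-rendered), while a successful one gets a 302 redirect to wp-admin. The log lines are constructed for the example, the IP addresses are documentation ranges, and the thresholds are assumptions to tune for your own site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in combined log format; they are not real traffic.
# WordPress answers a failed login POST with 200 (it re-renders the form) and a
# successful one with a 302 redirect to wp-admin, which is the signal used here.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3523 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3523 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3523 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3523 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3523 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3523 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Apr/2013:10:00:05 +0000] "GET /about/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Apr/2013:10:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3523 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Apr/2013:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3523 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Apr/2013:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Apr/2013:10:02:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3523 "-" "Mozilla/5.0"
192.0.2.11 - - [12/Apr/2013:10:02:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3523 "-" "Mozilla/5.0"
192.0.2.12 - - [12/Apr/2013:10:02:25 +0000] "POST /wp-login.php HTTP/1.1" 200 3523 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:20:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3523 "-" "Mozilla/5.0"
this line is deliberately not a log entry
"""

# Fields we need from the combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?")[0],
        "status": int(m.group("status")),
    }


def is_failed_login(rec):
    """A POST to wp-login.php answered with 200 means the form came back: a failed attempt."""
    return rec["method"] == "POST" and rec["path"].endswith("/wp-login.php") and rec["status"] == 200


def max_in_window(times, window):
    """Largest number of (sorted) timestamps that fall inside any span of length `window`."""
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_bruteforce(lines, per_ip_threshold=5, window=timedelta(minutes=10)):
    """Return ({ip: peak failures in window} for noisy IPs, site-wide peak failures in window).

    The site-wide figure matters for a botnet: each infected machine may stay under the
    per-IP threshold while the total against the site is clearly abnormal.
    """
    failures = defaultdict(list)
    all_failures = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_failed_login(rec):
            failures[rec["ip"]].append(rec["ts"])
            all_failures.append(rec["ts"])
    flagged = {}
    for ip, times in failures.items():
        peak = max_in_window(sorted(times), window)
        if peak >= per_ip_threshold:
            flagged[ip] = peak
    return flagged, max_in_window(sorted(all_failures), window)


def scan_sample():
    """Run the detection over the constructed sample log."""
    return find_bruteforce(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    flagged, site_wide = scan_sample()
    print("IPs over threshold:", flagged)
    print("peak failed logins site-wide in window:", site_wide)
```

The 200/302 heuristic assumes stock WordPress behaviour; a plug-in that changes the login page or returns different status codes needs the check adjusted, and behind a reverse proxy or CDN the client address has to come from the forwarded-for header rather than the first field. Once an address or the site-wide count trips a threshold, the usual responses are rate limiting at the web server or firewall and temporarily blocking the source.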

Get rid of your admin user name

By default WordPress sets up an ‘admin’ user name. Create a new user name with administrator rights and then delete the ‘admin’ one. When asked, remember to attribute all your posts and pages to the new user name rather than deleting them along with the old user. Here is a great video from Lynda.com that explains how to do this.

Use secure passwords

If you can remember your password it is probably not secure enough. A ‘dictionary attack’ works its way through common words taken from a dictionary, hence the name. If your password does not contain a real word you are already more secure than most WordPress websites. There is a great post from WordPress.com about creating secure passwords.
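As an added example (not the original post’s or WordPress.com’s code), the Python check below does what the paragraph describes: it undoes the usual letter-for-symbol substitutions, looks for a dictionary word hidden inside the password, and estimates the size of the guess space in bits. The word list is a constructed stub, and the length and bit thresholds are assumptions.

```python
import math

# Constructed mini word list for illustration; a real check would load a full
# dictionary file (for example /usr/share/dict/words) plus leaked-password lists.
COMMON_WORDS = {"password", "admin", "welcome", "letmein", "dragon",
                "monkey", "wordpress", "football", "nottingham", "summer"}

# Undo the substitutions people use to disguise a word (P@ssw0rd -> password),
# so that a dictionary attack with the same rules is modelled, not just plain words.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password):
    """Lower-case the password and reverse common symbol/digit substitutions."""
    return password.lower().translate(LEET)


def contains_dictionary_word(password, words=COMMON_WORDS):
    """True if any word from the list appears inside the normalized password."""
    n = normalize(password)
    return any(w in n for w in words)


def entropy_bits(password):
    """Rough guess-space estimate: length * log2(size of the character pool used)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 32  # printable ASCII punctuation
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password, min_length=12, min_bits=60):
    """Return (ok, problems, bits). Thresholds are assumptions, not a WordPress rule."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if contains_dictionary_word(password):
        problems.append("contains a dictionary word (after undoing common substitutions)")
    bits = entropy_bits(password)
    if bits < min_bits:
        problems.append(f"estimated {bits:.0f} bits of guess space, below {min_bits}")
    return (not problems, problems, bits)


if __name__ == "__main__":
    for candidate in ["admin123", "P@ssw0rd2013!", "Summer2013", "xQ7#vLm2$pWz9!bK"]:
        ok, problems, bits = check_password(candidate)
        print(f"{candidate!r}: {'ok' if ok else 'weak'} ({bits:.0f} bits) {problems}")
```

The entropy figure is an upper bound that only holds for a genuinely random password; a word with a year bolted on scores well on the pool-size arithmetic yet falls to the dictionary check, which is why both tests are applied. In practice a password manager generating and storing a long random password removes the need to remember anything at all.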

Security Plug-ins

There are a few interesting security  plug-ins for WordPress that can also help to protect your website.

Bad Behaviour – a free plug-in that helps to secure your website and blocks known blacklisted IPs. I use this one on all my WordPress websites.

Better WordPress Security –  also has consistently good reviews.  However, it is not one I have personal experience of.

Keep WordPress up-to-date

There are regular updates to help combat any security vulnerabilities. Always keep up-to-date. This includes updating your plug-ins.

Use good quality themes

A theme is the design and layout of your WordPress site.  A good theme will be flexible enough for you to insert logos and change colour schemes to reflect your brand.  It will also be built with security in mind.  You can download new themes from directly inside the dashboard of your WordPress site.  Always click on the ‘details’ link before installing a new theme to check out its credibility and compatibility with your site. There are a lot of free themes of varying quality.

  • Check how many people have downloaded it
  • Check whether there are any good reviews
  • Be aware that a distinctive free theme may be used on a lot of other sites
  • If you decide to go for a commercial theme, do some research on the designer
  • You need a theme that is regularly updated
  • Check the theme is designed for your version of WordPress
  • Ensure your theme is flexible enough to accept plug-ins
  • If possible, visit the designer’s home page and do some research.

It is worth spending some time on this, as the theme controls the design of your site and has a major influence on your visitors’ experience.

What are plug-ins and how do I know if they are any good?

Plug-ins are extensions to the functionality of WordPress. They range from inserting the code for Google Analytics, to linking to your social media accounts, to a shopping cart that turns your site into a fully functional on-line shop. There are a lot of free and commercial plug-ins.

  • Do your research and make sure the plug-in you are going to install is created by a reputable developer
  • How many times has it been downloaded?
  • Are there any favourable reviews?
  • Is it supported by your current version of WordPress?
  • Is it still being supported and upgraded regularly?
  • Visit the developer’s home page.

Back up your site regularly

Before you update your site, always back up your files and database. Backups can be done manually or by using a plug-in. Regularly backing up your website also ensures that if you are ever hacked it is easy to return to a clean version of your website.

Learn more

These are just a few of the resources that I find useful.  I’m sure as you research you will find many more.

Hardening WordPress – Slightly technical but well worth a read

WordPress Backups – Covers manual backups as well as links to some automated solutions

10 Steps to a Secure WordPress Website – Some good advice on specific security measures against malware

Line and Form are Nottingham based WordPress Experts

Don’t hesitate to get in touch via email at [email protected]