Guides By Eshop Hosts 10.6.2013

Is Your WordPress Secure?

There have been many recent reports of what appears to be a well organised attack on websites using WordPress. The attack targets WordPress installations with very weak and common Administrator usernames and passwords used to log into the WordPress administration area.


This type of attack is commonly referred to as a Brute Force attack. The recent one is very widespread, utilising a ‘botnet’ spread across various locations and reportedly emanating from over 90,000 IP addresses.

In layman’s terms a ‘botnet’ (the word stems from the words robot and network) is a group of internet-connected programs that are coded to perform certain tasks over the internet. In this instance the ‘botnet’ crawls the internet, visits websites it identifies as using WordPress and then makes multiple attempts at logging into the administration area using an extensive list of commonly used usernames and passwords.

If the WordPress installation is successfully hacked, the attacker has gained access to the web server that the website is hosted on. This allows the hacker to build an even larger and more powerful ‘botnet’, because hosting servers have much more processing power than the home computers that hackers usually target for this purpose. The ‘hacked’ servers can then be used collectively within a large network to perpetrate massive denial of service attacks, to send large amounts of spam email, to commit click fraud and so on.

Securing Your WordPress

WordPress is one of the most commonly used blogging platforms on the internet: there are reportedly around 64 million WordPress sites online, visited by an estimated 371 million people every month. Because of its popularity there are many developers that create useful plug-ins, available to install and use for free or at low cost, including some very good plug-ins that will increase the security of your WordPress installation.

Some Recommended WordPress Security Measures and Plug-ins

The first steps to increase your WordPress security are to ensure that your site administrators use a username that is something other than the default ‘admin’ username (which is often set automatically during the installation of WordPress) and to create a strong password that includes upper and lower case letters as well as numbers and special characters. You should also ensure that your WordPress installation and installed plug-ins are always kept up to date.

We have compiled the following short list of available WordPress plug-ins that can further increase your WordPress security and reduce the chances of your website being hacked by a Brute Force attack:

WP Security Scan

WP Security Scan is a plug-in that checks your WordPress website/blog for many security vulnerabilities and also suggests the corrective actions you can take to fix them such as changing your Passwords, changing your File permissions, increasing your WordPress Database security and more.

Limit Login Attempts

Limit Login Attempts is a useful plug-in that blocks an IP address from making further login attempts once a limit on retries that you set is reached, which makes a brute-force attack from that address difficult or impossible.

While this plug-in isn’t as effective against the ‘botnet’ attack, because of the large number of IP addresses used as part of that Brute Force attack, it is still good to have to deter the many manual attacks that take place.
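To show why a per-IP retry limit stops a single attacking address but, as noted above, does little against a botnet that spreads its guesses across many addresses, here is an added simulation (not the plug-in’s own code). The retry limit of 4, the 20-minute lockout and the attempt streams are assumed values constructed for the example.

```python
from collections import defaultdict

MAX_RETRIES = 4            # assumed "allowed retries" setting
LOCKOUT_SECONDS = 20 * 60  # assumed lockout length after the limit is hit


class LoginLimiter:
    """Per-IP failed-login counter with a timed lockout, as Limit Login Attempts does."""

    def __init__(self, max_retries=MAX_RETRIES, lockout=LOCKOUT_SECONDS):
        self.max_retries = max_retries
        self.lockout = lockout
        self.failures = defaultdict(int)  # ip -> consecutive failed attempts
        self.locked_until = {}            # ip -> time (seconds) the lockout expires

    def is_locked(self, ip, now):
        return self.locked_until.get(ip, 0) > now

    def record_failure(self, ip, now):
        self.failures[ip] += 1
        if self.failures[ip] >= self.max_retries:
            self.locked_until[ip] = now + self.lockout  # block further attempts
            self.failures[ip] = 0

    def record_success(self, ip):
        self.failures.pop(ip, None)  # a real login resets the counter


def simulate(limiter, attempts):
    """attempts: list of (time, ip, password_ok). Returns (checked, blocked) counts."""
    checked = blocked = 0
    for now, ip, ok in attempts:
        if limiter.is_locked(ip, now):
            blocked += 1          # rejected before the password is even compared
            continue
        checked += 1
        limiter.record_success(ip) if ok else limiter.record_failure(ip, now)
    return checked, blocked


def single_source(guesses=100):
    # Constructed: one address guessing once per second, every guess wrong.
    attempts = [(i, "198.51.100.7", False) for i in range(guesses)]
    return simulate(LoginLimiter(), attempts)


def botnet(guesses=100):
    # Constructed: the same wrong guesses spread so each address tries only 3 times,
    # staying below the retry limit, so the per-IP lockout never fires.
    attempts = [(i, f"203.0.113.{i // 3}", False) for i in range(guesses)]
    return simulate(LoginLimiter(), attempts)
```

Running `single_source()` gives `(4, 96)`: four guesses are checked and the rest are blocked, while `botnet()` gives `(100, 0)`: every guess reaches the password check.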

Duo Two-Factor Authentication

The Duo Security WordPress plug-in provides two-factor authentication to log into your WordPress administration area that will protect against account takeover and data theft.

By installing the Duo plug-in you will be required to sign up for one of Duo’s free or low cost plans. You can then set which user roles you want to enable two-factor authentication for (e.g. admins, editors, authors, contributors) and how they are authenticated.

AntiVirus for WordPress

AntiVirus for WordPress is an easy and safe tool to install on your WordPress website that will protect your site against many exploits, malware and spam injections.

The plug-in shows a virus alert in the admin bar, cleans up unnecessary files or database tables after you remove unwanted plug-ins, and carries out a daily scan of database tables and your theme template files, with email notification on completion.

Need Advice About Securing Your WordPress

Contact Us for a WordPress Security Audit
