19/03/2018 by EAC Directory
How to protect WordPress from intrusion
If you run a self-installed WordPress website, be aware that botnets around the world have shifted their attention from sending spam email to systematically breaking into WordPress installs. It is a lucrative business: WordPress powers around 40% of all blogs, so one working technique unlocks an enormous number of targets.
The bots usually brute-force the login page (wp-login.php) with the username admin and a dictionary of common passwords. If you left the default username as admin and chose a password that a dictionary attack can guess, your installation is at high risk of being taken over by one of these bots.
There are a number of ways to protect your WordPress site against these attacks, and here they are:
Limit login attempts
You can use the free Limit Login Attempts plugin, which lets you cap the number of login attempts a given IP address may make over a given period. You choose how many failed logins are allowed and how long an IP is locked out once it reaches that number. It can also email you when an IP has been locked out repeatedly and receives a longer ban. The plugin keeps a log of every failed attempt, and once that log starts to fill it may surprise you how many automated bots are hammering your login page. Two caveats: a large botnet can spread its guesses across many addresses so that no single IP trips the limit, so this is a speed bump rather than a wall; and if the site sits behind a reverse proxy or CDN, the plugin must be configured to read the real client address (for example from the X-Forwarded-For header), or it will see every visitor as the proxy's IP and lock everyone out at once.
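The same signal the plugin keys on can be read straight out of the web server's access log, which is useful for seeing what is hitting the site before (or instead of) installing anything. The script below is an added example, not code from the original post or from the Limit Login Attempts plugin. It assumes the Apache/nginx "combined" log format and uses the fact that a failed login is a POST to wp-login.php answered with HTTP 200 (WordPress re-renders the form), while a successful one is answered with a 302 redirect to wp-admin. The log lines are constructed for the example, not real traffic.

```shell
#!/bin/sh
# Added example, not from the original post or the Limit Login Attempts plugin:
# find brute-force runs in a combined-format access log and emit block rules.
# Failed login  = POST /wp-login.php answered 200 (form re-rendered with an error)
# Successful login = POST /wp-login.php answered 302 (redirect to wp-admin)

# Read combined-format lines on stdin and print "ip count" for every client
# with at least $1 failed logins, sorted by IP.
failed_logins_by_ip() {
  awk -v limit="$1" '
    # $1 = client IP, $6 = "METHOD (with the opening quote), $7 = path, $9 = status
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "200" { fails[$1]++ }
    END { for (ip in fails) if (fails[ip] >= limit) print ip, fails[ip] }
  ' | sort
}

# Turn "ip count" lines into nginx deny directives for an include file
# (an iptables rule or an .htaccess Deny line would do equally well).
deny_rules() {
  while read -r ip count; do
    if [ -n "$ip" ]; then
      printf 'deny %s;   # %s failed logins\n' "$ip" "$count"
    fi
  done
}

# Constructed sample, not real traffic: 203.0.113.7 fails five times,
# 198.51.100.9 fails once and then succeeds (302), 192.0.2.5 only loads the form.
SAMPLE_LOG='203.0.113.7 - - [19/Mar/2018:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Mar/2018:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Mar/2018:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Mar/2018:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Mar/2018:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
198.51.100.9 - - [19/Mar/2018:10:02:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
198.51.100.9 - - [19/Mar/2018:10:02:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [19/Mar/2018:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"'

# Usage on the sample: block anyone with four or more failures. Against a real
# server (paths assumed) it would be:
#   failed_logins_by_ip 4 < /var/log/nginx/access.log | deny_rules > /etc/nginx/conf.d/wp-bans.conf
printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_ip 4 | deny_rules
```

Only 203.0.113.7 is reported: the one-off failure followed by a successful login is a user mistyping, not a bot. The limitation mentioned above applies here too; a distributed botnet that spends only one or two guesses per address never crosses the threshold, so pair this with two-step authentication rather than relying on it alone.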
Install a two-step authenticator
If you already use two-step verification on your Gmail account or other services, the same authenticator app (Google Authenticator or any other TOTP app) works with a WordPress two-factor plugin. Even a bot that guesses your password then cannot log in without the six-digit code from your phone. Check that the plugin you pick also covers xmlrpc.php: XML-RPC accepts a username and password directly, and a plugin that only protects the login form leaves that route open.
Take Regular Backups
It is always good practice to take regular backups of your WordPress installation: zip and download all the WordPress files on your site, and export a copy of the current database.
Take daily or weekly backups depending on how often you update the site, so that you always have a recent copy of the whole installation. In case of a successful attack you can re-upload a previous backup, which minimises the downtime and stress of trying to recover a badly damaged install. Keep the copies somewhere other than the web server itself (an attacker who gets in can delete or tamper with backups stored alongside the site), and restore one into a test site occasionally to confirm it actually works.
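The manual zip-and-export routine above is easy to forget, so here it is as a script that can run from cron. This is an added example, not code from the original post: it reads the database credentials out of wp-config.php, dumps the database with mysqldump, archives the files with tar, and keeps only the most recent archives. It assumes a standard wp-config.php with define('DB_NAME', '...') style lines, mysqldump on the PATH, and the paths shown in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): scripted WordPress backup.
# Assumes a standard wp-config.php and mysqldump on PATH; paths are placeholders.
set -eu

# Print the value of define('KEY', 'value') from wp-config.php ($1 = file, $2 = KEY).
# Values containing a quote character are not handled.
wp_config_value() {
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Dump the database to a gzipped file ($1 = wp-config.php, $2 = output .sql.gz).
# The password goes through a temporary --defaults-extra-file rather than the
# command line, so other users on the box cannot read it out of `ps`.
wp_backup_db() {
  extra=$(mktemp)
  chmod 600 "$extra"
  printf '[client]\nuser=%s\npassword=%s\nhost=%s\n' \
    "$(wp_config_value "$1" DB_USER)" \
    "$(wp_config_value "$1" DB_PASSWORD)" \
    "$(wp_config_value "$1" DB_HOST)" > "$extra"
  mysqldump --defaults-extra-file="$extra" --single-transaction \
    "$(wp_config_value "$1" DB_NAME)" | gzip > "$2"
  rm -f "$extra"
}

# Archive the whole WordPress directory ($1 = site root, $2 = output .tar.gz).
wp_backup_files() {
  tar -C "$(dirname "$1")" -czf "$2" "$(basename "$1")"
}

# Keep only the newest $2 archives of each kind in directory $1.
prune_old_backups() {
  for pattern in '*.tar.gz' '*.sql.gz'; do
    ls -1t "$1"/$pattern 2>/dev/null | tail -n +$(($2 + 1)) | while read -r old; do
      rm -f "$old"
    done
  done
}

# Full run: $1 = WordPress root, $2 = backup directory, $3 = archives to keep.
backup_wordpress() {
  stamp=$(date +%Y%m%d-%H%M%S)
  mkdir -p "$2"
  wp_backup_db "$1/wp-config.php" "$2/db-$stamp.sql.gz"
  wp_backup_files "$1" "$2/files-$stamp.tar.gz"
  prune_old_backups "$2" "$3"
}

# Usage (assumed paths): ./wp-backup.sh /var/www/html /var/backups/wp 7
if [ $# -ge 2 ]; then
  backup_wordpress "$1" "$2" "${3:-7}"
fi
```

Point the backup directory at a mount that the web server's user cannot write to, or sync it off the machine afterwards, for the reason given above: a backup the attacker can reach is not a backup.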
Delete Unused Plugins and Themes
The less executable code you have on your server, the better, so remove the chance of harbouring old, vulnerable code by deleting themes and plugins you no longer use. Deactivating a plugin only stops WordPress from loading it; its files remain on disk, and any of them that can be requested directly can still be exploited by an attacker.
Remove The “admin” Account
Most brute-force attacks on WordPress repeatedly try the admin account, the username the installer suggests by default, against a dictionary of common passwords. If you log in as admin, or simply still have an admin account in your user table, you are exposed to this.
Two ways to fix it. Either use the WP-Optimize plugin, which among other things (disabling post revisions, database optimisation) lets you rename the admin account. Or simply create another account with administrator privileges, log in as the new user and delete the "admin" account; when WordPress asks what to do with its content, attribute all its posts to your new user.
Even with the admin account gone, an attacker may still be able to discover your administrator's username (WordPress exposes author names through author archive URLs, for instance), at which point you are back to relying on the password alone. So also enforce a strong password policy: 16 or more random characters mixing upper- and lower-case letters, digits and punctuation, kept in a password manager rather than memorised.
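The second method above, and the password policy that follows it, can both be done from the command line with WP-CLI. The script below is an added example, not code from the original post or from WP-Optimize: it generates a password that meets the stated policy from the kernel's random source, creates the replacement administrator, deletes admin while reassigning its posts (the same thing the dashboard's "Attribute all content to" prompt does), and lists the administrators that remain. It assumes WP-CLI (the wp command) is installed and that the script is run from the WordPress root; the username and e-mail address in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): replace the default "admin"
# account with WP-CLI and generate a policy-compliant random password.
# Assumes `wp` is installed and the script runs from the WordPress root.
set -eu
export LC_ALL=C   # keep [A-Z] etc. meaning ASCII ranges in tr and case

# Print a random password of $1 characters drawn from letters, digits and
# punctuation, taken from /dev/urandom rather than the shell's $RANDOM.
# Regenerates until every class the policy asks for is present.
gen_password() {
  while :; do
    pw=$(tr -dc 'A-Za-z0-9!#$%&*+,./:;<=>?@^_{|}~-' < /dev/urandom | head -c "$1")
    case $pw in *[A-Z]*) ;; *) continue ;; esac
    case $pw in *[a-z]*) ;; *) continue ;; esac
    case $pw in *[0-9]*) ;; *) continue ;; esac
    case $pw in *[!A-Za-z0-9]*) ;; *) continue ;; esac
    printf '%s\n' "$pw"
    return 0
  done
}

# Create a new administrator ($1 = username, $2 = e-mail, $3 = password),
# delete "admin" and hand its posts to the new user, then show who is left
# with the administrator role so nothing unexpected survives.
replace_admin_user() {
  new_id=$(wp user create "$1" "$2" --role=administrator --user_pass="$3" --porcelain)
  wp user delete admin --reassign="$new_id" --yes
  wp user list --role=administrator --fields=ID,user_login
}

# Usage (placeholders): ./replace-admin.sh siteowner owner@example.com
if [ $# -ge 2 ]; then
  pw=$(gen_password 20)
  replace_admin_user "$1" "$2" "$pw"
  printf 'New administrator %s created. Store this password in a password manager now: %s\n' "$1" "$pw"
fi
```

Run it while logged out of the old account, and log in as the new user before doing anything else; if the site also uses WordPress's application passwords or a two-factor plugin, those need to be set up again for the new account.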
Keep WordPress and Plugins Updated
Always make sure you are running the latest version of WordPress, and the same goes for every plugin and theme you have installed. Updates mostly consist of bug fixes, performance improvements and, most importantly, security fixes that close holes discovered since the previous release; a bot scanning for a known vulnerability in an old plugin version is just as automated as the password guessers above. Leave WordPress's automatic minor (security) updates switched on, and check the dashboard for plugin updates at least as often as you take backups.