I get this quite often… sort of scary huh?
it really is amazing how many times my site gets bombarded by a bot trying to guess passwords to my account..
there are a few things you MUST do to secure wordpress from hackers.. here’s a quick and dirty list (keep reading below for a free plugin I made to help with this.)
- Change your administrator account from admin to something else
You need to do this because the vast majority of hack attacks and brute force password attacks are for the admin account, if you remove it then you stop the attack before it can happen.it’s easy to do.. just follow these steps
- create a new account with your chosen username
- set the account as administrator (check first to make sure you can log in and do administrator privaledge things
- always always ALWAYS choose a password that you would not find in a dictionary. Preferably with &*^ special characters
- delete the admin account and set all posts to be by the new account you created
- Choose a good password
And by “good password” I mean one that is not in a dictionary! please make sure it’s at least 8 characters (9 is better) and it uses numbers and/or special characters like *^$
And for gawds sake, don’t use the same password on your WordPress account as you do on other peoples sites where you have joined! (some dodgy admins monitor them and try them on your gmail or yahoo account)here’s a list of the 25 most popular passwords, make sure you’re not using one of them!
- Limit login attempts
I’ve been doing this for quite a while, a normal user may try 4 or 5 times to log in before they request a reset, there’s no way that someone would try 100 times so make sure you limit the amount of times someone can try before locking them out for a certain amount of time
Here’s a free plugin that I use to limit the amount of log in attempts.Limit Login Attempts plugin
- Watch what users do on your site
By this, I mean keep an eye out on user activities if you allow people to register to your site.There’s a really useful plugin for this called threeWP Activity Monitor which I’ve been using for some time because it can also be filtered to allow recording of other things like downloading files (useful to see if someone downloaded CommentLuv from the members site!)it will also record attempts to log in.
OMG you will get scared when you see how many attempts are made to your admin account! see this
You might want to see the passwords that hackers are using so you can make sure you don’t use them for your accounts! that’ll help to secure wordpress and other sites you have.
- Ban users who repeatedly try wrong passwords
There’s another free plugin that I use to ban users who have attempted too many logins (or any amount of logins to ‘admin’)
it’s called WP Ban and it’s helpful to make sure newbie hackers don’t come back (it’s also useful for banning trolls from your site)
It’s probably a good idea to clear out the ban list now and then so you don’t compromise the performance of yoru site when every visitor gets checked against every IP on your ban list.see below for how to automate this with a free plugin I made
There are some other things that you can do to secure WordPress, Regina Smola has some on her post “WordPress Security and Comments (3 Mistakes Blog Owners Make)”
Free plugin to secure your WordPress site
I got tired of doing it manually when I received a notification email so I made a plugin to automatically add someone to the ban list if they attempt to log in too many times with the wrong password.
what it does is monitor any emails that your site sends and when it detects one from the Limit Login Attempts plugin to notify you of a user being locked out, it automatically adds them to the ban list like this
Make sure you have set your limit login attempts to notify you if someone was locked out (see below)
It adds to the end of emails where it hasn’t banned someone so you know it’s working properly without having to wait until someone gets banned!