Over the last few weeks we have been plagued by issues on many of the websites we have built. Slow load times, inability to access the admin panel, and sites temporarily disappearing. At first I thought it was random glitches, or issues with just one hosting company, but the issue is much bigger.
According to a number of sources, brute force attacks against WordPress sites are on the rise. Since we build all of our websites on the WordPress platform, this is a serious issue for us. We have been working closely with our hosting companies and researching ways to improve our security protocols. While the problem is serious, there are a number of steps every WordPress site owner can take to mitigate their risk.
Let’s start with the basics – What is a brute force attack?
A brute force attack uses automated systems to target the weakest part of a website: you. The attack system tries to guess your usernames and passwords, over and over again, until it gets in.
How do you protect your site?
- Start with very secure passwords. 8 – 10 characters at a minimum, with a mixture of numbers, letters, and symbols. Mix in upper and lower case letters as well. They’re harder to remember, but you will get used to the new password in less time than it will take to rebuild your site.
- Do not use the username admin. This is a challenge for the entire WordPress community. The default user account with every new WordPress website is named “admin” and many people never change it. The hackers know this, so the majority of attacks are directed at this user name. If you are still using this username, make a new account, transfer all the posts to that account, and change “admin” to a subscriber (or delete it entirely). WordPress recommends this plugin to make the process easier: Admin Renamer Extended.
- Always update to the latest version of WordPress. WordPress developers continually upgrade their software, building in new levels of protection. It only takes a minute or two to upgrade, and hours to rebuild your site if you don’t.
- Limit log-in attempts with a plugin that sets up a fail screen if you get the password wrong more than three times. There are a number of these, including Limit Login Attempts. Just be sure you remember your stronger password before you install this plugin.
If the attacks continue, you may want to also consider limiting access to the wp-admin page by IP address. This is a great strategy if you control your server or work with a small hosting company where you can talk directly to the support team. Our hosting company, Midwest Internet, contacted me on Friday and told me they were going to block all traffic to our admin page, except from our IP addresses. But how do you find your IP address? It is easier than you think. Go to http://whatismyipaddress.com/ and it will tell you where you are.
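The two measures above, limiting failed log-in attempts and restricting the log-in and admin pages to known IP addresses, can both be done inside WordPress itself. The following is an added example written for this post; it is not code from the post, from the Limit Login Attempts plugin, or from Midwest Internet. It is a small must-use plugin (drop it in wp-content/mu-plugins/) that counts failed log-ins per client address with WordPress transients, refuses further authentication after three failures for twenty minutes, and optionally allows only listed addresses to reach wp-login.php and wp-admin. The EXAMPLE_ constants, the function names and the two addresses in the allow-list (taken from the documentation ranges) are assumptions and placeholders, not values from the post.

```php
<?php
/*
 * Plugin Name: Example Login Lockout
 * Description: Added example for this post, not the page's own plugin.
 * Install in wp-content/mu-plugins/ so it loads before ordinary plugins.
 */

// Tunables. These values are assumptions for the example, not from the post.
const EXAMPLE_MAX_FAILURES = 3;        // failures allowed before lockout
const EXAMPLE_LOCKOUT_SECS = 20 * 60;  // lock the address for 20 minutes
// Optional allow-list for the log-in and admin pages. Leave empty to disable.
// Constructed placeholder addresses from the documentation ranges; replace them
// with the addresses you found on whatismyipaddress.com.
const EXAMPLE_ALLOWED_LOGIN_IPS = ['203.0.113.10', '198.51.100.25'];

function example_client_ip() {
    // Trust only REMOTE_ADDR. X-Forwarded-For is supplied by the client and is
    // only reliable if a reverse proxy you control overwrites it.
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function example_failure_key($ip) {
    // One transient per client address; md5 keeps the key short and safe.
    return 'example_login_fail_' . md5($ip);
}

// 1. Count failed log-ins per address. The transient expires on its own, so a
//    quiet address is forgiven after EXAMPLE_LOCKOUT_SECS.
add_action('wp_login_failed', function ($username) {
    $key   = example_failure_key(example_client_ip());
    $count = (int) get_transient($key);
    set_transient($key, $count + 1, EXAMPLE_LOCKOUT_SECS);
});

// 2. Refuse authentication once the limit is reached. Priority 30 runs after
//    WordPress's own username/password check (priority 20), so the lockout
//    error cannot be overwritten by a correct password.
add_filter('authenticate', function ($user, $username, $password) {
    $count = (int) get_transient(example_failure_key(example_client_ip()));
    if ($count >= EXAMPLE_MAX_FAILURES) {
        return new WP_Error(
            'example_locked_out',
            sprintf('Too many failed log-ins. Try again in %d minutes.',
                    EXAMPLE_LOCKOUT_SECS / 60)
        );
    }
    return $user;
}, 30, 3);

// 3. A successful log-in clears the counter for that address.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(example_failure_key(example_client_ip()));
}, 10, 2);

// 4. Optional allow-list: only listed addresses may load the log-in and admin
//    pages. admin-ajax.php also triggers admin_init, so AJAX calls from site
//    visitors are left alone.
function example_enforce_ip_allow_list() {
    if (empty(EXAMPLE_ALLOWED_LOGIN_IPS) || wp_doing_ajax()) {
        return;
    }
    if (!in_array(example_client_ip(), EXAMPLE_ALLOWED_LOGIN_IPS, true)) {
        status_header(403);
        exit('Access to this page is restricted.');
    }
}
add_action('login_init', 'example_enforce_ip_allow_list');
add_action('admin_init', 'example_enforce_ip_allow_list');
```

Two points worth knowing before relying on this. A lockout response itself fires wp_login_failed, so an attacker who keeps hammering a locked address keeps the lock alive, which is the intended effect. And blocking inside WordPress still lets every guess reach PHP and the database; a block at the web server or by the hosting company, as described above, stops the request earlier and is the stronger option where you can get it.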
And finally, back up your site. Even if your hosting company does backups, it doesn’t hurt for you to periodically export your entire database and copy your theme files to your own computer or storage media. It is better to have two copies than none when you need them.
Over the next few weeks, we will continue to monitor this issue and look for additional ways to protect our sites.