WordPress security warning
On April 13th, the WordPress founder Matt Mullenweg warned all WordPress users to change their user name if they were still using the ‘admin’ name from registration. This is due to recent large-scale brute-force attacks against WordPress sites. If you don’t know what a “brute-force attack” is, it means a systematic attempt to get into your site by trying one password after another. Sometimes it’s done manually, but more often with software.
Do I need to protect my WordPress site?
The survey website W3Techs reports that almost a fifth of the entire world’s websites, or in other words, about 64 million of them, use WordPress. Because of large-scale attacks, all WordPress users are wise to protect their sites with increased security measures. This is easy and can save you a lot of tears in the long run. Here are several essential tips and tricks, plus a few useful plugins, to ensure the safety of your blog.
Don’t use the auto-generated password given to you by WordPress. Change it instead to the strongest possible password you can come up with. Although the WordPress-generated password is quite strong, the FTP/cPanel password your host generates is medium strength at best. It’s better just to create a strong password of your own. A strong password is long, and it contains capital letters, lower case letters, numbers and symbols – preferably in as random an order as possible.
Image Source: Salvatore Vuono, courtesy of FreeDigitalPhotos.net www.freedigitalphotos.net/images/Computers_g62-Password_p28974.html
Every time a new WordPress version comes out, the release notes reveal information about security bugs and vulnerabilities in previous versions. By updating your WordPress site, you can make sure that you are protected against known security bugs. And obviously, for this reason, don’t make your WordPress version visible to others!
Always back up your WordPress database and WordPress files. If disaster strikes, you’ll still have your blog.
Only ever upload authentic themes, plugins and scripts, because there are plenty of downloads designed to damage sites. Items downloaded from sharing sites, and warez and torrent files, are the most dangerous. They may look like themes or plugins, but can seriously harm your site when you upload them.
5. ‘wp-admin’ Directory
Limit access to a handful of IP addresses, like your laptop, PC, mobile device and work computer, by using a .htaccess file in the ‘wp-admin’ directory.
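The post describes doing this with a .htaccess file. The following is an added example, not code from the post or from WordPress, that performs the same allowlist check in PHP as a must-use plugin (a file dropped into wp-content/mu-plugins/), which is handy on hosts where you cannot edit .htaccess. The addresses in WPADMIN_ALLOWED_IPS are constructed placeholders from the documentation ranges; the function and constant names are this example’s own.

```php
<?php
/**
 * Plugin Name: Restrict wp-admin by IP (added example)
 *
 * Place this file in wp-content/mu-plugins/ and WordPress loads it automatically.
 * The allowlist below is a constructed placeholder: replace it with your own
 * static addresses (laptop, office, mobile provider range, etc.).
 */

// Constructed example addresses (RFC 5737 / RFC 3849 documentation ranges); replace with your own.
const WPADMIN_ALLOWED_IPS = [
    '203.0.113.10',     // a single IPv4 address
    '198.51.100.0/24',  // an IPv4 range in CIDR notation
    '2001:db8::/32',    // an IPv6 range in CIDR notation
];

/**
 * Return true if $ip falls inside $cidr ("a.b.c.d", "a.b.c.d/n" or the IPv6 equivalents).
 * The comparison is done on the packed binary form, so IPv4 and IPv6 are handled alike.
 */
function wpadmin_ip_in_cidr(string $ip, string $cidr): bool {
    [$subnet, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin     = @inet_pton($ip);
    $subnetBin = @inet_pton($subnet);
    if ($ipBin === false || $subnetBin === false || strlen($ipBin) !== strlen($subnetBin)) {
        return false; // malformed address, or an IPv4 address tested against an IPv6 range
    }
    $maxBits = strlen($ipBin) * 8;
    $bits    = ($bits === null) ? $maxBits : (int) $bits;
    if ($bits < 0 || $bits > $maxBits) {
        return false;
    }
    // Whole bytes covered by the prefix must match exactly.
    $fullBytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($subnetBin, 0, $fullBytes)) {
        return false;
    }
    // Then compare the leftover bits of the next byte, if any.
    $remaining = $bits % 8;
    if ($remaining === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $remaining)) & 0xFF;
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($subnetBin[$fullBytes]) & $mask);
}

function wpadmin_client_is_allowed(): bool {
    // REMOTE_ADDR is filled in by the web server from the TCP connection, so the
    // visitor cannot forge it; X-Forwarded-For can be set to anything by the client.
    // Behind a trusted reverse proxy, have the proxy rewrite REMOTE_ADDR instead.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    foreach (WPADMIN_ALLOWED_IPS as $cidr) {
        if (wpadmin_ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

add_action('admin_init', function () {
    // admin-ajax.php also fires admin_init; front-end AJAX from ordinary visitors must keep working.
    if (wp_doing_ajax()) {
        return;
    }
    if (!wpadmin_client_is_allowed()) {
        wp_die('Access to the administration area is restricted.', 'Forbidden', ['response' => 403]);
    }
});
```

Like the .htaccess approach in the post, this only guards the wp-admin pages; wp-login.php lives in the site root and is not covered, which is why a lockout plugin is still useful alongside it.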
If your IP addresses are not static, use a plugin to protect your site. There are plenty of these around. Here are just a few:
- Ask Apache Password Protect – It protects your plugins, ‘wp-admin’ directory, wp-content and so on.
- Stealth Login – With this plugin you can create custom URL addresses for login, registering and also for logout.
- Login Lockdown – This plugin protects against brute-force attacks, where someone tries to guess your password by systematically trying every possible combination. If someone tries to log in to your admin panel many times in a row, it locks out further attempts for a period of time.
- Limit Login Attempts – This plugin blocks an internet address from repeatedly trying to log in, so it makes brute-force attacks extremely difficult or even impossible.
- Bad Behavior – This aptly named plugin helps fight spammers. It prevents spam messages appearing on your blog and also limits access to your blog so that spammers cannot even read it.
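To show what plugins like Login Lockdown and Limit Login Attempts are doing under the hood, here is an added example of a minimal lockout written as a must-use plugin. It is not code from the post or from any of the plugins listed above. It counts failed logins per client address in WordPress transients and refuses authentication once a limit is reached; the threshold, lockout length and all function names are this example’s own constructed choices.

```php
<?php
/**
 * Plugin Name: Minimal login lockout (added example)
 *
 * Place this file in wp-content/mu-plugins/. Failed logins are counted per client IP
 * in a WordPress transient; once the limit is reached, further attempts are refused
 * until the transient expires. The numbers below are constructed values: tune them.
 */

const LOGIN_LOCKOUT_MAX_ATTEMPTS = 5;                      // failures allowed before locking
const LOGIN_LOCKOUT_SECONDS      = 15 * MINUTE_IN_SECONDS; // how long an address stays locked

function login_lockout_key(): string {
    // Key the transient on the server-reported client address, never on a client-supplied header.
    return 'login_lockout_' . md5($_SERVER['REMOTE_ADDR'] ?? 'unknown');
}

/**
 * Refuse authentication while the client is locked out.
 * Priority 30 runs after WordPress's own username/password checks (priority 20).
 */
add_filter('authenticate', function ($user, $username, $password) {
    $state = get_transient(login_lockout_key());
    if (is_array($state) && $state['count'] >= LOGIN_LOCKOUT_MAX_ATTEMPTS) {
        // One generic message for every case, so the response does not reveal
        // whether the username exists or the password was close.
        return new WP_Error('locked_out', 'Too many failed login attempts. Please try again later.');
    }
    return $user;
}, 30, 3);

/**
 * Count each failure. WordPress fires this hook for a wrong username, a wrong
 * password, and for attempts refused by the filter above, so hammering a locked
 * address keeps extending the lockout window.
 */
add_action('wp_login_failed', function ($username) {
    $key   = login_lockout_key();
    $state = get_transient($key);
    $count = is_array($state) ? $state['count'] + 1 : 1;
    set_transient($key, ['count' => $count], LOGIN_LOCKOUT_SECONDS);
    if ($count === LOGIN_LOCKOUT_MAX_ATTEMPTS) {
        // Leave a trail for the site operator in the PHP / web-server error log.
        error_log(sprintf(
            'login lockout: %s locked after %d failed attempts',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown',
            $count
        ));
    }
});

/** A successful login clears the counter for that address. */
add_action('wp_login', function ($user_login, $user) {
    delete_transient(login_lockout_key());
}, 10, 2);
```

Two things worth knowing before relying on this: if the site sits behind a CDN or reverse proxy, REMOTE_ADDR is the proxy’s address and every visitor would share one counter, so the proxy must be configured to pass the real client address through; and because the count lives in a transient, on hosts that cache transients in object storage the counter survives page loads but is cleared when that cache is flushed.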
7. Hide Login Error Messages
When login error messages come up after a failed attempt to log in, they can easily give hackers clues as to whether they are getting the user name or password right. Therefore, it is a good idea to hide your error messages. To do this, put the following code in functions.php, as suggested in the WordPress help section forums:

// The original forum snippet used create_function(), which was removed in PHP 8.0;
// an anonymous function does the same job. Returning null prints no message at all.
add_filter( 'login_errors', function ( $errors ) {
    return null;
} );
8. Protect your plugins directory
It’s good to protect your WordPress plugins directory too. If you go to wp-content/plugins/, you’ll see the plugins you are using. Some plugins are weaker and more easily attacked. Block access to them with a .htaccess file, or at least upload a blank ‘index.html’ file to that directory so its contents are not listed.
Image Source: foto76, courtesy of FreeDigitalPhotos.net http://www.freedigitalphotos.net/images/Internet_g170-Login_With_Username_And_Password_p130144.html
Entrepreneur and enabler, Tuhin Ghosh has been pursuing his dream of enabling business and catalyzing growth mainly in the education industry. He is the Co -Founder of PrepGenie, a test prep provider that offers exam preparation courses for GAMSAT, PCAT, HPAT, UMAT and UKCAT to aspiring medical students globally.