There have been a lot of brute force attacks recently both on WordPress blogs and Joomla sites. There are even web-based, commercially available tools that are being used to launch these attacks – and they are very effective.
Fear not! There are some steps you can take to make sure that your WordPress site is secure against brute force attacks, keeping your site, its content, any products you offer, your money, data, and, most importantly, your customers safe and sound.
Why Bother Protecting WordPress?
You may not realize it, but your WordPress blog can go wrong in a lot of ways, and if it does, it would have horrible consequences for your business. Some of these problems include:
- Temporary issues ranging from something as simple as having your password reset, causing you to be locked out of your account, or having your site redirect automatically until you regain access to your account and correct it.
- Loss of content can really be disastrous. Imagine if a hacker got access to your account and deleted all of the articles you had. Do you have them all backed up? Imagine all the time, money, and effort you’ve put into your content gone.
- Whether your products are digital or physical, hackers can wreak havoc on your products. If you’ve got a line of digital products (eBooks, graphics, videos, so on) that you keep on your server, they could easily be stolen and distributed. And if you think you’re safe because you sell physical products – think again. How could you know that a hacker changed information so that it looked like they paid for an order until it was too late? You’d have shipped the order out before you realized that you didn’t have the money.
- Speaking of money – how much would you lose if a hacker gained access to your account? Do you make your money from advertisers? How much would you stand to lose if your site went down for any length of time?
- Are you in the habit of keeping your personal data stored away on your server? Emails, passwords, personal, potentially sensitive information would be just a few clicks away to even the most novice of hackers. This is exactly the kind of thing that sells well in the “information age”. Even if the hacker didn’t have plans to sell your information, they certainly could make good use of it themselves.
- If none of the rest has bothered you, perhaps this will: your reputation. When you build a business around yourself, your reputation is key. Most damage is not permanent, but it can and does take a long time to repair – sometimes years. Think of all the business you stand to lose if your customers don’t think that their privacy is protected when they buy from you.
11 Easy Steps to WordPress Security
1 Update WordPress Often. Easy, quick, and simple. Updating WordPress often can help to protect you from hackers. So if you notice a new update out, install it! Critical security updates are issued by WordPress from time to time.
2 Choose Your Username Wisely. Be thoughtful when you choose your username. Don’t do the standard “admin” as so many do, and try not to make it easy to guess by using your name or information about the products you sell or the genre you thrive in. “SteveDog” isn’t too hard to guess when your name is Steve and you sell products related to and discuss dogs all the time.
3 A Strong Password is a Must. Though the importance of strong, alphanumeric passwords has been talked about for years, a surprising number of people still use simple, easy to guess passwords such as “Password”, “12345678”, and “ABC123”. Others use easy to guess passwords that involve personal information, such as “Sally92”. Though most sites now require you to use an alphanumeric password with a minimum length (some even require at least one special character such as !, *, or @), it is still very important to choose something hard to guess. If you’d like, use a password generator when coming up with your password.
4 Don’t Use the Same Info From Other Blogs. If you use the same log in information for all of your blogs, chances are that all of them will be hacked if one gets hacked. Choose different log ins for each blog so that you don’t have to worry about losing all of your blogs when you’re already stressed about losing one of them.
5 Don’t Use Log In Information From Different Sites. Similarly, don’t use the same old usernames and passwords that you use for several other sites, otherwise the hacker might decide to see what other problems they can cause for you on those sites, as well.
6 Attempted Login Limits. WordPress offers plugins that allow you to limit the number of login attempts that can be made. This is incredibly effective against brute force attacks.
7 Two-Part Authentication. If you want an extra layer of security, go with two-part authentication. This will send a secret verification code (something which cannot be guessed) to your cell phone. This code has to be entered to log in to your blog. You can read more about this and other two-part authentication at: http://en.support.wordpress.com/security/two-step-authentication/
8 Password Protect wp-login.php. Another simple way to deflect brute force attacks is to password protect the file “wp-login.php”. It’s actually pretty simple to do. Hostgator provides an easy tutorial for you to follow, although it might not work on other hosting accounts. http://support.hostgator.com/articles/specialized-help/technical/wordpress/wordpress-login-brute-force-attack
9 Hide Your WordPress Version Number. Not running the most up-to-date version of WordPress? Hackers can and will find out which version you run and exploit the security holes known for it. But it’s pretty easy to hide what version number you’re using in just two steps. First, open your theme’s functions.php and add
remove_action('wp_head', 'wp_generator');
That’ll get the version number off of your header, but hackers can still access it through your RSS feeds. To prevent that, add
function wpbeginner_remove_version() { return ''; }
add_filter('the_generator', 'wpbeginner_remove_version');
into the functions.php.
10 Protect wp-config.php. The configuration file is usually found in the root WordPress folder, which makes it easy pickings for hackers. But it doesn't have to be there! It’s easy to move and WordPress will still function properly, because it automatically looks one directory above its install folder for the file. If your wp-config.php is located in /public_html/wp-config.php, simply move it one level up to /wp-config.php, outside the web root. Problem solved!
11 CAPTCHA is a huge deterrent for hackers as it takes time and effort most aren’t willing to put in. Simply get a CAPTCHA plugin – there are several – and add that final layer of security to your WordPress.
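Step 6 above recommends a plugin to limit login attempts. The following is an added example of how such a limit works under the hood, written for this article and not taken from any plugin it names: a minimal must-use plugin (drop it into wp-content/mu-plugins/) that counts failed logins per IP address in a WordPress transient and refuses further attempts once the limit is reached. It assumes the server sees the visitor's real address in REMOTE_ADDR (no reverse proxy in front), and the limit and window values are arbitrary choices.

```php
<?php
/*
Plugin Name: Simple Login Limiter (added example)
Description: Lock out an IP address after too many failed logins.
*/

define( 'SLL_MAX_ATTEMPTS', 5 );     // failures allowed per window (assumed value)
define( 'SLL_WINDOW_SECONDS', 900 ); // 15-minute window; the counter expires with it

// Transient key for the visitor's IP. Assumes REMOTE_ADDR is the real client
// address, i.e. there is no reverse proxy or CDN rewriting it.
function sll_transient_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'sll_fail_' . md5( $ip );
}

// wp_login_failed fires after every bad username or password. Each failure
// bumps the counter and restarts the window, so a persistent attacker stays
// locked out for as long as they keep trying.
function sll_record_failure( $username ) {
    $key   = sll_transient_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, SLL_WINDOW_SECONDS );
}
add_action( 'wp_login_failed', 'sll_record_failure' );

// Refuse a locked-out IP. Priority 30 runs after WordPress's own
// username/password check (priority 20), so the lockout error replaces the
// built-in one and the response no longer reveals whether the username exists.
function sll_block_if_locked( $user, $username, $password ) {
    if ( (int) get_transient( sll_transient_key() ) >= SLL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed logins. Try again in %d minutes.', SLL_WINDOW_SECONDS / 60 )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'sll_block_if_locked', 30, 3 );

// A successful login clears the counter for that IP.
function sll_clear_on_success( $user_login, $user ) {
    delete_transient( sll_transient_key() );
}
add_action( 'wp_login', 'sll_clear_on_success', 10, 2 );
```

Because a blocked attempt also fires wp_login_failed, the window keeps extending while the attack continues; watch for that lockout error in your logs to spot an attack in progress.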
Conclusion
Thankfully securing your blog doesn’t have to be hard. If you take these very easy steps right now, taking only a few minutes out of your day, you don’t have to worry very much or often about hackers.