For the past week there has been a rolling brute force attack on all major host providers that specifically targets the login of WordPress sites. According to the report by HostGator, it was a well-coordinated attack with over 90,000 IP addresses involved. The symptoms are a sluggish admin area after login, slow speeds, or trouble logging in. Read on for the steps that you can take to protect your site now and in the future.
Backup Backup Backup
There is no such thing as bullet-proof security on a WordPress site. Some attacks, like this one, come from outside the server. But some super sneaky ones come from inside. The hackers get in through unprotected sites on shared hosting and cause chaos everywhere. Think of it as living in an apartment building. When one catches on fire, all are at risk.
The very best thing you can do for yourself is set up a solid backup and recovery plan. If you’re using a free plugin for this, and storing the backup on your site, you can kiss all of that goodbye if your site gets attacked or hacked. It’s time to get serious about making a real plan.
How to Backup Your WordPress Site is a free report that you can download with 14 backup and storage options. Personally, I use, recommend, and install the BackupBuddy plugin (aff link) on every client site, and store my files on Amazon S3 (which recently announced it is cutting prices in half, and it’s free for the first year).
Lock the Front Door
(NOTE: Ensure that you don’t already have a plugin that secures your login before adding any of those mentioned below. And check your site after install for conflicts.)
Since a brute force attack is on the front door of your site, that’s where you need protection. The Login Lockdown plugin is my favorite. Now, when you go to install it, you’ll see a warning that it hasn’t been updated in over 2 years. That’s okay. The developer made it right the first time.
Install and activate it and you’re done. No configuration needed.
The other popular plugin for this is Limit Login Attempts. It works, but I’m not a fan because it tells the hacker how many attempts are left and how long they will be locked out. I’m not interested in giving the burglar that much info.
There are other plugins too, like Better WP Security, Wordfence, and a whole host of firewalls. Again, just make sure that you check the plugins you have first before installing a new one.
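To show what a login-lockdown plugin is reacting to on the server side, here is an added example (not code from this post or from any of the plugins named above): a Python check that reads Apache-style access-log lines and flags IPs that POST to wp-login.php and get the login form back repeatedly within one minute. The log lines are constructed sample data, and the failed/successful distinction assumes WordPress's usual behaviour of re-rendering the form (status 200) on a bad password and redirecting (302) on success.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Apache "combined" log line; only the fields the check needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample traffic (not a real log): 203.0.113.5 hammers the login,
# 198.51.100.9 logs in once successfully, 192.0.2.77 fails twice minutes apart.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3200
203.0.113.5 - - [12/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3200
203.0.113.5 - - [12/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3200
203.0.113.5 - - [12/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3200
198.51.100.9 - - [12/Apr/2013:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.77 - - [12/Apr/2013:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3200
192.0.2.77 - - [12/Apr/2013:10:05:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3200
"""

def failed_logins(log_text):
    # A wrong password makes WordPress re-render wp-login.php with status 200,
    # while a successful login redirects (302), so 200-status POSTs are the guesses.
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and (m['method'], m['path'], m['status']) == ('POST', '/wp-login.php', '200'):
            yield m['ip'], datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')

def brute_force_sources(log_text, threshold=3, window=timedelta(minutes=1)):
    # Returns {ip: peak failures in any one window} for IPs reaching threshold.
    # The sliding window keeps one slow guess every few minutes from tripping
    # the alert while a rapid run of guesses does.
    by_ip = defaultdict(list)
    for ip, ts in failed_logins(log_text):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] >= window:  # drop attempts that fell out of the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

if __name__ == '__main__':
    for ip, n in brute_force_sources(SAMPLE_LOG).items():
        print(f'{ip}: {n} failed logins within one minute')
```

Run against a real access log, the flagged IPs are the ones a lockout plugin would be blocking, and a sudden jump in their number is the early warning of an attack like the one described above.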
Visit the Plugins resource page to see all of my recommended plugins.
Strengthen Your Login
A strong username and password for your login are among your best defenses. If you’re still using admin as your username, or have a weak password, you’re just waiting to be hacked. And if you show admin in the byline of your posts, you’re actually advertising to hackers.
At the very least, create a strong password. It’s easy to do. If you need to change your username, you’ll actually need to create a new User. I have a video tutorial on how to do that in the library. It’s in the WordPress Advanced section under SEO and is titled User Profile.
Also, read this post for more info on creating strong logins, and how a brute force attack works.
Need More Help?
I sent immediate notice to all subscribers of BlogAid News as soon as I learned of the attacks. That’s the best way to ensure you know about serious issues like this. While you’re subscribing, also check the box to receive all blog posts via email. I know social media is where a lot of you follow me, but honestly, Facebook’s delivery is just too unreliable (you’re only seeing 25% or less of my posts there) and I know most of you don’t check G+ regularly yet. I also report on plugins and WordPress news in my weekly Tips Tuesday post and podcast. You can subscribe to those too, but if you get all blog posts, you’ll get them in that. Plus, you can find the podcast on iTunes, as well as Stitcher, and the Blackberry Podcast.
Site Evaluation and Review
I also do comprehensive site reviews where I check your security and plugins. It’s live and you’ll see everything I see. And, I provide written documentation of what we discussed immediately afterward.
Or, you can contact me directly and I’ll be happy to tailor services to your unique needs.