April 21st, 2013 at 05:56am
WordPress is built primarily for blogs, but the platform is modified quite often to operate as a full-on content management system. It is robust, stable, secure, amazingly supported by a large community of developers, full of features, and boasts some absolutely gorgeous themes. What’s even better is that it’s open source, so licensing fees are nothing you need to be concerned about
The problem with WordPress actually lies within its own success. It’s so popular, and used for so many different types of websites, that it’s also the celebrity that every paparazzi wants to exploit – only the paparazzi are hackers and bots.
WordPress is structured in a very particular way. For example, if you’ve ever used it before, you’ll know that “wp-admin” is how you login to the backend of your WordPress website. Hackers and bots also know this. With a nifty yet disturbing technique called “Brute Force Attack”, a program is used to try various username-password combinations. So, if your username is “admin” and your password is “admin123”, you’re probably an easy target.
We’ve managed hundreds of websites over the years, and one thing we’ve noticed is that there are plenty of automated scanners out there browsing around for default WordPress folders like the notorious “wp-admin” folder. To counter this, we’ve begun implementing a couple of cloaking techniques. Here’s what we do…
- We change the default “wp-admin” folder and “wp-login.php” names to something unique for each client. This isn’t fool proof, but will definitely ward off most of the automated scanners.
- In case the scanner or hacker manages to find the login page, we have Google’s reCAPTCHA plugin on the login page. In case you don’t know what this is – it’s the “enter the characters you see in the image” thing you’ve probably struggled with before. Again, not a foolproof implementation, but it makes robotic attacks less effective. The characters displayed are usually quite warped and difficult for text recognition software to recognize.
These are simple changes that can be made to protect your WordPress website; however, nothing beats the basics of account security:
- Make sure your username is unique. Avoid “admin”, “administrator”, and other common words.
- Ensure your password is complex – 8 or more characters, with at least one uppercase letter, one number, and one special character.
- Change your password frequently.
- Avoid logging into your account from an Internet café or any public computer. Key logging software monitors every keystroke you make, exposing your username, password and other sensitive information.
- Don’t use the same password for multiple accounts. Every account you own – be it your personal email, work email, or Facebook account – should have a unique password. If one gets exploited, the others will remain protected.
These tips are just a few methods to keep your WordPress website safe, but there’s plenty more that can be done. There are always security patches and bug fixes being released, so always ensure your WordPress installation is up to date.
If you need an expert to take a look at your current WordPress website, email firstname.lastname@example.org and we’ll gladly help you out. Stay safe!