For the past two weeks I’ve been receiving notifications from my web host that my website, dandelionwebdesign.com is under brute force attack! I’m not alone.
According to HostGator, “there is an on-going and highly-distributed, global attack on WordPress installations across virtually every web host in existence”.
How can we protect our WordPress sites from intruders?
- Delete any the standard “admin” WordPress username: If your WordPress installation has an administrative login that is “admin” you are at increased risk. Read more about how to remove “admin”.
- Use a strong password: Strong passwords contain upper and lowercase letters, are long (the longer the better), and include “special” characters (^%$#&@*). It is best to use a password manager such as LastPass.
- Limit the number of allowed login attempts: Go to Plugins -> Add New and search for “Limit Login Attempts”. Install and activate the plugin. You can adjust the number of allowed attempts under Settings -> Limit Login Attempts. This however won’t stop hackers from continued attempts using different IP addresses.
- Stop Bad Behavior: Go to Plugins -> Add New and search for “Bad Behavior” (note without the u). Install and activate the plugin. Bad Behavior is completely different from any other anti-spam solution out there, in that it doesn’t specifically target spam itself. Rather, it targets the methods by which the spam is delivered.
- Change where you login: The Stealth Login Page plugin will prevent a brute force attack on your wp-login page. What it does is change where you login and send anyone going to the standard wp-login away from your site.Go to Plugins -> Add New search for “Stealth Login Page” and install it. After you activate it, go to the settings page under Settings and you’ll see a simple set of options: Enable/Disable, the redirect URL (just enter http://google.com), the question (one short word), the answer (one short word), and an option to e-mail the site admin the new URL string to access the login page. You will want to bookmark your new login page and notify your web developer and any others who need access of the change.You will now login at http://yourdomain.com/wp-login.php?question=answer (replace question and answer with the words you entered in the plugin setting.
- Pick a web host that only hosts WordPress! I’m in the process of moving my site to WP Engine [affiliate link]. They are more expensive but worth it!
Want more? Here’s a detailed list of Security tips from WordPress.