Stay Safe from Hackers, Bots and Zombies

It doesn’t matter whether your site is big or small, conspicuous or obscure: there’s always someone trying to hack it.

These people use bots to find your login page (on WordPress that is wp-login.php, which every site has) and then brute force their way into your admin area. Brute force means trying the most common username and password combinations, over and over, in the hope that one of them works.

This is why you have Limit Login Attempts installed on your site: a plugin that records every failed login attempt to your admin area, together with the IP address and the username that was tried, and locks that IP address out for a while after a handful of failures.

Have a look at the attempts made on your site.

Navigate to Dashboard >> Settings >> Limit Login Attempts

[Screenshot: find-limit-logins, the Limit Login Attempts settings page]

You’ll see attempts made with the username ‘admin’ and every variant you can imagine (adminadmin, Admin, administrator, admin1, admin2, etc.). Luckily, you don’t use admin as your username.

OK, so your site is a little more secure without the default ‘admin’ username, but the hacker isn’t out of tricks yet. When you publish a blog entry, the name of the account that published it is shown as the author, and hackers read it off the page. Then a good old automated password-guessing script is brought into play: it throws a whole dictionary at your login page using the username that authored your newest post.

Hide your username

Navigate to Dashboard >> Users and click on your username.

Remove the personal details.

[Screenshot: username-details, the user profile page]

Now create a Nickname for yourself so that your username doesn’t show on your posts, then pick that nickname in the ‘Display name publicly as’ drop-down so it is the name readers see.

[Screenshot: username-details-nickname, the Nickname and ‘Display name publicly as’ fields]

(No, I’m not suggesting that you use FelixtheCat as your nickname, but it’s certainly a lot more secure than showing your actual username.)

One caveat: the nickname only changes what is displayed. The author-archive link behind each byline (the /author/… URL, which a request for /?author=1 also redirects to) still contains a slug derived from the login name, and the public REST API users endpoint lists the same slug. So this step hides the username from casual readers and lazy bots rather than from anyone who knows where to look; a strong password is still what keeps them out.
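To check how much the nickname actually hides, here is an added example in Python (not code from this post or from WordPress) that pulls author slugs out of the three places a bot would look: the author-archive link behind the byline, the public /wp-json/wp/v2/users endpoint, and the Location header WordPress sends when a bot requests /?author=1. The HTML and JSON inputs are constructed samples; the site example.com, the login felix and the nickname FelixtheCat are assumptions.

```python
import json
import re
from urllib.parse import urlparse

# Constructed fragment of a post page. The byline shows the nickname
# "FelixtheCat", but the author link still carries the slug "felix",
# which WordPress derives from the login name when the account is created.
SAMPLE_POST_HTML = """
<p class="byline">Posted by
<a class="url fn n" href="https://example.com/author/felix/">FelixtheCat</a></p>
"""

# Constructed response shaped like the public users endpoint
# (/wp-json/wp/v2/users), which lists every user who has published a post.
SAMPLE_USERS_JSON = json.dumps([
    {"id": 1, "name": "FelixtheCat", "slug": "felix",
     "link": "https://example.com/author/felix/"},
    {"id": 4, "name": "Guest Writer", "slug": "jsmith",
     "link": "https://example.com/author/jsmith/"},
])

# Matches href="…/author/<slug>/" in page HTML.
AUTHOR_LINK = re.compile(r'href="[^"]*/author/([^/"]+)/?"')


def slugs_from_html(html):
    """Author slugs leaked through author-archive links in page HTML."""
    return sorted(set(AUTHOR_LINK.findall(html)))


def slugs_from_users_api(body):
    """Author slugs leaked through the REST users endpoint."""
    return sorted(user["slug"] for user in json.loads(body))


def slug_from_author_redirect(location):
    """Slug leaked by the Location header returned for /?author=N.

    Returns None when the header does not point at an author archive."""
    parts = urlparse(location).path.rstrip("/").split("/")
    if len(parts) >= 2 and parts[-2] == "author":
        return parts[-1]
    return None


if __name__ == "__main__":
    print("from HTML:", slugs_from_html(SAMPLE_POST_HTML))
    print("from API: ", slugs_from_users_api(SAMPLE_USERS_JSON))
    print("from redirect:", slug_from_author_redirect("https://example.com/author/felix/"))
```

Fetch the same three things from your own site with curl and run them through these functions. If your login name (or its lower-case slug form) comes back, the nickname is hiding it from readers but not from bots, and blocking ?author= requests and restricting the users endpoint are worth doing alongside the nickname change.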

Delete Unused User Accounts

If you have multiple users on your WordPress site, keep the list current and remove any accounts that are no longer used. For the users who are active, make sure their nicknames differ from their login names and remind them not to use simple, easily guessed passwords.

Every unused account is one more username and password for a bot to guess. If an account isn’t being used, delete it.

Check User Roles

Do your users have the correct permissions? WordPress ships with five roles, from least to most privileged: Subscriber, Contributor, Author, Editor and Administrator. Give each user the lowest role that lets them do their job. An account that only writes posts should be an Author, not an Administrator, so that if its password is guessed the attacker still can’t install plugins, edit theme files or create new admin accounts.

Passwords

This is always a difficult step, as so many people simply won’t choose a strong password. Google has published a top-10 list of popular passwords (pet names lead the pack), and there are longer published lists of the surprisingly simple passwords people use. If choosing a strong password turns you off, imagine how turned off you’d be if a hacker just popped into your site one afternoon.

Choose a password that isn’t a single dictionary word; the guessing scripts above work through exactly those lists. Better still, string together two or three unrelated words, mix upper and lower case in random positions, and sprinkle in some numbers and/or characters such as # ! *. Length matters more than cleverness: a long multi-word passphrase is far harder to guess than a short word with a digit stuck on the end. If remembering such a password is the problem, let a password manager generate and store it.

Keep your password safe. Don’t share it! If anyone else learns your password, change it to a completely new one rather than tweaking the old one: adding a digit or symbol to a known password is one of the first variations a guessing script tries. I’m sure your friends are exceptionally trustworthy people, but how about their friends and the friends of their friends? You can’t be too careful.
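As an added example (not from this post), here is a small Python check that applies the rules above to a candidate password: it rejects passwords on a common-password list, single dictionary words even when dressed up with digits and symbols, short passwords, and passwords that use too few character classes. The common-password and dictionary sets are constructed stand-ins for the real published lists. The second function shows why several random words beat one decorated word: it gives the entropy of a passphrase drawn from a wordlist, and 7776 (the size of the standard Diceware list) is an assumed value used in the example, not a figure from the post.

```python
import math
import re

# Constructed stand-in for the published "most common passwords" lists.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "fluffy", "buddy", "max"}

# Constructed stand-in for the wordlist a cracking script would use.
DICTIONARY = {"correct", "horse", "battery", "staple", "fluffy", "password", "cat", "felix"}

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def check_password(pw, min_length=12):
    """Return the list of reasons a password is weak; an empty list means it passes."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")

    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("appears on a common-password list")

    # Strip digits and symbols so "Fluffy2024!" is recognised as the word "fluffy".
    core = re.sub(r"[^a-z]", "", lowered)
    if core in DICTIONARY:
        problems.append("a single dictionary word with decoration")

    classes = sum(bool(re.search(pattern, pw)) for pattern in CHARACTER_CLASSES)
    if classes < 3:
        problems.append("uses fewer than three character classes")
    return problems


def passphrase_entropy_bits(words, wordlist_size):
    """Entropy of a passphrase built from `words` random picks off a `wordlist_size`-word list."""
    return words * math.log2(wordlist_size)


if __name__ == "__main__":
    for candidate in ("password", "Fluffy2024!", "correct-Horse-battery-Staple7"):
        print(candidate, "->", check_password(candidate) or "ok")
    print("4 Diceware words:", round(passphrase_entropy_bits(4, 7776), 1), "bits")
```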

An Example of a Bot Attack

This screenshot shows the lockout notification emails Limit Login Attempts sent me while a recent run of login attempts was being made on a site. Non-stop attempts: brute force.

[Screenshot: lockouts, the stream of lockout notification emails]

See how fast those notifications were coming in?
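To make the attempts recorded by the plugin (and the burst of lockouts in the screenshot above) concrete, here is an added Python example, not code from this post or from the Limit Login Attempts plugin. It replays a constructed log of failed logins and applies a lockout policy of the kind the plugin enforces; the retry limit, lockout length and retry window are assumed values, not the plugin’s actual settings. It also tallies the usernames the bot tried, which is the ‘admin’ variant list you see on the settings page.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one failed login per line, "timestamp ip username".
# One bot hammers the login page from 203.0.113.7; a second host tries twice.
SAMPLE_LOG = """\
2024-03-01T02:14:05 203.0.113.7 admin
2024-03-01T02:14:06 203.0.113.7 administrator
2024-03-01T02:14:07 203.0.113.7 adminadmin
2024-03-01T02:14:08 203.0.113.7 admin1
2024-03-01T02:14:09 203.0.113.7 admin2
2024-03-01T02:14:10 203.0.113.7 Admin
2024-03-01T02:40:00 203.0.113.7 admin
2024-03-01T09:30:00 198.51.100.23 editor
2024-03-01T09:31:00 198.51.100.23 editor
"""

# Assumed policy values for this example (configure the real ones in the plugin).
ALLOWED_RETRIES = 4                       # failures before an IP is locked out
LOCKOUT_DURATION = timedelta(minutes=20)  # how long the lockout lasts
RETRY_WINDOW = timedelta(hours=12)        # failures older than this no longer count


def parse_log(text):
    """Turn the log text into (timestamp, ip, username) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user = line.split()
        events.append((datetime.fromisoformat(ts), ip, user))
    return events


def compute_lockouts(events):
    """Replay failed logins in time order and return the lockouts the policy triggers.

    Returns a list of (lockout_start, ip). Attempts arriving during an active
    lockout are ignored, because a locked-out client never reaches the password check.
    """
    failures = defaultdict(list)   # ip -> timestamps of failures still inside the window
    locked_until = {}              # ip -> time the current lockout ends
    lockouts = []
    for ts, ip, user in sorted(events):
        if ip in locked_until and ts < locked_until[ip]:
            continue
        recent = [t for t in failures[ip] if ts - t <= RETRY_WINDOW]
        recent.append(ts)
        failures[ip] = recent
        if len(recent) >= ALLOWED_RETRIES:
            lockouts.append((ts, ip))
            locked_until[ip] = ts + LOCKOUT_DURATION
            failures[ip] = []      # the counter restarts after a lockout
    return lockouts


def usernames_tried(events):
    """How often each username was tried, locked out or not."""
    return Counter(user for _, _, user in events)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for start, ip in compute_lockouts(events):
        print(f"{start.isoformat()} locked out {ip}")
    print(usernames_tried(events).most_common())
```

Run against the constructed log, the bot is locked out on its fourth failure at 02:14:08, its next two tries are dropped, and the attempt at 02:40 starts a fresh count once the twenty minutes are up; the second host never reaches the limit. The username tally is what a bot’s wordlist looks like from the defender’s side, and a lockout email fires each time a tuple lands in the lockouts list, which is why the notifications in the screenshot arrive so fast.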