WordPress Sites Weathering Unprecedented Attacks…
Many of us have had experience with spam emails, some of which carry a virus which can compromise our computers and cause hours, if not days, of inconvenience and frustration. We’re not always aware it’s happened, and sometimes our own systems at home can contribute to the expanding threat of cyber attackers.
In recent weeks, WordPress sites have been a particular target of “brute force attacks” – exhaustive automated searches for that magic combination of username and password that can spell disaster when it falls into the wrong hands.
At best, these repeated attempts to log in can affect the performance of your site. At worst, a successful attempt that compromises your site may bring it down altogether, or create yet another infected environment which will contribute to the wider problem. We all have a responsibility to do what we can to protect ourselves, and others, from this risk.
Don’t give the hackers half the answer!
Amazing but true: many WordPress site administrators are using “Admin” as their username! This is not news – but it is certainly bad practice. Chris Jean, in his excellent article for iThemes, reckons that almost 99% of attempts are using “admin” for the username. Mix this with a weak password, and you could be in trouble.
To safeguard against trouble, these are the very first things I do when I create a new installation of WordPress:
- Create a new user with Administrator-level permissions, and a strong password.
- Log out as the user named Admin, and log back in as the new user.
- From the new user login, delete the original user named Admin.
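The same steps can be scripted. The following is an added example, not part of the original article, and it assumes WP-CLI is installed and run from the WordPress root; the login `site-owner` and the email address are placeholders. Step 2, logging in as the new user, still happens in the browser.

```shell
# Added example: retire the default "admin" account with WP-CLI.
# The function name and the sample login/email are illustrative.

replace_default_admin() {
  local new_login="$1" new_email="$2" old_login="${3:-admin}"

  if [ -z "$new_login" ] || [ -z "$new_email" ]; then
    echo "usage: replace_default_admin <new-login> <new-email> [old-login]" >&2
    return 2
  fi
  # Refuse a replacement that is the old name in a different case.
  if [ "$(printf '%s' "$new_login" | tr '[:upper:]' '[:lower:]')" = \
       "$(printf '%s' "$old_login" | tr '[:upper:]' '[:lower:]')" ]; then
    echo "new login must differ from '$old_login'" >&2
    return 2
  fi
  # Nothing to do if the default account is already gone.
  if ! wp user get "$old_login" --field=ID >/dev/null 2>&1; then
    echo "no user named '$old_login'; nothing to remove"
    return 0
  fi

  # Step 1: create the replacement administrator. With no --user_pass,
  # WP-CLI generates a random password and prints it once.
  wp user create "$new_login" "$new_email" --role=administrator || return 1
  local new_id
  new_id="$(wp user get "$new_login" --field=ID)" || return 1

  # Step 3: delete the old account, reassigning its posts to the new
  # user so existing content is not deleted along with it.
  wp user delete "$old_login" --reassign="$new_id" --yes || return 1

  # Check: list the administrator logins that remain.
  wp user list --role=administrator --field=user_login
}

# Run only when called with arguments, e.g.:
#   sh replace-admin.sh site-owner owner@example.com
if [ "$#" -ge 2 ]; then
  replace_default_admin "$@"
fi
```

Record the generated password in a password manager when it is printed, then confirm in the final list that the old login no longer appears.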
Using a strong password is also important. Be sure to use a combination of upper and lower case letters, numbers, and a symbol like @, & or #. You should be able to come up with something memorable which is nevertheless complex.