Chances are, if you built your own WordPress (WP) website or engaged a designer to build one for you, the first user account was set up with the default user name “admin.”
Hackers and spammers know this all too well, and it takes no effort to reach your login screen: type <your website domain name>/wp-admin (which redirects to wp-login.php). From there, a brute-force attack simply tries password after password against that known user name until it gets into your website dashboard.
Why are they trying to break into your website? WordPress has become the go-to tool for building websites because its Content Management System (CMS) is easy to use and there is a huge variety of themes and plugins to customize a site. That popularity also makes it the target that pays off most for automated attacks.
W3Techs.com reports that WordPress is used by 23.4% of all websites today and by more than 60% of all websites built on a known CMS. Other CMS engines include Joomla, Drupal, DotNetNuke and others.
Back in January I read a news story, which I shared, that Google was blocking certain WordPress-based websites because of malware infections. The attacks continue. If you want a visual on this, look at the Wordfence.com website. The graphic above shows only 5-10% of all the attacks taking place at any one point in time. As I write this, nearly 8,000 attacks per minute are hitting WordPress websites.
Here are some reasons hackers attempt to break into your website
Primarily, hackers do this to plant malware on your website’s server so that when someone visits your website, that software is downloaded onto their computer (a drive-by download). It may be a nuisance or outright malicious: it may try to grab personal information off the visitor’s PC, or install something that spreads itself via their email to other people.
Some of the prospects I have dealt with have found strange domain names inserted into their pages in colors only slightly different from the background. This is an old backlink tactic used to inflate search ranking: hidden links planted on compromised sites. Google’s Penguin update put an end to its effectiveness, but some people have not gotten the word and still use this “black-hat” SEO tactic. Hidden links like these are usually injected into theme files or into the post content in the database, so check both when cleaning up.
A less pleasant outcome is that they take over your website entirely and lock you out.
Solutions to block WP website hackers
Here are a few measures that will at least slow hackers down and protect your website.
1. Never, ever use ADMIN as your user name.
As stated above, everyone knows this is the default user name, so change it as soon as possible. WordPress does not let you rename an existing user from the dashboard, so create a new account with the Administrator role, log in as that user, then delete the old “admin” account; when WordPress asks, attribute its posts and pages to the new account so you do not lose content. In the new name, avoid common words and mix a @ or – (dash) with upper- and lowercase letters and numbers. Not all symbols are accepted in a user name (WordPress allows letters, numbers, spaces and the characters _ . - @), but I have found the ones here do work. Note that renaming alone does not hide the name: the author archive URL still exposes each user’s slug, which is what the Smart User Slug Hider plugin below addresses.
2. Create a strong password
I cannot tell you how many times I have worked with people who created a user account for me on a WordPress website and used the company name plus a number as the password. The first thing I do is create a new strong password. I use the Norton Password Generator and increase the password length and add punctuation.
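Both rules above can be checked mechanically. The Python script below is an added example written for this article, not the author's tool and not the Norton generator: it checks a proposed user name against the character set WordPress actually accepts when validating a new account (letters, digits, space and _ . - @, at most 60 characters), rejects guessable names, flags the “company name plus a number” password pattern, and generates a random password with Python's secrets module. The list of guessable names, the rule that the user name must not contain the site's own domain label, and the 20-character default length are this example's assumptions, not WordPress rules.

```python
import math
import re
import secrets
import string

# Characters WordPress accepts in a user name when validating a new account
# (strict mode of sanitize_user): letters, digits, space, underscore, period,
# hyphen and @. The user_login column holds at most 60 characters.
WP_USERNAME_RE = re.compile(r"^[A-Za-z0-9 _.\-@]{1,60}$")

# Names attackers try first. This list is an assumption of this example,
# not something WordPress itself checks.
GUESSABLE_NAMES = {"admin", "administrator", "root", "test", "user",
                   "webmaster", "wordpress"}


def check_username(name, site_domain):
    """Return a list of problems with a proposed user name (empty list = OK)."""
    problems = []
    if not WP_USERNAME_RE.match(name):
        problems.append("contains characters WordPress will strip, or is too long")
    lowered = name.lower()
    if lowered in GUESSABLE_NAMES:
        problems.append("is a default name every brute-force tool tries")
    # The first label of the domain ("acme" for acme.com) is the next guess
    # an attacker makes, so refuse names that contain it (example rule).
    label = site_domain.lower().split(".")[0]
    if label and label in lowered:
        problems.append("contains the site's own name")
    return problems


def is_company_plus_number(password, company):
    """True for the weak pattern seen in the wild: company name, optional
    separator, then digits (case-insensitive)."""
    pattern = re.compile(r"^" + re.escape(company) + r"[\W_]*\d*$", re.IGNORECASE)
    return bool(pattern.match(password))


def password_bits(password):
    """Rough strength estimate: assume each character was drawn uniformly from
    the union of the character classes actually present in the password."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),
    ]
    pool = sum(size for chars, size in classes if any(c in chars for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def generate_password(length=20):
    """Draw a password from letters, digits and punctuation with the OS
    cryptographic generator, retrying until every class is represented."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


if __name__ == "__main__":
    for name in ("admin", "acme!2015", "jd-ops@2015"):
        print(name, "->", check_username(name, "acme.com") or "OK")
    print("Acme2015 is company+number:", is_company_plus_number("Acme2015", "Acme"))
    pw = generate_password()
    print(pw, f"~{password_bits(pw):.0f} bits")
```

The entropy figure is only a ceiling for randomly generated passwords; a human-chosen string that happens to use all four classes gets the same number but is far weaker, which is exactly why the pattern check runs separately.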
3. Add WP security plugins
You can search for plugins inside WP, but I have found several that work quite well. Here are a few of my favorites:
- Captcha by BestWebSoft – This adds a small CAPTCHA to the login screen that slows hackers down: they have to solve a simple arithmetic problem every time they reach the login screen, something the generic brute-force bots are not written to do. I have found this simple plugin stops practically all hacker attempts.
- Limit Login Attempts by Johan Eenfeldt – This tool locks out anyone who enters an incorrect user name and password combination after a set number of attempts. It logs the offending IP addresses, so if you are curious you can do an IP address lookup to see where the attack originated. Keep in mind that lockouts are keyed on the IP address: an attack spread across many addresses stays under the threshold, and a lockout can also catch colleagues who share an office address.
- Smart User Slug Hider by smartware – This one is a must if you write a blog as part of your website and automatically show the author’s name on each post. Even if you change the WordPress display name to the person’s real name, all a hacker has to do is hover over the author link to see the true user name in the URL. This plugin replaces that user name with random letters and numbers. Trust me on this one; I have seen hackers use it when trying to break into websites I manage.
- Wordfence Security by Wordfence – Yes, the same company whose graphic I showed above has a great tool that stops hackers in their tracks. It can be a little chatty, in that it sends an email alert for a variety of reasons: a hack attempt, a plugin update, or a successful login. I do encourage enabling the email functions, but consider sending them to a non-critical business email address; I create admin@<company domain> for this purpose, so your regular business inbox does not fill up with non-critical mail. I also change some settings to block anyone who tries an incorrect user name on the first attempt; I don’t let them keep trying. The paid version lets you block traffic by country outright.
- Here is an example of a Wordfence alert. You can see “admin” was the username of choice.
Wordfence also logs the offending IP addresses and attaches a country to each one, so you can see where the attacks are coming from.
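Limit Login Attempts and Wordfence both work from the same raw signal: repeated login failures from one address. You can read that signal straight out of the web server's access log without any plugin, which is handy when a site has already been hit and you want to know whether the attacker got in. The script below is an added example written for this article, not code from either plugin. It reads combined-format access log lines (constructed here with RFC 5737 test addresses, not real traffic) and flags any IP whose POSTs to /wp-login.php get HTTP 200 back (WordPress re-renders the form on a failed login) at least a threshold number of times inside a sliding window; if a later POST from a flagged address gets the 302 redirect that a successful login produces, the address is marked as likely compromised. The threshold of 5 and the 5-minute window are this example's choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-format access log lines constructed for this example (not real
# traffic). 203.0.113.7 hammers the login form and finally gets a 302,
# 198.51.100.20 tries twice and gives up, 192.0.2.44 only loads the page.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2015:10:01:01 -0600] "POST /wp-login.php HTTP/1.1" 200 4231 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2015:10:01:02 -0600] "POST /wp-login.php HTTP/1.1" 200 4231 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2015:10:01:02 -0600] "POST /wp-login.php HTTP/1.1" 200 4231 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2015:10:01:03 -0600] "POST /wp-login.php HTTP/1.1" 200 4231 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2015:10:01:04 -0600] "GET /wp-login.php HTTP/1.1" 200 3980 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2015:10:01:04 -0600] "POST /wp-login.php HTTP/1.1" 200 4231 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2015:10:01:05 -0600] "POST /wp-login.php HTTP/1.1" 200 4231 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2015:10:01:05 -0600] "POST /wp-login.php HTTP/1.1" 200 4231 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2015:10:01:06 -0600] "POST /wp-login.php HTTP/1.1" 200 4231 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2015:10:01:07 -0600] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# client IP, ident, user, [timestamp], "METHOD path protocol", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format line into a dict; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop any query string
        "status": int(m.group("status")),
    }


def find_login_attacks(lines, threshold=5, window=timedelta(minutes=5)):
    """Flag IPs with >= threshold failed wp-login.php POSTs inside the window.

    A failed login re-renders the form (HTTP 200); a successful one redirects
    (HTTP 302). A flagged IP that later gets a 302 has probably guessed the
    password and is marked likely_compromised.
    """
    recent = defaultdict(list)  # ip -> timestamps of failed POSTs still inside the window
    flagged = {}                # ip -> {"failures": peak count, "likely_compromised": bool}
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["method"] != "POST" or ev["path"] != "/wp-login.php":
            continue
        ip = ev["ip"]
        recent[ip] = [t for t in recent[ip] if ev["ts"] - t <= window]
        if ev["status"] == 200:
            recent[ip].append(ev["ts"])
            if len(recent[ip]) >= threshold:
                entry = flagged.setdefault(ip, {"failures": 0, "likely_compromised": False})
                entry["failures"] = max(entry["failures"], len(recent[ip]))
        elif ev["status"] == 302 and ip in flagged:
            flagged[ip]["likely_compromised"] = True
    return flagged


if __name__ == "__main__":
    for ip, info in find_login_attacks(SAMPLE_LOG.splitlines()).items():
        verdict = "LIKELY COMPROMISED" if info["likely_compromised"] else "still guessing"
        print(f"{ip}: {info['failures']} failed logins in window, {verdict}")
```

The 200-versus-302 heuristic holds for the stock login form; a CAPTCHA or security plugin that rejects the request earlier, or a custom login redirect, will change the status codes and the script should be adjusted to match. It also shares the per-IP limitation of the lockout plugins: an attacker spreading guesses across many addresses never reaches the threshold, so sort the full output by total failures across all IPs as well as per address.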
Of the plugins above, I currently use the first, third and fourth (Captcha, Smart User Slug Hider and Wordfence) most often. If you are using Wordfence, there is no need to also run Limit Login Attempts, and vice versa, since both handle login lockouts.
Bottom line on WordPress Security
You need to add security measures to protect your website, and to protect your prospects and customers from having malicious software downloaded onto their computers from it. If you need some assistance, by all means call me at 402-953-2340 or use my contact form.