Recent WordPress Hack Attempts and How to Stay Safe
netmediablog.com http://netmediablog.com/recent-wordpress-hack-attempts-and-how-to-stay-safe
Nwosu Mavtrevor
The recent WordPress hack attempts spreading all over the internet these days call for serious concern. Recently there have been reports of brute force botnet attacks on WordPress; users with “admin” and “wordpress” usernames are the most targeted. Every day I receive reports of failed login attempts on Netmediablog.
So many of my fellow bloggers have complained of their blogs being hacked, and others have also complained of WordPress hack attempts on their blogs recently. Blogs vulnerable to the recent WordPress brute force botnet attacks are those with admin or wordpress as the default login username. Getting hacked will result in loss of income, downtime, disappointed visitors, etc. Restoring and fixing the damage done can only be easy if you have a regular backup of your entire blog. Read my article titled “Top 5 Cloud Backup Plugins for WordPress” and learn how to back up your entire WordPress site to the cloud.
Prevent WordPress Hack
You may not know how many times your site has faced hacking attempts, because you may not have seen anything unusual; you’d be surprised when you find out. Now let’s see how we can be safe from the recent WordPress hack attempts.
Change your administrator username: If you are still using “admin” or “wordpress” as your administrator username, change it now. The recent WordPress brute force attacks are targeted at blogs with such usernames. Most hacking attempts are auto-generated, and since most users who install their WordPress from Fantastico use usernames such as admin, wordpress and test, it is easy to target those usernames.
Change such usernames to something more complex and difficult to guess: add some numbers and special characters and make it at least 10 characters long. There are two ways to change your WordPress username. First, you can create a new user on your dashboard with administrator privileges, delete the old user (admin) and attribute all its posts to the new user you created. Remember to use something complex that only you can remember as the new username. Secondly, you can read Babanature’s blog post titled “Changing your WordPress Username/login Name”.
Install Login Limiter WordPress Plugin: The Login Limiter WordPress plugin is indeed an awesome plugin; it helps you lock out IP addresses that are attempting unauthorized logins to your site. With this plugin you can limit the number of login retries on your site, limit in the same way the number of attempts to log in using auth cookies, get reports of such failed login attempts and their source IP addresses, log all login attempts, and handle a server behind a reverse proxy.
Click here now to download the Limit Login Attempt plugin; it’s also free.
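The lockout the plugin performs starts from detection: spotting one source address making many failed login POSTs. As an added example (not code from the original post or from the plugin), the shell script below counts failed POSTs to wp-login.php per source IP in Apache access-log lines and turns the offenders into the same kind of deny rule the plugin applies. The log lines are constructed sample data, the threshold is a parameter, and the status-code logic assumes the WordPress behaviour that a failed login re-renders the form with 200 while a successful one redirects with 302.

```shell
#!/bin/sh
# Added example: detect brute-force login attempts in an Apache access log.
# The lines below are constructed sample traffic (RFC 5737 test addresses).
SAMPLE_LOG='203.0.113.7 - - [10/Apr/2013:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3571 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3571 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3571 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3571 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3571 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:02:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3571 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Apr/2013:08:01:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2910 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Apr/2013:08:01:25 +0000] "POST /wp-login.php HTTP/1.1" 200 3571 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Apr/2013:08:01:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Apr/2013:09:30:00 +0000] "GET /2013/04/some-post/ HTTP/1.1" 200 15230 "-" "Mozilla/5.0"'

# flag_bruteforce_ips THRESHOLD: read combined-format log lines on stdin and
# print "IP count" for every source IP whose failed-login POSTs reach THRESHOLD.
# Field layout: $1 client IP, $6 "METHOD, $7 request path, $9 status code.
# A failed wp-login.php POST re-renders the form (status 200); a successful one
# redirects (302), so only the 200s are counted as failures.
flag_bruteforce_ips() {
  awk -v limit="$1" '
    $6 == "\"POST" && $7 == "/wp-login.php" && $9 == "200" { fails[$1]++ }
    END { for (ip in fails) if (fails[ip] >= limit) print ip, fails[ip] }
  ' | sort
}

# make_deny_rules: turn flagged "IP count" lines into Apache 2.2 deny directives,
# the same lockout the plugin applies, in a form that can be reviewed before use.
make_deny_rules() {
  awk '{ print "deny from " $1 }'
}

# Run on the constructed sample: flag any IP with 5 or more failed logins.
printf '%s\n' "$SAMPLE_LOG" | flag_bruteforce_ips 5
printf '%s\n' "$SAMPLE_LOG" | flag_bruteforce_ips 5 | make_deny_rules
```

On the sample, only 203.0.113.7 crosses the threshold; the legitimate user at 198.51.100.22 mistyped once and then logged in, and is left alone. Feed a real log with `flag_bruteforce_ips 5 < /path/to/access_log` and tune the threshold to your own traffic before acting on the output.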
Must Read: Necessary WordPress Security Plugins every blog should have.
Change WordPress Database Table Prefix: Do not install the WordPress database with the default wp_ table prefix; instead of “wp” use something else, for example ABC, TTT, XOXO etc. Use something complex that won’t be easy to guess.
Always Update your WordPress: Of course every update fixes bugs, and hackers can exploit bugs to hack your site. Always ensure you have the latest WordPress version installed; that way you will always have the best security measures in place.
Use Strong Passwords: You just have to read my earlier blog post titled “Tips to creating strong passwords”. A strong password, even against an automatic program that makes guesses at blazing speed, still needs lifetimes to crack.
Protect Wp-Config File: Sometimes protecting your WordPress site is not totally your responsibility; your host should also play its part. If you are on shared hosting then you may be facing a greater danger. WordPress sites on shared hosting can get hacked by a method called symlinking. A symlink is a virtual link pointing to a file in a directory. In a shared hosting environment hard disks are divided into several parts for different accounts; if proper security measures are not in place, a shared hosting account can be taken over by another shared hosting account on the same server by launching a symlink attack.
What the symlink attack does is to get the full source code of your wp-config file to reveal your site details. The wp-config file contains all the SQL database connectivity details, which means your database username and password are in it. So the best way is to protect this file. Log in to your cPanel and edit your .htaccess file with the following code:
# protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>
Add it anywhere in the file. Remember to back up your .htaccess before editing it. Now you can go to your browser and check http://domain.com/wp-config.php (replace domain.com with your website address); it will show a 404 error page.
Allow access to the wp-admin folder from your computer alone: You can simply edit your .htaccess file to allow only certain IP addresses to access your admin folder. You can use the code below:
order deny,allow
deny from all
allow from paste.your.ip.here
Just add the code above into your .htaccess and you are done. No other IP address will be able to log in to your site. Note you can always change the IP through SSH.
Note: I may not totally advise this, especially if you may need to use another network or computer to access your blog somewhere someday.
Conclusion:
Even if you ensure all the security measures discussed here, there is no way you can assume 100% security for WordPress. Most security measures can only amount to 80% – 90%, and the rest may not depend on you. Most WordPress hack attempts are automated, as I said earlier, and if you can ensure your WordPress security to even 80%, they may leave you and turn to easier targets unless they have a good reason to get in.
WordPress developers are also working round the clock to close any exploit they can find, and most hacking attempts are done with old exploits which may not be effective against your WordPress, especially if it is updated and you have ensured the security measures discussed above.
So all I can advise you is to do your part and, most importantly, always BACKUP your WordPress site so that even if you get hacked, you can always recover everything. I hope you find this post interesting; let me hear your views and contributions about the recent WordPress hack attempts and how to stay safe. Remember to subscribe to my RSS feed.