There have been a lot of comments surrounding the recent spate of attacks against WordPress websites. Whilst part of me thinks ‘enough said already’, another part of me wants to add my own two-penneth to the discussion by saying how I see it, and adding my own golden rules for keeping your WordPress websites safe.
WordPress has always been a popular target for hackers and spammers. Whilst a properly maintained WordPress site is no more vulnerable to attack than any other sort of website, the fact is that around 20% of all websites are now built with WordPress, making it a more lucrative platform for hackers to focus on.
Although the WordPress team works hard and fast to close any vulnerabilities that are found, there are many, many website owners who just don’t keep their WordPress version (and plugins) up-to-date. This leaves many websites vulnerable to attack. So, my number one golden rule for keeping your WordPress site safe is…
Followed swiftly by the number 2 rule…
Brute Force WordPress Attacks
The current threat to WordPress websites is from hackers who are attempting to log in to WordPress sites by trying thousands of combinations of usernames and passwords until they manage to log in.
These login attempts are automated, and a hacker is able to generate many thousands of attempts in a very short space of time, typically from a range of different IP addresses and locations. Even if they don’t succeed in breaking into your site, their attempts to log in greatly add to the server load, slowing down websites.
We experienced such a problem on our own server recently, and it’s likely that this issue (or a variation) will occur more frequently in the future. This isn’t something specifically targeted at us – most website hosts are experiencing the same.
It’s possible that these hackers don’t even want to hack your site. Their ideas may be much more ambitious – for example, to use the power of your website to launch an attack on an even bigger target!
Protecting your WordPress site against brute force attacks
Your own website hosts may well have implemented measures to help protect your site against WordPress hacking attacks, such as adding an extra login screen in front of your actual WordPress login page. This is OK if it’s just you that logs in to your site, but if you have a number of users who need to log in this might prove confusing for them. You might want to look at a plugin such as Limit Login Attempts, which blocks an IP address from accessing your website for 15 minutes after 4 incorrect username/password attempts, and applies a further lockout period of 24 hours if more unsuccessful attempts are made. This will seriously inconvenience hackers, who rely on making thousands of attempts every few minutes in order to ‘crack’ your password. However, it might not be effective if the login attempts are coming from a large range of different IP addresses.
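The lockout policy just described, as an added simulation in Python (hypothetical code written for this post, not the Limit Login Attempts plugin’s own implementation; it assumes the 24-hour period applies to any lockout after the first). It also shows the caveat above: per-IP lockout does little when each guess arrives from a different address.

```python
from dataclasses import dataclass

MAX_FAILURES = 4              # failed attempts before the IP is locked out
SHORT_LOCKOUT = 15 * 60       # first lockout: 15 minutes, in seconds
LONG_LOCKOUT = 24 * 60 * 60   # any later lockout: 24 hours (assumed reading)

@dataclass
class IpRecord:
    failures: int = 0          # failures since the last lockout
    lockouts: int = 0          # lockouts issued so far
    locked_until: float = 0.0  # login refused until this timestamp

class LoginThrottle:
    """Hypothetical per-IP throttle, not the plugin's own code."""
    def __init__(self):
        self.records = {}

    def attempt(self, ip, now, password_ok=False):
        """Process one login; returns 'locked', 'failed' or 'ok'."""
        rec = self.records.setdefault(ip, IpRecord())
        if now < rec.locked_until:
            return "locked"        # refused before credentials are checked
        if password_ok:
            rec.failures = 0
            return "ok"
        rec.failures += 1
        if rec.failures >= MAX_FAILURES:
            rec.failures = 0
            rec.lockouts += 1
            period = SHORT_LOCKOUT if rec.lockouts == 1 else LONG_LOCKOUT
            rec.locked_until = now + period
        return "failed"

def simulate(attempts):
    """attempts: (ip, timestamp) pairs, all with wrong credentials, as a
    guessing bot would send; returns how many got each outcome."""
    throttle = LoginThrottle()
    counts = {"locked": 0, "failed": 0, "ok": 0}
    for ip, ts in attempts:
        counts[throttle.attempt(ip, ts)] += 1
    return counts

def single_source(n):
    # constructed scenario: n guesses from one IP, one every 100 ms
    return simulate(("203.0.113.5", i * 0.1) for i in range(n))

def distributed(n):
    # constructed scenario: n guesses, each from a different IP, same rate
    return simulate((f"10.{i >> 8 & 255}.{i & 255}.1", i * 0.1) for i in range(n))
```

With 1,000 guesses, the single-source bot gets only 4 attempts checked before being locked out, while the distributed one has every guess checked.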
Can you do more?
No website (WordPress or otherwise) can be rendered 100% safe from hacking attacks. However, the more work you do to protect your website, the harder you will make it for hackers to break in, persuading them to go for the many easier targets elsewhere.
Here are a few more quick tips…
We offer a premium support service that can look after your website by keeping all of the vital components up-to-date, as well as proactively flagging issues that you might have and helping you to resolve them. This service costs just £225 + VAT per year, and provides up to 1 hour of our support time every month. We also offer an even more comprehensive Gold Service (for those website owners who want even more).
If you are not on one of our website support schemes, and would like us to take action to protect your website, please get in touch.