WARNING! WARNING! WARNING! WARNING! WARNING! WARNING! WARNING! WARNING!
Is your website, like this one, based on the WordPress CMS/framework, whether self-hosted or run on your own hosting platform? Then you need to think very hard about your WordPress admin security, as there is currently an absolutely massive botnet attack (some 100,000 computers appear to be involved at this stage) being targeted at WordPress-based websites.
The attack is quite simple: it attempts to log in to your website using the username “admin” and a dictionary brute-force system to “guess” the password. Once it has the correct one, it then tries to exploit the WordPress platform to gain control of the server itself.
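As an added illustration (not from the original post), here is how a site owner could spot that pattern in the Apache access log. WordPress answers a failed login POST to wp-login.php with a 200 (the form is shown again) and a successful one with a 302 redirect, so counting 200-status POSTs per source IP inside a short window isolates the guessing. The log lines below are constructed, the IP addresses are documentation ranges, and the 4-attempt threshold mirrors the plugin advice later in the post.

```python
"""Flag source IPs that hammer wp-login.php, the signature of the brute-force
attack described above. Added example; the log lines are constructed, not real."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format, the default on most shared hosts.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one IP cycling passwords against wp-login.php, one normal
# visitor whose single login succeeds (302 redirect into wp-admin).
SAMPLE_LOG = """\
198.51.100.7 - - [13/May/2013:11:02:01 +0100] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.7 - - [13/May/2013:11:02:02 +0100] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.7 - - [13/May/2013:11:02:02 +0100] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.7 - - [13/May/2013:11:02:03 +0100] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.7 - - [13/May/2013:11:02:04 +0100] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.20 - - [13/May/2013:11:05:10 +0100] "GET /about/ HTTP/1.1" 200 8765 "-" "Mozilla/5.0"
203.0.113.20 - - [13/May/2013:11:05:40 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one combined-format line into fields; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def failed_logins(lines):
    """Map each source IP to the timestamps of its failed login POSTs.

    A POST to wp-login.php answered with 200 means the login form was re-shown,
    i.e. the credentials were rejected; a 302 means the login succeeded.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "POST"
                and rec["path"].startswith("/wp-login.php")
                and rec["status"] == 200):
            per_ip[rec["ip"]].append(rec["ts"])
    return per_ip


def offenders(lines, max_failures=4, window=timedelta(minutes=10)):
    """Return {ip: failures} for IPs exceeding max_failures inside any sliding window."""
    flagged = {}
    for ip, times in failed_logins(lines).items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > max_failures:
                flagged[ip] = count
                break
    return flagged


if __name__ == "__main__":
    for ip, n in offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} failed logins inside the window")
```

The same loop works over a live log file (`offenders(open("/var/log/apache2/access.log"))`); what it reports is the set of addresses a lockout plugin or firewall rule would block.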
As it stands, it doesn’t appear that whoever is behind these attacks is trying to disrupt the individual websites; rather, they are trying to gain access to the server resources that the websites run on. However, there are a few simple steps you can take to make your WordPress installation a little bit more secure:
- Change your username from the default “admin” one. Change it to something obscure that cannot be easily guessed.
- Use a strong, complex password, and do not use full words anywhere within the password.
- Use a mixture of uppercase letters, lowercase letters, numbers, special characters and symbols, and again, do not put them in a recognisable pattern.
- Change your password regularly. Once every 28 days (4 weeks) is a good length of time for most websites. If you are a little bit more security conscious, then once every 14 days is better, and every day is absolutely amazing, but not very practical.
- Make use of the Apache web server’s .htaccess and .htpasswd files to add an additional username and password which is required to get into your website.
- Again, it should not use the username “admin”, and the password should be complex!
- Install a WordPress plugin which blocks an IP address after it has failed to log in more than 3 or 4 times.
- Restrict access to the IP address you have at home, at work, or wherever you mainly access your website from. (Not recommended for Internet connections without a static or nearly static IPv4/IPv6 address.)
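The .htaccess, .htpasswd and IP-restriction steps in the list above can be turned into an Apache configuration. The following is an added example, not part of this post or of any plugin: it checks that the second username is not “admin”, checks the password against the complexity rules above (the word list inside it is a small constructed stand-in for a real dictionary), validates the allowed addresses, and renders a `.htaccess` fragment for `wp-login.php`. The .htpasswd file itself is created with Apache's own `htpasswd` tool (`htpasswd -c /path/to/.htpasswd username`). Paths and addresses are placeholders, and the `Require` syntax assumes Apache 2.4 (Apache 2.2 used `Order`/`Allow from` instead).

```python
"""Render an Apache 2.4 .htaccess fragment that puts a second username/password
and an IP allowlist in front of wp-login.php, enforcing the rules from the list
above. Added example; paths, names and addresses are placeholders."""
import ipaddress
import re
import string

# "No full words in the password": a constructed stand-in for a real dictionary.
WORDLIST = {"password", "admin", "wordpress", "letmein", "welcome"}


def check_username(name):
    """The second gate must not reuse the default "admin" account name."""
    if name.lower() == "admin":
        raise ValueError("gate username must not be 'admin'")
    if not re.fullmatch(r"[A-Za-z0-9_.-]{8,}", name):
        raise ValueError("username: at least 8 chars, letters/digits/_.- only")
    return name


def check_password(pw, min_len=14):
    """Length, all four character classes, and no dictionary word inside it."""
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    if len(pw) < min_len or not all(classes):
        raise ValueError(f"password: {min_len}+ chars with upper, lower, digit and symbol")
    lowered = pw.lower()
    if any(word in lowered for word in WORDLIST):
        raise ValueError("password contains a dictionary word")
    return True


def check_networks(addrs):
    """Accept single IPv4/IPv6 addresses or CIDR blocks; anything else raises."""
    return [str(ipaddress.ip_network(a, strict=False)) for a in addrs]


def render_htaccess(htpasswd_path, allowed=()):
    """Basic-auth gate on wp-login.php, optionally restricted to `allowed` networks."""
    nets = check_networks(allowed)
    lines = [
        '<Files "wp-login.php">',
        "    AuthType Basic",
        '    AuthName "Site administration"',
        f"    AuthUserFile {htpasswd_path}",
    ]
    if nets:
        # Both conditions must hold: valid credentials AND an allowed source address.
        lines += [
            "    <RequireAll>",
            "        Require valid-user",
            "        Require ip " + " ".join(nets),
            "    </RequireAll>",
        ]
    else:
        lines.append("    Require valid-user")
    lines.append("</Files>")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Placeholder values; replace with your own before use.
    check_username("site.gatekeeper")
    check_password("Tq8#vL2!mZ9@pW4x")
    print(render_htaccess("/srv/example/.htpasswd",
                          ["203.0.113.10", "2001:db8::/32"]))
```

Drop the rendered fragment into the .htaccess at the WordPress root (or into the vhost configuration), keep the .htpasswd file outside the web root, and leave the IP allowlist empty unless the connections you administer from really do have a fixed address, as the last list item warns.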
For the next 72 hours, I am happy to answer any requests submitted via my contact form and confirmed by follow-up email for me to look at your WordPress website and tell you how its security could be improved. FREE OF CHARGE! (Limited to the first 100 people only.)
UPDATE 13/05/2013 11:19: I am very happy that several of the website hosting providers I am regularly involved with have taken the decision to protect their customers en masse. Some of them have done it better than others, by adding a generic .htaccess password solution as recommended in my blog post above. Others have simply blocked access to the WordPress admin area entirely, meaning that users cannot update their website at all. This is not really a good thing, especially when there are other, simpler solutions which do not involve compromising functionality.
The plugin I use for security on my WordPress-based websites is called Login Security Solution, and its plugin page is available at http://wordpress.org/extend/plugins/login-security-solution/. You can install it from within WordPress, or download it from the plugin page and upload it to your WordPress-based website.
If you use the WordPress.com platform to host your WordPress website, then you can enable two-factor authentication. This means that a code is sent to your mobile phone every time you, or someone else, logs in using the correct password. Once again, nothing beats having a secure password.