Starting around April 11, 2013, Hostgator and a number of other hosting providers became aware of a brute-force botnet attack against their servers that specifically targeted WordPress sites.

What is a BotNet Attack?

A botnet attack is an automated attack launched against a web server from many compromised computers acting together. This particular attack is enormous: security experts estimate that about 90,000 bots are involved. A brute-force attack on a web server is attempt after attempt at guessing your username and password in order to log into your WordPress site. The sheer volume of login attempts slows the web server down, and given enough time coupled with poor WordPress security, the botnet will gain access to your website. Once it is in, the botnet can change your username and password, effectively locking you out of your own site, and then use your site in the attack on others.

Steps to Take to Improve WordPress Security

1) Keep your WordPress site and Plugins updated

Log into your WordPress site, go to the Dashboard and then Updates, and download and install any WordPress and plugin updates that are listed. If you would like to be notified automatically when a new update for WordPress or a plugin is available, install the Mail on Update plugin.

2) Change Your WordPress Username to Something Other Than Admin

Most initial installations of WordPress set the administrator’s login username to admin. If your username is currently set to admin, then 50% of the botnet’s job is already done, because the first username it will try is admin. Install the Change Admin Username plugin to easily change your administrator’s username to something else.

3) Change Your WordPress Password

Short, easy-to-guess passwords like ‘password’ are a botnet’s friend. Change your password to a lengthy one; the more characters the better. Also use a mix of uppercase and lowercase letters along with numbers and special symbols such as the dollar sign ($), comma (,), caret (^), or other special characters. This makes a very tough password for the botnet to crack.

To change your admin password, log into your WordPress dashboard, click on Users, find your admin username and click Edit, scroll down to Password and type your new password, then click Update Profile.

4) Install a WordPress Security Plugin to Limit Logins

If you install a plugin that alerts you when an attack is happening and limits login attempts, this will dissuade a hacker from attacking your website, because brute force no longer works. The plugin allows only a set number of login attempts before it blocks anyone from logging into the site for a specific amount of time. With the number of WordPress sites on the planet, a hacker who runs up against a site that limits logins and slows them down will most likely just move on to the next victim.

I have found the plugin WP Security Plus by Robert Vance, a premium plugin, to be exceptional in limiting login attempts, blocking access, and alerting me when an attack is happening. For $7 it’s a fantastic investment in your website security. There are other free plugins such as Limit Login Attempts, but WP Security Plus does it all in one plugin.
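To show what the limiting and alerting in step 4 actually do under the hood, here is a minimal WordPress must-use plugin written as an added example for this post; it is not the code of WP Security Plus or Limit Login Attempts. It counts failed logins per client address using WordPress transients and refuses further attempts for a fixed period; the threshold, lockout length, and the `sll_` function and option names are assumptions chosen for the example.

```php
<?php
/*
Plugin Name: Simple Login Limiter (added example, not a published plugin)
Description: Locks an IP address out of wp-login.php after repeated failures.
*/

// Tunables; these values are assumptions chosen for the example.
define( 'SLL_MAX_ATTEMPTS', 5 );          // failures allowed before lockout
define( 'SLL_LOCKOUT_SECONDS', 15 * 60 ); // how long the lockout lasts

// Transient key scoped to the client's address. Behind a reverse proxy or
// CDN, use the validated proxy-supplied client address here instead.
function sll_key() {
    return 'sll_' . md5( $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0' );
}

// Count failures per address. The counter is stored with the lockout TTL,
// so reaching the threshold is the lockout, and it clears itself later.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = sll_key();
    $count = (int) get_transient( $key );
    if ( $count >= SLL_MAX_ATTEMPTS ) {
        return; // already locked out; do not extend the lockout
    }
    $count++;
    set_transient( $key, $count, SLL_LOCKOUT_SECONDS );
    if ( $count === SLL_MAX_ATTEMPTS ) {
        // The alerting part of step 4: tell the site owner once per lockout.
        wp_mail(
            get_option( 'admin_email' ),
            'WordPress login lockout',
            sprintf( 'Address %s locked out after %d failed logins (last username tried: %s).',
                $_SERVER['REMOTE_ADDR'] ?? 'unknown', $count, $username )
        );
    }
} );

// While locked out, every login attempt is rejected whatever the credentials
// were, so continued guessing yields no information.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( sll_key() ) >= SLL_MAX_ATTEMPTS ) {
        return new WP_Error( 'sll_locked_out',
            'Too many failed login attempts. Try again later.' );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( sll_key() );
} );
```

Against a botnet the size described above, each bot arrives from its own address, so a per-address lockout mainly slows the attack and generates alerts; a per-username counter would catch the distributed case, at the cost of letting an attacker lock the real user out, which is why the published plugins combine both with care.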

Following the 4 steps above will make your WordPress site less desirable for a hacker to attack. You’ll also gain peace of mind that your site is well secured and safe.
