When you are the world’s most popular content management system and the online publishing platform of choice used by millions of businesses and loved by thousands of website developers and website designers, it’s inevitable that at some point in time, WordPress will come under attack from hackers.
In early 2013 a large-scale brute-force attack began hitting WordPress installations across virtually every host server in existence around the world.
These attacks were caused by computer networks infected with viruses and programmed to attack other vulnerable computers (called “botnets”).
How To Protect Your WordPress Site From A Brute-Force Attack
About Brute Force Attacks
A brute-force attack is a technique used to break an encryption or authentication system by trying all possibilities.
(Source: Chinese University Of Hong Kong)
There are many methods hackers use to try and break into a WordPress site. One of these is by trying to guess the site’s administration login username and password. This can be achieved with software programs and scripts that can work through hundreds of possible logins in minutes.
If you’re using weak login details, your website could be an easy target for hacking attempts.
This is called a “brute-force” login attack.
Botnets
A botnet is a number of Internet-connected computers communicating with other similar machines in an effort to complete repetitive tasks and objectives. This can be as mundane as keeping control of an Internet Relay Chat (IRC) channel, or it could be used to send spam email or participate in distributed denial-of-service attacks. The word botnet is a combination of the words robot and network.
(Source: Wikipedia.org)
A “Botnet” is a network of computers that have been infected with malicious scripts or software code, which are then controlled remotely as a group, often without the unsuspecting computer owners’ knowledge or awareness.
Botnets are typically used to blast mass spam emails from the infected computers of unsuspecting users.
Below is a screenshot taken from an internet security monitoring site showing the locations of the command centers of ZeuS – a botnet that has been actively infecting computer networks all around the globe since 2009 …
(The Zeus botnet has been actively infecting computer networks all around the globe since 2009. Screenshot: SecureList.com)
These ongoing botnet attacks were well organized and highly distributed. Over 90,000 IP addresses were identified by a number of hosting companies in the initial attack, when millions of attempts to force their way into WordPress site administration areas occurred. The large-scale attack then continued, with over 30,000 WordPress blogs being hacked each day.
News of this brute-force botnet attack was reported by all the major webhosting companies, as well as the leading technology media publications, such as TechNews Daily, Forbes, PC Magazine, BBC News, Tech Crunch, and even on the official US Department of Homeland Security website …
(WordPress often comes under attack by hackers, due to its popularity)
Does This Mean WordPress Is Not Secure And We Should Stop Using It?
No. In fact, there are many great reasons why you should choose WordPress if you are concerned about the security of your online presence.
We explain what makes WordPress a very secure platform for websites in this article: Is WordPress Secure?
It’s important to understand that, in the case of April 2013 large-scale brute force botnet attack described above, there was actually no WordPress vulnerability being exploited (the same script was also targeting sites built using other web applications like Joomla).
Mike Little, one of the co-founders of WordPress with Matt Mullenweg, made this comment about the brute-force attacks:
It is a “simple” script that attempts to login using the admin login and a generated password. So if your password is too short or based on dictionary words it will be guessed and then the script can login legitimately and do whatever it wants including installing scripts (as plugins) or editing files. The attack tries to guess your password, if it succeeds, the most secure site in the world is wide open because they have your password.
How To Prevent Your WordPress Site From Brute Force Attacks – Ten Security Points
Every blog with a vulnerability provides an opportunity to hackers. No web site is safe from cyber attacks. Business sites, personal blogs, government websites … even websites owned by web security and anti-hacking experts can and have been targeted.
If someone can find a way to break in and remotely take control of your web site, your website or blog can then be employed to attack more valuable sites.
Additional undesirable impacts of being hacked include being blacklisted by Google, having stealthy spam links advertising things like casinos, discounted fashion, etc. in your content and meta data, malicious redirects to phishing sites and other websites, data exfiltration (stealing customer details or Personal Identifiable Information from your web applications), and lots of other nasties.
The truth is that malicious bots are very likely trying to hack into your web site at this very moment. Whether they will achieve this or not, will depend on how difficult you will make things for hackers and botnets to continue persisting until they discover how to get access, or are forced to decide to look for a less secure target.
How Much Information Are You Broadcasting To Hackers About Your Site?
Does your website run on WordPress? If so visit a site like Hackertarget.com and run your website through their WordPress security check …
(WP Security Check Product image source: Hackertarget.com)
You will see that the check returns a number of results and details about your WordPress site …
(website security check results. Screenshot source: Hackertarget.com)
It should be obvious after using the above tool that if you are able to freely access all of this information about your blog, so can hackers.
(Screenshot image: BlogDefender site)
Being able to see which version of WordPress you are using, which plugins and themes you have installed on your site, and which files have been uploaded to certain directories can be useful information to hackers, as this informs them about any exploitable security weaknesses, especially where the owners haven’t updated their files.
If your website runs on WordPress and you are not taking steps to toughen up your site, we can practically guarantee that, at some point in time, someone will attempt to hack your website, because these brute-force attacks are systematically hitting WordPress sites around the world!
Typically, whenever a site is hacked, blog owners can find themselves completely “locked out” of their own site, or notice that their content has been altered or that everything has been entirely wiped out. Typically, most sites will be infected with malicious software or viruses without the owner even being aware that a security breach has occurred.
To avoid the heartache (and significant loss of valuable business data) that comes with discovering that your web site has been hacked into, below are ten simple, yet essential and effective security checks that will help to prevent your WordPress site from being attacked by brute force hackers.
Note: Some of the recommended steps shown below require some technical understanding of how to modify core WordPress or server files. If you are not technical, or don’t want to mess around with file code, then ask your web host or a professional WordPress technical provider for help.
***
Security Measure #1 – Get In Touch With Your Web Host
Get in touch with your host and ask them what measures are in place to protect your site from being attacked, and what is done to ensure that your site files get backed up.
It’s important to check that your web host regularly backs up your sites and that, if anything should happen, you can easily get back your files and data.
Security Measure #2 – Back Up Your WordPress Data And Files And Keep Your Website Frequently Updated
You should never rely just on your web host for your site backups. Instead, learn how to maintain and manage your WordPress site or pay someone to get this done for you and develop a habit of religiously performing a complete site maintenance routine frequently (e.g. weekly, monthly, etc …)
A complete WordPress maintenance routine ensures that:
- All unnecessary data and files are deleted,
- All WP data and files are free of errors, optimized and backed up,
- All WP software, plugins and themes are up-to-date,
- etc …
A complete WordPress site maintenance routine looks like this …
(Maintaining your WP site frequently backed up and up-to-date is vitally important for WordPress security. Screenshot source: WPTrainMe.com)
Again, we cannot stress enough how vitally important it is to maintain your WP website completely backed up and updated. WP site maintenance is not hard or time-consuming, but it must be done to ensure the security of your website or blog. If you don’t want to learn how to do WP site maintenance yourself, pay someone to do it but make sure it gets done. Backing up your site is the next most important thing you must do after making sure that you still have a pulse!
If you don’t want to back up your site manually, there are a number of WordPress plugins you can use. Learn about a WordPress backup plugin that can automate your site backups here: Back Up, Copy And Protect Your WP Site With Backup Creator WordPress Plugin
Security Measure #3 – Do Not Use “Admin” As Your Admin Username
The mass brute force botnet attack on WordPress is mostly attempting to compromise site admin panels by exploiting sites with “admin” as the user name.
For reasons of website security, never install a WordPress site with the username admin. This is the first area hackers will test. If your site’s user name is “admin”, you will need to change this immediately.
We have created a simple step-by-step tutorial created especially for WordPress users that shows you how to change your WordPress username here: How To Change Your Admin User Name In WordPress
Security Measure #4 – Use A Strong Password
A “brute force” attack occurs when a malicious script continually and persistently tries to guess the right combination of password and username characters that will give them access to your website.
Unless you put some measure in place to block the brute force attack (see further below for a couple of simple and effective suggestions for doing this), the “bot” will just persist in attacking your site until it eventually gets access.
Passwords that are easy to guess, therefore, become really easy targets for hacking attacks. Make sure that you change your password combination to a string containing at least eight characters long, with both upper and lowercase letters, combined with “special” characters (^%$#&@*).
Roboform is a password tool you can use to create different hard-to-crack passwords …
(You can use a password management program like Roboform to create unbreakable passwords)
For a detailed step-by-step tutorial on how to change your WordPress password, go here: How To Reset Login Passwords In WordPress
Security Measure #5 – Protect Your wp-config.php File
The wp-config.php file contains important information about your site’s database and is used to define advanced WordPress options.
(wp-config.php)
If hackers break into your site, they will normally look for your wp-config.php file, because this file contains important information about your site’s database, security keys, etc. Getting access to this information would allow a hacker to change anything in your database, create a user account, upload files and take control of your site.
To protect your WordPress site from attacks and even being used as part of a bot net, therefore, prevent people from being able to easily get to your wp-config.php file. This requires knowing how to edit database information, move files around in your server and changing access permissions.
Security Measure #6 – Rename Or Delete Unnecessary WordPress Installation Files
Delete or rename your install.php, upgrade.php and readme.html files.
These files are not required after installation and can be removed. If you don’t want to delete these files, then just rename them.
Security Measure #7 – Keep Your WordPress Files, Plugins And Themes Up-To-Date
Hackers look for vulnerabilities they can exploit in previous versions of WordPress, including outdated versions of WordPress plugins and themes.
Make sure to always keep your files, themes, plugins, etc. up-to-date.
Security Measure #8 – Disable The Theme Editor
WordPress installations come with a built-in editor that allows administrators to edit theme and plugin files inside the dashboard area.
In WordPress, you can access the WordPress Theme Editor by selecting Appearance > Editor from your admin menu …
(Accessing the WordPress theme editor via the dashboard menu)
The WordPress theme editor feature allows anyone accessing your blog to view and modify all of your WordPress theme files, or create havoc on your site.
To prevent unauthorized people from being able to access your WordPress Theme editor, you will need to disable it. This can be done by adding code to your wp-config.php file.
Security Measure #9 – Secure The Site’s Uploads Directory
The “uploads” folder stores all the media files that get uploaded to your website.
Normally, this folder is visible to online users. All a person needs to do to see all of the contents in your site’s “uploads” folder is navigate to your directory using a web browser …
(WordPress uploads folder)
If any files stored in his folder have weaknesses or vulnerabilities that can be exploited by hackers, this could seriously threaten the security of your website.
Protecting your directories will prevent online users from accessing your ‘uploads’ folder and other important directories. This can be done using plugins, setting file permissions, adding a blank index.php file (this is literally a file with nothing in it named “index.php”) to your uploads directory, and so on. Again, it’s best to get professional assistance if you are not sure about what to do.
Security Measure #10 – Security Plugins
There are a number of security plugins for WordPress available that specifically address common security issues WordPress website owners face, such as preventing hackers from gaining access to vital information about your site, protecting your website from malicious exploits, preventing injections of code into files, etc.
Many WordPress plugins address some but not all areas of WordPress security. One WordPress security plugin that does a comprehensive job of scanning, fixing and preventing potential issues that could lead to hackers accessing your website files and causing irreparable damage to your site is SecureScanPro.
(SecureScanPro – WP security software solution)
SecureScanPro is easy to install and easy to use, and does a great job of addressing most of the security issues that WordPress users need to address.
Another plugin you may want to consider using is BlogDefender.
Blog Defender Security Solution For WordPress Blogs
(Blog Defender Security Product Suite For WordPress)
This product is a package of WordPress security video tutorials, plugins and tools, plus a WordPress security PDF/DOC file.
BlogDefender shows you where potential security weaknesses in your website are …
And lets you easily fix these …
If you don’t want to invest in a premium security plugin like SecureScanPro or BlogDefender, then use various free plugins, such as Limit Login Attempts …
WordPress is a very secure web platform, but neglecting simple maintenance tasks like making sure that your WordPress core files, WP plugins and themes are kept updated to their latest versions, tightening file and data security and taking other necessary precautions can have disastrous consequences.
Regardless of the type of business you run or plan to run online and how small you think your web presence is, you cannot ignore the importance of web security.
As a final reminder, below is the advice given by an expert on website security to all WordPress users following the mass brute-force attacks on WordPress in 2013 …
Owners of websites based on WordPress CMS must improve at least basic security settings and implement best practices such as the use of robust passwords and the accurate management of “admin” accounts.
Pierluigi Paganini, Chief Information Security Officer, Security Affairs
***
As you can see, WordPress security is of the utmost importance if you run a WordPress site. Hopefully, this article has shown you what to do to prevent brute-force attacks on your WordPress site. If you need any further help or assistance with WordPress security, please consult a professional WordPress security specialist, or search for a professional WordPress service provider in our WordPress Services Directory.
We also recommend subscribing to WPCompendium.org to be notified whenever we publish new information on WordPress security and tutorials about new security plugins and solutions.
***
"Your training is the best in the world! It is simple, yet detailed, direct, understandable, memorable, and complete." Andrea Adams, FinancialJourney.org
***