At Atomic, we build many of our clients’ sites using publishing platform WordPress. WordPress is easy to learn, and offers great design and customization options—meaning we can help our clients build great-looking sites, no matter what look they want.
But like any system, WordPress is occasionally vulnerable to intrusions. And attacks on WordPress-hosted sites have exploded in the past couple of months. Most of these hacks are what’s called “brute force” attacks—and they’re exactly what they sound like. A network of infected computers or servers (a “botnet”) attempts username/password combos over and over—at a rate of hundreds of thousands of guesses per second. Sooner or later, the botnets break in. Then, they make themselves right at home.
If you haven’t taken steps to safeguard your site, you could become a hacker’s next victim. Fortunately, there are a few super-easy ways you can protect yourself—no programming knowledge required. Think of these as your alarm system, your attack dog, and your pepper spray.
1. Make sure you’re running the latest version of WordPress.
Easy enough, right? WordPress releases updates regularly, so it’s important to install updates as soon as you’re prompted (a reminder usually pops up when you log in to your Dashboard). Most intrusions are caused by bugs that have already been addressed by a WordPress update, so do yourself a favor and keep your site current.
If you do need to use an older version of WordPress for some reason, make sure the version is hidden from your source code. (Learn how to do that here.)
2. Get rid of the ‘admin’ username.
When bots scan possible username and password groupings, they go first to names people are most likely to choose. WordPress accounts come with a default ‘admin’ username, which hackers assume (rightly) that most people won’t bother to change.
If you’re still using ‘admin,’ it’s an easy fix: create a new user with administrator privileges (using a different email address, since WordPress requires one per account). And stay away from usernames like ‘editor,’ ‘moderator,’ or ‘administrator’—they’re also easy targets. Log in with your new account, delete the old ‘admin,’ and, when WordPress asks what to do with its content, assign all of the old account’s posts to the new user. Piece o’ cake.
3. Use a strong password.
You’d think we’d have learned our lessons by now. But accounts get compromised all the time because of passwords like “1234” and, well, “password.” It doesn’t take a powerful botnet to crack that code. Try for a password that’s moderately long (12 characters or more is ideal) and contains some combination of upper- and lowercase letters, numbers, and symbols. Another good rule of thumb is to avoid using your name, your company’s name, or common dictionary words—the zanier and more unheard-of, the harder it’ll be for bots to crack.
Not sure if your password is totally ironclad? Try out this handy password security testing tool, which estimates how long it would take a desktop PC to guess your password. (“atomic1” gets cracked in 19 seconds. “AtomicIzAwe5ome,” on the other hand, takes around 6 billion years.)
There are many other measures you can take to protect your site, like security plugins, restricted permissions, and secure login pages. (And if that all sounds like gibberish, we can help.) But following these simple steps should keep you safe from the majority of WordPress attacks—plus, they’re good habits to form for all of your online activities.
We can’t hope to prevent every intrusion or thwart every attack. But if we can throw at least a few roadblocks in hackers’ path, we’ll do our best to stay one step ahead.
Got questions about your WordPress site’s security? Contact Atomic, and we’ll make sure you’re safe and sound.