Recent WordPress Hack Attempts and How to Stay Safe

netmediablog.com http://netmediablog.com/recent-wordpress-hack-attempts-and-how-to-stay-safe
Nwosu Mavtrevor

Recent WordPress hack attempts spreading all over the internet these days call for serious concern. Recently there have been reports of brute force botnet attacks on WordPress; users with the “admin” and “wordpress” usernames are the most targeted. Every day I receive reports of failed login attempts on Netmediablog.

So many of my fellow bloggers have complained of their blogs being hacked, and others have also complained of WordPress hack attempts on their blogs recently. Blogs vulnerable to the recent WordPress brute force botnet attacks are those with admin or wordpress as the default login username. Getting hacked will result in loss of income, downtime, disappointed visitors, etc. Restoring and fixing the damage done can only be easy if you have a regular backup of your entire blog. Read my article titled “Top 5 Cloud Backup Plugins for WordPress” and learn how to back up your entire WordPress site to the cloud.

Prevent WordPress Hack

You may not know how many times your site has faced hacking attempts because you may not have seen anything unusual; you’d be surprised when you find out. Now let’s see how we can be safe from the recent WordPress hack attempts.

Change your administrator username: If you are still using “admin” or “wordpress” as your administrator username, change it now. The recent WordPress brute force attacks are targeted at blogs with such usernames. Most hacking attempts are auto-generated, and knowing that most users who install their WordPress from Fantastico use usernames such as admin, wordpress and test, it is easy to target such usernames. Change such usernames to something more complex and difficult to guess; add some numbers and special characters and make it at least 10 characters long.
There are two ways to change your WordPress username. First, you can create a new user on your dashboard with administrator privileges, delete the old user (admin) and attribute all its posts to the new user you created. Remember to use something complex that only you can remember as the new username. Secondly, you can read Babanature’s blog post titled “Changing your WordPress Username/login Name”.
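The brute force botnet activity described above leaves a trace in the web server's access log: one client address POSTing to wp-login.php again and again. The Python script below is an added illustration of how to spot that pattern from the defender's side; it is not code from this post, from WordPress, or from any plugin. It parses Apache combined-format log lines, counts failed login POSTs per client IP inside a sliding time window, and reports addresses that exceed a threshold. The log lines, IP addresses and timestamps are constructed sample data.

```python
# Added example (not the post's or any plugin's code): flag client IPs that
# repeatedly POST to wp-login.php, the pattern behind the brute force attacks
# the post describes.  All log lines below are constructed samples.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return a dict with ip, timestamp, method, path and status, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def find_bruteforcers(lines, max_attempts=5, window=timedelta(minutes=10)):
    """Map each offending IP to its peak number of failed wp-login.php POSTs
    inside any sliding `window`.  WordPress answers a failed login by
    re-rendering the form (HTTP 200) and a successful one with a redirect
    (HTTP 302), so only 200 responses count as failures."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                # skip malformed lines instead of crashing
        if rec["method"] != "POST" or not rec["path"].startswith("/wp-login.php"):
            continue
        if rec["status"] != 200:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) > max_attempts:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged

def _line(ip, hhmmss, method, status):
    """Build one constructed combined-format log line."""
    return ('%s - - [15/Apr/2013:%s +0000] "%s /wp-login.php HTTP/1.1" %d 1234 '
            '"-" "Mozilla/5.0"' % (ip, hhmmss, method, status))

# Constructed sample log: one bot firing 7 failed logins in seconds, one
# legitimate user logging in, one IP whose 7 failures are spread over 18
# minutes (never more than 4 inside a 10-minute window), and a junk line.
SAMPLE_LOG = (
    [_line("203.0.113.10", "10:00:%02d" % s, "POST", 200) for s in range(1, 8)]
    + [_line("192.0.2.5", "10:01:00", "GET", 200),
       _line("192.0.2.5", "10:01:05", "POST", 302)]
    + [_line("198.51.100.7", "10:02:%02d" % s, "POST", 200) for s in (0, 10, 20, 30)]
    + [_line("198.51.100.7", "10:20:%02d" % s, "POST", 200) for s in (0, 5, 10)]
    + ["this line is not in combined log format"]
)

if __name__ == "__main__":
    for ip, n in find_bruteforcers(SAMPLE_LOG).items():
        print("%s: %d failed logins inside one window" % (ip, n))
```

The sliding window is the point worth noticing: the second address also fails seven times in total, but never more than four times within ten minutes, so it is not reported, which is how a lockout plugin avoids punishing a forgetful user while still catching a bot. If your site sits behind a reverse proxy or CDN, the first column of the log holds the proxy's address, so count on the forwarded client address instead.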
Install the Login Limiter WordPress Plugin: The Login Limiter WordPress plugin is indeed an awesome plugin; it helps you lock out IP addresses that are attempting unauthorized logins to your site. With this plugin you can limit the number of login retries on your site, limit the number of attempts to log in using auth cookies in the same way, get reports of such failed login attempts and their source IP addresses, log all login attempts, and handle a server behind a reverse proxy. The Limit Login Attempts plugin is free to download.

Must read: Necessary WordPress Security Plugins every blog should have.

Change the WordPress database table prefix: Do not install the WordPress database with the default wp_ table prefix. Instead of “wp” use something else, for example ABC, TTT, XOXO, etc.; use something complex that won’t be easy to guess.

Always update your WordPress: Of course every update fixes bugs, and hackers can exploit bugs to hack your site. Always ensure you have the latest WordPress version installed; that way you will always have the best security measures in place.

Use strong passwords: You just have to read my earlier blog post titled “Tips to creating strong passwords”. A strong password, even against an automatic program that guesses at blazing speed, still needs lifetimes to crack.

Protect the wp-config file: Sometimes protecting your WordPress site is not totally your responsibility; your host should also play its part. If you are on shared hosting then you may be facing a greater danger. WordPress sites on shared hosting can get hacked by a method called symlinking.
A symlink is a virtual link pointing to a file in a directory. In a shared hosting environment hard disks are divided into several parts for different accounts; if proper security measures are not in place, a shared hosting account can be taken over by another shared hosting account on the same server by launching a symlink attack. What the symlink attack does is get the full source code of your wp-config file to reveal your site details. The wp-config file contains all the SQL database connectivity details, which means your database username and password are in it. So the best way is to protect this file. Log in to your cPanel and edit your .htaccess file with the following code:

# protect wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>

Add it anywhere in the file. Remember to back up your .htaccess before editing it. Now you can go to your
browser and check http://domain.com/wp-config.php (replace domain.com with your website address); it will show a 404 error page.

Allow access to the wp-admin folder from your computer alone: You can simply edit your .htaccess file to allow only certain IP addresses to access your admin folder. You can use the code below:

order deny,allow
deny from all
allow from paste.your.ip.here

Just add the code above to your .htaccess and you are done. No other IP address will be able to log in to your site. Note that you can always change the IP through SSH.

Note: I may not totally advise this, especially if you may need to use another network or computer to access your blog somewhere someday.

Conclusion:

Even if you ensure all the security measures discussed here, there is no way you can assume 100% security for WordPress. Most security measures can only amount to 80% – 90%, and the rest may not depend on you. Most WordPress hack attempts are automated, as I said earlier, and if you can ensure your WordPress security to even 80%, they may leave you and decide to turn to easier targets, unless they have a good reason to get in.

WordPress developers are also working round the clock to close up any exploit they can find, and most hacking attempts are done with old exploits which may not be effective against your WordPress, especially if it is updated and you have ensured the security measures discussed above.

So all I can advise you is to do your part and, most importantly, always BACKUP your WordPress site so that even if you get hacked, you can always recover everything. I hope you find this post interesting; let me hear your views and contributions about the recent WordPress hack attempts and how to stay safe. Remember to subscribe to my RSS feed.
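The two .htaccess blocks above (the one that shields wp-config.php and the one that restricts the wp-admin folder to a single address) rely on Apache's Order/Deny/Allow evaluation, and the difference between "order allow,deny" and "order deny,allow" is exactly what makes one block refuse everybody and the other admit one address. The Python script below is an added illustration of that evaluation, written for this page; it is not Apache's code and not code from the post. It parses the directive lines, applies the two Order rules, and reports whether a given client address would get through. The client addresses and the office IP standing in for "paste.your.ip.here" are constructed.

```python
# Added example (not code from the post or from Apache): a small evaluator for
# the Apache 2.2-style Order/Deny/Allow blocks shown in the post, so the two
# snippets can be checked against a client address before they are deployed.
import ipaddress

def _matches(source, ip):
    """True if a Deny/Allow source ('all', one IP, or a CIDR block) covers ip."""
    if source.lower() == "all":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(source, strict=False)

def parse_rules(htaccess):
    """Extract (order, allow_sources, deny_sources) from .htaccess text.
    Comment lines and <Files>/</Files> container lines are skipped."""
    order, allows, denies = "deny,allow", [], []   # Apache's default order
    for raw in htaccess.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        directive, _, arg = line.partition(" ")
        directive = directive.lower()
        if directive == "order":
            order = arg.replace(" ", "").lower()
        elif directive in ("allow", "deny"):
            words = arg.split()
            # "allow from a b" lists several sources after the keyword "from"
            sources = words[1:] if words and words[0].lower() == "from" else words
            (allows if directive == "allow" else denies).extend(sources)
    return order, allows, denies

def is_allowed(htaccess, ip):
    """Apply Apache's Order semantics:
    allow,deny -> Allow rules first, then Deny; the request must match an
                  Allow and no Deny (default: refused).
    deny,allow -> Deny rules first, then Allow; a Deny is overridden by a
                  matching Allow (default: admitted)."""
    order, allows, denies = parse_rules(htaccess)
    allowed = any(_matches(s, ip) for s in allows)
    denied = any(_matches(s, ip) for s in denies)
    if order == "allow,deny":
        return allowed and not denied
    if order == "deny,allow":
        return allowed or not denied
    raise ValueError("unsupported Order value: %r" % order)

# The two blocks from the post, with a constructed office address standing in
# for "paste.your.ip.here".
WP_CONFIG_BLOCK = """# protect wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>
"""
WP_ADMIN_BLOCK = """order deny,allow
deny from all
allow from 203.0.113.10
"""

if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.7"):
        print(ip, "wp-config.php:", is_allowed(WP_CONFIG_BLOCK, ip),
              "wp-admin:", is_allowed(WP_ADMIN_BLOCK, ip))
```

Two practical caveats follow from running this. First, the wp-admin block admits only the listed address, so the moment your connection gets a new address (a different network, a laptop on the road) the evaluator returns False for you too; an "allow from" with a CIDR block such as 203.0.113.0/24 is the usual compromise when your provider hands out addresses from a known range. Second, these directives are the Apache 2.2 syntax; on Apache 2.4 they only work with mod_access_compat loaded, and a request refused by them is answered with 403 Forbidden by default, so a 404 only appears where the host remaps error pages. Restricting the whole wp-admin folder also blocks wp-admin/admin-ajax.php, which some themes and plugins call from the public site, so test the front end after adding the rule.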