You Need To Secure Your WordPress Site… NOW
There’s a botnet on the loose now that is attempting brute-force login attempts on WordPress sites around the world. Here are the steps you need to take to secure your WordPress site.
Note: these are just a few basic security measures against brute-force login attempts, they’re not guaranteed to keep determined hackers out of your site.
1. Get rid of “admin” as your user name.
- Go to Users/Add New
- Create a new user profile with something other than “admin” or your domain name with a role as Administrator
- Add a STRONG password (more on that in a bit)
- Log out
- Log back in using the new user info
- Delete the ‘admin’ user (check the box next to the user profile, click the arrow next to Bulk Actions and select Delete. You can select the “Attribute all posts and links to” option and move all posts from ‘admin’ to the new profile)
2. Use strong passwords – instead of playing a lot of memory games, what we use is LastPass as our password manager. It’s free for all your desktops and a minimal fee for mobile devices – I’ve posted about this before…
Home Office Small Business Security Checklist
This way all you need to do is remember one strong password to access all the others.
3. Limit login attempts. On all of our (and our clients’) sites I use a WordPress plugin called WordFence, which like most plugins these days has both a semi-limited free version and a premium version. Just adjust the settings for login attempts – I recommend 3 tries and they’re out. Another option that I came across that will just limit brute-force attacks is called Limit Login Attempts. Install it and activate it.
As I said, this is not a guarantee against all types of hacking, but it will sure slow down any brute-force attacks on your WordPress site.