Increasing Your WordPress Security Against Forced Attacks

In recent days the WordPress community has been hit by a continuous wave of brute-force login attacks. Many bloggers have lost access to their blogs, or have found them unreachable, as a result of these targeted attacks, which involve thousands of machines. Some technology sites have reported on the situation; in the meantime many WordPress bloggers have been alarmed and have hurried to look for solutions. Our colleagues at iThemes have also discussed the issue, explaining the current situation, how the attacks are being carried out, and what can be done about them.

In general, these attacks target WordPress installations whose administrator account still uses the username “admin”, the default that WordPress used for years and that almost every blog ended up with (current versions let you choose another username at install time). There are several ways to address the problem, including installing certain plugins, changing the username and using stronger passwords. Here are some of the things you can do to protect your WordPress site against this attack, and against future attacks of the same kind.


1. Login Lockdown

The Login Lockdown plugin is one of the simplest ways to raise the security of a WordPress blog considerably. It limits the number of failed login attempts from a single IP address; once that limit is reached, the address is banned or temporarily blocked and can no longer reach the login page. Note that the plugin cannot tell bots from people: if you mistype your own password several times in a row, your own IP address will be blocked and you will be unable to log in until the block expires or is removed.
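To make the mechanism concrete, here is an added example (not code from the Login Lockdown plugin or from this article) that implements the same idea in plain Python: count failed logins per IP address inside a sliding window, block the address for a fixed period once the limit is reached, and clear the counter on a successful login. The thresholds (5 failures in 10 minutes, 30-minute block), the log format and the log lines themselves are assumptions constructed for the example; the legitimate-user lines show why the text warns that you can lock yourself out.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy values are assumptions for this example, not the plugin's defaults.
MAX_FAILURES = 5                 # failed attempts allowed per address ...
WINDOW = timedelta(minutes=10)   # ... within this sliding window
LOCKOUT = timedelta(minutes=30)  # how long a blocked address stays blocked


class LoginLockdown:
    """Per-IP failed-login counter with a temporary lockout."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time at which the block expires

    def is_locked(self, ip, now):
        """True while a block on `ip` is in force; expired blocks are cleared."""
        expires = self.locked_until.get(ip)
        if expires is None:
            return False
        if now >= expires:
            del self.locked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def attempt(self, ip, success, now):
        """Record one login attempt and return 'block' or 'allow'."""
        if self.is_locked(ip, now):
            return "block"
        if success:
            # A successful login resets the counter for that address.
            self.failures.pop(ip, None)
            return "allow"
        recent = self.failures[ip]
        recent.append(now)
        # Drop failures that fell out of the sliding window.
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            return "block"
        return "allow"


# Constructed sample log (not real traffic): "<timestamp> <ip> <username> <OK|FAIL>".
# 203.0.113.7 hammers the "admin" account; 198.51.100.4 is a real user who
# mistypes twice and then logs in; the last line is the bot returning after
# its 30-minute block has expired.
SAMPLE_LOG = """\
2013-04-15T10:00:01 203.0.113.7 admin FAIL
2013-04-15T10:00:02 203.0.113.7 admin FAIL
2013-04-15T10:00:03 203.0.113.7 admin FAIL
2013-04-15T10:00:04 203.0.113.7 admin FAIL
2013-04-15T10:00:05 203.0.113.7 admin FAIL
2013-04-15T10:00:06 203.0.113.7 admin FAIL
2013-04-15T10:01:00 198.51.100.4 editor FAIL
2013-04-15T10:01:10 198.51.100.4 editor FAIL
2013-04-15T10:01:20 198.51.100.4 editor OK
2013-04-15T10:40:00 203.0.113.7 admin FAIL
"""


def replay(log_text, lockdown=None):
    """Feed each log line through the lockdown; return the decision per line."""
    if lockdown is None:
        lockdown = LoginLockdown()
    decisions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, ip, _user, result = line.split()
        now = datetime.fromisoformat(stamp)
        decisions.append(lockdown.attempt(ip, result == "OK", now))
    return decisions


if __name__ == "__main__":
    for line, decision in zip(SAMPLE_LOG.splitlines(), replay(SAMPLE_LOG)):
        print(f"{decision:5}  {line}")
```

Running the script shows the bot's fifth and sixth attempts blocked, the editor's two mistakes tolerated because the successful login clears the counter, and the bot allowed one more attempt at 10:40 because the block has lapsed; a real plugin would also keep an allowlist for the administrator's own addresses to avoid the self-lockout described above.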

2. Change the WordPress Username

As noted earlier, this attack targets blogs that still use the default “admin” username, so it is strongly recommended that you change it. Renaming the account can be done in several ways, including editing the users table directly in the database, but the simplest is to create a new user with administrator privileges and move all content from the old user to the new one. Here are the steps:

  • Create a new user with the “Administrator” role. It must have a different email address from the one registered to your current user, since each WordPress user needs a unique email address.
  • Log out.
  • Sign in with the new user.
  • Delete the user “Admin” you used previously.
  • When WordPress asks what to do with the posts and links belonging to “admin”, select “Attribute all posts and links to”, choose the new administrator user created in the first step, and click “Confirm Deletion”.
  • Once the old user has been removed, you can change the new user’s email address back to the one the deleted user had.

3. Use A Stronger Password

Another important measure is a stronger password. Most inexperienced users choose passwords that are trivially easy to guess, and the bots attacking WordPress installations rely on exactly that, so never use passwords such as the following:

  • admin
  • admin123
  • 123456
  • 123123
  • 123456789
  • password
  • 1234
  • 1234567
  • 12345
  • pass
  • abc123
  • 12345678
  • 1111
  • teste
  • dragon
  • demo
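As an added example (not code from the article), the following Python check rejects the passwords listed above and generalises the list slightly: it also catches a listed password with digits or symbols appended (“admin2013!”), passwords that are too short, passwords drawn from fewer than three character classes, passwords that contain the username, and passwords made of one or two repeated characters. The 12-character minimum and the three-class rule are assumptions chosen for the example, not a WordPress requirement.

```python
import re

# The passwords the article lists as the ones bots try first. A real
# deployment would use a far larger breached-password list; this small set
# is enough to demonstrate the check.
COMMON_PASSWORDS = {
    "admin", "admin123", "123456", "123123", "123456789", "password", "1234",
    "1234567", "12345", "pass", "abc123", "12345678", "1111", "teste",
    "dragon", "demo",
}
MIN_LENGTH = 12  # assumption for this example


def _base_word(password):
    """Strip trailing digits/symbols so 'admin2013!' is compared as 'admin'."""
    return re.sub(r"[\d\W_]+$", "", password.lower())


def password_problems(password, username=None):
    """Return the reasons a password is weak; an empty list means acceptable."""
    problems = []
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS or _base_word(password) in COMMON_PASSWORDS:
        problems.append("common password (or a common password with digits appended)")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Count how many of lower, upper, digit and symbol classes are present.
    classes = sum(
        bool(re.search(pattern, password))
        for pattern in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    )
    if classes < 3:
        problems.append("uses fewer than three character classes")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    if len(set(lowered)) <= 2:
        problems.append("made of one or two repeated characters")
    return problems


def is_acceptable(password, username=None):
    return not password_problems(password, username)


if __name__ == "__main__":
    for candidate in ("admin123", "admin2013!", "1111", "Correct-Horse-Battery-7Staple"):
        print(candidate, "->", password_problems(candidate, username="admin") or "ok")
```

The base-word check matters because the common bot wordlists are built from exactly these short words with a year or a few digits tacked on; a check that only compares the whole string would pass “admin2013”.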

Most bots try passwords of this kind, paired with the “admin” username. There are several online services that store all the passwords you use for websites, including your blogs, behind a single master password. This lets you use a strong, unique password on every service, since the only secret you actually need to remember is the master password for the password manager itself. Here are some of the services recommended by leading security and technology sites:

4. Prepare Your Backups

Another important point is backing up your blog. Make backups regularly and, given the recent attacks, start backing up all your blogs now rather than later. We have already explained how to back up WordPress to Google Drive and to Dropbox, and we have covered VaultPress, the professional backup service created by Automattic. We also recommend our article on recommended WordPress security plugins, which lists some extensions that improve the security of your blog.

Also worth considering is a service such as Cloudflare, which serves your blog’s content from several servers in Europe and the Americas, making the blog faster and at the same time less exposed to this kind of attack, since login traffic passes through Cloudflare before it reaches your server. Cloudflare offers a WordPress plugin, handles brute-force login attempts on its own network, and has published an article on how to deal with the current wave of attacks against WordPress blogs.