There’s been an increase in attacks on WordPress installations recently (reports indicate that on HostGator alone 90,000 sites are compromised). This is no joke.
If you work with WordPress (especially for your business), you need to take this recent wave of attacks seriously.
Fortunately, there are some very easy things you can do to help harden your WordPress security. I’ve listed them in order from quickest to most involved:
1) Use a SECURE password for the admin user. Something that is a random string of characters with at least 3 or 4 digits and a symbol or two.
uq7M9)gQncD.jM3PiRU is a secure password.
mycatrocks1 is NOT a secure password.
2) Make sure that the admin password isn’t a password used on another site. I know it’s impossible to remember these different passwords (especially when they’re random characters), but there are tools that help you. 1Password is software for your browser(s) that remembers your username/password logins for you. When you’re prompted to login to a website, you press a keyboard shortcut and 1Password fills in the username & password for you automatically.
You can also create secure passwords (like the one above) using 1Password.
3) Use the Limit Login Attempts plug-in. This WordPress plug-in will disable the admin login page if you enter your password incorrectly too many times.
4) Use something other than ‘admin’ for the administrator username. If your admin username is ‘admin’, create another admin user (preferably using something random as the username (like ‘hq7TMXAhDnCXHHUhw’). Then delete the old ‘admin’ account in the ‘Users’ panel (be sure to assign all posts & links to another (non-admin) user). The idea here is that your admin username is some random string. And that admin account is only used for admin functions, not for publishing content.
5) Use a non-admin account for publishing posts & pages. Never publish any posts as the ‘admin’ user.
6) Enable Two-Step authentication using Duo Security’s plugin. This plugin adds a second level of security by either sending a text, voice call or asking you for a code from their authentication app before letting you login. It’s free for up to 10 WP users per site. If you have more than 10 people modifying your blog, it’s only $3/user/month.
Check out their demo video.
7) Enable mod_security in your Apache config to limit failed login attempts to your wp-login.php page.
Taking a few minutes now to secure your WordPress install will save you hours of pain later (so you can spend more time with your cats).