In early April 2013, WordPress sites from small personal blogs to high-traffic publications were hit hard by brute force login attacks. Sites saw hundreds, sometimes thousands, of bots from all over the world trying to guess their way in. Your website was probably one of them; if you don't run any security tooling on your WordPress site you may never have noticed, but it happened. Who was behind the attack and why has not been revealed, but it is widely believed the goal was something larger than knocking bloggers offline: a botnet built out of compromised web servers.
While your host was working hard to shield thousands of servers from the login flood, site owners were working hard to protect their sites and their income. If you have not protected your website against brute force attacks, do it now, before your site is compromised and conscripted into the next wave.
What is a Brute Force Attack?
The bots were attempting to log into WordPress sites. Each bot requested the login page (wp-login.php) and submitted a handful of common usernames, above all "admin," paired with hundreds of commonly used passwords such as "p@ssw0rd" and "01234." Swapping symbols for letters buys nothing: "p@ssw0rd" is in every password list the bots carry. Once in, a bot can upload malicious scripts and plant a backdoor into your site. The full effect of the April 2013 attack is not yet known, but the sheer volume of login requests overloaded web-hosting servers and slowed down the sites running on them, and by all accounts it compromised thousands of websites by nothing more sophisticated than guessing usernames and passwords.
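The attack pattern just described, repeated POSTs to wp-login.php from one loud host or spread thinly across many hosts, is visible in an ordinary web-server access log. The following is an added example, not code from the original article or from any WordPress project: a small detector that slides a time window over failed login POSTs and flags both a single IP hammering the form and a distributed attack where no single IP exceeds the per-host threshold. It assumes the Apache/nginx "combined" log format, treats a 302 response to the login POST as a successful login (WordPress redirects into wp-admin on success and re-renders the form with 200 on failure), and the log lines it runs over are constructed for the example. The window and thresholds are assumptions to tune for your traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line; return None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def failed_logins(lines):
    """Yield (ip, timestamp) for every login POST that did not succeed.

    Assumption: a successful wp-login.php POST answers with a 302 redirect
    into wp-admin, while a failed one re-renders the form with 200.
    """
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["method"] == "POST"
                and rec["path"].split("?")[0] == "/wp-login.php"
                and rec["status"] != 302):
            yield rec["ip"], rec["ts"]


def detect(lines, window=timedelta(minutes=5), per_ip=5, total=20):
    """Slide a time window over the failed logins.

    Returns (noisy_ips, distributed): IPs that alone reached `per_ip`
    failures inside one window, and whether the site as a whole saw at
    least `total` failures from at least total // 2 distinct IPs in one
    window, the signature of a botnet spreading its guesses thin.
    """
    attempts = sorted(failed_logins(lines), key=lambda a: a[1])
    recent = deque()              # (ip, ts) pairs inside the current window
    count = defaultdict(int)      # failures per IP inside the current window
    noisy, distributed = set(), False
    for ip, ts in attempts:
        recent.append((ip, ts))
        count[ip] += 1
        while ts - recent[0][1] > window:   # expire entries older than the window
            old_ip, _ = recent.popleft()
            count[old_ip] -= 1
        if count[ip] >= per_ip:
            noisy.add(ip)
        active = sum(1 for c in count.values() if c > 0)
        if len(recent) >= total and active >= total // 2:
            distributed = True
    return sorted(noisy), distributed


# --- constructed sample log for the example, not real traffic ----------------
BASE = datetime(2013, 4, 12, 3, 0, 0, tzinfo=timezone.utc)


def _line(ip, ts, method="POST", path="/wp-login.php", status=200):
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" '
            f'{status} 3562 "-" "Mozilla/5.0"')


def sample_log():
    lines = []
    for i in range(8):            # one loud bot: 8 failures in two minutes
        lines.append(_line("203.0.113.7", BASE + timedelta(seconds=15 * i)))
    for n in range(12):           # distributed: 12 hosts, 2 failures each
        for j in range(2):
            lines.append(_line(f"198.51.100.{n + 1}",
                               BASE + timedelta(seconds=10 * n + 120 * j)))
    lines.append(_line("192.0.2.10", BASE + timedelta(seconds=30)))              # a real user's typo...
    lines.append(_line("192.0.2.10", BASE + timedelta(seconds=45), status=302))  # ...then a successful login
    lines.append(_line("192.0.2.11", BASE, method="GET"))                        # someone just viewing the form
    return lines


if __name__ == "__main__":
    ips, distributed = detect(sample_log())
    print("lock out:", ips, "| distributed attack:", distributed)
```

Run against the sample, the loud bot is reported for lockout while the twelve hosts with two failures each are caught only by the site-wide count; the real user's single typo followed by a 302 is not flagged. If your site sits behind a CDN or reverse proxy, the first field of the log will be the proxy's address, and you need the client address from the forwarded header instead, or every lockout will hit the proxy.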
What to Do First
To protect your website, first change how it is accessed: do not use "admin" as a login name, and do not use a common password. WordPress will not let you rename an existing user, so to get rid of the "admin" login go to your Users page and create a new user with a different name, give that user the Administrator role, and set a password that is long, hard to guess, and mixes letters, numbers, and other characters. Log out and log back in as the new user to make sure it works. Then return to the Users page and delete the old "admin" user; when WordPress asks what to do with that user's content, choose "Attribute all content to" the new user rather than "Delete all content," or the old admin's posts and pages go with it. Keep in mind that a username can often still be discovered (author archive URLs and bylines reveal it), so the strong password is what actually stops the guessing; the new name simply takes you out of the handful of accounts the bots try first, which is where the overwhelming majority of attempts go.
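The checks behind the advice in this step, as an added example and not code from the original page: it rejects the login names and passwords that sit at the top of the bots' lists, undoes the symbol substitutions those lists already account for (so "p@ssw0rd" is judged as "password"), and generates a replacement password from the operating system's CSPRNG. The username and password lists are constructed stand-ins for wordlists that in reality run to millions of entries, and the 16-character minimum and three-character-class rule are assumptions. The user replacement itself is done in the Users screen as described above (WP-CLI's `wp user create` and `wp user delete --reassign` do the same from a terminal).

```python
import secrets
import string

# Constructed stand-ins for the lists the bots carry; real wordlists run to millions.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "letmein",
                    "welcome", "admin", "wordpress", "01234", "abc123"}
COMMON_USERNAMES = {"admin", "administrator", "root", "test", "user", "editor"}

# Substitutions attackers' wordlists already apply: p@ssw0rd is just "password".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def check_username(name):
    """Return a reason the login name is a bad choice, or None if it is fine."""
    if name.lower() in COMMON_USERNAMES:
        return f"{name!r} is one of the first names every bot tries"
    return None


def check_password(pw, min_length=16):
    """Return the list of reasons `pw` is weak; an empty list means acceptable."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw))
    if sum(classes) < 3:
        problems.append("uses fewer than three kinds of character")
    low = pw.lower()
    leet = low.translate(LEET)
    # try the raw form, the de-leeted form, and both with trailing digits removed
    for cand in (low, leet, low.rstrip(string.digits), leet.rstrip(string.digits)):
        if cand in COMMON_PASSWORDS:
            problems.append(f"is a trivial variant of the common password {cand!r}")
            break
    return problems


def generate_password(length=24):
    """Random password from the OS CSPRNG, regenerated until it passes check_password."""
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw):
            return pw


if __name__ == "__main__":
    for name in ("admin", "site_owner_9x"):
        print(name, "->", check_username(name) or "ok")
    for pw in ("p@ssw0rd", "01234", "Tr0ub4dor&3", generate_password()):
        print(repr(pw), "->", check_password(pw) or "ok")
```

The point of the de-leeting step is that the attack described above does not need to be clever: substitutions and a trailing digit are already in the wordlist, so only length and real randomness take a password out of reach of guessing.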
Add More Security with Free WordPress Plugins
There are several free plugins that do an excellent job of protecting WordPress websites from brute force attacks. Here are a few of the most used and recommended:
Wordfence Security – This is a firewall and malware-scanner plugin. You can set it to email you when anyone attempts to sign in, or succeeds in signing in, to your site, and to lock out an IP address after a set number of failed login attempts. Viewing live traffic to your site and placing temporary or permanent blocks on individual IP addresses are also features of this plugin.
Better WP Security – This is one of the most widely used security plugins for WordPress. It scans your site for known weaknesses and then advises you on the fix. Other features include blocking the IP addresses on HackRepair.com's blacklist, automatic database backups sent to your email, and file change detection with alerts.
Anti-Malware by ELI (Get Off Malicious Scripts) – This is one of the best plugins for scanning your site for malware and other malicious code, and when a threat is found it can usually remove it for you. In the free version you must start scans manually, and a full scan takes time. If you run several websites, the paid version, which scans on a set schedule, is well worth the cost and the peace of mind.
These WordPress security plugins can be installed together, which gives you fairly robust protection for free; the paid versions add more features and support. Keep in mind that none of this is a perfect solution and your website may still come under attack, but by taking these simple steps you will at least cut down on the ways an attacker can get in. No plugin makes up for a guessable password: the guessing these bots perform only works when the password is in their list.
Ars Technica: Huge attack on WordPress sites could spawn never-before-seen super botnet