WordPress installations worldwide are currently under a brute force attack. The attackers are working through the most common username and password combinations against the login page, which is why sites that still use the default admin username are the easiest targets.
Is your WordPress Secure?
If your administrator account is still called admin, your WordPress sites are very much at risk: the attacker already knows half of the login, and only the password stands between them and your dashboard.
As a precaution, every WordPress user should change to a long, unique password that mixes upper and lower-case letters, numbers and other characters. Never reuse a password from another site, because a password leaked elsewhere is exactly what these common-combination lists are built from.
What do you need to do now?
First, change your password. Do it now while you're reading; I'll still be here when you get back.
Then change your admin username to something other than admin. WordPress will not let you rename a user from the profile screen (it tells you "Usernames cannot be changed"), so the steps below create a replacement administrator and retire the old account:
- Back up your database first. Here's a list of free backup plugins you can use, but restoring from a free backup isn't always straightforward, so I recommend Backup Creator as a very easy and cost-effective alternative.
- Log in, create a new user and give it administrator rights
- Log out then log back in with the new username
- Delete the old admin user, choosing the option to attribute all its content to the new user (the other option deletes every post and page the old account owned along with it).
- Update the new user's profile with a nickname, the correct email address and any other info you want in there, and set "Display name publicly as" to the nickname so your new login name is not printed on every post.
What else can you do to secure your WordPress site?
One of the many suggestions circulating at the moment is to use a plugin called Login Lockdown. While this is a good plugin to have on your site, it is not likely to help in this circumstance.
Why?
The attacks on WordPress are coming from an estimated 100,000 unique IP addresses. Login Lockdown works by counting failed logins from the same IP range and locking that range out for a while once it trips a threshold. A botnet that size can spread its guesses so thinly that no single address ever makes enough attempts to be locked, while the site as a whole still absorbs thousands of guesses. The plugin is still worth having against a lone attacker hammering from one address, but it is no answer to this one.
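To see the arithmetic for yourself, here is an added example in Python (my own illustration, not code from this post or from the Login Lockdown plugin). It parses web-server access log lines for POSTs to wp-login.php, replays a per-IP lockout rule against them, and then applies a site-wide rule that ignores the source address entirely. The log lines are constructed, not real traffic, and the lockout threshold of three attempts in five minutes and the site-wide limits are assumed values, not the plugin's settings.

```python
# Added example: why a per-IP lockout cannot stop a distributed brute force.
# Not from the original post or the Login Lockdown plugin; log lines constructed,
# thresholds assumed.
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined-format access log line: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def login_posts(lines):
    """Keep only POSTs to wp-login.php, the request a password-guessing bot sends."""
    out = []
    for line in lines:
        r = parse_line(line)
        if r and r["method"] == "POST" and r["path"].split("?")[0] == "/wp-login.php":
            out.append(r)
    return sorted(out, key=lambda r: r["ts"])


def per_ip_lockouts(attempts, threshold, window):
    """Replay a per-address lockout rule: an IP is locked once it has made
    `threshold` login POSTs inside `window`. Returns the set of locked IPs."""
    recent = defaultdict(list)
    locked = set()
    for a in attempts:
        hist = recent[a["ip"]]
        hist.append(a["ts"])
        hist[:] = [t for t in hist if t > a["ts"] - window]   # drop expired attempts
        if len(hist) >= threshold:
            locked.add(a["ip"])
    return locked


def sitewide_alerts(attempts, window, max_attempts, max_ips):
    """A rule that ignores the source address: alert whenever the login POSTs in
    any sliding `window` exceed `max_attempts` in total or come from more than
    `max_ips` distinct addresses. Returns a list of (time, posts, distinct_ips)."""
    alerts = []
    start = 0
    for end, a in enumerate(attempts):
        while attempts[start]["ts"] <= a["ts"] - window:
            start += 1
        span = attempts[start:end + 1]
        ips = {r["ip"] for r in span}
        if len(span) > max_attempts or len(ips) > max_ips:
            alerts.append((a["ts"], len(span), len(ips)))
    return alerts


def constructed_log():
    """Constructed sample, not real traffic: one genuine editor logging in, then a
    300-host botnet that gives each host two guesses 30 s apart over ten minutes."""
    t0 = datetime(2013, 4, 12, 10, 0, 0, tzinfo=timezone.utc)
    stamp = lambda t: t.strftime("%d/%b/%Y:%H:%M:%S %z")
    lines = [
        f'192.0.2.10 - - [{stamp(t0)}] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
        f'192.0.2.10 - - [{stamp(t0 + timedelta(seconds=1))}] "GET /wp-admin/ HTTP/1.1" 200 9811 "-" "Mozilla/5.0"',
    ]
    for i in range(300):
        ip = f"203.0.113.{i + 1}" if i < 254 else f"198.51.100.{i - 253}"
        first = t0 + timedelta(seconds=2 * i)
        for k in range(2):
            t = first + timedelta(seconds=30 * k)
            lines.append(f'{ip} - - [{stamp(t)}] "POST /wp-login.php HTTP/1.1" 200 3541 "-" "Mozilla/5.0"')
    return lines


def summarize(lines, threshold=3, window=timedelta(minutes=5), max_attempts=50, max_ips=20):
    """Run both rules over the same log and return the headline numbers."""
    attempts = login_posts(lines)
    locked = per_ip_lockouts(attempts, threshold, window)
    alerts = sitewide_alerts(attempts, window, max_attempts, max_ips)
    return {
        "login_posts": len(attempts),
        "distinct_ips": len({a["ip"] for a in attempts}),
        "locked_by_per_ip_rule": len(locked),
        "sitewide_alerts": len(alerts),
        "max_ips_in_one_window": max((n for _, _, n in alerts), default=0),
    }


if __name__ == "__main__":
    for key, value in summarize(constructed_log()).items():
        print(f"{key}: {value}")
```

On the constructed log the per-IP rule locks nobody, because every bot stays under three attempts, while the site-wide rule fires as soon as the number of distinct addresses hitting wp-login.php in five minutes passes twenty. That second kind of rule is what a host or a front-end proxy can apply; an IP-centred plugin on the site itself cannot.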
One of the recommendations I give in my guide How To Manually Install WordPress and Build a Secure WordPress Blog (on Kindle at Amazon.co.uk and Amazon.com) is to use Cloudflare.
Amongst other things, Cloudflare sits in front of your site as a reverse proxy and can filter common attacks before they ever reach your server. There are free and paid options.
Over on their blog, Cloudflare reported that they have rolled out protection against this spate of attacks and are including it for free accounts too. It’s well worth popping over and signing up.
What can you do if your WordPress site has already been compromised?
- Log into your WordPress dashboard and check your current users, filtering by the Administrator role. Delete any you did not create, and check that the accounts you keep still have the email addresses you expect, since a changed email is how an attacker keeps a way back in through password reset.
- Change all your passwords, for at least all admin users, and for the database and hosting control panel too if the attacker could have read wp-config.php.
- Replace the authentication keys and salts in wp-config.php (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and their four matching salts) with fresh random values, for example from https://api.wordpress.org/secret-key/1.1/salt/. WordPress signs its login cookies with these, so changing them logs every session out, including any the attacker still holds.
- It is also advised that you restore a known clean copy of WordPress: re-upload the core files, themes and plugins from fresh downloads or a backup taken before the compromise, because an attacker who had admin access may have left a backdoor in a theme or plugin file that new passwords and keys will not remove.
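Rotating the keys by hand is fiddly, so here is an added example script (mine, not from this post or from WordPress) that does the wp-config.php part of the clean-up: it reports keys that are missing, still the sample placeholder, or too short, then replaces all eight with fresh 64-character values generated locally from the operating system's CSPRNG via Python's secrets module. The sample config is constructed, and the script assumes the standard single-quoted define('NAME', 'value'); layout from wp-config-sample.php.

```python
# Added example: audit and rotate the WordPress authentication keys and salts in
# wp-config.php. Not from the post or from WordPress; SAMPLE_CONFIG is constructed.
import re
import secrets
import string
import sys

KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
PLACEHOLDER = "put your unique phrase here"   # value shipped in wp-config-sample.php
MARKER = "/* That's all, stop editing!"        # comment that closes the editable section

# Printable ASCII minus the quote and backslash, so a value drops straight into a
# single-quoted PHP string without escaping.
ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits + string.punctuation if c not in "'\\"
)

# Matches the single-quoted define('NAME', 'value'); lines used by wp-config-sample.php
# (assumption: a config rewritten with double quotes is left alone).
DEFINE_RE = re.compile(
    r"^(?P<head>\s*define\(\s*'(?P<name>" + "|".join(KEY_NAMES) + r")'\s*,\s*')"
    r"(?P<value>[^']*)"
    r"(?P<tail>'\s*\)\s*;.*)$",
    re.MULTILINE,
)


def new_secret(length=64):
    """Fresh random key from the OS CSPRNG; 64 characters matches the WordPress generator."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def extract_keys(config_text):
    """Map each key name found in the config to its current value."""
    return {m["name"]: m["value"] for m in DEFINE_RE.finditer(config_text)}


def weak_keys(config_text):
    """Key names that are missing, still the sample placeholder, or shorter than 32 chars."""
    present = extract_keys(config_text)
    return [n for n in KEY_NAMES
            if n not in present or present[n] == PLACEHOLDER or len(present[n]) < 32]


def rotate_keys(config_text):
    """Return (new_config, names_rotated). Every define found gets a new value, and any
    of the eight that is absent is added so all of them are set explicitly in the file."""
    rotated = []

    def replace(m):
        rotated.append(m["name"])
        return m["head"] + new_secret() + m["tail"]

    text = DEFINE_RE.sub(replace, config_text)
    missing = [n for n in KEY_NAMES if n not in rotated]
    if missing:
        block = "".join(f"define('{n}', '{new_secret()}');\n" for n in missing)
        idx = text.find(MARKER)
        if idx == -1:
            text = text.rstrip("\n") + "\n" + block
        else:
            text = text[:idx] + block + text[idx:]
    return text, rotated + missing


# Constructed sample: seven placeholder keys, NONCE_SALT missing, unrelated defines kept.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_PASSWORD', 'hunter2');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
$table_prefix = 'wp_';
/* That's all, stop editing! Happy blogging. */
require_once(ABSPATH . 'wp-settings.php');
"""

if __name__ == "__main__":
    # Usage: python rotate_salts.py /path/to/wp-config.php  (rewrites in place; back it up first)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
        print("weak before:", weak_keys(text))
        text, names = rotate_keys(text)
        with open(sys.argv[1], "w", encoding="utf-8") as fh:
            fh.write(text)
        print("rotated:", names)
    else:
        print("weak before:", weak_keys(SAMPLE_CONFIG))
        text, names = rotate_keys(SAMPLE_CONFIG)
        print("weak after:", weak_keys(text))
        print(text)
```

Run it with no arguments to see the constructed sample before and after; give it the path to a real wp-config.php to rewrite that file. Expect to be logged out of every site on that install immediately afterwards, which is the point.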
Over to you…
Have you changed your password for your WordPress site?
Image courtesy of chanpipat / FreeDigitalPhotos.net
Is Your WordPress Secure From Attack? by Jan Kearney
Denys Kelley says
Yes I did! After we had to wait a bit to get back into it! whew!
Great post Jan! Lots of great information.
Jan Kearney says
You’re on the ball, Denys!
Joy Healey says
I lost several sites a couple of years ago – dreadful experience.
That was when I discovered that my hosting company didn’t make backups on a regular basis ……
I eventually got most of my content and sites back, but changed my username and password very quickly after that.
Jan Kearney says
I learnt the hard way as well Joy – a painful experience and one I hope I never repeat! Glad you got most of your stuff back in the end. Thanks for popping in 🙂
Carlaa says
This post is VERY timely. Only yesterday my hosting company sent out an email regarding some recent Brute Force attacks. I have used all the plugins suggested so I know they are great but I’ve neglected to set up a secondary email address associated with my blog, just in case. A plugin that is great for renaming your username is called Admin Renamer Extended. Might be useful if you don’t want to set up a secondary account and just want to change your username and password.
Jan Kearney says
Hi Carlaa – yes, WordPress and other PHP-based sites like Joomla are being hammered at the moment. Thanks for the admin plugin suggestion – it's a great plugin!
Katie S says
Thanks for the tips, Jan. Is finding users you didn’t add yourself the only way to know if your blog has been compromised?
Jan Kearney says
From what I have read around the web, with this attack additional users may be added to your dashboard.
In general, sites are often compromised to add spammy links or malware – you can pick those up using the free site scan over at http://sitecheck.sucuri.net/scanner/
Deb Dutilh says
Thanks, Jan! I got a clean bill of scan from the sitecheck link, too.
Jan Kearney says
That’s always good news, Deb! 🙂
Deb Dutilh says
Hi Jan,
This is very useful info. There is so much to know and to be honest, with all the fantastic tips here in the UBC alone, my head is spinning. No wonder they have people who take care of all of this. Thanks for sharing!
Jan Kearney says
Remember to breathe, Deb – it’s not as overwhelming then 🙂 Thanks for popping in and good luck with the UBC!
Eleanor says
These are all solid and great tips. I prefer WPTwin by Jason Fladlien and Wilson Mattos for backing my sites up.
Jan Kearney says
I think that’s because of your crazy crush? Heard good things about WPTwin, not tried it myself…
Arla DeField - SayingNoWithoutFeelingGuilty.com says
oh my gosh! Went and checked like you suggested. Talked to my webmaster and so far, whew, we are good. Crazy all this hacking!