I’m a WordPress convert. I made the big switch from my Blogspot blog to a self-hosted WordPress site four months ago, after reading many articles comparing the advantages and disadvantages of Blogspot and WordPress during my first two years of blogging.
I finally decided to make the move because I wanted to begin monetizing my blog and turn my blogging hobby into possible part-time income. One of my main concerns with a WordPress site, though, was the security issues, which kinda freaked me out. Of course, the security of your site is an issue for any site owner.
If you are thinking of starting a WordPress site, or if you are a WordPress beginner like me, be sure to research and choose a security plugin to help you. I’m glad I did, because last week I experienced my first brute force attack.
Image: Moritz Wellner via Flickr
It was early Tuesday morning, really early for me, about 5 am, and the email notification on my phone started dinging so many times in under a minute that I knew something wasn’t right. I use the alarm on my phone, so it’s on my nightstand and usually not a problem.
I checked my email and was getting notification after notification from my security plugin, Wordfence, that an IP address had been locked out after trying to sign in using ‘test’ as the username. These IP addresses were literally from every corner of the globe.
I had to shut my phone off because it just wouldn’t stop dinging. I realized this was a brute force attack: someone trying to get into my site through the login username and password. So, what is a brute force attack? In its simplest form, it is an attempt to gain access to your site by guessing your login credentials.
Basically, the attacker submits usernames and passwords over and over again, often from many different computers at once so that no single IP address stands out, until one combination works. They are hoping that your username is ‘admin’ and your password is ‘123456’.
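To make that concrete, here is an added example (my own illustration, not code from Wordfence or from this post’s setup) that looks for exactly the pattern described above in a list of failed logins: the same username tried from many different addresses in a short window. The records and IP addresses are constructed for the example, using the documentation address ranges, and the thresholds are assumptions you would tune for your own site.

```python
"""Added example: spot a distributed brute-force login burst.

The record format, addresses and thresholds below are constructed for this
illustration; this is not Wordfence's log or alert format.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample():
    """Constructed failed-login records: (time, source IP, username tried).
    Addresses come from the RFC 5737 documentation ranges."""
    base = datetime(2015, 6, 2, 5, 0, 0)
    events = []
    # 40 different addresses each try 'test' once, three seconds apart:
    # a distributed attack where no single source looks noisy on its own
    for i in range(40):
        events.append((base + timedelta(seconds=3 * i), f"203.0.113.{i + 1}", "test"))
    # one real user mistyping her password twice from one address: not an attack
    events.append((base + timedelta(minutes=30), "198.51.100.7", "editor"))
    events.append((base + timedelta(minutes=30, seconds=20), "198.51.100.7", "editor"))
    return events


def max_failures_per_ip(events):
    """Highest number of failures seen from any single address, i.e. all that
    a per-IP lockout rule ever gets to look at."""
    counts = defaultdict(int)
    for _, ip, _ in events:
        counts[ip] += 1
    return max(counts.values())


def find_bursts(events, window=timedelta(minutes=5), min_ips=10, min_attempts=20):
    """Return {username: (attempts, distinct_ips)} for each username whose
    failures inside some sliding `window` come from at least `min_ips`
    addresses and total at least `min_attempts`."""
    by_user = defaultdict(list)
    for when, ip, user in events:
        by_user[user.lower()].append((when, ip))

    flagged = {}
    for user, attempts in by_user.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # slide the window so that it ends at attempts[end]
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            sources = {ip for _, ip in span}
            if len(span) >= min_attempts and len(sources) >= min_ips:
                attempts_seen, _ = flagged.get(user, (0, 0))
                if len(span) > attempts_seen:
                    flagged[user] = (len(span), len(sources))
    return flagged


if __name__ == "__main__":
    sample = build_sample()
    print("most failures from any one address:", max_failures_per_ip(sample))
    for user, (n, ips) in find_bursts(sample).items():
        print(f"username {user!r}: {n} failures from {ips} addresses inside 5 minutes")
```

Notice that no single address fails more than once against ‘test’, so a per-IP lockout on its own would never fire; counting per username is what exposes the distributed attack, and it is also the reason the immediate lockout on invalid usernames discussed later in this post is worth turning on.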
I sat pretty nervous for the first couple of hours after I woke up, wondering if I had been hacked. I had installed the Wordfence plugin and hoped it would work to stall the attack.
Here are some of the things I had done before the attack. I hope they will help you as well if you are on WordPress.
- When you set up your account, change your username right away from the default ‘admin’ to something only you would know. Don’t use variations of the name of your blog. Make it unique! (WordPress won’t let you rename a user from the profile screen, so create a new administrator account with the new name, log in as that user, and delete the old ‘admin’ account, attributing its posts to the new user when prompted.)
- Also change the password to your site and make it unique as well: long, with a mix of lowercase and uppercase letters, numbers and symbols, and not reused from any other account.
- Install a security plugin. There are many plugins for WordPress sites. Take the time to research which one would be the best fit for your site.
Within your plugin there are some more changes you might want to make as well. Note that I’m currently using Wordfence, so the images are based on their plugin.
If you are using Wordfence, go to the sidebar, click on Wordfence and then click on Options.
In the Basic section make sure to check Enable Login Security, as this turns on the individual login options in the sections further down the page.
In the Alerts section you can customize what kind of alerts you would like and how often. Just check the boxes you would like or uncheck them. I originally had ‘0’ set as the number of emails to receive per hour, which is why at 5 am my phone wouldn’t stop dinging with alerts during the brute force attack. Now I have set it to 10.
And if you have more than one administrator who might log in to the account, you might want to uncheck that box so you don’t get an alert every time an administrator logs in.
The next section to change is Login Security Options. There are a number of settings you can tailor: how many login failures are allowed, how many forgotten-password attempts are allowed, the time period over which failures are counted, and how long the user is locked out.
Ever since the brute force attack, I have lowered the number of login failures allowed and I lock them out for 2 days. I chose 2 days so it would give me some time to investigate what was happening.
You can also immediately lock out anyone who tries an invalid username such as ‘admin’, and I have now included ‘test’, as that was the username tried during the last attack. Also important are the options not to reveal valid users in login errors and to prevent discovery of usernames through author scans: by default, WordPress’s login error tells the attacker whether the username exists, and visiting your site with ?author=1 added to the address redirects to that user’s archive page, whose address by default contains the login name. With both boxes checked, the attacker has to guess the username as well as the password.
Also prevent someone from registering ‘admin’ as a username if it doesn’t currently exist (see the check boxes below).
And don’t forget to save your changes.
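The settings above, as an added example that is not Wordfence’s code and is not from the original post: a small model of a login guard that locks an address after a set number of failures within a window, keeps it locked for a chosen time, locks immediately on a blocked username such as ‘admin’ or ‘test’, and always returns the same error so a valid username cannot be told apart from an invalid one. The thresholds, the blocked-username list and the `password_ok` flag standing in for a real credential check are assumptions.

```python
"""Added example: a login guard modelling the lockout settings discussed above.

This is not Wordfence's code. Thresholds, the blocked-username list and the
`password_ok` flag (standing in for a real password check) are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


class LoginGuard:
    # One message for every failure, so the response never says whether the
    # username exists or whether the address is currently locked out.
    GENERIC_ERROR = "Invalid username or password."

    def __init__(self, max_failures=5, window=timedelta(minutes=5),
                 lockout_for=timedelta(days=2), blocked_usernames=("admin", "test")):
        self.max_failures = max_failures      # failures allowed inside `window`
        self.window = window                  # period over which failures are counted
        self.lockout_for = lockout_for        # how long a locked address stays locked
        self.blocked = {u.lower() for u in blocked_usernames}
        self.failures = defaultdict(deque)    # ip -> times of recent failures
        self.locked_until = {}                # ip -> time the lock expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        return until is not None and now < until

    def _lock(self, ip, now):
        self.locked_until[ip] = now + self.lockout_for
        self.failures.pop(ip, None)

    def attempt(self, ip, username, password_ok, now):
        """Process one login attempt; return (allowed, message)."""
        if self.is_locked(ip, now):
            return False, self.GENERIC_ERROR
        if username.lower() in self.blocked:
            # immediate lockout on a username nobody legitimate would use
            self._lock(ip, now)
            return False, self.GENERIC_ERROR
        if password_ok:
            self.failures.pop(ip, None)        # a success clears the failure count
            return True, "ok"
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                  # forget failures older than the window
        if len(recent) >= self.max_failures:
            self._lock(ip, now)
        return False, self.GENERIC_ERROR


T0 = datetime(2015, 6, 2, 5, 0, 0)   # constructed start time for the demos


def demo_lockout():
    """One address: three wrong passwords, then the right one during the lock,
    then the right one after the lock expires. Returns the allowed flags."""
    guard = LoginGuard(max_failures=3)
    ip = "203.0.113.5"
    results = []
    for seconds in (0, 10, 20):
        results.append(guard.attempt(ip, "editor", False, T0 + timedelta(seconds=seconds))[0])
    results.append(guard.attempt(ip, "editor", True, T0 + timedelta(seconds=30))[0])
    results.append(guard.attempt(ip, "editor", True, T0 + timedelta(days=2, seconds=30))[0])
    return results


def demo_blocked_username():
    """A single try with the username 'test' locks the address at once."""
    guard = LoginGuard()
    guard.attempt("198.51.100.9", "test", False, T0)
    return guard.is_locked("198.51.100.9", T0 + timedelta(seconds=1))


def demo_same_error():
    """An unknown username and a wrong password for a real one get the same text."""
    guard = LoginGuard()
    unknown = guard.attempt("192.0.2.1", "nosuchuser", False, T0)[1]
    wrong = guard.attempt("192.0.2.2", "editor", False, T0)[1]
    return unknown, wrong


if __name__ == "__main__":
    print("lockout sequence:", demo_lockout())
    print("'test' locked immediately:", demo_blocked_username())
    print("identical error messages:", demo_same_error())
```

The two-day lock in the model is the same choice made above; the point of the generic message is that a real site’s login form should behave the same way, since an error that names the user (which WordPress does by default) hands the attacker half of what he is guessing.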
Having these security items in place before a brute force attack can slow the attackers down and, hopefully, make them give up. That is what happened this time with me. I don’t know if this will be the case every time, but having the security gives me a little bit of peace of mind.
The attack continued for about 3 hours, with the first hour being the hardest hit. Each hour there were fewer and fewer tries, and then it stopped. Afterwards I used Wordfence to scan my site for potential hacks, but everything came back fine. I then went to my hosting site and everything was good there as well.
As I am new to WordPress I frequently use the support topics found at WordPress.Org to help me learn how to use the WordPress platform and how to best protect it. Are you on the WordPress platform? How do you protect your site?
Any other security measures for WordPress that you might suggest? I would love to know. Leave me a comment below. We can learn how to master WordPress together.
*This is not a sponsored post for Wordfence. I was not compensated at all for writing this post. All the opinions are my own and I’m sharing my experience with this plugin. I’m just sharing this information in the hopes maybe it might help another beginner like me.*
Educator, Writer, Mom