With the recent spate of brute-force attacks hitting WordPress installations around the world, it's not surprising that hosting companies such as Heart Internet have taken some steps to protect their users, even if it does raise a few eyebrows. But what can we, as users of WordPress, do to help protect our own blogs or sites?
Below are 4 simple ways to increase security for your WordPress install.
They have been selected for their ease, balanced against the increase in protection they offer. Please feel free to suggest others in the comments below.
Plugin: Login Lockdown
This simple plugin limits the number of incorrect login attempts your system will allow before blocking further tries for a pre-set period of time.
Although the plugin hasn’t been updated in a while, it is reported to work with WordPress 3.5.1 and comes with elegant options that simply work!
This will help stop brute force attacks in their tracks.
Check out the Login Lockdown plugin here.
Stay up to date!
Most security holes in WordPress are patched relatively quickly. When new ones are discovered, news of them spreads quickly across the world. This helps a fix come to fruition, but it also increases people's knowledge of how to use that exploit to take over older, unpatched systems.
Use the built-in update tools to keep WordPress as up to date as possible. This will help protect you from a considerable number of exploits.
The current version at the time of writing is 3.5.1.
Delete your ‘Admin’ account
Yes, you heard me right. Having the default ‘Admin’ account still as your main administrator user means attackers only need to crack 50% of the credentials, since the username is already known. Once you have your fresh install working, create another WordPress administrator user with an obscure name (and a strong password!), then delete jolly old guessable ‘Admin’.
A good admin username could be something like Adm1nWP351.
.htaccess – IP lockdown!
This last one is a bit more technical, and only works if you have a fixed IP address.
Okay, it also doesn't really work if there are a lot of people signing into your WordPress, but I'd guess it works perfectly for the majority of bloggers out there.
Add this to a file called “.htaccess” in your WordPress install, replacing the x's with your IP address… that's it.
<Files wp-login.php>
    # Deny is evaluated first, then the Allow for your address overrides it
    Order deny,allow
    Deny from all
    Allow from xxx.xxx.xxx.xxx
</Files>
Only connections from your IP address will then be able to use the login screen.
You could expand this method to lock down the entire wp-admin folder too, in fact I’d recommend that!
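Locking down the whole wp-admin folder, as an added example that is not part of the original post: a hypothetical wp-admin/.htaccess (the wp-login.php block above stays in the site root). It assumes an Apache host that honours .htaccess overrides, uses the placeholder address 203.0.113.10, and re-opens admin-ajax.php because themes and plugins call it from the public front end; both the Apache 2.2 and 2.4 spellings are included.

```apache
# wp-admin/.htaccess (hypothetical example file, not from the post)
# Lock the whole admin folder to one fixed IP. 203.0.113.10 is a
# placeholder from the documentation range; replace it with your own.
<IfModule mod_authz_core.c>
    # Apache 2.4 and later
    Require ip 203.0.113.10
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2: Deny is evaluated first, then Allow overrides it
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10
</IfModule>

# Themes and plugins call admin-ajax.php from the public front end, so
# denying it to everyone breaks those features for visitors. Re-open it.
<Files admin-ajax.php>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>
</Files>
```

Apache 2.4 no longer understands Order/Allow/Deny unless mod_access_compat is loaded, which is why the two spellings are wrapped in IfModule tests.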
Implementing any one of these methods is going to increase security on your WordPress blog, but fighting those pesky hackers is an ongoing battle.
Feel free to suggest some other easy methods in the comments below, all for the benefit of those other WP admins out there.