Five steps to boost your WordPress security

15th Apr 2015

Updated 3rd July 2015

WordPress is one of the most popular CMSs today, but its popularity has attracted the unwanted attention of attackers who scan for out-of-date installations with known vulnerabilities, or simply try to guess passwords, in order to gain access to your website's admin area.

This can cause serious problems, including:

- Attackers gaining access to your website, posting their own content or defacing your content.

- Heavy load on the web server as thousands of attempts to log in to your website are made, which can result in your website being taken offline.

How to protect your WordPress website

There are ways to improve the security of your WordPress website so that you and your visitors can continue to enjoy its great features.

1. Update your WordPress installation, the plugins and the theme

This needs to be done first, before any of the items below. Always back up your website (both the files and the database) before starting the updates. Keep an eye out for new releases of WordPress core, your plugins and your theme, and update each time one appears: attackers specifically look for sites still running a version with a vulnerability that has already been fixed in a newer release.

2. Change the 'admin' username

WordPress' default Administrator username on initial installation is 'admin'. If you haven't changed it, an attacker already knows half of your login details and only has to guess the password. Make sure none of your user profiles has the username 'admin'. WordPress does not let you edit an existing username from the profile screen, so create another user at 'Administrator' level with a different username, log in as this new user and then delete the original user with the 'admin' username. When WordPress asks what to do with the deleted user's content, attribute it to the new account rather than deleting it, or the old user's posts and pages will go too. The new user profile must have Administrator level access before you delete the old one, otherwise you will lock yourself out of administering the site.

3. Limit login attempts

There is a very useful plugin that lets you set the number of login attempts allowed before a user is blocked. If an attacker is trying to guess your username and password, their IP address will be blocked for the length of time you stipulate. The 'Limit Login Attempts' plugin can be installed and configured easily and was still working on WordPress 4.1.1 at the time of writing this article. Bear in mind that the block is per IP address: it slows down a single attacker considerably, but does little against attempts spread across many addresses, so a strong password is still essential.
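To show what a plugin of this kind does behind the scenes, here is an added example (written for this article, not code from the Limit Login Attempts plugin) of a small must-use plugin that counts failed logins per IP address in WordPress transients and refuses authentication once the limit is reached. The limit of 5 failures within 15 minutes and the 20-minute lockout are assumed values; the hook names (wp_login_failed, authenticate, wp_login) and the transient functions are WordPress's own.

```php
<?php
/**
 * Plugin Name: Login Throttle (added example)
 * Description: Locks an IP address out of the login form after too many failed attempts.
 *
 * Save as wp-content/mu-plugins/login-throttle.php (create the directory if it
 * does not exist); must-use plugins load automatically and need no activation.
 * Added example to illustrate the mechanism, not code from the Limit Login
 * Attempts plugin. The limits below are assumed values, not that plugin's defaults.
 */

defined( 'ABSPATH' ) || exit;

define( 'LT_MAX_FAILURES', 5 );                        // failures allowed ...
define( 'LT_FAILURE_WINDOW', 15 * MINUTE_IN_SECONDS ); // ... within this period
define( 'LT_LOCKOUT', 20 * MINUTE_IN_SECONDS );        // lockout length once exceeded

/**
 * Address to throttle on. REMOTE_ADDR is set by the web server and cannot be
 * forged by the client; X-Forwarded-For can be, so it is only safe behind a
 * proxy that you control and that overwrites the header.
 */
function lt_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

/** Transient names are length-limited, so key the counters on a hash of the address. */
function lt_key( $type, $ip ) {
    return 'lt_' . $type . '_' . md5( $ip );
}

/** Seconds until the lockout for this IP ends, or 0 if it is not locked out. */
function lt_seconds_locked( $ip ) {
    $until = (int) get_transient( lt_key( 'lock', $ip ) );
    return max( 0, $until - time() );
}

/**
 * Runs on every failed login (action 'wp_login_failed'). Counts the failure
 * within the window and locks the address once the limit is reached.
 * Attempts refused because of an existing lockout are not counted again.
 */
function lt_record_failure( $username, $error = null ) {
    if ( is_wp_error( $error ) && 'lt_locked_out' === $error->get_error_code() ) {
        return;
    }
    $ip       = lt_client_ip();
    $key      = lt_key( 'fail', $ip );
    $failures = (int) get_transient( $key ) + 1;
    set_transient( $key, $failures, LT_FAILURE_WINDOW );

    if ( $failures >= LT_MAX_FAILURES ) {
        set_transient( lt_key( 'lock', $ip ), time() + LT_LOCKOUT, LT_LOCKOUT );
        delete_transient( $key );
        // Goes to the PHP error log: useful for spotting brute-force runs.
        error_log( sprintf( 'login-throttle: locked out %s after %d failures (last username tried: %s)',
            $ip, $failures, $username ) );
    }
}
add_action( 'wp_login_failed', 'lt_record_failure', 10, 2 );

/**
 * Runs on the 'authenticate' filter at priority 40, after WordPress's own
 * username/password check (priority 20) and cookie check (priority 30), so a
 * locked-out address is refused even when it supplies the correct password.
 */
function lt_refuse_if_locked( $user, $username, $password ) {
    $remaining = lt_seconds_locked( lt_client_ip() );
    if ( $remaining > 0 ) {
        $minutes = (int) ceil( $remaining / MINUTE_IN_SECONDS );
        return new WP_Error(
            'lt_locked_out',
            sprintf( 'Too many failed login attempts. Try again in %d minute(s).', $minutes )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'lt_refuse_if_locked', 40, 3 );

/** A successful login (action 'wp_login') resets the failure counter for the address. */
function lt_clear_failures( $user_login, $user ) {
    delete_transient( lt_key( 'fail', lt_client_ip() ) );
}
add_action( 'wp_login', 'lt_clear_failures', 10, 2 );
```

Because the counters live in transients (the options table, or the object cache if one is configured), the lockout is shared by every PHP process serving the site rather than being per request. If your site sits behind a reverse proxy or CDN, REMOTE_ADDR will be the proxy's address and every visitor would share one counter, so the address lookup must be adapted to your proxy before using this.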

4. Rename the wp-login URL

A potential attacker would usually look for your login page at the default WordPress URL; moving it makes their job harder, although it is obscurity rather than a replacement for a strong password.
The 'WPS Hide Login' plugin allows you to change the standard login URL from
www.yourwordpresswebsite/wp-login.php
to
www.yourwordpresswebsite/login-of-your-choice/
Again, this is easy to install and set up. Make a note of the new URL somewhere safe: if you forget it, you will have to disable the plugin (for example by renaming its folder over FTP) to get the default login page back. Although the plugin is no longer maintained it was still working on WordPress 4.1.1 at the time of writing this article.

5. Add a '403 Forbidden' to your .htaccess file

As additional protection on top of the login rename above, you can add a small amount of code to your website's .htaccess file. Anyone requesting the standard wp-login.php page then gets a '403 Forbidden' from the web server itself, rather than the '404 Page not found' the plugin shows, and the request never reaches WordPress at all. Only add this once the renamed login URL from step 4 is working, because the rule blocks everyone, including you. It applies to Apache only (nginx ignores .htaccess files) and uses Apache 2.2 syntax; on Apache 2.4, replace 'Deny from All' with 'Require all denied'. Note that it only covers wp-login.php: if you don't use the XML-RPC interface, which also accepts a username and password, it is worth blocking xmlrpc.php in the same way. Here's the code:


<Files wp-login.php>
Deny from All
ErrorDocument 403 "Forbidden"
</Files>

Please note: You should always back up your website before making changes such as those described above. These changes are suggestions only and we cannot be responsible for any problems with third party WordPress software, plugins or themes now or in the future. These changes shouldn't be attempted unless you understand their implications and have a good knowledge of WordPress. If you have a web designer who initially set up your WordPress website then you may wish to ask them to check and make these changes for you.

Additional steps: if you think your website may have been compromised, or want to check it for known problems, you may find the following useful.

6. Plugin Vulnerabilities

The Plugin Vulnerabilities plugin alerts you when an installed plugin contains a known security vulnerability. It checks the plugins you have installed against a list of verified security vulnerabilities: if the installed version of a plugin is vulnerable, an alert is added to the Installed Plugins page; otherwise, details of vulnerabilities in other versions of that plugin are listed on the Plugin Vulnerabilities page, which is useful for judging whether a plugin has a poor track record.

7. Wordfence

Wordfence starts by checking whether your site is already infected. It runs a server-side scan of your site's source code, comparing the files against the official WordPress repository copies of core, themes and plugins and flagging any that differ or don't belong. It is a powerful plugin whose options and settings are not intended for a complete novice, but configured correctly it provides an additional layer of security.

If you need help

If you do not have a web designer, or are not able to check and update your WordPress website yourself, then we can help. Please send us a helpdesk support request and we can provide a quote for any work needed. It is much more cost-effective to defend your website now than to recover a hacked or compromised website later.