First in a small series on WordPress security pitfalls, I’d like to share some basic tips on how to improve your WordPress website protection against abuse by improving your user account security.
There are many reasons why websites are being attacked but I will not be discussing them here. And there are many ways a website can be attacked, among which is a so-called brute-force attack or exhaustive key search. This kind of attack involves an automated process firing a huge number of login attempts at the websites login process. The aim is to gain access by guessing the login credentials.
In April this year (2013) The Next Web reported:
The WordPress ecosystem appears to [be] facing its worst ever coordinated brute force attack. Content delivery network CloudFlare says it blocked 60 million requests against its WordPress customers in a single hour.
Of course this staggering number is worldwide, and there are many many WordPress sites out there. But still, it’s very likely your site too will soon be or has already been targeted during these indiscriminate waves of brute-force attacks.
So here are four basic steps you can — and should! — take to harden your WordPress website against these kind of attacks. Is this list exhaustive? By no means. There are many other security measures you can take. But the following four steps are easy and they have relatively great impact.
#1 Do not use an Admin account to post
Even if there is no account with username “admin” on your site (see #2), it’s not hard to find the username of the account that is used for publishing. If that account has Admin rights, then a successful brute-force attack against that account will be very fruitful.
Create a second account with Author or Editor rights and use that one to publish. If you already posted with your admin account before, simply assign all existing posts to the newly created user: go to Posts > All Posts and select all posts by clicking the top selection box. Then select Actions > Edit and set the new user at the Author field.
Note: user accounts cannot share the same e-mail address. If you do not have a second e-mail address to use for the new account, you can usually (depending your mail provider) add a alias for your existing mailbox or (depending on your domain host) set up a redirect. Or you can simply create a new mailbox at Gmail, Hotmail, Yahoo or another mail provider.
#2 Do not use “admin” or “administrator” as username
Many automated brute-force hacking attempts that are launched, simply (but not foolishly) assume there is an admin account with the username “admin” or “administrator”.
When installing a fresh WordPress site, you can choose any username for the primary admin account. Do not leave it to the predefined one but choose something less obvious. If you have an existing installation where there already is an admin username, take the time to create a new admin account with another username, then log in via that new admin account and delete the old one. If you already posted with your admin account before, you can simply assign all existing posts to the user created in #1 during the deletion dialog.
It is important to actually delete the account with username admin. Simply not using it is not enough!
#3 Choose strong(er) passwords
A major weakness has always been the passwords themselves. The best advice is to use a combination of letters, numbers and punctuation characters and avoid recognizable words or (worse) your own name or web site name. The longer the password, the harder it is to crack. Exponentially. Use a password of at least 8 but preferably more characters.
Upgrade your WordPress installation to 3.7 or above. The new password strength indicator will help you find a less obvious password. But even then, your password might be “easier” than you think. Go to https://passfault.appspot.com/password_strength.html to analyse your intended password for recognisable patterns that make it weak. The tool will also tell you how long it would (theoretically) take to crack it. You’ll be surprised!
#4 Limit the number of login attempts
Brute-force attacks involve a large number of failing login attempts. This makes them easy to recognise and, subsequently, block the continued stream of failing attempts before the correct password is found.
There are multiple plugins available that in some or other way make the login process more secure and less likely to be abused but one of the easiest ones — in my experience, but I have certainly not tried them all — is Limit Login Attempts.
By default WordPress allows unlimited login attempts either through the login page or by sending auth cookies. This allows passwords (or hashes) to be brute-force cracked with relative ease.
Just installing it is enough to hugely improve login security. With the default settings, after 4 failed login attempts, the plugin will block login attempts coming from the same IP address (location) for 20 minutes which effectively cripples a simple* brute-force attack.
* Meaning: originating from one or a limited number of locations.
The plugin can send an email whenever a login is blocked after 4 failed attempts:
This concludes the list of relatively simple but effective security measures on WordPress user account level.
You really should take them!