WordPress sites subjected to brute force attacks
I don’t know if you have been following any of the online chatter these past few weeks about the “brute force” attacks on WordPress websites, but I wanted to keep you informed on what they are and what you can do about them.
In a “brute force” attack, a hacker uses one or more computers to attempt to crack your admin username and password. Once they have access, they will attempt to inject code to hijack your website. For instance, they may inject code that redirects all inbound links from Google, Bing, etc. to a page on which they have placed CPC ads, or even computer malware to infect even more computers.
One of the best defenses against brute force attacks is a plugin that limits the number of login attempts a hacker can make before being locked out for a predetermined amount of time. This can slow down hacking attempts, even those made from multiple computers.
I use a plugin called Login Lockdown to do this for me. Despite the “no recent update” warning, I use it on the latest WordPress version (3.5.1 at this time) with no problems. No site on which I have Login Lockdown installed has suffered a successful “brute force” attack.
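The lockout behaviour described above can be modelled in a few lines. This Python sketch is an added example, not Login Lockdown's code; the class and function names, the thresholds and the IP addresses are assumptions chosen for illustration. It counts how many password guesses actually reach the password check in one day, for one machine and for ten.

```python
from collections import defaultdict, deque

class LoginLimiter:
    """Lock an IP out after too many failed logins inside a time window."""

    def __init__(self, max_failures=3, window=300, lockout=3600):
        # Illustrative thresholds (assumptions), all times in seconds.
        self.max_failures = max_failures    # failures tolerated inside the window
        self.window = window                # how long a failure is remembered
        self.lockout = lockout              # how long a locked-out IP is refused
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time the lockout ends

    def attempt(self, ip, password_ok, now):
        """Return 'locked', 'ok' or 'failed' for one login attempt at time `now`."""
        if self.locked_until.get(ip, 0) > now:
            return "locked"                 # refused before the password is checked
        if not password_ok:
            recent = self.failures[ip]
            recent.append(now)
            while recent and recent[0] <= now - self.window:
                recent.popleft()            # forget failures older than the window
            if len(recent) >= self.max_failures:
                self.locked_until[ip] = now + self.lockout
                recent.clear()
            return "failed"
        self.failures.pop(ip, None)         # a good login resets the counter
        return "ok"


def guesses_tested(ips, seconds, limiter=None):
    """Wrong guesses that reach the password check when every IP in `ips`
    submits one guess per second for `seconds` seconds."""
    tested = 0
    for now in range(seconds):
        for ip in ips:
            if limiter is None or limiter.attempt(ip, False, now) == "failed":
                tested += 1
    return tested


if __name__ == "__main__":
    DAY = 24 * 3600
    one = ["203.0.113.5"]                               # constructed address
    ten = [f"198.51.100.{n}" for n in range(1, 11)]     # constructed addresses
    print("no limiter, 1 IP :", guesses_tested(one, DAY))
    print("limiter, 1 IP    :", guesses_tested(one, DAY, LoginLimiter()))
    print("limiter, 10 IPs  :", guesses_tested(ten, DAY, LoginLimiter()))
```

With these values a single address gets 72 guesses a day instead of 86,400, and ten addresses get 720, which is why a lockout slows attempts from multiple computers rather than stopping them outright.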
You can install Login Lockdown by clicking Plugins => Add New and typing “Login Lockdown” into the search box. When it is located, click “Install” and, once it has installed, click “Activate Plugin.”
To determine if you have Login Lockdown installed already, check your list of Active Plugins, or see if the “Login Form Protected by Login Lockdown” phrase appears in your login box.
Another good practice would be to get rid of the “admin” user if you have one. Just log in to WP-Admin and create a new user with any username other than “admin”. Then log out, log back in using the new user, and delete the “admin” user. When you have an “admin” user, you have done part of the hackers’ work for them, as so many WordPress sites have an “admin” user.
I hope you choose to protect your website by making sure that Login Lockdown is installed and the “admin” user is removed. As always, if you need help with this, open a ticket at the Orange Cat Support Center.