The quick answer to the question of whether you should be concerned about your WordPress security is a resounding YES. Saying that your site is "not important enough", or that it is somehow safe from all the harm that is out there, is flat out careless. I have seen many people say that their WordPress site is protected because they installed a login-limit security plugin or a firewall, and that they are now good to go.
Is that really enough? It obviously helps, but it is hardly enough. WordPress is great software used by millions, which makes it very popular and therefore a constant target: the same automated scripts try the same default usernames and login page on every site they can find. Login limits are a great security measure, but on their own they are not enough. You know the saying, "better safe than sorry", right?
Before I move on, let me show you from my own experience the attempts that have been, and still are, constantly being made on this site.
Bad Login Attempts
Here's a screenshot of the login attempts my log recorded over a number of days: 1417 bad login attempts. How scary is that?
IPs that have consistently been trying to attack my site.
I blurred the IPs on purpose, but it is good to know which IP or range of IPs has been consistently attempting to log in to your site, so you can block it directly at your hosting provider using the IP deny feature. Keep in mind that attackers rotate through many addresses, so blocking the worst offenders raises the cost of an attack rather than ending it.
Attempts using the user name “admin”
As you can see from this log, the majority of the recorded attempts were made using the username "admin".
Am I fully protected? Again, saying that I am 100% protected is nowhere close to reality. The sheer number of attempts on my site is so big that one has to wonder whether, one of these days, somebody will simply get in. The only thing I am sure of is that it happens every single day, without exception.
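A practitioner would want to turn a log like the one above into something actionable. The following is an added example, not code from the original post or from any plugin: it parses failed-login lines in an assumed format (date, time, source IP, username tried), counts failures per source IP and per username, reports the share of attempts that used "admin", and emits Apache-style deny lines for the worst offenders, which is what a host's IP-deny feature produces behind the scenes. The log lines are constructed sample data using documentation IP ranges.

```python
"""Summarise failed WordPress login attempts and build an IP deny list.

Added example, not code from the original post or from any plugin. The
log format is an assumption: one line per failed login with the fields
"<date> <time> <source-ip> <username-tried>".
"""
import ipaddress
from collections import Counter

# Constructed sample log lines (documentation IP ranges), not real data.
SAMPLE_LOG = """\
2013-01-15 10:22:31 203.0.113.7 admin
2013-01-15 10:22:33 203.0.113.7 admin
2013-01-15 10:22:35 203.0.113.7 administrator
2013-01-15 10:24:01 198.51.100.9 admin
2013-01-15 10:25:12 203.0.113.7 admin
2013-01-15 10:25:40 203.0.113.7 root
2013-01-15 11:03:08 192.0.2.44 editor
this line is garbage and must be skipped
2013-01-15 11:05:00 not.an.ip admin
2013-01-15 11:40:55 203.0.113.7 admin
2013-01-16 02:11:17 198.51.100.9 admin
2013-01-16 02:11:19 198.51.100.9 admin
2013-01-16 02:11:22 198.51.100.9 test
"""


def parse_log(text):
    """Return (date, ip, username) tuples; malformed lines and bad IPs are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        day, _clock, ip, user = parts
        try:
            ipaddress.ip_address(ip)  # reject anything that is not an IP address
        except ValueError:
            continue
        records.append((day, ip, user))
    return records


def summarise(records):
    """Failure counts per source IP and per username tried."""
    by_ip = Counter(ip for _, ip, _ in records)
    by_user = Counter(user for _, _, user in records)
    return by_ip, by_user


def admin_share(by_user):
    """Fraction of all failures that guessed the default "admin" username."""
    total = sum(by_user.values())
    return by_user["admin"] / total if total else 0.0


def deny_list(by_ip, threshold):
    """IPs with at least `threshold` failures, worst offender first."""
    return [ip for ip, n in by_ip.most_common() if n >= threshold]


def htaccess_rules(ips):
    """Apache 2.2-style deny lines, the same effect as a host's IP-deny tool."""
    return "\n".join(f"deny from {ip}" for ip in ips)


if __name__ == "__main__":
    by_ip, by_user = summarise(parse_log(SAMPLE_LOG))
    print("failures per IP:", dict(by_ip))
    print("failures per username:", dict(by_user))
    print(f"share of attempts using 'admin': {admin_share(by_user):.0%}")
    print(htaccess_rules(deny_list(by_ip, threshold=4)))
```

The threshold is the knob to tune: too low and you will block a legitimate user who mistyped a password a few times, too high and slow, distributed guessing never trips it. On Apache 2.4 the equivalent of `deny from` is `Require not ip`, so check which syntax your host expects before pasting the output into `.htaccess`.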
So how do we improve security?
There are many things you can do, and I won't repeat them all here, as the links below contain additional information and resources. Nonetheless, the following are the absolute essentials, which I strongly recommend you follow:
Username – If you noticed above, the username that has consistently been used is "admin". Yep, that's the standard or default WordPress username, and if you are using it you have already handed an attacker half of the credential pair: every guess now only has to find the password.
Recommended action: Change it, period. How? See the recommended security plugin below.
Password – For many users this still seems to be an enigma. If you use any of the 25 passwords listed here, or a derivative of one of them (a capital letter, a year or a "1" tacked on the end, "@" in place of "a"), you should seriously think about changing it, like, ASAP. Changing your passwords periodically does not hurt, but it matters far less than using a long password that is unique to this site, and changing it immediately whenever you suspect it has been compromised.
Recommended action: Use strong passwords. How? Here’s how to make a strong password without complications.
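What "a derivative of" a common password means is worth making concrete. The following is an added example, not code from the original post or from any plugin: it lowercases the candidate, strips a trailing year or symbol run, undoes common leetspeak substitutions, and checks each form against a constructed sample of well-known weak passwords; anything that survives still has to meet a minimum length. The password list and the 12-character floor are assumptions standing in for the 25-entry list the post links to.

```python
"""Flag passwords that are on a common-password list or a cheap
derivative of one (case changes, leetspeak, a year or digits tacked on).

Added example, not code from the original post. COMMON_PASSWORDS is a
constructed sample of well-known weak passwords standing in for the
25-entry list the post links to; the minimum length is an assumption.
"""
import re

COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "abc123", "monkey",
    "letmein", "dragon", "111111", "baseball", "iloveyou", "trustno1",
    "sunshine", "master", "welcome", "shadow", "football", "ninja",
}

# Undo the letter-to-symbol substitutions that attackers' wordlists already include.
_UNLEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                         "0": "o", "$": "s", "5": "s", "7": "t"})


def variants(password):
    """Yield the candidate in progressively more normalised forms."""
    lowered = password.lower()
    yield lowered
    stripped = re.sub(r"[^a-z]+$", "", lowered)  # drop a trailing year/digits/symbols
    yield stripped
    yield stripped.translate(_UNLEET)
    yield lowered.translate(_UNLEET)


def weakness(password, common=COMMON_PASSWORDS, min_length=12):
    """Return why the password is weak, or None if it passes both checks."""
    for form in variants(password):
        if form and form in common:
            return f"derivative of common password {form!r}"
    if len(password) < min_length:
        return f"shorter than {min_length} characters"
    return None


if __name__ == "__main__":
    for candidate in ["P@ssw0rd2013!", "LetMeIn99", "Tr0ub4dor&3",
                      "correct horse battery staple"]:
        print(f"{candidate!r}: {weakness(candidate) or 'ok'}")
```

Note that "P@ssw0rd2013!" satisfies every classic complexity rule (upper, lower, digit, symbol, 13 characters) and is still rejected, because every cracking wordlist applies exactly these transformations. The check is deliberately one-directional: it only ever makes the candidate look more like a dictionary word, so it cannot turn a genuinely random password into a false match.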
Backup – Probably the only real safety net you can have. Regular backups are an absolute must, and you should find the way of doing them that works for you. Check with your hosting company what backup procedures they offer, do it on your own, install an automated backup plugin that will do it for you, or use a service such as the one offered by ManageWP (aff link), which lets you manage backups and more on up to 5 websites for $4 a month. Totally worth it. Whichever you choose, keep at least one copy somewhere other than the web server itself, and restore a backup to a test site once in a while; a backup you have never restored is only a hope.
Recommended action: Need I say it again? Backup, backup and backup some more (use the grandfather, father and son rotation: for example, daily copies kept for a week, weekly copies for a month and monthly copies for a year).
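The grandfather, father and son rotation mentioned above, worked through as an added example that is not the post's code or ManageWP's: given the dates of the daily backups on hand, it keeps the newest seven (sons), the newest backup from each of the last four ISO weeks (fathers) and the newest from each of the last twelve months (grandfathers); everything else can be pruned. The one-backup-per-day setup and those three counts are assumptions.

```python
"""Grandfather-father-son (GFS) backup retention: given the dates of the
backups you have, decide which to keep and which to prune.

Added example, not code from the original post or from any backup
service. It assumes one backup per calendar day; the counts (7 sons,
4 fathers, 12 grandfathers) are illustrative defaults.
"""
from datetime import date, timedelta


def _latest_per_bucket(dates_desc, key, limit):
    """Newest backup in each of the `limit` most recent buckets (ISO weeks, months)."""
    seen, kept = [], []
    for d in dates_desc:
        k = key(d)
        if k in seen:
            continue            # a newer backup already represents this bucket
        if len(seen) == limit:
            break               # enough buckets covered
        seen.append(k)
        kept.append(d)
    return kept


def gfs_keep(backup_dates, daily=7, weekly=4, monthly=12):
    """Return the set of backup dates to retain.

    sons:         the `daily` most recent backups
    fathers:      the newest backup in each of the last `weekly` ISO weeks
    grandfathers: the newest backup in each of the last `monthly` months
    """
    dates = sorted(set(backup_dates), reverse=True)
    keep = set(dates[:daily])
    keep.update(_latest_per_bucket(dates, lambda d: d.isocalendar()[:2], weekly))
    keep.update(_latest_per_bucket(dates, lambda d: (d.year, d.month), monthly))
    return keep


def retained_iso(backup_dates, **kw):
    """Sorted ISO-8601 strings of the dates gfs_keep() retains (handy for logs/tests)."""
    return sorted(d.isoformat() for d in gfs_keep(backup_dates, **kw))


def daily_backups(start, days):
    """Constructed sample: one backup per day for `days` days from `start`."""
    return [start + timedelta(days=i) for i in range(days)]


# Constructed sample: 120 consecutive daily backups, 2013-01-01 .. 2013-04-30.
SAMPLE_DATES = daily_backups(date(2013, 1, 1), 120)

if __name__ == "__main__":
    keep = gfs_keep(SAMPLE_DATES)
    prune = sorted(set(SAMPLE_DATES) - keep)
    print(f"keeping {len(keep)} of {len(SAMPLE_DATES)} backups:")
    for d in sorted(keep):
        print("  ", d.isoformat())
    print(f"pruning {len(prune)} backups")
```

With the sample dates the script keeps 12 of the 120 files: the seven newest, the Sundays that close out the previous three ISO weeks, and the last day of each earlier month. Run it against the dates of your real backup files before deleting anything, and keep the retained set on storage the web server cannot write to, so that a compromise of the site cannot also wipe its history.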
Install Better WP Security
Or any other WordPress security plugin. Better WP Security is, however, my favorite and the one I recommend. I have tried and tested several others, but this one does the job of securing your site quite well. It not only limits login attempts, it also points out other weaknesses your WordPress installation may have, such as the "admin" username discussed above.
Watch the video for a quick tutorial on how to install it and set up the basic functionality.
Finally, there are also services that help improve your site's security as well as its performance. CloudFlare is one of those I use; it's free and worth checking out (video – see the link in the description).
Here are some additional articles and resources that I highly recommend reading, if you get the chance.
- Domain Names and WordPress Sites, Are You Protected 100%?
- Best WordPress Security Plugins, Protect Your Online Business
- About malware and hacked sites – Google Webmaster Tools
That's it! How about you? Have you been a victim of attacks? What are you doing to improve your site's security? Do you even have a plan in place?
UPDATE: A huge thanks to Joe Boyle from WebsiteBegin.com, who left a comment below with a quick and important tip about the security logs that Better WP Security generates. Delete the logs regularly, or they will keep growing and start to slow your site down.
Great tips, thanks for sharing. I received a WP update notification in my Google Webmaster Tools; just wondering if not updating my WP damages my SEO rankings. I know that I am taking some security risk by not updating it.
Pankaj
I recommend using the WordPress BulletProof Security plugin. It is a very good plugin which provides overall security for your WordPress site.
Fred Owusu
Great security plugin, DiTesco... I use it myself on one of my blogs and I do see great protection from attackers. Great video also. I like the video since I found it complicated to set up. Thanks man :)
Welcome, Fred. Good to see you here. So, how is the WP security plugin working for you? Got a lot of "intruders" lately? :)
Fred Owusu
Every single day my friend.... it's insane how many IP addresses it collects and blocks. Long list of intruders.
Maggie Jones
WordPress is great to use for personal blogs or for business. It is also essential to secure it in order to protect it from hackers. Thank you for the tips!
Aasma
Hey DiTesco,
Certainly essential points. However, for better security one should always change the default settings and keep updating his passwords. Because you can't rely on one tool every time, you need to be more careful.
Joe Boyle
DiTesco, one quick tip for using the plugin – be sure to delete the logs regularly. It does not, sadly, automatically delete the logs and they can be pretty hefty – I had a large amount of my DB being cluttered with the logs after about a month of using it. Make sure you clean them out for more efficiency and a faster database.
Fred Owusu
Thanks for the heads up Joe. Definitely got some deleting to do.
Hi Joe. Thanks for the timely addition. I actually was having some performance issues on another blog where I had this plugin installed, and found out that it improved a great deal after cleaning up the logs. Thanks for the reminder, I should have put it up there... but hey, you made an awesome contribution :) Thanks for stopping by
PS: did you see the update above?
Are you saying that it doesn’t automatically delete logs on a regular basis, but has an option to manually do so? Or, are you saying that you have to manually delete the entries from the database itself? Just curious because I use an older brute force login protection plugin and it doesn’t delete or remove the entries either. Nor do I have the option of doing so in the plugin administration. I have been looking for an alternative to the one I use, but finding one with the option to remove old records is tough to find. I can manually remove them from the database, but it is a bit more tedious and time-consuming. Especially when you get up into the hundreds or thousands of entries.
Hi Ray. Yes, it does not automatically delete logs, but there is an option to do so manually. This can be done directly from the plugin's dashboard inside WordPress. No need to log in to your host and delete them there. Makes life really easy. Just go to "Security" > View Logs, and there you will see the various options available, including deleting logs. This is really a good plugin, I love it :)
That's great and what I was hoping for. I checked the screenshots on the plugin homepage, but they didn't show the details for that option. I hate installing plugins only to find out that something I was hoping for or expecting wasn't included. This definitely helps me because now I know it will be worth my time. On a side note, have you spent much time with the Wordfence or BulletProof Security plugins? I have had my eye on them, but Better WP Security seems a little easier, and now that I know I can remove old logs, even better.
Hi Ray. Here's a screenshot for you. You can see the function for deleting old data as well as the other features of Better WP: http://dl.dropbox.com/u/7888646/Logs%20Better%20WP.jpg
Let me know how it goes for you.
Thanks for taking the time to verify and add the screen shot. That’s what I’ve been looking for. I hope to spend some quality time with Better WP Security this week.
Philip A.
Hi DiTesco,
Thanks for writing this post, I’m fairly new to blogging and my blog is only one month of age.
Until now I haven't really considered a security plugin, but your post got me kind of worried about the security issues. I've worked hard to put content on my blog, and I'm sure every blogger does, so I would absolutely flip if something happened and I wasn't prepared.
Have great day and thanks for the great instructions.
~Philip
Ti Roberts
Francisco, wonderfully written article and I appreciate all the tips you gave. I’m definitely going to be implementing these because I want to ensure my site is protected, especially now that I’m starting to gain more traffic and momentum. I would hate to one day wake up to my site being attacked and gone. The horror!
Thanks for sharing this post with our BizSugar community. I appreciate it!
Ti
Suresh
I have not checked in here for some time as I thought it was getting boring, but the last several posts are of great quality, so I guess I'll add you back to my daily blog list. You deserve it, my friend.
Glad to see you no longer find the latest articles “boring”, lol. Anything in particular you would like to see here?
Danny
Another great post, Francisco.
I currently use "Ultimate Security Checker" and a paid (premium, from my web host) security service....
Though, just like you Francisco, I have seen way too much strange activity taking place, when I check logs etc…..
There are probably a lot of “false positives” as well(depending on security software, system) which makes it all the more harder to define where all the problems really are….
These days I get flooded with spam comments, many of which try to add malicious code(CSS hacks, etc) or bad links…so far they have been blocked….
These spammers(hackers) even go to the trouble of Subscribing to your website….(they are quite motivated)!
Agree with your point about “Backup, backup, backup” …this is so crucial, and often overlooked….
I just visited a site recently that had a large list of security protocols, and I was surprised by just how much work we need to do, just to gain an acceptable level of security....
There were some very helpful tips in that article, so I'll try to come back later and include a few of the most crucial....
Just a word to all:
Hackers and spammers seem to be out in force lately, and this trend may continue to grow....
Juan
I think I should look more into this matter. Many of my blogger friends get hacked easily. With this WP security, I will know if there is an attack happening on my blog. Thanks DiTesco