The quick answer to the question of whether you should be concerned about your WordPress security is a resounding YES. Saying that your site is “not important” enough, or that it is relatively protected from all the “harm” that is out there, is being flat out careless. I have seen many people say that their WordPress site is protected because they have installed a login limit security plugin or a firewall, and that they are now good to go.
Is that really enough? It obviously helps, but it is hardly enough. WordPress is a great piece of software and is used by millions. That makes it very popular and therefore a prime target for attacks. Login limits are a great security measure, but that alone is not enough. You know the saying, “better safe than sorry”, right?
Before I move forward, let me show you my own experience with the “attempts” that have been, and still are being, made constantly on this site.
Bad Login Attempts
Here’s a screenshot of login attempts that my log showed in a number of days. 1417 bad login attempts, how scary is that?
IPs that consistently have been trying to attack my site.
I blurred the IPs on purpose, but it is good to know which IP or range of IPs has been consistently attempting to log in to your site, so you can block it directly at your hosting provider using the IP deny security feature.
Attempts using the user name “admin”
As you can see from this log, the majority of the recorded attempts use the username “admin”.
Am I fully protected? Again, saying that I am 100% protected is nowhere close to reality. The sheer number of attempts that hit my site is so large that one may wonder whether, one of these days, someone will simply manage to get in. The only thing I am sure of is that it happens every single day, no exceptions.
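To turn a log like the one in the screenshots into the two numbers that matter (which usernames are being tried, and which IPs or ranges are noisy enough to deny at the host), here is an added example, not code from the original post or from Better WP Security. The log line format and the sample lines are constructed assumptions; the counting logic is what you would run over your own export.

```python
import re
from collections import Counter

# Constructed sample of failed-login log lines; the format is an assumption,
# not Better WP Security's own. IPs are from the documentation ranges.
SAMPLE_LOG = """\
2014-03-02 10:15:01 FAILED_LOGIN user=admin ip=203.0.113.7
2014-03-02 10:15:03 FAILED_LOGIN user=admin ip=203.0.113.7
2014-03-02 10:15:06 FAILED_LOGIN user=administrator ip=203.0.113.7
2014-03-02 10:15:09 FAILED_LOGIN user=admin ip=203.0.113.7
2014-03-02 10:16:40 FAILED_LOGIN user=admin ip=203.0.113.88
2014-03-02 10:16:44 FAILED_LOGIN user=test ip=203.0.113.88
2014-03-02 11:02:10 FAILED_LOGIN user=admin ip=198.51.100.5
2014-03-02 11:40:12 FAILED_LOGIN user=joe ip=198.51.100.9
"""

LINE_RE = re.compile(r"FAILED_LOGIN user=(?P<user>\S+) ip=(?P<ip>\d+\.\d+\.\d+\.\d+)")

def parse_failed_logins(text):
    """Return one (username, ip) tuple per failed login found in the log text."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m.group("user"), m.group("ip")))
    return events

def summarize(events):
    """Count failures per username, per IP, and per /24 range (a range is
    what you would typically block with a host's IP deny feature)."""
    by_user = Counter(user for user, _ in events)
    by_ip = Counter(ip for _, ip in events)
    by_range = Counter(ip.rsplit(".", 1)[0] + ".0/24" for _, ip in events)
    return by_user, by_ip, by_range

def noisy_sources(by_ip, by_range, ip_threshold=3, range_threshold=5):
    """IPs and /24 ranges at or above the thresholds: candidates for an IP deny rule."""
    ips = sorted(ip for ip, n in by_ip.items() if n >= ip_threshold)
    ranges = sorted(r for r, n in by_range.items() if n >= range_threshold)
    return ips, ranges

def admin_share(by_user):
    """Fraction of all failed logins that targeted the default 'admin' username."""
    total = sum(by_user.values())
    return by_user["admin"] / total if total else 0.0

if __name__ == "__main__":
    by_user, by_ip, by_range = summarize(parse_failed_logins(SAMPLE_LOG))
    print("by username:", by_user.most_common())
    print("deny candidates:", noisy_sources(by_ip, by_range))
    print("share aimed at 'admin': {:.0%}".format(admin_share(by_user)))
```

If your own log is in a different format, only LINE_RE needs to change; a high admin_share is the signal that renaming the default account (as recommended below) is worth doing first.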
So how do we improve security?
There are many things you can do, and I won’t repeat them all here, as I provide some links below that contain further information and resources you can look at. Nonetheless, the following are the absolute essentials, and I strongly recommend you follow them:
Username – If you noticed above, the username used most consistently is “admin”. Yep, that’s the standard or default username from WordPress, and if you are still using it, you have already handed over 50% of what someone needs to log in to your account without proper authorization.
Recommended action: Change it, period. How? See the recommended security plugin below.
Password – Passwords still seem to be an enigma for many users. If you use any of the 25 passwords listed here, or a derivative of one, then you should seriously consider changing it, ASAP. In addition, it does not hurt to change your passwords on a regular basis.
Recommended action: Use strong passwords. How? Here’s how to make a strong password without complications.
Backup – Probably the only real safety net you can have. Regular backups are an absolute must, and you should find the way of doing them that works best for you. You can check with your hosting company what backup procedures they offer, do it on your own, install an automated backup plugin that will do it for you, or make use of a service such as the one offered by ManageWP (aff link), which lets you manage backups and more on up to 5 websites for $4 a month. Totally worth it.
Recommended action: Need I say it again – backup, backup and backup some more (use the grandfather, father and son rotation method).
Install Better WP Security
Or any other WordPress security plugin. Better WP Security is, however, my favorite and the one I recommend using. I have tried and tested several others, but this one does the job of securing your site quite well. It not only provides login limits, it also makes suggestions about “other” vulnerabilities your WordPress site may have.
Watch the video for a quick tutorial on how to install and set it up using the basic functionalities.
Finally, there are also services that help increase your site’s security while also improving its performance. CloudFlare is one that I use; it’s free and well worth checking out (video – see link in the description).
Here are some additional articles and resources that I highly recommend reading, if you get the chance.
- Domain Names and WordPress Sites, Are You Protected 100%?
- Best WordPress Security Plugins, Protect Your Online Business
- About malware and hacked sites – Google Webmaster Tools
That’s it! How about you? Have you been a victim of attacks? What are you doing to improve your site’s security? Do you even have a plan in place?
UPDATE: A huge thanks to Joe Boyle from WebsiteBegin.com who left a comment below, providing a quick and important tip about the security logs that Better WP generates. You should regularly delete the logs to avoid having performance issues with your site.