You need to change your WordPress login information.
The world is a scary place. It’s important to remember that not all the mayhem is physical.
Right now, there are hackers trying to get your information from your website.
There were more than 1 million hacking attempts on April 11, 2013.
That’s right, one million.
We’ve all heard warnings about internet safety for years. But in the last few weeks, internet hacking attacks have increased and thousands of sites have already been compromised.
More than 1,000,000 scans and hacking attempts occurred on April 11, 2013. Sucuri just published an in-depth blog post on the details of the hacks that is well worth reading.
The Battle of the Botnets is just beginning.
Hackers are using botnets (a series of networked, compromised computers) to try to gain access to websites all over the world. Once a clean computer is compromised, it joins the “dark side” as a new recruit in the botnet army. Hackers can have their wicked way with your site, uploading files, changing content, and injecting malware…all without your knowledge.
How are they getting in? The way into your website is by figuring out the username/password combination.
Remember trying to figure out a combination lock the hard way as a kid? At first it was fun, but after a while, you gave up. The botnets don’t give up. They just keep trying.
Every time a botnet tries to log in, it uses your server’s resources. When thousands of botnets are trying to log in at the same time, it can mean serious trouble. Your site performance can slow down, causing headaches for everyone. Additionally, people have had their sites suspended because of the load on the server.
You should not take this threat lightly.
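One way to see this login traffic in your own access log, as an added example that is not from the original post: the script counts POST requests to `wp-login.php` per client and reports any client that exceeds a limit within a sliding window. The function names, the limit of 5 per minute, the Common/Combined Log Format and the sample lines are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common/Combined Log Format: ip - user [time] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def login_posts(lines):
    """Yield (ip, time, status) for each POST to wp-login.php."""
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["method"] == "POST" and \
                m["path"].split("?", 1)[0].endswith("/wp-login.php"):
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, int(m["status"])

def summarize(lines, limit=5, window=timedelta(minutes=1)):
    """Report clients whose login POSTs exceed `limit` in any `window`."""
    by_ip = defaultdict(list)
    for ip, ts, status in login_posts(lines):
        by_ip[ip].append((ts, status))
    report = {}
    for ip, events in by_ip.items():
        events.sort()
        start = peak = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:
                start += 1          # slide the window forward
            peak = max(peak, end - start + 1)
        if peak > limit:
            # Assumption: stock WordPress answers a failed login with 200
            # and a successful one with a 302 redirect.
            report[ip] = {"peak": peak,
                          "redirected": any(s == 302 for _, s in events)}
    return report

def sample_log():
    """Constructed sample: one noisy client and one ordinary login."""
    lines = [f'203.0.113.7 - - [01/Jan/2024:10:00:{s:02d} +0000] '
             f'"POST /wp-login.php HTTP/1.1" {302 if s == 7 else 200} 1234'
             for s in range(8)]
    lines.append('198.51.100.4 - - [01/Jan/2024:10:00:03 +0000] '
                 '"POST /wp-login.php HTTP/1.1" 302 0')
    lines.append('198.51.100.4 - - [01/Jan/2024:10:00:04 +0000] '
                 '"GET /wp-admin/ HTTP/1.1" 200 5120')
    return lines

if __name__ == "__main__":
    print(summarize(sample_log()))
```

A flagged client with `redirected` set to true is the case to look at first: it made many attempts and at least one of them ended in a redirect, so change that account's password and review its recent activity.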
What you can do to protect yourself from hackers.
There are a few things you can do to keep your WordPress site secure from hackers. I recommend starting them as soon as possible.
- Change your username / account (avoid the “admin” and “administrator” usernames)
- Change your passwords
1. Change Your Username / Account
If your username is still the default “Admin”, I would suggest changing it. Right now. Most of the attacks are happening to accounts using this name. Simply changing it will increase your protection.
Here’s how you do it:
- Log in to your WordPress admin panel using your admin account.
- Select the “users” area from your dashboard sidebar.
- Click on “Add New User”.
- Fill in the form and choose “administrator” in the “Role” drop-down menu. You will need to use a different email address than the one currently linked to your website.
- When finished, click on “Add New User”.
- Log out of WordPress.
- Log in again, this time with your new WordPress admin username.
- Navigate back to the Users area.
- Delete the previous Admin account.
- Next, you will be asked about the articles posted under the previous “admin” username.
- Select the option “attribute all posts and links to:” and select your new username.
- When ready, click “Confirm Deletion”.
It’s important to use common sense when you are choosing your display name. Make sure that it is different than the username. This is important for all users but exceptionally so for those with admin power.
2. Choose a secure password
As you can see, there are only so many combinations in the world. Unfortunately, most people pick the same ones because they are too lazy to make something original. If any of your passwords are on the above list, or on the list of the 25 most common passwords of 2012, change them now.
Your new password should contain:
- Lower and upper case letters
It will also help if your combination is longer than 12 characters. Think of your password like a Rubik’s cube; you want to make it as hard as possible for the botnet army to crack.
If the thought of remembering 12 character passwords makes you cringe, don’t. You can use a password vault so you only have to remember one secure password. Here are a few that will help keep your passwords secure:
I think my site has been compromised. Now what?
The first step is to do a quick scan to see if that’s really the case.
Sucuri offers a free site-scan. It’s not 100% accurate but if your site has been compromised, chances are that Sucuri will be able to tell.
Talk to your hosting company
Not all hosting companies are created equal.
A good hosting company will provide:
- Additional security
- De-hacking help
- Automatic website backup
Those are three of the services that Author Media provides for hosting clients.
If you find out that you have been hacked, call your hosting company. If you cannot get hold of them, or you are self-hosting, call another hosting company (you can call Author Media).
Go through the above steps (changing your passwords!) if you haven’t already.
Hopefully, you will never have to go through the experience of having a hacked website.
It’s your turn. Have you ever been hacked? What do you do to keep your website secure?
Is WordPress Safe?
Yes! WordPress is a very secure content management system. But even the most secure bank can be broken into if the front door is left unlocked.
I’m thinking of changing from Blogger to WordPress, so this is extremely helpful. Thanks.
I’m glad it helped!
Caitlin, it isn’t clear if this applies to all WordPress sites or to either WordPress.com or WordPress.org sites. Could you clarify, please?
This is primarily for WordPress.org but if you have a .com, you will still want to make sure that your password is secure. You don’t have as many options but you can take steps to prevent breaches.
This is helpful. We just spent $300 fixing an almost new computer, so yes, I’m being much more careful about where we click, and our passwords.
I was trying to work through the steps to add a user, but the only option I found was to “Invite New Users” on my Dashboard. How do I work with that?
I sure appreciate all the info you folks share. Thank you!
Is there a way to have a different author title than the username as a hacker only has to guess the password as they just need to look at who is posting for the username?
Hi Graham, indeed there is! All you need to do is go to your WordPress dashboard, click “users” on the left-hand side, and click on the user you want to edit. There will be fields for a first name, last name, and nickname, and under those fields will be a drop-down menu that says, “Display name publicly as”. It will give you several different options based on the username & first/last/nickname fields. We do this for all our sites because it makes it so that people can’t guess the username based on just looking at the post author.
Very nice article on WordPress security. As WordPress is a popular CMS and millions of people are using it (hope I am right lol), there is a general feeling in people that WordPress isn’t secure — what I think is that WordPress is secure, but you have to take specific measures to protect your website from hackers.
When setting up a new WordPress site, I always change wp-admin or wp-login to something else, I always install a captcha plugin to protect my site, I always make files non-editable on WordPress (I edit them via FTP or cPanel), I always change the database prefix from WP_ to something else, I always change the admin name to something else, something very difficult to guess, I always install the Login Attempt plugin, and I make my WordPress passwords very strong.