Wednesday, December 30, 2015

Simple Tips to Protect Your Wordpress Site for Beginners


I'm a Wordpress convert. I made the big switch from my blogspot blog to a self-hosted Wordpress site 4 months ago now, based on reading many articles researching the advantages and disadvantages of blogspot versus Wordpress during my first two years of blogging. I finally decided to make the move as I wanted to begin trying to monetize my blog and turn my hobby blogging into possible part-time income. One of my main concerns with a Wordpress site, though, was the security issues, which kinda freaked me out. Of course, the security of your site is an issue for any site owner. If you are thinking of beginning a Wordpress site, or if you are a Wordpress beginner like me, be sure to research and think about a security plugin to help you. I'm glad I did, as last week I experienced my first brute force attack.


It was early Tuesday morning, really early for me, about 5am, and the email notification on my phone started to ding so many times in under a minute that I knew something wasn't right. I use the alarm on my phone, so it's on my nightstand and usually not a problem. I checked my email and I was getting notification after notification from my security plugin, Wordfence, that an IP address had been locked out after trying to sign in using 'test' as the username. These IP addresses were literally from every corner of the globe. I had to shut my phone off because it just wouldn't stop dinging.

I realized this was a brute force attack trying to access my site through the login username and password. So, what is a brute force attack? In its simplest form, it is an attack to gain access to your site. Basically, they try usernames and passwords over and over again until they are in. They are hoping that your username is 'admin' and your password is '123456'.

I sat pretty nervous for the first couple of hours after I woke up, wondering if I had been hacked. I had installed the Wordfence plugin and hoped that it would work to stall the attack.

Here are some of the things I had done before the attack; I hope these will help you as well if you are on Wordpress.

  • When you set up your account, change your username right away from the default 'admin' to something only you would know. One tip: don't include variations of the name of your blog. Make it unique!
  • Also change the password to your site and make it unique as well, with a combination of words, lowercase and uppercase letters, numbers and symbols.
  • Install a security plugin. There are many plugins for Wordpress sites. Take the time to research which one would be the best fit for your site.
  • Within your plugin there are some more changes you might want to make as well. Note that I'm currently using Wordfence, so the images are based on their plugin.

    If using Wordfence, go to the sidebar, click on Wordfence and then click on Options.


    In the Basic section, make sure to check off Enable Login Security, as this will allow you to set individual options in other sections further down the page.


    In the Alert section you can customize what kind of alerts you would like and how often. Just check the boxes you would like, or uncheck them. I originally had '0' set for how many emails to receive per hour, which is why at 5am my phone wouldn't stop dinging with alerts during the brute force attack. Now I have set it to 10. And if you have more than one administrator who might log in to the account, you might want to uncheck that box so you don't get an alert every time an administrator logs in.


    The next section to make some changes in is Login Security Options. There are a number of areas you can individualize, such as after how many failures to lock out, how many forgotten-password attempts to allow, how long a period to count failures over, and the amount of time the user is locked out. Ever since the brute force attack I have made my login failure limit smaller and I lock them out for 2 days. I chose 2 days so that it would give me some time to investigate what was happening.

    You can also set immediate lockout of invalid usernames such as 'admin' and <yourname>, and I have now included 'test', as that was what was common during the last attack. Also important is not revealing valid users in login errors, and preventing discovery of usernames through author scans. Also prevent someone from registering 'admin' as a username if it doesn't currently exist. (See the check boxes below.)
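    To make the lockout rules above concrete, here is an added example (my own code, not part of Wordfence or this post) that applies a failures-per-window, lockout-duration and banned-username policy to a few constructed login log lines; the threshold values and the log format are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Policy values mirroring the Wordfence options described above; the numbers
# are assumptions chosen for this example, not Wordfence defaults.
MAX_FAILURES = 3                       # lock out after this many failures...
WINDOW = timedelta(minutes=5)          # ...counted over this time period
LOCKOUT = timedelta(days=2)            # how long the address stays locked out
BANNED_USERNAMES = {"admin", "test"}   # lock out these usernames immediately
# Constructed log lines (not real traffic): time, client IP, username, outcome
SAMPLE_LOG = """\
2015-12-22 05:00:01 198.51.100.7 editor FAIL
2015-12-22 05:00:09 198.51.100.7 editor FAIL
2015-12-22 05:00:20 198.51.100.7 editor FAIL
2015-12-22 05:00:31 198.51.100.7 editor OK
2015-12-22 05:01:02 203.0.113.9 test FAIL
2015-12-22 05:30:00 192.0.2.44 editor FAIL
2015-12-22 05:40:00 192.0.2.44 editor FAIL
2015-12-22 05:50:00 192.0.2.44 editor FAIL
2015-12-22 05:50:05 192.0.2.44 editor OK
"""
def parse_line(line):
    date, time, ip, user, outcome = line.split()
    return datetime.fromisoformat(f"{date} {time}"), ip, user, outcome == "OK"

class LoginGuard:
    def __init__(self):
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> time the lockout expires
    def check(self, ts, ip, user, ok):
        """Return 'LOCKED', 'ALLOWED' or 'FAILED' for one login attempt."""
        if ip in self.locked_until and ts < self.locked_until[ip]:
            return "LOCKED"                  # even a correct password is refused
        if user in BANNED_USERNAMES:
            self.locked_until[ip] = ts + LOCKOUT   # instant lockout, no counting
            return "LOCKED"
        if ok:
            self.failures[ip].clear()        # a real login resets the counter
            return "ALLOWED"
        recent = self.failures[ip]
        recent.append(ts)
        while ts - recent[0] > WINDOW:       # forget failures outside the window
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self.locked_until[ip] = ts + LOCKOUT
            return "LOCKED"
        return "FAILED"

def run(log_text):
    guard = LoginGuard()   # decisions for each line, in log order
    return [(ip, user, guard.check(ts, ip, user, ok)) for ts, ip, user, ok in map(parse_line, log_text.splitlines())]
```

    The first address is locked after three quick failures and stays locked even when the right password finally arrives, the second is locked instantly for trying 'test', and the third never locks because its failures fall outside the counting window.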

