If your WordPress site gets more than a few hundred visitors per day, odds are that it is probably under attack right now, or at least it has been attacked within the last hour.
This should scare the hell out of you.
Don’t believe me? Want to see for yourself? I recently found a cool feature in the Wordfence plugin that allows you to see login attempts in real time. Install Wordfence and activate it, then go to Wordfence -> Live Traffic and click the “Logins and Logouts” tab. You’ll see all successful and failed attempts to log into your site. (Just remember to turn this off after you’re done testing – it’s not a big deal but it will slow down your site a bit and add to your database).
If your sites are anything like mine, you will be horrified.
Here is a screenshot of the attempted logins to one of my client’s sites, which gets about 500 legitimate visitors per day:
I should note that I took this screenshot during a very quiet period of malevolent activity for this site. At peak periods, I see attempted logins every few seconds!
So, one thing you can immediately glean from this is that, just like you’ve probably heard before, you should never use “admin” as your WordPress username! If your username is “admin”, change it right now.
I’ve had clients with “admin” username tell me, “well, my password is hard to guess, so it’s OK”. That is crazy! Just imagine that a computer is pinging your site 24 hours a day, 365 days a year trying to guess your password! It never gets tired or bored!
To illustrate another point, here’s a screenshot from one of my sites, called lalindyhop.com, which gets around 200 legitimate visitors per day:
The IP addresses come from a who’s-who of third-world countries. Notice anything about the login name? The second lesson we can learn from this is, never use the name of the site as your login name!!!
How to Protect Your Sites
In addition to never using “admin” or the name of your site as your login name, here are some other easy things to do to protect your site:
- Keep the WordPress core and your plugins and themes up to date! As soon as vulnerabilities are found in WordPress, they are published, so everyone now knows how to hack into sites with older versions of WordPress.
- Use good passwords.
- Use SFTP instead of FTP if possible. (Check with your hosting company. Go Daddy allows SFTP).
- Disallow file editing from the WordPress dashboard. This can be done by adding the following line to your wp-config.php file:
- Use the WordPress secret key generator. No, this doesn’t generate passwords. It generates “salts” to improve encryption. Visit this site and paste the code into your wp-config.php file if you don’t already have it there. Every time you visit the site, it generates different codes.
- Backup your site regularly. VaultPress is a great service that costs only $5 per month. They make daily offsite backups to their servers for the last 30 days.
- Use a security plugin like Wordfence.
When set up properly, Wordfence can:
- Scan for infected files.
- Limit login attempts.
- Block known bad IP addresses.
- Show you when your site is under attack.
Wordfence really is a great security plugin. It’s rated at nearly five stars, which is quite impressive. There is a paid version, but the free version is all I use, and it has everything I need.
There are other steps you can take, but these are the quick and dirty ones. You can get more information at WordPress’ own article, “Hardening WordPress“.
I hope you will check to see if your sites are being attacked by using a plugin like Wordfence or, if you have root access to your server, looking at the log files (mine is located at /var/log/httpd/access_log). Doing so will make you more vigilant about your WordPress site’s security!
How many attacks is your site getting now? Has your site ever been hacked? – Brian