How Vulnerable is Your WordPress Site?

It’s not every day that Forbes, a major media outlet, takes a look at WordPress. The subject: the security of WordPress sites, focusing on what you can do to keep your domain from being broken into. After all, hacking a WordPress site can require nothing more than a user name and password, so let’s see how you can avoid falling victim.

One recommendation from Forbes was to back up your website “often.” How often is completely up to you, but the news site recommended at least one backup a week. Several plug-ins are available to help you back up your site, including UpdraftPlus, which Forbes recommended. Others we found included BackUpWordPress and BackWPup. Some of these cost money and others are free, so check out a few to see which ones best match your needs and your wallet.

Forbes also recommended limiting login attempts rather than allowing unlimited cracks at your user name and password. A plugin called Limit Login Attempts was recommended; it tracks the IP address behind each attempt and blocks further logins from addresses that fail too many times. You can also review the attempts it records and even have them e-mailed to you.

Many computer users never change their obvious default login name, and Forbes warned about exactly that: “Most hackers try to get your password by trying to brute-force your ‘admin’ username. If you change your user name to something else, that will protect your website immediately.” In other words, pick a user name that’s not “admin”. It’s amazing how simple security can be sometimes.

Similarly, use a password that’s not inanely obvious like “password” or “WordPress” or one you’ve used on a bunch of other websites. Try to come up with something original that would give hackers a headache to crack. No, your first name is not original.

One final recommendation was to “limit the IP addresses that are allowed to visit /wp-admin/ section of your website. The easiest way to do so is to block all entry except your own IP address with an htaccess file.”
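Here is what that .htaccess restriction looks like in practice. This is an added example written for this post, not taken from Forbes or from any plugin; it assumes Apache 2.4 syntax and uses the placeholder addresses 203.0.113.10 and 198.51.100.0/24, which you would replace with your own.

```apache
# Placed in /wp-admin/.htaccess (constructed example, Apache 2.4 syntax).
#
# Weak version: the directory is open to everyone, so the only thing
# standing between an attacker and the dashboard is a user name and password.
#   Require all granted
#
# Hardened version: only the listed addresses may reach /wp-admin/.
# Replace the placeholder addresses with the IPs you administer from.
Require ip 203.0.113.10 198.51.100.0/24

# admin-ajax.php lives under /wp-admin/ but is used by themes and plugins for
# anonymous front-end requests. Re-open just that file, or parts of the
# public site will break for every visitor who is not on the list above.
<Files admin-ajax.php>
    Require all granted
</Files>
```

The login form itself (wp-login.php) sits in the site root rather than under /wp-admin/, so a matching `<Files wp-login.php>` block with the same `Require ip` line in the root .htaccess is needed to keep brute-force attempts away from it too; on Apache 2.2 the equivalent directives are `Order deny,allow`, `Deny from all` and `Allow from <address>`.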

We found a number of plugins that provided e-mail alerts when potential security breaches came to light. Take BulletProof Security, for example, which allows you to be notified whenever a user account is locked out, an administrator logs in, and any user logs in. Think about how much control and oversight you’d have if you were e-mailed when any of these actions occurred.

The All In One WordPress Security plugin received rave reviews (113 reviews of five stars out of 119 submitted). According to its site, the plugin “reduces security risk by checking for vulnerabilities and by implementing and enforcing the latest recommended WordPress security practices and techniques. [The] All In One WP Security also uses an unprecedented security points grading system to measure how well you are protecting your site based on the security features you have activated.”

Not protecting your site can yield pretty grave consequences. Take an incident in mid-March that saw 162,000 WordPress sites launch a DDoS attack. Yes, 162,000 WordPress sites were part of the melee. As one observer put it, “Can you see how powerful it can be? One attacker can use thousands of popular and clean WordPress sites to perform their DDoS attack, while being hidden in the shadows, and that all happens with a simple ping back request to the XML-RPC file.” There’s a tool called WordPress DDOS Scanner you can use if you think your site might be at risk.

Users making comments in various articles about the DDoS attack reiterated the dangers of an “admin” user name. Others added that keeping your plugins and add-ons up-to-date is of paramount importance. Changing your password often is also advised.

Check out some of the other WordPress plugins that can help you be a lean, mean WordPress machine.