WordPress Passwords and Brute Force

WordPress Passwords and Brute Force Attacks

In June 2010 WordPress released a new version (3.0) Thelonious that allowed you to modify the username on installation. People being people the majority of people continued to use “admin” as their password. So if you are finding yourself having problems, that might be one of the reasons. There are botnets that check all WordPress sites that try to login with the admin username and common passwords.

Username & Password
So first solution if you are still using admin as the username is to change it, change it, use a strong password, if you’re on WP.com turn on two-factor authentication.

Regular WP Updates
I would also suggest that you are constantly updating to the latest version of WordPress with the latest patches. These two simple changes would mean that you are ahead of more than 99% of websites that use WP and will significantly reduce the likelihood of being hacked.

Regular Automated Backups
Backups have gone from a useful luxury to a critical necessity. It is best to have a regular scheduled backup that you can rely on. It could be something as simple as setting up a cronjob to back up your site onto your local PC or using your local hosting service providers online backup infrastructure.

Regular server scan to check for bots
A Regular scan of your server to check to see if it has been compromised allows you to be proactive rather than reactive to the problems.

To reduce your worries we would suggest regularly checking for updates and organising for it to be done when it would be least disruptive to your visitors.  For these things it is generally best to have a second (development or dev) site where you can check that the updates do not cause compatability issues with your plugins and that the site has not/ does not break.  That way should there be a problem you would not need to roll back the changes (not something that you can always do) or reinstall your last backup.