WordPress Security: First Line of Defence

Once you have set up your WordPress website and published it on the web, it is exposed to attack. Most people don’t realise that automated processes are constantly scanning the web for vulnerable WordPress websites. These scanning “robots” try to get into your “admin” account by guessing the admin password, and most of them are smart about how they do it: they don’t want their IP blocked, so they run a slow dictionary attack, trying a password from a list of words every hour or so.

When you set up your WordPress site there is one thing you always need to do first: create a new admin user and then remove all privileges from the original admin user. So, after installing your WordPress website you log in as “admin”. You now create a new user with a very different user name and give this user admin privileges. You then log out of the original admin account and log in with the newly created admin account. Next, change the password on the original admin account to something so strong that it is very unlikely ever to be guessed by an automated process. To create this password go over to Passly, select a password length of 48 and click generate. This should give you a strong enough password. You don’t have to save this password anywhere, since you are never going to use the original admin account to log in to your website again; it basically becomes a dummy account. Now change the role of the original admin to “No role for this site” and you’re done. You’ve just created your first line of defence.

By leaving the original admin account in place we’ve given potential hackers the “idea” that there is an “admin” account. They will try to hack this account because they assume it is the fully privileged admin, but it isn’t. Even if they were to get past the ridiculously strong password they would find that this account has no privileges whatsoever.

Like I was saying earlier, most people have no idea that these attacks happen. However, I’ve written a WordPress plugin that will send out an email to the website owner whenever a failed login attempt takes place. Simply download and install it and see what happens. It might be that your website is being poked and probed without you even knowing it.
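A minimal plugin of this kind, as an added example rather than the author’s own plugin: it hooks WordPress’s `wp_login_failed` action, throttles alerts to one email per source IP per hour so a dictionary run does not flood the inbox, and flags attempts against the decoy “admin” account from the procedure above. The `FLA_` prefix and the constant holding the decoy user name are assumptions for this example, not WordPress settings.

```php
<?php
/**
 * Plugin Name: Failed Login Alert (example)
 * Description: Emails the site owner when a login attempt fails. Added example, not the author's plugin.
 */

// Name of the decoy account described above (assumed value for this example).
define( 'FLA_DECOY_USER', 'admin' );

/**
 * Runs on every failed login. $username is whatever the client typed and is
 * treated as untrusted input; $error is a WP_Error on WordPress 5.4 and later.
 */
function fla_on_login_failed( $username, $error = null ) {
    $username = sanitize_user( $username, true );
    // REMOTE_ADDR is the direct peer; behind a reverse proxy it may be the proxy, not the client.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( $_SERVER['REMOTE_ADDR'] ) : 'unknown';

    // Throttle: at most one alert per source IP per hour, tracked in a transient.
    $key = 'fla_' . md5( $ip );
    if ( get_transient( $key ) ) {
        return;
    }
    set_transient( $key, 1, HOUR_IN_SECONDS );

    // Highlight attempts on the dummy "admin" account, which should never see a legitimate login.
    $decoy   = ( 0 === strcasecmp( $username, FLA_DECOY_USER ) ) ? ' (decoy admin account targeted)' : '';
    $subject = sprintf( '[%s] Failed login attempt%s', get_bloginfo( 'name' ), $decoy );
    $body    = sprintf(
        "Username tried: %s\nSource IP: %s\nTime (UTC): %s\nReason: %s\n",
        $username,
        $ip,
        gmdate( 'Y-m-d H:i:s' ),
        ( $error instanceof WP_Error ) ? $error->get_error_code() : 'n/a'
    );

    wp_mail( get_option( 'admin_email' ), $subject, $body );
}
add_action( 'wp_login_failed', 'fla_on_login_failed', 10, 2 );
```

Save it as a single file under wp-content/plugins/ and activate it; the site’s configured admin email then receives the alerts.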

This entry was posted in Programming.