More on Security

Posted On: 2013-08-31

Why do they keep on picking on me? That was the question I was asking myself when yet another email arrived this morning to tell me that a WordPress site on one of our servers was under attack from hackers.

If you remember, last week I talked about security issues with WordPress sites too. Last week I had to deal with two WordPress sites that belonged to clients that had been attacked ... one that had withstood the attack and one that had ended up full of some very nasty stuff.

One of those attacks was really just a bunch of script kiddies and I'm not sure who infected the second site but they certainly did a good job of loading it up with their stuff.

This time it was different. This time it was a site that belonged to me and these guys were serious about getting in but I'm serious about security so they didn't make it through the walls I've built around it.

The site under attack was one of those sites that you start building when you have a great idea but never quite get round to finishing it ... or in this case even adding much in the way of content ... so I have no idea what their motives for trying to hack into it were.

But it doesn't really matter what their motives for attacking the site were. What matters is that I was expecting them and made sure that site ... even though it didn't have much in the way of content ... was not an easy one to get into.

It would have been easy to think that no hackers would ever find that site ... and even if they did they wouldn't bother trying to get in ... so I would never have to worry about the site being hacked. Maybe you're thinking that with a gazillion websites out there on the Net hackers aren't going to find yours either but the fact is that sooner rather than later these guys are going to come calling.

Do you really think that they just choose websites at random? Have you ever had a chance to look at all the crawlers that are out there scouring the Net and hitting your websites? There are thousands of them and not all of them are what you would want to have anywhere near your website.

In amongst those thousands of crawlers there will be some that belong to people who are looking for websites that are easily compromised, and a site built on WordPress that uses simple access codes ... including the standard 'admin' for the username ... is like a burglar finding every door and window open on a house he wants to get into.

So if you have WordPress sites with almost nothing in the way of security measures to keep these people out then it's a sure thing that you're going to get hacked. When that happens you're going to waste a lot of time cleaning up the mess and locking down your website, so why not do it right from the start ... or do it now if your WordPress site has been around for a while?

Last week I talked about using Login Lockdown and one of the better captcha plugins to protect your site, and today I'm going to suggest that even that is not going far enough. At the very least you need to go into phpMyAdmin and change the username to something other than 'admin'.

Of course that username is easy to remember but it also makes the job much easier for the hacker. If you're using 'admin' as the username then the hacker is already halfway into your website, so change it ... but don't just change it to another word or group of letters ... add in some numbers and maybe even a character or two, and where you do use letters be sure to mix them up with upper and lower case.
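The WordPress dashboard won't let you edit a username once the account exists, which is why the change has to be made in the database. Here is what that looks like as SQL you could paste into phpMyAdmin's SQL tab. This is an added example and not part of the original post: it assumes the default `wp_` table prefix, that the account to rename is currently called `admin`, and that the new login `k7Tq_siteOwner92` is just a placeholder you would replace with your own mixed-case, digits-and-symbols name.

```sql
-- Added example (not from the original post). Assumes the default WordPress
-- table prefix `wp_`; take a database backup before running the UPDATE.

-- 1. Confirm there is exactly one account still called 'admin'.
SELECT ID, user_login, user_nicename, user_email
FROM wp_users
WHERE user_login = 'admin';

-- 2. Rename it. WordPress derives user_nicename from the login and uses it
--    in the public author-archive URL (/author/<nicename>/), so change that
--    and display_name as well; otherwise the site keeps advertising the old
--    name even though the login itself has changed.
--    'k7Tq_siteOwner92' is a placeholder: mixed case, digits and a symbol.
UPDATE wp_users
SET user_login    = 'k7Tq_siteOwner92',
    user_nicename = 'site-owner',
    display_name  = 'Site Owner'
WHERE user_login = 'admin'
LIMIT 1;

-- 3. Verify no account is left with the default name (expect 0).
SELECT COUNT(*) AS admin_accounts
FROM wp_users
WHERE user_login = 'admin';
```

WordPress only accepts letters, digits, spaces, underscores, hyphens, periods and `@` in a login, so keep any "character or two" you add within that set or you will lock yourself out. After the change, log in once with the new name before closing phpMyAdmin so you can put it back if anything went wrong.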

And it's all very well to have those security measures in place but what if they fail? How will you know if someone has got into one of your WordPress sites if you don't have some alerts in place so that you get notified when someone is trying to break in? How will you know if a security vulnerability is suddenly discovered in WordPress itself or one of the plugins you're using?

There are two WordPress plugins that my partner and I use that will keep you informed. The first is Login Security Solutions ... if your site is under a brute-force or dictionary attack it will notify you and block the attack.

Install that security plugin and you may be surprised at just how often you get an email telling you that someone is trying to get into your website.
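To see why those emails arrive so often, it helps to look at what a login-protection plugin is actually doing: recording every failed login and counting failures per address over a short window. The following is an added example, not code from the original post or from either plugin. It assumes a hypothetical `login_attempts` table (the kind a small mu-plugin hooked to WordPress's `wp_login_failed` and `wp_login` actions could fill); the rows are constructed sample data using documentation IP ranges, and the threshold of five failures in ten minutes is an assumed policy, not a plugin setting.

```sql
-- Added example (not from the original post or either plugin).
-- Hypothetical table a login-logging mu-plugin might maintain.
CREATE TABLE login_attempts (
    id        INT AUTO_INCREMENT PRIMARY KEY,
    attempted DATETIME    NOT NULL,
    ip        VARCHAR(45) NOT NULL,   -- wide enough for an IPv6 address
    username  VARCHAR(60) NOT NULL,   -- the name that was tried, not the real one
    success   TINYINT(1)  NOT NULL    -- 1 = logged in, 0 = failed
);

-- Constructed sample data: one address hammering 'admin' and a couple of
-- guessed names, and one legitimate user who mistyped twice then got in.
INSERT INTO login_attempts (attempted, ip, username, success) VALUES
('2013-08-31 06:00:01', '203.0.113.7',   'admin',         0),
('2013-08-31 06:00:04', '203.0.113.7',   'admin',         0),
('2013-08-31 06:00:07', '203.0.113.7',   'admin',         0),
('2013-08-31 06:00:11', '203.0.113.7',   'administrator', 0),
('2013-08-31 06:00:15', '203.0.113.7',   'admin',         0),
('2013-08-31 06:00:19', '203.0.113.7',   'test',          0),
('2013-08-31 06:03:40', '198.51.100.22', 'site-owner',    0),
('2013-08-31 06:03:55', '198.51.100.22', 'site-owner',    0),
('2013-08-31 06:04:10', '198.51.100.22', 'site-owner',    1);

-- Detection: addresses with 5 or more failures inside a 10-minute window.
-- A fixed reference time is used so the sample runs the same way every time;
-- a live check would use NOW() instead of '2013-08-31 06:10:00'.
-- Expected result: one row, 203.0.113.7 with 6 failures.
SELECT ip,
       COUNT(*)       AS failures,
       MIN(attempted) AS first_seen,
       MAX(attempted) AS last_seen
FROM login_attempts
WHERE success = 0
  AND attempted >= '2013-08-31 06:10:00' - INTERVAL 10 MINUTE
GROUP BY ip
HAVING COUNT(*) >= 5
ORDER BY failures DESC;

-- Which usernames are being guessed? This is the evidence behind renaming
-- 'admin': it tops the list, the real login does not appear at all.
SELECT username, COUNT(*) AS tries
FROM login_attempts
WHERE success = 0
GROUP BY username
ORDER BY tries DESC;
```

The legitimate user at `198.51.100.22` stays below the threshold and is never blocked, which is the balance any lockout rule has to strike: tight enough to stop a script that tries a password every few seconds, loose enough that a real person who fumbles a password isn't shut out. Whatever plugin you use, this per-address count is what its "attack detected" email is reporting.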

The other security plugin that we recommend is Wordfence. This plugin regularly scans your WordPress site for vulnerabilities and it will email you when it finds something that needs your attention.

It also gives you the chance to look at who ... or what ... is accessing your site in real time. That data can be a real eye-opener too, because it lets you sort all those accesses into real people on one side and bots and crawlers on the other, and you will be surprised at just how many bots and crawlers are hitting your site.

So if you're running WordPress sites you really do need to grab those security plugins and get them working for you. And while you're doing that just think of all those WordPress sites out there that have been built ... or are being built ... by people who don't understand how important it is to lock them down.

It's no wonder hackers are out there looking for vulnerable WordPress sites ... there must be millions of them.