Stop Brute Force Attacks On Your WordPress Site

The other day I was getting new user registration emails. I’m like, WTF?! I located the IP addresses and saw that the accounts were being created from other parts of the world. I quickly resolved the problem by following a few security steps in addition to other measures I already had in place. Turned out that the “common” or “standard” security measures I had taken weren’t enough.

Two days later, a client from back in the day called at 11pm, all frantic that his very popular blog site had been hacked: he couldn’t log in, and all of his images and plugins were gone. Once we were able to get into his database, we found that there were over 2500 new user registrations!

Then today, I got a call from another agency that had a client with 4 sites that were currently being hacked, and they asked for my help. They were freakin’ out.

While on the call with the agency, I got an email from a current client that they were getting new user registration emails too.

IS THIS AN EPIDEMIC!?


Under Lock & Key – Keeping Your Blog Secure

Here are a number of good articles online to help deter brute force attacks:
http://codex.wordpress.org/Brute_Force_Attacks
http://www.rackaid.com/blog/wordpress-brute-force/

Here are the steps I suggest; they have curbed the attacks on my site as well as on the clients’ sites I mentioned above:

  1. Change the admin password via the database. You can use an online MD5 generator to create the hash.
  2. In your phpMyAdmin control panel, open the users table and delete every other user that you haven’t approved or created.
  3. If needed, change the admin user name to something other than ‘admin’.
  4. With the username and password changed, you should be able to log into your WP website.
  5. Install and activate the Akismet plugin.
  6. Download and install the All In One WP Security & Firewall plugin. Watch the video on the plugin page.
  7. Configure EVERY stage of the security plugin.
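The database side of steps 1 through 4, written out as MySQL statements you can paste into phpMyAdmin’s SQL tab. This is an added example, not part of the original post, and it assumes the default `wp_` table prefix, that your own account is the one with `ID = 1`, and placeholder values for the new password and login name. It also goes one step further than the post: instead of an online MD5 generator, it lets the database server compute the hash with `MD5()`, so the new password is never pasted into a third-party website. WordPress accepts a plain MD5 value in `user_pass` and re-hashes it with its own stronger scheme the first time you log in.

```sql
-- Added example (not from the original post). Assumptions: 'wp_' table prefix,
-- your legitimate account is ID 1, and the REPLACE-WITH-... strings are placeholders.
-- Take a database backup before running the UPDATE and DELETE statements.

-- Look before you touch: registrations per day shows the spike the post describes,
-- and the second query lists every account that is not yours.
SELECT DATE(user_registered) AS day, COUNT(*) AS new_accounts
FROM wp_users
GROUP BY DATE(user_registered)
ORDER BY day DESC;

SELECT ID, user_login, user_email, user_registered
FROM wp_users
WHERE ID <> 1
ORDER BY user_registered DESC;

-- Step 1: reset the admin password. MD5() runs on the database server, so no
-- online generator is involved. WordPress upgrades the hash on your next login.
UPDATE wp_users
SET user_pass = MD5('REPLACE-WITH-A-LONG-RANDOM-PASSWORD')
WHERE ID = 1;

-- Step 2: remove every account you did not create. Deleting from wp_users alone
-- leaves orphaned rows in wp_usermeta, so clear those as well.
DELETE FROM wp_usermeta WHERE user_id <> 1;
DELETE FROM wp_users    WHERE ID <> 1;

-- Step 3: rename 'admin'. user_nicename is the slug used in author URLs, so
-- change it too; otherwise the old name still leaks through /author/admin/.
UPDATE wp_users
SET user_login    = 'REPLACE-WITH-NEW-LOGIN',
    user_nicename = 'replace-with-new-login'
WHERE ID = 1;

-- Step 4 check: exactly one row should remain, carrying the new login.
SELECT ID, user_login, user_nicename, user_registered FROM wp_users;
```

If the site has more than one legitimate account, replace `<> 1` with `NOT IN (1, 2, ...)` listing every ID you recognise from the second SELECT before running the DELETE statements.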

The All In One WP Security Plugin is very well documented and should be easy to configure. If you would like to hire me to help with a hacked site, feel free to contact me.
