From the security corner of WordPress there has been a lot of buzz about a new bot that is attempting to gain entry to WordPress websites via the default “admin” user. This user account is the default username/login for WordPress. These attacks are not new, nor is this bot particularly new – it, in one form or another, has been around for about 3 years – but it is being used with renewed vigor! So, how do you protect against these attacks? Kismet Design implements a number of security methods to “harden WordPress” against these types of attacks:
1) During installation of WordPress you can choose a different default username than “admin”. We choose unique names that do not fall on the commonly attacked list of usernames:
aaa, adm, admin, admin1, administrator, manager, qwerty, root, support, test, user.
2) When we take over maintenance of a website that has the admin, or another commonly used username, we strongly suggest changing the username. This can only be achieved by modifying the database, which we are quite familiar with doing, or by creating a new administrative-level user account and deleting the default account. When doing the latter, it’s important to make sure the old admin’s posts are attributed to the new account. If this is not done properly, then pages and posts will simply disappear.
3) Strong Passwords! We cannot emphasize enough how important strong passwords are. Using a combination of random upper and lower case letters, numbers, and special characters – at least 8 characters long – will ensure a high level of protection.
4) Brute Force Login Blocker: we implement a security measure that allows a certain number of login attempts (generally 5) before banning the user from logging in for a specified amount of time. Consecutive failed sets of login attempts result in longer bans. For example: failing 5 attempts would result in a 20-minute ban. After this, failing 5 more attempts would result in a 24-hour ban, and so forth.
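The database side of item 2 above, as an added example that is not Kismet Design's own tooling: it uses a constructed, stripped-down copy of WordPress's `wp_users` and `wp_posts` tables in SQLite to show both routes the text describes (renaming `user_login` in place, or creating a new account and moving the posts before deleting the old one) together with the check that catches the mistake the text warns about, posts left pointing at a user ID that no longer exists. The table and column names are WordPress's; the sample rows and the helper function names are assumptions.

```python
import sqlite3

# Constructed, minimal stand-ins for WordPress's wp_users and wp_posts tables.
# Table and column names match WordPress; the real tables have many more columns.
SCHEMA = """
CREATE TABLE wp_users (
    ID         INTEGER PRIMARY KEY,
    user_login TEXT NOT NULL UNIQUE
);
CREATE TABLE wp_posts (
    ID          INTEGER PRIMARY KEY,
    post_author INTEGER NOT NULL,
    post_title  TEXT
);
"""


def sample_db():
    """In-memory site where the default 'admin' account owns two posts (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO wp_users VALUES (?, ?)", [(1, "admin"), (2, "editor")])
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?)",
                     [(10, 1, "Welcome"), (11, 1, "About us"), (12, 2, "News")])
    conn.commit()
    return conn


def orphaned_posts(conn):
    """IDs of posts whose post_author matches no user. These are the posts that
    'simply disappear' from the dashboard after a careless account deletion."""
    rows = conn.execute(
        "SELECT p.ID FROM wp_posts p LEFT JOIN wp_users u ON u.ID = p.post_author "
        "WHERE u.ID IS NULL ORDER BY p.ID").fetchall()
    return [r[0] for r in rows]


def rename_login(conn, old_login, new_login):
    """Route 1: change user_login in place. The user's ID does not change, so
    every post stays attributed. Returns the number of rows changed."""
    with conn:  # commits on success, rolls back on error
        return conn.execute("UPDATE wp_users SET user_login = ? WHERE user_login = ?",
                            (new_login, old_login)).rowcount


def replace_user(conn, old_login, new_login):
    """Route 2: create a new account, move the posts, then delete the old account,
    all in one transaction. Returns (new_id, posts_moved)."""
    with conn:
        row = conn.execute("SELECT ID FROM wp_users WHERE user_login = ?", (old_login,)).fetchone()
        if row is None:
            raise ValueError(f"no user named {old_login!r}")
        old_id = row[0]
        new_id = conn.execute("INSERT INTO wp_users (user_login) VALUES (?)", (new_login,)).lastrowid
        moved = conn.execute("UPDATE wp_posts SET post_author = ? WHERE post_author = ?",
                             (new_id, old_id)).rowcount
        conn.execute("DELETE FROM wp_users WHERE ID = ?", (old_id,))
        # Refuse to commit if anything would be left unattributed.
        if orphaned_posts(conn):
            raise RuntimeError("posts would be orphaned; rolling back")
        return new_id, moved


if __name__ == "__main__":
    db = sample_db()
    print("replaced admin with", replace_user(db, "admin", "site_owner"))
    print("orphaned posts:", orphaned_posts(db))
```

Two caveats when doing this on a real site: the WordPress dashboard's own "Delete user" screen offers an "Attribute all content to" option that performs the reassignment for you, and the real `wp_users` row also carries `user_nicename`, which forms the author archive URL and should be changed along with `user_login`, or the old name stays visible to anyone who looks.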
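The escalating lockout policy of item 4 above, written out as an added example rather than the plugin Kismet Design deploys: five failures trigger a 20-minute ban, the next five a 24-hour ban, and a successful login resets the escalation. The page does not say what happens once the schedule is exhausted, so this code assumes the last duration simply repeats; the class and function names, and the sample client address, are also assumptions. Times are plain seconds so the policy can be replayed deterministically.

```python
from dataclasses import dataclass

MAX_ATTEMPTS = 5                         # failed attempts allowed per set (the page's "generally 5")
BAN_SCHEDULE = [20 * 60, 24 * 60 * 60]   # seconds: 20 minutes, then 24 hours (the page's example)
# Assumption not stated on the page: once the schedule is exhausted, the last
# duration is reused for every further failed set.


@dataclass
class _ClientState:
    failures: int = 0          # failures in the current set
    bans_issued: int = 0       # consecutive bans so far; indexes the schedule
    banned_until: float = 0.0  # absolute time the current ban ends


class LoginLockout:
    """Escalating login lockout keyed by client (e.g. source IP or username)."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, schedule=BAN_SCHEDULE):
        self.max_attempts = max_attempts
        self.schedule = list(schedule)
        self._clients = {}

    def _state(self, key):
        return self._clients.setdefault(key, _ClientState())

    def is_banned(self, key, now):
        return now < self._state(key).banned_until

    def seconds_remaining(self, key, now):
        return max(0, self._state(key).banned_until - now)

    def record_failure(self, key, now):
        """Register one failed login at time `now`.

        Returns the ban length in seconds if this failure completed a set and
        triggered a ban, otherwise 0. Attempts made while a ban is active are
        rejected upstream and must not count toward the next set, otherwise a
        client could be pushed straight into longer bans while already locked out."""
        st = self._state(key)
        if now < st.banned_until:
            return 0
        st.failures += 1
        if st.failures < self.max_attempts:
            return 0
        idx = min(st.bans_issued, len(self.schedule) - 1)  # clamp: last duration repeats
        ban = self.schedule[idx]
        st.bans_issued += 1
        st.failures = 0
        st.banned_until = now + ban
        return ban

    def record_success(self, key):
        """A successful login ends the escalation for this client."""
        self._clients.pop(key, None)


def attempt_login(lockout, key, now, password_ok):
    """Gate one login attempt through the lockout. Returns 'banned' (attempt
    refused without checking credentials), 'ok', 'denied', or 'banned:<seconds>'
    when this failure is the one that triggers a ban."""
    if lockout.is_banned(key, now):
        return "banned"
    if password_ok:
        lockout.record_success(key)
        return "ok"
    ban = lockout.record_failure(key, now)
    return f"banned:{ban}" if ban else "denied"


if __name__ == "__main__":
    lk = LoginLockout()
    ip = "203.0.113.7"  # constructed sample client address
    for t in range(6):
        print(t, attempt_login(lk, ip, t, password_ok=False))
```

Note that `attempt_login` refuses a banned client before the password is even checked, so a correct password submitted during a ban neither logs the user in nor clears the escalation; that is the behaviour a defender wants, since the lockout is there precisely to stop credentials being tested.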
What solutions are the core WordPress developers exploring to resolve this issue? Two-Factor Authentication. Well… what in the world is that?! You have probably seen two-factor authentication if you do any online banking. Some solutions look like: answering secret questions, or being emailed or sent a text containing security codes to verify you are indeed who you say you are. These verification methods are automatically triggered when you log in from a different computer or mobile device.
Can I have Two-Factor Authentication for my WordPress website right now? Yes you can! There are a number of WordPress plugins that tackle this issue with varying options for authentication.
If you need help locking down your website, contact us now for help with WordPress Hardening solutions.