One of the most common methods that hackers use to get into your site is a brute-force attack. A brute-force attack essentially means that hackers are setting up bots to slam your login form, usually with a dictionary of common username/password combinations.
This is not a WordPress problem, but a website problem. WordPress has a reputation for being less secure, but in reality a lot of this is because WordPress is ~16% of the web. That means all of the sites out there with username “admin” and password “bieberfever” aren’t going to last long before they get broken into. And, depending on your host, once one site is broken into it’s not long before others on the same server get broken into as well. The web can be a scary place.
Choose your username wisely
Treat your username like your password: keep it to yourself. If you’re on WordPress, the easiest change you can make is to rename your admin username from “admin” to something unique. We run a lot of high-traffic websites on WordPress and always do our best to secure the login. I thought I’d share some of the most common usernames I see coming through brute-force attacks, so you know not to use them.
Most common usernames I see that bots are using
- moderator (added 6/19/2013)
- manager (added 6/19/2013)
Don’t use a password, use a passphrase
Passwords are easy to hack, really easy. More than likely, if you’re using a one-word password it’s in a dictionary that hackers are using to brute-force their way into sites. Use something long and ridiculous such as: dinosaurfiremoose. You can throw in some numbers and symbols if you’d like. Required reading: http://xkcd.com/936/.
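As an added illustration of why a multi-word passphrase beats a single dictionary word (this is example code, not part of the original post), the script below checks whether a candidate password is itself one entry in an attacker-style word list, generates a random passphrase from a word list with a cryptographically secure chooser, and estimates the entropy of a passphrase given the list size. The word list here is a constructed sixteen-word stand-in; the entropy figures assume words are picked uniformly at random from a list of the stated size (7776 is the size of the classic Diceware list).

```python
import math
import secrets

# Constructed mini word list for the demo. A real generator would draw from a
# list of several thousand words; with only 16 entries the entropy is tiny.
WORDLIST = [
    "dinosaur", "fire", "moose", "kitten", "harbor", "velvet", "copper", "lantern",
    "pickle", "glacier", "saddle", "thunder", "marble", "orbit", "cactus", "window",
]


def is_dictionary_word(password, wordlist):
    """True if the whole password is a single word from the attacker's dictionary.

    Assumes the attacker's dictionary is the same list we are checking against.
    A one-word password like 'dinosaur' falls to a dictionary run in seconds;
    'dinosaurfiremoose' is not a single entry, so a plain word list misses it.
    """
    return password.lower() in set(w.lower() for w in wordlist)


def entropy_bits(word_count, wordlist_size):
    """Entropy in bits of word_count words chosen uniformly from wordlist_size."""
    return word_count * math.log2(wordlist_size)


def generate_passphrase(word_count, wordlist, separator=""):
    """Build a passphrase with secrets.choice (CSPRNG), never the random module."""
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


if __name__ == "__main__":
    print("dinosaur in dictionary:", is_dictionary_word("dinosaur", WORDLIST))
    print("dinosaurfiremoose in dictionary:", is_dictionary_word("dinosaurfiremoose", WORDLIST))
    print("entropy of 1 Diceware word: %.1f bits" % entropy_bits(1, 7776))
    print("entropy of 4 Diceware words: %.1f bits" % entropy_bits(4, 7776))
    print("sample passphrase from the demo list:", generate_passphrase(4, WORDLIST))
```

The point the numbers make is the xkcd one: a single word from a 7776-word list is worth under 13 bits, while four words from the same list are worth nearly 52, and the four-word phrase is still something a person can remember.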
Block the bots
Use a plugin to help secure your login page. Typically these plugins look for several failed login attempts from one IP address in a short amount of time and then slow down or block that address. A burst of failed attempts like that is obviously not coming from a person genuinely trying to log in.
Here are a few plugins that provide this protection:
- iThemes Security (Better WP Security) – http://wordpress.org/plugins/better-wp-security/
- WordFence – http://wordpress.org/plugins/wordfence/
- Login Security Solution – http://wordpress.org/plugins/login-security-solution/
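To show what the plugins above are doing under the hood, here is an added example (not code from the post or from any of the listed plugins) of the same logic run over web server access logs: count failed POSTs to wp-login.php per IP in a sliding window, and lock the address out once it crosses a threshold. The log lines are constructed samples in Apache/nginx combined format with documentation-range addresses. The failure heuristic is an assumption stated in the code: WordPress re-renders the login form with a 200 on a bad password and answers a good one with a 302 redirect, so a 200 on a POST to wp-login.php is treated as a failure.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample traffic: 203.0.113.7 hammers the form, 198.51.100.4 is a
# person who mistypes twice and then logs in (302 redirect to wp-admin).
SAMPLE_LOG = """\
203.0.113.7 - - [19/Jun/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Jun/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jun/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jun/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Jun/2013:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jun/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Jun/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jun/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Jun/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jun/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format line into (ip, timestamp, method, path, status)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


class LoginThrottle:
    """Sliding-window failure counter with a per-IP lockout, like the plugins do."""

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900):
        self.max_failures = max_failures
        self.window = timedelta(seconds=window_seconds)
        self.lockout = timedelta(seconds=lockout_seconds)
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked_until = {}              # ip -> datetime the lockout expires

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        return until is not None and now < until

    def record_failure(self, ip, now):
        q = self.failures[ip]
        q.append(now)
        cutoff = now - self.window
        while q and q[0] < cutoff:          # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.blocked_until[ip] = now + self.lockout
            q.clear()

    def record_success(self, ip):
        self.failures[ip].clear()           # a real login resets the counter


def scan_log(text, throttle=None):
    """Replay login POSTs through the throttle; return who got blocked and how many
    requests would have been refused while a lockout was active."""
    throttle = throttle or LoginThrottle()
    denied = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or not path.startswith("/wp-login.php"):
            continue                        # only login submissions count
        if throttle.is_blocked(ip, ts):
            denied += 1
            continue
        # Assumption: 200 = form re-rendered (bad password), 302 = logged in.
        if status == 200:
            throttle.record_failure(ip, ts)
        elif status == 302:
            throttle.record_success(ip)
    return {"blocked": dict(throttle.blocked_until), "denied": denied}


if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG)
    for ip, until in result["blocked"].items():
        print("blocked %s until %s" % (ip, until.isoformat()))
    print("requests refused during lockout:", result["denied"])
```

With the defaults (5 failures in 5 minutes, 15-minute lockout) the bot address is locked out at its fifth failure and its sixth request is refused, while the person who mistyped twice and then succeeded is never touched. The GET for the form is ignored on purpose, since only submissions say anything about guessing.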