I’d like to thank the hacker with a Ukrainian IP address who tried 10,001 times during 1 hr yesterday to hack into my blog – in the end, though, you did not succeed. There were a mere 20-30,000 other attempted hacks from a range of addresses; in all cases it was one particular page that was the target. As a result, here are some tips for other WordPress users to restrict hackers’ access to your blog.
- Create a new admin account with a random, nonsense login name and a password that is classed as strong. Your main admin account should not be called “admin” or anything similar.
- Ensure you have only one admin account; downgrade all others to something like author or contributor. Also change their passwords after completing this task.
- Install the “Limit Login Attempts Plugin” – this prevents the 10,000 or so logins from occurring and will lock down the admin account if required.
- The admin user should not write content; all content should be by one of the other classes of user.
- Install the Sucuri Sitecheck Scanner Free plugin and scan your blog frequently for malware.
- If you host your blog yourself, you should probably also consider an SSL certificate to ensure logins are not sent unencrypted. Contact your hosting provider for more information. I am also not an expert on installing these.
Prior to the attack I had been using multiple user accounts and also the Sucuri scanner (after a scare last year). Over time I am sure hackers will try again, but I hope the 6 tips above will prove useful in preventing them from doing so. Also, please do a search online for more exhaustive tips, as I am not a WordPress or security expert.