Beware the new blog hacker!
A new WordPress blog has that same smell as a new car.
Any time I install a new blog, I can feel the freshness of it and relish the first post! It’s just like the first paragraph on the first page of a new notebook, but it can quickly turn into a nightmare if you don’t get yourself some basic security early on.
There are bots out there that hunt for brand new blogs (they can probably smell that new car aroma!) and fire off every known vulnerability attack as soon as you’ve published your first post, so here’s a list of basic things that you should consider any time you’re starting a new blog.
Don’t use ADMIN as your admin username
This used to be the default name for every admin account, but spammers, crackers and hackers know this and will set their bots to try different user/pass combos against it to get admin access to your site.
If you’ve got an admin account with the username of admin, then they’re already halfway to hacking your blog: the username is known, so only the password is left to guess.
Solution : Use a unique username when you first set up WordPress
If you’ve already got your admin account with the username of admin, then just add a new user with a different username, set its role to administrator, and then set the old admin account to subscriber or delete it.
Use a non dictionary password!
Never ever ever (ever!) use a word that can be found in a dictionary as your password.
These are the most common passwords in use in 2011/2012. Do you recognize any?
haha, lol at the password ‘bailey’. oh how famous I am
Seriously though, by using a password that is a normal word that can be found in a dictionary you are making it very easy for automated bots to throw every word in a dictionary at your login page and get access. It only takes a few minutes for a bot to try every word in a dictionary against your login form.
Solution : Use a combination of letters, numbers and perhaps special characters as your password.
Use a limit login attempts plugin
I never realized how many bots tried to log in as my admin account until I installed this plugin! I get 2 or 3 emails from this plugin each day to tell me it has blocked someone from my site for trying to log in with the wrong details too many times.
Keep an eye out for too many attempts at logging in with the admin username (see point 1 above) as this is a good indication that a bot is trying to access your blog.
Solution : Install the limit login attempts plugin
Ban the spammers!
When you get a notification that someone has been blocked for trying to access your admin account, or has failed to log in as admin too many times, then you should consider banning their IP address entirely.
There are multiple ways to do this, but the easiest is to install a plugin called WP Ban.
You should be careful not to ban yourself! The plugin page will show you your own IP address so you don’t make this mistake.
Solution : Install the WP Ban plugin and ban anyone who gets blocked for trying to log in as admin
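As an added example (not code from this post or from either plugin), here is a small Python detector that applies the idea behind points 3 and 4 to constructed failed-login log lines: it counts failures per IP address inside a sliding time window, flags the address once it reaches the retry limit, and records whether the admin username was tried, which is the signal point 1 tells you to watch for. The log line format, the retry limit of 4 and the 10 minute window are assumptions made for this example.

```python
"""Sliding-window failed-login detector (added example, not from the post).

Input lines (assumed format, constructed for this example):
    <ISO timestamp> login_failed user=<name> ip=<addr>
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) login_failed user=(\S+) ip=(\S+)$")

# Constructed sample: one bot hammering "admin", one real user mistyping once.
SAMPLE_LOG = """\
2012-03-01T10:00:01 login_failed user=admin ip=203.0.113.5
2012-03-01T10:00:03 login_failed user=admin ip=203.0.113.5
2012-03-01T10:00:04 login_failed user=editor ip=198.51.100.7
2012-03-01T10:00:06 login_failed user=admin ip=203.0.113.5
2012-03-01T10:00:09 login_failed user=admin ip=203.0.113.5
2012-03-01T10:45:00 login_failed user=admin ip=203.0.113.5
"""


def parse(line):
    """Return (timestamp, username, ip) or None for a line that is not a failure record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, ip = m.groups()
    return datetime.fromisoformat(ts), user, ip


def lockout_candidates(log_text, max_retries=4, window_seconds=600):
    """Return {ip: (failures_in_window, tried_admin)} for every IP that reached
    max_retries failures inside a window_seconds sliding window.  The limit and
    window are assumed values, not the plugin's own defaults."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)      # ip -> timestamps still inside the window
    tried_admin = defaultdict(bool)  # ip -> has this address tried "admin"?
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue                 # skip anything that is not a failed login
        ts, user, ip = parsed
        attempts = recent[ip]
        attempts.append(ts)
        while attempts and ts - attempts[0] > window:
            attempts.popleft()       # forget attempts older than the window
        if user == "admin":
            tried_admin[ip] = True
        if len(attempts) >= max_retries:
            flagged[ip] = (len(attempts), tried_admin[ip])
    return flagged
```

Anything in the returned dictionary is a candidate for the ban list; the `tried_admin` flag singles out the addresses that were probing for the default username.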
So these are the simple things that I always make sure I have done or installed on any new site that I create. Once you install the limit login attempts plugin, you will start to realize just how many attempts are made to break down your WordPress door!
Don’t have nightmares!