Protecting websites from hackers
Just before Christmas a “massive distributed brute force attack” by hackers targeting WordPress websites across the world took place.
The broad-based attack was described by WordPress security experts Wordfence as “the most aggressive campaign we have seen to date” and was at one time generating 14 million attacks per hour.
In order to increase the security of your website – which is built on WordPress, as are around 25% of sites around the world – we immediately installed the free version of the Wordfence security plugin. Even in its free version, this plugin has a firewall that prevents brute force attacks, sends alerts about security issues and sends notifications about unauthorised login attempts. If you access your site’s control panel, you may have seen the information panels on the dashboard.
The plugin has subsequently proved invaluable, showing that one or two of the sites we host were subject to unauthorised login attempts using the ‘admin’ username. None of our sites were compromised and most haven’t been targeted.
Using ‘admin’ as a username is very insecure, as it’s commonly used and therefore easily guessed by hackers. As the username comprises 50% of the login security, we never use ‘admin’ – and if you are setting up new users on your site, you shouldn’t either.
These sorts of hacking attacks aren’t looking for specific information. They’re looking for weaknesses that allow the attackers to use the site in various ways, often connected with crypto-currencies such as Bitcoin.
Weaknesses are sometimes found in out-of-date software. However, unlike many web hosts, at Big Red Web Design we update all plugins, themes and core WordPress software for you – often on a daily basis – to ensure that any vulnerabilities are plugged as soon as possible to keep things safe.