WordPress under attack: Securing your administration area

Let’s now go step by step through the process of securing your website. We will suggest some plugins for each step, but you can always choose your own plugins to carry out each hardening step.

Administration username and password

Let’s start with the simple things. First, your administrator’s username should not be the same as the name shown on the front end of WordPress. When you publish something on WordPress, a blog post for instance, the author’s name is rendered for visitors to see. This should not be the actual username of that user. WordPress lets each user have a public display name that differs from the login name, and the two should be different.

Your administrator’s username should not, for quite obvious reasons, be “admin”, “administrator”, “root”, “master” or any other common username. Use something different and more complex. Don’t use your first name, such as “John” or “David”, as those are commonly tried usernames in brute force attacks too. Also, do not use the same admin username for all of your WordPress websites; in that case, if one is found, all of your sites are exposed.

Your administrative password should be complex and very hard to guess too. Passwords like 12345, “admin”, “access” or “password” are not acceptable these days. New versions of WordPress do not allow you to set up and use weak passwords, and they generate long, complex passwords for you, so this is now built into WordPress. Your password should be at least 8 characters long and contain numbers, symbols, lowercase letters, capital letters and ideally special characters. If you set up a password that you can easily remember, it is almost certainly a weak one.

Your password should not be kept unchanged for a long period of time either. You should change your admin password regularly; how regularly is up to you, but in general a password that has been kept the same for 3 years may well have become a weak one in the meantime.

You can easily change your password in WordPress via the wp-admin area by navigating to Users, selecting your user and then clicking “Generate new password” on the native WordPress user details form.

Administration login url

All default WordPress websites on the web share the same default login URLs, which are /wp-login.php, /wp-admin, /login etc. Since these are the same for every WordPress website, attackers know them too. It is a smart move to rename these URLs to something that is not easy to guess. For instance, if your site is called X, your default WordPress admin URL is x/wp-admin; how about renaming it to something like x/X6o6j7MF83g528j?

This is not an easy URL to guess. To do this you can use popular WordPress security plugins such as iThemes Security or All In One Security, or other small plugins found under keywords like “rename login url” or “rename admin url”. Keep in mind that if you change this URL and then forget it, it will not be easy to reach your back end, as you will have fallen into the trap you set yourself (but you can disable the plugin that renames your login URL via your web server’s file manager and temporarily regain access through the default login URL).

Do not, though, use the same renamed login URL for all of your WordPress websites. At some point even this URL can be discovered in various ways, and if it is the same across all of your websites, all of them are exposed at once.
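The username, password and login URL rules from the two sections above can be checked on your own sites with a small audit script. The following Python is an added example, not code from the article or from any WordPress plugin; it assumes user records shaped like the output of `wp user list --format=json` (fields user_login, display_name and roles), uses a constructed sample of two sites, and generates a distinct random login slug per site as the article recommends.

```python
import re
import secrets
from collections import defaultdict

# Usernames that brute-force tools try first. This list is constructed for the
# example from the names the article mentions plus a few obvious additions.
COMMON_LOGINS = {"admin", "administrator", "root", "master", "user", "test",
                 "john", "david", "wordpress", "wp"}

# Constructed sample data: one list of user records per site, in the shape
# WP-CLI's `wp user list --format=json` produces. Not real sites or users.
SITES = {
    "example-one.test": [
        {"user_login": "admin", "display_name": "admin", "roles": "administrator"},
        {"user_login": "editor_jane", "display_name": "Jane", "roles": "editor"},
    ],
    "example-two.test": [
        {"user_login": "admin", "display_name": "Site Owner", "roles": "administrator"},
        {"user_login": "k9x_ops_7", "display_name": "Ops Team", "roles": "administrator"},
    ],
}


def audit_users(sites):
    """Return (site, user_login, finding) tuples for the username rules in the article."""
    findings = []
    admin_sites = defaultdict(set)  # login -> sites where that login is an administrator
    for site, users in sites.items():
        for u in users:
            login = u["user_login"]
            # Rule 1: the public display name must not reveal the login name.
            if u["display_name"].strip().lower() == login.lower():
                findings.append((site, login, "display name equals login name"))
            # Rule 2: no admin/root/first-name style usernames.
            if login.lower() in COMMON_LOGINS:
                findings.append((site, login, "common username"))
            if "administrator" in u["roles"].split(","):
                admin_sites[login].add(site)
    # Rule 3: an administrator login must not be shared across several sites.
    for login, where in admin_sites.items():
        if len(where) > 1:
            for site in sorted(where):
                findings.append((site, login, "admin username reused across sites"))
    return findings


def password_meets_policy(pw, min_len=8):
    """Minimum from the article: 8+ chars with lowercase, uppercase, a digit and a symbol."""
    return (len(pw) >= min_len
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def login_slugs(sites, nbytes=12):
    """One random, hard-to-guess login path segment per site, never reused between sites."""
    slugs, used = {}, set()
    for site in sites:
        slug = secrets.token_urlsafe(nbytes)
        while slug in used:  # collision is astronomically unlikely, but keep the guarantee explicit
            slug = secrets.token_urlsafe(nbytes)
        used.add(slug)
        slugs[site] = slug  # feed this into whichever rename-login plugin you use
    return slugs


if __name__ == "__main__":
    for site, login, finding in audit_users(SITES):
        print(f"{site}: {login}: {finding}")
    for site, slug in login_slugs(SITES).items():
        print(f"{site}: suggested login path /{slug}")
```

Run it against your own export by replacing SITES with the parsed JSON from WP-CLI for each site; any line reporting “admin username reused across sites” or “display name equals login name” is a change to make before worrying about plugins.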
