Other than running an old version of WordPress or poorly coded, out-of-date (or outright malicious) themes and plugins, the most common way a site gets hacked is a brute force attack. These attacks use software built specifically to crack your password by guessing it over and over again, and the software reports success as soon as one of its guesses is accepted. Your entire site may then be exposed to malicious activity, depending on the permissions of the compromised account. If it is an administrator account, the hacker has complete access to upload, download and view information about all of your users.
This alone would allow the hacker to corrupt your files, destroying your site and leaving you and all of your users open to identity theft, or even to lock you out of your own site.
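As an added example (not from the original post), here is what the attack described above looks like in a web server's access log: constructed Apache-style lines are scanned for bursts of failed POSTs to wp-login.php from one address, a simple detection a site owner can run over real logs. The IP addresses, timestamps and the five-per-minute threshold are made up for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample Apache access-log lines (not real traffic). Six rapid POSTs to wp-login.php
# from 203.0.113.7 that all get HTTP 200 are the brute-force signature; 198.51.100.4 is a normal user.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3985
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3985
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3985
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3985
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3985
203.0.113.7 - - [10/Oct/2023:13:55:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3985
198.51.100.4 - - [10/Oct/2023:13:56:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3985
198.51.100.4 - - [10/Oct/2023:13:56:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3985
198.51.100.4 - - [10/Oct/2023:13:56:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def find_bruteforce_sources(log_text, threshold=5, window=timedelta(minutes=1)):
    """Map each IP that made at least `threshold` failed wp-login.php POSTs inside any
    `window` to the largest such burst seen. Assumes lines are in chronological order."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failed POSTs
    peak = defaultdict(int)       # ip -> largest burst seen inside one window
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        # A failed WordPress login re-renders the form with 200; a success redirects with 302.
        if method != "POST" or not path.startswith("/wp-login.php") or status != 200:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # slide the window forward, dropping old attempts
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}
```

Addresses flagged this way are candidates for rate limiting or blocking at the firewall or login plugin; the ordinary user who mistyped once is left alone.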
How do You Defend Against Brute Force Attacks?
Firstly, make sure each user on your site creates a unique username when installing WordPress. If the installation is left to a script or some sort of automatic installer, the website's administrator will typically be given the username admin. It is highly recommended that you remove this username from your site completely. To access the WordPress dashboard you need to enter a matching username and password. If you leave admin as a username you are basically handing password-cracking software the first piece of a two-part puzzle, as admin is the most common WordPress username. When choosing a username, it's best not to use your name, your business's name or any part of your web address. These are dead giveaways – make your username unique!
Secondly, it's important to create a secure password. Passwords like "letmein", "pa$$word" (using dollar signs for the SS), your username backwards or a date of birth, even when followed by a number, are among the most common passwords people use. For the most secure password, use a password generator. Password generators create passwords by randomly selecting letters, numbers and symbols, a combination that makes your password much harder to crack. If you struggle to keep track of your passwords, it may be worth looking into purchasing password generator and storage software like 1Password. Another great solution is creating a passphrase instead of using a single word. A passphrase is a few small words, such as "CorrectHorseBatteryStaple". Mixing capital letters, lowercase letters and symbols into a long passphrase will do much to ward off password crackers. Another measure you could try is setting up two-factor authentication with a plugin such as Google Authenticator. The plugin works by sending a unique code to your Android, iPhone or BlackBerry device. Each code expires after a short time, and because your site is directly linked to your mobile device, you are the only person who should be able to retrieve a code for each login.
And finally, if you have other users connected to your WordPress site, only grant them permission to access exactly what they need from the backend. Take advantage of the varying user permission settings WordPress makes available. You can access user permissions under Users -> Settings in the WordPress admin sidebar. These five measures alone, when managed properly, will help secure your website. From this point on we will look at other ways to take your security to the next level.