WordPress is the world’s most popular blogging platform. At last count there were 77 million blogs using it across the globe and the World Wide Web (http://en.wordpress.com/stats/). Approximately half or, 38.5 million blogs are self hosted or run by a WordPress administrator who must make sure that the blog is secure at all times.
Guess what? Usually that person is you or me and we didn’t even know that the world’s most popular blogging program was vulnerable to hackers. Here’s how to fix the top 3 WordPress blog vulnerabilities that you never knew you had!
Blog Vulnerability # 1 : The standard or default administrator user setting or admin for short
The problem is that all standard; out of the box WordPress installations are set up with an administrator user account whose username is admin. This is one of the first places that hackers attempt to gain access into your account using the admin username and passwords that they guess or use a program to figure out.
The way to fix this vulnerability is to log into WordPress and create a new user with an unpredictable username. Give administrator privileges to this new user that you just created, and then delete the account named admin.
Now a hacker has to figure out both the username and password to gain access to your blog which is much less likely to happen.
Blog Vulnerability # 2: Brute-Force Login Attacks
The problem is that hackers like to use programs or automated scripts that do the dirty work for them. A brute force attack is often done at the same time as a username and password probe. These programs make thousands of log-in attempts into your WordPress administration page by using millions of combinations of usernames and passwords. This is bad because it slows down your blog for your readers and if the hackers are successful, it gives them total control of your blog.
The way to fix this is to start by always using complex usernames and passwords as described above. These attacks usually try combinations of dictionary words and numbers. An even more effective defense is to install one of the WordPress plugins that allows you set a login limit. For example, a login limit of 10 login attempts every 5 minutes could be set up to limit or not allow login attempts for 1 or more hours.
Blog Vulnerability # 3: Easy Access to Critical Files
The problem is that standard WordPress installations contain numerous files which you don’t want hackers to have access to. Files such as the WordPress configuration file, installation file, and/or the readme file must always be kept private.
The way to fix this is to prevent hackers from adding or injecting commands into the .htaccess file. Is to remove or delete the readme and license text files which should be deleted after any new update or installation of WordPress.
These 3 strategies are the quickest and most common WordPress security fixes that I have encountered. If you are unsure of how to do any of the above fixes contact an experienced WordPress Security Expert. As with any type of security, defending WordPress is an ongoing process that includes awareness of any new threats and specific information about changes to your blog’s operating environment.