Every couple of days, I get an email from my blog alerting me that the zombie hackers are at it again. They’re trying to break into my WordPress blog so they can infect it or steal any financial or personal information they find.
But I’ve taken a few steps to limit their access, and if you’ve got a blog, WordPress or otherwise, you should take these five steps to protect yourself from hackers.
1. Change the Admin Account
- Delete the Admin account. WAIT!! Don’t go do it yet. First, set up a new administrator-level account under a different name (a variation of your own name works). Log in as that new account and confirm it really is an administrator, then delete the old “admin” account. When WordPress asks what to do with admin’s content, choose “Attribute all content to” your new account; otherwise the posts are deleted along with the user. The hackers’ automated systems will keep hammering “admin” even though it no longer exists, and every one of those attempts now fails before a password is even checked. One caveat: renaming stops dumb bots, not patient ones. WordPress reveals login names through author archives (a request for /?author=1 redirects to /author/username/), so don’t treat the new name as a secret; the password and the login throttling below are what actually keep the account out of reach.
- Change Admin’s role to subscriber-level. Again, set up your own administrator account first. Demoting “admin” to Subscriber means that even if someone guesses its password, the account can’t install plugins, edit themes, or change anything. It is still a foothold, though: the attacker can log in, and a bug in some plugin may one day hand a logged-in user more than it should. The best, most thorough option is deleting the Admin account completely.
“Test” is another name I’m seeing a lot of in my email alerts, so don’t set up an admin account with that name either, and skip other obvious picks like “administrator” or the name of the site.
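Here is the whole of step 1 as a script, an example added to this post rather than anything from the original, written to run under WP-CLI from the site root (wp eval-file replace-admin.php). The new login name and e-mail address are placeholders; substitute your own. It assumes a single-site install.

```php
<?php
// replace-admin.php: create a replacement administrator, then delete "admin".
// Added example (not from the post). Run with: wp eval-file replace-admin.php
// Assumes a single-site install; on multisite use wpmu_delete_user() instead.

require_once ABSPATH . 'wp-admin/includes/user.php'; // defines wp_delete_user()

$old_login = 'admin';
$new_login = 'lisa_m_writes';    // placeholder: a variation on your name, never "admin" or "test"
$new_email = 'you@example.com';  // placeholder

$old = get_user_by( 'login', $old_login );
if ( ! $old ) {
    WP_CLI::success( "No '$old_login' account exists; nothing to do." );
    return;
}
if ( username_exists( $new_login ) ) {
    WP_CLI::error( "'$new_login' already exists; choose another name." ); // exits
}

// Step 1: create the replacement first, with a long random password you
// store in your password vault (the "mash the keys" option, done properly).
$pass   = wp_generate_password( 32, true, true );
$new_id = wp_create_user( $new_login, $pass, $new_email );
if ( is_wp_error( $new_id ) ) {
    WP_CLI::error( $new_id->get_error_message() );
}
( new WP_User( $new_id ) )->set_role( 'administrator' );

// Step 2: prove the new account can administer the site before touching the old one.
if ( ! user_can( $new_id, 'manage_options' ) ) {
    WP_CLI::error( 'Replacement account did not get the administrator role; aborting.' );
}

// Step 3: delete "admin". The second argument reassigns its posts and links to
// the new account; without it WordPress deletes that content along with the user.
wp_delete_user( $old->ID, $new_id );

// If you would rather keep the account around but powerless, run this instead of
// the delete above:  $old->set_role( 'subscriber' );

WP_CLI::success( "Replaced '$old_login' with '$new_login'." );
WP_CLI::log( "Password for '$new_login' (copy it into your vault now): $pass" );
```

Bots that were walking /?author=1 will now get a 404 for that ID, but the new account has an author archive of its own under its new ID, so treat the rename as a speed bump rather than a secret.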
2. Change your Password
Hopefully you’re no longer doing things like using “password” or your dog’s name as your password. But even if you’re using variations like “p@ssword” or “#enry,” those won’t work either. Cracking tools take every word in a dictionary and run it through a list of mangling rules, and substituting @ for A, 0 for O, or tacking a 1 on the end are the very first rules on that list, so a mangled dictionary word costs an attacker only a few times more guesses than the plain word.
Instead, pick longer multi-word passphrases like “ILeftMyHeartInSanFrancisco” or “ILikeNewYorkInJuneHowAboutYou.” Even though these don’t use the special symbols we were told to use a few years ago, length does far more for you than symbols: every extra word multiplies the number of guesses needed. One caveat: famous song titles, quotes and lyrics are exactly what crackers’ phrase lists are built from, so choose words that aren’t a quotation anyone would recognize. Better still, let a password vault generate a long random password for you (truly random, not keys mashed by hand, which is less random than it feels) and store it in the vault; that is the strongest option, and it also means the blog password is never reused anywhere else.
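To see why the substitutions don’t help, here is a toy version of what a cracking tool does, added as an example for this post (it is not a real cracker; the word and phrase lists are tiny and constructed). It undoes the usual character swaps, checks whether what is left is a dictionary word or a known title, and then compares the size of the guess space for each strategy.

```php
<?php
// Added example: how a cracker's mangling rules undo "clever" substitutions.
// Constructed lists; a real run uses millions of words and phrases.

$wordlist   = [ 'password', 'henry', 'rover', 'welcome', 'summer' ];
$phraselist = [ 'i left my heart in san francisco', 'i like new york in june how about you' ];

// Reverse of the substitutions people make: @->a, 0->o, 3->e, $->s, 1/!->i, #->h, 7->t, 4->a.
function deleet( string $s ): string {
    static $map = [ '@' => 'a', '0' => 'o', '3' => 'e', '$' => 's', '1' => 'i',
                    '!' => 'i', '#' => 'h', '7' => 't', '4' => 'a' ];
    return strtolower( strtr( $s, $map ) );
}

// A dictionary word with swapped characters and/or a trailing digit or symbol.
function is_mangled_word( string $pw, array $wordlist ): bool {
    $base = deleet( rtrim( $pw, '0123456789!?.' ) ); // strip the "Rover!" / "Summer2012" suffix first
    return in_array( $base, $wordlist, true );
}

// A famous title or lyric, with the spaces removed and any capitalisation.
function is_known_phrase( string $pw, array $phraselist ): bool {
    $norm = deleet( $pw );
    foreach ( $phraselist as $phrase ) {
        if ( $norm === str_replace( ' ', '', $phrase ) ) {
            return true;
        }
    }
    return false;
}

$tests = [ 'p@ssword', 'P@$$w0rd1', '#enry', 'R0ver!', 'ILeftMyHeartInSanFrancisco',
           'purple-tractor-hymn-velvet-sorting' ];
foreach ( $tests as $pw ) {
    $verdict = is_mangled_word( $pw, $wordlist ) ? 'mangled dictionary word'
             : ( is_known_phrase( $pw, $phraselist ) ? 'known phrase' : 'not in these lists' );
    printf( "%-36s %s\n", $pw, $verdict );
}

// Rough guess-space sizes (log2 = "bits"): a 100,000-word dictionary times 1,000
// mangling rules; a 5-word phrase drawn from a 7,776-word list; 16 random printable characters.
$spaces = [
    'dictionary word + mangling rules' => 100000 * 1000,
    '5 random words (7776-word list)'  => 7776 ** 5,
    '16 random printable characters'   => 95 ** 16,
];
foreach ( $spaces as $label => $n ) {
    printf( "%-36s ~%.0f bits\n", $label, log( $n, 2 ) );
}
```

The first four test passwords all collapse to a word in the five-entry list, and the song title matches the phrase list as soon as spacing and case are normalised; only the made-up five-word string survives, and the bit counts at the end show why a few random words beat any amount of symbol-swapping.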
3. Delete Subscribers (WordPress)
One trick you can use to reduce comment spam is to allow only registered users (subscribers) to leave comments, the “Users must be registered and logged in to comment” setting. In order to do that, the spammers have to subscribe to the blog before they can leave a spam-laden comment. And since registration is easy to automate, that’s exactly what they do.
However, I don’t require commenters to register (more on that in a moment). I let Akismet catch most of the comment spam and let the real humans leave real comments. Instead, I moderate comments, and I check everything Akismet lets pass before I publish it, because Akismet is about 99% accurate. I just have to monitor the other 1% myself.
But even though I don’t require registration to comment, spammers still subscribe to my blog, and I’ll have a couple thousand of them every few weeks or so. I go through and delete them whenever I have a few free minutes.
Now, the danger is that a real commenter may actually have subscribed, and I will, completely unintentionally and accidentally, delete them and their comment, because I’m not reviewing every single subscriber first. This is why I don’t require commenters to subscribe. Otherwise I’d have no comments at all. (So, if you’re a real person and you want to leave a comment, DON’T SUBSCRIBE!)
Note: If you do this, make sure you click the Subscriber link at the top of the Users list each time you delete a batch, so the list shows only that role. Otherwise you might actually delete yourself or another admin. Also, set the number of users that show on one page (under Screen Options) to about 350. That’s about as many as you can delete in one go without causing an error. And if you don’t need subscribers at all, stop the flood at the source: untick “Anyone can register” under Settings > General > Membership and the spam accounts stop appearing.
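The batch cleanup from step 3, with the check that keeps real commenters safe, as an example added to this post (it is not the author’s procedure, which is done by hand in the Users screen). It runs under WP-CLI with wp eval-file prune-subscribers.php, keeps the 350-per-batch limit from the note above, and assumes a single-site install.

```php
<?php
// prune-subscribers.php: delete subscriber accounts that have never posted or
// commented, 350 at a time. Added example (not from the post).
// Run with: wp eval-file prune-subscribers.php   (single-site; multisite uses wpmu_delete_user)

require_once ABSPATH . 'wp-admin/includes/user.php'; // wp_delete_user()

// Close the door first: no open registration (Settings > General > Membership).
update_option( 'users_can_register', 0 );

$batch_size = 350; // the per-page count the post found safe for bulk deletes
$keep       = [];  // IDs we decided to keep, excluded from later pages
$deleted    = 0;

do {
    $ids = get_users( [
        'role'    => 'subscriber', // only this role: administrators are never returned
        'exclude' => $keep,
        'number'  => $batch_size,
        'fields'  => 'ID',
    ] );

    foreach ( $ids as $id ) {
        $id   = (int) $id;
        $user = get_userdata( $id );

        // Belt and braces: never delete the running account or anyone who can write.
        if ( ! $user || $id === get_current_user_id() || user_can( $id, 'edit_posts' ) ) {
            $keep[] = $id;
            continue;
        }

        // A real commenter may have commented while logged in (user_id set) or,
        // earlier, as a guest under the same e-mail address (user_id 0), so check both.
        $comments = (int) get_comments( [ 'user_id' => $id, 'count' => true, 'status' => 'all' ] )
                  + (int) get_comments( [ 'author_email' => $user->user_email, 'count' => true, 'status' => 'all' ] );
        if ( $comments > 0 || (int) count_user_posts( $id ) > 0 ) {
            $keep[] = $id;
            continue;
        }

        wp_delete_user( $id ); // nothing to reassign: the account owns no content
        $deleted++;
    }
} while ( count( $ids ) === $batch_size );

WP_CLI::success( "Deleted $deleted spam subscribers; kept " . count( $keep ) . " accounts with activity." );
```

Querying by role and excluding the accounts you keep is what makes the paging safe: the loop never sees administrators, and a kept account is not rescanned on the next page, so it terminates as soon as a page comes back short.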
4. Install Limit Login Attempts Plugin (WordPress)
Limit Login Attempts (LLA) is a great plugin for any WordPress owner. It limits the number of times an IP address can fail to log in before it’s locked out. You set how many unsuccessful attempts to allow before the lockout and how long the lockout lasts. Then, once an IP address reaches a set number of lockouts, it is blocked for a longer period. One caveat: if your site sits behind a reverse proxy or CDN, every visitor arrives from the proxy’s address, so set LLA’s site connection option to match (it has a setting for exactly this); otherwise one bot can get everybody, including you, locked out.
For example, mine is set so that three unsuccessful attempts lead to a 24-hour lockout, and four lockouts lead to a 96-hour block. I’ve also set LLA to email me after the fourth lockout. Most of these attempts have synced up over the past several months, so I get a new round of emails every four days (today was the day, which made me decide to write this post).
5. Install WP-Ban Plugin (WordPress)
If you do find an IP address that’s managed to guess your user name, or see one that keeps trying to log in a few dozen times, it may only be a matter of time before they get in. (If nothing else, the one that’s tried a few dozen times is a bot that just keeps knocking on the door, coming back whenever it can to see if it’s unlocked.) To fight this, I installed the WP-Ban plugin on my WordPress blog, as well as on my clients’ blogs, and I use it to block the most persistent IP addresses.
Unfortunately, it’s a Sisyphean task, since the IP addresses are constantly changing. I always block the IP addresses that manage to figure out my user name, and I block the ones that have been hit with a 96-hour lockout more than three times. I can find them by looking at the IP addresses that were locked out by the LLA plugin, because its log shows the user name they tried and the number of attempts. There are a couple of IP addresses that have seen the Ban message 1,811 and 1,421 times, so it is worth it to ban them. Do check an address before you ban it, though: a bot sitting behind a shared or rotating address can take real readers with it when it goes.
Blog security is an ongoing issue. For every hole they find, we find a fix. For every fix we find, they find a workaround. Today, these are the five things I rely on to keep hackers out of my blog. What other solutions do you use? Do you have any tricks? What about for non-WordPress blogs? Leave a comment and let me know what works well for you.
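Steps 4 and 5 together, as a minimal must-use plugin added here for illustration. It is not the code of Limit Login Attempts or WP-Ban, just the same policy (three failures, 24-hour lockout, four lockouts, 96-hour block) plus a ban list, built from WordPress’s own hooks so you can see what those plugins are doing. The banned addresses are placeholders from the documentation ranges, the lockout state lives in transients, and the LT_TRUSTED_PROXY constant is an assumption you would define in wp-config.php only if your site really is behind a proxy you control.

```php
<?php
/**
 * Plugin Name: Login throttle and ban list (illustrative)
 * Drop this file into wp-content/mu-plugins/ to activate it.
 * Added example; not the Limit Login Attempts or WP-Ban plugin code.
 */

// Policy from the post: 3 failures -> 24 h lockout; 4 lockouts -> 96 h block.
const LT_MAX_FAILURES    = 3;
const LT_LOCKOUT_SECONDS = 24 * HOUR_IN_SECONDS;
const LT_MAX_LOCKOUTS    = 4;
const LT_BLOCK_SECONDS   = 96 * HOUR_IN_SECONDS;

// Hand-maintained ban list (WP-Ban's job). Placeholder documentation addresses; IPv4 only.
const LT_BANNED = [ '203.0.113.7', '198.51.100.0/24' ];

// REMOTE_ADDR is the TCP peer and cannot be forged by the client. X-Forwarded-For can,
// so it is honoured only when the peer is a proxy you control (LT_TRUSTED_PROXY, set in
// wp-config.php). Get this wrong and one bot can lock out every visitor, or evade you.
function lt_client_ip(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    if ( defined( 'LT_TRUSTED_PROXY' ) && $ip === LT_TRUSTED_PROXY && ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
        $ip = trim( explode( ',', $_SERVER['HTTP_X_FORWARDED_FOR'] )[0] ); // leftmost = original client
    }
    return $ip;
}

// Match a single address or an IPv4 CIDR range.
function lt_ip_matches( string $ip, string $rule ): bool {
    if ( strpos( $rule, '/' ) === false ) {
        return $ip === $rule;
    }
    [ $net, $bits ] = explode( '/', $rule, 2 );
    $ipl  = ip2long( $ip );
    $netl = ip2long( $net );
    if ( $ipl === false || $netl === false ) {
        return false;
    }
    $mask = ( -1 << ( 32 - (int) $bits ) ) & 0xFFFFFFFF;
    return ( $ipl & $mask ) === ( $netl & $mask );
}

// Banned addresses are refused before WordPress does any real work.
add_action( 'init', function () {
    $ip = lt_client_ip();
    foreach ( LT_BANNED as $rule ) {
        if ( lt_ip_matches( $ip, $rule ) ) {
            wp_die( 'Access denied.', 'Banned', [ 'response' => 403 ] );
        }
    }
}, 0 );

// Every failed login (wp-login.php and XML-RPC both end up here) counts against the IP.
add_action( 'wp_login_failed', function ( $username ) {
    $ip    = lt_client_ip();
    $fails = (int) get_transient( "lt_fail_$ip" ) + 1;
    set_transient( "lt_fail_$ip", $fails, LT_LOCKOUT_SECONDS );
    if ( $fails < LT_MAX_FAILURES ) {
        return;
    }
    delete_transient( "lt_fail_$ip" );
    $lockouts = (int) get_transient( "lt_lockouts_$ip" ) + 1;
    set_transient( "lt_lockouts_$ip", $lockouts, LT_BLOCK_SECONDS );
    $seconds = $lockouts >= LT_MAX_LOCKOUTS ? LT_BLOCK_SECONDS : LT_LOCKOUT_SECONDS;
    set_transient( "lt_locked_$ip", time() + $seconds, $seconds );
    // Log the name tried: an IP that knows your real login is the one worth banning.
    error_log( sprintf( 'login lockout #%d for %s (tried "%s", %d h)', $lockouts, $ip, $username, $seconds / HOUR_IN_SECONDS ) );
} );

// A locked IP is refused before its password is even checked.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $until = (int) get_transient( 'lt_locked_' . lt_client_ip() );
    if ( $until > time() ) {
        $minutes = (int) ceil( ( $until - time() ) / 60 );
        return new WP_Error( 'lt_locked', "Too many failed logins. Try again in $minutes minutes." );
    }
    return $user;
}, 30, 3 );
```

Attempts made during a lockout still fail and still count, so a bot that keeps knocking walks itself up to the 96-hour block without any help; the error_log line gives you the same user-name-tried and attempt-count information the post reads out of the LLA log when deciding what to add to the ban list.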
(Hat tip to good friend Lorraine Ball and Roundpeg for originally writing about this topic in April.)
And pay for WordPress hosting on a service that adds extra security monitoring, plugins, and backups, like WPEngine.com.
That’s another important step. There are a few places that do that, but do you have any preferences, John?