You have all likely heard about the recent rise in brute force attacks against WordPress; if you have not, Sucuri has been chronicling it for you. Here at Pagely we have best-in-class enterprise security appliances protecting our network, additional second-level mechanisms in place to throttle and block brute force attacks against our clients' sites, as well as remediation procedures should something get through.
Regarding brute force attacks, here is the honest truth that most hosting companies may not tell you: you, the site owner, are the first and last line of defense.
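The "second-level mechanisms to throttle and block" mentioned above key on one obvious signal: a single source repeatedly POSTing to the login form in a short window. The script below is an added example (not Pagely's code) of that detection over a few constructed access-log lines in the common "combined" format; the threshold, window and the assumption that a failed login re-renders the form with HTTP 200 while a success redirects with 302 are stated in the comments.

```python
"""Flag sources hammering wp-login.php in a web access log (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Apr/2013:10:00:02 +0000] "GET /about/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Apr/2013:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records


def is_failed_login(rec):
    # Assumption used here: wp-login.php re-renders the form (200) on a bad
    # password and answers a successful POST with a 302 redirect.
    return (rec["method"] == "POST"
            and rec["path"].split("?")[0].endswith("/wp-login.php")
            and rec["status"] == 200)


def find_bruteforcers(text, threshold=5, window_seconds=60):
    """Return {ip: peak failed-login count inside any window} for sources at or over threshold.

    A sliding window per IP: timestamps older than the window are dropped before
    the count is compared, so a slow trickle of failures is not flagged.
    """
    recent = defaultdict(deque)  # ip -> timestamps of recent failed logins
    flagged = {}
    for rec in sorted(parse_log(text), key=lambda r: r["ts"]):
        if not is_failed_login(rec):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, n in find_bruteforcers(SAMPLE_LOG).items():
        print(f"throttle candidate {ip}: {n} failed logins within 60s")
```

In the sample, 203.0.113.7 crosses the threshold (six failures in six seconds) and is the only source reported; the single successful login from 198.51.100.20 is not counted. In practice the per-IP key is weak against a distributed botnet, which is why the per-account signal (failures against one username from many sources) is usually tracked as well.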
A brute force attack is simply a program trying to log in to your site with common username and password combinations. The easiest way to defeat these attempts is to use a good pass-phrase instead of a password.
Img Credit: xkcd.com
This simple change to your online habits will increase the security of your properties 1000 fold. We’ll keep protecting your WordPress sites from the various and nefarious denizens of the interwebs as best as we can, but if your password is “password”, you are defeating all the work we are trying to do for you.
An easy-to-remember 3 or 4 word pass-phrase is WAY harder to crack or guess than mYp@sw0®d.
Easy fixes to protect your WordPress site:
- Use a pass-phrase
- Don’t use a common user-name.
- Purchase and use an SSL for your login pages.
- Use Roles responsibly. Not every user needs “administrator” rights.
- Remove the default ‘admin’ account. (Create a new user with Administrator rights and a good pass-phrase, log in with it, and remove the ‘admin’ user.)
- Did we mention to use a pass-phrase?
I use SSL for my wp-admin and login, but I found that not all plugins work over SSL, so that’s one thing to be careful of.
A similar plugin for pass-phrases could be the One Time Password plugin.
The support guys can help: https://support.pagely.com
As WordPress founder Matt suggests, choosing a strong password and making certain that you have the most recent version of WordPress is adequate protection. The botnet is in a literal sense guessing account details; if you have something that is simply not guessable, you will be safe.
Now there is a Google Authenticator Plugin for WordPress. You can enable (or disable) it per user (admin, editor, etc.). This plugin in conjunction with a strong password is the best you can do to secure the back end. This is the plugin I installed for my personal blog site.
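For readers wondering what the Google Authenticator plugin actually checks, the following is an added example (not the plugin's code, nor the commenter's) of the underlying mechanism: HOTP (RFC 4226) and its time-based form TOTP (RFC 6238), which is what the app on the phone computes every 30 seconds. The key below is the published RFC test key, so the codes it produces can be checked against the RFC tables; the one-step clock-drift window in `verify_totp` is a common but assumed policy.

```python
"""HOTP / TOTP as used by authenticator apps (added example, RFC 4226 / RFC 6238)."""
import base64
import hashlib
import hmac
import struct

# The RFC 4226/6238 test key; not a real secret.
RFC_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(key, for_time // step, digits)


def verify_totp(key: bytes, submitted: str, now: int, step: int = 30, drift: int = 1) -> bool:
    """Accept the current step and `drift` steps either side to tolerate clock skew.

    Comparison is constant-time. A real verifier must additionally remember the
    last accepted counter and refuse a code reused within the same step (replay),
    and rate-limit attempts, since a 6-digit code is only ~20 bits of guess space.
    """
    return any(
        hmac.compare_digest(totp(key, now + d * step, step), submitted)
        for d in range(-drift, drift + 1)
    )


def key_from_base32(secret: str) -> bytes:
    """Authenticator apps are provisioned with a base32 secret; padding is often stripped."""
    s = secret.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


if __name__ == "__main__":
    # RFC 6238 table: T=59 -> 94287082 (8 digits), T=1111111109 -> 07081804
    print(totp(RFC_KEY, 59, digits=8), totp(RFC_KEY, 1111111109, digits=8))
```

The point for the thread: the code is derived from a shared secret and the clock, not from the password, so a guessed password alone no longer logs the attacker in. The verifier side is where plugins differ in quality: replay protection and rate limiting on the code are what stop the second factor from being brute-forced in turn.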
Does anyone know what the maximum length allowed for a WordPress password is? Are there any character restrictions? I’m hoping it’s a 255 varchar or even a text field with no restrictions on allowed characters. However, I’ve looked at the login.php source code and so I’m not optimistic.