WordPress Security Advice

A few weeks back, I read something from someone talking about protecting their WordPress login screen. I did not think that I would need to worry about any kind of WordPress security plug-ins, simply because my blogs do not receive a lot of traffic.

Boy, was I wrong!

I installed a plug-in called limit login. The plug-in keeps track of how many times a user has attempted to log in, and then blocks the user’s IP depending on various factors. I’m still trying to figure out what the proper parameters for the different settings are supposed to be, but I am also alarmed at how many times people have tried to log into my different websites.

[Image: blocked_IP]

As you can see from the attached image, the bot or whatever it is, is trying to log in using the username admin.

If you still have, or are still using, the username admin, I urge you to take a moment and learn how to change the username.

At the very least, make up a new username: something that is not admin, that is not the same name as the website, and that would only be known to you. Make that user a super admin on your site, and then delete the user named admin.

I would tell you to go into your phpMyAdmin and find the admin user entry and change the username in the database, but that’s really a lot more trouble than it’s worth for me.

I think that if you were to make a new user, with the new login name, that should be sufficient. I should also mention, don’t use names like super or administrator or anything like that. Basically, no generic names, that’s my recommendation.

The other thing that you need to consider is creating a secure password. If you have additional users or writers/authors on your website, consider enforcing some kind of a secure password rule.

Basically, require users to have at least 8 to 10 characters in their password, a number, and maybe even a special character as well. That should keep the bots at bay, and keep them from being able to log into your website, or at least keep them from being able to guess what your password might be.

Another thing that you can do is to go into the control panel for your website host, where you can permanently ban the IP addresses that people are connecting from when they try to break into your website. I have a rather extensive list and the list keeps growing.
