By Gary Nugent

WordPress hacked?

How often do you see messages like this in your Inbox:

[Blog Name] User failed to login
[] User failed to login

Unless you have a WordPress security plugin installed, probably never. That’s because WordPress doesn’t let you know when someone is probing for a way into your site. And without these notices, you have no way of seeing how often hackers are trying to get into your site.

Here’s what some of these messages look like:

Username: admin
IP: 69.89.31.202
Time: October 29, 2013 5:09 am
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1623.0 Safari/537.36

Username: admin
IP: 66.147.242.170
Time: October 29, 2013 3:12 am
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1623.0 Safari/537.36

Username: admin
IP: 208.111.39.48
Time: October 28, 2013 2:50 pm
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1623.0 Safari/537.36

What you’ll see from these is that the username most probed is “admin”. That is why you should never use admin as your blog’s username.

The IP is the address of the person who’s trying to log into the blog.

“Time” shows when the attempted login occurred.

And the “User-Agent” shows what software was being used.

Almost every day I’ll get a few of these notices from various sites I own. Some days, like today for example, I’ll see a lot of these messages, so I know that some sites are being repeatedly probed for weaknesses.
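The notices above are only useful if you do something with them. As an added example (not code from the post or from any plugin), here is a small Python script that parses notices in exactly that four-line format, counts attempts per username and per IP, and flags addresses that fail repeatedly inside a short window. The sample input is constructed: it reuses the three notices quoted above and adds five made-up ones with documentation-range addresses (198.51.100.7, 203.0.113.9) so that one address shows the kind of burst the post describes. The threshold and window values are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample input: the three notices quoted in the post plus five
# constructed ones (198.51.100.7 and 203.0.113.9 are documentation addresses).
SAMPLE_NOTICES = """\
Username: admin
IP: 69.89.31.202
Time: October 29, 2013 5:09 am
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1623.0 Safari/537.36

Username: admin
IP: 66.147.242.170
Time: October 29, 2013 3:12 am
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1623.0 Safari/537.36

Username: admin
IP: 208.111.39.48
Time: October 28, 2013 2:50 pm
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1623.0 Safari/537.36

Username: admin
IP: 198.51.100.7
Time: October 29, 2013 6:00 am
User-agent: python-requests/2.0

Username: admin
IP: 198.51.100.7
Time: October 29, 2013 6:05 am
User-agent: python-requests/2.0

Username: administrator
IP: 198.51.100.7
Time: October 29, 2013 6:11 am
User-agent: python-requests/2.0

Username: admin
IP: 198.51.100.7
Time: October 29, 2013 6:18 am
User-agent: python-requests/2.0

Username: editor
IP: 203.0.113.9
Time: October 29, 2013 9:40 pm
User-agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/24.0
"""

# One "Field: value" line of a notice.
FIELD_RE = re.compile(r"^(Username|IP|Time|User-agent):\s*(.*)$", re.M)
# Matches the time format used in the notices, e.g. "October 29, 2013 5:09 am".
TIME_FORMAT = "%B %d, %Y %I:%M %p"


def parse_notices(text):
    """Split the text into notices (blank-line separated) and return one dict per notice."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(FIELD_RE.findall(block))
        if not {"Username", "IP", "Time"} <= set(fields):
            continue  # malformed or truncated notice: skip it rather than crash
        events.append({
            "username": fields["Username"].strip(),
            "ip": fields["IP"].strip(),
            "time": datetime.strptime(fields["Time"].strip(), TIME_FORMAT),
            "user_agent": fields.get("User-agent", "").strip(),
        })
    return events


def summarize(events):
    """Count failed attempts per username and per source IP."""
    return {
        "by_username": Counter(e["username"] for e in events),
        "by_ip": Counter(e["ip"] for e in events),
    }


def repeated_probers(events, threshold=3, window=timedelta(hours=1)):
    """Return the IPs with at least `threshold` failures inside any `window`-long span."""
    times = defaultdict(list)
    for e in events:
        times[e["ip"]].append(e["time"])
    flagged = set()
    for ip, ts in times.items():
        ts.sort()
        # slide a window of `threshold` consecutive failures along the sorted times
        for i in range(len(ts) - threshold + 1):
            if ts[i + threshold - 1] - ts[i] <= window:
                flagged.add(ip)
                break
    return flagged


if __name__ == "__main__":
    events = parse_notices(SAMPLE_NOTICES)
    stats = summarize(events)
    print("most probed usernames:", stats["by_username"].most_common(3))
    print("attempts per IP:", stats["by_ip"].most_common())
    print("IPs with a burst of failures:", sorted(repeated_probers(events)))
```

Run it over a mailbox export of the notices and the most-probed username and the bursty addresses fall out directly; the bursty set is the list you would feed into a lockout or block rule.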

An estimated 30,000 WordPress sites get hacked every day. And those are just the successful attempts hackers make. Who knows how many hack attempts are made overall each day?

WordPress newbies frequently accept the default admin username when they create a WordPress blog. And when a login attempt fails, WordPress, by default, will tell the person trying to log in whether the username or the password was incorrect. So by using the admin username, a hacker will immediately know that all they need to worry about is the password. And, guess what, most people use easy-to-guess passwords too!

Securing Your WordPress Blog

One of the security plugins I use on my sites is Secure Scan Pro. Among its many options (including emailing you about login attempts like those above), it lets you lock out someone who repeatedly tries to log into your blog. You can set how many login attempts are allowed before a lockout and how long the lockout lasts; you can remove the default WordPress response that tells a hacker whether the username or the password was incorrect; and you can add a captcha (which bots can’t read) to the login screen.
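The two login-screen changes just described (one error message for every failure, and a lockout after too many failures) are simple enough to show in code. The Python below is an added example, not code from Secure Scan Pro or from WordPress; it models the policy with a plaintext username/password table standing in for WordPress’s password check, and the limits (5 failures in 10 minutes, 30-minute lockout) are assumed values, since the plugin makes them configurable. The `leaky_message` function is a paraphrase of the default behaviour the post describes, not WordPress’s exact wording.

```python
import hmac
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values for the example; a plugin would make these settings.
MAX_ATTEMPTS = 5                          # failures allowed inside the window
ATTEMPT_WINDOW = timedelta(minutes=10)    # failures older than this are forgotten
LOCKOUT_DURATION = timedelta(minutes=30)  # how long an address stays locked out

GENERIC_ERROR = "Invalid username or password."
LOCKED_ERROR = "Too many failed login attempts. Try again later."


def leaky_message(user_exists, password_ok):
    """Paraphrase of the default behaviour the post describes: the reply
    differs depending on which field was wrong, so a failure confirms
    whether the username exists."""
    if not user_exists:
        return "Invalid username."
    if not password_ok:
        return "The password you entered for this username is incorrect."
    return ""


class LoginGuard:
    def __init__(self, users, max_attempts=MAX_ATTEMPTS,
                 window=ATTEMPT_WINDOW, lockout=LOCKOUT_DURATION):
        self.users = users                   # username -> password (constructed stand-in, ASCII only)
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> datetime the lockout expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        return until is not None and now < until

    def attempt(self, ip, username, password, now):
        """Return (success, message). Unknown user and wrong password get the
        same message, so a failed attempt does not confirm a username."""
        if self.is_locked(ip, now):
            return False, LOCKED_ERROR
        expected = self.users.get(username)
        # compare_digest stands in for the real password-hash verification
        ok = expected is not None and hmac.compare_digest(expected, password)
        if ok:
            self.failures.pop(ip, None)      # a good login clears the counter
            return True, ""
        self._record_failure(ip, now)
        if self.is_locked(ip, now):
            return False, LOCKED_ERROR
        return False, GENERIC_ERROR

    def _record_failure(self, ip, now):
        recent = self.failures[ip]
        recent.append(now)
        # drop failures that fell out of the sliding window
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_attempts:
            self.locked_until[ip] = now + self.lockout
            recent.clear()


if __name__ == "__main__":
    guard = LoginGuard({"editor": "correct horse battery staple"})
    t0 = datetime(2013, 10, 29, 5, 0)
    # constructed burst of guesses against the "admin" account from one address
    for i in range(6):
        result = guard.attempt("198.51.100.7", "admin", "guess%d" % i, t0 + timedelta(seconds=30 * i))
        print(i + 1, result)
```

In a real WordPress install the same two pieces hang off the `login_errors` filter (to replace the field-specific text with one generic message) and the `wp_login_failed` action (to count failures per address); the counters and lock expiry would live in transients or options rather than in memory.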

In addition, there are blocks of IP addresses from known suspect sites around the world that can be blocked from the outset, further protecting your blog (and hard work) from being compromised. I’ve reviewed the plugin here.

If you opt for my Managed WordPress Blog service, I’ll add Secure Scan Pro to your site in addition to performing other security scans and maintaining the plugins on the site and upgrading WordPress itself when a new version is released.

Please take the security of your blogs seriously. Whether you build them yourself or outsource blog creation, a blog is either an income stream for you or perhaps the online face of your business. You don’t want either scenario to be compromised, do you?
