Hackers, Bots, and Bores

A few minutes ago, I tweeted “It’s fun using #Wordfence to watch bots try to login as ‘admin’ to my #WordPress sites. I auto-block that ID.” And it is, although the ongoing attempts are both annoying and a waste of bandwidth.  This was a big deal a few weeks ago. In fact, the sheer volume of attempts to login as ‘admin’, over and over again with commonly  used passwords, was enough to bring down several shared hosting sites.

As a hosting server, what can you do?  It seems to me that you should monitor http traffic, looking for multiple login attempts with the ID ‘admin’ and use firewall blocks to throttle traffic from those IP addresses.  I chose to say “throttle” rather than “block” because — just maybe — there might be a real user out there struggling to remember his admin password.

As a WordPress site owner, what can you do?  First, don’t have a user named ‘admin’.  They can’t login on an account that’s  not there! Second, install the WordFence plugin.  On the options panel, enable “Login Security” with fairly agressive settings:

If you want to see if it’s effective, enable WordFence’s “Live Traffic View” and on the Live Traffic panel, click on the “Logins and Logouts” tab

If you set up your WordPress site with an ‘admin‘ user, how do you remove it without breaking the site? 

  1. Create a new user on the site that you’ll use for administrative purposes.  Make sure you give it a strong password and don’t forget to assign it the adminstrative role.
  2. Log out and log back in as the user you just created.
  3. Under “users”, select and delete the orginal adminstrative user, ‘admin’.  WordPress will allow you to reassign content posted by this user to another user.

How else do you secure your WordPress sites?