Some of the sites I managed have been hacked… again.
Here are some changes I’m making to prevent future hack attempts.
1) Install the “Limit Login Attempts” plugin.
Like its name suggests, this wonderful plugin limits the number of times someone can attempt to log in. If they fail, their IP address is blocked for a set time. You can set the number of attempts to allow, how long the block lasts, and if you want to be emailed when someone is blocked. The plugin also keeps a log of IP addresses, so you can add them to your blacklist (if you use one), and logs the username of the attempted log in so you can check with that user if they need assistance.
The main benefit of the “Limit Login Attempts” plugin is if a hacker is using a brute-force method to find your password. Typically, the hacker will run a program that will repeatedly try different passwords until it is able to log in. The limit on login attempts slows the hacker down in his attempt greatly.
2) Never use “admin” as a WordPress username.
It’s temping to use “admin” as the first user since it is the default username WordPress gives you when you set up your blog.
With the “Limit Login Attempts” plugin installed, I found the hacker was repeatedly trying to log in as “admin” using a brute force method, but he was not trying the other accounts. I set up a new administrator user account for myself, logged into the new account, and deleted the “admin” account, being sure to set existing posts with my new account as the author. I think it would also be helpful to make sure your “Display Name” is not the same as your username.
3) Create a good password of 12 characters or more
Use Upper and lowercase letters, numbers and symbols. Get a password manager to keep all your logins straight.
What has not worked:
Google Authenticator Plugin. I had this installed on a blog that was previously hacked, but I did not have “Limit Login Attempts” installed at the time. The hacker still got in using what I presume to be a brute force attack. The Google Authenticator plugin just made it a pain trying to get back in, but I found deleting the plugin via FTP gave me access again.
I think Google Authenticator is still a good plugin when paired with a system the limits the number of login attempts. Even Google does this by using a captcha system.
To keep your WordPress blog safe from brute-force hackers, install Limit Login Attempts, never use “admin” as a username, and use a good password at least 12 characters long using upper and lowercase letters, numbers and symbols.