If you haven’t seen the news, there’s a massive attack going on against non-secure WordPress sites. Sites are being hammered with login requests, and once a match is found, the site becomes part of a massive botnet. From the Ars story:
The unknown people behind the highly distributed attack are using more than 90,000 IP addresses to brute-force crack administrative credentials of vulnerable WordPress systems, researchers from at least three Web hosting services reported. At least one company warned that the attackers may be in the process of building a “botnet” of infected computers that’s vastly stronger and more destructive than those available today. That’s because the servers have bandwidth connections that are typically tens, hundreds, or even thousands of times faster than botnets made of infected machines in homes and small businesses.
So, what can you do to build a secure WordPress installation? A few things.
1. Get the Better WP Security plugin
This plugin by Chris Wiegman gives you a ton of options to better secure WordPress, including interesting features like turning off your WP admin area during certain parts of the day. Grab the plugin from the WordPress repository here.
2. Use strong passwords
WordPress likes strong passwords, but if you have many users or a multisite setup, you should require all levels of users to use strong passwords. If you are generating passwords when you add a new WP user, use a strong one. I use this site often to generate random keys and passwords.
Why are strong passwords important? Let’s look at three potential passwords:
We should rule out doctor1 immediately, as it’s based on a dictionary word. If we use WolframAlpha to analyze this password, it rates it as very weak and returns this data:
number of passwords | ≈ 2^36 ≈ 78.36 billion
time to enumerate | ≈ 9.07 days (at 100000 passwords per second)
password entropy | 36.19 bits
For the password 6TrSB45aO6, WolframAlpha calls it very strong:
number of passwords | ≈ 2^57 ≈ 174.9 quadrillion
time to enumerate | ≈ 55456 years (at 100000 passwords per second)
password entropy | 57.28 bits
55,000 years to enumerate, compared to 9 days for the previous password; that’s pretty good. Let’s run the last one.
WolframAlpha calls bl+4NF=(N35+ixq a very strong password and gives this data:
number of passwords | ≈ 2^98 ≈ 3.953×10^29
time to enumerate | ≈ 125.3 quadrillion years (at 100000 passwords per second)
password entropy | 98.32 bits
Where it took 55,000 years last time, now it takes 125.3 quadrillion years. Can you even comprehend that number? And that’s trying 100,000 passwords a second. That’s a strong password.
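The figures above come from a simple search-space model: an attacker must try every combination of the character pool the password draws from, so the number of candidates is pool_size^length and the entropy is length × log2(pool_size). The script below is an added example, not from the post or from WolframAlpha; it reproduces the post’s figures for doctor1 (36-character pool, 9.07 days) and for the 15-character password (94-character pool, 98.32 bits). The pool sizes, the 100,000 guesses-per-second rate and the tiny dictionary are assumptions made for the example; WolframAlpha’s own pool for mixed-case alphanumerics like 6TrSB45aO6 is slightly smaller than the 62 assumed here, which is why that one comes out at 59.5 bits rather than 57.28.

```python
import math
import string

# Character pools: a password is assumed to be drawn from the union of every
# pool it touches (assumption made for this example). All four together give
# the 94 printable ASCII characters excluding space.
POOLS = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

# Constructed mini word list standing in for a real dictionary.
SAMPLE_DICTIONARY = {"doctor", "password", "welcome", "dragon", "monkey"}

RATE_PER_SECOND = 100_000  # guess rate used throughout the post


def pool_size(password: str) -> int:
    """Size of the alphabet an attacker must enumerate to cover this password."""
    return sum(len(chars) for chars in POOLS.values()
               if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Total number of candidate passwords of this length over this pool."""
    return pool_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the search space, i.e. bits of brute-force resistance."""
    return len(password) * math.log2(pool_size(password))


def seconds_to_enumerate(password: str, rate: int = RATE_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return search_space(password) / rate


def human_duration(seconds: float) -> str:
    """Render a duration in hours, days or years, whichever fits."""
    day = 24 * 3600
    year = 365.25 * day
    if seconds < day:
        return f"{seconds / 3600:.2f} hours"
    if seconds < year:
        return f"{seconds / day:.2f} days"
    return f"{seconds / year:.4g} years"


def is_dictionary_based(password: str, words=SAMPLE_DICTIONARY) -> bool:
    """True if the password is a dictionary word padded with digits or symbols."""
    core = password.lower().strip(string.digits + string.punctuation)
    return core in words


def report(password: str) -> dict:
    """Collect the same four numbers the post quotes, plus the dictionary check."""
    return {
        "password": password,
        "pool": pool_size(password),
        "combinations": search_space(password),
        "bits": round(entropy_bits(password), 2),
        "time": human_duration(seconds_to_enumerate(password)),
        "dictionary_based": is_dictionary_based(password),
    }


if __name__ == "__main__":
    for pw in ("doctor1", "6TrSB45aO6", "bl+4NF=(N35+ixq"):
        print(report(pw))
```

The dictionary check matters more than the bit count for doctor1: a guesser that tries wordlist entries with a digit appended never needs the 78 billion candidates, which is why the post rules it out before looking at the entropy at all.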
3. Use a password manager
But Mike, you’re saying, how can I remember a password like bl+4NF=(N35+ixq? Easy. Use a password manager. This one isn’t directly related to WordPress itself, but if you create yourself a 40-character password, you’ll be safe. How safe? Let’s run one through WolframAlpha. Let’s use this one:
At 100,000 passwords a second, that one would take 2.669×10^66 years. I’m not even sure how many zeros that number would have. A lot.
I use 1Password and all my passwords are 50 characters, for everything. It’s a bit pricey, but I was able to find a half-off coupon on the web pretty easily. What’s nice is that you can store your passwords securely in Dropbox and have all your passwords at home, at the office and so on. LastPass is another good alternative.
4. Remove your admin user and change your database prefix
Many times, when you set up WordPress, the admin user is made by default. This is fine at first, but immediately create a new user, give that user administrative powers and remove the admin user. That’s a common target for hackers.
It’s good WordPress security practice to rename your tables from the default names, because hackers often look for installs that haven’t been changed, and can write their malware to look for the default table names, such as wp_usermeta.
The best time to change it is when you’re first installing WordPress, but it is possible to do it after. I’d recommend using a plugin like Better WP Security. It will do the heavy lifting for you. But if you’re feeling adventurous, you can do it manually, by adding this line to your wp-config.php file:
$table_prefix = 'wp_2f2fss_';
You can make it whatever you like, just make sure you end it with an underscore. The next step is to rename your real database tables. This is slightly more tricky if you don’t have access to the database itself or a tool like phpMyAdmin. You can learn more about this process here.
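Changing $table_prefix only tells WordPress which tables to look for; the tables themselves still need renaming, and two places store the prefix inside row values rather than table names (the wp_user_roles row in the options table and the meta keys such as wp_capabilities in usermeta). Miss those and every account loses its capabilities after the rename. The script below is an added example, not from the post or from the Better WP Security plugin; it generates the MySQL statements for the manual route. It assumes the 3.x-era single-site default table list and that no plugins have added tables of their own, and it uses the post’s example prefix wp_2f2fss_.

```python
import re

# WordPress 3.x-era single-site default tables (assumption: no plugin tables).
DEFAULT_TABLES = [
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "terms", "term_relationships", "term_taxonomy", "usermeta", "users",
]

# wp-config.php accepts only letters, digits and underscores; the post also
# asks for a trailing underscore so the prefix reads as a separator.
PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+_$")


def validate_prefix(prefix: str) -> str:
    """Reject prefixes WordPress would choke on or that lack the trailing '_'."""
    if not PREFIX_RE.match(prefix):
        raise ValueError(
            f"bad prefix {prefix!r}: use letters, digits and underscores, ending in '_'"
        )
    return prefix


def wp_config_line(new: str) -> str:
    """The line to put in wp-config.php, exactly as the post shows it."""
    return f"$table_prefix = '{validate_prefix(new)}';"


def rename_statements(old: str, new: str, tables=DEFAULT_TABLES) -> list:
    """One RENAME TABLE per default table."""
    validate_prefix(old)
    validate_prefix(new)
    if old == new:
        raise ValueError("old and new prefix are identical")
    return [f"RENAME TABLE `{old}{t}` TO `{new}{t}`;" for t in tables]


def fixup_statements(old: str, new: str) -> list:
    """Rows whose *values* embed the prefix; RENAME TABLE does not touch these.
    In LIKE patterns '_' is a wildcard, so it is escaped as '\\_'."""
    like_old = old.replace("_", r"\_")
    return [
        f"UPDATE `{new}options` SET option_name = '{new}user_roles' "
        f"WHERE option_name = '{old}user_roles';",
        f"UPDATE `{new}usermeta` SET meta_key = CONCAT('{new}', "
        f"SUBSTRING(meta_key, {len(old) + 1})) WHERE meta_key LIKE '{like_old}%';",
    ]


def migration_plan(old: str, new: str) -> str:
    """Full SQL script: renames first, then the value fix-ups on the new tables."""
    return "\n".join(rename_statements(old, new) + fixup_statements(old, new))


if __name__ == "__main__":
    print(wp_config_line("wp_2f2fss_"))
    print(migration_plan("wp_", "wp_2f2fss_"))
```

Run the SQL inside a transaction (or against a backup first) so a half-applied rename does not leave the site pointing at tables that no longer exist.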
5. Add another layer of authentication to your site
For several months, I’ve used Google’s Authenticator app to sign into all of Google’s products as well as other sites that support it like Dropbox.
While it’s a pain to enter one more piece of data, it’s as easy as copying the information from your phone, which is something we all have with us 24/7. When you log in to Google, you’re asked for a 6-digit code, which you can have texted or called to you, or you can use the Google Authenticator app, which gives you the code to enter.
On your phone, it looks like this:
There’s a WordPress plugin you can install to add this level of two-factor authentication to your blog. The setup takes just a few moments. That screen looks like:
That QR code there? Just take a picture of it with the Authenticator app and it knows all it needs to know to start generating keys for you. Once you’re all set, your WordPress login screen will look like this:
That, friends, is a pretty secure WordPress setup. Chances are very slim to none someone is going to crack both your strong password and the code generated by Google.
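What the QR code carries, and what the app does with it, is simple enough to show end to end: the code encodes an otpauth:// URI holding a shared base32 secret, and both the app and the site then compute HMAC-SHA1 over the current 30-second time step and take six digits from it (TOTP, RFC 6238, built on HOTP, RFC 4226). The block below is an added example, not the WordPress plugin’s code or Google’s; it uses the RFC test seed “12345678901234567890” so the codes can be checked against the published vectors, and the account name, issuer and ±1-step acceptance window are assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse

# RFC 4226 / RFC 6238 reference seed, base32-encoded the way an authenticator
# app expects it. Constructed for the example; a real site generates a random one.
SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: float, step: int = 30) -> str:
    """TOTP (RFC 6238): HOTP with the counter = Unix time // step."""
    return hotp(secret_b32, int(at // step))


def verify_totp(secret_b32: str, submitted: str, at: float,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the current step and `window` steps either side
    to absorb clock drift. compare_digest avoids early-exit string comparison."""
    counter = int(at // step)
    ok = False
    for delta in range(-window, window + 1):
        ok |= hmac.compare_digest(hotp(secret_b32, counter + delta), submitted)
    return ok


def provisioning_uri(secret_b32: str, account: str, issuer: str = "WordPress") -> str:
    """The otpauth:// URI the enrolment QR code encodes (Google Key URI format)."""
    label = urllib.parse.quote(f"{issuer}:{account}", safe=":@")
    query = urllib.parse.urlencode({"secret": secret_b32, "issuer": issuer})
    return f"otpauth://totp/{label}?{query}"


if __name__ == "__main__":
    print(provisioning_uri(SECRET_B32, "admin@example.com"))  # account is a placeholder
    print("current code:", totp(SECRET_B32, time.time()))
```

Once enrolled, nothing secret crosses the wire at login: the site only ever sees a six-digit code that is valid for one short window, which is what makes the combination with a strong password so much harder to brute-force than either factor alone.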