
Guard Your Blog Against WordPress Attacks

By | Apr.22.13 | Daily Dispatch, Law Practice Management, Legal Technology, Optimize


If you use WordPress for your blog or law firm website, you may know that this month the WordPress community faced perhaps its largest brute force attack. Reports around the web confirmed that a large botnet was brute-forcing passwords to attack WordPress and Joomla sites. While there are a variety of ways hackers can try to attack your site, if you follow basic security measures, you can protect it and avoid the overwhelming majority of common attacks.

Stronger Credentials

The list starts with stronger WordPress login credentials—your username and password. Don’t use “admin” as your username. And don’t use easily identifiable information in your password. Here are some additional password no-no’s:

  • Don’t use variations of your real name, your username or anything identifiable from your website.
  • Don’t use a “tough” word from the dictionary.
  • Don’t use just letters or just numbers. Use both.
  • Don’t give your password out to people!

I encourage you to use an automatic password generator. Make sure it complies with the WordPress recommendations for a strong password. You might also consider using a limit login attempts plug-in.

Also, make it a policy to update all usernames and passwords monthly or quarterly. I recognize that constantly updating your password can be inconvenient. But consider all the problems that can arise when your site is compromised.

Don’t save passwords to your computer, and don’t save passwords in your web browser. If you are having a difficult time remembering passwords, consider something like LastPass.


Another important aspect of preventing attacks is updating software, themes and plug-ins. I’ve seen many lawyer websites using ridiculously old versions of WordPress. While you may want to wait days or weeks to apply a new WordPress update, you shouldn’t wait much longer than that.

Also, keep in mind that themes and plug-ins can have security issues. That’s why you should limit your use of plug-ins to only those essential to your site. If you’re using a free or premium WordPress theme, do some research to make sure it isn’t known for security issues. If you’re commissioning a custom theme, talk to your developer about security. Experienced developers should be conscientious about theme security vulnerabilities.

Back Up

Of course, you won’t be able to protect against every attack, every time. That is why you should have a system for regularly backing up site files and databases. BackupBuddy is a nice plug-in that makes scheduling, storing and restoring backups pretty easy.

More on Hardening WordPress

It’s important to keep in mind that no system is completely hacker-proof. Even the most sophisticated government defense systems get hacked. The keys to security are to take preventive measures to protect against common security breaches, mitigate the damage of any security breach and be prepared to respond and adapt to future attacks. WordPress provides extensive help for hardening WordPress, and a recent article from Forbes provides some additional advice on protecting against the botnet.

Have you been the victim of an attack? Tell us about it. Were you prepared? What steps did you take to recover? What additional steps have you taken to protect your WordPress installation?

Gyi Tsakalakis helps lawyers put their best foot forward online because clients are looking for them there. He is a co-founder of AttorneySync, a digital marketing agency for law firms. You can find more of Gyi’s writing in his “Optimize” column on Attorney at Work, on Lawyerist and on Avvo’s Lawyernomics blog. You can ask him a question (or just say hi) on LinkedIn, Twitter, Google+ and Facebook.


4 Responses to “Guard Your Blog Against WordPress Attacks”

  1. Natalie Waddell
    22 April 2013 at 7:18 am #

    In the past several months we have recovered several of our SEO clients’ websites from attacks. In some cases the designer/developer had left inappropriate file permissions on critical files (such as the .htaccess file) and in other cases it was built on a vulnerable template.

    Another couple of recommendations to help defend against hacks (not necessarily against password detection) are:

    1. Deactivate and delete any plugins that are not being used. Many of the hosting companies with one-button installs include several plugins that just aren’t necessary.

    2. Rename the prefix on your database tables to something other than the default (which is wp_). One of the WebsiteDefender plugins can easily do this. But of course, back up your database before doing this, just in case.