If you use WordPress for your blog or law firm website, you may know that this month the WordPress community faced perhaps its largest brute force attack. Reports around the web confirmed that a large botnet was brute-forcing passwords to attack WordPress and Joomla sites. While there are a variety of ways hackers can try to attack your site, if you follow basic security measures, you can protect it and avoid the overwhelming majority of common attacks.
The list starts with stronger WordPress login credentials—your username and password. Don’t use “admin” as your username. And don’t use easily identifiable information in your password. Here are some additional password no-no’s:
- Don’t use variations of your real name, your username or anything identifiable from your website.
- Don’t use a dictionary word, even one that seems “tough.”
- Don’t use just letters or just numbers. Use both.
- Don’t give your password out to people!
I encourage you to use an automatic password generator. Make sure it complies with the WordPress recommendations for a strong password. You might also consider using a limit login attempts plug-in.
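To show what a limit-login-attempts plug-in actually does against a password-guessing botnet, here is a small WordPress must-use plug-in added as an example; it is not code from this post or from any plug-in mentioned here. The attempt threshold, lockout window, transient-based counter and reliance on REMOTE_ADDR are all assumptions you would tune for your own site.

```php
<?php
/*
Plugin Name: Example Login Attempt Limiter
Description: Locks out a client address after repeated failed logins (example code).
*/

// Assumed limits: five failures, then a fifteen-minute lockout.
const ELAL_MAX_ATTEMPTS    = 5;
const ELAL_LOCKOUT_SECONDS = 15 * MINUTE_IN_SECONDS;

// Transient key for the client address. Behind a reverse proxy REMOTE_ADDR is
// the proxy, so you would use the proxy-supplied header, and only if you trust it.
function elal_client_key() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'elal_' . md5($ip);
}

// Count every failed login (wrong username or wrong password) for this client.
add_action('wp_login_failed', function ($username) {
    $key      = elal_client_key();
    $attempts = (int) get_transient($key) + 1;
    set_transient($key, $attempts, ELAL_LOCKOUT_SECONDS);
    if ($attempts >= ELAL_MAX_ATTEMPTS) {
        // Write the lockout to the PHP error log so you can see the attack happening.
        error_log(sprintf('Login lockout after %d failures for user "%s"', $attempts, $username));
    }
});

// Refuse authentication while the client is locked out. Priority 30 runs after
// WordPress's own username/password check (priority 20), which would otherwise
// overwrite an earlier WP_Error with its own result.
add_filter('authenticate', function ($user, $username, $password) {
    if ((int) get_transient(elal_client_key()) >= ELAL_MAX_ATTEMPTS) {
        return new WP_Error('too_many_attempts',
            __('Too many failed login attempts. Please try again later.'));
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that client.
add_action('wp_login', function () {
    delete_transient(elal_client_key());
});
```

Drop the file into wp-content/mu-plugins/ to have WordPress load it automatically; the lockout applies to the whole address, so a shared office connection can lock out colleagues too.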
Also, make it a policy to update all usernames and passwords monthly or quarterly. I recognize that constantly updating your password can be inconvenient. But consider all the problems that can arise when your site is compromised.
Don’t save passwords to your computer, and don’t save passwords in your web browser. If you are having a difficult time remembering passwords, consider something like LastPass.
Another important aspect of preventing attacks is updating software, themes and plug-ins. I’ve seen many lawyer websites using ridiculously old versions of WordPress. While you may want to wait days or weeks to apply a new WordPress update, you shouldn’t wait much longer than that.
Also, keep in mind that themes and plug-ins can have security issues. That’s why you should limit your use of plug-ins to only those essential to your site. If you’re using a free or premium WordPress theme, do some research to make sure it isn’t known for security issues. If you’re commissioning a custom theme, talk to your developer about security. Experienced developers should be conscientious about theme security vulnerabilities.
Of course, you won’t be able to protect against every attack, every time. That is why you should have a system for regularly backing up site files and databases. BackupBuddy is a nice plug-in that makes scheduling, storing and restoring backups pretty easy.
More on Hardening WordPress
It’s important to keep in mind that no system is completely hacker-proof. Even the most sophisticated government defense systems get hacked. The keys to security are to take preventive measures to protect against common security breaches, mitigate the damage of any security breach and be prepared to respond and adapt to future attacks. WordPress provides extensive help for hardening WordPress, and a recent article from Forbes provides some additional advice on protecting against the botnet.
Have you been the victim of an attack? Tell us about it. Were you prepared? What steps did you take to recover? What additional steps have you taken to protect your WordPress installation?
Gyi Tsakalakis helps lawyers put their best foot forward online because clients are looking for them there. He is a co-founder of AttorneySync, a digital marketing agency for law firms. You can find more of Gyi’s writing in his “Optimize” column on Attorney at Work, on Lawyerist and on Avvo’s Lawyernomics blog. You can ask him a question (or just say hi) on LinkedIn, Twitter, Google+ and Facebook.