WordPress Security Audit

Introduction

There is a huge increase in WordPress installations. WordPress has recently released that there are over 59 million in existence today. It is very easy to get a WordPress blog up and running and the learning curve is very small. But due to the increase of installations there is also an increase in WordPress hacking. In fact, left to the default settings, you are almost guaranteed to have your WordPress website hacked.

While I won't go into a complete WordPress Security Audit, I will give you some tips that can really serve to reduce hackers from penetrating your website.

Source

WordPress Creates A Default Administrative User

If you have ever installed WordPress before from your hosting CPanel, it's usually a few simple steps in a wizard based program. You enter some information in fields, press a button, and boom! You're WordPress website is good to go.

But WordPress installs a default user that is called 'admin'. But guess who else knows that about 90% of WordPress owners won't change this default - hackers. They are counting on you keeping that user intact.

If you are insistent on using that user, then you should consider making the password much more secure. Don't choose "abcd", "1234", your name, etc. Make it at least 10 characters long and throw in upper and lower case letters, some numbers, and some special characters ($#@!).

Consider A New User Altogether

A better way to go, is to create a new user and then once logged in as that new user, delete the default. Why give the hackers a foot in the door? Even if you decide to create your own user name, you still should have a secure password. There are programs like lastpass.com that can manage passwords on your computer. As of the time of this writing, this software is still free.

After you decide to create a new user, also make sure you create a nickname that is different than your actual user name. This is what will be displayed as the name that posts or adds pages, etc. Don't forget to select it as the name you want your posts to display.

We'd Love To Hear From You

Have You Ever Had A WordPress Security Audit Done On Your Website?

  • Yes
  • No
See results without voting

WordPress Security Flaw

There have been many successive updates to WordPress. And yet, they still insist on displaying a message, "you entered the wrong password for username admin" after you incorrectly log in. It's Security Tactics 101 to let the user know that they incorrectly typed in one or the other but don't give them one of the items as being correct. The message above tells hackers hey this installation still has the default user name.

Have You Backed Up Your WordPress Website?

If you haven't, then this tells me you don't care about losing your website. Now, you may think that your hosting provider has a back up. You'd better check. And also check to see when they can restore it for you. Several places take days to get to it because it's often located externally and has to be delivered onsite in order for them to install. Can you wait that long? Back up your website!

Always Update WordPress

The above video shows how to update your WordPress installation. You should do this whenever you get the message (make sure you back up first). The reason you want to make sure you do this is because WordPress is always updating to counteract hackers. So if a hacker finds out that you are using a previous version of WordPress, you have given them a foot in the door of your website. Always update to the newest version of WordPress.

We'd Like To Know

When Was The Last Time You Backed Up Your WordPress Installation?

  • Every week
  • Once a month
  • I have never done it
  • I don't care about losing my website so I don't need to
See results without voting

Hacker

Source

If You Don't Believe It Happens...

I have had several of my WordPress websites hacked into before. It was because of this reason that I created a service called WP Auditors. We run free scans on peoples WordPress website and then give them a report of what needs to get done. Since we started doing this, we have not had any incidents of hacking on our websites or our clients.

The reason why I even wrote this Hubpage, is because someone on an online forum that I belong to was upset that her website got hacked. Luckily she really only got started in creating the blog so there wasn't any content of substance on her site. But what if there was? Without a back up here site would be toast!

Common Passwords

Brute Force Attack

By far this is the most common type of hack. Essentially the way this hack works is hackers will figure out which websites still have the default admin user installed. When they find it, they know that half their job is done.

Then they have a list of common passwords that they use and plug those in. More often than you would care to know about, their job is done. They have gotten through to your website. Game over!

But if your password is slightly more secure than that, then they have more work to do. They will navigate a dictionary and plug in each word from that. Again, there are a lot of people that will use single words as their password. That is a hacker's paradise.

If all three of these are not enough to get through, then it's time for the hacker to try every combination that they can think of and loop through and try out those combinations. They just simply take that user name and for the password, they go through several millions of iterations, changing one letter or number or symbol at a time.

Now no person is actually going to go through the process described above manually. They have computer programs that do it all for them. And these programs can do it relatively quickly.

Password Hacking Times

Longer Password Are Better - Much Better!

If you take a look at the chart above, you can easily see that if you make your passwords long enough, and combine uppercase, lowercase, numbers, and symbols, it will really make it very difficult for hackers to penetrate your WordPress installation. And you can also see that adding some uppercase, numbers & symbols really goes a long way in thwarting these jokers.

You Get Win 'Em All

Unfortunately, hackers are always hard out work trying to find ways to get through. The security tips are not complete audits and you should consider having an audit done by qualified professionals. But if you use these tips it will give you a greater chance of keeping hackers at bay than if you just leave your installation to "factory defaults".

We'd Like To Know

Will You Take Measures To Secure Your Site After Reading This Article?

  • Yes
  • No
  • Maybe
See results without voting

What Did You Think Of This Article?

5 out of 5 stars from 1 rating of This Article

More by this Author


Give Us Your Thoughts On Security For WordPress

No comments yet.

    Sign in or sign up and post using a HubPages Network account.

    0 of 8192 characters used
    Post Comment

    No HTML is allowed in comments, but URLs will be hyperlinked. Comments are not for promoting your articles or other sites.


    Click to Rate This Article
    working