WordPress is one of the, if not the, most popular blogging platforms online. It’s also very prone to being hacked unless you, as a webmaster, take proactive steps to secure your blogs from the ever-present hackers.
So when did you last check your WordPress blog? Yesterday, a week ago, a month ago? Or has it been longer than that?
WordPress Security Facts
It’s a sad fact that most people who build sites with WordPress aren’t aware that security in WordPress is non-existent when you install it “out of the box”. Here are a few eye-opening statistics:
- Roughly 30,000 WordPress sites are hacked each day – that’s 10 million blogs a year!
- 73% of WordPress blog owners use little or no security on their blogs – are you one of these?
- 62% of WordPress webmasters don’t even know that their blogs have been hacked – so when did you last check your blog?!
- Only 15% of WordPress blog owners actually keep WordPress and the plugins up to date – forgotten sites are huge security risks.
- Would you be surprised to learn that “admin” is still the most used username for WordPress blogs? Hackers know this and so for a huge number of blogs, all they have to do is crack the password.
- Webmasters still use easily guessed passwords – let’s face it, passwords are a pain and many people use the same, reasonably easy-to-remember passwords for multiple sites. The thing is, people use silly passwords like “123456” for their blogs. Combine that with the “admin” username and, hey presto, your blog’s just been compromised!
- There are over 200 individual vulnerabilities in WordPress that can be exploited by hackers – they don’t have to break in through your login screen. There are other “back doors” they can use.
The Massive Ongoing WordPress Brute Force Attack
Right now (April 2013), there’s an ongoing, massive brute force attack against WordPress sites all over the world. With 90,000 IP addresses to play with, this botnet is hammering sites left, right and center.
No WordPress site is immune from attack so all WordPress blog owners should take proactive measures to secure their blogs. After all, why wouldn’t you want to protect your investment of time, money and resources in building your blogs?
Securing Your Blog
The first line of defense for any blog is you, the webmaster. Do not use “admin” as your username. If you already have a blog that uses this username, log into WordPress and create a new admin-level user with a hard-to-guess username. Stick some numbers into it – one tip is to change letters for numbers so instead of using “adminuser” (as an example), you’d choose “4dm1nu53r” (choosing numbers that are sort of like the letters they’re used to replace).
Then pick a strong password, at least 8 characters long (preferably longer), that’s a mix of upper and lower case characters, numbers and symbols. Each extra character you add to the password makes it exponentially harder to crack (same with the username).
Finally, delete the original “admin” user account.
If you’re creating a blog from scratch, then choose a strong username and password.
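The username and password rules above, written as an audit you can run over an account list before a blog goes live. This is an added example, not code from the original article; the deny-lists, function names and sample accounts are constructed assumptions. The `keyspace` function shows why each extra character makes a brute-force search exponentially larger.

```python
import string

# Constructed deny-lists (assumptions); extend them with your own known-bad values.
DEFAULT_USERNAMES = {"admin", "administrator", "root", "test"}
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein"}

# The four character classes the article asks a password to mix.
CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}


def keyspace(password):
    """Candidates a brute-force search over the character classes in use must cover."""
    alphabet = sum(len(chars) for chars in CLASSES.values()
                   if any(c in chars for c in password))
    return alphabet ** len(password)


def audit_account(username, password, min_length=8):
    """Return a list of findings; an empty list means the account passes these checks."""
    findings = []
    if username.lower() in DEFAULT_USERNAMES:
        findings.append("default username")
    if password.lower() in COMMON_PASSWORDS:
        findings.append("common password")
    if len(password) < min_length:
        findings.append("password shorter than %d characters" % min_length)
    for name, chars in CLASSES.items():
        if not any(c in chars for c in password):
            findings.append("password has no %s" % name)
    return findings


if __name__ == "__main__":
    # Constructed sample accounts, not taken from any real site.
    accounts = [("admin", "123456"), ("4dm1nu53r", "Tr1cky-Horse!Battery9")]
    for user, pw in accounts:
        print(user, audit_account(user, pw) or "ok", "keyspace=%.2e" % keyspace(pw))
```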
The Damage A Hack Causes
It’s no fun finding that your blog has been hacked. Most can be recovered, but it’s a time-consuming exercise and you have to know what you’re doing.
If Google discovers that your blog has been hacked before you do, your site will drop like a stone in the rankings after Google flags it as infected. Even after you recover such a blog, you have to work hard to get the site to climb back in the rankings. It doesn’t happen magically overnight just because you fixed the blog.
And of course, you’re losing revenue from your blog along with regular visitors and new visitors who will never return. And, if your blog has been infected with malware, your visitors may be leaving with a bit of parasitic software that can compromise them.
So there’s a whole host of reasons not to be lazy about making your blogs secure. Don’t be that guy. There are many ways to beef up security in WordPress, too many to go into here, so do some further research. Just remember: Prevention is better than cure!
Find out how you can secure your WordPress blogs by reading Gary’s WordPress Security Bible ebook. There’s more information about the ongoing WordPress attack and WordPress issues over on his Affiliate Blogging Secrets blog.