With all the news of WordPress sites being the target of brute force attacks, I thought I would write a post that touches on WordPress security. Years ago, every new WordPress install started with an “admin” administrator-level account. Now, when you install WordPress, you choose the username for the initial administrator-level account, and it is recommended never to choose “admin”. This specific attack tries to gain entry to WordPress-based sites that still use the “admin” username by trying thousands of common passwords against it. WordPress as a whole is very secure, but the choices users make can make it less so. Beyond choosing a secure administrator username and password, other steps can be taken:
- Keep WordPress and its plug-ins up-to-date: WordPress periodically releases updates, some of which address security issues. Not deploying every update the second it comes out is no cause for alarm, but letting your installation become badly outdated is. Additionally, every plug-in you add exposes your site to any vulnerabilities that exist within that plug-in, so researching plug-ins before installing them is as important as keeping them, and WordPress itself, up-to-date.
- Harden WordPress: The Codex has a great overview of additional steps that can be taken to harden your WordPress install.
- Security-based plug-ins: There are plenty of plug-ins geared towards adding security measures to WordPress. A simple search for “security” in the plug-in repository will generate a ton of results.
- Web Hosts: I host my website with Kinsta, which is a hosting company geared specifically towards hosting WordPress-based sites, where security is a major focus. While it is more expensive than some other hosting options, if you want to go the extra mile with security, it may be worth checking out.
Overall, if the right steps are taken, WordPress is definitely a secure solution for any website. The Codex even offers guidance on how to protect yourself from brute force attacks. Even with the news of these brute force attacks, I wouldn’t hesitate in the slightest to use WordPress for any future project.
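As an added example (not part of the original post), here is a defender-side check for the kind of attack described above: it scans constructed web server access log lines for bursts of failed login POSTs to /wp-login.php from a single source address. The log lines, the status-code heuristic and the thresholds are assumptions of this example, not something the post specifies.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.5 - - [12/Apr/2013:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2990 "-" "Mozilla/5.0"
198.51.100.5 - - [12/Apr/2013:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Apr/2013:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Apr/2013:10:05:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path, status) for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path.split("?", 1)[0], int(status)

def failed_login_times(lines):
    """Group likely failed logins by source IP. Heuristic (assumed here): a POST to
    /wp-login.php answered with 200 re-rendered the form, while a success redirects with 302."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == "/wp-login.php" and rec[4] == 200:
            by_ip[rec[0]].append(rec[1])
    return by_ip

def flag_brute_force(lines, threshold=5, window_seconds=60):
    """Return {ip: peak_attempts} for IPs with >= threshold failed logins in any window."""
    flagged = {}
    for ip, times in failed_login_times(lines).items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > timedelta(seconds=window_seconds):
                start += 1  # slide the window start forward until it fits
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged
```

Calling `flag_brute_force(SAMPLE_LOG.splitlines())` flags only 203.0.113.7; the single successful login and the two widely spaced failures from 192.0.2.9 stay below the threshold.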