July 11th, 2013

Securing WordPress. Protect your Site or Blog from Escalating Attacks!

For a deep dive, see our white paper: Securing WordPress

WordPress is used by about 15% of the top 1 million web sites on the web and manages about 22% of all web sites as of August 2011.  It has only been growing since then.  Indeed, a large fraction of our hosting clients use WordPress, as does LuxSci for many different applications (e.g. blog, server status, video blog, etc.).

Unfortunately, WordPress has a history of being attacked, having significant security vulnerabilities, and being a source of security pain for web site administrators.

Things have gotten markedly worse recently:

  1. Bot Net Attack:  Wordpress sites all across the Internet are being attacked by a botnet that is attempting to guess administrative and user credentials by brute force.  This is compromising sites and causing significant load on web hosting servers.  This attack is “light” now, but expected to get only worse says CloudFlare, a cloud security firm. Indeed, LuxSci.com sees these attacks constantly on all WordPress sites that we host. We have measures in place to auto-block IP addresses that appear to be attacking WordPress sites; however, as the attack is coming from more than 90,000 different, unrelated IP addresses, they are hard to block outside of WordPress itself (see below for how to block them). These attacks are going after “wp-login.php”, the user name “admin” and trying the most common 1000 or so passwords.  Besides that, the sheer burden of the massive, if simple, attack is straining web hosting servers across providers.
  2. Vulnerabilities: Most problems with compromised WordPress sites arise due to vulnerabilities in the WordPress software or installed plugins.  Vulnerabilities are continuously found and corrected and new versions of the software released.  However, the vast majority of WordPress sites do not update their software, or seldom update. Attackers troll the Internet looking for outdated WordPress installs and then attack them with known vulnerabilities to gain control over these sites.  With more and more WordPress sites out there, there are more and more sites that are not keeping abreast with security updates.  They are ripe for the picking.
In this article, we discuss the best practices for securing your WordPress site.  Wordpress is a great tool if used properly.

1. Change your “Admin” username and password

The very first things you should do with any WordPress installation are:
  1. Change the administrative username from “admin” to something else.  As “admin” is the default administrative login, bot nets and other attackers will try to guess the password to that login to attempt to gain access to your WordPress system.  If there is no “admin” login, they can’t guess its password.
  2. Use strong passwords.  Botnets and other attackers that try to guess your password by brute force will be unable to guess your password if you pick a good one.  See Revised Password Strength Criteria and Security Simplified: The Base+Suffix Method for Memorable Strong Passwords for ideas.

2. Keep WordPress and Plugin software Up To Date

After having a weak default administrative user login, having old and insecure software is the number 2 problem for WordPress sites.  Be sure that you check for updates at least every 60-90 days and update all plugins and WordPress itself to the latest versions.
Fortunately, WordPress itself makes installing updates pretty easy.  With a few clicks, you can have WordPress download and install any updates you need.  We recommend making sure that your web site and WordPress database are backed up before making updates … just in case.
Sign up for new WordPress Release Notification emails on wordpress.org.  This will keep you informed of when there are new versions of WordPress that you should install.

3. Use Plugins to Enhance your Site Security

WordPress is amazing in the number of plugins available.  There are several that go a long way to really locking down your site’s security.  Here are some that we recommend:
This simple plugin blocks admin access to your WordPress site from unknown IP addresses when an attack is detected, while still allowing admin access from trusted IP addresses.  This goes a long way toward protecting your site against the current and any future brute force distributed login attacks against any user logins.
This is the #1 WordPress Security plugin; it enables you to lock down WordPress in a vast number of ways such as:
  • Changing the default wordpress URLs so attackers can’t just go after known end points like “wp-login.php”
  • Obscuring WordPress and its properties, database, and version
  • Protecting your site , enforcing SSL where needed, enforcing strong passwords, detecting and blocking many bots, user agents, and attacks
  • Creating and emailing database backups

Much much more, see their page for a full description.


The DuoSecurity plugin together with an account at www.DuoSecurity.com, provides amazingly easy to use 2-factor authentication for your WordPress site.  Its free for sites with 10 or fewer admins/editors being protected by it.

We highly recommend this plugin.  If your username and password should be compromised in any way, attackers will still be blocked from login access due to the additional requirement of a “2nd factor” to login (e.g. your phone, a hardware token, etc).

If you have a LuxSci account, you can use your same DuoSecurity account to add free 2-factor login protection to your LuxSci.com WebMail interface as well.


Jetpack is a plugin that provides a host of features available to sites not hosted at WordPress.com.   A critical security update for a bug that allows an attacker to bypass a site’s access controls and publish posts should be applied immediately if you use any of Jetpack’s modules.

What about WordPress.com Sites?

If your WordPress site is at WordPress.com, then you cannot install your own Plugins.  The good news is that they take care of ensuring that all of your software is updated and that proper server security is observed.  You can also ensure that the settings provided are well configured for security:

In your “Personal Settings” for administrative users (at least):

  1. Browser Connection: enable “Always use HTTPS when visiting administration pages”
  2. Username: Do not use the username “admin”.
  3. Strong Password: Always use a strong password.  They have a button “Generate strong password” that will give you a good strong random password if you need a new one.

What about WordPress sites at LuxSci.com?

For clients hosting WordPress sites at LuxSci.com, in additional to the above recommendations for self-hosted sites, we recommend:

  1. LuxSci Does It: LuxSci provides a service where one of our technicians will install WordPress for you for $50.  We will place it in a location of your choosing, secure it with SSL if your site has that, and install/configure the above security plugins for your site.  If you do not have the time to do it yourself, are not technical, or just want it done properly the first time, ask us to do it for you.
  2. File Ownership.  When installing your WordPress site, we recommend that you use our “FileManger” tool to make the entire site owned by the “web server”.  This will enable WordPress itself (which runs as the web server user on LuxSci) to update itself, to save file and perform other disk operations easily.  If you need FTP or SFTP access, you can use your special FTP user for compatible access.
  3. WordPress and Plugin Updates. Part of LuxSci’s Acceptable Use Policy requires that you actively maintain your web site security.  This means updating your WordPress software and plugins frequently.  Fortunately, this should not be difficult using WordPress’ built-in update mechanisms via FTP/SFTP.
  4. Tutorials:
    1. Member’s Help on Installing WordPress
    2. Video on Installing WordPress


Read Next: For a deep dive, see our white paper: Securing WordPress

Leave a Comment

You must be connected or logged in to post a comment. This is to reduce spam comments.

If you have not previously commented, you can connect using existing social media account, or register with a new username and password.