Passwords aren’t enough. WordPress security plugins are a must.
If you use WordPress for your website, then you’re in luck because there is a good variety of WordPress security plugins.
I’m so thankful for plugins. And I’m even more grateful that some of them allow you to use their basic features for free.
You get to try them out, see how effective they are, before you commit to spending your money on them for the more advanced features.
If you have a WordPress site, consider checking out WordPress security plugins. Don’t let the bad guys get a hold of your website!
Hackers are relentless. They’ll attack anyone — even a nobody like me.
I started a new website at the end of November 2019, and today I got an alert saying that someone attempted to log in to my WordPress. 😡
Wow. I was just getting started and already they’re trying to move in.
Fortunately, I already had the WordPress plugin Loginizer installed. That helped lock them out.
They had also tried to access xmlrpc.php.
I looked it up:
“An attacker will … access … site using xmlrpc.php … They can … use a single command to test … different passwords. … allows them to bypass security tools that … block brute force attacks.”
https://www.hostinger.ph/tutorials/xmlrpc-wordpress
Wonderful. Juuuuust wonderful.
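Here is what that “single command” actually looks like, as an added example that is not from the original post or from any plugin mentioned here. The XML-RPC method `system.multicall` lets one POST to xmlrpc.php wrap many calls, so a per-request login counter sees one request while hundreds of passwords get tried. The script uses only the Python standard library; the WordPress method names are real, but the usernames, passwords and request bodies are constructed in the script so it runs offline.

```python
"""Count the credential guesses packed into one XML-RPC request.

Added example, not code from the original post or from any plugin it names.
Only the Python standard library is used; the request bodies below are
constructed in the script so it runs offline.
"""
import xmlrpc.client

# Index of the username argument for some WordPress XML-RPC methods that
# authenticate the caller (a representative subset, not the full list).
AUTH_METHODS = {
    "wp.getUsersBlogs": 0,        # (username, password)
    "wp.getProfile": 1,           # (blog_id, username, password)
    "wp.getPosts": 1,             # (blog_id, username, password, ...)
    "blogger.getUsersBlogs": 1,   # (appkey, username, password)
    "metaWeblog.getUsersBlogs": 1,
}


def credential_attempts(body):
    """Return one (method, username) pair per credential guess in the body.

    A plain call carries at most one guess.  system.multicall wraps many calls
    in a single POST, so one request can try hundreds of passwords, which is
    why a per-request login counter never sees a brute-force attack."""
    params, method = xmlrpc.client.loads(body)
    if method == "system.multicall":
        calls = [(c.get("methodName"), c.get("params", []))
                 for c in params[0] if isinstance(c, dict)]
    else:
        calls = [(method, list(params))]
    attempts = []
    for name, args in calls:
        idx = AUTH_METHODS.get(name)
        if idx is not None and isinstance(args, (list, tuple)) and len(args) > idx + 1:
            attempts.append((name, str(args[idx])))
    return attempts


def inspect_request(body, max_attempts=1):
    """Verdict a WAF or security plugin could apply to one POST to xmlrpc.php.

    Blocks when the body cannot be parsed or carries more credential guesses
    than a single genuine login would."""
    try:
        attempts = credential_attempts(body)
    except Exception as exc:            # ExpatError, Fault, wrong structure ...
        return {"block": True, "attempts": 0, "usernames": [],
                "reason": "unparsable body (%s)" % type(exc).__name__}
    block = len(attempts) > max_attempts
    return {"block": block, "attempts": len(attempts),
            "usernames": sorted({u for _, u in attempts}),
            "reason": "%d credential guesses in one request" % len(attempts) if block else "ok"}


def build_single(user, password):
    """Constructed: what a legitimate client (or a one-guess attacker) sends."""
    return xmlrpc.client.dumps((user, password), methodname="wp.getUsersBlogs").encode()


def build_multicall(user, passwords):
    """Constructed: one POST that tests every password in the list."""
    calls = [{"methodName": "wp.getUsersBlogs", "params": [user, pw]} for pw in passwords]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall").encode()


if __name__ == "__main__":
    wordlist = ["password", "123456", "evelyn2019", "letmein"]
    for body in (build_single("admin", "password"), build_multicall("admin", wordlist)):
        print(inspect_request(body))
```

The point of `inspect_request` is that the check has to look inside the request body: counting requests per IP, which is what most login lockout features do, is exactly what multicall sidesteps. If you don’t use XML-RPC at all, blocking xmlrpc.php outright is simpler than inspecting it.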
Then I noticed that with my older evelynyap.com website and the newer website, the brute force attacks were attempted by using the default “admin” username and a user’s Name/Nickname.
It’s a good thing I had already removed the default “admin” username.
Apparently, they’re hoping that some people will never change the default settings, and that some will have the same username and name/nickname. And they’re probably right.
If they see that a user’s name is “Evelyn”, they’ll try using “evelyn” as the username and then brute force the password.
So then I went and made sure that usernames on my site are different from names/nicknames.
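To see how far that guessing goes, here is an added example (not from the original post) that derives the usernames an attacker would try from a public display name or nickname and audits a set of users against them. The user records are constructed for illustration. It also checks one thing the post doesn’t mention: WordPress’s author slug (`user_nicename`) defaults to the username and shows up in /author/ URLs and the REST API users endpoint, so a different display name alone may not hide the login.

```python
"""Audit WordPress users for guessable logins.

Added example, not code from the original post or from any plugin.  The
user records at the bottom are constructed for illustration.
"""
import re


def guesses_from_name(name):
    """Usernames an attacker would derive from a public name.

    Mirrors the post's example: seeing "Evelyn" they try "evelyn".  For a
    two-part name like "Evelyn Yap" the usual joins and initials are added."""
    parts = [p for p in re.split(r"[^a-z0-9]+", name.lower()) if p]
    if not parts:
        return set()
    guesses = {"".join(parts), parts[0], parts[-1],
               ".".join(parts), "_".join(parts), "-".join(parts)}
    if len(parts) > 1:
        guesses.add(parts[0][0] + parts[-1])   # eyap
        guesses.add(parts[0] + parts[-1][0])   # evelyny
    return guesses


def audit_user(user):
    """Return a list of findings for one user record.

    user has the wp_users columns user_login, user_nicename, display_name and
    the usermeta value nickname (all strings)."""
    findings = []
    login = user["user_login"].lower()
    if login == "admin":
        findings.append("login is the default 'admin'")
    for field in ("display_name", "nickname"):
        if login in guesses_from_name(user.get(field, "")):
            findings.append("login is guessable from %s %r" % (field, user[field]))
    if user.get("user_nicename", "").lower() == login:
        # The slug is public via /author/<slug>/ and the REST users endpoint.
        findings.append("author slug (user_nicename) equals login, so it is public")
    return findings


# Constructed sample users; none of these accounts exist anywhere.
SAMPLE_USERS = [
    {"user_login": "admin", "user_nicename": "admin",
     "display_name": "Site Owner", "nickname": "Owner"},
    {"user_login": "evelyn", "user_nicename": "evelyn",
     "display_name": "Evelyn", "nickname": "Evelyn"},
    {"user_login": "qz7-walrus", "user_nicename": "qz7-walrus",
     "display_name": "Evelyn Yap", "nickname": "Evelyn"},
    {"user_login": "qz7walrus", "user_nicename": "evelyn",
     "display_name": "Evelyn", "nickname": "Evelyn"},
]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(u["user_login"], "->", audit_user(u) or ["ok"])
```

Only the last sample user comes out clean: an odd login, and a slug that no longer matches it. The third one shows the trap: a good username is still exposed because the slug was never changed.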
Use good WordPress security plugins!
Nautilus@framapiaf.org on Mastodon suggested that I try the WP Cerber plugin.
Wow. 😃
Now I can even assign the login page to a different URL instead of the WordPress default /wp-admin. 👍
That is to say, when someone tries to go to evelynyap.com/wp-admin, they will get locked out or blacklisted.
I had to set the plugin to do that, of course.
My recommendations for those maintaining their own WordPress website:
- Never use the default “admin” username. Create your own odd username for logging in, and if an “admin” account already exists, make a new administrator account and delete the old one.
- Do not use the same name for your username and your name/nickname. For example, if your chosen name/nickname is “Evelyn”, don’t use “evelyn” as your username! Keep in mind that WordPress also shows the author slug (which defaults to the username) in /author/ archive URLs and in the REST API users endpoint, so a different display name alone is not enough; many security plugins can block this kind of user enumeration.
- Install a security plugin like WP Cerber or Loginizer and tinker with the settings to make sure your site is protected.
- If your security plugin allows it, change your WordPress login page’s URL to something other than the default /wp-login.php (and /wp-admin, which redirects there when you’re logged out).
- Also using the security plugin, deactivate the default URLs and prevent them from being used for logging in. Leave /wp-admin/admin-ajax.php reachable, though: themes and plugins use it for ordinary visitors, and blocking it can break the public side of your site.
- Use a different secret login URL for yourself. Needless to say, you shouldn’t publish that URL anywhere.
- If you don’t need xmlrpc.php (Jetpack and the WordPress mobile apps are the usual reasons to keep it), disable it in the plugin or at the web server, since it lets an attacker test many passwords in one request.
- Whitelist your own IP, and treat any other IPs with great suspicion! Especially if someone from that IP address tries to access your default /wp-admin login page. Block them! Only whitelist an address that doesn’t change, though: a dynamic IP can lock you out of your own site, so keep a way back in, such as renaming the plugin’s folder over FTP or the hosting control panel to disable it.
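Putting the last few recommendations together, here is an added example (not from the original post and not WP Cerber’s or Loginizer’s code) that scans web server access logs for exactly the behaviour above: anyone outside the whitelist who touches the retired default endpoints gets blocked on the first hit, and anyone hammering the real login page gets blocked after a limit. The secret login URL /my-secret-login, the whitelisted address 203.0.113.7 and the log lines are all constructed for the example; the log format is the common Apache/nginx “combined” format.

```python
"""Flag visitors who touch the retired default login endpoints.

Added example, not code from the original post or from WP Cerber/Loginizer.
It assumes the login page has been moved to a hypothetical /my-secret-login,
that 203.0.113.7 is the owner's whitelisted address, and that the log lines
are in Apache/nginx combined format; all three are constructed here."""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

ALLOWLIST = {"203.0.113.7"}          # assumption: the owner's static IP
SECRET_LOGIN = "/my-secret-login"    # assumption: the plugin's custom login URL
MAX_POSTS = 5                        # POSTs to the real login page before blocking

# Constructed sample log; none of these requests happened anywhere.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Dec/2019:10:01:02 +0000] "GET /my-secret-login HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Dec/2019:10:01:09 +0000] "GET /wp-admin/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
198.51.100.23 - - [05/Dec/2019:10:02:11 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "python-requests/2.22"
198.51.100.23 - - [05/Dec/2019:10:02:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 345 "-" "python-requests/2.22"
192.0.2.44 - - [05/Dec/2019:10:03:00 +0000] "GET /wp-admin/admin-ajax.php?action=load_posts HTTP/1.1" 200 512 "-" "Mozilla/5.0"
""" + "".join(
    '192.0.2.80 - - [05/Dec/2019:10:04:%02d +0000] "POST /my-secret-login HTTP/1.1" 200 4321 "-" "Mozilla/5.0"\n' % s
    for s in range(6))


def is_retired_login_path(path):
    """True for the default WordPress login surfaces the plugin has retired.

    /wp-admin/admin-ajax.php is exempt: themes and plugins call it for
    logged-out visitors, so blocking it would break the public site."""
    if path == "/wp-admin/admin-ajax.php":
        return False
    return (path in ("/wp-login.php", "/xmlrpc.php")
            or path == "/wp-admin" or path.startswith("/wp-admin/"))


def scan(log_text, allowlist=ALLOWLIST, secret_login=SECRET_LOGIN, max_posts=MAX_POSTS):
    """Return {ip: reason} for every address that should be blocked."""
    blocked = {}
    login_posts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not combined format; ignore
        ip, method, path = m["ip"], m["method"], m["path"].split("?", 1)[0]
        if ip in allowlist or ip in blocked:
            continue
        if is_retired_login_path(path):
            # Nobody legitimate knows only the retired URL, so one hit is enough.
            blocked[ip] = "requested retired endpoint %s" % path
        elif method == "POST" and path == secret_login:
            # WordPress answers a failed login with 200, so count POSTs, not statuses.
            login_posts[ip] += 1
            if login_posts[ip] > max_posts:
                blocked[ip] = "%d login POSTs, over the limit of %d" % (login_posts[ip], max_posts)
    return blocked


if __name__ == "__main__":
    for ip, reason in scan(SAMPLE_LOG).items():
        print(ip, "->", reason)
```

The whitelisted owner is never counted, the scanner that probes /wp-login.php and xmlrpc.php is blocked on its first request, the visitor whose theme calls admin-ajax.php is left alone, and the address posting repeatedly to the secret login page is blocked once it passes the limit. Feed the resulting addresses to your plugin’s blacklist or to the firewall.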
Stay safe, people. A lot of bad actors out there. Don’t let them win. 🧙♂️