WordPress users: as we clean out this morning's reports of the thousands of brute-force login attempts made last night across our many WordPress sites, two things come to mind.
First, if you're using WordPress anywhere, make sure you are using a plugin that limits login attempts and, ideally, logs the failed ones.
Second, take advantage of a bit of security through obscurity. Remove the default "admin" user. Attackers can't guess the password of an account that doesn't exist. WordPress lets you reassign a deleted user's posts to another account, so reassign them and remove "admin". That step alone will foil 90%+ of the brute-force attempts we're seeing.
Oh, and a pro tip: if you're running your own server, consider logging WordPress login failures to syslog and then using a tool like fail2ban to block the source IP automatically.
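Here is one way to wire up the logging half of that tip, as an added example and not code from the original post: a small must-use plugin that hooks WordPress's `wp_login_failed` action and writes each failure to syslog with the source address, with the matching fail2ban filter and jail sketched in a comment. The plugin name, the fail2ban file paths, the log path and the thresholds are assumptions for illustration.

```php
<?php
/*
 * Plugin Name: Syslog failed logins (added example, not from the original post)
 * Drop this file into wp-content/mu-plugins/ so it loads without activation.
 */

// Best-effort client address. REMOTE_ADDR is the TCP peer; if the site sits
// behind a reverse proxy, map the proxy's forwarded header here instead,
// otherwise fail2ban would end up banning the proxy itself.
function fl_client_ip() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    return filter_var($ip, FILTER_VALIDATE_IP) ? $ip : 'unknown';
}

// Fires once for every failed password attempt (wp-login.php and XML-RPC).
add_action('wp_login_failed', function ($username) {
    // Keep the username printable and bounded so a crafted value cannot
    // inject extra log lines or break the fail2ban regex below.
    $user = substr(preg_replace('/[^\x20-\x7e]/', '?', (string) $username), 0, 60);
    openlog('wordpress', LOG_PID, LOG_AUTH);
    syslog(LOG_WARNING, sprintf('login failed for user "%s" from %s', $user, fl_client_ip()));
    closelog();
});

/*
 * Matching fail2ban pieces (assumed paths; LOG_AUTH lands in /var/log/auth.log
 * on Debian-style systems and /var/log/secure on Red Hat-style ones):
 *
 *   /etc/fail2ban/filter.d/wordpress.conf
 *     [INCLUDES]
 *     before = common.conf
 *     [Definition]
 *     failregex = ^%(__prefix_line)slogin failed for user ".*" from <HOST>$
 *
 *   /etc/fail2ban/jail.d/wordpress.conf
 *     [wordpress]
 *     enabled  = true
 *     port     = http,https
 *     filter   = wordpress
 *     logpath  = /var/log/auth.log
 *     maxretry = 5
 *     findtime = 600
 *     bantime  = 3600
 */
```

Test the filter against a real log line with `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/wordpress.conf` before enabling the jail, so a regex mismatch shows up as zero matches rather than as a silent non-ban.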
Are you managing your own WordPress site, but not sure how to do the things we’re suggesting? Contact us at firstname.lastname@example.org and we can provide the support you need to help keep your site safe.