Earlier in May I wrote about a plugin for WordPress blogs that will limit the number of login attempts you can make before you get blocked. This is purely done to protect your blog from brute force attacks where someone tries passwords until they find a matching one.
Now I’ve been using the plugin for some time and I have so far received 5 emails (!!!) from the plugin because of IP addresses that has been blocked because of too many invalid login attempts using the user name admin. This is really scary and got me paranoid to the maximum.
So the conclusion of this is that you should:
- Get this plugin (can be downloaded from WordPress.org for free here)
- Remove the standard administrator account with the user name admin (will explain how to do that in a separate blog post later)
- Get a really strong and secure password which is hard to crack using brute force (just see this blog post to find out how easily your password can be cracked)
So why are they after the password for the admin account? First of all they focus on the user name admin because most blogs have an administrator account with that user name so they only have to crack the password. Secondly with the admin account cracked they can do whatever they want to with your blog, and if you also use the same password for your email account with Google, Yahoo or MSN then they’ve struck gold. With access to your email account the hackers can access any account you have with almost anyone, since they can just have the new password emailed to your email account.
Install the plugin now!