Several WordPress blogs have been hacked in the last two months, leaving webmasters and system administrators puzzled. Network Solutions, one of the hosting companies affected by the hack, discovered how the attacker gained entry and manipulated the websites to serve malicious content or cloaked pages.

According to an article at The Register, the culprit was the wp-config.php file. This file stores the database login credentials that are needed to connect to the database powering the blog. Many users had left the file with permissions that let other Network Solutions customers on the same shared server read it, which handed the database password to anyone with an account on that host.
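The check a webmaster on a shared host should run after reading that is whether wp-config.php is readable by other accounts on the server. The following shell script is an added example, not code from the article or from Network Solutions: it creates a constructed stand-in for wp-config.php, detects group/other access bits and restricts the file to its owner. It assumes the web server runs as the file's owner (suEXEC/suPHP-style hosting); where PHP runs under a separate group, mode 640 with that group is the right target instead of 600.

```shell
#!/bin/sh
# Added example: check and fix the permissions on wp-config.php so that other
# accounts on a shared host cannot read the database credentials.
# The file below is a constructed stand-in, not a real WordPress install.
set -u

WPCONFIG=$(mktemp)
trap 'rm -f "$WPCONFIG"' EXIT
printf "<?php\ndefine('DB_PASSWORD', 'constructed-example');\n" > "$WPCONFIG"
chmod 644 "$WPCONFIG"   # readable by every user on the server: the exposed state

# Print the octal permission bits of a file (GNU stat first, BSD/macOS fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when group and others have no access bits at all, 1 otherwise.
wpconfig_is_private() {
  case "$(file_mode "$1")" in
    *00) return 0 ;;
    *)   return 1 ;;
  esac
}

# Restrict the file to its owner. Assumes the web server runs as the owner;
# on hosts where PHP runs as a separate group use 640 with that group instead.
wpconfig_harden() {
  chmod 600 "$1"
}

echo "before: mode $(file_mode "$WPCONFIG")"
if wpconfig_is_private "$WPCONFIG"; then
  echo "wp-config.php is already private"
else
  echo "wp-config.php is readable by other users, fixing"
  wpconfig_harden "$WPCONFIG"
fi
echo "after:  mode $(file_mode "$WPCONFIG")"
```

Run it as the account that owns the blog; on a real install replace the mktemp stand-in with the path to wp-config.php and drop the line that overwrites it.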

I used this example to show that WordPress webmasters need to be extremely careful when it comes to securing their blog. This little guide gives some tips about passwords and the login process that help the webmaster secure the blog further.

Every WordPress user has a username, a password and a set of rights on the blog. It is generally recommended to select a secure password of at least 12 characters that mixes upper and lower case letters, numbers and at least one special character. Examples of secure passwords are j5w3f_45f!rRd3A and Pec,33.!4eas3ffF (do not use these exact strings now that they are published).
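The policy above can be checked mechanically. The script below is an added example, not part of the original post or of WordPress itself: it names the first rule a candidate password breaks, using the two sample passwords from the text plus two constructed weak ones. A composition check like this only enforces the stated rules; it says nothing about whether a password is guessable from a word list, so it complements rather than replaces a password manager's generator.

```shell
#!/bin/sh
# Added example: check a candidate password against the policy described above
# (at least 12 characters, upper and lower case, a digit and a special character).
# Sample passwords: the two from the text plus constructed weak ones.
LC_ALL=C
export LC_ALL   # keep [A-Z] and [a-z] strictly ASCII ranges regardless of locale

# Print the first rule the password breaks, or "ok" when every rule holds.
password_report() {
  pw=$1
  if [ "${#pw}" -lt 12 ]; then
    echo "too short (${#pw} chars, need 12)"
  elif ! printf '%s\n' "$pw" | grep -q '[A-Z]'; then
    echo "no upper case letter"
  elif ! printf '%s\n' "$pw" | grep -q '[a-z]'; then
    echo "no lower case letter"
  elif ! printf '%s\n' "$pw" | grep -q '[0-9]'; then
    echo "no digit"
  elif ! printf '%s\n' "$pw" | grep -q '[^A-Za-z0-9]'; then
    echo "no special character"
  else
    echo "ok"
  fi
}

# Return 0 when the password satisfies the whole policy, 1 otherwise.
password_meets_policy() {
  [ "$(password_report "$1")" = "ok" ]
}

for candidate in 'j5w3f_45f!rRd3A' 'Pec,33.!4eas3ffF' 'wordpress2010' 'Short1!'; do
  echo "$candidate: $(password_report "$candidate")"
done
```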

These passwords are hard to memorize, and it is a good idea to use a password manager like LastPass to store them. LastPass can not only store them but also log you in automatically.

The first step to a secure WordPress blog is to select a secure password. Another option is to use a separate editor account for writing articles and an administrator account only for administrative tasks, so that a compromised writing session does not hand over full control of the blog. The first user created during the WordPress installation is always an administrator.

The login process is another element of the WordPress site that needs better security. Every attacker knows that the login for most WordPress blogs is handled at example.com/wp-login.php, and attack scripts are written accordingly.
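Because those scripts hammer one known path, their activity is easy to spot in the web server's access log. The script below is an added example, not from the original post: it counts POST requests to wp-login.php per client address in a combined-format access log and reports the addresses at or above a threshold, separating failed attempts (WordPress re-renders the form with status 200 on a failed login and redirects with 302 on success). The log lines are constructed for the example; the threshold is an assumption to tune for the blog's real traffic.

```shell
#!/bin/sh
# Added example: count POST requests to wp-login.php per client address in a
# combined-format access log and report addresses at or above a threshold.
# The log lines below are constructed for this example, not real traffic.
set -u

ACCESS_LOG=$(mktemp)
trap 'rm -f "$ACCESS_LOG"' EXIT
cat > "$ACCESS_LOG" <<'EOF'
203.0.113.5 - - [10/May/2010:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/4.0"
203.0.113.5 - - [10/May/2010:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/4.0"
203.0.113.5 - - [10/May/2010:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/4.0"
203.0.113.5 - - [10/May/2010:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/4.0"
203.0.113.5 - - [10/May/2010:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/4.0"
203.0.113.5 - - [10/May/2010:10:01:04 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3412 "-" "Mozilla/4.0"
198.51.100.7 - - [10/May/2010:10:05:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3380 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2010:10:05:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.com/wp-login.php" "Mozilla/5.0"
198.51.100.7 - - [10/May/2010:10:05:26 +0000] "GET /wp-admin/ HTTP/1.1" 200 25120 "http://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.33 - - [10/May/2010:10:07:00 +0000] "GET /2010/05/hello-world/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
EOF

# Print "ip total failed" for every client with at least THRESHOLD login POSTs,
# busiest first. In combined format field 1 is the client, field 6 the quoted
# method, field 7 the request path and field 9 the response status.
login_post_counts() {
  log=$1
  threshold=$2
  awk -v threshold="$threshold" '
    $6 == "\"POST" && index($7, "/wp-login.php") == 1 {
      total[$1]++
      # a failed login re-renders the form with 200; a success redirects with 302
      if ($9 == 200) failed[$1]++
    }
    END {
      for (ip in total)
        if (total[ip] >= threshold) print ip, total[ip], failed[ip] + 0
    }
  ' "$log" | sort -k2,2nr
}

echo "clients with 5 or more login POSTs (ip total failed):"
login_post_counts "$ACCESS_LOG" 5
```

Point ACCESS_LOG at the real log instead of the heredoc to run it against live traffic; a client with many POSTs and an equally high failed count is the signature of a password-guessing script, while a single POST followed by a 302 is a normal login.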

Stealth Login is a WordPress plugin that protects the blog by renaming the login paths and enabling a stealth mode that prevents users from accessing wp-login.php directly.


Any phrase can be used for the login path; the plugin suggests login by default, which can be changed for extra security. A webmaster would then log into the blog by opening example.com/login/ in the web browser.

This deflects the automated brute force attacks that target the default path and is usually considered a good security addition. It is obscurity rather than a hard control: a targeted attacker who discovers the new path can still guess passwords, so strong passwords remain the primary defense. Stealth Login can be downloaded from the WordPress plugin repository or installed directly from the Plugins section of the blog.
