As it stands, WordPress Security is OK.
It’s certainly a LOT better than the security I had on my home-brew php/mysql website before I got into WordPress. (that site was hacked, which is WHY I got into wp).
BUT. And it’s a big BUT, it could easily be better.
A standard WP install has certain vulnerabilities a hacker can exploit:
- No lockout or blacklisting of users or hostnames after repeated failed logins
- An administrator account named “admin”, with a user ID of 1
- All database tables prefixed “wp_”
- The WordPress version number displayed to everyone
All of these security holes can be used by a hacker to gain access and/or modify your content.
One of my sites was recently taken offline by my hosting company because their security software detected a password hacking attempt. Mega-Kudos for that! – WordPress would have let them get on with it!
So I’ve been installing a plugin called “Better WP Security” on my higher-risk sites.
It’s already detected (and banned) a Russian hacker (in St Petersburg) attempting a password hack. I’ve also rolled his hostname out to my other sites as a precaution.
None of my sites now have an “admin” account, an account with an ID of “1”, or a database table with a “wp_” prefix. I’ve implemented blacklisting (using a known list of bad hosts and user agents), so known bad people don’t even get a look-in, plus a host of other security measures including automatic timeouts between failed attempts and permanent (automatic) hostname banning.
The more obstacles you can put in their way, the more chance the hackers will move on to easier targets elsewhere.
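As an added illustration (not code from this post, nor from the Better WP Security plugin), here is a minimal must-use plugin that covers two of the items above with WordPress’s own hooks: it stops the version number being advertised, and it locks out an address after repeated failed logins. The threshold, the 15-minute window, and keying the counter on REMOTE_ADDR are assumptions.

```php
<?php
/*
Plugin Name: Login hardening (constructed example)
*/
// Drop this file into wp-content/mu-plugins/ so it loads on every request.

// 1. Stop advertising the WordPress version in <head> and in feeds.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

define('LH_MAX_FAILURES', 5);      // failed attempts allowed per window (assumed)
define('LH_WINDOW_SECONDS', 900);  // 15-minute window, also the lockout length (assumed)

function lh_client_key() {
    // Key the counter on the remote address. Assumption: no reverse proxy in
    // front of the site; behind one, a validated proxy header would be needed.
    return 'lh_fail_' . md5($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0');
}

// 2. Count failed logins per address in a transient that expires with the window.
add_action('wp_login_failed', function ($username) {
    $key   = lh_client_key();
    $count = (int) get_transient($key) + 1;
    // Every further attempt refreshes the expiry, so a locked-out address
    // that keeps trying keeps extending its own lockout.
    set_transient($key, $count, LH_WINDOW_SECONDS);
    // Audit line in the PHP error log so the attempts are visible to the admin.
    error_log(sprintf('login failed for "%s" from %s (%d/%d)', $username,
        $_SERVER['REMOTE_ADDR'] ?? '-', $count, LH_MAX_FAILURES));
});

// 3. Refuse authentication once the threshold is reached. Priority 30 runs
// after WordPress's own username/password check (priority 20), so the
// WP_Error returned here is what the caller actually sees.
add_filter('authenticate', function ($user, $username, $password) {
    if ((int) get_transient(lh_client_key()) >= LH_MAX_FAILURES) {
        return new WP_Error('too_many_attempts',
            'Too many failed logins from your address; try again later.');
    }
    return $user;
}, 30, 3);

// 4. Clear the counter on a successful login so legitimate users are not punished.
add_action('wp_login', function () {
    delete_transient(lh_client_key());
});
```

Renaming the “admin” account and the “wp_” table prefix are one-off changes to the user table and wp-config.php rather than something a plugin hooks at runtime, so they are not shown here.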
I recommend “Better WP Security” – and it’s free!