This is a WordPress-driven website, as are the sites for Sundin Sports Marketing and several of our clients. In fact, it is estimated that over 455 million websites worldwide (about 30% of all sites) use the free Content Management System (CMS). According to one report, 62% of the top 100 fastest growing companies in the US (Inc. 5000) use WordPress.
Pretty good for a platform created in 2003 for bloggers.
Used by businesses, governments, individuals and, yes, bloggers, the CMS owes much of its popularity to its versatility: there are premium themes for any type of business, and plugins that add almost any functionality you could wish for.
But with popularity comes some risk. Every WordPress site ships with the same login page, /wp-login.php, reached through the familiar /wp-admin/ address (which redirects there when you are not logged in). Requesting it is actually one of my favorite ways to figure out whether a site is WordPress-driven or not.
That also means that bots and would-be hackers know exactly where the front door of your website is. Combine that with an active "admin" account (the default username in older WordPress installs, and still the first name every bot tries) and all that stands between an attacker and your site is the password, which they will try to guess by brute force or with lists of leaked credentials.
And they will be persistent in their attempts to figure it out.
Take this site, which as of this writing still uses wp-admin as the login address (a classic case of "do as I say, not as I do"). According to the Limit Login Attempts plugin installed on the site, on June 6 we received 35 failed login attempts and almost 60 on June 2.
A closer look reveals which user names the bots are trying and where they are coming from. Two lessons follow: remove the default admin account, and do not use a user name that matches the domain. Bear in mind that renaming accounts is only a partial fix, because a default WordPress install will tell anyone who asks what the real user names are: the author archive (/?author=1) redirects to a URL containing the author's slug, and the REST API lists every user who has published a post at /wp-json/wp/v2/users. Bots harvest those names first and then start on the passwords.
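The plugin's daily counters come from exactly this kind of data, and you can reproduce them (and the lockout rule such plugins enforce) from the web server's own access log. The script below is an added example, not code from the original post or from any plugin it mentions. It parses constructed Apache/nginx combined-format log lines (documentation IP ranges, invented timestamps), counts failed attempts against the two endpoints that accept WordPress credentials per source IP per day, and replays them through a sliding-window lockout rule. The threshold, window and lockout length are assumptions chosen for the demo, not a plugin's defaults.

```python
"""Triage WordPress brute-force attempts from a web server access log.

Added example, not code from the original post or from any plugin it names.
Counts POSTs to the two endpoints that accept WordPress credentials per source
IP per day, then replays them through a sliding-window lockout rule of the kind
"Limit Login Attempts"-style plugins enforce. The log lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed "combined" format lines: a bot hammering wp-login.php that later
# gets in, a bot probing xmlrpc.php, and one legitimate admin login.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Jun/2023:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4352 "-" "python-requests/2.31"
203.0.113.7 - - [06/Jun/2023:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4352 "-" "python-requests/2.31"
203.0.113.7 - - [06/Jun/2023:02:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4352 "-" "python-requests/2.31"
203.0.113.7 - - [06/Jun/2023:02:14:08 +0000] "POST /wp-login.php HTTP/1.1" 200 4352 "-" "python-requests/2.31"
203.0.113.7 - - [06/Jun/2023:02:14:12 +0000] "POST /wp-login.php HTTP/1.1" 200 4352 "-" "python-requests/2.31"
203.0.113.7 - - [06/Jun/2023:02:14:15 +0000] "POST /wp-login.php HTTP/1.1" 200 4352 "-" "python-requests/2.31"
203.0.113.7 - - [06/Jun/2023:03:02:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.23 - - [02/Jun/2023:11:05:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.23 - - [02/Jun/2023:11:05:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.23 - - [02/Jun/2023:11:05:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.10 - - [06/Jun/2023:09:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
192.0.2.10 - - [06/Jun/2023:09:00:21 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
CREDENTIAL_PATHS = ("/wp-login.php", "/xmlrpc.php")

def parse_line(line):
    """Fields we need from one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "method": m["method"], "status": int(m["status"]),
            "path": m["path"].split("?", 1)[0],  # drop any query string
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}

def login_events(log_text):
    """POSTs to the endpoints that accept a username and password, in time order."""
    evs = (parse_line(l) for l in log_text.splitlines())
    evs = [e for e in evs if e and e["method"] == "POST" and e["path"] in CREDENTIAL_PATHS]
    return sorted(evs, key=lambda e: e["ts"])

def is_failed_attempt(ev):
    # wp-login.php re-renders the form with HTTP 200 on a bad password and
    # answers a good one with a 302 to the dashboard; xmlrpc.php returns 200
    # either way, so every POST to it is counted as an attempt.
    return ev["status"] == 200 if ev["path"] == "/wp-login.php" else True

def is_success(ev):
    return ev["path"] == "/wp-login.php" and ev["status"] in (302, 303)

def attempts_by_day_and_ip(events):
    """The daily counter a login-limiting plugin shows: failures per (day, ip)."""
    counts = defaultdict(int)
    for ev in events:
        if is_failed_attempt(ev):
            counts[(ev["ts"].date().isoformat(), ev["ip"])] += 1
    return dict(counts)

def simulate_lockouts(events, max_failures=4, window=timedelta(minutes=10),
                      lockout=timedelta(minutes=20)):
    """Replay attempts through a sliding-window lockout rule (demo parameters).

    Returns (lockouts, blocked, suspicious): when each IP was locked out, how
    many attempts arrived during an active lockout (these would be refused),
    and successful logins from an IP that had already failed max_failures
    times that day, i.e. a brute force that may have worked.
    """
    recent = defaultdict(deque)      # ip -> failure timestamps inside `window`
    failed_today = defaultdict(int)  # (day, ip) -> failures that got through
    locked_until, lockouts, suspicious, blocked = {}, [], [], 0
    for ev in events:
        ip, ts, day = ev["ip"], ev["ts"], ev["ts"].date().isoformat()
        if ts < locked_until.get(ip, ts):
            blocked += 1
            continue
        if is_success(ev):
            if failed_today[(day, ip)] >= max_failures:
                suspicious.append((ip, ts))
            recent[ip].clear()
            continue
        if not is_failed_attempt(ev):
            continue
        failed_today[(day, ip)] += 1
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:    # expire failures that fell out of the window
            q.popleft()
        if len(q) >= max_failures:
            locked_until[ip] = ts + lockout
            lockouts.append((ip, ts))
            q.clear()
    return lockouts, blocked, suspicious

if __name__ == "__main__":
    evs = login_events(SAMPLE_LOG)
    for (day, ip), n in sorted(attempts_by_day_and_ip(evs).items()):
        print(f"{day} {ip:>15}: {n} failed attempts")
    locks, blocked, sus = simulate_lockouts(evs)
    print(f"lockouts: {locks}\nrefused during lockout: {blocked}\nsuspicious logins: {sus}")
```

Two things the access log shows that the plugin's counter does not: the bot that kept going after the lockout would have been refused, and the 302 from the same address an hour later is the line worth investigating, because a successful login after dozens of failures usually means the password was guessed. Note also that the user names being tried are in the POST body, which the access log does not record; for those you need the plugin's own log or a hook on WordPress's wp_login_failed action.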
An easy way to cut down on, if not entirely end, these attempts is to change the login address. The technically savvy amongst us may be tempted to do this by renaming or editing wp-login.php over FTP (file transfer protocol), but that strategy has problems: every WordPress update overwrites the core files and restores the original login page, so you would have to redo the change after each update, and other parts of WordPress (logout links, password resets, the /wp-admin/ redirect) still point at wp-login.php and break when the file moves.
An easier method is using a plugin like WPS Hide Login to set up a custom login address. For example, instead of sundininc.com/wp-admin, we could change the address to sundininc.com/VWKhNOIF4N, after which the old addresses no longer serve the login form. (For maximum benefit, use a random assortment of characters rather than something guessable such as "SiteAdmin.") Keep in mind that this is obscurity, not authentication: it shakes off the bots that hammer the default address, but anyone who learns the new one (it appears in the browser's address bar and in any logout link) is right back at the login form, and the XML-RPC endpoint at /xmlrpc.php still accepts the same user name and password unless you disable it, so turn that off too when nothing legitimately needs it.
Hiding the WordPress login address is a sensible, low-effort first step, but the measures that actually stop an attacker who finds the form matter more: monitoring and limiting login attempts; requiring two-factor authentication; using strong, unique passwords; giving each user only the role they need; adding a web application firewall and malware scanning; and keeping WordPress, themes and plugins up to date.
Now if you will excuse me – I need to go change our admin login.