Shannon is the person who helped me escape the snowy winters of Minnesota for the sandy beaches of California. She will always have a special place in my heart, so I was happy to help bring her dream of The Heavy Purse to life, which included designing and maintaining the website. It’s a pretty stress-free job, but this past Labor Day, I woke up to more than 2,000 emails, and I don’t even know 2,000 people! A quick glance at my inbox confirmed my suspicions—The Heavy Purse was in the midst of a brute force attack.
The attack started a little after midnight and didn’t end until about 9:00 AM. Since then, we’ve undergone about 3-4 more attacks. It’s a bit nerve-wracking and annoying, but if you run a blog, at some point you will be on the receiving end of a brute force attack. Today, I want to share a few things you can do to protect your blog.
In its most basic form, a brute force attack is a bot trying to log into your blog by submitting username and password guesses over and over. Bots are typically looking for low-hanging fruit: bloggers who left their username as admin and use a very common password, such as password or 123456. We may not even realize we’ve been hacked until Google sends us an email saying our site has been compromised and is being blacklisted. Eek.
Approximately 90% of the usernames attempted were admin or some variation of it, including: Admin, admin, adm, Administrator, administrator, User (and User1, User2), tester and test.
Most of us breathe a small sigh of relief when we see those usernames, because we’re not using them. Good for you. Here’s another one they used: theheavypurse.
Uh-oh. That’s far more specific than admin. And it wouldn’t surprise me to learn that some bloggers do use their blog name as their username, especially those who blog anonymously.
Here’s another doozy: tanya.
Yup. They tried using my name. Thankfully, I changed my username a long time ago … but still. They are obviously getting smarter. So let’s not make it easy for them and use stronger usernames and passwords.
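The pattern described above (mostly generic admin-style guesses, with a few site-specific names mixed in) is exactly what you want to pull out of the pile of notification emails. Here is a small triage script, added as an example and not code from The Heavy Purse or any plugin: it parses failed-login lines, measures how much of the attack is generic, flags the usernames that could only come from someone who looked at your site, and lists source addresses firing fast enough to block. The log lines, the line format, the 5-minute window and the threshold of 5 attempts are all constructed assumptions; adjust `LINE_RE` to whatever your plugin actually emails or logs.

```python
"""Triage failed-login notifications from a WordPress brute force attack.

Added example. The sample lines below are constructed to resemble the
per-attempt notifications a limit-login plugin sends; real formats differ.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp, source IP, username tried.
SAMPLE_LOG = """\
2013-09-02 00:07:11 203.0.113.5 failed login for user "admin"
2013-09-02 00:07:12 203.0.113.5 failed login for user "Admin"
2013-09-02 00:07:14 203.0.113.5 failed login for user "administrator"
2013-09-02 00:07:15 203.0.113.5 failed login for user "adm"
2013-09-02 00:07:17 203.0.113.5 failed login for user "test"
2013-09-02 00:07:19 203.0.113.5 failed login for user "User1"
2013-09-02 00:07:21 203.0.113.5 failed login for user "theheavypurse"
2013-09-02 00:07:23 203.0.113.5 failed login for user "tanya"
(notification footer text, not an attempt, is skipped by the parser)
2013-09-02 00:08:02 198.51.100.77 failed login for user "admin"
2013-09-02 00:08:04 198.51.100.77 failed login for user "admin"
2013-09-02 08:55:40 192.0.2.9 failed login for user "tanya"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<ip>\S+) '
    r'failed login for user "(?P<user>[^"]*)"$'
)

# Usernames a bot tries on every site, regardless of whose site it is.
GENERIC_USERNAMES = {"admin", "administrator", "adm", "user", "tester", "test"}


def is_generic(username):
    """True for admin/test/user style guesses, including User1, user2, ..."""
    base = username.lower().rstrip("0123456789")
    return base in GENERIC_USERNAMES


def parse_log(text):
    """Return (timestamp, ip, username) for every line that matches LINE_RE."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # footer text, headers, anything that is not an attempt
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def triage(text, site_specific, window=timedelta(minutes=5), threshold=5):
    """Summarise an attack: username mix, targeted guesses, noisy IPs.

    site_specific: names that would only be guessed by someone who looked
    at *this* site (blog name, author names, old usernames).
    """
    events = parse_log(text)
    users = Counter(u for _, _, u in events)
    generic_hits = sum(c for u, c in users.items() if is_generic(u))
    generic_share = generic_hits / len(events) if events else 0.0

    wanted = {s.lower() for s in site_specific}
    targeted = sorted({u for u in users if u.lower() in wanted})

    # Sliding-window count per source IP: `threshold` attempts inside
    # `window` is enough to justify a block.
    by_ip = defaultdict(list)
    for ts, ip, _ in events:
        by_ip[ip].append(ts)
    noisy = []
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                noisy.append(ip)
                break

    return {
        "attempts": len(events),
        "usernames": dict(users),
        "generic_share": generic_share,
        "targeted": targeted,
        "block": sorted(noisy),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, site_specific=["theheavypurse", "tanya"])
    print(f"{report['attempts']} attempts, "
          f"{report['generic_share']:.0%} generic usernames")
    print("targeted guesses:", report["targeted"])
    print("block these IPs:", report["block"])
```

The two numbers worth watching are the targeted list (a guess of your blog name or your real name means the attacker did at least a little homework) and the block list, which is what you would feed to a lockout plugin or your host's firewall.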
Log in to WordPress and go to Users. Click Add New. Type in your new username.
I strongly recommend that you use both upper and lower case letters and numbers. WordPress only accepts letters, numbers, spaces and a few punctuation characters (underscore, period, hyphen and @) in a username, so most symbols are out. Do NOT use your name or your blog name, and ideally avoid a REAL word: dictionary words are the first thing a guessing bot tries.
Next, add your email address. WordPress requires every user to have a unique email address, so you can’t reuse the one linked to your current username. Put in a real, but temporary, email address and we will swap it out later. Now type in the name that you want to show publicly with your posts. This can be your real name or your blog name.
Now it’s time to create a STRONG password. You want it to be at least 12 characters long, and longer is better. Use a combination of upper and lower case letters, numbers and symbols. You MUST use all four! I would again avoid using real words.
Select Administrator for the Role and save. Log out of WordPress and log back in as the new user you just created.
Go back to Users and click on All Users.
Hover over your old User Name and Edit or Delete should appear. Click on Delete.
It will ask you whether you want to delete all posts or attribute them to another user. Choose to attribute posts to your new user and confirm the deletion. Go back to Users and All Users, edit your new profile and update the email address, if necessary. Many bloggers have a gravatar associated with a specific email address, and that email address needs to be the one linked to your profile if you want your gravatar to appear.
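Picking the new username and password is the only step above you can get wrong without noticing, so here is a helper, added as an example and not part of the original post, that generates both with a cryptographic random source and checks any candidate against the rules just described: mixed case and digits in the username, at least 12 characters with all four character classes in the password, nothing generic like admin or test, and nothing that contains your name, blog name or old username. The minimum username length of 8 and the symbol set are my own assumptions; the page sets no username length.

```python
"""Generate and check a WordPress username and password per the rules above.

Added example, not code from the original post. Assumptions: usernames are
drawn from letters and digits only (WordPress accepts those), a minimum
username length of 8, and the SYMBOLS set below for passwords.
"""
import secrets
import string

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
# Quotes and backslash left out: they tend to get mangled when copied around.
SYMBOLS = "!#$%&()*+,-./:;<=>?@[]^_{|}~"
GENERIC_USERNAMES = {"admin", "administrator", "adm", "user", "tester", "test"}


def contains_word(candidate, words):
    """True if any site-specific word (name, blog name, old login) is inside candidate."""
    c = candidate.lower()
    return any(w.lower() in c for w in words if w)


def check_username(username, avoid=()):
    """Return the list of rule violations; an empty list means it passes."""
    problems = []
    if len(username) < 8:
        problems.append("shorter than 8 characters")
    if any(ch not in UPPER + LOWER + DIGITS for ch in username):
        problems.append("contains characters other than letters and digits")
    for label, cls in (("an upper-case letter", UPPER),
                       ("a lower-case letter", LOWER),
                       ("a digit", DIGITS)):
        if not any(ch in cls for ch in username):
            problems.append("missing " + label)
    if username.lower().rstrip(DIGITS) in GENERIC_USERNAMES:
        problems.append("generic username that bots try first")
    if contains_word(username, avoid):
        problems.append("contains your name, blog name or old username")
    return problems


def check_password(password, avoid=()):
    """Return the list of rule violations; an empty list means it passes."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    for label, cls in (("an upper-case letter", UPPER),
                       ("a lower-case letter", LOWER),
                       ("a digit", DIGITS),
                       ("a symbol", SYMBOLS)):
        if not any(ch in cls for ch in password):
            problems.append("missing " + label)
    if contains_word(password, avoid):
        problems.append("contains your name, blog name or username")
    return problems


def generate_username(length=10, avoid=()):
    """Random letters and digits, regenerated until every rule passes."""
    alphabet = UPPER + LOWER + DIGITS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_username(candidate, avoid):
            return candidate


def generate_password(length=20, avoid=()):
    """Random characters from all four classes, regenerated until every rule passes."""
    alphabet = UPPER + LOWER + DIGITS + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate, avoid):
            return candidate


if __name__ == "__main__":
    # Constructed sample of words to keep out of the credentials.
    avoid = ["theheavypurse", "tanya"]
    print("username:", generate_username(avoid=avoid))
    print("password:", generate_password(avoid=avoid))
    print("why 'admin' fails:", check_username("admin", avoid))
```

Run it once, paste the two values into the Add New form, and store the password in a password manager rather than a sticky note. If you have shell access to the host, WP-CLI performs the same dance without the dashboard: `wp user create <login> <email> --role=administrator --user_pass=<password>` to add the account, then `wp user delete <old-login> --reassign=<new-user-id>` to remove the old one and hand its posts over.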
Well, I hate to be a Debbie Downer, but no one is ever 100% safe against hackers. You have, however, made it harder to get in through your username and password. One caveat: WordPress does not treat usernames as secrets. By default the author archive URL (yoursite.com/?author=1 redirects to /author/your-username/) reveals the login name of user 1, so a bot can simply look it up. If you can, give the new account an author slug that differs from the login name (WP-CLI’s wp user update or a plugin can change it), and remember that the password is what carries most of the weight.
As I mentioned earlier, I received email notifications for failed log-in attempts, which is how I realized The Heavy Purse was under a brute force attack. I’m sharing how to use limit log-in attempts on my blog, Eat Laugh Purr, so please be sure to visit me there for some additional tips on how to protect your website. And if you have any questions about changing your username, please leave them in the comment section below. I will do my best to answer your questions.
Images courtesy of www.freedigitalphotos.net
The more complicated a username and password are, the harder it will be.
The hackers do not earn anything from doing these attacks other than fun.
For them it is like any other computer game. And when they win they can add all kinds of funky posts to your blog, mess with your code and pretty much put you out of business. That is their goal.