Why is WordPress so popular?
Millions of websites are powered by WordPress software and there’s a reason for that. WordPress is the most developer-friendly content management system out there, so you can essentially do anything you want with it. Unfortunately, that has some downsides as well.
For example, if you don’t change your default configuration, hackers and some pesky users with too much curiosity immediately know where to log in to get into your admin area. In WordPress, you can just type in domain.com/wp-admin and it will take you right to the login screen. At that point, it’s all about trying to crack your password. The most common method hackers use is brute force, which allows them to test millions of login combinations in a short amount of time.
There are a few different preventive measures you can take in order to minimize the risk of getting your website hacked.
Limit login attempts
By default, WordPress allows unlimited login attempts, either through the login page or by sending special cookies. This allows passwords (or hashes) to be brute-force cracked with relative ease.
There is a nifty little WordPress plugin called Limit Login Attempts that enables you to limit the number of failed login attempts and even ban an IP for a specified number of hours.
Limit Login Attempts blocks an Internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible.
The hacker would need many different proxies, because the plugin keeps banning each IP address after a certain number of failed login attempts.
All options are customizable in this plugin. You can select how many failed login attempts you will allow, how long they’re locked out, and how many lockouts it will take to issue a temporary IP ban.
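To make the three settings concrete (allowed retries, lockout length, and how many lockouts trigger the long ban), here is a small model of per-IP lockout logic. It is an added illustration written for this article, not the plugin's own source code; the thresholds and the IP addresses are chosen for the example, and `simulate_single_ip` shows how few guesses from one address actually reach the password check once the limiter is in place.

```python
"""Model of IP-based login lockout in the style of Limit Login Attempts.

Added example for this article; not the plugin's code. Threshold values
below are illustrative, not the plugin's defaults.
"""
from dataclasses import dataclass, field
from typing import Dict

ALLOWED_RETRIES = 4            # failed attempts before a lockout
LOCKOUT_SECONDS = 20 * 60      # length of a normal lockout
ALLOWED_LOCKOUTS = 4           # lockouts before the long ban kicks in
LONG_LOCKOUT_SECONDS = 24 * 3600


@dataclass
class IpState:
    retries: int = 0          # failures since the last lockout or success
    lockouts: int = 0         # lockouts issued so far
    locked_until: float = 0.0 # epoch-style timestamp; 0 means not locked


@dataclass
class LoginLimiter:
    states: Dict[str, IpState] = field(default_factory=dict)

    def is_locked(self, ip: str, now: float) -> bool:
        state = self.states.get(ip)
        return state is not None and now < state.locked_until

    def record_failure(self, ip: str, now: float) -> str:
        """Register one failed login from ip.

        Returns 'locked' (attempt rejected without checking the password),
        'allowed' (checked, still under the retry limit), 'lockout' (this
        failure triggered a normal lockout) or 'long_lockout'.
        """
        state = self.states.setdefault(ip, IpState())
        if now < state.locked_until:
            return "locked"
        state.retries += 1
        if state.retries < ALLOWED_RETRIES:
            return "allowed"
        # Retry limit hit: reset the retry counter and issue a lockout.
        state.retries = 0
        state.lockouts += 1
        if state.lockouts >= ALLOWED_LOCKOUTS:
            state.locked_until = now + LONG_LOCKOUT_SECONDS
            return "long_lockout"
        state.locked_until = now + LOCKOUT_SECONDS
        return "lockout"

    def record_success(self, ip: str) -> None:
        """A successful login clears the counters for that address."""
        self.states.pop(ip, None)


def simulate_single_ip(guesses: int, interval: float, ip: str = "203.0.113.5") -> int:
    """Send `guesses` wrong passwords from one constructed IP, one every
    `interval` seconds, and return how many reached the password check."""
    limiter = LoginLimiter()
    checked = 0
    for i in range(guesses):
        result = limiter.record_failure(ip, now=i * interval)
        if result != "locked":
            checked += 1
    return checked


if __name__ == "__main__":
    # 1000 guesses at one per second: only the first few are ever checked.
    print("checked at 1/s:", simulate_single_ip(1000, 1.0))
    # Spacing guesses out past each lockout still runs into the long ban.
    print("checked at one per ~22 min:", simulate_single_ip(20, 1300.0))
```

The point of the simulation is the asymmetry the plugin creates: at one guess per second an attacker gets four password checks and then nothing for twenty minutes, and even an attacker patient enough to wait out every lockout hits the 24-hour ban after the fourth one.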
Don’t Use “admin” as Your Username
Most hackers try to get your password by brute-forcing the “admin” username. If you change your username to something else, that protects your website immediately.
Don’t use wp_ as your database table prefix
Many published WordPress-specific attacks assume that the table_prefix is wp_, the default. Changing it can block at least some database attacks.
Avoid easy passwords
Don’t throw hackers a bone by selecting an easy-to-guess password. Avoid anything that has to do with your name, website name, or other publicly available information about you. And always choose complex password combinations.
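The three points above (username, table prefix, password) can be checked before a site goes live. The script below is an added example written for this article, not WordPress or plugin code; the `wp-config.php` excerpt, the site name, the owner name and the domain are all constructed, and the minimum length and character-class rule are assumptions you can tune to your own policy.

```python
"""Pre-launch checks for username, table prefix and password choice.

Added example for this article. SAMPLE_WP_CONFIG and all names used in
the demo are constructed, not taken from a real site.
"""
import re
import string
from typing import List, Optional

# Constructed excerpt of the relevant lines from a default wp-config.php.
SAMPLE_WP_CONFIG = """
$table_prefix = 'wp_';
define('DB_NAME', 'example_db');
"""

# Account names that brute-force tooling commonly tries first (assumed list).
RESERVED_USERNAMES = {"admin", "administrator", "root", "test"}


def table_prefix(wp_config: str) -> Optional[str]:
    """Return the $table_prefix value from wp-config.php text, or None."""
    m = re.search(r"""^\s*\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""",
                  wp_config, re.MULTILINE)
    return m.group(1) if m else None


def prefix_is_default(wp_config: str) -> bool:
    """True when the site still uses the wp_ prefix that published attacks assume."""
    return table_prefix(wp_config) == "wp_"


def username_is_guessable(username: str) -> bool:
    return username.lower() in RESERVED_USERNAMES


def public_terms_for(site_name: str, owner_name: str, domain: str) -> List[str]:
    """Split names and domain into words an attacker could look up."""
    raw = re.split(r"[\s._\-@']+", f"{site_name} {owner_name} {domain}")
    return sorted({w.lower() for w in raw if len(w) >= 4})


def password_problems(password: str, public_terms: List[str],
                      min_length: int = 12) -> List[str]:
    """Report why a password conflicts with the guidance above.

    An empty list means it passed: long enough, no publicly known term
    embedded in it, and at least three character classes (assumed policy).
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    lowered = password.lower()
    for term in public_terms:
        if term in lowered:
            problems.append(f"contains public term '{term}'")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")
    return problems


if __name__ == "__main__":
    print("default prefix:", prefix_is_default(SAMPLE_WP_CONFIG))
    print("guessable user:", username_is_guessable("Admin"))
    terms = public_terms_for("Jane's Bakery", "Jane Doe", "janesbakery.example")
    print("terms:", terms)
    print("problems:", password_problems("JanesBakery2024!", terms))
```

The password check deliberately looks for whole public terms rather than scoring entropy: a password built from the site name with a year and a symbol appended passes most complexity meters but is exactly what the text warns against.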
Monitor your files for changes
When an attack happens, it always leaves traces, either in the logs or on the file system (new files, modified files, etc.). If you are using OSSEC, for example, it will monitor your files and alert you when they change.