Been some discussion recently on the WPUK mailing list after some recent mass attacks on WordPress sites. Lots of good advice from people.
- Do you need to allow access from all IPs?
- Do you need to be able to log in all the time, or can you say users never log in at 2am in the morning, so logins can be blocked at that time?
- Keep up to date, obviously
- Changing the default locations of login pages, wp-admin etc.
- Using two-factor authentication (YubiKey mentioned)
- CAPTCHAs on the login screen
- Blacklisting visitors by IP address
- Renaming the default ‘admin’ user
All suggestions worth considering depending on your circumstances.
Someone mentioned a user with a password of ‘password’, and I wondered whether there was a way of preventing users from injuring themselves with such a password. By default my current WordPress 3.5 lets a user do pretty stupid stuff like create a user with a username of ‘e’ and a password of ‘password’.
I’ve not added a list of popular passwords that would otherwise pass as secure, but it should do that. It could probably be extended to exclude dictionary words too, though I’m not sure that’s worth doing.
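As an added example of how such a check can be hooked into WordPress (this is not the author’s plugin, nor any of the plugins named in this post), the code below uses the real `user_profile_update_errors` action, which fires when an admin adds or edits a user in wp-admin. The short blocklist is a constructed sample and the 8-character minimum is an assumption.

```php
<?php
/*
Plugin Name: Reject Common Passwords (example)
*/

// Constructed sample of the most-guessed passwords; a real deployment
// would load a much longer published list from a file.
function rcp_common_passwords() {
    return array(
        'password', 'password1', '123456', '12345678', 'qwerty',
        'letmein', 'welcome', 'admin', 'wordpress', 'abc123',
    );
}

// Returns the reasons a password is unacceptable (empty array means accept).
// Kept free of WordPress calls so it can be unit-tested on its own.
function rcp_password_problems( $login, $password ) {
    $problems = array();
    $lower    = strtolower( $password );
    if ( strlen( $password ) < 8 ) { // 8 is an assumed floor, not a WordPress default
        $problems[] = 'Passwords must be at least 8 characters long.';
    }
    if ( in_array( $lower, rcp_common_passwords(), true ) ) {
        $problems[] = 'That password is on the list of commonly guessed passwords.';
    }
    if ( $login !== '' && $lower === strtolower( $login ) ) {
        $problems[] = 'The password must not be the same as the username.';
    }
    return $problems;
}

// At this point edit_user() has copied the plaintext pass1 field into
// $user->user_pass (it is hashed later by wp_insert_user); adding an
// entry to $errors makes WordPress refuse to save the user.
function rcp_check_on_profile_update( $errors, $update, $user ) {
    if ( empty( $user->user_pass ) ) {
        return; // profile edit without a password change
    }
    foreach ( rcp_password_problems( $user->user_login, $user->user_pass ) as $msg ) {
        $errors->add( 'weak_password', '<strong>ERROR</strong>: ' . $msg );
    }
}
add_action( 'user_profile_update_errors', 'rcp_check_on_profile_update', 10, 3 );
```

This only covers the wp-admin Add New User and profile screens; passwords set through registration, password reset or `wp_create_user()` take other paths and would need their own hooks.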
Dave of interconnect.it mentioned a plugin called ‘better-wp-security’, which does quite a few other things as well and seems worth looking at; Dave had had it recommended to him. There are also a few similar plugins with more restricted scope that just stick to passwords, such as ‘force-strong-passwords’ and
I’ve not tried these so I can’t recommend them; I bashed out my own because I was interested. It’s probably not quite so client-friendly as it’s called ‘Stop users using stupid passwords’, so I might have to rename it.
It seems worth checking, especially as you create a new site. If the password isn’t towards the top of the list of ones a bot attacker might try, it will at least take them longer, and it will also stop a human guessing it quite so easily.