We have recently seen a large increase in the number of website hacking attempts. We have even seen one host add an extra level of security, on behalf of its users, to stop the sites it hosts from being attacked.
Basically what happens is that hackers guess the admin login page for your website (it’s probably www.xyz.com/admin, or for WordPress websites www.xyz.com/wp-admin).
A lot of developers accept the default login user name offered by the website system (in the case of WordPress, admin).
So that means hackers can quite easily guess both the login address and the user name; now all they have to do is set off a program that automatically tries common passwords, such as “password” etc., and very quickly they’ve broken into your site and caused all sorts of chaos. This is called a brute force attack. WordPress, by default, conveniently tells the hacker whether the user name or the password is wrong on login (an act of programming madness which we prevent on all our installs).
- Don’t use an obvious user name, and never use admin
- Use a secure password that can’t be guessed or picked out of a dictionary
- If a login fails just say it fails, don’t say which element is wrong (user name or password) [DEVELOPER]
- Consider adding .htaccess protection to admin areas [DEVELOPER]
- Consider adding IP address blocking to admin areas [DEVELOPER]
- Add a security plug-in that detects too many attempts at logging in (and failing) and which then blocks users from that specific location [WordPress]
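As an added illustration (not code from this post or from any plug-in), here is one way a developer can implement the “just say it fails” and “block too many failed attempts” advice above in a small Python login guard. The user name, salt, thresholds and the PBKDF2 hashing are assumptions chosen for the demo; a real WordPress install would use its own password hashing.

```python
import hashlib
import hmac
import time
from collections import defaultdict

MAX_FAILURES = 5        # failed attempts allowed per source address (assumed)
LOCKOUT_SECONDS = 900   # block window once the limit is reached (assumed)

# Constructed demo salt and account store; no "admin" user exists.
_SALT = b"constructed-demo-salt"


def _hash(password: str) -> bytes:
    # PBKDF2 stands in for the platform's own password hashing in this demo.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


USERS = {"editor_k7": _hash("correct horse battery staple")}


class LoginGuard:
    def __init__(self, max_failures=MAX_FAILURES, lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.lockout = lockout
        self.failures = defaultdict(list)  # ip -> timestamps of recent failures

    def _recent(self, ip, now):
        # Forget failures older than the lockout window.
        self.failures[ip] = [t for t in self.failures[ip] if now - t < self.lockout]
        return self.failures[ip]

    def is_blocked(self, ip, now=None):
        now = time.time() if now is None else now
        return len(self._recent(ip, now)) >= self.max_failures

    def login(self, ip, username, password, now=None):
        """Return (ok, message). The message never says which element was wrong."""
        now = time.time() if now is None else now
        if self.is_blocked(ip, now):
            return False, "Too many failed attempts; try again later."
        stored = USERS.get(username)
        # Hash even for an unknown user so timing does not reveal valid names.
        candidate = _hash(password)
        ok = stored is not None and hmac.compare_digest(candidate, stored)
        if not ok:
            self.failures[ip].append(now)
            return False, "Login failed."
        self.failures[ip].clear()
        return True, "Welcome."
```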
Hacking attacks are getting more common, so take some of the simple steps above to protect yourself… and always have a third party backup independent of your web host.