I recently taught a WordPress 101 seminar on how to get a blog up and running quickly using WordPress.com. As I wandered the room to assist with any signup problems, I noticed one peculiar dilemma recurring from student to student: almost everyone was stumped on creating a simple username and password. Seeing as this was shortly after the announced brute force attacks targeting WordPress sites, I advised them to be creative, unique, random, and lengthy in their selections. Hopefully they’re all now safe and sound.
The article WordPress Brute Force Attacks, and What You Need to Do About It outlines the steps you should take to avoid being hacked. I’ve listed the main points below, but please read the full article for detailed instructions on each step. These are overall suggestions, but points 1, 2 & 6 should be implemented at absolute minimum.
1. Stop using the admin username
2. Use a strong password
3. Keep good backups
4. Use two factor authentication
5. Limit login attempts
6. Differentiate your username from your site name (added point)
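One way to enforce the three minimum points (1, 2 and 6) at signup, as an added example that is not from the original post or the linked article; the 12-character floor, the character-class rule and the short common-password list are constructed assumptions, not values taken from the page:

```python
import re

# Constructed sample of commonly used passwords (illustrative only, not the infographic's list).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin", "welcome"}

MIN_LENGTH = 12  # assumed floor; the post says "lengthy" without giving a number


def site_slug(site_name):
    """Reduce a site name or URL to its bare lowercase token, e.g. 'https://myblog.wordpress.com' -> 'myblog'."""
    host = re.sub(r"^https?://", "", site_name.strip().lower())
    return re.split(r"[./]", host)[0]


def check_credentials(username, password, site_name):
    """Return a list of policy violations; an empty list means points 1, 2 and 6 are satisfied."""
    problems = []
    u = username.strip().lower()
    p = password.lower()
    slug = site_slug(site_name)

    if not u:
        problems.append("username is empty")
    # Point 1: never use the default 'admin' account, the first name a brute-forcer tries.
    if u == "admin":
        problems.append("username must not be 'admin'")
    # Point 6 (the post's added point): the username must not be guessable from the site name.
    if u and slug and (u == slug or slug in u or u in slug):
        problems.append("username must differ from the site name")

    # Point 2: a strong password is long, mixes character classes, is not a well-known one,
    # and does not embed the username or site name.
    if len(password) < MIN_LENGTH:
        problems.append(f"password shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(rx, password)) for rx in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("password needs at least three character classes")
    if p in COMMON_PASSWORDS:
        problems.append("password is on the common-password list")
    if (u and u in p) or (slug and slug in p):
        problems.append("password must not contain the username or site name")

    return problems


if __name__ == "__main__":
    for args in (("admin", "password", "myblog.wordpress.com"),
                 ("gardenowl", "Correct-Horse-Battery-42", "myblog.wordpress.com")):
        print(args[0], "->", check_credentials(*args) or "ok")
```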
The ZoneAlarm infographic below illustrates some of the most commonly used (read: dangerous) passwords (other than #7), and makes suggestions for creating a strong password that’s easy to remember.