It’s been estimated that more than 40% of the Internet uses WordPress to power their website. This kind of popularity makes it a victim of opportunity, as scripts developed to hack WordPress can be deployed against so many targets. WordPress also offers a large attack surface, with many features willing to give up interesting information quite easily.

At Inacom, we take extra care to secure our Managed WordPress client websites. During our monitoring, we see that most WordPress websites are under constant attack. And one of the most common attack vectors are brute force logins. In this form of attack, scripts are attempting to guess usernames and passwords in an effort to gain access to your website. So one of the best ways to secure WordPress is to use good username practices.

Don’t Use these WordPress Usernames and Types

Here are the most common types of usernames that we see being used in WordPress brute force attacks. If you avoid using them, you’re one extra step away from getting hacked:

WordPress User Roles

The default WordPress user roles are often used in practice, and scripted into brute force attacks. Therefor, you’d be smart to avoid using them on your WordPress website. These account roles are:

• Administrator
• Author
• Contributor
• Editor

You should also avoid using Admin, a common variation of Administrator.

Web-based Job Descriptions

I see this quite often when I onboard new customers into Inacom’s Managed WordPress service. You really shouldn’t allow any of these usernames to exist inside your WordPress website.

• Developer
• Web Developer
• webdev
• SEO
• Analytics
• marketing
• marketer

Domain Name Variations used by your WordPress website

I see these in our logs all the time, so don’t create usernames associated with your domain name! Using this website as an example, I would have my clients avoid using:

• inacom-sby
• inacomsby
• inacom

Name Variations Tied to Your WordPress User Accounts

The WordPress API and Archive Pages can make all kinds of information available to bots and hackers. So don’t allow usernames that follow these common variations:

• firstname
• lastname
• firstnamelastname

Placeholders Tied to WordPress Hacking Scripts

Plenty of WordPress hackers out there are intelligent, but not very bright. They know enough to deploy some pre-written code, but they often make simple mistakes and fail to check on their work. We often see WordPress hacking attempts made with poorly configured scripts. So don’t use these usernames. You probably won’t, but I’m putting them out there just to make sure.

• username
• (username)
• {username}
• [username]

I have corrected my WordPress Usernames to avoid Brute Force Hacking. What else can I do?

We will have a follow up post on this. But I’ll touch upon some best practices here:

Use long, complicated passwords (or passphrases) to avoid WordPress Hacks

Every year, computer processors get faster. This means that hashes can be cracked in less time. This is known as password entropy. Today, researchers are suggesting that longer passwords are better than less complicated passwords. So be sure to get those character counts up!

Strong Passwords are essential. This means a mixture of letters, letter cases, numbers, and symbols. And today’s minimum recommendation is often cited as 12 total characters.

Many people find that passphrases are a bit easier to manage than passwords. They tend to be easier to type, remember, and lend themselves to higher character counts. You can combine dictionary words, numbers and symbols. And often stories or other pnumonic devices are used to remember them. If your uncle, Paul, has three children and your aunt, Betty, has two, you might come up with something like this: UnclePaul*3+AuntBetty*2. Boom! 23 characters, letters (uppercase and lowercase), numbers, and symbols. That’s one beautiful password!

Use a unique password for each of your accounts

This should go without saying at this point, but it still needs to be said. Make your WordPress password unique to the website. Don’t use it anywhere else. That way, a compromised credential that offers up your email address can’t be used against you on your website.

Make use of a Password Manager like BitWarden or LastPass

Password Managers often live as a web browser plugin. They offer tools to easily create secure passwords and store them in an encrypted vault. BitWarden and LastPass are two of our favorites, and there are many others out there.

Deploy a 2FA Solution on WordPress

One of the best ways to secure your WordPress account is to use Two Factor Authentication, or 2FA. By combining something you know (a password or passphrase) with something you have (a mobile phone and/or Authenticator App), you make compromising an account so much more difficult. There are numerous 2FA WordPress plugins available for your website, and many popular Web Application Firewalls offer 2FA built in as one of their features.

Use a WordPress Web Application Firewall

Web Application Firewalls can assist in securing your WordPress installation by analyzing user actions before they actually get interpreted by the website. One of my favorite features of Wordfence is that you can autoban people who attempt to login using any of these referenced usernames. You can also autoban login attempts using any invalid username, but that might create an inconvenience for somebody who makes an innocent typo. WAFs will also help to protect against many other types of WordPress hacks, too. Every site should use one. If you’re looking for basic protection on a budget, WordFence’s free version is fine. We use PatchStack for our Managed WordPress clients because it makes managing WordPress security at scale much easier.

Subscribe to better WordPress Hosting

Sometimes it’s not what you do that gets you hacked – it’s what your webhost fails to do or what your neighbor does. Once or twice a year we pick up a new client that has been hacked as a result of their web host failing to properly secure and manage their web server. Of course, they’ll never tell you they were compromised and it’s their fault. They might offer to move your website to another server, though. If you’re lucky, they configured that one better. Just know that the large web hosts that everybody knows about make tantalizing targets for skilled hackers.

Would you benefit from working with a WordPress Security Pro?

At Inacom, we support many clients as their Web Developer (don’t worry, that won’t be our login to your website!). We also host WordPress websites through our Managed WordPress program, offering frequent plugin and core updates, regular backups, and even Free Hack Repair in the event your WordPress site ever gets compromised. It’s not uncommon for us to identify and close vulnerabilities during the onboarding process. All Managed WordPress signups also receive our 60 day satisfaction guarantee – If we don’t meet your needs, we’ll refund any amount paid to us for the first two months of our engagement! We also don’t lock you into long term contracts, meaning we have to earn your business every day. To get started, call 410.543.8200, complete our Contact Form, or we’d be happy to call you in 28 seconds.