The Global WordPress Brute Force Flood attack the we experience recently affected litlerally thousands of WorPress sites. Many were recovered. But, many were lost.

In March, on HostGator's Blog, one customer reported having three hundred and fifty sites affected. All this, not to mention, the hours lost by WordPress blog owners attempting to regain access to their sites.

So, what can you do to hep protect your WordPress sites from a similar attack? Well, let's talk about some steps that you can take to add some layers of protection to your installations. As well as, ongoing actions that you can take to secure your sites and information.

Your Initial WordPress Installation

I'm sure that you have heard of the one-click installations for WordPress. You web host likely provides Fantastico, Fantastico Deluxe or a similar application to quickly get your sites up and running. I do all my installations manually. We are not going to cover a complete installation here. We are just going to close some security holes.

When you begin your installation, it is a good idea to open a text editor, like notepad, to copy and paste all of your settings into. Things like the database name, database user name and password. You will need them to complete the installation.

Once you have your WordPress files either placed in a folder in your home directory by Fantastico or uploaded yourself, open the wp-config-sample.php file in notepad or your favorite text editor for a little editing. Do Not use Word or Wordpad.

It will look like this, once opened:

Now, copy and past in your DB_Name, DB_User, and DB_Password into the highlighted areas. Then scroll down to the section under 'Authentication Unique Keys and Salts'.

Copy and paste the url, into your browser. This will display a series unique key phrases that are for this installation only. Copy and paste these keys into the highlighted area shown. Be sure to paste these into your notepad file and save later.


That done, scroll down just a bit to the 'WordPress Database Table prefix' area. This section is simple. Your table prefix is a series of numbers or letters or a combination, up to six or characters. It's really up to what you put here. Just type yours in after the underscore. Like this; 'wp_XXXXXXXX'.


The table prefix basically allows you to run multiple WordPress installations from a single database by assigning each it's own individual table prefix. Whether or not you intend to have multiple instances from a single database, it's still a good idea to fill this in.

Remember to add your table prefix to your settings file!

When you have completed these steps, you will want to save your updated wp-config-sample.php file. But you want to save the updated file as 'wp-config.php'. To do this, in notepad, click 'File>save as' and when prompted, type wp-config.php and save it to your desktop.

Then, just upload the the wp-config.php file to the WordPress installation files and delete the wp-config-sample.php file.

Now you are ready to complete the final steps to installing your new site. When you have completed those steps, go back to your WordPress directory, open the 'wp-admin' folder and delete the 'install.php' file. You no longer need it and it can allow someone access to your site.

If you have already installed your site and did not complete these steps, don't worry. Just follow the steps above and you're good to go!

Useful Plugins for Your Site Security

One of the things that makes WordPress such a popular site platform is it's versatility. There are literally hundreds of themes plug-ins and add-ons to extend the capabilities o the basic platform.

There are five primary plug-ins that I suggest. Until recently, I used the Simple-Login-Lockdown plug-in. But, this plug-in has not been updated for quite some time.

Bad Behavior - Michael Hampton
Deny automated spambots access to your PHP-based Web site.

BulletProof Security - AITPro, Edward Alexander
BulletProof Security protects your website against XSS, RFI, CRLF, CSRF, Base64, Code Injection and SQL Injection hacking attempts

BruteProtect - Sam Hotchkiss, Rocco Tripaldi
If any single IP has too many failed attempts in a short period of time, they are blocked from logging in to any site with this plugin installed.

TimThumb Vulnerability Scanner - Peter Butler
Keep your instances of Timthumb up to date and free from vulnerabilities simply. Bonus - checks for obvious signs of compromised sites.

WordPress Hashcash Extended - Elliot Back
Client-side javascript blocks all spam bots. XHTML 1.1 compliant.

As I said earlier, there are many plug-ins available. Just as there are as many opinions as to which are the best or not.

A one hundred percent secure site is a dream. If someone wants in bad enough, they will get in. Bottom line!

But, as site owners, it is up to us to make our sites as safe and secure as possible for our visitors and clients.

Until next time!

Technorati Tags: Global WordPress Brute Force Flood, WordPress, WordPress Security