According to this site (http://en.wordpress.com/stats/) there are nearly 65 million installations of the blogging system WordPress in the world. There’s an outside chance that your site is made using it (even if you didn’t realise it) and it’s no surprise it’s so popular, it’s easy to use, easy to expand with plugins and very SEO friendly. However, there’s a downside to this popularity.

When something becomes so popular that everyone’s using it, there’s a chance that some Internet scum-bag is going to want some of the good stuff so they’ll do their best to hack into some websites and see if they can highjack them.

There doesn’t seem to be a consensus on what the hackers were trying to do, but speculation is that they were trying to build a huge ‘botnet’ of sites that they own and which can then be used to attack other sites.

Either way, it’s bad and it can easily be stopped. In fact, all this attack did was try to log in to lots of WordPress accounts using the username “admin” and by trying loads of different passwords. Simple, especially when you realise that many people still use “password” as their password. Tsk.

How do I protect my WordPress site then?

There are a number of simple steps to take to make your installation a little more secure, although bear in mind that nothing is ever 100% protected simply due to the complex nature of software.

Step One – Username

Make sure your login isn’t ‘Admin’ and ‘password’. Yeah stupid but some people still do it. A lot of installs are still using the username of ‘Admin’ and while you’d think that would be safe, it’s still worth changing it.

If someone wants to log into your site and you’ve changed the username to something else, it means they have to find two unique bits of information with immediately makes the hacking job harder.

How to do it

• Log in as ‘admin’ and go to the ‘users’ section of WordPress
• Click on ‘Add User’
• Enter new user details, you’ll need to choose a different email address if you used your existing one as ‘Admin’.
• When you’ve added the user, log out
• Log in with the new user details
• Go to ‘Users’ again and delete the ‘admin’ login.

That’s it! You’re now more secure than you were five minutes ago.

Step Two – Password

So many people use the same password across all their sites which means if someone knows you or knows your details to one site they have access to all of them. So, choose a different password for each one, even better, make sure your password is totally random, not just some words made of your spouses name and your first dog.

The best passwords have lots of random characters, numbers, uppercase and all sorts of things in there making them pretty much impossible to guess, something like this : Rz5$xI&Inv

But how do you keep a note of them? You can’t easily write these sort of passwords down so we need to look at something to keep them for us, and my tool of choice is RoboForm (http://bit.ly/18ovsJH)

This allows you to store all your passwords in one place, even across multiple computers and browsers. When you visit a site that you’ve saved, you click ‘login’ and it does it for you, very neat and it means you can have a separate and totally unique and strong password for each site you visit, including your precious WordPress installs.

Step Three – Plugins

WordPress has about a gazillion ‘plugins’ available for it. These are little bits of code that allow you to add extra functionality to your website. They range from image galleries through to video players but the one I’m going to talk about here is ‘Login Security Solution’ (http://wordpress.org/extend/plugins/login-security-solution/)

This great little plugin will monitor access to your site and if it seems someone is having a lot of trouble logging in or is attempting to hack, it will slow down access until eventually not even giving them a login form. If they log in and it seems like it’s a breach, they’ll be immediately logged out and the account locked, forcing them to use the password reset utility.

This will stop the very type of attack that has blighted so many sites this past month and I suggest you install it straight away.

How to install it

• Head over to the ‘Plugins’ dashboard on your site and choose ‘Add New’
• Type “Login Security Solution” into the search box
• It’ll be the top result, click ‘Install’
• Relax a little bit

And that’s it!

Am I now secure then?

You’re fairly secure. There’s absolutely no-way to be 100% absolutely rock-hard iron-core secure so you should ideally take a lot of backups, too. I’ll talk about that in another post.