We have had a lot of new people join lately who are following the wise advice (from Lisa and others) to use WordPress for a CMS (content management system) and shortcut around learning a lot of code at the beginning. This post is not about anything new, but it is for those who do not know about this, or who may not have acted on it yet, so that they take the elementary steps to block hackers from getting into their site.
I just got a notice from a program I have installed which is what motivated me to make this post. This is what it said:
16 failed login attempts (4 lockout(s)) from IP: 18.104.22.168
Last user attempted: admin
IP was blocked for 24 hours
You will notice two things here. First, the login attempts that were blocked tried to get in by using the old WordPress administrator default, "admin", and then guessing at passwords.
The first step a person should take is to get rid of the default "admin" administrator if it is being used. It is very easy. Just set up a new user name and give it administrator privileges. Once you are sure it is working OK, delete the "admin" user. Most hackers will likely be using it and will automatically be rejected. In my case, even if they had guessed my password (and robots can try a lot of combinations) their attempt would not have worked.
The second step which I recommend is to install the free plugin I use, "Limit Login Attempts." You can adjust the settings, but if you look at the report I received you will see that any ISP that tries four times to log in with the wrong combination of username and password will be blocked for 24 hours. Amazingly, I think, the report here shows that this ISP has been blocked four times for 24 hours. They do not give up easily!
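As an added illustration (not the plugin's code and not part of the original post), here is a small Python model of the lockout behaviour described above: four wrong attempts from one address start a 24-hour block, attempts made while the block lasts are refused without being counted, and the counters produce a notice in the same shape as the one quoted earlier. The IP address, timestamps and event list are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

class LoginLimiter:
    def __init__(self, allowed_retries=4, lockout=timedelta(hours=24)):
        self.allowed_retries = allowed_retries
        self.lockout = lockout
        self.streak = defaultdict(int)     # failures since the last lockout, per IP
        self.failures = defaultdict(int)   # total counted failures, per IP
        self.lockouts = defaultdict(int)   # lockouts issued, per IP
        self.blocked_until = {}            # IP -> time the current lockout ends
        self.last_user = {}                # IP -> last username tried

    def is_blocked(self, ip, now):
        return ip in self.blocked_until and now < self.blocked_until[ip]

    def failed_login(self, ip, username, now):
        """Record one failed attempt; return 'rejected', 'counted' or 'locked'."""
        if self.is_blocked(ip, now):
            return "rejected"              # refused outright while the lockout lasts
        self.failures[ip] += 1
        self.streak[ip] += 1
        self.last_user[ip] = username
        if self.streak[ip] < self.allowed_retries:
            return "counted"
        self.streak[ip] = 0                # threshold reached: start a new lockout
        self.lockouts[ip] += 1
        self.blocked_until[ip] = now + self.lockout
        return "locked"

    def report(self, ip):
        """Notice in the same shape as the one quoted in the post."""
        hours = int(self.lockout.total_seconds() // 3600)
        return (f"{self.failures[ip]} failed login attempts "
                f"({self.lockouts[ip]} lockout(s)) from IP: {ip}\n"
                f"Last user attempted: {self.last_user[ip]}\n"
                f"IP was blocked for {hours} hours")

# Constructed sample: one source tries "admin" four times in a row, once every
# 25 hours, for four rounds, plus one extra attempt two hours into the first
# lockout (refused, not counted). The address is a documentation-range value.
BASE = datetime(2024, 1, 1, 8, 0)
SAMPLE_EVENTS = [(BASE + timedelta(hours=25 * d, minutes=m), "198.51.100.7", "admin")
                 for d in range(4) for m in range(4)]
SAMPLE_EVENTS.append((BASE + timedelta(hours=2), "198.51.100.7", "admin"))

def replay(events, allowed_retries=4, lockout_hours=24):
    limiter = LoginLimiter(allowed_retries, timedelta(hours=lockout_hours))
    outcomes = defaultdict(int)
    for when, ip, user in sorted(events):   # feed events in time order
        outcomes[limiter.failed_login(ip, user, when)] += 1
    return limiter, dict(outcomes)
```

Running `replay(SAMPLE_EVENTS)` and printing `report("198.51.100.7")` reproduces the "16 failed login attempts (4 lockout(s))" notice from the post.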
These are extremely important steps to take with a new WordPress site, and they only take a couple of minutes to do. I thank everyone here who has written about them before, especially Lisa, who has made a strong point of changing the user name in some of her posts.
I have a site where I am collecting my most important ideas for successful work online, mostly as reminders and mini-tutorials for how to do things so I can get to the information when I need it (especially for things like this that I do not do often but do not want to forget). I am thinking that I am going to write this up and add it to my collection. I never want to neglect it, especially as I think of what I might be going through right now if the hacking identified in this report had succeeded in accessing my site.