Secure WordPress Sites

As the owner of a small company, and knowing that many of my clients and photographer friends run their own websites on the WordPress engine, I think it’s important to share this.
There’s a global attack on WP installs right now. It’s the worst that we’ve ever seen. (Tech Church article)

 

The goal:

To obtain the sign-in details for your admin account and so gain the control needed to install malware on your server. They hope to accomplish this by means of a brute-force attack: randomly trying to log in until they guess your sign-in, using programs that make this easy for them.

 

The fix:

If you haven’t removed the default user ‘admin’, I suggest you go into Users > All Users and add a new user with a unique name, give that user the Administrator role, and remove ‘admin’ from the list. You’ll use the new user and password you create to sign in from now on.

I also recommend installing a plugin called Login LockDown. It hinders brute-force attempts by locking out any IP address that has 3 failed attempts for 60 minutes before it can try again. It’s ready to go ‘right out of the box’, or you can adjust its settings.
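To see what that lockout policy does to a password-guessing run, here is an added example (not part of the original post and not the plugin's code) that replays web-server access-log lines through the 3-failures/60-minute rule. The log lines are constructed, the 5-minute counting window is an assumption, and treating an HTTP 200 reply to a POST on wp-login.php as a failed login is a heuristic.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in "combined" access-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "-"
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "-"
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "-"
203.0.113.7 - - [01/Jan/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "-"
203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "-"
198.51.100.20 - - [01/Jan/2024:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "-"
198.51.100.20 - - [01/Jan/2024:10:05:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"
203.0.113.7 - - [01/Jan/2024:11:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "-"
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "POST /wp-login\.php[^"]*" (\d{3}) ')
MAX_FAILURES = 3                     # from the post
LOCKOUT = timedelta(minutes=60)      # from the post
RETRY_WINDOW = timedelta(minutes=5)  # assumption: failures are counted within this window

def simulate_lockout(log_text):
    """Return {ip: {"failed": n, "blocked": n}} for login POSTs in log_text."""
    recent, locked_until, stats = {}, {}, {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                 # not a login POST
        ip, status = m.group(1), m.group(3)
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        s = stats.setdefault(ip, {"failed": 0, "blocked": 0})
        if ip in locked_until and ts < locked_until[ip]:
            s["blocked"] += 1        # the lockout would reject this guess untested
            continue
        if status != "200":          # heuristic: a good login is answered with a 302
            recent.pop(ip, None)
            continue
        s["failed"] += 1
        window = [t for t in recent.get(ip, []) if ts - t <= RETRY_WINDOW] + [ts]
        recent[ip] = window
        if len(window) >= MAX_FAILURES:
            locked_until[ip] = ts + LOCKOUT
            recent[ip] = []
    return stats

if __name__ == "__main__":
    for ip, s in simulate_lockout(SAMPLE_LOG).items():
        print(f"{ip}: {s['failed']} failed, {s['blocked']} would be blocked")
```

Run against your own access log, a high "blocked" count for an address shows how much guessing the lockout would cut off, while a legitimate user with a single typo is unaffected.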

Lastly, update your WP installation and plugins. Out-of-date installs can be exploited. As is always advised, you should try new updates on a test site first to confirm that no compatibility issues arise.

 

Other ideas:

I recommend you install a clone of your site on a subdomain like test.yoursite.com, and make sure to set that site to noindex under Settings > Reading. This will give you a place to test updates and new plugins for compatibility issues with your already installed plugins. It keeps you from breaking your site, and I know none of us can afford to have our sites offline.

Another great plugin to consider having in place, in case your site ever does get infected, is UpdraftPlus Backup. You can set it up to back up to your Google Drive account, email you backups, etc. It can do your entire site: database, files, uploads, etc. If you ever have to use it, you’ll be glad you had it 🙂

 

Hope you have a secure day. Comment or contact me if you have any questions.
