With the ongoing password guessing attempts against WordPress blogs, as reported by Ars Technica, there are a few easy steps you should take to secure your blog.

  • Use a strong password.
  • Rename the admin account to something else.
  • Install the Limit Login Attempts plugin for WordPress to automatically block login attempts for a certain time after repeated failures.
  • Do not allow remote access to your database.

The plugin is in use on this blog and has already blocked a couple of hundred attempts, all trying to log in as the user “admin”.

Securing SSH

If you run your own web server, you should also monitor SSH for brute-force login attempts. The same rules about passwords and usernames apply to SSH logins too: change the username from root to something else.

You can also use the fail2ban tool to automatically firewall brute-force attacks on SSH.
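Both the Limit Login Attempts plugin and fail2ban work on the same idea: count failed logins per source address and lock that address out once it exceeds a threshold within a time window. The script below is an added illustration of that logic, not code from this blog, from fail2ban or from the plugin. It runs over a handful of constructed sshd log lines (syslog format, documentation-range IP addresses) and reports which addresses would be banned under fail2ban-style maxretry/findtime settings, together with the usernames they tried, which is the quickest way to see whether renaming the admin account is paying off.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of sshd lines in syslog format (not taken from any real server).
SAMPLE_LOG = """\
Apr 14 10:01:02 web sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Apr 14 10:01:05 web sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Apr 14 10:01:09 web sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Apr 14 10:01:12 web sshd[2105]: Failed password for invalid user admin from 203.0.113.5 port 51241 ssh2
Apr 14 10:01:15 web sshd[2107]: Failed password for invalid user admin from 203.0.113.5 port 51242 ssh2
Apr 14 10:02:30 web sshd[2110]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
Apr 14 10:15:00 web sshd[2120]: Failed password for deploy from 198.51.100.7 port 40011 ssh2
Apr 14 10:40:00 web sshd[2130]: Failed password for deploy from 198.51.100.7 port 40012 ssh2
"""

# One failed-password line: timestamp, optional "invalid user", username, source IP.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failed_logins(log_text):
    """Return (timestamp, user, ip) tuples for every failed password line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        # Syslog timestamps carry no year; strptime defaults to 1900, which is
        # fine because only differences between timestamps are used below.
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
        events.append((ts, m.group("user"), m.group("ip")))
    return events


def find_offenders(log_text, maxretry=5, findtime=600):
    """Sliding-window count per source IP, in the style of fail2ban's
    maxretry/findtime settings: an IP is reported once it has maxretry
    failures within any findtime-second window. Returns {ip: {...}}."""
    window = defaultdict(deque)   # ip -> timestamps of recent failures
    tried = defaultdict(set)      # ip -> usernames attempted
    offenders = {}
    for ts, user, ip in parse_failed_logins(log_text):
        tried[ip].add(user)
        q = window[ip]
        q.append(ts)
        # Drop failures that have fallen out of the window.
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry and ip not in offenders:
            offenders[ip] = {
                "banned_at": ts.strftime("%b %d %H:%M:%S"),
                "failures": len(q),
                "users": sorted(tried[ip]),
            }
    return offenders


if __name__ == "__main__":
    for ip, info in find_offenders(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures by {info['banned_at']}, "
              f"usernames tried: {', '.join(info['users'])}")
```

With the defaults (5 failures within 600 seconds) only 203.0.113.5 is reported; the two failures from 198.51.100.7 are 25 minutes apart and never share a window, which is the behaviour you want so that a legitimate user who mistypes a password now and then is not locked out.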

Do you have any other tips for securing a WordPress installation?