Every few minutes of every day there are malicious attempts to log into your WordPress site. That’s why a good security plugin for your WordPress installation is necessary. The security plugin I use produces a log file that, when it reaches a certain size, is sent to administrators and a new one is started. Looking at that text file, you can get cross-eyed. The one I analyzed has 14,151 lines of text lists 1010 + login attempts, starting November 30, 2013 and ending January 17, 2014, that is about 20 attempts a day, and that is only for one relatively small business website.
I am talking about brute force type attacks, and I am keeping a complex subject very simple. Some knowledgeable people have written about what that is. (If you want to get really technical read more here.)
You know, it’s not actually individual hackers sitting in front of a keyboard who try to log into your site. Hackers produce programs, sometimes called bots, that roam the Internet and hammer against any type of login dialog they come across. You can see in those logs that one originator tries 5 or more times before they go to the next one.
If a login is breached those bots may insert code into your site, often into the index.php (the WordPress home page), or other type home page if it’s not a WordPress site. Once injected, that code sends Trojans or other malware to the visitors’ computer the moment they arrive at your site. Those virus invasions are often detected by up-to-date anti-virus software, but if they are missed those Trojans quietly settle in, find and send private information, such as credit card info, contacts, any sensitive information, back to the hacker’s server. Thankfully Google creates a red warning screen that tells visitors if a infected website has been detected, if you see one of those, leave the site. I’ve written more about viruses and other nastiness in earlier posts.
Brute force attacks try to match the login routine of users of the site. So, just like the analogy of the chain that is only as strong as the weakest link, a website is only as secure as the weakest password used. While security software detects and protects against the ceaseless hacking attempts at the login dialog of your site, if you are using weak passwords, or allow users to use weak passwords, that may not be enough.
I’ll be writing about password management and forcing users to create strong passwords in another post. But be aware that the longer (and complex) your passwords are, the longer it takes a hacker to break it. And, please tell me you don’t have a Word document named passwords.doc saved in your documents folder on your computer.