Random header image... Refresh for more!

A PSA for Self-Hosted Blogs

This post is for anyone who self-hosts or who may self-host in the future or is on the free version of WordPress.  Though I would love to know if my site’s loading time has slowed down considerably for you since Friday.  It is being hit by a wave of spam, and while my spam program has done a decent job keeping most of it out, I may need to play with the security plugins.

You’ve probably heard right now that WordPress is under attack by bots.  They are attempting to break into blogs that still have the admin username that came with your space when you set up WordPress.  There are two simple things you can do to protect your blog right now:

Get Rid of the Admin Username

  • Go into “users” on your left sidebar.
  • Click “add new.”
  • Create a new user account with a username that only you will know.  In other words, don’t make your username your blog name or your real name.  Make the name (different from the username) anything you want.  The name will show up at the bottom of your posts, so make it different from the username.  Give this account administrative privileges.
  • Log out of WordPress.
  • Sign back in with your new user account.
  • Delete the admin account and reassign all your posts to the new account.  It is important to get rid of this admin account.

Install a Security Plugin Such as Wordfence

  • Go into “plugins” on your left sidebar.
  • Click “add new.”
  • Do a search for Wordfence (a similar plugin is Better WP Security), install, and activate it.
  • Run a scan and correct any problems the program finds.
  • Click on “live traffic” and choose the menu for “logins and logouts.”  Check this daily to see if people are trying to log into your account and what username they are using.  If they ever get the username correct but the password wrong, you may want to return to those instructions above and change your username.  If they get the username and password correct, you will see the IP address of the person who logged into your account.
  • Go into options and sign up for alerts.  Get notified whenever someone logs into your site.  You’ll get one whenever you log in that you can delete without reading, but if you haven’t logged in and you get that email, you’ll know someone has been in your site.
  • You can also lockout IP addresses that attempt to break into your account, though bots will keep switching IP addresses, so not all that helpful in an attack.

I think of plugins like Wordfence akin to a security alarm.  It will let you know that someone is trying to break in, though it won’t necessarily keep everyone out.  It just makes you a harder target.

Make sure you are always updating and running the most up-to-date version of WordPress.  Don’t install plugins that you haven’t done diligence and checked out.  Yes, even if WordPress has vetted them. (Case in point: there were problems with both a Google Analytics plugin and a social media widget plugin last week.) Delete plugins you’re not using.  Use two-step verification — there are plugins for installed WordPress and you can also get it for any WordPress.com account.

And that’s one to grow on


1 Thomas Seidman { 04.15.13 at 4:35 pm }

Thanks for the useful information. I wasn’t aware of the bot attack.

2 a { 04.15.13 at 4:36 pm }

What is with the sudden increase in spam, lately? And what is the point of taking over blogs, anyway? I just don’t get it sometimes…

3 Turia { 04.15.13 at 7:54 pm }

Thank you. Had no idea. Off to fix things.

4 Natalie { 04.15.13 at 11:42 pm }

Thank you!!

5 panamahat { 04.16.13 at 5:02 am }

thank you very much Mel, all attended to and secure now. Oh and I’ve moved my google reader stuff over to netvibe land. All ready to go, thanks to you! 🙂

6 marwil { 04.16.13 at 10:52 am }

Thanks for sharing this. I had no clue.

7 lostintranslation { 05.23.13 at 9:39 am }

Thanks for sharing. I’m finally getting into the WP site I’m the admin of for an association and wanted to make the admin change but then I found out that I can’t re-use my email address as long as the old admin address hasn’t been deleted yet. So, is there a way to go around that without having to use another email address?

(c) 2006 Melissa S. Ford
The contents of this website are protected by applicable copyright laws. All rights are reserved by the author