There is a constant, world-wide war being waged against WordPress sites. And in the last post, I gave you one thing you could do right away to help you stay safe: change your WordPress administrator User’s username to something other than “admin.”
You did that, right?
And I promised you one more thing that would finish the bad guys off for good. Here it is.
First, a very brief summary of what’s happening. Then, I’ll give you the plugin you need to get this project finished.
Since Thursday of last week, a group of hackers has been using an automated program to attempt large numbers of logins on sites identified as running WordPress. This is happening worldwide, in an attempt to turn those sites into automated spam servers.
You don’t want your VO actor site turned into an automated spam server. You just don’t.
Here’s an article that gives the tech details, if you want to wade through it.
So, now that you’ve changed the name of your administrator User login from the WordPress default “admin” to something else, let’s finish the job.
(By the way – this will all work a lot easier if you have a smartphone: iPhone, Android, or BlackBerry. If you don’t have one, you can get protected via text message or phone call. Get details on how to do that in this very geeky article.)
First, get the Google Authenticator app for your particular smartphone. If you have an iPhone, like I do, you can get the app, for free, here:
If you have an Android device, go here:
And if you have a BlackBerry, go here (the app at BlackBerry App World is called Authomator, not Google Authenticator, but it does the same thing):
OK. Got your app downloaded and installed? Don’t worry that you can’t use it yet.
Here’s the next step.
Go log in to your WordPress site, go to Plugins, click the Add New button at the top of the page, and then search for the phrase Google Authenticator. It’s usually the first plugin that shows up in the results, and it’s by Henrik Schack.
Install it. Then follow the plugin’s instructions to display a QR code, which you scan with the app to tie the two pieces (the plugin and the app) together.
Once you do, you’ll be on your way to using world-class, time-based authentication codes, the same kind the big boys use to protect access to their big boy stuff. And you’ll need your phone in front of you to be able to log in to your site (or sites – I have it protecting all of mine now).
Here’s how the plugin and the app work together: the plugin adds a third text box to your login screen – and the app is constantly generating six-digit numbers that change every 20 seconds. When you go to log in to your WordPress site, you enter your non-“admin” username and your password, along with the number currently displayed in the app on your phone’s screen, and if that number is correct, the plugin lets you in.
And you don’t have to worry if your phone is not connected to the Net, like when you’re on an airplane – the Google Authenticator app keeps generating the numbers you use as your codes, because they are computed from a shared secret and the current time rather than fetched from a server.
It sounds more tricky than it is, but it’s easy and it’s rock solid. All because the bad guys can’t know what’s on your phone’s screen.
And it stops all these brute force attacks on your site – cold.
Hope this helps.