Website security is not always a major consideration for small businesses but there are a few simple things that can be done to help prevent becoming another statistic when things pop up like the recent Brute Force attacks against WordPress sites.

Admin Account
If you are currently using the “admin” account on your site, we recommend that you change it but this is easier said than done. Although you cannot change a username to something different on the WordPress system you can create a new username and then delete the “admin” account once you are finished. Also keep in mind that email addresses on the system have to be unique so you will need to change the email address associated with the “admin” account before continuing. To convert your existing “admin” account to something different, follow the instructions below:

1. Login to your WordPress Admin and go to “Users” in the left menu
2. Find the “admin” account and click to edit.
3. Once in the account, go down the the email address field and change it to a different address (assuming you want the same email address associated with the new account)
4. Click “Update Profile” to save the changes to the “admin” account
5. Once you are out of the account, go to the top of the page (or the side menu if you prefer) and click the “Add New” button
6. Fill in the new username (anything you like other than “admin”), email address (if you changed the one associated with the “admin” account you can now use your old email here) and Password.
7. Set your role as “Administrator” in the drop down list
8. Click the “Add New User” button
9. Once the account is created you will need to logout of the WordPress Admin and log back in using your new account
10. After you log back in you will want to go back to “Users” and delete the “admin” account. Make sure during the process that you do not delete the posts associated with the account. You will want to attribute them to your new account instead so you do not lose any ground during this transition.

Strong Passwords
It is recommended that you update your passwords on a regular basis and more importantly to use very strong passwords. Make sure to use a combination of capital and lower case letters along with special characters like !@#$%^ (don’t worry, that was not an cartoon expletive, those are the characters I meant). Using numbers as well is also helpful. The best case is to create something that is easy to remember but hard to guess using a dictionary type attack. An easy way to do this is using elite speak (substituting numbers and special characters for letters in words you can remember). A better way to do this is to get a password logging program like “LastPass” and allow it to automatically generate super secure passwords for you. You create one secure password for the system and then allow it to generate and remember the secure passwords for you.

Plugins
Better account security can always be augmented with plugins that can be added to your site to limit the number of failed login attempts and some that can even allow you to blacklist IPs that are generating brute force traffic. You can go with a simple plugin like Limit Login Attempts that will allow you to set the number of times a user can attempt to login before they are punished for a period of time. You can also go with something more involved like Wordfence that not only limits login attempts but secures files on your site, and will allow you to scan for anomalies in your core WordPress system files and fix them as well as allowing you to blacklist IP’s. Some sites may experience performance issues while using Wordfence depending on their complexity so you will need to test it before you decide to deploy it for the long term

If you do not feel comfortable making these changes to your site on your own, your web developer will likely be happy to help you integrate whatever you need.

However you do things, taking a little time to make these simple changes now can save you some incredible headaches later and will help keep you ahead of the curve for future cyber attacks.