For almost two years I’ve been relying on the G5 firewall from Perishable Press, but I’ve come to believe an .htaccess blacklist is simply not enough. Part of the problem is the security flaws inherent in a default WordPress installation, such as:
- An admin user named ‘Admin’
- A table prefix of wp_
- Revealing header information
- Users being allowed to choose a non-secure password
Better WordPress Security can change the username Admin to something else. Without this plugin, you would need to use phpMyAdmin to change it in the database; if that is not going to happen, just use the plugin.
And to be fair to WordPress, I have not had a site hacked because an attacker knew my table prefix, but nonetheless if you install Bit51’s Better WordPress Security plugin, it can rename your table prefix for you with a random string like hl3ia_ or some such. It makes me feel more secure anyway. I’ve tested this on six different WP sites now, and even with all the changes it makes to my sites, I’ve had no problems. (You can also leave your table prefix unchanged and still use the plugin’s other features.)
The table prefix fix is the least of what this plugin does. It will require users to choose strong passwords. It will log 404 errors, and it will ban hosts with too many failed login attempts. It will do everything the G5 blacklist does and a heck of a lot more.
The most important thing it does is give you feedback, so you don’t have to scour your server logs to see who is trying to break in. It has its own logs. It will simply show you that a host in China tried to access admin.php 20 times unsuccessfully and was then locked out. It provides you with the IP address of the offending host and a link to the host’s location via an IP tracer. Then, if you want, you can copy the IP address into the plugin’s permanent blacklist. You will be amazed at how many computers are constantly trying to break into your WP site. The majority of the malicious logins and accesses are actually from China and Russia, and very few are from the United States or Europe. Indonesian, South American and Middle Eastern addresses make the list too, though.
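To show what the “too many failed logins, then lock out” logic described above looks like when you do it yourself from the web server’s access log, here is an added example (my own code, not part of this post or of the Better WordPress Security plugin). It reads Apache combined-format log lines, counts failed wp-login.php attempts per host inside a sliding window, locks out any host that exceeds the threshold, and tallies 404s separately. The sample log lines, the five-failures-in-five-minutes threshold and the 200-vs-302 status heuristic for failed versus successful logins are assumptions of the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample traffic using documentation-range addresses, not real hosts.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2012:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2012:03:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2012:03:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2012:03:14:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2012:03:14:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.5 - - [12/Mar/2012:03:15:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.5 - - [12/Mar/2012:03:15:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.5 - - [12/Mar/2012:03:16:00 +0000] "GET /old-page/ HTTP/1.1" 404 1200 "-" "Mozilla/5.0"
"""

def find_lockouts(log_text, max_failures=5, window=timedelta(minutes=5)):
    """Lock out any host that fails max_failures logins inside a sliding window.
    Returns ({ip: time of lockout}, {ip: number of 404 responses})."""
    failures, lockouts, not_found = defaultdict(deque), {}, defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined-log format
        ip, status = m.group("ip"), int(m.group("status"))
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        if status == 404:  # recorded separately, like the plugin's 404 log
            not_found[ip] += 1
        # A bad password makes WordPress re-render wp-login.php with HTTP 200;
        # a successful login POST is answered with a 302 redirect instead.
        if not (m.group("method") == "POST" and m.group("path").startswith("/wp-login.php")
                and status == 200):
            continue
        q = failures[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures and ip not in lockouts:
            lockouts[ip] = ts
    return lockouts, dict(not_found)

if __name__ == "__main__":
    locked, missing = find_lockouts(SAMPLE_LOG)
    print("locked out:", {ip: when.isoformat() for ip, when in locked.items()})
    print("404 responses per host:", missing)
```

On the sample data the first host is locked out at its fifth failure while the second host, which fails once and then logs in successfully, is only recorded for its single 404.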