This week I noticed an apparent attempted brute-force attack on this web site, with over 10,000 blocked log-in attempts. This caused me to question and re-evaluate my data management plan and my privacy and security protocols. This review is for my own satisfaction only; there is no indication that any of my systems or data have been compromised.
Thanks to a half dozen online exercises and the help of a few friends and peers, this is a compiled list of security upgrade suggestions:
- Use unique, randomly generated and securely stored usernames and passwords. (This is the most basic; I already do this.)
- Use the web host’s built-in backup system and periodically download a copy. (I do this but am still unclear about its value for a restore in the event of a problem with the WordPress-specific portion of the site. If this works, why use other backup systems?)
- Use two-step log-on authentication.
- Use a WP malware cleaner to check for problems. https://www.malwarebytes.com/adwcleaner/
- Use the Loginizer add-in to limit the number of log-in attempts.
- Rename the WP log-in page to make it harder to find. https://wordpress.org/plugins/rename-wp-login/
- Use ManageWP, BackupBuddy, UpdraftPlus or iThemes Security for automated backups of the web site. https://wordpress.org/plugins/better-wp-security/
- Use a VPN.
I haven’t taken these additional steps yet but plan to do so after a bit more planning and research. As always, comments are welcome.