Recently I managed the website for a historic hotel in Jackson after their website designer disappeared. The site was designed in WordPress but it didn’t have any security plugins installed. So, I checked out website security plugins and installed the free version of iThemes Security.

Warnings from the plugin about brute force attacks against the website appeared in my e-mail inbox the next day. The attacks came in one of two forms. One form tried to log in with a standard “admin” username and a password. The other used a variety of usernames that could hit the mark (like the hotel name) and a password. I suspect the passwords the attackers use are simple ones that too many people still use, like password123.

When I added iThemes Security to my website and several client websites that use WordPress, I saw the same types of attacks. They weren’t as numerous as those found on the hotel’s website, probably because these sites haven’t been online that long. Even so, the attack notices appear in my e-mail inbox daily.

Each warning message from iThemes includes a link to an IP (Internet Protocol) address. Following the link opens the Trace IP website, which shows where the attack came from. For example, a recent attack on my website says it came from Paris.

The Trace IP map shows a website attack from Paris

Attacks on the hotel site and all my sites came from all over the world. Each attack comes from a different address, though Trace IP couldn’t detect some of the IP addresses. Automated bots likely generate the attacks, scouring the web and trying to infiltrate as many sites as they can for the evildoers behind them.
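The two username patterns and the one-address-per-attempt behavior described above can be tallied from a site's failed-login records. This is an added example, not part of the original post or of the iThemes Security plugin; the event list, the site name "grandhotel", and the per-IP limit of 3 are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of failed-login events: (time, source IP, username tried).
# The IPs are documentation-range addresses; "grandhotel" is a made-up site name.
FAILED_LOGINS = [
    ("2024-05-01T02:11:07", "192.0.2.10", "admin"),
    ("2024-05-01T02:14:52", "198.51.100.23", "admin"),
    ("2024-05-01T03:02:19", "203.0.113.5", "grandhotel"),
    ("2024-05-01T03:40:33", "192.0.2.77", "GrandHotelAdmin"),
    ("2024-05-01T04:05:01", "198.51.100.90", "Admin"),
    ("2024-05-01T04:59:48", "203.0.113.61", "editor"),
]

def classify(username, site_name):
    """Return which of the two described forms a username guess matches."""
    name = username.strip().lower()
    if name == "admin":
        return "default-admin"
    if site_name.lower() in name:
        return "site-name-guess"
    return "other"

def summarize(events, site_name, per_ip_limit=3):
    """Count attempts and distinct source IPs per form, and list the IPs
    that a simple per-IP threshold (an assumed value) would have flagged."""
    attempts = defaultdict(int)
    sources = defaultdict(set)
    per_ip = defaultdict(int)
    for _time, ip, username in events:
        form = classify(username, site_name)
        attempts[form] += 1
        sources[form].add(ip)
        per_ip[ip] += 1
    flagged = sorted(ip for ip, n in per_ip.items() if n >= per_ip_limit)
    by_form = {form: (attempts[form], len(sources[form])) for form in attempts}
    return by_form, flagged

if __name__ == "__main__":
    by_form, flagged = summarize(FAILED_LOGINS, "grandhotel")
    for form, (count, ips) in sorted(by_form.items()):
        print(f"{form}: {count} attempts from {ips} addresses")
    print("addresses over the per-IP limit:", flagged or "none")
```

Because every attempt in the sample comes from a different address, no single address reaches the per-IP limit, while grouping by username form still shows the pattern.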

I recommended that the hotel management use a dedicated WordPress management and security service. They decided to handle security and website updates themselves. (The grapevine says business at the hotel hasn’t been good.) I suspect they’ll have some unpleasant security incidents in the future.

So, how do you avoid such incidents and keep website(s) you manage safe from hackers and data thieves?

  • Look in your browser’s address bar and see if you have https:// preceding your website address. If not, talk to your hosting company about getting SSL (Secure Sockets Layer) protection installed on your site(s) right away.
  • Talk with your hosting company about using their built-in security features. If you’re not comfortable with your hosting company’s security, find a new company.
  • If your site uses WordPress or another content management system (CMS), get and install a security plugin you like.

I hope this helps. Stay safe out there.