If you are a small business owner with a WordPress website, this tutorial is for you.

It starts with a party scenario and a dash of humor.

Hello Hackers. My Name is Admin.

Picture yourself at a party.

Someone walks up to you and says, “Hello. My Name is Admin.”

Of course, it sounds absurd. You would probably burst out laughing. No one would ever name their child “Admin,” you think to yourself.

It would be unheard-of. It would be cruel. They would be the butt of every joke.

Now picture that same party where “Admin” naively walks up to a hacker. Not only would the hacker not find the name to be absurd, the name would be absolutely intriguing. “Tell me more,” the hacker would say, leaning in with his undivided attention.

In reality, Admin is not a real name (hopefully), but it is used ridiculously often as a username to log into a website…  especially a WordPress website.

If you’re a business owner with a WordPress website, are you familiar with the usernames you have listed in the Dashboard? Be honest. Have you been to your website lately? Have you logged into your WordPress Dashboard in the past month… or do you leave that job to someone else?

Not sure. Then prepare for a Brute Force Attack.

Gosh. That hacker you met at the party seemed like a nice guy. He probably didn’t say, “Hello. My Name is Hacker” to clue you into his malicious intentions.

How could you possibly have known that he went straight to his computer after the party, found your website and hacked into it while you were sleeping? Sadly, you woke up the next day and still knew nothing about it.

What is a Brute Force Attack?

A ‘brute force’ login attack is a type of website attack used to gain access by guessing the username and password over and over again. A website may be systematically bombarded with username and password combinations until a successful login occurs. The hacker often runs a script that uses automatically generated passwords at a rate of thousands of times per minute.

WordPress websites are often targets of Brute Force Attacks for the mere fact that WordPress is a popular CMS. Being popular, makes it an enticing target for hackers.

Read WordPress Brute Force Attacks are at An All-Time High.

What is the purpose of a Brute Force Attack? Brute force attacks are typically carried out to gain access to websites for the purposes of data theft, vandalism, or the distribution of malware.

What is Malware?

Malware is an abbreviated term meaning “malicious software.” This software is designed to gain access to or damage a computer without the owner’s knowledge. These days, malware is often created for profit. The hacker may change the content of the site (to add spam), or create additional pages, usually with the intent of phishing. Malware can be used to open pop-up ads, redirect the visitor to pages with viruses or steal personal information. Some hackers may even take administrative control over a hacked site.

Your visitors can suffer consequences from a malware attack on your site, and your business reputation may also suffer. But you can take some simple steps right now to protect your website, your visitors and your company.

1) First things first. Don’t call yourself Admin.

You should log into your WordPress Dashboard right now to check the usernames.

If you discover that you already have Admin as a username, here are the steps you can take to change it: How to change an Admin User and Why It’s Important!.

2) Don’t Use Easy-To-Guess Passwords Either.

Do you use “123456” or “password” as the password to your business website? How about “baseball,” “dragon,” “monkey” or “sunshine.” You are not alone.

Hello Hackers. My password is “monkey.” Come on in.

Ready to change your password?

WordPress login screenSince you’ve already logged into your WordPress Dashboard, you can click on the “Users” link. (Then click on your username, scroll down the page, and enter a new password.) It will take you less than a minute.

Try using a combination of lowercase and uppercase letters along with numbers and symbols.

While you’re in your Dashboard, you should probably take a look at your Plugins. (Look for the Plugins link… near the Users link.)

Do you have any security Plugins installed in your site? No. Then that is your third task.

3) Add a Security Plugin to your WordPress site.

Your security plugin will monitor your website for you and notify you if your website is the target of a Brute Force Attack.

Try Securi , All In One WordPress Security Plugin, or Wordfence. Plugins such as these will help protect your WordPress site from viruses, malware and hacking attempts. They also have login security options available such as locking users out due to numerous failed logins.

Has your site already been hacked?

Google has launched a service that blacklists hacked websites and warns users before they visit these suspicious sites. If your site has been blacklisted, Google will display the message “This site may harm your computer” in its search results. Chances are that your site contains malware.

hello WordPress hackerVisit Google’s Help for Hacked Sites to learn more about Google’s process for marking sites as malicious.

Also read: Blacklisted by Google and How I Cleaned Up My WordPress Site after It Was Hacked and Blacklisted.

But hopefully, you’re reading this tutorial first… before you walk into that party and shake the hacker’s hand.

If so, you’re in luck. It is so much easier to do these simple steps, than it is to clean up your website and save your reputation.

If your real name is Admin, you can laugh it off and blame your parents. But if your username is Admin, it’s no laughing matter.