I recently had my website developer install Wordfence, a website security service for WordPress sites. We’re trying out the free version at the moment on an e-commerce website I own and I’ve just received the first weekly report. To say that it was an eye opener would be to understate its impact.

The report on attacks from numbers of IPs, originating countries, and failed logins that Wordfence blocked and listed was astounding—they numbered in the hundreds. I would never have guessed the extent of nefarious activity out there. I asked our website host what the impact of this activity would have been before we engaged Wordfence. “Nothing. The sites we host are ‘hardened,’ which means that we lock down security. What Wordfence does that we cannot do as quickly is stop attacks on plugins in which someone has found a vulnerability. WordPress plugin exploits are the number one way sites get hacked.”

Then there was the answer to my question about why there had been 165 failed attempts to log in using my name and hundreds using speculative usernames like “admin”, “test”, “guest”, “username”, “123456789”, and others. “That is people trying to guess the passwords for the accounts. This is common and why passwords should be complex.”

So, I’ve changed my attitude to complex passwords. I’ve resolved to stop regarding them as a nuisance and to make sure that I follow the advice about changing passwords regularly and making them as random, unpredictable, and complex as possible. I urge you to as well. And perhaps consider a website security service—it’s rough out there in cyberspace.