My buddy Evan and I spend a lot of time working with clients who need help on their websites, we build stories online, with the help of along with some great web developer partners at Fervor.
We noticed that WordPress was under attack (yeah we are kinda geeks like that) and Evan spent some time writing out our thoughts on what’s going on…
Over the past couple of days, hackers have been attacking websites hosted on the WordPress platform. Now, we really like WordPress and use it for a lot of sites. It’s extremely robust, flexible, and well documented with a lot of free and inexpensive plugins that add custom features. Well, because of all of that, we aren’t the only ones that use it. In fact, it’s this popularity that has made it such an attractive target for hackers.
So what flaw in WordPress are these hackers exploiting? None. Instead, they are using a bunch of computers (approximately 90,000) to try a bunch of passwords with the username ‘admin’. It’s called a dictionary attack because they are effectively running through every word in the dictionary to see if they can find one that works as a password with the admin user.
In addition to the above, the massive scale of these attacks are resulting in a DDoS (Distributed Denial of Service) attack that is overwhelming servers and rendering websites unavailable. A few of our small, personal sites are currently M.I.A…
What can you do to protect your site? A bunch of things. Employ the following… or just contact us to take care of it for you (including hosting your website). If you’re wanting to change web hosts from WordPress to a separate hosting server, you might also want to look at migrating your site to a dedicated host like Hosti Server or others can provide.
Don’t use ‘admin’ as your username. In fact, remove the ‘admin’ user from your WordPress database.
Use complex passwords – preferably those that have been randomly generated. We are big fans of (and made the investment in) 1Password from AgileBits because it generates long non-sensical passwords and syncs them with all of our computers, iPhones, and iPads. We’ve also heard good things about LastPass. Pick one and use it for everything.
Install the Login Lockdown plugin for WordPress. This plugin can help prevent any one computer that is used as part of this attack from being effective for very long. It can block IP addresses of bad login attempts preventing them from continuing to try to login. Are settings are as follows.
- Max Login Retires: 3
- Retry Time Period Restriction (minutes): 5
- Lockout Length (minutes): 6000
- Lockout invalid usernames? YES (If you’ve removed the ‘admin’ user, then you’ve effectively made the change necessary that will protect your login from this specific attack.)
- Mask Login Errors? YES (Why tell them what didn’t work?)
Install the Better WP Security plugin for WordPress. This plugin will let you make several changes away from the default install that will eliminate your exposure to this attack and subsequent ones.
- This plugin helps you remove the ‘admin’ user.
- Force longer, more secure, passwords.
- Change the login URL from www.yourwebsite.com/wp-login.
php to something else. This attack, specifically, is targeting the wp-login.php page. Thus, if you use Better WP Security to change it to something else, your site would not be targeted with this attack. For added bonus points, change it to something crazy, such as /LetMeIn or /OpenSaysMe
There are other steps that this plugin can help you take to secure your site. It’s got a pretty good dashboard that shows you what it feels are still vulnerable versus what needs to be secured. And, it will make those changes for you if you click a couple buttons.
Generally, you should also do the following to reduce any exposure you might have to future attacks.
Keep your WordPress install up-to-date. There are vulnerabilities removed and bug-fixes included in each update.
Remove unused plugins and themes. The less you have installed, the less possibility there is that you’ll have some vulnerability open to hackers.
Don’t use shared hosting. With shared hosting, you are also vulnerable should someone else get hacked. With a dedicated server – even virtual servers – you are more isolated from the laziness or ignorance of other website owners.
If you want help, just give us a ring.