Maybe you have already heard about the massive WordPress attacks that have been going on. You probably know that WordPress is a website/blogging platform that is preferred by small business owners because it is easy to use and very SEO friendly.
The problem is that a fresh WordPress install leaves some pretty significant security holes open. What is happening now is that one or more botnets (networks of hijacked computers running attack software) try thousands of username and password combinations every second.
Like I said, this is done with software, so it searches out easy targets and “auto-hacks” them. Don’t think you’re safe just because you are a small business. You are the ideal target for these programs.
Why Are They Doing This?
The purpose of these attacks is to compromise as many sites as possible, which increases the size and strength of the botnet and makes it possible to attack large sites (banks, for example). The plan of attack is to hack from millions of locations instead of one single location.
The details of the recent attack have been covered by Sucuri, HostGator and Krebs, so we know it is very serious; if you want to read the technical details, you can find links at the bottom of this post.
How To Protect Yourself
There are several things you can do to protect yourself. If you are one of my clients and are currently on my hosting plan then all of this has been done for you and you have nothing to worry about.
1. If your username is “admin”, create a new user and give it the Administrator role. Then log out, log back in as the new user and delete the “admin” account.
2. Install the Login Lockdown plugin. It locks out an attacking IP address after 5 failed login attempts.
3. Backup your site. Call your hosting company and have them step you through the backup process. All of my sites and my client sites are backed up every week automatically. I suggest you do the same.
4. Change your password. Use 8 characters including numbers and symbols – NO WORDS FROM THE DICTIONARY.
5. If you are on a shared server you may experience slowdowns as the botnets bog down the system and your site (bad for SEO). You may want to consider a dedicated server. All of my clients’ sites are on a dedicated server and run at top speed (often 5 to 10 times faster than shared servers).
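As an added illustration (not part of the original post and not the Login Lockdown plugin's own code), here is a small Python script that applies the “5 failed attempts” lockout rule from step 2 to web-server log lines, and checks a password against the rules from step 4. The log lines, IP addresses and the tiny word list are constructed for the example. The script assumes a default WordPress login form, which answers a failed POST to wp-login.php with a 200 (the form is shown again with an error) and a successful one with a 302 redirect to the dashboard; that is the same heuristic many fail2ban-style filters use.

```python
import re
from collections import Counter

# Constructed sample access-log lines in Apache "combined" format (not real traffic).
# 203.0.113.10 hammers the login form: six POSTs, all answered with 200 (failure).
# 198.51.100.7 is a legitimate user: one GET of the form, one POST answered with 302.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Parses the fields we need from a combined-format line: client IP, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def failed_logins_by_ip(log_text):
    """Count, per client IP, the POSTs to wp-login.php that came back as 200.

    Assumption: a default WordPress login re-renders the form with status 200 on
    a failed attempt and redirects (302) on success, so 200 means failure.
    """
    failures = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if (m["method"] == "POST"
                and m["path"].startswith("/wp-login.php")
                and m["status"] == "200"):
            failures[m["ip"]] += 1
    return failures


def ips_to_lock_out(log_text, max_attempts=5):
    """Return the IPs that reached the lockout threshold (5, as in step 2)."""
    return sorted(ip for ip, n in failed_logins_by_ip(log_text).items()
                  if n >= max_attempts)


# A tiny constructed word list standing in for a real dictionary.
DICTIONARY = {"password", "admin", "wordpress", "welcome", "letmein", "secret"}


def password_problems(password, dictionary=DICTIONARY):
    """List every rule from step 4 that the password breaks (empty list = OK)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(not c.isalnum() for c in password):
        problems.append("no symbol")
    lowered = password.lower()
    if any(word in lowered for word in dictionary):
        problems.append("contains a dictionary word")
    return problems


if __name__ == "__main__":
    for ip, n in failed_logins_by_ip(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed login attempts")
    print("lock out:", ips_to_lock_out(SAMPLE_LOG))
    for candidate in ("admin123", "Tr0ub&dr#x9"):
        print(candidate, "->", password_problems(candidate) or "OK")
```

Run against a real Apache or nginx access log, the same two functions give you a quick picture of which addresses are hammering your login page and whether the lockout threshold from step 2 would have caught them; the password check is the rule set from step 4 written down so you can test a candidate before you set it.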
Further Reading:
http://blog.hostgator.com/2013/04/11/global-wordpress-brute-force-flood/
http://blog.sucuri.net/2013/04/the-wordpress-brute-force-attack-timeline.html
https://krebsonsecurity.com/2013/04/brute-force-attacks-build-wordpress-botnet/