Yesterday security experts warned of a large distributed botnet attack against WordPress sites. From ArsTechnica:
The unknown people behind the highly distributed attack are using more than 90,000 IP addresses to brute-force crack administrative credentials of vulnerable WordPress systems, researchers from at least three Web hosting services reported.
This doesn’t mean that WordPress is inherently insecure. However with the vast WordPress install base, it is a big target for a large level attack. Also, since many users have self-hosted WordPress, and either never updated, or are using “Admin” as their username along with a password that is not complex enough, like “P@ssw0rd” or other easily guessed passwords, they are open to attack.
At BlogWranglers, we install, support and move a large number of WordPress sites. If you are concerned that your site may have been hacked, or if you want a quick security audit to make sure it’s as safe as possible, we can help.
If you have a WordPress site, here are a few steps you can take yourself:
- Make sure your site is up to date with the latest WordPress code. Remember backup first. Then upgrade plugins.
- Install the plugin to Limit Attempts to Access Admin – this may not stop it cold as some reports indicate over 90k IP addresses in the botnet. Still, this is worth while. http://wordpress.org/extend/plugins/limit-login-attempts/
- Change your password (and ALL passwords for your site ) to something that uses at least 8 characters, including numbers, symbols and uppercase.
- Do not use “Admin” as your user name for any account. If you do, set up a new administrator account and delete the admin user. There are also plugins to do this.
- You can install a second layer of security by installing an htaccess password. Instructions here.
The solution that works for me is a password manager. I use RoboForm. This password manager allow me to use super complex passwords that are long. Entering them is a click of a button. RoboForm attaches to my browser and is always available to capture and store and then enter passwords based on the URL. I have complete control and nothing automagically scary happens. It will even work with desktop applications. RoboForm is also great for filling in forms with a click. I have over 800 passwords and could not function without it, let alone be secure. Check out RoboForm.
If you need our help, we have engineers standing by ready to help you. Contact us now!
email@example.com Be safe. Enjoy Life.How to Protect Your WordPress Blog Against Brute Force Attacks by Jim Spencer