There has been a massive attack on WordPress sites in the last few weeks, and it continues at this very moment. It is still going on in May, although chatter about it seemed to peak around mid-April. Insecure passwords, out-of-date software, and server vulnerabilities all contribute to the access points that these brute force attacks exploit.
A brute force attack is one in which a bot tries again and again to gain access to software on the physical server so that it can take over control of the server. It does this by banging up against your login form with different plausible user ID and password combinations, over and over, until it gets one right.
These attacks are not focused on any particular “value” of site. Friends have told me, “But my site is ‘low value’; no one would want to hack into my site.” The hackers do not care about your site. They only care about access to the servers that host your site. They want to get to the servers to launch attacks, take down other sites, or commit crimes. The type of site you have makes no difference. If you use WordPress on a self-hosted site with your own domain name, you are potentially vulnerable.
A good overview of this topic is: http://tonyonsecurity.com/2013/04/25/crazy-april-for-the-wordpress-platform/
Insecure User Names and Passwords
One of the ways brute force hacks often get server access is through user negligence in creating user names and passwords, both for WordPress and for control panel access. If your user name is “admin” or your password is “abcd1234”, your account can be broken into in no time flat. If you have not changed your password in a few months, or your user name is admin, go change your WordPress password RIGHT NOW. Your password should use upper and lowercase letters, numbers and allowed special characters, and be at least 8 characters long.
For further information about the need for good passwords, read: http://www.wphub.com/botnet-attacks-show-need-for-strong-passwords/
Software updates are most often minor bug fixes that address little bits of code that can turn into major holes in, and tunnels through, your WordPress platform to the server which hosts your site. You should always be running the most current release of WordPress. To make sure you are, go to your Dashboard; when you hover or click (which one depends on what type of computer or mobile device you are on), you will see two tabs, the Home tab and the Updates tab. Select Updates. You should then see something like the image I have clipped and framed below. If you see something other than “You have the latest version of WordPress,” make sure you have a backup of your website, however you do that, and then install the latest software.
Do the same thing for the plugins that you use: go down the Dashboard, toward the middle of the column, and you will find Plugins. When you click or hover you will see Installed Plugins as one of three options. Select it.
You will find a similar display to the one for the WordPress version. It could tell you that your plugins are up to date, or that you have version such and such and that version such and such is available. Again, make sure your site is backed up and then install the update or updates.
Old Files on Your Servers
Another common way for a hacker to gain access to your site and resources is by hacking into “inactive sites” that you may have played around with as a test site, or on a domain you purchased, were thinking about using, or created for a friend. These could be distinct sites or add-on components such as forums or galleries that you did not merge into a final site.
If you have files, directories or sites like this on your server, the odds are that you have not kept the code for these sites and bits of sites up to date with WordPress or plug-in updates. Any vulnerabilities in old versions of code may still be there, presenting wide open doors and windows for hackers. A good hosting service will shut down any site that shows signs of being hacked. Not all hosting services are good.
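The forgotten test site is hard to spot by eye, because it looks like any other folder. The script below is an added example (not from the original post) that walks a web root, finds every WordPress install by its wp-includes/version.php file, reads the `$wp_version` it declares, and lists the ones older than whatever you tell it is current. The demo tree it builds in a temporary directory is constructed, and the “current” version string passed in is a placeholder for the demo, not a claim about the release that is current when you run it.

```python
import os
import re
import shutil
import tempfile

# WordPress records its own release in wp-includes/version.php as: $wp_version = '3.5.1';
VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]""")


def version_tuple(version):
    """Turn '3.5.1' into (3, 5, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def find_wordpress_installs(root):
    """Return sorted [(install_dir, version)] for every WordPress tree under root."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == "wp-includes" and "version.php" in filenames:
            with open(os.path.join(dirpath, "version.php"), encoding="utf-8", errors="replace") as fh:
                match = VERSION_RE.search(fh.read())
            install_dir = os.path.dirname(dirpath)
            found.append((install_dir, match.group(1) if match else "unknown"))
    return sorted(found)


def outdated_installs(root, current):
    """Installs whose version is below `current` (or unreadable, which also needs a look)."""
    current_t = version_tuple(current)
    return [
        (install_dir, version)
        for install_dir, version in find_wordpress_installs(root)
        if version == "unknown" or version_tuple(version) < current_t
    ]


def build_demo_tree():
    """Constructed sample: a live site plus two forgotten copies on older releases."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    sites = [
        ("public_html", "3.5.1"),             # the site you actually maintain
        ("public_html/oldtest", "3.2.1"),     # a test install never updated
        ("public_html/friendsite", "3.3"),    # a site built for a friend, then abandoned
    ]
    for name, version in sites:
        includes = os.path.join(root, name, "wp-includes")
        os.makedirs(includes)
        with open(os.path.join(includes, "version.php"), "w", encoding="utf-8") as fh:
            fh.write("<?php\n$wp_version = '%s';\n" % version)
    return root


def remove_demo_tree(root):
    """Clean up the temporary tree created by build_demo_tree."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    demo_root = build_demo_tree()
    try:
        # "3.5.1" stands in for whatever release is current when you run this.
        for install_dir, version in outdated_installs(demo_root, "3.5.1"):
            print(f"OUTDATED {version:>8}  {install_dir}")
    finally:
        remove_demo_tree(demo_root)
```

Point `outdated_installs` at your real hosting directory (for example the folder your control panel calls public_html) and at the version shown on your Dashboard's Updates page; anything it lists either gets updated or gets deleted. It only knows about WordPress core, so plug-in and theme folders inside an abandoned site still need the same treatment.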
What’s A Blogger To Do?
You can mitigate most of your risk very simply.
- Ninety-nine percent of the sites that have fallen victim to the current ongoing attacks have probably had active out-dated software on the server space of their hosting accounts, or had woefully inadequate user names and passwords on the accounts. So if you take care of these problems, you will be far ahead of all other bloggers using WordPress.
- Talk to your tech person about old versions of anything that might be in your files on the hosting server, and make sure that is not the case.
- Make sure your user name has been personalized by you. Do not use or allow user names such as admin or user.
- Then make sure your password is a minimum of 7 to 9 characters in length, and uses upper and lower case letters, numbers, and punctuation characters.
- If any of your accounts are compromised, change all your passwords.
- Build an update check into your weekly routine. Once a week go to your dashboard and make sure all your WordPress software, themes, and plug-ins are up-to-date.
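The user-name and password rules from the Insecure User Names and Passwords section and from the checklist above can be turned into a check you run before saving a new account. The function below is an added example (not from the original post or from WordPress itself); the banned user names and the short list of weak passwords are constructed for the demo and stand in for the much longer lists an attacker's bot carries.

```python
import re
import string

# Constructed lists for the demo: the names the post calls out plus a few obvious ones.
BANNED_USERNAMES = {"admin", "administrator", "user", "root", "test"}
WEAK_PASSWORDS = {"abcd1234", "password", "123456", "qwerty", "letmein", "wordpress"}


def check_credentials(username, password, min_length=8):
    """Return a list of policy violations; an empty list means the pair passes."""
    problems = []
    if username.lower() in BANNED_USERNAMES:
        problems.append(f"user name '{username}' is a default or guessable name")
    if len(password) < min_length:
        problems.append(f"password is shorter than {min_length} characters")
    if not re.search(r"[a-z]", password):
        problems.append("password has no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("password has no uppercase letter")
    if not re.search(r"\d", password):
        problems.append("password has no digit")
    if not any(ch in string.punctuation for ch in password):
        problems.append("password has no special character")
    if password.lower() in WEAK_PASSWORDS:
        problems.append("password is on the common-password list")
    if username and username.lower() in password.lower():
        problems.append("password contains the user name")
    return problems


def is_acceptable(username, password, min_length=8):
    """Convenience wrapper: True only when check_credentials finds nothing."""
    return not check_credentials(username, password, min_length)


if __name__ == "__main__":
    # Constructed sample credentials: the post's own bad example beside a passing one.
    for user, pw in [("admin", "abcd1234"), ("jsmith_blog", "Tr0ub4dor&3x!")]:
        verdict = check_credentials(user, pw)
        print(f"{user!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The checker reports every rule that fails rather than stopping at the first one, which is what you want when explaining to a friend why “admin / abcd1234” is a problem: it is a default name, it has no uppercase letter or special character, and it is on every bot's list. A real deployment would swap the tiny `WEAK_PASSWORDS` set for a proper breached-password list.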
Luck seems to happen to those who are most prepared. Adopt the scout motto and prepare yourself with these relatively painless steps. You will increase your chance of getting lucky and remaining hack-free.