An attack on WordPress is sweeping across the web as analysts suspect a “never-before-seen” super botnet is being created that could threaten the web as a whole.
“With so much at stake, readers who run WordPress sites are strongly advised to lock down their servers immediately. The effort may not only protect the security of the individual site. It could help safeguard the Internet as a whole.”
Using more than 90,000 IP addresses, this attack brute-forces logins on WordPress systems. By leveraging these servers' bandwidth and power, the damage would be substantially greater than that of a DDoS attack.
Is your church website safe?
Here’s what to do:
What to Do
This is still breaking, so there’s time to make sure your WordPress installs are safe from this new attack.
Here’s what you can do:
- Install a Limit Login Attempts plugin.
  I have this on ChurchMag and it’s awesome. Since last week, I’ve had 151 lockouts and 3 blocked IP addresses.
- Update your login passwords ASAP, using at least eight characters, upper and lower case, numbers and special characters.
  This is simple, but powerful!
- Remove, replace or change the “admin” username.
  Be careful with this one if you don’t know what you’re doing. If anything, make the password super long. If you want to change the name on it, you can do this via your PHP admin (advanced users only). Otherwise, consider creating a new Administrator first, before removing the generic Admin name.
- Consider adding Better WP Security.
- And possibly add CloudFlare, as they automatically block logins that resemble brute-force attacks.
It’s best to do this sooner than later, as “there are also indications that once a WordPress installation is infected it’s equipped with a backdoor so that attackers can maintain control even after the compromised administrative credentials have been changed,” according to ars technica.
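The lockout logic that a Limit Login Attempts style plugin (or CloudFlare) applies, as an added example that is my own code and not from this post or from any of the plugins named: it reads constructed Apache access-log lines offline and reports IPs that fail wp-login.php more than five times within ten minutes. It assumes a failed WordPress login re-renders the form (HTTP 200) while a successful one redirects (HTTP 302).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One Apache "combined" access-log line; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line is not a log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def find_bruteforce_ips(lines, max_failures=5, window=timedelta(minutes=10)):
    """Return {ip: time_of_lockout} for every IP with more than max_failures failed
    wp-login.php POSTs inside any window-long span. Assumption: a failed login answers
    HTTP 200 and a successful one HTTP 302, so a 302 resets that IP's failure count."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failed login POSTs
    locked = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if method != "POST" or not path.startswith("/wp-login.php"):
            continue
        q = failures[ip]
        if status == 302:            # successful login: forget earlier failures
            q.clear()
            continue
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) > max_failures and ip not in locked:
            locked[ip] = ts
    return locked

# Constructed sample log (documentation-range IPs): one scanner, one real user who typos once.
SAMPLE_LOG = [
    f'203.0.113.5 - - [12/Apr/2013:10:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3842 "-" "-"'
    for s in range(0, 60, 10)
] + [
    '198.51.100.7 - - [12/Apr/2013:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3842 "-" "-"',
    '198.51.100.7 - - [12/Apr/2013:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"',
]

if __name__ == "__main__":
    for ip, when in find_bruteforce_ips(SAMPLE_LOG).items():
        print(f"lock out {ip} (threshold crossed at {when.isoformat()})")
```

Run against a real access log, the same function shows how much of your server's work is going to login guessing even when every guess fails.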
Is your WordPress install safe?
[via ars technica]
Evan Courtney says
Boom. Cloudflare is installed on all of my domains easily via Bluehost.
Thanks for the tips.
Eric Dye says
😀
Tony Whittaker says
Another thing you can do is use an .htaccess file to prevent access to the wp-admin and contained folders, limiting it to your own IP address, or if you have a range of IP addresses from your ISP, you can allow just that range starting with a particular number, e.g.
allow from 78
You can put a special htaccess file into the wp-admin folder just for this, or add it to your existing one if you have one.
Eric Dye says
Great stuff, Tony. If you’re running WordPress “as is”, there’s a lot of room for beefing up the security. Thanks for the extra tips!
Eric E. Kidwell says
Do you know where there might be a tutorial on this? Something else I’ve wondered is how to change the “.com/wp-admin” to something else.
Travis Paulding says
Thanks for this post. Just added Better WP Security to three WP sites I manage, including my church. Removed a clunky Bullet Proof Security plug in as well.
Eric Dye says
#HIGHFIVE
Travis Paulding says
Interestingly enough, one of my sites had a brute force attack blocked LAST NIGHT after I installed the security plug-in yesterday. Good timing on this post. Mashable is reporting about 90,000 sites hacked in the past few days.
Eric Dye says
Yeah, it’s pretty heavy. Glad you upped your security!
Daniel says
My church’s website’s been hacked in the past. I wrote a blog post on this as well – http://goodchurchwebsite.com/church-website-security/
Paul Clifford (@PaulAlanClif) says
I made sure all my clients were up to date and added the limit login attempts to all their sites as a free service (because there are still few enough that I can).
Thx for the tips.
Eric Dye says
WOOT! 😀
Frank Steiner says
As WordPress founder Matt suggests, choosing a strong password and ensuring that you have the latest version of WordPress is adequate protection. The botnet is basically guessing security passwords, so if you have something that is not guessable you’ll be safe.
Now there is a Google Authenticator Plugin for WordPress. It is possible to enable (or disable) it per user (admin, editor, etc.). This plugin coupled with a strong password is the best you can do to secure the back end. This is the plugin I installed for my personal blog.
Eric Dye says
Cool. Another reason you might consider these other options is that although you may be safe, every bot that keeps repeatedly trying to log in puts a drain on your server. Better for them to get flagged and blocked.