You may have heard the news about the brute force attack against WordPress sites and the servers that host them. Unfortunately, it’s real. The attack is global and very organized, and is not directed at any one web host. This unknown organization is using more than 90,000 IP addresses to hack into your website and take control.
Read more about the brute force attack here.
What you can do right now to protect yourself
1. Change your password.
This attack is primarily (but not exclusively) targeting sites with the username “admin”, which is the default WordPress username if you did not choose a different one when you created your account. The best passwords use a combination of upper and lowercase letters, are at least eight characters long, and include “special” characters (^%$#&@*).
Go change your password now.
2. Install a plugin that limits login attempts.
I use the Limit Login Attempts plugin, and you can get it either on the WordPress website or in your “add plugin” section of your WordPress website.
These types of attacks, which try to log into a website over and over, are sort of like throwing something against a wall until it sticks. The “bots” try hundreds of thousands of password combinations until they find the one that gets them in. This plugin monitors those attempts and locks out anyone who exceeds the number of attempts that you’ve set.
Here’s what someone sees when they’re locked out:
And here’s a screenshot of the settings options:
This will go a long way in protecting your site. Go install and activate that plugin now.
3. Take a backup of your site
If you’re on a maintenance plan with us, this is done for you on a regular basis. If not, you should be taking regular backups in case you ever have to restore your site. I use BackupBuddy, but if you want a free backup plugin take a look at this one. I haven’t used it personally but it gets good reviews.
Now you’ve done what you can, and you have to leave the rest to your web host.
Don’t blame WordPress or your host
This attack is not an indication of whether any one web hosting company is better than another. I’m seeing different companies starting to point fingers at each other on their blogs in an attempt to increase sales, so don’t buy into any of that. If you have a decent web host you don’t need to switch. If your mother’s-neighbor’s-friend’s-cousin-who-took-a-class-in-college is hosting your site, you might want to consider switching to someone like HostGator or A Small Orange (both of which I use personally).
This is also no fault of WordPress. Hackers don’t waste their time targeting software and services that aren’t popular. WordPress is used by hundreds of thousands of websites around the world, so it’s an easy target. It’s still a solid website platform and will continue to be. As a matter of fact, they’re celebrating their 10th anniversary next month. You can read about that here.
So make the changes I recommended above, then sit back and know that you’ve done what you can. This particular attack will pass, and you’ll be better prepared for the next one. It’s a reminder to all of us to be vigilant in protecting our websites.
Here’s a link to a tool that will scan your site for malware: http://sucuri.net
And if your username is “admin”, you can change it. The easiest way without digging into the database is to create a new user with administrative rights (use your name as the username and set a strong password), then log out and log back in as that user, and delete the original “admin” user. You’ll be asked if you want to attribute posts written by the original user to the new user – say yes. 🙂
Questions? Comments? Discuss below.