WordPress is easy. That’s why people like it. It’s quick to set up a simple site. It’s easy to manage large amounts of content. It’s easy to add functionality without having to know how to code PHP because there is such a large developer community that makes tons of free plugins.
If you and your customers are running WordPress sites, now would be a good time to ensure that strong passwords are always used and that your username should be changed from “admin”. According to reports, there is currently a significant attack being launched at WordPress blogs across the Internet. For the most part, this is a brute-force dictionary-based attack that aims to find the password for the “admin” account that every WordPress site sets up by default. This attack is happening at a global level and WordPress instances across hosting providers are being targeted. Since the attack is highly distributed in nature (most of the IP’s used are spoofed), it is very difficult to block all malicious data.
To ensure that websites are secure and safeguarded from this attack, we recommend the following eight-step process: (feel free to share this with your customers)
1. Avoid Obvious Passwords. Use a hefty mix of alphabets, numbers and alpha-numeric characters to create a good, strong password
2. Immediately change your passwords to the WordPress admin area, FTP, any control panels, and all email accounts
3. Change the Admin Username. The attackers are in possession of 90,000 IP addresses from which they are trying to crack the default “admin” accounts on WordPress installations. So if you are still using “admin”, create a new user with admin privileges (you will need to use a different email address than the one attached to the current administrator account) and give it a strong password as defined above. Then log back in as the new user and delete the old admin account and assign all of the posts in that account to the new user. The five minutes you spend here will ensure that your hours of hard-work are safe and secure.
4. Scan your computer for viruses, keyloggers, rootkits, and botnet software. Make sure the scan is performed on all computers that have access to your site admin area
5. Update WordPress and all plugins to the latest versions
6. Add this to the .htaccess file in your document root (public_html, www, htdocs, etc). This is in order to stop direct automated attempts to log in to your site:
RewriteEngine on
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP_REFERER} !^http://(.*)?.yourdomain.com [NC]
RewriteCond %{REQUEST_URI} ^/wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^/wp-admin$
RewriteRule ^(.*)$ - [R=403,L]
Note: Replace example.com below with your domain (leave the “?.” before it and everything else)
7. Now for the Plugins to install on all WordPress installations:
- WordPress File Monitor Plus
- Limit Login Attempts
- Stop Spammer Registrations
- Spam Free WordPress
- Ban Hammer
8. We recommend that you use Cloudflare to prevent the attack from affecting the functionality of sites that belong to you and your customers
Current statistics confirm that one in every six sites on the web runs on WordPress. That’s a lot of fodder to make a botnet out of! You can ensure your customer’s sites don’t get affected by making them aware of these simple fixes.
Got better ways to secure WordPress? Do comment and let us know!
