The WordPress platform is used by millions of bloggers and businesses and has been under massive bruteforce attack over the past week. Some are speculating whether or not this is just the start of something much bigger. So far according to TechNewsDaily, “90,000 WordPress blogs” have been attacked. Click here to read more.
The primary target of entry has been the login panel, specifically those with “admin” as their username. We all know that keeping any default settings is never a good idea. So why do we do it? Are we lazy? Or do we just think it is not going to happen to us?
Regardless of your answer, the events of this week need to wake up all of us. No longer can this be ignored. We need to take responsibility and secure our websites ourselves. Think of the countless hours of work that has been put in that can be demolished in seconds.
Matt Mullenweg, one of PC World’s Top 50 People on the Web and one of the Founders of WordPress, says “almost 3 years ago we released a version of WordPress (3.0) that allowed you to pick a custom username on installation, which largely ended people using “admin” as their default username”. Read the full article here. So what’s happened? Have people forgotten or is it the huge number of new users that may never have been alerted to this problem?
Matt recommends that, “if you still use “admin” as a username on your blog, change it, use a strong password… and of course make sure you’re up-to-date on the latest version of WordPress”.
One of the bigger questions with this weeks botnet kerfuffle has been around motivation. What do the hackers want? TechNewsDaily reports, “the ultimate goal of the botnet is a mystery; having administrative access to a number of blogs is not that useful in and of itself…however, a network of more than 90,000 compromised machines can wreak all sorts of havoc, especially in denial-of-service attacks”.
InformationWeekSecurity who also reported on this story said that, “successfully exploited sites get a backdoor installed that provides attackers with ongoing access to the WordPress site, regardless of whether a user subsequently changes the password guessed by attackers…exploited sites are then used to scan for WordPress installations, and launch the same type of attack against those sites”. Read more here.
They went on to say, “thankfully, a quick solution to the attacks is at hand: ensure no WordPress site uses any of the targeted usernames, which include not just admin and Admin but also “test,” “administrator” and “root”.
What’s really staggering are the number of attacks. Just read the statement below…
The WordPress “admin” attacks aren’t new, but they’ve recently tripled in volume. “We were seeing 30 to 40 thousand attacks per day the last few months. In April 2013, it increased to 77,000 per day on average, reaching more than 100,000 attempts per day in the last few days” said Sucuri CTO Daniel Cid in a blog post. That means that the number of brute force attempts has more than tripled” (InformationWeekSecurity).
We need a solution and we need one fast. Free plugins are just not going to cut it any longer. It’s time to look to the experts and let them help. HostedinCanada.com and Upfrontbydesign.com are WordPress Security Experts and provide a complete protection, from setup through ongoing updates.
– Daily backup
– 24/7 monitoring
– Quarterly PLUGIN Updates
– Bi-annual CORE Updates
– Special rates on any required edits or fixes related to plugin or core updates. (CORE updates are only done if there is a vulnerability/REQUIRED….but are completed every 6 months.)
– Daily SCAN and checks include:
12 standard weaknesses
21 Advanced weaknesses
Blocking hackers from trying to login. (IP’s are AUTOMATICALLY banned)
626 CORE files (we check core WordPress files against wordpress.org for attached files)
Call today if you have questions. To get a FREE Security assessment and report, CLICK HERE!
President – 403-730-2040 #207