Is your WordPress site being targeted by a brute force attack?
Have all the events of this past week got you wondering, “What in the world is going on?” Trouble seems to have been delivered in the combo-pack, and it leaves us wondering how prepared we really are for pending disasters.
In the midst of it all, nearly a hundred thousand WordPress sites came under brute force attacks beginning April 11. While it first seemed to be just a blip, within 24 hours it was obvious that unsuspecting websites had fallen prey to a full-scale botnet attack. A botnet is a network of infected, internet-connected computers that can be used to execute malicious tasks. The end result is never good. So what is the intent this time? Experts can only speculate for now, but it does appear that the attacks are widespread.
At first glance, experts at Sucuri determined that while the attack had great reach and was simultaneous, sites with even a modicum of prevention are immune.
Here are Three Tips You Should Follow NOW!
If you thought that something like this would never happen to your site, now is the time to think again and take some action. Here are our three simple steps to a more secure WordPress site:
#1 – Create a unique username:
Is “admin” your username? Then you are a prime target! Change this immediately. Oh, but wait… you can’t change a WordPress username. Don’t fear. First, log in as you normally would. Under “profile,” change your email address to an alternate email. (This is because you can’t use the same email address for more than one username.) Now create a new user, choosing a unique username that is not admin, test, administrator, Admin, or root, as these are the top usernames being targeted. For this new username, you may now use your normal email address. After creating the new user, delete your old username. Poof! That was easy! (Here are 4 steps provided by Judi Knight)
#2 – Update OFTEN!
This is like getting your teeth cleaned. You can keep putting it off, but eventually your procrastination is going to increase your chances for problems. Consistently check your WordPress version as well as your plugins, and make sure that everything is up-to-date! Mickey Mellen gives more tips here.
#3 – Password creativity is essential!
Use strong passwords including upper and lower case letters. Include numbers and special characters, and avoid normal key sequences and words, such as the top hits like 12345678 and qwerty. If you must use words, choose a pass phrase like “correcthorsebatterystable.” Exchanging 0 for o is easily guessed, so avoid that. To be super-safe, we recommend that you use a password manager, like lastpass.com.
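Here are the checks from tips #1 and #3 as an added example (this is not code from the original post). It flags the targeted usernames, common passwords and key sequences, and look-alike swaps such as 0 for o. The word lists, the substitution table and the 20-character pass phrase threshold are constructed assumptions.

```python
import re

# Usernames the post names as the top brute-force targets (compared case-insensitively).
TARGETED_USERNAMES = {"admin", "test", "administrator", "root"}

# Constructed sample of weak base passwords; a real audit would load a larger list.
COMMON_PASSWORDS = {"12345678", "qwerty", "password", "letmein", "welcome"}

# Keyboard and digit runs that guessing wordlists try first (constructed sample).
KEY_SEQUENCES = ("qwerty", "asdfgh", "zxcvbn", "123456", "abcdef")

# Look-alike substitutions that guessing tools undo automatically (constructed table).
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password):
    """Lower-case and reverse look-alike substitutions, e.g. 'P@ssw0rd' -> 'password'."""
    return password.lower().translate(LEET_MAP)


def audit_credentials(username, password):
    """Return a list of findings; an empty list means no rule from the post was broken."""
    findings = []
    if username.lower() in TARGETED_USERNAMES:
        findings.append("username is on the targeted list")

    lowered = password.lower()
    if lowered in COMMON_PASSWORDS or any(seq in lowered for seq in KEY_SEQUENCES):
        findings.append("password is a common password or contains a key sequence")
    elif normalize(password) in COMMON_PASSWORDS:
        findings.append("password is a common word with look-alike substitutions")

    # Character-class rule, waived for long pass phrases (assumed here: 20+ characters).
    if len(password) < 20:
        classes = {
            "upper-case letter": r"[A-Z]",
            "lower-case letter": r"[a-z]",
            "number": r"[0-9]",
            "special character": r"[^A-Za-z0-9]",
        }
        for name, pattern in classes.items():
            if not re.search(pattern, password):
                findings.append(f"password has no {name}")
    return findings
```

Run it on a candidate username and password before creating the new account; anything it returns is a reason to pick again.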
Celebrate your success with these bonus cleanup tips:
- Install a security plugin. Sucuri is a favorite that ClickHOST recommends to their customers. We offer FREE malware scanning with all our hosting plans as well as FREE malware removal for our BEST plan customers.
- Delete any old WordPress installations. Move on! It makes sense to keep things cleaned up.
- Delete all unused plugins and themes. Think of this as spring cleaning! If you aren’t using it, then the time has come to delete it!
Keep learning about WordPress! And it goes without saying that you really need a good backup plan. Our post on WordPress Backup Options will help.
If you are ready to learn more about WordPress security, then check out ClickHOST’s 2013 WordCamp presentation on this subject.
So that was very simple, and because this attack is also very basic, you are safe. As always, make sure you choose a host like ClickHOST that keeps on guard for issues like this. Thank you for taking the time to read and follow these steps. Please comment here and let us know what you will be doing right now to ensure your site is prepared to fend off these attacks. Malicious code is looking for an easy target. Prepare your site now so you are no longer in the bull’s-eye for attack!