If you are using Wordpress then you are in good company – it is reckoned that somewhere between 50 and 70 million websites are operating using Wordpress. However, this popularity comes at a price, and having the most popular blogging / content management software on the planet means you are a big target for those that would like to steal, hijack, hack or compromise your website.
What happened
Recently a large host, Hostgator, went public with the information that it was under attack from a brute force attack and that wordpress installations were being targeted, and some had been compromised. This was then confirmed from a number of sources, it was said that a ‘botnet’ of 90,000 servers was attempting to log into Wordpress sites (and some Joomla too it appears) by using easy to guess user names and passwords.
There are a number of things to note here, and the first is that this is nothing new. What as unusual here is that there was a sudden and pronounced increase in the volume of attacks, the amount increased by 3 to 4 times in the space of less than a week, so the sheer amount of traffic became an issue for hosting companies.
Secondly all systems, not just Wordpress, see this kind of activity, although because of the popularity of Wordpress it makes it easier to just go to any random domain, enter the address of the login page and then try a common user name and simple password.
Thirdly, and most importantly, there are a number of easy steps to protect your site from this type of attack, but you need to remember to do them.
The 5 Golden Rules to having a secure Wordpress site
- If you still use admin as the user name change it…now!
- Make your Wordpress password complex and difficult to guess
- Keep up to date with the Wordpress version
- Do not use the Wordpress password on any other sites
- Implement one of the many WP Security plug-ins to tighten security a notch or two higher
Do all this and you can be sure to be ahead of 99% of the other Wordpress sites out there.
Now let’s go into a bit more detail about how to implement the golden rules…
How to protect your Wordpress site
1. If you still use admin as the user name change it
In early versions of Wordpress the main user was called ‘admin’ and could not be changed. Some hosts even today are still using installation scripts that do not ask you for the admin user names but create the user as ‘admin’.
This makes the task of cracking into the site much, much easier, if you only have to work out the password because you can guess the user name then the task is 100% quicker and easier. So make sure the Administrator user (and any other users with Administrator access) has a complex name not derived from the site name or domain name, and also not called ‘user’, ‘test’ etc
2. Make your Wordpress password complex and difficult to guess
You will see many comments on this, and there are a few schools of thought, but it really is time you started paying attention to generating complex passwords for you online identities. In this case the security company sucuri.net noted that the scripts were looking for passwords like this:
- admin
- 123456
- 666666
- 111111
- 12345678
- qwerty
- 1234567
- password
- 12345
- 123
- 123qwe
- 123admin
- 12345qwe
- 12369874
- 123123
- 1234qwer
- 1234abcd
- 123654
- 123qwe123qwe
- 123abc
- 123qweasd
- 123abc123
- 12345qwert
Read this list carefully, if you use ANY of these passwords, or similar easy to guess ones, on ANY online service then take this as a wake up call and change them now!
Our best advice on managing complex passwords is to look at Lastpass.com an online password manager and Keepass a desktop based password manager.
We use and recommend both, and use dropbox in order to make sure we always have access to the passwords file whereever we are.
3. Keep up to date with the Wordpress version
This was a brute force attack on the log in page, but any software can suffer from security issues. If like me you are fed up with how many times Java or Adobe Acrobat prompts for upgrades then you will know that these things are regularly happening. Wordpress is regularly updated and to ensure you keep secure then your installation should be upgraded.
Customers of ours that run Wordpress and have opted for our ‘software assurance’ plan are automatically upgraded by us. If not then you need to do this yourself through the control panel. If you are not sure then get in touch.
4. Do not use the Wordpress password on any other sites
As Wordpress is one of the most high profile software packages it makes sense that you should not share any password you use on Wordpress with any other service, especially banking etc. If an attacker gains access to a site then they will often immediately try this user name and password on a range of other services to see if they can get in, and it might be on these other sites that they could really do you some serious financial damage if they gain access to a bank account, or say your Amazon account, Google Adwords account, Hosting account etc etc
5. Implement one of the many WP Security plug ins to tighten security a notch or two higher
There are a number of additional security plug-ins that you can add to Wordpress which increase the security. One we like for this sort of situation is ‘Login LockDown’
This plugin records the IP number and time of every attempted log in and if there are 3 failed attempts to log in from the same IP it activates a 1 hour lock out. If you have it enabled your log in screen will look similar to this:
In this particular instance it would not have blocked it, this attack was blindly posting up to 30 times a second from a different IP address every time – that is why hosts were scared because traffic levels rose alarmingly, but it is still a good idea generally.
There are more examples that might be useful, if you are using a blue spark Wordpress installation and want to look at any of the options and discuss the pros and cons of them then do get in touch.
You might lock the front door, but leave the back door open
These recent attacks have been ‘brute force’ attacks attempting to login using the admin user to gain control of the website. This is a common vector but unfortunately not the only one. There is still a danger that your hosting server can be compromised whether you have your own dedicated server or you are sharing a server. The security Hosting companies have in place can and have been broken, so make sure you keep a regular backup of your own, don’t just rely on someone else doing it.
Remember – the biggest vulnerability… is you
Sucuri summed up the attacks by concluding
“The thing to understand about these attacks is that they play on the biggest WordPress vulnerability, you, the end-user. You have to be doing your part, specifically when leveraging good passwords.”
This applies to all online services and websites not just Wordpress so Carpe diem – start your new password strategy and do it today!