Anyone who knows me knows that I’m a total WordPress addict. I love the platform for developing websites and have done a ton of custom development for the Virtual Administrator website as well as many others.
However, with the popularity WordPress has gained, it has also gained a lot of attention from the hacker world. There are a lot of attacks on the WordPress platform, so owners of WordPress websites should invest in some basic site security and backups.
While this isn’t directly related to the MSP world, it is entirely likely that your customers are running WordPress to power their websites as well, so I thought I would post a quick note about some steps to take to protect against a current large-scale attack against WordPress.
As a note, our site has already felt a brute force attack this morning and (as far as I can tell) has successfully repelled it.
Here are two articles which you can reference for information on the nature of this attack and what to do about it:
- http://ithemes.com/2013/04/15/ongoing-wordpress-attacks-details-and-solutions/
- http://techcrunch.com/2013/04/12/hackers-point-large-botnet-at-wordpress-sites-to-steal-admin-passwords-and-gain-server-access/
Thanks goes to Rich over at Network Depot for the initial heads up.
What we did to protect our website.
We took three crucial steps.
1.) https://virtualadministrator.com was one of the last websites I built that used Admin as the main username. The admin account has been deleted and removed from the system.
2.) I installed a brute force security plugin which also enforces some password security standards. Here is a link to the plugin.
3.) We take weekly backups of the website (which I may escalate to daily soon). I use the BackupBuddy plugin from iThemes, which was linked above. But here is a direct link to BackupBuddy.
While this may be limited, it appears to have repelled the attack, as we were notified this morning by the site that it had identified and repelled a brute force attack on the now non-existent Admin user.
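The plugin in step 2 sees the submitted username, which is how the site could report attempts against the deleted Admin account. The web server's own access log does not record POST bodies, but it does show the shape of a brute force run: one address repeatedly POSTing to wp-login.php and getting the form back with HTTP 200 (a wrong password re-renders the form; a correct one answers with a 302 redirect). The script below is an added example, not code from this post, from iThemes, or from any plugin; it assumes Apache/Nginx combined log format and runs over a constructed sample, flagging any address that accumulates a threshold of failed logins inside a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Apache/Nginx "combined" log format; none of this is real traffic.
# 203.0.113.10 hammers wp-login.php (6 failed POSTs in about 90 s), 198.51.100.7 is a
# legitimate user who mistypes twice and then logs in (302), 192.0.2.5 only loads the form.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Apr/2013:08:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.10 - - [15/Apr/2013:08:01:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Apr/2013:08:01:20 +0000] "GET /wp-login.php HTTP/1.1" 200 2901 "-" "Mozilla/5.0"
203.0.113.10 - - [15/Apr/2013:08:01:31 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Apr/2013:08:01:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.10 - - [15/Apr/2013:08:01:48 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
this line is garbage and must not crash the parser
198.51.100.7 - - [15/Apr/2013:08:02:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.10 - - [15/Apr/2013:08:02:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Apr/2013:08:02:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [15/Apr/2013:08:02:33 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
192.0.2.5 - - [15/Apr/2013:08:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2901 "-" "Mozilla/5.0"
"""

# Fields of a combined-format line up to the status code; the rest is ignored.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def failed_logins(log_text):
    """Yield (ip, timestamp) for every request that looks like a failed WordPress login:
    a POST to wp-login.php answered with 200 (form re-rendered) rather than 302 (redirect)."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].startswith("/wp-login.php") and rec["status"] == 200:
            yield rec["ip"], rec["ts"]


def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: peak} for addresses with at least `threshold` failed logins inside any
    `window`-long interval; `peak` is the largest such count seen for that address."""
    per_ip = defaultdict(list)
    for ip, ts in failed_logins(log_text):
        per_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        peak = 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it fits inside `window` of this event.
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, peak in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {peak} failed logins within 5 minutes")
```

Run it against a real log with `find_bruteforce(open("access.log").read())`; the threshold and window are the knobs to tune against normal traffic before feeding the flagged addresses to whatever blocks at the firewall or web server. Pair it with the username-aware plugin from step 2, since the log alone cannot tell you which account the attacker is guessing.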