Online security experts have warned that a mounting series of attacks on WordPress installations are behind the growth of an oddly powerful botnet, made up of over 90,000 IP addresses currently.
The BBC has reported on these wide-spread attacks, designed to target WordPress sites with poor security. When a new WordPress site is set up, the user is automatically given ‘admin’ as their username. The botnet is using brute-force password guessing attacks to try and gain access.
There are currently 64 million WordPress sites read by a staggering 371 million people each month, that’s around 17.6% of the world’s total websites (source: W3Techs).
After thorough investigations and initial lock-down of WordPress sites on our hosting cluster, we reported on Friday that our System Administrators had put new security measures in place and our servers are stable, allowing customers to access their WordPress sites as normal. We’ve had no reported issues over the weekend amidst this ongoing global WordPress attack.
Due to the complex, changing and global nature of this issue which impacts many web hosting providers, we will continue to closely monitor our systems and ensure that service remains acceptable. In the meantime, here is some advice on how to make your WordPress website more secure:
1. Change your WordPress admin username
Take a look at our Support Centre article on How to change a WordPress admin username
2. Change your WordPress password
- Immediately change your passwords to the WordPress admin area.
- Your password should be at least 30 characters and MUST have all of: uppercase and lowercase letters, numbers, and special characters. A good way to come up with a strong password that you can still remember is take a long phrase, song lyrics, a poem, similar, and replace certain letters with uppercase, numbers, and special characters.
- for example the relatively strong password: th1$l1ttl3p1ggy$3cur3dth31rW0rdpr3$$$1t3 is simply “thislittlepiggysecuredtheirWordpresssite” with i->1, s->$, e=3, and o->0 (zero)
- Scan your computer for viruses, keyloggers, rootkits, and botnet software.
- Do the same scans for any computer that has had access to your site admin area.
- Update WordPress and all plugins to the latest versions.
3. Upgrading your WordPress Installation
The people who write WordPress have tried to make upgrading as easy as possible, with all the work done behind the scenes, so you don’t need to know how to write code, or bother with replacing files by hand.
Before upgrading, we recommend that you back up your website and database – this will ensure that if the upgrade causes problems, then you have a copy of the original data to restore. It’s very rare to see any issues when you’re upgrading WordPress, as it’s used by so many people, but it’s better to be safe than sorry!
If the version you currently have installed is version 2.2 or higher, then all you need to do is log into your WordPress admin panel and click on the Upgrade link. The upgrade process is automatic – all you need to do is follow the instructions on the screen, and your site will then be using the latest version.
If the version of WordPress you’re running is older than version 2.2, you will need to upgrade manually. More details can be found at the main WordPress site www.wordpress.org on upgrading from your current version to the latest.
You should also upgrade any themes and plugins you are using, so that they are also at the latest versions. As with the main WordPress code, updated plugins and themes will also contain many security and bug fixes. This will help detect and prevent any unauthorised attempts to log in to WordPress.
4. Recommended Plugins
We recommend using the following plugins as a minimum on your WordPress site:
Change Uploaded File Permissions – This plugin fixes an issue some WordPress users experience when uploading pictures through the built-in Media Manager. This plugin has been updated to run with all versions of WordPress by one of our own staff!
TimThumb Vulnerability Scanner – This plug checks the image manipulation script timthumb.php, which is used in many themes and plugins, and makes sure it is up-to-date. Older versions of timthumb.php contained a lot of security bugs, and have been fixed in the new versions
Akismet – This anti-spam plugin comes with WordPress, and protects comments from being filled with junk, but you need an activation key to use it. The easiest way to get one is to create an account at http://www.wordpress.com – you get an Akismet key when you sign up.
Wordfence Security – This is a security plugin that includes a firewall, anti-virus scanning, malicious URL scanning and live traffic including crawlers.
All these plugins can be found by just searching for them by name in the Plugins section of your WordPress admin panel, and are installed and in use with only 3 clicks – Search, Install and Activate!
5. WordPress up-to-date…so what next?
Now that you’ve updated WordPress to the latest version, your website is more protected than it was when it was running the older version. But that’s not all you can do to keep your website safe.
Log into the admin panel regularly – Logging in once a week, even if you don’t have anything to post, will alert you to any future upgrades that are available and need to be applied. Once you get into the habit of logging in on a regular basis, upgrading WordPress and your themes and plugins will become second nature. Your website will be more secure as security loopholes will be patched, and any bugs in the code that the people at WordPress have found will be patched.
Check the Akismet section – Checking the Akismet section of the admin panel regularly will show you any comments that the plugin thinks are spam. You can delete them if they are, and if they’re genuine comments that have been caught (a false-positive), you can mark them as real comments, and Akismet will learn. The more you use Akismet’s features, the more accurate it becomes, and this benefits both you and all other WordPress users. Getting rid of spammy comments also keeps the database behind WordPress clean and efficient, meaning your website will run more smoothly, as it won’t be displaying any unwanted data.
Moderate comments – If you have enabled comments on your WordPress posts and articles, you can set them to either publish immediately, or wait until you’ve approved them. The latter is a safer method, as you have complete control over what gets added to your website, but with both methods you can delete unwanted comments, again trimming down the amount of data in the database.
Add a Captcha plugin – A Captcha is a series of words and numbers shown on screen as a picture. You have to type these into a box when adding a comment to prove you’re a real person, and not a spam-bot (a small script that automates adding nonsense or spammy comments to posts in order to move another website further up a search-engine’s rankings). Adding a Captcha plugin to posts helps prevent this happening. Admittedly, it’s not 100% foolproof, but with this and Akismet, you will stop a lot of unwanted comments being added to your articles.
Only use trusted themes and plugins – There are a lot of themes and plugins for WordPress available out there. The “official” ones can be found right inside the WordPress admin section. When you search for a theme or plugin in the WordPress admin section, you’re downloading it directly from the WordPress Codex – a part of the WordPress website dedicated to these add-ons. They usually have their own support section in the Codex as well, so you can question the plugin or theme’s creators and other users.
Sign up to the WordPress newsletter – WordPress provide a mailing list that will let you know when there are any updates being made, along with other WordPress-related news. You can sign up for this on the official WordPress download page at http://wordpress.org/download/
Please note: names.co.uk do not provide support for plugins. Support is provided through the plugins’ relevant support channels from either the plugin authors or the WordPress community. Please read the plugins’ documentation for full details.
Our plugin recommendations are for guidelines only to help secure and manage your WordPress site safely. Alternative plugins are available. names.co.uk accept no responsibility for any loss or corruption of data arising from the use or non-use of these plugins.
names.co.uk are in no way affiliated or associated with WordPress or any of the plugins mentioned in this article.