Back in April (2013), a MAJOR distributed Brute Force Login attack was perpetrated on every server where WordPress was installed. This was an on-going and highly-distributed, global attack across virtually every web host in existence that went on for weeks.
The attack was well organized and over 90,000 IP addresses were involved in it.
Statistics and research showed that the number of such attacks on sites tripled that month.
Should You Be Concerned?
Absolutely. Because the biggest WordPress vulnerability is you. While this attack was the biggest concerted action seen to date, hackers are constantly on the lookout for weaknesses in blogs that they can exploit. Here are some stats:
Far too many people use weak passwords for their sites and you’d be surprised just how many blogs out there use “admin” as their username. So you, as a WordPress user, have to do your part in choosing a blog username and password that are strong. That means using long strings (8+ characters) with a mix of upper and lowercase letters, numbers and symbols like @, #, $, *, etc. (I do this in the blogs I build here).
Always keep a record of your usernames and passwords so you can copy and paste them into your blog login page. Then look at adding some security plugins to your site to better protect it (again, this is something I routinely do on the blogs I build for you).
How Do You Know If Your Blog Has Been Hacked?
The obvious clue is if you see a “Hacked By” message on your blog’s home page. Other attacks are more subtle – maybe your blog looks fine but some malicious code has been injected onto it, infecting the PC of everyone who visits your site.
Another sign is if you’ve found it difficult to log into your blog in the last few days, or have noticed some other odd behavior with it. That could be because a hacker has changed the blog’s login credentials.
Another clue is if your blog is very slow, especially when logging in. In this case, it’s possible that your blog is under attack or that your webhost’s servers are under attack and they’re taking some remedial action to mitigate any damage – this may include temporarily blocking webmasters from logging into their sites.
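The slowness and login trouble described above show up first in the web server’s access log, where every login submission is a POST to wp-login.php. The script below is an added example, not code from the original post: it parses combined-format access log lines and flags both a single IP hammering the login page and the distributed pattern from the April attack, where many IPs each try only a few times. The log lines are constructed sample data and the thresholds (5 attempts per IP per minute, 20 distinct IPs per minute) are assumptions to tune for your own traffic.

```python
"""Spot WordPress brute-force login activity in a web server access log.

Added example, not code from the original post. Reads Apache/Nginx
combined-format lines, keeps POSTs to wp-login.php (a GET only loads the
form; a POST carries credentials) and runs two detectors over them.
The log lines and thresholds below are constructed/assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# ip - - [time] "METHOD path HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, datetime, method, path, status), or None for a non-matching line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    when = datetime.strptime(m.group("time"), TIME_FMT)
    return m.group("ip"), when, m.group("method"), m.group("path"), int(m.group("status"))


def login_attempts(lines):
    """Yield (ip, time) for every POST to wp-login.php."""
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, when, method, path, _status = rec
        if method == "POST" and path.split("?", 1)[0].endswith("/wp-login.php"):
            yield ip, when


def burst_ips(attempts, window_seconds=60, threshold=5):
    """Map ip -> peak attempts inside any sliding window, for IPs at/above threshold.
    Catches the classic single-source brute force."""
    per_ip = defaultdict(list)
    for ip, when in attempts:
        per_ip[ip].append(when)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        peak, start = 0, 0
        for end, when in enumerate(times):
            while (when - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def busiest_window(attempts, window_seconds=60):
    """Bucket attempts into fixed windows; return (window_start, distinct_ips, attempts)
    for the bucket with the most distinct source IPs. Many IPs each trying once in
    the same minute is the distributed pattern that per-IP thresholds never see."""
    buckets = defaultdict(list)
    for ip, when in attempts:
        buckets[int(when.timestamp()) // window_seconds].append(ip)
    if not buckets:
        return None
    key, ips = max(buckets.items(), key=lambda kv: len(set(kv[1])))
    start = datetime.fromtimestamp(key * window_seconds, tz=timezone.utc)
    return start, len(set(ips)), len(ips)


def _line(ip, ts, method, path, status):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 3421'


# Constructed sample log: one IP posting 8 times in 28 seconds, thirty IPs
# posting once each within the same minute, plus two ordinary visitors.
SAMPLE_LOG = (
    [_line("198.51.100.7", f"12/Apr/2013:10:00:{s:02d} +0000", "POST", "/wp-login.php", 200)
     for s in range(0, 32, 4)]
    + [_line(f"203.0.113.{n}", f"12/Apr/2013:10:05:{n:02d} +0000", "POST", "/wp-login.php", 200)
       for n in range(1, 31)]
    + [_line("192.0.2.10", "12/Apr/2013:10:02:15 +0000", "GET", "/", 200),
       _line("192.0.2.11", "12/Apr/2013:10:03:40 +0000", "GET", "/wp-login.php", 200)]
)


def analyze(lines, window_seconds=60, per_ip_threshold=5, distributed_min_ips=20):
    """Run both detectors and return a summary dict."""
    attempts = list(login_attempts(lines))
    busiest = busiest_window(attempts, window_seconds)
    return {
        "total_attempts": len(attempts),
        "burst_ips": burst_ips(attempts, window_seconds, per_ip_threshold),
        "busiest_window": busiest,
        "distributed": busiest is not None and busiest[1] >= distributed_min_ips,
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Run it against your real log with `analyze(open("access.log"))`; a non-empty `burst_ips` is something a per-IP blocking plugin would stop, while `distributed` being true with no burst IPs is exactly the case the April attack created, where only rate limiting on the login form itself (or a challenge in front of it) helps.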
Here’s what Hostgator had to say about what they were doing during the April attack:
We are taking several steps to mitigate this attack throughout our server farm, but in the same breath it is true that in cases like this there is only so much that can actually be done. The servers most likely to experience service interruptions will be VPS and Dedicated servers hosting high numbers of WordPress installations, due to the incredibly high load this attack has been seen to cause.
Here are some articles relating to the attack that were posted on various sites. They’re worth reading if you want to know more about the attack:
- Global WordPress Brute Force Flood – posted on Hostgator
- Mass WordPress Brute Force Attacks? – Myth or Reality – posted on Sucuri
- WordPress Brute Force Attack – posted on Hosting Discussion Forum
- Brute Force Attacks Build WordPress Botnet – posted on Krebs On Security
- Major brute force attack against WordPress underway – posted on Silicon Republic
Securing Your WordPress Blogs
So you can’t be complacent about your WordPress sites. It’s easy to accept default settings and simply use the “admin” username and a ridiculously easy password (like “123456”) when installing WordPress through your cPanel with Fantastico or Softaculous.
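The password rule given earlier (8+ characters mixing upper and lowercase letters, numbers and symbols) and the “admin”/“123456” defaults warned about here can be turned into a simple check you run before creating an account, together with a generator for the long random strings the post recommends keeping a record of. This is an added example, not code from the original post; the denylists are short constructed samples, and a real deployment would check against a full published list of common passwords.

```python
"""Check WordPress credentials against the rule in the post (8+ characters with
upper- and lowercase letters, digits and symbols) and generate passwords that
satisfy it. Added example, not from the original post; denylists are constructed."""
import secrets
import string

# Constructed denylists illustrating the installer defaults the post warns about.
COMMON_PASSWORDS = {"123456", "12345678", "password", "admin", "qwerty", "letmein"}
DEFAULT_USERNAMES = {"admin", "administrator", "root", "user", "test"}

# Symbols used when generating: the post's examples plus a few that paste
# cleanly into a login form (no quotes or backslashes).
GENERATION_SYMBOLS = "@#$*!%&+=?-_"


def password_problems(password, username=None):
    """Return the list of rules the password fails; an empty list means it passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if username and len(username) >= 3 and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def username_problems(username):
    """Flag the installer defaults that attackers try first."""
    return ["default or guessable username"] if username.lower() in DEFAULT_USERNAMES else []


def generate_password(length=16):
    """Random password guaranteed to contain every required class, shuffled with
    the secrets module so the position of each class gives nothing away."""
    if length < 8:
        raise ValueError("length must be at least 8")
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, GENERATION_SYMBOLS]
    chars = [secrets.choice(cls) for cls in classes]  # one character from each class
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    for i in range(len(chars) - 1, 0, -1):  # Fisher-Yates shuffle with a CSPRNG
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


if __name__ == "__main__":
    for user, pw in [("admin", "123456"), ("gary_editor", "Tr0ub4dor&3")]:
        print(user, username_problems(user), password_problems(pw, user))
    new_pw = generate_password()
    print(new_pw, password_problems(new_pw))
```

The generator deliberately uses `secrets` rather than `random`; the latter is seeded from the clock and is not suitable for credentials. Eight characters is the floor the post gives, so the default length here is sixteen.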
You need to not just think of your blog as simply “yours” but you should also have an attitude of responsibility towards your readers. You wouldn’t want your PC to get infected by visiting someone else’s blog so you should care that your visitors aren’t compromised by a visit to your blog.
The blogs I build all use premium security plugins and other strategies to thwart hack attacks. If you’ve ever lost a blog to a hack or spent the time recovering from one, you’ll know that it can be a costly business; you either lose a lot of time repairing a blog and/or you lose income because a blog is no longer earning money or worse, is lining the hacker’s pocket.
So take WordPress security issues seriously. If you want to find out more about my own experiences and how to protect and recover blogs from attacks, you can always read my WordPress Defender book.
Hiya! Quick question that’s entirely off topic. Do you know how to make your site mobile friendly? My site looks weird when viewing from my Apple iPhone. I’m trying to find a theme or plugin that might be able to correct this problem. If you have any suggestions, please share. With thanks!
Hi Yankee Doodle,
You need to use a mobile responsive theme on your site. If your site uses WordPress, there are plenty of free mobile responsive themes out there (just do a Google search for “mobile responsive WordPress theme”). If your site uses another engine, like Joomla (which I’m not familiar with), then there may be mobile responsive site themes you can get for that.
If, however, your site is proprietary, i.e. it was built by a web designer but doesn’t use one of the current popular blogging tools (like WordPress), then updating the theme used on your site could be problematic. You’d probably need to re-hire the web designer or find another one who could do that for you.
The reason your site doesn’t look good on mobile devices is because it was probably exclusively designed for viewing on desktop PCs. Mobile responsive themes can see what resolution screen is on mobile devices and display the site so it looks good, no matter what the resolution of the screen it’s being viewed on.
Google now penalizes sites that don’t use mobile responsive themes so it’s always a good idea to upgrade other sites to use an up-to-date theme.
Gary
Nice article Gary! I’m using the Wordfence security plugin to secure my WP installation. Even though my web host offers free weekly backup, can you recommend any free backup plugin so I can have my own backup?
Thanks.
Hi Kevin,
I don’t use Wordfence myself any more since they’re pulling the Falcon caching engine from the free version of the plugin. I use a mix of plugins, some free, some commercial, to harden my sites. But you’re right not to rely on the backups your webhost makes. UpdraftPlus is a free plugin for backing up blogs that will do what you want.
Cheers,
Gary.