In April of 2013, WordPress websites experienced a wave of targeted attacks at a volume well above the usual background level. These attacks used “brute force” methods to break into administrator accounts on WordPress installations. Once in, the attackers’ goal appears to be to amass a botnet (a network of compromised computers) that can be used to launch DDoS (distributed denial-of-service) attacks. “Brute force” means the attackers are not exploiting a bug or vulnerability in WordPress itself; they are using automated tools to guess weak passwords on the default “admin” account, which has a known username and administrator rights. Because the username is already known, the password is the only thing standing between the attacker and full control of the site.
Ars Technica has a good post about the attacks if you are interested in more details.
What Can I Do To Protect My Site?
When activity like this ramps up, it’s a good time to revisit the precautions that can be taken to prevent your WordPress site from being compromised.
Harden your passwords
Make sure you have strong passwords on all of your WordPress accounts. Here are recommendations from WordPress on creating a strong password.
Install a security plugin on your website
As recommended in the Ars Technica article linked above, “Better WP Security” is a good, all-around security plugin to include on your website. It covers several fronts in a single plugin, so you do not need a separate plugin for each area. The front that matters most for this attack is its login protection, which locks out an address after repeated failed login attempts instead of letting it keep guessing indefinitely.
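To show what the login-lockout part of such a plugin does under the hood, here is a minimal per-address lockout written as an added example for this post. It is not code from Better WP Security or from WordPress itself, and the thresholds (5 failures in 15 minutes) are assumptions chosen for illustration. It uses only standard WordPress hooks and the transient API.

```php
<?php
/**
 * Added example (not from the original post or from any plugin):
 * a minimal per-IP lockout for WordPress logins. Drop the file into
 * wp-content/mu-plugins/ to try the mechanism; a maintained security
 * plugin remains the better production choice.
 *
 * Assumed thresholds (illustrative): 5 failed logins within 15 minutes
 * lock the client address out for 15 minutes.
 */

const LOCKOUT_MAX_FAILURES = 5;
const LOCKOUT_WINDOW       = 15 * MINUTE_IN_SECONDS;

function lockout_client_ip() {
    // Caveat: REMOTE_ADDR is the host that connected to PHP. Behind a reverse
    // proxy or CDN that is the proxy, so have the web server restore the real
    // client address; do not trust X-Forwarded-For blindly from here.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function lockout_key( $ip ) {
    return 'login_failures_' . md5( $ip );
}

// Count every failed login against the client address. Re-setting the
// transient on each failure makes this a sliding window.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = lockout_key( lockout_client_ip() );
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, LOCKOUT_WINDOW );
} );

// Refuse further attempts once the threshold is reached. Priority 30 runs
// after WordPress's own username/password check (priority 20), and returning
// a WP_Error here overrides any result, so further guesses learn nothing.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( empty( $username ) ) {
        return $user; // no credentials submitted, nothing to rate-limit
    }
    $count = (int) get_transient( lockout_key( lockout_client_ip() ) );
    if ( $count >= LOCKOUT_MAX_FAILURES ) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts from your address. Try again later.'
        );
    }
    return $user;
}, 30, 3 );

// Clear the counter on a successful login so a legitimate user's typos
// do not linger and lock them out later.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( lockout_key( lockout_client_ip() ) );
}, 10, 2 );
```

Two caveats a practitioner should keep in mind: attempts made while locked out still fire `wp_login_failed`, so the lockout keeps extending as long as the guessing continues; and a botnet spreads its guesses across many addresses, so a per-IP lockout slows the attack rather than stopping it. Strong passwords remain the primary defense.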
Delete the default “admin” account
Strong passwords will do much to deter access, but since this particular attack targets the default “admin” WordPress account by name, you can also delete that account for added security: the attackers’ guesses are useless against a username that no longer exists. Keep in mind that you still need an account with administrative privileges, but it doesn’t have to be the default “admin” account. First, create a new account and assign it the “administrator” role (if you don’t already have one). Then make sure you are logged out of the default “admin” account and log in to the new account. Now you can delete the default “admin” user. If any posts were created under that user, WordPress will ask you to re-assign them to one of the other users on the site; choose your new administrator so nothing is lost.
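The same procedure can be scripted, which is handy when you maintain several sites. The following is an added example written for this post, not code from WordPress or from any plugin; it uses WordPress’s own user functions and is meant to be run inside a loaded WordPress, for instance with `wp eval-file replace-default-admin.php`. The new login name and contact email are placeholders you should change.

```php
<?php
/**
 * Added example (not from the original post): replace the default "admin"
 * account with a differently named administrator, then delete "admin" and
 * reassign its content. Run inside a loaded WordPress, e.g.
 *     wp eval-file replace-default-admin.php
 *
 * Assumptions (placeholders, change them): the new login "site-owner-7k2q"
 * and the contact email owner@example.com.
 */

require_once ABSPATH . 'wp-admin/includes/user.php'; // provides wp_delete_user()

$old_login = 'admin';
$new_login = 'site-owner-7k2q';   // assumption: choose a login that is not guessable
$new_email = 'owner@example.com'; // assumption

$old = get_user_by( 'login', $old_login );
if ( ! $old ) {
    echo "No '{$old_login}' account found; nothing to do.\n";
    return;
}

// 1. Create the replacement administrator with a long random password.
$new = get_user_by( 'login', $new_login );
if ( ! $new ) {
    $password = wp_generate_password( 32, true, true );
    $new_id   = wp_create_user( $new_login, $password, $new_email );
    if ( is_wp_error( $new_id ) ) {
        echo 'Could not create user: ' . $new_id->get_error_message() . "\n";
        return;
    }
    $new = get_user_by( 'id', $new_id );
    $new->set_role( 'administrator' );
    echo "Created {$new_login}; store this password in your password manager now: {$password}\n";
}

// 2. Safety check: never delete the only administrator on the site.
$admin_ids = array_map( 'intval', get_users( array( 'role' => 'administrator', 'fields' => 'ID' ) ) );
if ( count( $admin_ids ) < 2 || ! in_array( (int) $new->ID, $admin_ids, true ) ) {
    echo "Refusing to delete '{$old_login}': no second administrator is in place.\n";
    return;
}

// 3. Delete "admin", reassigning its posts and links to the new account.
if ( wp_delete_user( $old->ID, $new->ID ) ) {
    echo "Deleted '{$old_login}' (ID {$old->ID}); content reassigned to {$new_login}.\n";
} else {
    echo "Deleting '{$old_login}' failed; check it is not a protected or network user.\n";
}
```

The script prints the generated password to the terminal so you can record it once; if your shell or hosting console keeps a history, clear it afterwards or reset the password through the normal “Lost your password?” flow instead.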
Keep WordPress and all plugins up-to-date
While this particular attack does not seem to be targeting code vulnerabilities, attacks that exploit flaws in outdated software do happen and are worth safeguarding against. Keeping your WordPress installation, themes, frameworks, and plugins up-to-date closes those known holes. Note that depending on the amount and type of customizing done to your website, updating WordPress and plugins may not be a DIY-type of thing. You can contact us to see precisely what is involved with your website.
Keep an eye out for odd behavior and let us know if you see something. It can be hard to know what to look for, but user accounts you didn’t create, content or redirects you didn’t publish, and unexplained slowdowns are all worth a closer look. Be proactive with anything that looks suspicious; it’s better to be safe than sorry.
We Can Help
In theory, these are things that any WordPress administrator can do. However, you may not be comfortable “under the hood” in WordPress, or your site may have customization that makes tackling these things on your own impractical. That’s where we can help. We spend all day in and around WordPress, so we can take a look at your website and determine the exact steps needed. (And it’s that much easier if we built your website.) Implementing these measures will typically take anywhere from 1–3 hours, but if your site has extensive customization or other unique features it may take a bit longer. If you are interested, call us at 612-798-7244, email us at firstname.lastname@example.org, or fill out the “Getting Started” form on our website and we can give you a better estimate tailored to your situation.
Stay Safe and Secure
WordPress is one more facet of our digital lives that requires “care and feeding” to keep it not only functioning properly, but safe and secure. As scary as it can all sound, know that you can do much to protect yourself from these types of attacks and vulnerabilities. Following these suggestions won’t guarantee absolute 100% protection, but you can know that you’re doing your due diligence to keep your website as safe as can be.