On December 17th, at approximately 9pm central time, WordFence reported that they were seeing the largest brute force attack against WordPress sites in history. The attack is reportedly coming from a large number of IP addresses, each of which is generating a significant number of attacks on its own. As of Sunday evening the attack was still ramping up, even though it had already reached record numbers. Here is some of the information WordFence has posted about the attacks:
- The attack has so far peaked at 14.1 million attacks per hour.
- The total number of IPs involved at this time is over 10,000.
- We are seeing up to 190,000 WordPress sites targeted per hour.
- This is the most aggressive campaign we have ever seen by hourly attack volume.
Why is this happening?
WordFence has speculated that this is happening because of the recent hacking of a massive credential database. That database holds over 1.4 billion username/password pairs, and about 14% of them are credentials that had never been seen before. With that data now in circulation, there is a good chance that many of the pairs will match real WordPress usernames and passwords.
What can I do to make sure my site is secure?
I’m glad you asked. Staying on top of security is more important than ever, and there are a number of things you can do to make sure your site isn’t affected:
- Change your password. This is something you should do regularly anyway for all of your credentials. I always suggest using a password manager such as LastPass or Dashlane so that you don’t have to remember every password you use. You can generate a unique, extremely complex password for every account, and the programs themselves are safe to use.
- Install a plugin like WordFence. Premium users automatically receive updated blocked-IP lists when attacks like this happen, but even the free version of the plugin will help protect you. Note: our clients who are on WPEngine do not need this step.
- Choose your host wisely. It’s no longer acceptable to buy into a cheap hosting solution for your business website. Budget hosts like HostGator, Host My Site, and many others have proven to have numerous problems with hackers. We have seen sites pick up malware simply because they were on the same server as another site that was infected. A host like WPEngine, although more expensive, is well worth the cost: it has built-in security measures that give our clients peace of mind. At $29/month you can rest assured that you’re being taken care of and protected from attacks like these.
- Keep your WordPress plugins up to date. This is extremely important, as outdated code can contain vulnerabilities that attackers are actively looking for. Many of the updates pushed out on a regular basis are for security reasons, not just new functionality.
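The numbers WordFence reported describe a campaign spread across thousands of source addresses, each sending many login attempts. On a single site the same pattern shows up as bursts of POST requests to wp-login.php and xmlrpc.php in the web server’s access log. The Python script below is an added example written for this page, not code from WordFence or from the original post: it counts failed login attempts per source address inside a sliding time window, flags addresses that exceed a threshold, and reports when enough distinct addresses are flagged to suggest a distributed campaign rather than one misbehaving client. The log lines, IP addresses, timestamps and thresholds are constructed for the demonstration, and the failed-login heuristic assumes stock WordPress behaviour (a 200 response that re-renders the form on a bad password, a 302 redirect on success).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Endpoints that brute-force tools hammer: the login form and the XML-RPC API.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for lines that
    are not in combined log format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    path = m.group("path").split("?")[0]  # drop the query string
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def is_failed_login(method, path, status):
    """Stock WordPress re-renders the login form with HTTP 200 on a bad
    password and answers a successful login with a 302 redirect, so a POST to
    wp-login.php that does not redirect is treated as a failure. XML-RPC
    answers every call with 200, so each POST there counts as an attempt."""
    if method != "POST" or path not in LOGIN_PATHS:
        return False
    return path == "/xmlrpc.php" or status == 200


def analyze(log_text, window=timedelta(minutes=5), per_ip_threshold=5, campaign_min_ips=3):
    """Sliding-window count of failed logins per source IP.

    Returns a dict with:
      failed_attempts: total failed attempts seen per IP
      flagged_ips:     IPs that reached per_ip_threshold failures inside `window`
      distributed:     True when at least campaign_min_ips IPs were flagged,
                       the signature of a campaign spread over many sources
    """
    recent = defaultdict(deque)  # ip -> timestamps inside the current window
    failed = defaultdict(int)
    flagged = set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if not is_failed_login(method, path, status):
            continue
        failed[ip] += 1
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # expire attempts older than the window
            q.popleft()
        if len(q) >= per_ip_threshold:
            flagged.add(ip)
    return {
        "failed_attempts": dict(failed),
        "flagged_ips": sorted(flagged),
        "distributed": len(flagged) >= campaign_min_ips,
    }


def _line(ip, hhmmss, method, path, status):
    """Build one constructed combined-format log line (sample data, not real traffic)."""
    return f'{ip} - - [17/Dec/2017:{hhmmss} +0000] "{method} {path} HTTP/1.1" {status} 2134 "-" "Mozilla/5.0"'


# Constructed sample log: documentation-range IPs and invented timestamps.
SAMPLE_LOG = "\n".join(
    # one source hammering the login form: 6 failures in 6 seconds
    [_line("203.0.113.10", f"21:00:0{i}", "POST", "/wp-login.php", 200) for i in range(1, 7)]
    # XML-RPC abuse from a second source: 5 calls in 5 seconds
    + [_line("198.51.100.7", f"21:00:1{i}", "POST", "/xmlrpc.php", 200) for i in range(5)]
    # a third rapid source, enough to make the campaign look distributed
    + [_line("203.0.113.200", f"21:00:2{i}", "POST", "/wp-login.php", 200) for i in range(5)]
    # a real user: four typos, then a successful login (302 redirect)
    + [_line("192.0.2.44", f"21:01:0{i}", "POST", "/wp-login.php", 200) for i in range(4)]
    + [_line("192.0.2.44", "21:01:05", "POST", "/wp-login.php", 302)]
    # a slow source: 5 failures spread over 40 minutes, never 5 inside one window
    + [_line("203.0.113.99", f"21:{10 * i:02d}:00", "POST", "/wp-login.php", 200) for i in range(5)]
    # ordinary traffic and one garbage line the parser must skip
    + [_line("192.0.2.44", "21:00:50", "GET", "/wp-login.php", 200),
       _line("192.0.2.45", "21:00:51", "GET", "/?p=12", 200),
       "this line is not in combined log format"]
)

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print("flagged:", report["flagged_ips"])
    print("distributed campaign:", report["distributed"])
```

To use it on a real server, replace SAMPLE_LOG with the contents of the access log. The flagged list is what you would hand to a firewall or a plugin’s block list; the distributed flag is the cue that per-address blocking alone will not keep up, which is exactly the situation where the shared blocked-IP lists a plugin like WordFence distributes earn their keep. Note the slow source in the sample: it makes five attempts in total but never five inside one window, so a threshold on the window alone misses it, and the total failure count is kept in the report for that reason.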
For more ideas, check out the official post from WordFence, which offers a few more ways to help keep your site secure. If you’d like help determining whether your site is vulnerable, or would like to move to a better host, give Checkerboard a call. We don’t like to see your website go down any more than you do.