Well … it eventually had to happen!
When you are the world’s most popular content management system and the preferred online publishing platform for over 60 million websites around the world, used by millions of businesses and loved by thousands of web developers and web designers, it’s inevitable that, at some point, WordPress will come under attack from hackers wanting to score a “big win”.
In early April 2013 a global “brute-force” attack began hitting WordPress installations across virtually every web host in existence around the world using botnets.
A “Botnet” is a network of private computers that has been infected with malicious software, which is then controlled remotely as a group, typically without the computer owners’ knowledge. Botnets are often used to send mass spam emails.
Below is a screenshot taken from an Internet Security monitoring site showing the locations of the command centers of ZeuS – a botnet that has been actively infecting computer networks all around the globe since 2009 …
The ongoing botnet attacks on WordPress are well-organized and highly-distributed. Over 90,000 IP addresses were identified by a number of webhosting companies just in the initial attack, when the web was flooded with millions of attempts to force their way into WordPress users administration areas. As this article is being written, over 30,000 WordPress sites are being hacked per day.
News of the April mass brute-force botnet attack was reported by all of the major webhosting companies, as well as the leading technology publications, such as Forbes, TechNews Daily, PC Magazine, Tech Crunch, BBC News, and even on the official website of the US Department of Homeland Security …
How To Prevent Your WordPress Site From Being Attacked – 10 Simple Steps
If your website is powered by WordPress and youíre not taking steps to harden your site, it’s practically guaranteed that your site will be hacked, or at least targeted by bots, because these attacks are systematically targeting WordPress sites around the world!
Typically, whenever a site is hacked, website owners will discover much to their dismay that they have been “locked out” of their own site, or that their content has been vandalized or even entirely wiped out. Often, sites will be infected with malicious software without the owner’s knowledge.
To help avoid the heartache of having your site being hacked into, we have published below 10 simple, yet essential steps that will help to protect your WordPress site from brute force attacks.
Note: Some of the steps listed below require some technical understanding of how to modify core WordPress and server files. If you are not technical, or don’t want to mess around with code on your site, you can hire someone to do it for you, or see our recommended software solution further down this page.
1 – Contact Your Web Host
Contact your webhosting provider and ask them exactly what they have put into place to help prevent your site from being attacked, and what they are doing to ensure that your WordPress sites are being regularly backed up. Check that your host is backing up your sites and that, if anything happens, you can easily get your site back.
2 – BackUp Your WordPress Data And Files And Keep Your Site Regularly Maintained
You should never rely only on your webhost for your site backups. Instead, learn how to maintain and manage your WordPress site and develop a habit of performing a complete WordPress site maintenance routine on a regular basis (e.g. weekly, monthly, etc …)
3 – Make Sure That Your User Name Is Not “Admin”
The mass brute-force botnet attack on WordPress is mostly attempting to compromise websitesí administrator panels by exploiting hosts with ìadminî as their account name. If your site’s username is “admin” you need to change this immediately.
Since WordPress doesn’t allow administrators to change the username assigned during installation, the simplest way to fix this issue is to create a new User account with administrator privileges. Make sure your new username is not obvious and choose a very strong password (see next section below).
Once you have created a new user with a new username and assigned it the role of administrator, log out of your WordPress site and log back in using your new user login details.
Once you have logged into your WP admin area, delete the old administrator account (i.e. the account with username = admin)
4 – Change Your Password
A “brute force” attack occurs when malicious software continually and persistently hits a login or password field with different strings of characters in an attempt to guess the right combination that will unlock it and give them access to your site.
Unless some measure is put into place to block the brute force attack (see further below for a simple and effective way to do this), the “bot” will just keep attacking your site until it eventually “cracks” the code.
Weak passwords are very easy targets for brute force attack methods. Make sure, therefore, that you change your password to something that is at least eight characters long, and that includes upper and lowercase letters, and ìspecialî characters (^%$#&@*).
If you have trouble coming up with strong passwords or feel reluctant to set up different passwords for all of your online logins, then use a password management tool like Roboform.
5 – Prevent the wp-config.php file from being accessed
If a hacker breaks into your site, they will look for the wp-config.php file, because this is the file that contains your WordPress database details.
To prevent the wp-config.php file from being accessed, insert the following code into your .htaccess file:
Note: Editing your .htaccess file can seriously mess up your site. Make sure that your site is fully backed up before you modify any system files.
6 – Rename or delete your install.php, upgrade.php and readme.html files
These files are completely unnecessary after installation and can be removed. If you don’t want to delete these files, then just rename them.
7 – Upgrade your WordPress installation, plugins and themes to their latest version
Hackers look for vulnerabilities they can exploit in older versions of WordPress, including outdated versions of WordPress plugins and themes. Ensure that all of your WordPress files, plugins, themes etc. are always up to date.
8 – Disable Your WordPress Theme Editor
When you log into WordPress, you can access your WordPress Theme Editor (by selecting Appearance > Editor) from the dashboard menu. This means that anyone who logs into your site can see all of your WordPress files and make changes or cause havoc on your site.
The WordPress Theme Editor can be easily disabled by adding the line of code below to your wp-config.php file:
Once again, please don’t modify any files on your site if you don’t know what you are doing and always backup your data before making changes. See our recommended solution further down the page if you need help with this step.
9 – Remove Access To Your WordPress Uploads Folder
The “uploads” folder stores all the media that gets uploaded to your WordPress site. By default, this folder is visible to anyone online.
Adding the line below to your .htaccess file will prevent online users from viewing your Uploads folder:
It’s worth repeating this warning once again: back up your site before making changes to core files and don’t edit files if you don’t know what you are doing.
Tip: You can add a blank ìindex.phpî file into any directory that you donít want people to look into. This will display a blank page to visitors. (The downside to this method is that you have to add a blank “index.php” file into every folder that has content or files you don’t want people to access.)
10 – Use WordPress Security Plugins
Currently, a number of WordPress security plugins are available that address many of the common security issues that most WordPress website owners face (e.g. preventing hackers from accessing your site, protecting your site from malicious software, etc …)
We provide detailed WordPress step-by-step tutorials to our clients on all aspects of using WordPress, and these also include tutorials on WordPress security.
Many WordPress plugins address some but not all areas of WordPress security. One WordPress security plugin that seems to do a comprehensive job of scanning, fixing and preventing issues that could lead to hackers accessing your site files and damaging your site is SecureScanPro.
SecureScanPro is easy to install and easy to use, and does a great job of addressing most of the security areas and fixing the issues that WordPress users need to address.
Here are some of the main features and benefits of this plugin:
- It requires no technical knowledge to use and is easy to install.
- It scans, fixes and prevents your site from being attacked in around 2 minutes.
- It scans for 33 known risks and vulnerabilities and automatically corrects 12 known vulnerabilities on WordPress sites with a click of the mouse.
- It does all of the recommended “code” fixes suggested earlier
- Each test is accompanied by a detailed explanation of the risk and the solution provided.
- You can schedule scans on a daily or weekly basis that will regularly monitor your site and notify you in seconds via email if someone tries to log into your site using incorrect login details, or executes a brute-force attack on your site.
- It ensures that unauthorized IP addresses are not permitted entry to your site and will automatically ban intruders after a number of failed logins.
- Free technical support and upgrades are provided.
Here are some screenshots of SecureScanPro in action …
The plugin adds important protection features on your WordPress login screen. This includes removing any references to the username during unsuccessful logins (WordPress tells you what the username isn’t, so if someone guesses the username correctly, all they have to do is try to work out your password), as well as adding an IP ban after a number of specified failed login attempts, and a simple challenge that only human beings can solve …
Once installed, the plugin performs a comprehensive scan and returns the results in an easy to understand report (green = good, red = bad) …
You can automatically correct a number of issues found by the plugin scan simply by clicking a “Fix It” button …
The plugin also lets you schedule scans to run automatically and email you the results …
You can also block the IP addresses of known spammers, botnets, content harvesters and malicious attackers from various locations around the world …
After recently installing the plugin on client sites, the software immediately went to work and began sending reports of one site that was being brute-force attacked without the owner even realizing that this was happening …
At the plugin’s documentation states, there are no guarantees that your site will not be hacked if you use the SecureScanPro plugin. However, when used as part of a comprehensive WordPress site security strategy, you should find that your site will no longer be an easy target for attacks, especially from people looking for any obvious or know weakness and vulnerabilities.
For more details, visit this website: SecureScanPro
What Doesn’t Kill You Makes You Stronger
As cybercrime grows worldwide and cybercriminals develop more sophisticated mass methods to identify and exploit vulnerabilities online, WordPress security is becoming increasingly more important. Hackers range from individuals who carry out attacks on sites out of curiosity, for entertainment, or to earn “bragging rights” with their peers, all the way to sophisticated, co-ordinated and highly organized criminal networks and cyberterrorists.
As stated earlier, WordPress is a target for hackers because it is the most widely used platform for publishing websites and managing content online. We have covered some of the steps you can take to protect your WordPress site, now let’s take a quick look at why you should still consider using WordPress if you are currently looking to start your own website.
There are some people who argue that WordPress is not the most secure platform for running a website or blog because it is ìopen sourceî (i.e. free), which means that hackers can easily access the software to find and exploit holes and weaknesses in its coding and security.
While itís true that WordPress is free and hackers can easily access it and study the code for weaknesses and vulnerabilities (hackers can do the same with any program), the fact that WordPress is a free, open platform makes it actually more secure in many ways.
The reason for this is that WordPress has the support of a huge community of thousands of people such as software programmers, plugin developers and theme designers who are constantly working to help improve the program.
WordPress evolves through the effort of a huge community and benefits from thousands of minds who are dedicated to improving the software and making it safer for every user. As soon as an issue, weakness, vulnerability or problem is discovered, therefore, it is almost immediately reported to the software creators and addressed by the WordPress development team. This is why WordPress releases new security updates so often, and why you need to keep your WordPress site constantly updated and maintained.
Contrast the above with other proprietary web development platforms and technologies which are developed by one company with a limited number of employees, and whose updates are therefore much less frequent, and you will quickly realize the value and advantages of using WordPress to power your website or blog.
Like many modern software packages, WordPress is updated regularly to address new security issues that may arise. Improving software security is always an ongoing concern, and to that end ñ and as we have been stressing throughout this training program ñ you should always keep up to date with the latest version of WordPress. Older versions of WordPress are not maintained with security updates.
And just one last thing …
It’s important to note that in the case of this recent mass brute-force botnet attack there is actually no WordPress vulnerability being exploited (the same script is also attacking Joomla sites).
In a recent interview, Mike Little – the co-founder of WordPress with Matt Mullenweg, said the following about the attacks:
It is a “simple” script that attempts to login using the admin login and a generated password. So if your password is too short or based on dictionary words it will be guessed and then the script can login legitimately and do whatever it wants including installing scripts (as plugins) or editing files. The attack tries to guess your password, if it succeeds, the most secure site in the world is wide open because they have your password.
Hopefully this information will help to keep your site protected. Please contact us if you need any further help or assistance with WordPress security issues.